GO2-16-119, License Amendment Request for One-Time 7 Day Extension of Completion Time for TS Condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A

From kanterella
Jump to navigation Jump to search

License Amendment Request for One-Time 7 Day Extension of Completion Time for TS Condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A
ML16313A573
Person / Time
Site: Columbia Energy Northwest icon.png
Issue date: 11/08/2016
From: Javorik A
Energy Northwest
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
GO2-16-119
Download: ML16313A573 (159)
v  d  e


Text

Alex L Javorik Columbia Generating Station P.O. Box 968, PE23 Richland, WA 99352-0968 Ph. 509.377.2354F. 509.377.8555 aljavorik@energy-northwest.com November 8, 2016 GO2-16-119 10 CFR 50.90 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D.C. 20555-0001

Subject:

COLUMBIA GENERATING STATION, DOCKET NO. 50-397 LICENSE AMENDMENT REQUEST FOR ONE-TIME 7 DAY EXTENSION OF COMPLETION TIME FOR TS CONDITION 3.5.1.A, 3.6.1.5.A, AND 3.6.2.3.A

References:

1. Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk- Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 2, dated May 2011
2. RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications, Revision 1, dated May 2011
3. RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009

Dear Sir or Madam:

In accordance with the provisions of 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," Energy Northwest requests an amendment to the Technical Specifications (TS) for Columbia Generating Station (Columbia). The proposed amendment would on a one-time basis, extend the completion time by 7 days for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A. This one-time extension will be used to support preventive maintenance (PM) which replaces the Residual Heat Removal (RHR) train A subsystems pump and motor.

GO2-16-119 Page 3 of 3 Attachments: As stated cc: NRC Region IV Administrator NRC NRR Project Manager NRC Sr. Resident Inspector - 988C CD Sonoda - BPA1399 (email)

WA Horin - Winston & Strawn RR Cowley - WDOH (email)

EFSECutc.wa.gov- EFSEC (email)

GO2-16-119 Page 1 of 27 Evaluation of Proposed Change Table of Contents

1.

SUMMARY

DESCRIPTION

2. DETAILED DESCRIPTION 3 TECHNICAL EVALUATION
4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements / Criteria 4.2 Precedent 4.3 No Significant Hazards Consideration Determination 4.4 Conclusions
5. ENVIRONMENTAL CONSIDERATION
6. REFERENCES

GO2-16-119 Page 2 of 27 1.0

SUMMARY

DESCRIPTION This evaluation supports a revision to the completion time (CT) specified in Columbia Generating Station (Columbia) Technical Specification (TS) conditions 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A, by adding a footnote to each of the required actions to allow a one-time 7 day extension (14 day completion time) for restoring Residual Heat Removal (RHR) train A. The extended CT will allow sufficient time to complete the preventive maintenance to install a new pump and motor in the RHR train A subsystem. This change supports the implementation of the Columbia Equipment Reliability program associated with the Emergency Core Cooling System (ECCS). The proposed change also deletes a footnote associated with TS conditions 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A which expired at 05:00 PST on February 9, 2015. The proposed change is similar to a license amendment granted February 1, 2015 (ML15030A501).

2.0 DETAILED DESCRIPTION 2.1 RHR MODES OF OPERATION The RHR system is comprised of three independent trains. Each train contains its own motor-driven pump, piping, valves, instrumentation, and controls. In addition, the A and B trains have heat exchangers which are cooled by standby service water (SW).

Low-pressure coolant injection (LPCI) mode There are 3 redundant subsystems in the LPCI mode of RHR: train A, train B, and train C. The RHR systems LPCI mode automatically pumps suppression pool water into separate lines and core nozzles for injection into the core region of the reactor pressure vessel (RPV) following a loss of coolant accident (LOCA). The RHR systems LPCI mode operates in conjunction with the other ECCS subsystems to provide adequate core cooling for all design basis LOCA conditions. The LPCI mode of RHR is part of the ECCS along with the high pressure core spray (HPCS) subsystem, the low pressure core spray (LPCS) subsystem and the automatic depressurization system (ADS).

Suppression pool cooling (SPC) and containment spray cooling (CSC) modes There are 2 redundant subsystems in the SPC and CSC modes of RHR: train A and train B. The RHR systems SPC and CSC modes provide heat removal from the suppression pool and containment by pumping suppression pool water through the systems heat exchangers and discharging the water either directly back to the suppression pool (i.e., in the SPC mode) or discharging the water to the wetwell and drywell spray spargers (i.e., in the CSC mode) where the water is then returned, by drainage, back to the suppression pool. These modes of operation are designed to provide cooling to maintain containment and suppression pool temperatures and

GO2-16-119 Page 3 of 27 pressures following major transients. For the CSS mode, only drywell spray mode is included in the Columbia TS.

Shutdown Cooling Mode The RHR systems normal shutdown cooling mode removes reactor core decay and sensible heat from the primary reactor system to permit refueling and servicing. This heat removal function is initiated manually after the reactor pressure has been reduced to less than 48 psig (295°F) by discharge of steam to the main condenser. This mode of operation provides the capability to cool down the reactor under controlled conditions.

2.2 APPLICABLE SAFETY ANALYSES The ECCS performance is evaluated for the entire spectrum of safety analysis break sizes for a postulated LOCA. The limiting single failures are discussed in the Columbia final safety analysis report (FSAR) Chapter 6. For a large break LOCA, failure of ECCS subsystems in electrical division 1 which consists of LPCS and LPCI train A, or electrical division 2 which consist of LPCI train B and LPCI train C, due to failure of its associated diesel generator is, in general, the most severe failure. For a small break LOCA, HPCS system failure is the most severe failure. The small break analysis also assumes two ADS valves are inoperable at the time of the accident. The remaining operable ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.

While RHR train A is out of service, the remaining required operable ECCS subsystems ensure the 10 CFR 50.46 limits are not exceeded.

The RHR CSC mode for drywell spray is credited for two functions in the LOCA analysis. The RHR CSC for drywell spray is credited for scrubbing inorganic iodines and particulates from the primary containment atmosphere. This function reduces the amount of airborne activity available for leakage from primary containment. The RHR drywell spray is also credited for primary containment pressure reduction. This function reduces the leak rate of airborne activity from primary containment.

2.3 CURRENT TS REQUIREMENTS TS 3.5.1 limiting condition for operation (LCO) requires each ECCS injection/spray subsystem and six ADS valves to be OPERABLE. The TS applies in MODE 1, MODES 2 and 3, except ADS valves are not required to be OPERABLE with reactor steam dome pressure 150 psig. The ECCS injection/spray subsystems are defined as the three LPCI subsystems, the LPCS System, and the HPCS System. The low pressure ECCS injection/spray subsystems are defined as the LPCS System and the three LPCI subsystems.

GO2-16-119 Page 4 of 27 The LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below 48 psig reactor steam dome pressure in MODE 3, if capable of being manually realigned either remotely or locally to the LPCI mode and not otherwise inoperable. Alignment and operation for decay heat removal includes when the required RHR pump is not operating or when the system is being realigned from or to the RHR shutdown cooling mode. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary.

TS 3.6.1.5 LCO requires two RHR drywell spray subsystems to be OPERABLE. The TS applies in MODES 1, 2, and 3. In the event of a Design Basis Accident (DBA), a minimum of one RHR drywell spray subsystem is required to mitigate the effects of potential bypass leakage paths and maintain the primary containment peak pressure below design limits.

TS 3.6.2.3 requires two RHR suppression pool cooling subsystems to be OPERABLE.

The TS applies in MODES 1, 2, and 3. In the event of a DBA, a minimum of one RHR drywell spray subsystem is required to mitigate the effects of potential bypass leakage paths and maintain the primary containment peak pressure below the design limits in Columbia FSAR Section 6.2.2.3.

2.4 REASON FOR THE PROPOSED CHANGE The proposed change would allow preventive maintenance (PM) in support of Engineering Change (EC) 14635 to replace RHR train A pump and motor. This EC is part of the Energy Northwest long range plan for improving reliability of the RHR system pumps and motors. The pump replacement also satisfies the corrective action for a 10 CFR 21 notification for this model pump.

The work to implement the replacement of RHR train A pump and motor is being scheduled to minimize unavailability time for the RHR system. Previous experience from replacing just the RHR train B pump in May 2015 required approximately 5 days out of the 7 day completion time for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A.

Since just replacing the RHR train B pump took most of the current allowed outage time, it is expected that the work needed to replace both the RHR train A pump and motor under engineering change (EC) 14635 will not be able to be completed within the current 7 day CT and would necessitate a plant shutdown. The proposed addition to the CT provides margin to ensure adequate time is provided for the pump and motor replacement.

In addition, the proposed change to delete a footnote from TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A is due to this note being no longer applicable.

GO2-16-119 Page 5 of 27

2.5 PROPOSED CHANGE

The proposed change will revise the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A by adding a footnote for restoring RHR train A to each of the required actions to allow a one-time 7 day extension (14 day completion time). The footnote will state:

(1)

The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

The proposed change will also delete the following footnote from TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A which is no longer applicable:

(1)

The Completion Time that one train of RHR (RHR-B) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-B from the modification activity.

Upon successful restoration of RHR-B, this footnote is no longer applicable and will expire at 05:00 PST on February 9, 2015.

The markup of the proposed changes to TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A is provided in Attachment 2 of this letter.

3.0 TECHNICAL EVALUATION

The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A has been evaluated using the risk-informed approach for assessing changes to TS allowed outage times (AOT) or CT described in Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications, (References 1, and 2 respectively).

RG 1.200 An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment [PRA] Results for Risk-Informed Activities, provides guidance for determining the technical adequacy of an internal events Probabilistic Safety Assessment (PSA) (Reference 3).

This section provides the risk-informed evaluation of the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A, against the five key principles involved in implementing risk informed decision-making for assessing TS changes.

GO2-16-119 Page 6 of 27 As provided in RG 1.177 the five key principles are:

1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change.
2. The proposed change is consistent with the defense-in-depth philosophy.
3. The proposed change maintains sufficient safety margins.
4. When proposed changes result in an increase in core damage frequency or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement.
5. The impact of the proposed change should be monitored using performance measurement strategies.

3.1 KEY PRINCIPLE #1: COMPLIANCE WITH CURRENT REGULATIONS AND COMMITMENTS The LPCI operational mode of the RHR system complies with the applicable Nuclear Regulatory Commission (NRC) Title 10 of the Code of Federal Regulations Part 50 (10 CFR 50), Appendix A, General Design Criteria (GDC). The specific GDC applicable to the proposed license amendment are GDC 35, Emergency Core Cooling, GDC 36, Inspection of Emergency Core Cooling System, and GDC 37, Testing of Emergency Core Cooling System. The proposed change only affects the TS CT and does not involve a change to the design or method of operation of the ECCS. Conformance to the GDC criteria is not altered by the proposed change.

The SPC and CSC operational modes of RHR system comply with GDC 38, Containment Heat Removal." The containment heat removal function is accomplished by the SPC and CSC operational modes of RHR train A and train B. Following a LOCA, one or both of the SPC and CSC modes of RHR would be initiated. The two cooling trains, A and B, are each mechanically and electrically separate from the other to achieve redundancy. The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A does not alter the redundant design capability of the RHR system to accomplish these functions.

The regulatory requirements related to the contents of TS are contained in 10 CFR 50.36. Pursuant to 10 CFR 50.36, TS are required to contain (1) safety limits, limiting safety system settings, and limiting control settings, (2) limiting conditions for operation (LCO), (3) surveillance requirements, (4) design features, and (5) administrative controls.

The regulations in 10 CFR 50.36(c)(2) state that the LCOs are the lowest functional capability or performance level of equipment required for safe operation of the facility

GO2-16-119 Page 7 of 27 and when LCOs are not met, the licensee shall shut down the reactor or follow any remedial actions permitted by the TS until the LCO can be met.

This proposed revision to the Technical Specifications (TS) provides the plant-specific review that supports a finding of continued adequate protection of public health and safety. Although it is less restrictive than the current TS requirement, it still affords adequate assurance of safety when judged against the current regulatory standards.

The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A associated with limiting conditions for operation is proposed in accordance with 10 CFR 50.90. The detailed technical evaluation is provided in Sections 3.2 through 3.10.

10 CFR 50.46 provides acceptance criteria for ECCS. A summary of the 10CFR 50.46(b) acceptance criteria is provided below:

x Peak cladding temperature - the calculated maximum fuel element cladding temperature shall not exceed 2200 °F.

x Maximum cladding oxidation - the calculated total oxidation of the cladding shall nowhere exceed 0.17 times the total cladding thickness before oxidation.

x Maximum hydrogen generation - the calculated total amount of hydrogen generation from chemical reaction of the cladding with water or steam shall not exceed 0.01 times the hypothetical amount that would be generated if all the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react.

x Coolable geometry - calculated changes in core geometry shall be such that the core remains amenable to cooling.

x Long-term cooling - after any calculated successful initial operation of the ECCS, the calculated core temperature shall be maintained at an acceptably low value and decay heat shall be removed for the extended period of time required by the long-lived radioactivity remaining in the core.

The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A does not modify any ECCS component or the ECCS systems ability to perform its safety related function. Thus, compliance with 10 CFR 50.46 is not altered by the proposed change.

There are no other license conditions or orders applicable to this proposed change.

GO2-16-119 Page 8 of 27 3.2 KEY PRINCIPLE #2: DEFENSE IN DEPTH The impact of the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A was evaluated and is consistent with the defense-in-depth philosophy and also ensures the protection of the public health and safety.

The defense in depth is primarily maintained by the TS requirements for operability of the remaining RHR trains. The limited increase in unavailability for the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A for the LPCI mode of operation subsystem, SPC mode of operation subsystem, and CSC mode of operation subsystem does not significantly change the balance among the defense-in-depth principles of prevention of core damage, prevention of containment failure, and consequence mitigation. The proposed change does not impact the capability of the remaining ECCS subsystems to provide adequate core cooling, suppression pool cooling, or containment spray. The small increase in unavailability for a single ECCS subsystem does not significantly change the balance among the defense-in-depth principles. Additionally while on-line, more ECCS systems and or subsystems are available to mitigate a design basis accident such as HPCS, LPCS, LPCI mode of RHR and the ADS system.

Over-reliance on programmatic activities to compensate for weakness in plant design is avoided. Columbias normal administrative controls will be used during the extended completion time which includes protecting opposite train systems and support systems.

Compensatory measures above and beyond those required by plant procedure will be employed as further risk management actions. However, no credit for these measures were taken in the probabilistic risk assessment (PRA) performed for the proposed CT extension. This programmatic activity does not constitute over-reliance on programmatic activities to compensate for weakness in the Columbia plant design.

Administrative controls ensure that redundant ECCS subsystems are not removed from service thereby maintaining system redundancy.

There are two redundant SPC and CSC subsystems for containment heat removal at Columbia. There are three redundant LPCI subsystems for ECCS at Columbia. Both the Columbia ECCS and containment heat removal systems are robust and diverse. In addition to the LPCI subsystems, the ECCS is also composed of diverse HPCS and LPCS subsystems. There is no change in the automatic operational responses to accident signals or are any abnormal lineups proposed for the ECCS, SPC or CSC subsystems. Additionally, independence, redundancy, and diversity are maintained during the increased CT period. Restrictions are placed on simultaneous equipment outages that would erode the principles of redundancy and diversity.

Planning for preventative maintenance activities during the proposed extension will assess overall plant risk and establish compensatory measures in accordance with

GO2-16-119 Page 9 of 27 Columbias risk management program. Additional compensatory measures for avoidance of risk significant configurations are discussed in Section 3.6.

Voluntary removal of redundant equipment from service as allowed by TS and risk assessment is reassessed when severe weather conditions are predicted or at a time when the plant may be subjected to other abnormal conditions.

Columbias risk management configuration control program protects redundant equipment and systems to assure redundancy and diversity are maintained.

Additionally, Columbia uses procedural controlled risk informed approaches for scheduling maintenance for all modes of plant operation, which limits removal of risk sensitive equipment combinations from service.

For the RHR train A subsystem outage during the extended CT, the redundant subsystems of RHR LPCI mode of operation and the ECCS diverse subsystems HPCS and LPCS as well as the redundant SPC and CSC subsystems will continue to be capable of performing the safety functions assumed in Columbias FSAR Chapter 15 accident analyses.

The potential for a common cause failure is not increased. No change in system alignment or operational modes is proposed. The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A for the LPCI mode of operation subsystem, SPC and CSC mode of operation subsystems, will not significantly increase the unavailability such that new common cause failures not previously considered would occur.

Additionally, movement of the RHR train A pump and motor has been planned to ensure the load path does not affect other ECCS equipment. The floor plugs remain in place the RHR train B pump room and the reactor core isolation cooling (RCIC) pump room during load travel. The removed floor plugs from the RHR train A pump room will be transported on rollers and staged above the RCIC pump room floor plugs in accordance with plant procedure. The removed pump and motor will be set into the staging area setup at the 471 elevation of the reactor building and then lowered to the truck bay for shipping. The load paths as well as floor loading of the staging areas has been evaluated to ensure these locations contain margins of safety for the additional floor loads during the pump and motor replacement activity. This ensures that no new common cause failures will occur during this replacement.

The independence of physical barriers is not degraded. For the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A LPCI mode of operation subsystem, SPC mode of operation subsystem, and CSC mode of operation, the redundant low pressure ECCS subsystems and the diverse HPCS system, as well as the redundant SPC mode of operation and CSC mode of operation subsystems will be protected, providing sufficient independent, redundant and diverse

GO2-16-119 Page 10 of 27 means to prevent any undue challenges to the fuel cladding, reactor coolant pressure boundary, and the containment from occurring.

Defenses against human errors are maintained. The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A LPCI mode of operation subsystem, SPC mode of operation subsystem, and CSC mode of operation will not change the mode of operation, introduce additional operator challenges, or cause any new operator actions in response to normal, abnormal or postulated accident conditions. The risk management categorization for this evolution is a high risk classification in accordance with Columbia procedures. High risk work activities require a documented action plan and Plant Operations Committee (POC) approval. This provides heightened awareness to reduce human errors.

The intent of the plant design criteria is still met. There are no design changes to the RHR system associated with the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A LPCI mode of operation subsystem, SPC mode of operation subsystem, and CSC mode of operation. Therefore the criteria in NRC Standard Review Plan (SRP) 5.4.7 are still met. There are no design changes to the Columbia containment for the proposed change. Therefore the criteria in NRC SRP 6.2.1.1.C are still met. There are no changes to the design of the ECCS system associated with the proposed change. Therefore, the criteria in NRC SRP 6.3 are still met.

3.3 KEY PRINCIPLE #3: SUFFICIENT SAFETY MARGINS The proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A for RHR train A LPCI mode of operation subsystem, SPC mode of operation subsystem, and CSC mode of operation does not conflict with existing codes and standards applicable to Columbia. There are no codes or standards that place a limit on the CT for ECCS subsystems or containment heat removal systems. There is no change in plant configuration associated with the proposed changes. The same configuration conditions exist for the extended CT as is currently allowed for a CT of 7 days. The safety analysis acceptance criteria would continue to be met during the extended CT. Specific limitations exist within Columbias TS that identify conditions where more restrictive CT limits would be required should other ECCS subsystems or if other containment heat removal SPC or CSC subsystems become unavailable at the same time. Required Actions associated with these more restrictive conditions assure adequate safety margins are preserved for maintaining the intended ECCS safety function for LPCI as well as SPC and CSC.

GO2-16-119 Page 11 of 27 3.4 KEY PRINCIPLE #4: RISK IMPACT The NRC identified a three tiered approach for licensees to evaluate the risk in RG 1.177 associated with proposed CT changes.

Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (CDF), the incremental conditional core damage probability (ICCDP), and when appropriate, the change in large early release frequency (LERF) and incremental conditional large early release probability (ICLERP).

Tier 2 is an identification of potentially high-risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service simultaneously, or other risk-significant operational factors such as concurrent system or equipment testing were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place.

Tier 3 is the establishment of an overall configuration risk management program to ensure that other potentially lower probability, but nonetheless risk-significant configurations resulting from maintenance and other operational activities, are identified and appropriate compensation taken.

If the Tier 2 assessment demonstrates, with reasonable assurance, that there are no risk-significant configurations involving the subject equipment, the application of Tier 3 to the proposed TS CT change may not be necessary. Although defense in depth is protected to some degree by the current TS, application of the three tiered approach to risk-informed TS CT changes discussed below provides additional assurance that defense-in-depth will not be significantly impacted by such changes to the licensing basis. Energy Northwest has evaluated the proposed extension of the TS CT using the guidance of RG 1.177 and the results are provided.

Sections 3.5 through 3.8 address the risk informed impact.

3.5 TIER 1: PSA EVALUATION OF RISK IMPACT Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in CDF, the ICCDP, the change in LERF and ICLERP. The results of this evaluation, the PRA insights, a discussion of the uncertainty associated with these results, and the capability of the PRA model of record assessed to RG 1.200 (Reference 3) for the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A are presented in Attachment 5.

GO2-16-119 Page 12 of 27 The risk evaluation considers the impact of the proposed change with respect to the risks due to internal events, internal fire, seismic, and other external hazards. A quantitative evaluation was performed for internal event risks. Qualitative and quantitative evaluations were performed for fire and seismic risks. A qualitative evaluation was performed for other external hazards.

Table 1 provides a summary of the approach and results of the evaluation of each of the potential risk contributors. These analyses demonstrate that the risk impact of the proposed one-time change in the CT for TS conditions 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A are small and below the acceptance guidelines.

Table-1

SUMMARY

OF RISK INSIGHTS Risk Approach Insights Contributor Internal Quantify ICCDP & ICLERP x Base risk within Events for planned configuration acceptance guidelines x ICCDP < 1E-6 x Compensatory x ICLERP < 1E-7 measures keep risk well within the acceptance guidelines Internal Fire Qualitatively and x Base risk within quantitatively evaluated: acceptance guidelines x Identify scenarios x Compensatory impacted by measures keep risk configuration well within the x Estimate risk impacts acceptance guidelines due to configuration x New fire-related and quantify ICCDP compensatory and ICLERP measures identified x Identify compensatory measures

GO2-16-119 Page 13 of 27 Table-1

SUMMARY

OF RISK INSIGHTS Risk Approach Insights Contributor Seismic Qualitatively and x Seismic risk impacts quantitatively evaluated: negligible x Identify scenarios x Seismic risk reduced impacted by with compensatory configuration measures for internal x Estimate risk impacts events and fire due to configuration and quantify ICCDP and ICLERP x Identify compensatory measures Other Qualitatively evaluate based x Other external event External on the CGS IPEEE risks are negligible Hazards contributors Overall Quantify ICCDP & ICLERP x Base risk within At-Power for planned configuration acceptance guidelines Risks x ICCDP < 1E-6 x Compensatory x ICLERP < 1E-7 measures keep risk well within the acceptance guidelines The numeric results are summarized in Table 2 for RHR Train A out of service (OOS) for the extended CT. Since this is a one-time change and there is no permanent change to the plant CDF or LERF, delta CDF and delta LERF values are not included as would normally if requesting a permanent change request. The results are compared with the risk acceptance guidelines described in Reference 2. The values for the Incremental ICCDP and the ICLERP demonstrate that the proposed one-time change in the CT for TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A is small and below the acceptance guidelines.

GO2-16-119 Page 14 of 27 Table-2 14-DAY AOT PREVENTIVE MAINTENANCE Average Maintenance Model with protected Trains per plant procedures Acceptance PRA Risk Metric Guideline Results RHR-A_OOS - ICCDP (Total) 6.25E-7 RHR-A_OOS- ICCDP (Internal Events) 2.10E-7

< 1.0E-6 RHR-A_OOS- ICCDP (Fire) 2.73E-7 RHR-A_OOS- ICCDP (Seismic) 1.41E-7 RHR-A_OOS - ICLERP (Total) 6.90E-10 RHR-A_OOS - ICLERP (Internal Events) < 1.0E-7 7.67E-11 RHR-A_OOS - ICLERP (Fire) 6.14E-10 RHR-A_OOS - ICLERP (Seismic) Negligible The technical adequacy of Columbias PSA has been evaluated and contains sufficient detail and features to perform this evaluation. The technical adequacy of Columbias PSA Revision 7.2 was reviewed for TSTF-425 and is discussed in detail in Attachment 6 of this submittal.

In PSA minor model Revision 7.2.1 selected dependent Human Error Probabilities (HEP) values were modified for use in the non-LERF Level 2 release term quantification and separate recovery files were constituted to implement these recoveries. The revisions associated with this model release had no impact on the CDF or LERF modeling or quantitative solutions; therefore, the release of this model version had no impact on the assessed technical adequacy of the PSA with respect to the ASME Standard.

The Columbia PRA models are technically adequate to support this risk assessment as described in Attachments 5 and 6.

3.6 TIER 2: AVOIDANCE OF RISK SIGNIFICANT PLANT CONFIGURATIONS High-risk plant configurations were identified and the following compensatory measures will be established to lessen the calculated increase in core damage risk when RHR train A is OOS. The compensatory measures will provide additional risk reduction not included in the ICCDP and ICLERP calculated for the procedurally required protected equipment.

Based on the risk-significant contributors to the ICCDP, the following compensatory measures will be taken during the 14 day CT for the RHR train A OOS to address the risk-significant scenarios discussed in Attachment 5.

GO2-16-119 Page 15 of 27 Compensatory Measures

1. In addition to the protected equipment required by plant procedures when RHR train A is OOS, which are RHR train B, Diesel Generator (DG2) and SW train B; the following equipment will be protected HPCS, high pressure core spray service water (HPCS-SW), startup transformer (TR-S), DG3, RCIC, LPCS and RHR train C.
2. While no credit is taken in the PRA evaluation in Attachment 5, the Control Air System (CAS), Standby Gas Treatment system (SGT), and the division 2 DC battery chargers will be protected.
3. A flood watch tour of the Turbine Building (TB) to provide early detection of internal floods will be established.
4. A fire watch tour of the TB corridor (TG-12), Reactor Building elevations 471 and 522, cable chase, and the Division 2 electrical switchgear rooms will be established.
5. To increase fire risk awareness, shift briefs or pre-job walk downs will be performed to reduce and manage transient combustibles.
6. Fire risk management actions required per plant procedure which include the following will be established:

Fire Zone Description Risk Management Actions Risk RW 437 N Waste Tank Floor Area C106; Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

RW 437 Behind Shield Wall;

- implement hourly fire tours for Waste Tank Floor Area Offgas Dryer Rooms C130 and C106 per FPP-1.7 C131

- ensure no unnecessary fire hazards and no obstructed fire equipment in Waste Tank Floor Area C106

- confirm area detection, suppression and fire doors available for Waste Tank Floor Area C106, RW 437 Behind Shield wall and Offgas Dryer rooms C130 and C131

- prohibit hot work in Waste Tank Floor Area C106, RW 437 Behind shield wall and Offgas Dryer rooms C130 and C131

- update plant status page with plant fire risk status and affected fire area for station awareness

GO2-16-119 Page 16 of 27 Fire Zone Description Risk Management Actions Risk RW 467 Division 2 RPS Room C213; Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

RPS 2 Division 2 Battery Charger Room C224 - implement hourly fire tour for Division 2 RPS Room CHG 2 C213 and Division 2 Battery Charger Room C224 per FPP-1.7

- ensure no unnecessary fire hazards and no obstructed fire equipment in Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- confirm area detection, suppression and fire doors available for Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- prohibit hot work in Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- update plant status page with plant fire risk status and affected fire area for station awareness RW 525 Division 1 HVAC Equipment Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 Room C507 to:

HVAC 1

- implement hourly fire tour for Division 1 HVAC Equipment Room C507 per FPP-1.7

- ensure no unnecessary fire hazards and no obstructed fire equipment in Division 1 HVAC Equipment Room C507

- confirm area detection, suppression and fire doors available for Division 1 HVAC Equipment Room C507

- prohibit hot work in Division 1 HVAC Equipment Room C507

- update plant status page with plant fire risk status and affected fire area for station awareness

GO2-16-119 Page 17 of 27 Fire Zone Description Risk Management Actions Risk RW 525 Emergency Chiller Room C502; Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

CHLR Communications Room C503;

- implement hourly fire tour for Emergency Chiller Room Instrument Shop Room C510 C502; Communications Room C503 and Instrument Shop Room C510 per FPP-1.7

- ensure no unnecessary fire hazards and no obstructed fire equipment in Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- confirm area detection, suppression and fire doors available for Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- prohibit hot work in Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- update plant status page with plant fire risk status and affected fire area for station awareness TG 441 W Condenser Bay West End Initiate Fire Protection Evaluation Permit per PPM 1.3.10 T105; to:

H2 Seal Oil Room T117; - implement hourly fire tour for H2 Seal Oil Room T117 and TG 441 west general area T106 per FPP-1.7 TG 441 West General Area T106 - ensure no unnecessary fire hazards and no obstructed fire equipment in H2 Seal Oil Room T117 and TG 441 west general area T106

- confirm area detection, suppression and fire doors available for Condenser bay west end T105; H2 seal oil room T117; and TG 441 west general area T106

- prohibit hot work in Condenser bay west end T105; H2 seal oil room T117; and TG 441 west general area T106

- update plant status page with plant fire risk status and affected fire area for station awareness

GO2-16-119 Page 18 of 27 Fire Zone Description Risk Management Actions Risk TG 471 TG 471 Heater Bay Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

Center

- confirm Operations shiftly camera tour of the TG 471 Heater Bay

- ensure no unnecessary fire hazards and no obstructed fire equipment in TG 471 Heater Bay (via camera tour)

- confirm area detection, suppression and fire doors available for TG 471 Heater Bay

- prohibit hot work in TG 471 Heater Bay

- update plant status page with plant fire risk status and affected fire area for station awareness

7. To increase the likelihood of successful operator recovery actions in response to initiating events, operator awareness of the following measures will be increased through use of briefing sheets or procedural reviews:

x The importance of containment venting x The importance of RPV depressurization x The importance of aligning RHR to suppression pool cooling x The importance of connecting fire water to condensate x The Importance of connecting SW to RHR train B

8. Weather forecast will be monitored prior to entering the 14 day CT to ensure no hazardous weather conditions are forecasted.

3.7 KEY PRINCIPLE #5 AND TIER 3: CONFIGURATION CONTROL Plant procedures implement Columbias configuration risk management control program. The basis for Columbias configuration risk management control program is Maintenance Rule Section 10 CFR 50.65(a)(4). The maintenance rule (MR) requires that licensees perform risk assessments before maintenance activities are performed on SSCs and manage the increase in risk resulting from the planned activities.

"Assessing Risk" means using an appropriate tool to evaluate the temporary and aggregate risk increases generated by the maintenance activities. The assessment tool used at Columbia is PARAGON. In addition, the Shift Technical Adviser (STA) or on-shift senior reactor operator (SRO) can also perform qualitative risk assessments for unusual external conditions.

GO2-16-119 Page 19 of 27 "Managing Risk" means using the result of the risk assessment during plant decision-making, this controls overall risk impact. This is accomplished through carefully planning and scheduling maintenance activities, and implementing additional actions beyond routine work controls to address situations where the risk increase is above the established threshold.

PARAGON software program provides the infrastructure for modeling nuclear plant safety functions, transient functions, as well as PSA and is used to assess plant configuration risk conditions. The at-power model uses a blended method, i.e., both qualitative and quantitative approaches. It has the capability to perform evaluations for combinations of structures, systems, and components (SSC) being out-of-service and human reliability events in an efficient manner.

Qualitative considerations evaluate defense-in-depth in safety functions and potential maintenance activities that may lead to a plant transient or an initiating event. The safety functions and transient functions are listed below.

The Columbia at-power safety functions are:

x Reactivity Control x RPV Overpressure Control x High Pressure Inventory Control x RPV Depressurization x Low Pressure Inventory Control x Reactor/Containment Heat Removal x Primary Containment Control x Secondary Containment Control x 4160 AC Power Supply x Fuel Pool Cooling The Columbia at-power transient functions (TF) are:

x Plant Transient/Manual Scram x Loss of Condenser/Loss of Feedwater x Loss of Off-Site Power x Anticipated Transient Without Scram (ATWS)

Quantitative considerations use the internal events PSA model to calculate the risk increase for the maintenance configuration.

Plant Risk Level is based on the results of the qualitative and quantitative assessments of the maintenance configuration. The Columbia risk levels are designated as defined below:

GO2-16-119 Page 20 of 27 x Green - Normal work controls o Maximum defense-in-depth o No evident plant transient o Minimal increase in core damage risk x Yellow -Increased risk awareness o Reduced defense-in-depth o Plant transient is evident but a full complement of mitigation capability is available, or plant transient mitigating capability is reduced but no related plant transient is evident.

o Acceptable increase in core damage risk x Orange - Risk management actions required o Marginal defense-in-depth, o Plant transient is evident and plant transient mitigating capability is degraded, or plant transient mitigating capability is significantly degraded but no related plant transient is evident.

o Significant increase in core damage risk x Red - Not voluntarily entered o No defense-in-depth o Plant transient is evident and plant transient mitigating capability is degraded.

o Unacceptable increase in core damage risk Columbia also addresses the amended Maintenance Rule Section 10 CFR 50.65(a)(4) for added consideration of plant fire risk. Plant level fire risk is based on qualitative assessments of the maintenance configuration. The plant fire risk level is designated in the colors as defined below:

x Green - Normal work controls o Work with no plant fire risk o Work with plant fire risk increase with a duration less than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> x Blue - Risk management actions required o Work with plant fire risk increase with a duration greater than 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />

GO2-16-119 Page 21 of 27

3.8 TECHNICAL ANALYSIS

CONCLUSION The five key principles involved in implementing risk-informed decision-making for assessing TS changes, as provided in RG 1.177 and RG 1.200 (References 2 and 3 respectively), have been demonstrated by this analysis. Specifically:

1. The proposed change meets the current regulations.

This LAR itself does not propose to deviate from existing regulatory requirements, and compliance with existing regulations is maintained by the proposed one time change to the plant's TS requirements.

2. The proposed change is consistent with the defense-in-depth philosophy.

For the RHR train A subsystem outage during the extended CT, the redundant subsystems of RHR LPCI mode of operation and the ECCS diverse subsystems HPCS and LPCS as well as the redundant SPC and CSC subsystems will continue to be capable of performing the necessary assumed safety function consistent with Columbia FSAR Chapter 15 accident analysis assumption. Additionally, Columbias normal administrative controls will be used during the extended completion time which includes protecting opposite train systems and support systems

3. The proposed change maintains sufficient safety margins.

While in the proposed configuration, safety analysis acceptance criteria in the FSAR are met, assuming no additional failures.

4. The proposed change for the one-time CT extension quantitative results for ICCDP and ICLERP application are less than the guidance thresholds as shown in Table 2 and is consistent with the intent of the Commissions Safety Goal Policy Statement.

A risk evaluation was performed that considers the impact of the proposed change with respect to the risks due to internal events, internal fires, seismic events and other external hazards. The evaluation of the quantitative impacts of internal event risks during the planned CT extension demonstrates that the impact on the likelihood of core damage and large early release is well below the risk acceptance guideline.

The fire and seismic evaluation determined that the impact on the likelihood of fire and seismic related core damage is also below the risk acceptance guideline. In addition, recommended actions have been identified that further reduce the risk of the significant fire scenarios. The risk associated with other external hazards is negligible.

None of the uncertainties identified in the evaluation were found to be key uncertainties that influence this RHR CT extension, based on the guidance provided

GO2-16-119 Page 22 of 27 by EPRI 1016737, Treatment of Parameter and Model Uncertainty for Probabilistic risk Assessments, (Reference 4).

5. The impact of the proposed change will be monitored using Columbias Maintenance Rule a(4) program.

Columbias configuration risk management program will effectively monitor the risk of emergent conditions during the period the proposed extended CT is in effect.

This will ensure any additional risk increase due to emergent conditions is appropriately managed.

Risk management actions will be implemented to reduce risk as described in Section 3.6.

4.0 REGULATORY EVALUATION

4.1 APPLICABLE REGULATORY REQUIREMENTS / CRITERIA The following GDCs for the ECCS were evaluated to determine if these GDC continue to be met.

GDC 35 - Emergency Core Cooling (Criterion 35)

A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts.

Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure The ECCS are designed to limit fuel cladding temperature over the complete spectrum of possible break sizes in the reactor coolant pressure boundary (RCPB) including a complete and sudden circumferential rupture of the largest pipe connected to the reactor vessel.

The ECCS consists of the HPCS subsystem, ADS subsystem, LPCS subsystem, and the RHR LPCI subsystem mode of operation.

GO2-16-119 Page 23 of 27 The LPCI subsystem mode of RHR operation continues to provide RPV flooding with 2 of the 3 subsystems available during the proposed TS CT extension. The proposed change only affects the TS CT and does not involve a change to the design or method of operation of the ECCS. Conformance to the GDC criteria is not altered by the proposed change.

GDC 36Inspection of emergency core cooling system (Criterion 36)

The emergency core cooling system shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system.

The proposed CT extension does not alter any ECCS equipment. Therefore, conformance to the GDC criteria is not altered by the proposed change.

GDC 37Testing of emergency core cooling system (Criterion 37)

The emergency core cooling system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

The proposed CT extension does not alter any ECCS equipment. Therefore, conformance to the GDC criteria is not altered by the proposed change.

4.2 PRECEDENT A one-time 7 day extension to Columbia TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3 completion times (ML15031A002) was approved for use at Columbia under license amendment number 230 (ML15030A501). This precedent extended the completion time for 7 days to allow for restoration of the B train of RHR after completion of phase 2 fuel pool cooling assist modification. This precedent is similar in that it extended the same TS actions. The precedent used the same approach for assuring the proposed change is acceptable however, this precedent used the zero-maintenance PSA model.

This license amendment request uses the average-maintenance PSA model. The precedent has similar compensatory measures. The precedent also affected a single train of RHR. The basis for license amendment 230 concluded that when the station is on-line, more ECCS systems and/or subsystems are available to mitigate a design basis accident such as HPCS, LPCS, LPCI mode of RHR and the ADS system. It also

GO2-16-119 Page 24 of 27 concluded that a mode transition from operating to shutdown brings inherent risk and only one RHR train would be available for shutdown cooling. The risk exposure is reduced by staying online.

4.3 NO SIGNIFICANT HAZARDS CONSIDERATION DETERMINATION The proposed change will revise the completion time (CT) for Technical Specification (TS) condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A by adding a footnote for restoring residual heat removal (RHR) train A to each of the required actions to allow a one-time 7 day extension (14 day completion time). The footnote will state:

(1)

The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following the modification activity governed by EC 14635. This footnote will expire at 23:59 PST February 28, 2019.

The proposed change will also delete the following footnote which is no longer applicable from TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A:

(1)

The Completion Time that one train of RHR (RHR-B) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-B from the modification activity.

Upon successful restoration of RHR-B, this footnote is no longer applicable and will expire at 05:00 PST on February 9, 2015.

Energy Northwest has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, Issuance of Amendment, as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed amendment does not increase the probability of an accident because the residual heat removal (RHR) system cannot initiate an accident. The RHR system provides coolant injection to the reactor core, cooling of the suppression pool water inventory, and drywell sprays following a design basis accident.

The proposed one time completion time (CT) change for RHR train A does not alter the conditions, operating configurations, or minimum amount of operating equipment assumed in the safety analysis for accident mitigation. No changes are proposed in the manner in which the emergency core cooling system (ECCS) provides plant protection or which create new modes of plant operation. In addition, a probabilistic safety assessment (PSA) evaluation concluded that the risk contribution of the

GO2-16-119 Page 25 of 27 increased CT is a very small increase in risk. The proposed change in CT will not affect the probability of any event initiators. There will be no degradation in the performance of, or an increase in the number of challenges imposed on, safety related equipment assumed to function during an accident situation. There will be no change to normal plant operating parameters or accident mitigation performance.

Therefore, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed amendment will not create the possibility of a new or different kind of accident because inoperability of one RHR subsystem is not an accident precursor.

There are no hardware changes nor are there any changes in the method by which any plant system performs a safety function. This request does not affect the normal method of plant operation. The proposed amendment does not introduce new equipment, or new way of operation of the system which could create a new or different kind of accident. No new external threats, release pathways, or equipment failure modes are created. No new accident scenarios, transient precursors, failure mechanisms, or limiting single failures are introduced as a result of this request.

Therefore, the implementation of the proposed amendment will not create a possibility for an accident of a new or different type than those previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

Columbias ECCS is designed with sufficient redundancy such that a low pressure ECCS subsystem may be removed from service for maintenance or testing. The remaining subsystems are capable of providing water and removing heat loads to satisfy the final safety analysis report (FSAR) requirements for accident mitigation or plant shutdown. A PSA evaluation concluded that the risk contribution of the CT extension is very small. There will be no change to the manner in which safety limits or limiting safety system settings are determined nor will there be any change to those plant systems necessary to assure the accomplishment of protection functions. There will be no change to post-LOCA peak clad temperatures.

For these reasons, the proposed amendment does not involve a significant reduction in a margin of safety.

GO2-16-119 Page 26 of 27 Based on the above, Energy Northwest concludes that the proposed amendment presents no significant hazards considerations under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

4.4 CONCLUSION

S The proposed amendment will provide a one-time change to TS condition 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A completion times, to allow RHR train A to be inoperable for up to 14 days. Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be adverse to the common defense and security or the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

Title 10 of CFR 51.22(c)(9) identifies certain licensing and regulatory actions, which are eligible for categorical exclusion from the requirement to perform an environmental assessment. A proposed amendment to an operating license for a facility does not require an environmental assessment if operations of the facility in accordance with the proposed amendment would not: (1) involve a significant hazards consideration; (2) result in a significant change in the types or significant increase in the amounts of any effluents that may be released offsite; or (3) result in a significant increase in individual or cumulative occupational radiation exposure. Energy Northwest has evaluated the proposed change and determined that the proposed change meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Accordingly, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessments needs to be prepared in connection with the issuance of the amendment. The basis for this determination, using the above criteria, follows:

Basis As demonstrated in the No Significant Hazards Consideration evaluation, the proposed amendment does not involve a significant hazards consideration. There is no significant change in the operational transients. The proposed change does not involve any physical alteration of the plant. No new or different type of equipment will be installed. The proposed change does not involve any change in methods governing normal plant operation. There is no significant increase in individual or cumulative occupational radiation exposure.

GO2-16-119 Page 27 of 27

6.0 REFERENCES

1. Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk- Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 2, dated May 2011
2. RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making:

Technical Specifications, Revision 1, dated May 2011

3. RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009
4. EPRI 1016737, Treatment of Parameter and Model Uncertainty for Probabilistic risk Assessments, dated December 2008

GO2-16-119 Technical Specification Markups

ECCS - Operating 3.5.1 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM 3.5.1 ECCS - Operating LCO 3.5.1 Each ECCS injection/spray subsystem and the Automatic Depressurization System (ADS) function of six safety/relief valves shall be OPERABLE.

APPLICABILITY: MODE 1, MODES 2 and 3, except ADS valves are not required to be OPERABLE with reactor steam dome pressure d 150 psig.

ACTIONS

NOTE-----------------------------------------------------------

LCO 3.0.4.b is not applicable to HPCS.

CONDITION REQUIRED ACTION COMPLETION TIME A. One low pressure ECCS A.1 Restore low pressure 7 days(1) injection/spray ECCS injection/spray subsystem inoperable. subsystem to OPERABLE status.

B High Pressure Core B.1 Verify by administrative Immediately Spray (HPCS) System means RCIC System is inoperable. OPERABLE when RCIC System is required to be OPERABLE.

AND B.2 Restore HPCS System to 14 days OPERABLE status.

(1)

The Completion Time that one train of RHR (RHR-B) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-B from the modification activity. Upon successful restoration of RHR-B, this footnote is no longer applicable and will expire at 05:00 PST on February 9, 2015. The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 Columbia Generating Station 3.5.1-1 Amendment No. 187 225 230

ECCS - Operating 3.5.1 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.5.1-2 Amendment No. 187 225 230

RHR Drywell Spray 3.6.1.5 3.6 CONTAINMENT SYSTEMS 3.6.1.5 Residual Heat Removal (RHR) Drywell Spray LCO 3.6.1.5 Two RHR drywell spray subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One RHR drywell spray A.1 Restore RHR drywell spray 7 days(1) subsystem inoperable. subsystem to OPERABLE status.

B. Two RHR drywell spray B.1 Restore one RHR drywell 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> subsystems inoperable. spray subsystem to OPERABLE status.

C. Required Action and C.1 --------------NOTE--------------

associated Completion LCO 3.0.4.a is not Time not met. applicable when entering MODE 3.

Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (1))

The Completion Time that one train of RHR (RHR-B) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-B from the modification activity. Upon successful restoration of RHR-B, this footnote is no longer applicable and will expire at 05:00 PST on February 9, 2015. The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.6.1.5-1 Amendment No. 149,169,225,230,236

RHR Suppression Pool Cooling 3.6.2.3 3.6 CONTAINMENT SYSTEMS 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling LCO 3.6.2.3 Two RHR suppression pool cooling subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One RHR suppression A.1 Restore RHR suppression 7 days(1) pool cooling subsystem pool cooling subsystem to inoperable. OPERABLE status.

B. Required Action and B.1 ---------------NOTE--------------

associated Completion LCO 3.0.4.a is not Time of Condition A not applicable when entering met. MODE 3.

Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> C. Two RHR suppression C.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> pool cooling subsystems inoperable. AND C.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (1)

The Completion Time that one train of RHR (RHR-B) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-B from the modification activity. Upon successful restoration of RHR-B, this footnote is no longer applicable and will expire at 05:00 PST on February 9, 2015. The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.6.2.3-1 Amendment No. 149,169,225,230,236

GO2-16-119 Clean Technical Specification Pages

ECCS - Operating 3.5.1 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM 3.5.1 ECCS - Operating LCO 3.5.1 Each ECCS injection/spray subsystem and the Automatic Depressurization System (ADS) function of six safety/relief valves shall be OPERABLE.

APPLICABILITY: MODE 1, MODES 2 and 3, except ADS valves are not required to be OPERABLE with reactor steam dome pressure d 150 psig.

ACTIONS

NOTE-----------------------------------------------------------

LCO 3.0.4.b is not applicable to HPCS.

CONDITION REQUIRED ACTION COMPLETION TIME A. One low pressure ECCS A.1 Restore low pressure 7 days(1) injection/spray ECCS injection/spray subsystem inoperable. subsystem to OPERABLE status.

B High Pressure Core B.1 Verify by administrative Immediately Spray (HPCS) System means RCIC System is inoperable. OPERABLE when RCIC System is required to be OPERABLE.

AND B.2 Restore HPCS System to 14 days OPERABLE status.

(1)

The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.5.1-1 Amendment No. 187 225 230

RHR Drywell Spray 3.6.1.5 3.6 CONTAINMENT SYSTEMS 3.6.1.5 Residual Heat Removal (RHR) Drywell Spray LCO 3.6.1.5 Two RHR drywell spray subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One RHR drywell spray A.1 Restore RHR drywell spray 7 days(1) subsystem inoperable. subsystem to OPERABLE status.

B. Two RHR drywell spray B.1 Restore one RHR drywell 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> subsystems inoperable. spray subsystem to OPERABLE status.

C. Required Action and C.1 --------------NOTE--------------

associated Completion LCO 3.0.4.a is not Time not met. applicable when entering MODE 3.

Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (1)

The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.6.1.5-1 Amendment No. 149,169,225,230,236

RHR Suppression Pool Cooling 3.6.2.3 3.6 CONTAINMENT SYSTEMS 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling LCO 3.6.2.3 Two RHR suppression pool cooling subsystems shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. One RHR suppression A.1 Restore RHR suppression 7 days(1) pool cooling subsystem pool cooling subsystem to inoperable. OPERABLE status.

B. Required Action and B.1 ---------------NOTE--------------

associated Completion LCO 3.0.4.a is not Time of Condition A not applicable when entering met. MODE 3.

Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> C. Two RHR suppression C.1 Be in MODE 3. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> pool cooling subsystems inoperable. AND C.2 Be in MODE 4. 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (1)

The Completion Time that one train of RHR (RHR-A) can be inoperable as specified by Required Action A.1 may be extended beyond the 7 day completion time up to 7 days to support restoration of RHR-A following pump and motor replacement. This footnote will expire at 23:59 PST February 28, 2019.

Columbia Generating Station 3.6.2.3-1 Amendment No. 149,169,225,230,236

GO2-16-119 Summary of Regulatory Commitments

GO2-16-119 List of Regulatory Commitments The following table identifies the regulatory commitments in this document. Any other statements in this submittal regarding intended or planned actions, are provided for information purposes, and are not considered to be regulatory commitments.

Type Scheduled Commitment Continuing Completion Date One-Time Compliance Compensatory Measures outlined in section 3.6 of Upon implementation of the of this one-time completion time letter will be X extension supporting RHR implemented during the Train A pump and motor period of the proposed replacement.

completion time

GO2-16-119 Probabilistic Risk Assessment (PRA)

RHR CT Extension Risk Evaluation Table of Contents 1. Introduction ............................................................................................................................ 2

2. Technical Approach ............................................................................................................... 7

3. Results ................................................................................................................................... 9

4. PRA Assumptions and Uncertainties ................................................................................... 21

5. PRA Quality ......................................................................................................................... 46

6. Sensitivity and Uncertainty Analyses ................................................................................... 51

7. Compensatory Measures and Conclusions ......................................................................... 52

8. References .......................................................................................................................... 55

Attachment A .............................................................................................................................. 57

Attachment B .............................................................................................................................. 80

Page i

RHR CT Extension Risk Evaluation

1. Introduction 1.0 PURPOSE This evaluation provides the calculations and assessment to support a technical specification (TS) completion time (CT) extension from seven days to 14 days for the following limiting conditions for operation (LCOs):

x LCO 3.5.1, Condition A for low pressure ECCS injection/spray subsystems x LCO 3.6.1.5, Condition A for Residual Heat Removal (RHR) drywell spray subsystems x LCO 3.6.2.3, Condition A for RHR suppression pool cooling subsystems.

1.1 BACKGROUND

1.1.1 Technical Specification Changes Since the mid-1980s, the NRC has been reviewing and granting improvements to TS that are based, at least in part, on probabilistic risk assessment (PRA) insights. In its final policy statement on TS improvements of July 22, 1993, the NRC stated that it . . .

. . . expects that licensees, in preparing their Technical Specification related submittals, will utilize any plant-specific PSA or risk survey and any available literature on risk insights and PSAs. . . Similarly, the NRC staff will also employ risk insights and PSAs in evaluating Technical Specifications related submittals.

Further, as a part of the Commissions ongoing program of improving Technical Specifications, it will continue to consider methods to make better use of risk and reliability information for defining future generic Technical Specification requirements.

The NRC reiterated this point when it issued the revision to 10 CFR 50.36, Technical Specifications, in July 1995. In August 1995, the NRC adopted a final policy statement on the use of PRA methods in nuclear regulatory activities that encouraged greater use of PRA to improve safety decision-making and regulatory efficiency. The PRA policy statement included the following points:

1. The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRCs deterministic approach and supports the NRCs traditional defense-in-depth philosophy.
2. PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state of the art, to reduce unnecessary conservatism associated with current regulatory requirements.
3. PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.

Page 2

RHR CT Extension Risk Evaluation

4. The Commission's safety goals and subsidiary numerical objectives are to be used with consideration of uncertainties in making regulatory judgments.

The movement of the NRC to more risk-informed regulation has led to the NRC identifying Regulatory Guides and associated processes by which licensees can submit changes to the plant design basis including Technical Specifications. Regulatory Guides 1.174 [Ref. 1] and 1.177 [Ref. 2] both provide processes to incorporate PRA input for decision makers regarding a Technical Specification modification.

1.2 REGULATORY GUIDES Three Regulatory Guides (RG) provide primary guidance related to risk evaluations of a Technical Specification change. The relevance of these Regulatory Guides in relationship to this applicable are discussed in this section.

1.2.1 Regulatory Guide 1.200, Revision 2 Regulatory Guide 1.200, Revision 2 [Ref. 4] describes an acceptable approach for determining whether the quality of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the PRA results, such that the PRA can be used in regulatory decision-making. This guidance is intended to be consistent with the NRCs PRA Policy Statement.

It is noted that RG 1.200, Revision 2 endorses Addendum A of the ASME/ANS PRA Standard

[Ref. 5] as clarified in Appendix A of RG 1.200, Revision 2.

The Columbia Generating Station (CGS) full power internal events (FPIE) PRA model meets the requirements of RG 1.200 Revision 2. The fire and seismic PRA models do not meet all aspects of the RG 1.200 guidance, but the PRA models are judged to be of sufficient quality for this application and provide insights into dominant risk contributors for fire and seismic events.

The technical adequacy of the CGS PRA models is further discussed in Section 5.0 of this assessment.

1.2.2 Regulatory Guide 1.174, Revision 2 Regulatory Guide 1.174 [Ref. 1] specifies an approach and acceptance guidelines for use of PRA in risk informed activities. RG 1.174 outlines PRA related acceptance guidelines for use of PRA metrics of Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) for the evaluation of permanent TS changes. The guidelines given in RG 1.174 for determining what constitutes an acceptable permanent change specify that the delta (') CDF and the

'LERF associated with the change should be less than specified values, which are dependent on the baseline CDF and LERF, respectively.

RG 1.174 also specifies guidelines for consideration of external events. External events can be evaluated in either a qualitative or quantitative manner.

Since this LAR is for a one-time TS change, the 'CDF and the 'LERF of RG 1.1.74 do not specifically apply and are therefore, not evaluated in this assessment.

Page 3

RHR CT Extension Risk Evaluation 1.2.3 Regulatory Guide 1.177, Revision 1 Regulatory Guide 1.177 [Ref. 2] specifies an approach and acceptance guidelines for the evaluation of plant licensing basis changes. RG 1.177 identifies a three-tiered approach for the evaluation of the risk associated with a proposed TS change as identified below:

x Tier 1 is an evaluation of the plant-specific risk associated with the proposed TS change, as shown by the change in core damage frequency (CDF) and incremental conditional core damage probability (ICCDP). Where applicable, containment performance should be evaluated on the basis of an analysis of large early release frequency (LERF) and incremental conditional large early release probability (ICLERP). The acceptance guidelines given in RG 1.177 for determining an acceptable permanent TS change is that the ICCDP and the ICLERP associated with the change should be less than 1E-06 and 1E-07, respectively. RG 1.177 also addresses risk metric requirements for one-time TS changes, as outline in Section 1.2.4 of this risk assessment.

x Tier 2 identifies and evaluates, with respect to defense-in-depth, any potential risk-significant plant equipment outage configurations associated with the proposed change. The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when equipment associated with the proposed TS change is out-of-service.

x Tier 3 provides for the establishment of an overall configuration risk management program (CRMP) and confirmation that its insights are incorporated into the decision-making process before taking equipment out-of-service prior to or during the completion time. Compared with Tier 2, Tier 3 provides additional risk management actions based on any additional risk significant configurations that may be encountered during maintenance scheduling over extended periods of plant operation. Tier 3 guidance can be satisfied by the Maintenance Rule (10 CFR 50.65(a)(4)), which requires a licensee to assess and manage the increase in risk that may result from activities such as surveillance, testing, and corrective and preventive maintenance.

1.2.4 Acceptance Guidelines Risk significance of a proposed permanent change to Technical Specifications is typically determined by the comparison of changes in CDF and LERF and values of ICCDP and ICLERP and compared to the acceptance guidelines given in RG 1.174 and RG 1.177. RG 1.174 specifies the acceptable changes in CDF and LERF for permanent changes. RG 1.177 specifies the acceptable ICCDP and ICLERP for permanent changes, usually associated with changing TS completion times.

RG 1.177 also directly addresses the risk metric requirements for one-time TS changes, which is most applicable to this risk application. The discussion of acceptance guidelines for one-time TS changes from RG 1.177 are provided below:

For one-time only changes to TS CTs, the frequency of entry into the CT may be known, and the configuration of the plant SSCs may be established.

Page 4

RHR CT Extension Risk Evaluation Further, there is no permanent change to the plant CDF or LERF, and hence the risk guidelines of Regulatory Guide 1.174 cannot be applied directly. The following TS acceptance guidelines specific to one-time only CT changes are provided for evaluating the risk associated with the revised CT:

1. The licensee has demonstrated that implementation of the one-time only TS CT change impact on plant risk is acceptable (Tier 1):

x ICCDP of less than 1.0x10-6 and an ICLERP of less than 1.0x10-7, or x ICCDP of less than 1.0x10-5 and an ICLERP of less than 1.0x10-6 with effective compensatory measures implemented to reduce the sources of increased risk.

2. The licensee has demonstrated that there are appropriate restrictions on dominant risk-significant configurations associated with the change (Tier 2).
3. The licensee has implemented a risk-informed plant configuration control program. The licensee has implemented procedures to utilize, maintain, and control such a program (Tier 3).

The quantitative criteria shown in Table 1-1 are consistent with the acceptance guidelines in RG 1.177 and are judged to represent a reasonable set of acceptance guidelines for this application. These guidelines demonstrate that the risk impacts are acceptably low. These acceptance guidelines combined with effective compensatory measures to further reduce the risk will ensure that the TS temporary change meets the intent of small risk increases consistent with the Commission's Safety Goal Policy Statement.

Table 1-1 PROPOSED RISK ACCEPTANCE GUIDELINES RISK ACCEPTANCE GUIDELINE BASIS ICCDP < 1E-6, or ICCDP is an appropriate metric for assessing risk impacts of out of service equipment per RG ICCDP < 1E-5 with effective compensatory 1.177. This guideline is specified in Section 2.4 measures implemented to reduce the sources of of RG 1.177.

increased risk ICLERP < 1E-7, or ICLERP is an appropriate metric for assessing risk impacts of out of service equipment per RG ICLERP < 1E-6 with effective compensatory 1.177. This guideline is specified in Section 2.4 of measures implemented to reduce the sources of RG 1.177.

increased risk Page 5

RHR CT Extension Risk Evaluation 1.3 SCOPE This section addresses the requirements of RG 1.200, Revision 2, Section 3.1, which directs the licensee to define the treatment of the scope of risk contributors (i.e., internal initiating events, external initiating events, and modes of power operation at the time of the initiator). Discussion of these risk contributors is provided below:

x Full Power Internal Events (FPIE) - This calculation utilizes the CGS Revision 7.2.1 integrated probabilistic risk assessment (PRA) to calculate ICCDP and ICLERP for the internal events PRA. This CT extension applies only to power operation. It is reasonable to conclude that transition risk will be lower as a result of the extension, owing to the lower frequency that the plant will exceed the allowed outage time due to the greater ability to accommodate RHR pump maintenance within the extended completion time interval. This increase in safety has not been quantified for CGS.

x Low Power Operation - The FPIE model is judged to adequately capture risk contributors associated with low power plant operations. The FPIE analysis assumes that the plant is at full power at the time of any internal events transient, manual shutdown, or accident initiating event. This analytic approach results in conservative accident progression timings and systemic success criteria compared to what may otherwise be applicable to an initiator occurring at low power. As such, low power risk impacts are not discussed further in this risk assessment.

x Shutdown / Refueling - The intent is for the unit to remain at-power for the duration of the extended CT. Therefore, there is no increase in risk for shutdown condition. Additionally, it is reasonable to conclude that performing RHR overhauls on-line rather than during outages will increase RHR availability during outages. This should reduce shutdown risk by improving the availability of decay heat removal during shutdown. This increase in safety has not been quantified for CGS. Shutdown risk is not addressed further in this risk evaluation.

x Internal Fires - CGS has a fire PRA model, which was peer reviewed in 2004 and is currently undergoing a significant update. The current Fire PRA model

[Ref. 13] is used to provide both quantitative and qualitative insights to the analysis of the RHR A CT extension.

x Seismic - CGS has a seismic PRA model, which provides quantitative results and is used in this risk assessment. Qualitative risk inputs are also provided for this analysis as well.

x Other External Events - Evaluation of high winds, external floods, volcanic eruption and other external events in the IPEEE per GL 88-20 were submitted to and reviewed by the NRC. The Staff Evaluation Report (Ref. 12) concluded that CGS IPEEE was capable of identifying the most likely severe accidents and severe accident vulnerabilities and the IPEEE met the intent of Supplement 4 to GL 88-20. The IPEEE determined that the recurrence frequency for the maximum tornado wind speed is approximately 1E-07/yr Page 6

RHR CT Extension Risk Evaluation and, as such, maximum wind speed was eliminated as a plant hazard per the Standard Review Plan. Other external events (e.g., external fire, external floods, high winds, volcanic eruption etc.) were considered to be insignificant contributors to severe accidents. The proposed changes are judged to have a negligible effect on the risk profiles from other external events.

2. Technical Approach The integrated CGS PRA model of record, Revision 7.2.1, for internal events, fire and seismic was used to perform the calculations. Revision 7.2.1 was completed in 2016. The following subsections discuss the technical approach used to perform the calculations.

2.1 Residual Heat Removal (RHR) CT Extension Scope To support the RHR CT extension, this evaluation calculates ICCDP and ICLERP for the internal events, seismic, and fire PRA for RHR A (the low pressure coolant injection [LPCI],

suppression pool cooling and drywell spray modes of operation), for an AOT extension from 7 days to 14 days. These values of ICCDP and ICLERP are then compared to the acceptance criteria given in Table 1-1.

2.2 Modeling Notes and Assumptions The following assumptions are made as part of this calculation:

1. This calculation evaluates the change to plant risk for the CT extension for the preventive maintenance case when an RHR A train is electively removed from service.

As directed by PPM 1.3.83 Rev 21, PROTECTED EQUIPMENT PROGRAM [Ref. 9],

when RHR train A is inoperable, RHR train B, diesel generator (DG) 2 and standby service water (SW) train B are protected. To ensure safety margins and defensive in depth for the RHR train A CT extension, the compensatory measures mentioned in the procedure above (protection of RHR train B, DG2 and SW train B) are assumed for this evaluation in the base case. A quantification is also performed without credit for the assumed protected equipment for comparison purposes.

2. This calculation uses equipment mean outage times (average maintenance unavailability). This calculation does not use the zero maintenance states.
3. By the use of house event flags, the RHR train A, which is out of service, is set to be unavailable (logical TRUE). Additionally, in order to fail the drywell spray mode of the RHR A train that is out of service, the PRA quantification sets to TRUE the pump failure-to-start basic event of the RHR train that is out of service (OOS).
4. The PRA model is quantified at a truncation limit of 2E-12. This is consistent with the base quantification of the PRA model and a truncation study performed and documented in the Quantification notebook [Ref.6]. Since the model is re-quantified as part of this evaluation (as opposed to using pre-solved cutsets) and the truncation study has shown the model converged at this truncation level, it is concluded that the truncation level is appropriate for this application.

Page 7

RHR CT Extension Risk Evaluation 2.3 Core Damage Frequency Calculations 2.3.1 Average Maintenance Model The core damage frequency calculations employed the average maintenance model. The average maintenance is solved with all maintenance terms set to the base case average unavailability, except for the maintenance unavailability of protected trains, which are set to zero.

The maintenance unavailability for protected trains is set by flag files as follows:

x RHR A out of service: Flag file settings are:

RHR----B----T3LL (RHR train B unavailable due to maintenance) EQU .F.

EACEDG-2----T3D2 (DG-2 unavailable due to maintenance) EQU .F.

SW-----B----T3LL (SW train B unavailable due to maintenance) EQU .F.

2.3.2 Treatment of Common Cause Failures.

The PRA evaluations examine preventive maintenance cases (i.e., train is electively taken out of service). The following subsections describe the methodology used to appropriately adjust common cause failure unavailability. The Tables A-1 through A-3 document the development in detail.

2.3.2.1 Preventive Maintenance Case For preventive maintenance, RHR-A is electively removed from service. Common cause terms that involve the train in question are not applicable when the train is removed from service, and are set to zero, as the train removed from service is operable prior to removal from service [Ref.

10]. The common cause terms that involve the RHR pump trains that remain in service are recomputed assuming a common cause group of two, as shown in Tables A-1 and A-2.

The CCF adjustments are as follows:

x RHR A out of service: Flag file setting for the CCF values for the corrective maintenance case are:

RHRP-MD-2ABCC3R2 EQU .F.

RHRP-MD-2ABCC3S4 EQU .F.

RHRP-MDABFTRC2LL EQU .F.

RHRP-MDABFTSC2LL EQU .F.

RHRP-MDBCFTRC2LL PROB 5.3E-6 RHRP-MDBCFTSC2LL PROB 1.94E-5 RHRP-MDACFTRC2LL EQU .F.

RHRP-MDACFTSC2LL EQU .F.

2.4 LERF Calculations The LERF and ICLERP were computed using the Rev. 7.2.1 PRA LERF modeling, in a manner similar to the quantifications described above for CDF.

Page 8

RHR CT Extension Risk Evaluation 2.5 Computation Approach Results for each PRA quantification were placed in an Excel file for calculation of ICCDP ICLERP. The computation results are summarized in Table A-10 of Attachment A.

The following equations were used for the computations [Ref. 2]:

The ICCDP and ICLERP are computed using their definitions in RG 1.177. The formulas are as follows:

ICCDP(YOOS) = (CDFYOOS - CDFBASELINE)*¨T Where:

ICCDP(YOOS) is the ICCDP with train Y out of service, CDFYOOS is the CDF computed with train Y out of service, CDFBASELINE is the baseline, average-maintenance case CDF, and

¨T is the extension of the CT converted to units consistent with the CDF frequency units (14 days

  • 1 yr / 365 days = 3.84E-2 yr).

Similarly, ICLERP is computed as follows:

ICLERP(YOOS) = (LERFYOOS - LERFBASELINE)

  • 3.84E-2 yr Where:

ICLERP(YOOS) is the ICLERP with train Y out of service, LERFYOOS is the LERF computed with train Y out of service, and LERFBASELINE is the LERF baseline, average-maintenance case LERF.

3. Results The ICCDP and ICLERP results are presented in Tables 3-1 and 3-2.

Table 3-1 represents the average maintenance results with RHR A out of service (OOS) without protected trains as required by PPM 1.3.83 (i.e., no compensatory measures).

Table 3-2, represents the base case average maintenance results with protected trains as directed by PPM 1.3.83.

The ICCDP and ICLERP were compared with guidance thresholds of less than or equal to an ICCDP of 1E-6 and an ICLERP of 1E-7 [Ref. 2]. All results for the RHR A CT extension application base case were less than the guidance thresholds. The results include significant margin to the maximum allowed changes (1E-5 ICCDP and 1E-6 ICLERP) while still having the total CDF < 1E-4/year and LERF < 1E-5/year. There is margin to accommodate additional risk due to non-RG 1.200 fire and seismic PRA models and still be within acceptable limits.

Page 9

RHR CT Extension Risk Evaluation Table 3-1 14-DAY RHR CT EXTENSION RISK RESULTS Average Maintenance Model without protected Trains per PPM 1.3.83 Acceptance Risk Metric PRA Results Guideline RHR-A_OOS - ICCDP (Total) 8.32E-7

< 1.0E-6 RHR-A_OOS- ICCDP (Internal Events) 3.52E-7 RHR-A_OOS- ICCDP (Fire) 3.04E-7 RHR-A_OOS- ICCDP (Seismic) 1.75E-7 RHR-A_OOS - ICLERP (Total) 1.23E-9 RHR-A_OOS - ICLERP (Internal Events) < 1.0E-7 1.15E-10 RHR-A_OOS - ICLERP (Fire) 1.11E-9 RHR-A_OOS - ICLERP (Seismic) Negligible Table 3-2 14-DAY EXTENSION PREVENTIVE MAINTENANCE Average Maintenance Model with protected Trains per PPM 1.3.83 Acceptance Risk Metric PRA Results Guideline RHR-A_OOS - ICCDP (Total) < 1.0E-6 6.25E-7 RHR-A_OOS- ICCDP (Internal Events) 2.10E-7 RHR-A_OOS- ICCDP (Fire) 2.73E-7 RHR-A_OOS- ICCDP (Seismic) 1.41E-7 RHR-A_OOS - ICLERP (Total) < 1.0E-7 6.90E-10 RHR-A_OOS - ICLERP (Internal Events) 7.67E-11 RHR-A_OOS - ICLERP (Fire) 6.14E-10 RHR-A_OOS - ICLERP (Seismic) Negligible 3.1 Dominant Risk Contributors and Insights - RG 1.177 Tier 2 As part of addressing the RG 1.177 Tier 2 guidance, dominant sequences for the RHR A CT extension are calculated. Based on these results, dominant risk contributors and insights are discussed in the following subsections. These insights are found to be reasonable for the RHR A CT extension application, and support demonstrating the validity of the PRA for assessing the proposed TS changes. LERF was not addressed in this section because the ICLERP results are very small (< 1E-9).

3.1.1 Insights Derived from Accident Sequences with Significant Change in the Birnbaum Importance Measure Relative to Base Case Results This discussion focuses on risk contributors with the most significant Birnbaum increases from the baseline model as a result of the assumed CT extension. These cutsets were identified by comparing the base model sequence results to the sequence results for the PRA quantification Page 10

RHR CT Extension Risk Evaluation assuming RHR A out of service. These sequences were then sorted by the largest change in the Birmbaum importance measure.

The cutsets below are the top cutsets for the corresponding sequences.

Internal Events Accident Sequences:

FPIE Cutset #1:

INIT-RY-TDC2 :REACTOR YEAR CONVRSN - LOSS OF E-DP-S1/2 EACENG-EDG3-S424 :EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H EACTRL-S----T3-- :TRANSFORMER TR-S OUT FOR MAINTENANCE (MRULE DATA)

EDCC1--2A2B-C3LL :COMMON CAUSE FAIL. OF BATTERY CHARGERS C1-2A AND C1-2B

-L1-SUCC-U2 :RCIC SUCCESS TERM REC-L1-TDC2010 :Sequence Tag REC-L1-TDC2010 The above cutset belongs to sequence TDC2010. This sequence represents loss of DC Div-2 initiating event due to Common Cause failure of battery chargers C1-2A and C1-2B. Reactor Feed Water (RFW) failed due to failure of startup transformer (TR-S). High Pressure Core Spray (HPCS) failed due to random failure of Diesel Generator (DG)3. Reactor Core Isolation Cooling (RCIC) is available at the beginning of the sequence, but failed because suppression pool cooling is not available. Suppression Pool Cooling (SPC) is unavailable because RHR B failed due to failure of chargers to C1-2A and C1-2B and because RHR A is in maintenance.

Sequence REC-L1-TDC2010s Birnbaum value has increased 820 times from its baseline value.

FPIE Cutset #2:

IE-FLD-TLO--RFWM :LARGE RFW LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACENG-EDG3-S424:EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24 hrs PRAAHUS--1B-S3LL :FAN PRA-FN-1B DOES NOT START ON DEMAND RCI---------T3LL :RCIC UNAVAILABILITY DUE TO T & M (MRULE DATA)

REC-L1-FLMRF009 :Sequence Tag REC-L1-FLMRF009 The above cutset belongs to sequence FLMRF009. This sequence represents moderate breaks in RFW which results in the RFW initiating event. The break is assumed to damage all equipment in the turbine building. HPCS failed due to random failure of DG3. RCIC fails because it is out of service for maintenance. Depressurization and low pressure injection (Low Pressure Core Spray (LPCS) available) injection are successful. However, heat removal is not available. RHR B fails due to the random failure of SW-B room cooling and RHR A is OOS for maintenance. Containment vent fails because Control Air System (CAS) is unavailable due to RFW flood in the turbine building. Core damage occurs due to containment failure. Sequence REC-L1- FLMRF009s Birnbaum value has increased 313 times from its baseline value.

FPIE Cutset #3:

IE-FLD-RLO-RCICS :SMALL RCIC LEAK IN REACTOR BLDG - LOCA OUTSIDE containment HPS---------T3LL  : HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

PRAAHUS--1B-S3LL: FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-FLSRC007 : Sequence Tag REC-L1-FLSRC007 Page 11

RHR CT Extension Risk Evaluation The above cutset belongs to sequence FLSRC007. This sequence represents a small RCIC steam break loss of coolant accident (LOCA) outside containment initiating event. HPCS is unavailable because it is OOS for maintenance. RCIC is unavailable due to the break.

Depressurization and low pressure injection are successful (LPCS available). However, heat removal is unavailable. RHR B fails due to a random failure of SW B room cooling and RHR A OOS for maintenance. It is conservatively assumed that containment vent failure occurs due to the flood caused by the RCIC line break. Core damage occurs due to containment failure.

Sequence REC-L1- FLSRC007s Birnbaum value has increased 213 times from its baseline value.

Internal Fire Accident Sequences:

The following Fire event PRA contributors were found to be dominant sequences that have increased when RHR A is removed from service for preventive maintenance, relative to the base case results.

Fire Cutset #1:

LZT12  : TG-12 Full-PAU Burnup - Initiator

-L1-SUCC-U2 : RCIC SUCCESS TERM REC-L1-T(E)N025 : Sequence Tag REC-L1-T(E)N025 The above cutset belongs to sequence T(E)N025. The above sequence represents a fire event in the turbine building corridor, TG-12. Fire damage produces a loss of offsite power, RHR B, RHR C and HPCS, SPC is unavailable (due to RHR A in maintenance). RCIC successfully provides injection, but long term operation of RCIC fails due to unavailability of SPC. Operators can depressurize and maintain level with LPCS, but eventually LPCS will fail because containment fails due to overpressurization. It is conservatively assumed that operators will not be able to vent containment during this sequence and operators cannot use firewater after containment failure. Sequence REC-L1-T(E)N025s Birnbaum value has increased 92 times from its baseline value.

Fire Cutset #2:

LZT12 : TG-12 Full-PAU Burnup - Initiator PTM : FAILURE OF SRV'S RECLOSING FOR TM,TC & LOOP INITIATORS SGTV-AO2A---W3LL : AIR OPERATED VALVE SGT-V-2A FAILS TO CLOSE REC-L1-T(E)N081 : Sequence Tag REC-L1-T(E)N081 The above cutset belongs to sequence T(E)N081. The above sequence represents a fire event in the turbine building corridor, TG-12. Fire damage produces a loss of offsite power, RHR B, RHR C and HPCS. SRV is stuck open (PTM), but depressurization succeeds. SPC is unavailable (due to RHR A in maintenance). RCIC failed due to the stuck open relief valve.

Containment vent fails due to the random failure of the Standby Gas Treatment (SGT) valve.

Core damage occurs due to containment failure. Sequence REC-L1-T(E)N081s Birnbaum value has increased 23 times from its baseline value.

Page 12

RHR CT Extension Risk Evaluation Fire Cutset #3:

T3W07 : RC-7 Detailed Scenario 3 - Initiator EACENG-EDG3-S424 : EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H RCI---------T3LL : RCIC UNAVAILABILITY DUE TO T & M (MRULE DATA)

SGTV-AO2A---W3LL: AIR OPERATED VALVE SGT-V-2A FAILS TO CLOSE REC-L1-TT024 : Sequence Tag REC-L1-TT024 The above cutset belongs to sequence (TT024). The above sequence represents a fire event in the division 2 electrical equipment room, RC07. Fire damage produces a turbine trip, and feedwater (FW), power conversion system (PCS), RHR B and C and control rod drive (CRD) are unavailable due to fire damage. RCIC is out of service for maintenance. HPCS is unavailable due to DG3 random failure. Depressurization and low pressure injection are successful, but SPC is unavailable due to RHR A in maintenance and containment vent fails due to random failure of SGT. Core damage occurs due to containment failure and failure of fire water and SW cross tie due to fire. Sequence REC-L1-TT024s Birnbaum value has increased 11 times from its baseline value.

Seismic Accident Sequences:

The following seismic events PRA contributors were found to be the dominant sequences that have increased when train RHR A is removed from service for preventive maintenance relative to the base case results.

Seismic Cutset #1:

SDS14 : SDS 26 BOP CST LOOP N2 Tank SLOCA - Initiator EACENG-EDG2SS4D2 : EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 HRS NRAC24H-SEIS: No Recovery of Offsite AC w/in 24 hrs. (Seismic)

REC-L1-SDS14-22: Sequence Tag REC-L1-SDS14-22 The above cutset belongs to sequence SDS14-22 and represents a seismic event that results in seismic damage state 14, which is a loss of power conversion system (PCS), the condensate storage tank, offsite power and a small LOCA. RHR B is unavailable due to the unavailability of the division 2 DG (EACENG-EDG2SS4D2). For this particular sequence, high pressure injection fails, but low pressure injection succeeds. Core damage occurs as a result of the unavailability of heat removal systems (i.e., SPC and containment vent). Sequence REC-L1-SDS14-22s Birnbaum value has increased 157 times from its baseline value.

Seismic Cutset #2:

SDS26 : SDS 26 BOP CST LOOP N2 Tank SLOCA - Initiator EACENG-EDG2SS4D2 : EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 HRS NRAC24H-SEIS: No Recovery of Offsite AC w/in 24 hrs. (Seismic)

REC-L1-SDS26-49 : Sequence Tag REC-L1-SDS26-49 The above cutset belongs to sequence SDS26-49 and represents a seismic event that results in seismic damage state 26, which is a loss of PCS, the condensate storage tank, offsite power, and a small LOCA. RHR B is unavailable due to the unavailability of the division 2 DG (EACENG-EDG2SS4D2). The division 1 and 3 DGs fail to initially start, due to release of nitrogen in their vicinity, but are recovered. For this particular sequence, high pressure injection Page 13

RHR CT Extension Risk Evaluation fails, but low pressure injection succeeds. Core damage occurs as a result of the unavailability of heat removal systems. Sequence REC-L1-SDS26-49s Birnbaum value has increased 157 times from its baseline value.

Seismic Cutset #3:

SDS8 : SDS 8 BOP CST LOOP SLOCA - Initiator EACENG-EDG2SS4D2 : EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 HRS NRAC24H-SEIS: No Recovery of Offsite AC w/in 24 hrs. (Seismic)

REC-L1-SDS8-49: Sequence Tag REC-L1-SDS8-49 The above cutset belongs to sequence REC-L1-SDS8-49 and represents a seismic event that results in seismic damage state 8, which is a loss of PCS, the condensate storage tank, offsite power and a small LOCA. RHR B is unavailable due to the unavailability of the division 2 DG (EACENG-EDG2SS4D2). For this particular sequence, high pressure injection fails, but low pressure injection succeeds. Core damage occurs as a result of the unavailability of heat removal systems. Sequence REC-L1-SDS8-49s Birnbaum value has increased 142 times from its baseline value.

Based on the comparison of the above dominant sequences for Internal, Fire and Seismic events relative to base case results, the following insights were derived:

x The Birnbaum value relative to their baseline contribution has increased because RHR-A is removed from service for preventive maintenance.

x This insight is found to be reasonable for the RHR-A CT extension application, and supports the validity of the PRA for assessing the proposed TS changes, especially for fire and seismic.

x Based on the results of the first FPIE cutset, the DC Div 2 battery charger room will be protected.

3.1.2 Insights derived from the most Significant Accident Sequence Contributions.

This discussion focuses on the risk contributors that are most significant when a train of RHR-A is removed from service. The sequences with the top five Birnbaum measures are discussed below.

Internal Events The following internal events sequences were found to be the dominant contributors when a train of RHR-A is removed from service for preventive maintenance.

FPIE Cutset #1:

IE-FLD-T106CONDS : SMALL COND BREAK IN T106 HPS---------T3LL: HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

-L1-SUCC-U2 : RCIC SUCCESS TERM PRAAHUS--1B-S3LL: FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-FLTSW006 : Sequence Tag REC-L1-FLTSW006 The above cutset belongs to sequence FLTSW006, and involves an internal flood that causes loss of plant service water. HPCS is unavailable due to maintenance, but RCIC is available for Page 14

RHR CT Extension Risk Evaluation injection. Core damage occurs due to the unavailability of heat removal systems (i.e., SPC and containment venting). RHR B fails due to the unavailability of SW B room cooling and RHR A is out of service. Containment venting fails due to flood damage.

FPIE Cutset #2:

IE-FLD-TLO--MS-S : SMALL MS LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACENG-EDG3-S424: EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H PRAAHUS--1B-S3LL : FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-FLSMS007: Sequence Tag REC-L1-FLSMS007 The above cutset belongs to sequence FLMS007, and involves a small main steam leak outside containment. High pressure injection is unavailable due to DG3 random failures and RCIC is assumed unavailable due to the steam leak. Reactor Pressure Vessel (RPV) depressurization and low pressure injection succeed. Core damage occurs due to the unavailability of containment heat removal. RHR B failed due to the random failure of SW B room cooling and RHR-A is out for maintenance. Containment venting failed due to the flood.

FPIE Cutset #3:

IE-FLD-TLO--MS-U: MOD MS LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACENG-EDG3-S424: EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H PRAAHUS--1B-S3LL: FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-FLUMS007: Sequence Tag REC-L1-FLUMS007 The above cutset belongs to sequence FLUMS007, and involves a moderate main steam leak outside containment that causes an initiating event. High pressure injection is unavailable due to DG3 random failures and RCIC is assumed unavailable due to the steam leak. RPV depressurization and low pressure injection succeed. Core damage occurs due to the unavailability of containment heat removal. RHR B failed due to the random failure of SW B room cooling and RHR-A is out for maintenance. Containment venting failed due to the flood.

This sequence is similar to the above sequence.

FPIE Cutset #4:

IE-TF : LOSS OF FEEDWATER FREQUENCY IN EVENTS PER REACTOR YEAR CF-FAILS-HPCS-INJ : HPCS INJECTION FAILS DUE TO CONTAINMENT FAILURE RHRHUMNSP-COOLLL: FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING RHRHUMNSWCRTIEXX: OPERATOR FAILS TO CONNECT SW TO RHR-B POST CONTAINMENT FAILURE FP-HUMNSYS62H3LL: OPERATOR FAILS TO CONNECT FIREWATER TO CONDENSATE POST CONTAINMENT FAILURE VENTFAIL: OPERATOR FAILS TO VENT CONTAINMENT REC-L1-TF006: Sequence Tag REC-L1-TF006 The above cutset belongs to sequence TF006, and involves a loss of feedwater initiating event, with success of HPCS, but failure of containment heat removal due to human action (RHRHUMNSP-COOLLL). Containment venting is failed due to human action (VENTFAIL).

Eventually containment fails, which fails HPCS (CF-FAILS-HPCS-INJ). Depressurization succeeds but alternate injection via fire water and the SW cross-tie are not available due to human actions (FP-HUMNSYS62H3LL, RHRHUMNSWCRTIEXX).

Page 15

RHR CT Extension Risk Evaluation FPIE Cutset #5:

IE-FLD-TLORFWS: SMALL RFW LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACENG-EDG3-S424: EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H

-L1-SUCC-U2: RCIC SUCCESS TERM PRAAHUS--1B-S3LL ; FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-FLSRF006: Sequence Tag REC-L1-FLSRF006 The above cutset belongs to sequence FLSRF006, and involves a small reactor feedwater leak outside containment that causes an initiating event. HPCS is unavailable due to random failure of DG3, but RCIC is available for injection. Core damage occurs due to the unavailability of containment heat removal.

For additional information on accident sequence contribution to CDF for the base case where RHR A is OOS, see Table A-11 for significant internal event accident sequences percentage contribution to CDF.

Based on the review of the above dominant sequences, the following insight are identified.

1. RCIC, HPCS, DG3 and SW-B are very important. To avoid risk-significant plant configurations, RCIC, HPCS, and DG3 will be protected. SW B will be protected per PPM 1.3.83. TR-S and HPCS-SW will be protected to support HPCS. RHR C will be protected to provide additional defense in depth for low pressure injection when RHR A is OOS for maintenance.
2. The above cutsets include initiating events from flood in the turbine building. For this reason, the plant will initiate a flood watch tour in the turbine building when RHR A is taken out of service. This measure is not credited in the PRA.
3. Operator actions to cross-tie SW with RHR and to inject with Fire water after containment failure are important. Human actions to align SPC and to vent containment are important. Successful depressurization is also important. Operator awareness briefings will be provided to increase awareness for these actions. In addition, in order to perform the containment venting, the following support systems will be protected:

Standby Gas Treatment (SGT) and Control and Service Air (CAS). These measures are not credited in the PRA.

Internal Fire Fire Cutset #1:

LZT12: TG-12 Full-PAU Burnup - Initiator

-L1-SUCC-U2: RCIC SUCCESS TERM REC-L1-T(E)N025: Sequence Tag REC-L1-T(E)N025 The above sequence (T(E)N025) represents a fire event in the turbine building corridor, TG-12.

Fire damage produces a loss of offsite power, and unavailability of RHR B, RHR C and HPCS.

Depressurization succeeds. SPC is unavailable (due to RHR A in maintenance), RCIC successfully provides injection, but long term operation of RCIC fails due to unavailability of SPC.

Page 16

RHR CT Extension Risk Evaluation Fire Cutset #2:

F4R1D : R-1D Detailed Scenario 4 - Initiator PRAAHUS--1B-S3LL: FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-TF027: Sequence Tag REC-L1-TF027 The above sequence (TF027) represents a fire event in the NW quadrant of the reactor building 471 elevation. Fire damage produces a loss of feedwater / condensate, HPCS, RCIC, and LPCS. High pressure injection is unavailable (due to fire), but depressurization succeeds. LPCI B and C and the service water crosstie are unavailable due to unavailability of service water pump B HVAC (PRAAHUS--1B-S3LL). LPCI A is unavailable due to maintenance. Core damage occurs due to a loss of core cooling.

Fire Cutset #3:

F4R1J: R-1J Detailed Scenario 4 - Initiator HPS---------T3LL: HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

HS-RHRV-MO-23: RHR-V-23 FAILURE CAUSED BY HOT SHORT REC-L1-TF023: Sequence Tag REC-L1-TF023 The above sequence (TF023) represents a fire event in the reactor building 522 elevation. Fire damage produces a loss of feedwater / condensate, RCIC, RHR A, LPCI C and LPCS. HPCS is unavailable due to maintenance (HPS---------T3LL), but depressurization and LPCI B succeed. SPC from Loop B is unavailable due to hot short of RHR-V-23 (HS-RHRV-MO-23).

LPCI / RHR A are unavailable due to maintenance. Core damage occurs due to loss of decay heat removal.

Fire Cutset #4:

T3W07 : RC-7 Detailed Scenario 3 - Initiator EACENG-EDG3-S424: EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 24H

-L1-SUCC-U2 : RCIC SUCCESS TERM LPS---------T3LL: LPCS UNAVAILABILITY DUE TO MAINTENANCE (MRULE DATA)

REC-L1-TT018: Sequence Tag REC-L1-TT018 The above sequence (TT018) represents a fire event in the division 2 electrical equipment room, RC-07. Fire damage produces a turbine trip, and FW / PCS, RHR B and C and CRD are unavailable due to fire damage. RCIC is successful initially, but SPC is unavailable for continued operation for RCIC operation (RHR B is unavailable due to the fire and RHR A is out of service). CRD is unavailable once RCIC reaches operational limits. Late depressurization succeeds, but alternate injection fails due to RHR B and C unavailable due to fire, LPCS is unavailable for maintenance, condensate and SW cross-tie unavailability due to fire.

Page 17

RHR CT Extension Risk Evaluation Fire Cutset #5:

LZW03 : RC-3 Full-PAU Burnup - Initiator REC-L1-SBO-R044: Sequence Tag REC-L1-SBO-R044 The above sequence (SBO-R044) represents a full Physical Analysis Unit ( PAU) area burn-up fire event in the cable chase, RC-03. Fire suppression fails, and this scenario leads directly to core damage due to fire impacts.

For additional results, see Table A-12 for Significant Fire Accident Sequences percentage contribution to CDF.

Based on the review of the above dominant fire sequences, the following insights can be identified.

1. RCIC success, HPCS, DG3, SW-B, and LPCS are very important. To avoid high risk configurations that could exist from equipment taken out of service, the same equipment protected for the internal event will be protected with the addition of LPCS (insight derived from the fire PRA model).
2. The above cutsets include initiating events from fires in the turbine building corridor, TG12, the reactor building 471 and 522, cable chase, and the division 2 electrical and switchgear rooms. This underscores the benefit of establishing a fire watch tour in these areas when RHR-A is taken out of service. Heightened awareness in the form of shift briefs or pre-job walkdown to reduce and manage transient combustibles prior to entrance into the extended completion time will be used to alert the staff about the increased sensitivity to fire. These compensatory measures are not credited in the PRA, but will further reduce the fire risk due to this maintenance configuration.

Seismic Seismic Cutset #1:

SDS2 : SDS 2 BOP CST LOOP SS LOCA - Initiator EACENG-EDG2SS4D2: EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 HOURS NRAC24H-SEIS: No Recovery of Offsite AC w/in 24 hrs. (Seismic)

REC-L1-SDS2-50: Sequence Tag REC-L1-SDS2-50 The above sequence (SDS2-50) represents a seismic event that results in seismic damage state 2, which is a loss of PCS, the condensate storage tank, offsite power and a small-small LOCA. RHR B is unavailable due to the unavailability of the division 2 DG (EACENG-EDG2SS4D2). For this particular sequence, high pressure injection fails due to CST unavailable and operator failed to transfer HPCS to the suppression pool, but depressurization and low pressure injection (LPCS) are successful. Recovery of offsite power failed (NRAC24H-SEIS). Core damage occurs as a result of the unavailability of suppression pool cooling and containment venting.

Page 18

RHR CT Extension Risk Evaluation Seismic Cutset #2:

SDS42 : SDS 42 Failure of RPV and/or Category I Bldgs. - Initiator SEIS-MITGTN-FAIL: NO ADDITIONAL MITIGATION POSSIBLE (SEISMIC SCENARIO)

REC-L1-SDS42-02: Sequence Tag REC-L1-SDS42-02 The above sequence (SDS42-02) represents a seismic event that results in seismic damage state 42, which is a failure of the reactor pressure vessel and proceeds directly to core damage.

Seismic Cutset #3:

SDS41: SDS 41 Wide-spread failure of SSEL equipment - Initiator SEIS-LONGTERM : PROB OF LONG TERM CORE DAMAGE SEQ FOR SDS41 REC-L1-SDS41-01: Sequence Tag REC-L1-SDS41-01 The above sequence (SDS41-01) represents a seismic event that results in widespread failure of ECCS and proceeds directly to core damage.

Seismic Cutset #4:

SDS41 : SDS 41 Wide-spread failure of SSEL equipment - Initiator SEIS-SHRTTERM: PROB OF SHORT TERM CORE DAMAGE SEQ FOR SDS41 REC-L1-SDS41-02: Sequence Tag REC-L1-SDS41-02 The above sequence (SDS41-02) represents a seismic event that results in widespread failure of ECCS and proceeds directly to core damage.

Seismic Cutset #5:

SDS2: SDS 2 BOP CST LOOP SS LOCA - Initiator PRAAHUS--1B-S3LL: FAN PRA-FN-1B DOES NOT START ON DEMAND REC-L1-SDS2-47: Sequence Tag REC-L1-SDS2-47 The above sequence (SDS2-47) represents a seismic event that results in seismic damage state 2, which is a loss of PCS, the condensate storage tank, offsite power and a small-small LOCA. RHR B is unavailable due to the unavailability of SW B HVAC (PRAAHUS--1B-S3LL).

For this particular sequence, high pressure injection fails because CST fail and operator fails to transfer HPCS to the suppression pool, but depressurization and low pressure injection (LPCS) succeed. Offsite power is recovered within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, but core damage occurs as a result of the unavailability of SPC and containment venting.

For additional results, see Table A-13 for Significant Seismic Event Accident Sequences percentage contribution to CDF.

No additional insights were identified based on the review of the above dominant seismic sequences.

Page 19

RHR CT Extension Risk Evaluation 3.2 Avoidance of Risk-Significant Plant Configurations (RG 1.177 Tier 2)

The following insight was derived from risk significant contributors based on basic events importance measures (Fussell-Vesely and risk achievement worth (RAW)) listed in Table A-4 through A-9.

Maintenance unavailability basic events for HPCS, TRS, DG3, SW-HPCS, RCIC, and LPCS are risk-significant plant contributors. The insights gained based on the review of importance measures are consistent with the results of the review of dominant sequences.

Examination of the risk reductions for avoiding these plant configurations are examined included in Section 6.

Table 3-3 Risk-Significant Plant Configurations based on Fussell-Vesely Importance RHR A Out of Service Train Unavailable due to Maintenance Internal Events Fire Seismic HPCS (HPS---------T3LL) x x TRS (EACTRL-S----T3--) x x DG3 (EACEDG-3----T3D3) x x SW-HPCS (SW-----HPCS-T3LL) x x LPCS (LPS---------T3LL) x RHR C (RHR----C----T3LL)

RCIC (RCI---------T3LL) x x Division 2 DC battery chargers basic event (EDCC1--2A2B-C3LL) is a risk-significant plant contributor. The insights gained based on the review of RAW importance measures are consistent with the results of the review of dominant sequences.

3.3 Configuration Risk Management Program (RG 1.177 Tier 3)

Tier 3 is not discussed in this report. The main body of the LAR submittal will address the Tier 3 element.

3.4 Qualitative Evaluation of External Events and Weather-related Risk Evaluation of high winds, external floods, volcanic eruption and other external events in the IPEEE per GL 88-20 were submitted to and reviewed by the NRC. The Staff Evaluation Report concluded that CGS IPEEE was capable of identifying the most likely severe accidents and severe accident vulnerabilities and the IPEEE met the intent of Supplement 4 to GL 88-20. The IPEEE determined that the recurrence frequency for the maximum tornado wind speed is approximately 1E-07/yr and, as such, maximum wind speed was eliminated as a plant hazard per the Standard Review Plan. Other external events (e.g., external fire, external floods, high winds, volcanic eruption etc.) were considered to be insignificant contributors to severe accidents. It is judged that the proposed changes should have a negligible effect on the risk profiles from other external events.

Page 20

RHR CT Extension Risk Evaluation External events risk was examined explicitly through the quantification of the internal fire and seismic evaluations. In addition, fire risk management actions are taken per PPM 1.3.85 as part of the Maintenance Rule fire 10 CFR 50.65(a)4 configuration risk management program. Plant vulnerabilities related to weather conditions are explicitly treated on an average basis through modeling of weather-related impacts to the frequency of offsite power loss. Although no credit is assumed for avoiding weather related impacts for planned preventative maintenance conditions, scheduling of planned maintenance of risk significant equipment and systems during forecasted hazardous weather conditions are avoided through the plant risk management procedures and process.

4. PRA Assumptions and Uncertainties The assessment of uncertainty establishes the level of confidence that can be placed in a decision or conclusion based on a quantitative assessment of risk, with the aim of providing reasonable assurance that the risk-informed decision made based on RG 1.177 guidelines is robust [Ref. 2].

The CGS fire and seismic PRAs are quantified for the RHR CT LAR. The PRAs are based on the Rev. 7.2.1 internal events model. Although the PRAs do not meet all aspects of RG 1.200, the insights derived from them for the RHR CT LAR are judged to be reasonable and applicable based upon the IPEEE development and subsequent updates of the PRA models. However, no formal assessment of modeling uncertainties has been performed for the fire and seismic PRAs.

4.1 Types of Uncertainty There are three general types of probabilistic risk assessment uncertainty, and each is addressed by this evaluation for the FPIE PRA model [Ref. 6]:

1. Parameter uncertainty - The parametric uncertainty evaluation compares the PRA quantification point estimate results to the parametric mean estimates to ensure adequate agreement.
2. Model uncertainty - Model uncertainty is typically handled by making assumptions.

Dispositions for assumptions are treated by assuming alternate assumptions and performing sensitivity analyses as described in Section 4.3.

3. Completeness Uncertainty - The ASME PRA Standard and RG 1.200 provide confidence in the completeness of the treatment of the things we know (that is, scope and level of detail). Safety margins provide protection and margin against the things we do not know. Therefore, completeness uncertainty focuses on evaluation of peer review findings that might require changes to the PRA model. Completeness uncertainty is addressed in Section 4.4, and in the review of PRA quality (Section 5).

4.2 Parametric Uncertainty The parametric evaluation performed for the base internal events model demonstrated that the point estimate mean and parametric mean are judged to be acceptable [Ref. 6].

A mathematical assessment of uncertainty was performed. This evaluation performed a Monte Carlo calculation for 15000 samples, using the sampling characteristics of the distributions in the type code file.

Page 21

RHR CT Extension Risk Evaluation The uncertainty results indicate that the mean CDF, with uncertainty included, is about 6.45E-06 per year, which is about 4.3E-07 per year higher than the plant CDF equation best estimate of 6.02E-06 per year, or about 7% higher. This increase is typical for an uncertainty analysis where most variables are lognormally distributed.

The close agreement between the mean and the point estimate values show that the PRA model produces a reasonable representation of plant risk considering the uncertainty associated with the individual basic event values. Therefore, it is concluded that the parametric uncertainty is adequately addressed.

4.3 Modeling Uncertainties To evaluate the influence of modeling assumptions and uncertainties on the RHR completion time extension, the CGS potential key sources of modeling uncertainty for internal events [Ref.

6] are reviewed in Table 4-1. The review identified no modeling uncertainties that challenge the RHR CT extension.

Page 22

RHR CT Extension Risk Evaluation Table 4-1 Review of Generic Sources of Model Uncertainty Part of Model Plant-Specific Approach Characterization Topic Discussion of Issue Assumptions Made Impact on Model Affected Taken Assessment Initiating Event Analysis (IE)

The LOOP frequency for the The offsite power non-CGS PRA is the plant-specific recovery probabilities that frequency developed in influence the CGS risk NUREG/CR-6890. profile have the following The LOOP events in importance NUREG/CR-6890 were measurements. Only Based on the plant-specific analyzed for CGS to derive a NR30M meets the risk approach and impact to the curve for probability of non- significance threshold: CGS risk profile, offsite The LOOP frequency is a power recovery function of several factors recovery that was applicable to NR19M - RAW = 1, FV =

CGS. This calculation used the probabilities are identified including switchyard 0.00015 same methods, assumptions as a source of model design, the number and NR24-AVE - RAW = uncertainty. Applications of independence of offsite and principles as NUREG/CR-Based on the stability of the 1.057, FV = 0.00196 the PRA should take into power feeds, the local 6890, except that three weather-related events and seven grid- BPA grid and regional NR30M - RAW = 1.011, consideration the power production and assumptions and approach related events were removed. location, offsite power FV = 0.01189 consumption environment for estimation of LOOP Two of the weather-related recovery probabilities NR5-AVE - RAW = 1, FV and the degree of plant non-recovery probabilities,

1. Grid stability events were not used for the assume that the 2003 = 0.00001 control of the local grid 1a) LOOP / SBO and the possible need to CGS calculation because they blackout and specific and grid maintenance. sequences NRAC10-24AVE - RAW = perform sensitivity studies.

are characteristic of Atlantic weather-related LOOPs Two different aspects coast storms and are not events are judged to not be 1, FV = 0 The source of uncertainty relate to this issue: applicable to the CGS site. A applicable to the estimation NRAC24 - RAW = 1.062, related to offsite power 1a. LOOP initiating tornado-related event was of offsite power non- FV = 0.0002 non-recovery probabilities event frequency excluded on the basis that the recovery probabilities. NRAC4 - RAW = 1.009, does not significantly values and two power supplies are very FV = 0.00052 impact the RHR CT LAR, recovery unlikely to be disabled by such as the importance of offsite NRAC5 - RAW = 1.001, probabilities an event. The BPA power grid power loss does not FV = 0.00004 has a large proportion of hydro- change significantly for the power and is not vulnerable to NRAC5-24AVE - RAW = CT extension cases from the grid disturbances that led to 1.024, FV = 0.00025 the base PRA the August 2003 grid blackout. NRAC6 - RAW = 1, FV = 0 quantification results.

The events from the 2003 grid NRAC7 - RAW = 1.005, blackout have been excluded FV = 0.00013 from the calculation of offsite power non-recovery NRAC9 - RAW = 1.011, probabilities for Columbia. FV = 0.00019 Page 23

RHR CT Extension Risk Evaluation Table 4-1 Review of Generic Sources of Model Uncertainty Part of Model Plant-Specific Approach Characterization Topic Discussion of Issue Assumptions Made Impact on Model Affected Taken Assessment The consequential LOOP probability is identified to be a source of model uncertainty, as a plant-specific approach has been applied. Applications of the The industry consequential PRA should take into LOOP probability is 5.3E-3 for consideration the the 1997-2004 period. This assumptions and approach probability is judged to not be for estimation of the representative of CGS. consequential LOOP probability, and the possible need to perform Based on the strong stability of sensitivity studies.

Based on the strong stability the BPA grid due to its large The risk-importance of the and in-depth analysis by The source of uncertainty hydro-electric base within the consequential LOOP BPA along with agreements related to offsite power Federal Columbia River probability is: FV = 2.4E-Grid stability 1b) Conditional LOOP to periodically re-evaluate conditional LOOP 1b) All Transmission System (FCRTS ) 3 and RAW = 3.4, which is (continued) probability the stability of the network, probability does not network (the grid supply of risk significant.

the consequential LOOP significantly impact the offsite power to CGS), the modeled in the CGS PRA is RHR CT LAR, as the assumptions associated with assigned to be 1E-3. importance of offsite power grid stability are well supported.

CGS plant scrams from power loss does not change have not resulted in a significantly for the CT subsequent loss of an offsite extension cases from the power source due to the BPA base PRA quantification grid becoming unstable over the results. Notwithstanding history of operation. the insignificant influence of offsite power loss on the RHR CT extension, a sensitivity is performed in which the offsite power loss frequency and conditional LOOP probability are increased.

Success Criteria (SC)

Page 24

RHR CT Extension Risk Evaluation Table 4-1 Review of Generic Sources of Model Uncertainty Part of Model Plant-Specific Approach Characterization Topic Discussion of Issue Assumptions Made Impact on Model Affected Taken Assessment Loss of containment heat The unavailability modeled removal leading to long- for HPCS following With the exception of HPCS, term containment over- containment failure is containment failure causes loss pressurization and failure identified as a source of of all other ECCS pumps due to can be a significant modeling uncertainty, environmental impacts.

contributor in some based on its significant HPCS is environmentally impact on the risk profile PRAs. Consideration of qualified for LOCA conditions. and potential the containment failure A containment failure releasing conservatism.

mode might result in steam into the HPCS pump Likelihood for HPCS failure Applications of the PRA additional mechanical

8. Core cooling room would be assumed to fail Conservatively, the CGS following containment should include failures of credited success Core cooling success HPCS. However, if containment PRA assumes that if the failure, basic event CF- consideration of this systems. Containment following following failure occurs in the lower third containment is failed in the FAILS-HPCS-INJ, has a source of uncertainty.

venting through soft containment containment failure of the structure, HPCS is lower one-third, the significant impact on the ducts or containment The source of uncertainty failure or or venting through conservatively modeled to fail. environmental impacts CGS risk profile - FV =

failure can result in loss related to unavailability of venting through non hard pipe vent If failure is in the upper two- would fail HPCS. 2.68E-1, RRW = 1.36, of core cooling due to HPCS following non hard pipe paths thirds of the structure than RAW = 3.82 environmental impacts on containment failure does vent paths HPCS is modeled to not be equipment in the not significantly impact the impacted by environmental reactor/auxiliary building, RHR CT LAR, as the impacts.

loss of NPSH on ECCS importance of the pumps, steam binding of HPCS pump NPSH and suction applicable basic event ECCS pumps, or damage temperature requirements were does not change to injection piping or reviewed, and were determined significantly for the CT valves. There is no to be adequate after the extension cases from the definitive reference on containment failure and SP base PRA quantification the proper treatment of depressurization (Ref. 6). results.

these issues.

Systems Analysis (SY)

Page 25

RHR CT Extension Risk Evaluation Table 4-1 Review of Generic Sources of Model Uncertainty Part of Model Plant-Specific Approach Characterization Topic Discussion of Issue Assumptions Made Impact on Model Affected Taken Assessment

1) No applicable uncertainties Some plants have 2) Source of uncertainty incorporated digital for the base model based systems into their on risk significance.

designs or to replace 1) Loss of reactor 1) No applicable 1) Digital control failure Applications that existing analog systems. 1) Failure of RFW digital control encompass RFW system Supplementary Topic feedwater assumptions reflected in historical plant There are model for IEs reflected in Bayesian availability may need to 12 - Digital sequences 2) Likelihood of digital data uncertainties associated update of loss of RFW IE examine more closely the instrumentation and 2) Transient failure control is estimated 2) Risk significant: RRW =

with modeling digital 2) Failure of digital control post- reliability of the digital control sequences with to be RFW-DIGITALFW = 1.005, RAW = 3.67, FV =

systems, such as those trip modeled explicitly feedwater control system.

related to determining the RFW available 2E-3 5.3E-3 The source of uncertainty failure modes of these related to reliability of the systems and digital feedwater control components. system does not significantly impact the RHR CT LAR.

Page 26

RHR CT Extension Risk Evaluation 4.4 Completeness Uncertainty Completeness uncertainty as it relates to the RHR CT LAR is documented in Table 4-2.

Page 27

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Accident Sequence Analysis (AS)

Impacts LOOP CDF by small impact to overall risk profile. This is retained as an uncertainty area to LOOP accident consider for PRA sequences applications.

Based on examination of T(E)N062, For the LOOP event tree, Inclusion of RCIC Modeling of RCIC the LOOP event tree [Ref. The source of uncertainty T(E)N065, the development of the operation for this branch was excluded from Inclusion of RCIC 6], the LOOP CDF may related to RCIC modeling T(E)N069, failure branch for P (SORV) would add considerable development of the operation was decrease by about 3.6E- for LOOP sequences does T(E)N072, excludes the possibility to complexity to these failure branch for P conservatively 10/rx-year if RCIC operation not significantly impact the T(E)N074, utilize RCIC for high relatively low-contributing (SORV) in the excluded. is taken into account, which RHR CT LAR, as the T(E)N078, pressure injection. accident sequences. LOOP event tree. is equivalent to a Fussell importance of offsite power T(E)N081, Vesely of 6E-5. loss does not change T(E)N082, and significantly for the CT T(E)N083.

extension cases from the base PRA quantification results.

Page 28

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment A 12.5 gpm reactor recirculation pump seal leakage rate results in RCIC unavailability due to backpressure A seal leakage rate trip at about 10 of 12.5 gpm is hours [MAAP judged to be No impact to CDF for the calculation appropriate estimate base PRA. This area of CGS080102, for most CGS uncertainty is retained for Refs. 22 and 21]. accident sequences. consideration for PRA If a 36 gpm rate is For scenarios A sensitivity was performed applications.

assumed, involving extended to examine a 6-hour time to The source of uncertainty backpressure trip operation of RCIC recover offsite power for related to recirc seal The assumed reactor occurs at about using the EDG 4 LOOP sequences T(E)027 leakage during a loss o of Reactor recirculation pump recirculation pump seal 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> [MAAP crosstie, a maximum See plant-specific and T(E)029, and offsite offsite power conditional seal leakage rate for LOOP leakage rate is an area of calculation postulated seal approach taken. power and diesel recoveries LOOP probability does not and SBO modeling uncertainty for plant CGS080104a, leakage rate of 36 for SBO-I sequences S60 significantly impact the RHR PRAs. Ref. 6]. gpm is used to and S61, instead of a 9- CT LAR, as the importance Assuming the examine timing.

hour time. There was no of offsite power loss does maximum The issue of seal impact to CDF [Ref. 6]. not change significantly for expected rate of leakage rate is the CT extension cases 36 gpm would evaluated in the from the base PRA reduce the time treatment of quantification results.

available to uncertainties and recover offsite assumptions in the power from LOOP quantification sequences S27 notebook [Ref. 6].

and S29 and offsite power and diesel recoveries for SBO-I sequences S60 and S61 to about 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

Page 29

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Although there is no significant impact on the overall plant risk profile, consideration of this potential area of uncertainty may be needed for PRA Due to potential applications.

LOOP sequences complications during SW cross-tie to the If alternate injection was T(E)N018, The source of uncertainty LOOP conditions, credit RHR system and Fire available, LOOP sequences T(E)N027, related to the SW cross-tie SW cross-tie to the RHR for alternate injection from Protection water to the T(E)N027, T(E)N047, T(E)N047, Modeling to the RHR system and FP system and Fire Protection SW or FP was not condensate system T(E)N057, T(E)N074, T(E)N057, assumption based water modeling for loss of water modeling for loss of credited. EDG 2 is are assumed to not be T(E)N082 may reduce T(E)N074, on judgment. offsite power sequences offsite power sequences required for the SW cross- available for loss of significantly. The total CDF T(E)N082, does not significantly tie, and FP operation offsite power for these sequences is T(E)N099, impact the RHR CT LAR, as relies on the diesel-driven sequences. about 1.5E-8/rx-year.

T(E)N0107. the importance of offsite fire pumps.

power loss does not change significantly for the CT extension cases from the base PRA quantification results.

Page 30

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment A conservative sensitivity analysis was performed.

The impact to CDF is on the order of 1E-5/rx-year. For the sensitivity, the following conservative assumptions were made: - A simplified fault tree that accounts for a Based on the risk loss of normal HVAC and a significance of this The operators are completeness uncertainty, loss of emergency HVAC assumed to open the assumption that due to a loss of SW A, B or doors / install fans operators will open main loss of SW A, B and C was given a loss of HVAC, control room doors, given a prepared. - On a loss of however, ABN-HVAC loss of HVAC is a key the control room HVAC, does not direct these assumption. All PRA operators will not open actions. Also, the applications should doors to control room control room is consider the potential temperature (ABN-HVAC The control room is expected to not impact that this assumption does not direct opening Control room heat-up and Loss of control modeled to be temperatures that has on risk-informed doors) - Given a loss of Control Room Habitability habitability require more room HVAC habitable given a challenge habitability, decisions.

control room HVAC, the analysis. modeling loss of control room however, room heat-up control room will become In the event of a loss of HVAC calculations for non-uninhabitable (no room control room habitability, SBO for periods of 24 heat-up calculations have alternate shutdown credits hours and greater been performed for non-sbo RCIC, not LPCI, and have not been conditions) - The likelihood manual containment modeled. Room heat-for operators to evacuate venting, not suppression up was found to be the control room and shut pool cooling. This source of relatively fast based on down the plant using completeness uncertainty analyses for other remote shutdown is 1E-3. - therefore does not impact plants [Ref. 6].

It is assumed that operators the RHR CT extension have RCIC as well as application.

manual containment vent, for shutting down the plant.

Operators can utilize RCIC only for core cooling; low pressure injection is unavailable due to the loss of service water.

Page 31

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Potential risk-significant impact on the overall plant risk profile; consideration of Examine whether the The ISLOCA this potential area of ISLOCA event tree accident sequence uncertainty may be needed modeling can be refined, modeling was for PRA applications.

now that credit is taken for developed with the ISLOCA modeling - Refine the reactor building floor assumption that the The ISLOCA modeling is See plant-specific The potential CDF conservative, from the the modeling drain isolation valves (the ISLOCA floor drain isolation approach. reduction is 1%. perspective that it doesnt phenomenological impacts valves are now valves could not be periodically tested, and credited. This credit isolation of floor credit for this was taken in modeling could be drains in the reactor Rev. 7.2 for the internal refined as building basement.

flooding analysis). applicable. ISLOCA is not a significant contributor related to the RHR CT extension quantification results.

In the SBO event trees, given a failure to recover offsite power, and given that the EDG 3 crosstie is There is no significant successful, EDG power is impact on the overall plant assumed available to risk profile, but either Div 1 or Div. 2 and consideration may be Assumption made to the EAC recovery node is needed for PRA reduce model not questioned (i.e., applications.

complexity. Adding compare sequences SBO-an EAC node also The source of uncertainty I008 and SBO-I078). The SBO sequences SBO sequences SBO-I008, Recovery of EDG 1 or EDG may have limited related to recovery of the EAC node could have SBO-I008, SBO- See discussion of SBO-I078, SBO-R008, and 2 given successful crosstie value, as EDGs does not significantly been considered on I078, SBO-R008, issue. SBO-R052 make no of EDG 3 dependencies may impact the RHR CT LAR, as Sequence SBO-I008 and and SBO-R052 contribution to CDF.

exist between the the importance of SBO SBO-I078 (SBO-R008 EDG 3 cross tie and sequences does not and SBO-R052) such that EDG 1 and EDG 2 change significantly for the success of the EAC node generator repair. CT extension cases from would mean that two the base PRA quantification EDGs are available (i.e.,

results.

EDG power to both Division 1 and 2).

However, this level of detail was not included in the model.

Page 32

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment There is no significant impact on the overall plant risk profile, but consideration may be DC power load shedding needed for PRA was not credited for the applications.

SORV sequences in the DC power load The source of uncertainty Modeling DC power load shedding for SBO-I event tree to shedding is not The CDF for SBO-I104 is related DC load shedding SBO-I sequence assumption to SBO sequences that involve reduce complexity. The credited for the SORV below the 2E-12/yr does not significantly SBO-I104 reduce model a SORV SBO modeling is split sequences in the SBO- truncation. impact the RHR CT LAR, as complexity.

among two event trees I event tree. the importance of SBO and currently involve sequences do not change considerable complexity. significantly for the CT extension cases from the base PRA quantification results.

There is no significant impact on the overall plant ISLOCA leak (i.e., leak Given an ISLOCA risk profile, but The modeling approach rather than rupture) is leak, Phenomenological / Modeling introduces some degree of consideration may be postulated to impact the ISLOCA phenomenological / needed for PRA environmental impacts to assumption for modeling asymmetry.

train that experienced the sequences IS005, environmental impacts ECCS given an ISLOCA analytical ISLOCA does not contribute applications.

failed pressure boundary IS011 to ECCS were leak. convenience. significantly to the overall ISLOCA is not a significant and one other train due to assumed to disable risk profile. contributor related to the environmental impacts. LPCS and LPCI-A train RHR CT extension quantification results.

There is no significant For turbine trip ATWS impact on the overall plant The SRV success risk profile, but from 25% power, the criteria for turbine trip consideration may be turbine bypass system SRV success criteria for TTC2 sequences Modeling ATWS from 25% These TTC2 sequences needed for PRA can handle all power turbine trip ATWS from 25% TTC2026 and assumption based power are assumed to contribute 3.6E-12/rx-year applications.

generated from the power TTC2050. on judgment. be the same as for full to the overall risk profile.

reactor core, and the ATWS is not a significant power Turbine Trip SRVs would not be contributor related to the ATWS.

required. RHR CT extension quantification results.

Page 33

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment An update of the calculation of representative mission time for diesel generators has not yet been performed. It will be Selection of a 6-hour considered in a mission time is judged to be future revision. a consensus approach.

The mission time Consideration of the used for the diesel potential uncertainty should generators is be made, however, for PRA chosen to prevent applications.

masking of The mission time for A longer mission time would The source of uncertainty Calculation of This calculation was LOOP and SBO significant core the diesel generators impact the SBO / LOOP related to the DG mission Representative Mission performed using Rev. 5.0 event tree damage sequences is assigned to be 6 contribution to the risk times does not significantly Time for Diesel Generators of the CGS PRA. sequences by conservative hours. profile. impact the RHR CT LAR, as estimates for the the importance of offsite failure of AC power power loss does not change events due to significantly for the CT conservatism in the extension cases from the diesel run failure base PRA quantification rate. results.

The selection of a six-hour mission time in combination with the lumped recovery method leads to acceptable results The FLDAC event tree (as well as DAC, and DDC FLDAC sequence 8 could event trees) do not model There is a risk-significant reduce as a result of this the W2 function and The W2 function impact to the risk profile, observation. FLDAC therefore do not include was not previously therefore this is a key area sequence 8 contributes Credit for Manual modeling for manual FLDAC, DAC, creditable. W2 can of uncertainty. The None 1.6E-7/yr, to the total core Containment Vent containment vent (ABN- DDC now be added to the modeling is conservative, damage frequency and CONT-VENT). Now that FLDAC, DAC, DDC however, and doesnt therefore a potential 3%

manual containment event trees. contribute significantly to total CDF reduction is venting is modeled, the the RHR CT extension.

possible.

W2 function can be added to these event trees.

Page 34

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment For nuclear power plant safety-related systems, As no industry non-non-recovery probabilities recovery values No alternate approaches at two hours generally are were identified, non- currently available.

Recovery / repair about 0.2, based on a recovery / non- Contribution to risk profile would rely heavily on study performed for EPRI repair probabilities for these initiators is small skill-of-craft operator

[Ref. 6]. However, the were assumed. The and judged to be actions. The following evaluation of non- Event tree failure probabilities reasonable. PRA non-recovery / non-recovery for electrical sequences for are judged to be applications that are repair probabilities systems in the study dual loss of 125 appropriately The RAW and RRW values influenced by the Non-recovery Probabilities were assigned based focused on diesel VDC Division 1 conservative given for the non-recovery events availabilities of electrical for Losses of Divisional AC on engineering generators. Since no and 2 power and the lack of guidance are 1.0, indicating a equipment should take into or DC Power due to judgment:

specific information was dual loss of 4160 / data / research. negligible impact on the consideration that the non-Common Cause Failure Non-recovery in:

found regarding the VAC Division 1 There is no CGS risk profile. recovery values are based likelihood for recovery and 2 power significant impact on 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> - 0.5 on engineering judgment.

divisional dc or ac power (DDC and DAC) the overall plant risk 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> - 0.5 buses, engineering profile, as discussed The modeling of dual losses 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> - 0.5 judgment, including in the quantification of ac power and dc power 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> - 0.3 considerations of time and notebook [Ref. 6] dont contribute significantly 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> - 0.1 to the RHR CT extension manpower available, was but consideration used to assess the may be needed for results.

following recovery failure PRA applications.

probabilities.

Success Criteria (SC)

Page 35

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment This is retained as a candidate modeling uncertainty. PRA applications should consider in more detail the realism of this PRA The PRA modeling modeling, and whether The potential need to turn off Some in the industry have The PRA model approach conforms to other additional modeling needs The ECCS pumps are low pressure ECCS pumps expressed a potential does not model a plant PRAs. Potential non- to be considered (e.g.,

assumed to be that are running on minimum issue for ECCS pumps Sequences potential impact on conservatism in the PRA model a human failure capable of running an flow within 30 minutes to operating on minimum involving low ECCS pumps if they results. There could be a event for failure to secure extended period on avoid pump damage has flow for extended periods, pressure injection run extended need to model an operator ECCS pumps not in use).

minimum flow without been cited by CGS potentially leading to periods on minimum action to manually turn off damage (hours). The PRA modeling Operations. pump damage. flow. the pumps and turn them back on as needed. approach conforms to other plant PRAs and represents the industry-consensus approach. This is judged to not be a source of modeling uncertainty for the RHR CT extension.

Systems Analysis (SY)

Page 36

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment RHR pump seal cooling is modeled as not required for LPCI pump C, per a CVI calculation [Ref.

6]. It is likely that RHR pumps A and B also should not include the dependency on seal cooling.

The impact on the model is RHR pump room If the seal bearing cooling risk-significant. Therefore cooling calculations dependency is removed this is a key source of were performed for from RHR pumps 1A and modeling uncertainty.

Examine the need for the FSAR assuming 1B, to be consistent the these dependencies for suppression pool The PRA modeling that LPCI pump C, there is no LPCI and suppression cooling was models seal bearing cooling significant change in CDF pool cooling: available. The CDF as required is conservative.

(as the SW dependency for core damage Room cooling is Model refinement to remove Low Pressure Injection and the RHR pumps is retained

1) Do the RHR pump Event Tree sequences modeled assumed to be the conservatism is judged Suppression Pool Cooling due to the dependency on seals require seal cooling, Function V1 by the PRA involve required for the RHR to not change the System Dependencies room cooling).

as modeled by the PRA? failure of pumps A, B, and C. conclusions of this analysis containment heat (for example, the removal, and If the room cooling conclusion that the RHR

2) Do the RHR pumps therefore the FSAR dependency were to be SW crosstie must be require room cooling as room heatup removed from the RHR protected for the corrective modeled by the PRA?

calculations are not pumps, the total CDF maintenance case is judged applicable for the reduces by 3.3E-7/yr, or to not change as a result of PRA. According to 5.4%. addressing this the post fire safe completeness issue).

shutdown analysis, NE-02-85-19, the LPCI C room heats up to 155 degrees F within one hour which is very close to the pump motor design limit of 166 degrees F, (ME 98-18), so certainly more research /

analysis is needed.

Page 37

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment The current plant EOPs credit RCIC suction from the suppression pool up o

to 240 F. Rev. 7.2 of the PRA PRA applications should conservatively did consider whether any not take this credit, impacts arise from this and this is an area If RCIC suction from the modeling incompleteness of completeness suppression pool is (producing slightly uncertainty. credited, CDF reduces by conservative results).

1.98E-8/yr (FV 0.0033).

The PRA models RCIC /

Additionally, it was HPCS suction discovered later in If HPCS suction credits the conservatively. Model No assumption made.

Suction transfer to the the development of automatic signal for refinement to remove the Suction Transfer to the This is an area of suppression pool is All Rev.7.2 that the swapping to the conservatism is judged to Suppression Pool completeness modeled conservatively. HPCS suction fault suppression pool, CDF not change the conclusions uncertainty.

tree logic is also reduces by 2.86E-8/yr (FV of this analysis (for conservative. The 0.0047). example, the conclusion signal for automatic that the RHR SW crosstie transfer is not must be protected for the The combined CDF credited (the valve corrective maintenance reduction is 4.8E-8/yr (FV transfers are case is judged to not 0.008).

modeled, but the change as a result of fault tree logic addressing this requires operators completeness issue).

to perform the suction transfer).

This is an area of completeness uncertainty.

Page 38

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Development of PRA System walkdowns have applications should include not been performed consideration for performing recently to confirm that system walkdowns.

the systems analysis System walkdowns It is judged that system correctly reflects the as- have not been walkdowns would not built, as-operated plant. performed recently significantly alter the The ASME/ANS Standard to confirm that the Potentially risk-significant conclusions of the analysis.

System Walkdowns All None requires system systems analysis impacts. Interviews with system walkdowns, and therefore correctly reflects the engineers were performed maintaining the PRA to as-built, as-operated recently in 2014, which represent the as-built as- plant. identified only minor operated plant ought to potential enhancements for include system system fault tree modeling, walkdowns. none of which are related to RHR.

Human Reliability Analysis (HR)

There are three risk-significant HFEs that still employ the CBDTM+ASEP Given that the Cause combination sum technique. PRA applications should Based Decision Tree Conservatism arising from consider the potential Method (CBDTM) does this technique may affect For Rev. 7.2 most Industry consensus conservatism introduced by not explore the full impact the plant risk profile:

HEPs were revised approach employed. the HEP development for of timing on the induced The cognitive to use either the Some HFEs still MS-HUMNLOUMSH3LL MS-HUMNLOUMSH3LL Use of a combination of stress for cognitive HEPs calculated CBDTM or employ the OPERATOR and multiple methods for decision making, the Rev.

for post initiation HRC/ORE methods. combination sum FAILS TO ISOLATE MOD REAHUMNHVMCCH3LL.

treatment of cognitive errors 7.1 HRA method events are This approach technique and are MS LOCA OUTSIDE CONT for selected HEPs combined the cognitive affected. follows the industry candidates for FV =

HEPs generated from consensus and best refinement in a future 0.0057 These HFEs do not CBDTM and the Time practice. update. REAHUMNHVMCCH3LL significantly impact the RHR Reliability Correlation as FAILURE TO CT extension quantification allowed by the EPRI HRA PROVIDE ALT HVAC FOR results.

Calculator.

REACTOR BLDG MCC ROOMS FV =

0.01137 Internal Flooding (IF)

Page 39

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment For lower elevations in the reactor building, barriers are designed to withstand 44 feet of water. A better estimate of barrier strength would result in longer times to propagate. However, the volume of water to reach 44-feet is so large that these changes would show only minor impact to the overall results. For higher Inter-area barriers pass reactor building elevations, Assume complete no fluid until their design Assume complete This assumption can result accumulation above 6 failure when flood capacity is reached. Timing of failure when flood in minor changes in timing inches is not possible so Barrier Integrity levels reach the Barriers fail when the propagation levels reach the design of propagation or little change would be design capacity of design capacity is capacity of barriers. equipment failure. expected. Other buildings barriers.

reached. are provided with large openings that prevent accumulation and, therefore, challenging barriers. The effect of barrier integrity could impact specific applications.

Water floods in the reactor building do not significantly impact the RHR CT extension quantification results.

Page 40

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Reactor building floods are not a significant contribution There is no impact to the to overall risk. Scenarios CDF results if CCF is that involve drain valve modeled for the sump failures are a small subset isolation valves based on a of the reactor building flood Sump drain isolation sensitivity evaluation. risk. Although not valves in the reactor Issue of Common cause failure is significant to the overall building are modeled in completeness -

below the quantification plant risk profile, the lack of Rev. 7.2, as the valves common cause Reactor Building Sump Flood propagation truncation, indicating that common cause modeling are now routinely tested. failures not yet Completeness issue Isolation Valves and timing there are no cutsets above for the drain isolation valves However, the model does modeled for the the truncation that contain may warrant discussion not yet include common drain isolation more than one sump /consideration as part of cause failures for these valves.

isolation valve failure basic PRA applications.

valves.

event (no combinations of two or three valves, FDR-V- Water floods in the reactor 607, FDR-V-608, FDR- building do not significantly V0609. impact the RHR CT extension quantification results.

Refinements to radwaste and control building flood scenarios should be considered for a future PRA update, which will examine potential plant modifications and will take into account refinements in flood At the time of the flooding Internal flooding A higher flood damage damage heights of Flood Damage Heights for walkdown, flood damage scenario results A flood damage height (for example six equipment in the vital Division 1 and Division 2 See plant-specific heights for the 4KV buses for the radwaste height of 0 inches inches) is judged to not island. For PRA Electrical Equipment in Vital approach.

SM-7 and SM-8 could not and control was assumed. significantly impact the applications, examine this Island be confirmed. building. current results. area of model completeness for potential impacts to risk-informed decisions.

Control building floods do not significantly impact the RHR CT extension quantification results.

Page 41

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment For PRA applications for For floods grouped with which the FLDAC CDF Flooding in the contribution could influence the FLDAC initiator (flood-switchgear rooms is the risk-informed decision, induced loss of divisional postulated to ac power, division 1 and This is judged to likely be a evaluate the potential that Flood damage to the damage the battery the battery chargers are not division 2), investigate Internal flooding See plant-specific documentation issue. No Division 1 and 2 battery chargers, in addition whether the division 1 and event tree FLDAC approach taken significant impact to the risk impacted for switchgear chargers to the switchgear, room floods.

division 2 battery chargers profile is expected.

once the flood survive these floods, FLDAC does not damage height is based on flood damage significantly impact the RHR reach.

height. CT extension quantification results.

PSA-2-FL-0003 Section 2.1, Methodology, includes a discussion on "Maintenance-Related Flooding Frequencies", This should not be a source which concluded that that of model uncertainty in most maintenance-induced applications. For flooding events are Not likely to be risk- applications in which negligible contributors to Maintenance- significant, as maintenance- internal flooding is overall initiating event induced flooding Maintenance-induced induced floods are particularly applicable, frequency based on a events are not flooding events are expected to be quickly consideration should be Human-Induced Floods Internal Flooding calculated frequency of modeled by the negligible contributors detected and corrected by given to the impacts from 2.70E-5/yr. This internal flooding to internal flooding risk plant operators prior to human-induced floods.

conclusion was not PRA. damage of plant equipment This source of modeling reconciled in the due to flooding impacts. uncertainty is judged to not documentation with significantly impact the dominant flooding quantification results for the initiators IE-FLD- RHR CT extension.

C502TSW-U, IE-FLD-C507TSW-M, and IE-FLD-C508TSW-M, which are all around 1E-6/yr.

Page 42

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment No significant impact to CDF for the base PRA [Ref.

The risk-significant internal 6]. This area of uncertainty events floods with FV > or is retained for consideration equal to 0.005 were for PRA applications.

System operation evaluated and none would The postulated The PRA modeling potentially can be Internal flooding The postulated piping produce a different result if Postulated piping break in piping break in the assumes that a leaking recovered if the portion of scenarios break in the flooding the assumption for the flooding scenario fails flooding scenario plant system is unavailable the system leaking is involving TSW, scenario is assumed to postulated piping break in the affected system / train fails the affected for plant shutdown. This isolated and the effects of SW, and CST fail the affected system the flooding scenario fails with the break system / train with conforms to the industry the flooding does not piping. / train with the break. the affected system / train the break. consensus approach. Any impact system availability. with the break were altered to give some credit for relaxation of this system available of the assumption is judged to not affected system. significantly impact the RHR CT extension quantitative results.

Data Analysis (DA)

The number of plant-specific demands on standby components was mainly documented for the maintenance rule and MSPI components. Tier 3 PSA documents for PSA-2-DA-0002 show the Evaluate this source of details. Estimates based modeling uncertainty for on the surveillance tests PRA applications.

Unavailability and maintenance acts as data for This modeling uncertainty described in this SR Estimating Plant-specific significant See discussion of Potential impact to system impacts risk-insignificant should be performed even None.

Demands components not issue. unavailabilities components and this though the major tracked in the uncertainty is judged to not components have been MSPI data. impact the RHR CT included in the MSPI data.

Estimates based on the extension quantification surveillance tests and results.

maintenance acts as described in DA-C6 and DA-C7 should be performed for significant components whose data are not tracked in the MSPI data.

Page 43

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment There is unmeasured uncertainty in the assignment of a NUREG-6928 failure mode to the failure mode of the CGS No alternative approaches Generic data has PRA. The classification of exist at this time. This is Component Failure Mode All been utilized None. n/a events into failure modes not a candidate for appropriately.

by NUREG/CR-6928 is modeling uncertainty.

not specified. It is not possible to match it with the CGS definition of the same event.

Quantification (QU)

The rare event approximation is appropriate for the PRA quantification.

For any PRA application that utilizes a result for The CGS PRA is which basic event solved using unavailabilities or CAFTA, which uses frequencies are greater 0.1 The CGS PRA is solved the minimum cutset (for example, the by CAFTA, which uses upper bound. The unavailability of HPCS for the minimum cutset upper results reported in None required. some specific application),

bound solution. The PRAQuant use the Industry-accepted the validity of the rare event minimum cutset upper rare event Use of the rare event All portions of the software program approximation will need to bound solution can be approximation. All approximation for PRA Level 1 and Level used, and the n/a be considered when seen when the cutset file accident sequence solutions 2 PRAs requirements for the utilizing the PRAQuant

(*.cut) is opened. and LERF cutsets rare event results. That is, the PRA However, the results have frequencies approximation are met. practitioner will need to reported in PRAQuant use less than 1E-6/yr.

compare the PRAQuant the rare event The total CDF is results to those in the cutset approximation. less than 5E-5/yr.

(*.cut) file (typically very The rare event small differences).

approximation is therefore valid. The CT extension calculation are based on the minimum cutset upper bound, and therefore this source of uncertainty is not applicable to this application.

Page 44

RHR CT Extension Risk Evaluation Table 4-2 Review of Sources of Model Uncertainty and Completeness Uncertainty Part of Model Plant-Specific Assumptions Characterization Topic Discussion of Issue Impact on Model Affected Approach Taken Made Assessment Any PRA application should take into consideration the potential that CDF / LERF is overestimated due to success branch modeling.

Care should be taken if the margin for the risk-informed decision is small, to For PRA applications, consider whether success event tree branch branch modeling has an probabilities may increase PRA Rev. 7.2 impact.

(if an electrical bus is out employs static Depending on the A future PRA version can of service for example). success branch application, core damage consider automating the This becomes an issue modeling for risk- frequencies and particularly success branch modeling, when the down-branch significant success LERFs may be using the XNEG feature of probability becomes branch probabilities. conservative. Typically this FTREX. Employing XNEG Success Branch Modeling greater than 0.1, as the All The PRA does not None conservatism is expected to would require joint HFE rare event approximation employ automated be no more than 20% for dependent events to be is challenged. (Note that success branch PRA applications (result modeled explicitly in the top if the down branch is modeling, and could be up to 20% less if logic fault tree, rather than TRUE, CAFTA produces therefore the PRA automated success branch being applied in cutset post-the correct solution, since may produce were employed).

processing, which has the the PRA quantifies the conservative results.

disadvantage that it cannot success branch as FALSE be as easily updated as the in these instances).

cutset post-processing approach to applied dependent HFEs.

The current PRA modeling is conservative, and judged to not significantly impact the RHR CT extension application.

Page 45

RHR CT Extension Risk Evaluation

5. PRA Quality 5.1 FPIE Model Technical Adequacy The CGS PRA model of record is Revision 7.2.1. The Columbia PRA meets Capability Category II of Addendum A of the ASME ANS Standard, ASME/ANS RA-Sa-2009 [Ref.5], as clarified by RG 1.200, Rev. 2 [Ref. 4], based on the following considerations:

x In 2004 the CGS Revision 5.0 internal events PRA received a full scope peer review against the Capability Category II (CC-II) requirements of the ASME/ANS PRA Standard, ASME RA-Sa-2003, as clarified by Regulatory Guide (RG) 1.200 (DRAFT),

using the industry peer review process guidelines described in Nuclear Energy Institute (NEI) NEI-00-02, Revision A-3, Probabilistic Risk Assessment Peer Review Process Guidance.

x In 2009, the Columbia PRA Rev 7.0 received a full scope peer review from the Boiling Water Reactor Owners Group (BWROG) against the ASME/ANS PRA Standard RA-Sa-2009 [Ref. 5], as clarified by Regulatory Guide 1.200, Rev. 2 [Ref.4], using the industry peer review process guidelines in NEI-05-04, Revision 2, Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard.

x The Columbia PRA Rev. 7.1 resolved all F&O Findings from the 2004 and 2009 Peer Review, with the exception of Finding 2-2 for supporting requirement (SR) DA-C6 (SR DA-C6 meets Capability Category II, as assessed by the 2009 peer review) and 2-14 for supporting requirement SY-A4 [Ref. 8].

x Since the development of Rev. 7.1 in 2010, the CGS plant design has been reviewed for permanent plant changes, such as design or operational practices. For the Rev. 7.2 PRA update, those changes that were found to have an impact on the PRA model have been incorporated into the baseline PRA model.

x As part of the risk-informed technical specification initiative 5b license amendment request, the open findings from the 2009 peer review, 2-2 and 2-14, were resolved.

However, finding 2-2 has not been incorporated into the model. As noted in Section 6.3, a sensitivity case was performed for this issue and it was concluded that this finding is judged to have no impact on the RHR A CT extension.

x In 2016, PRA Rev. 7.2.1 was issued as part of the risk-informed Inservice Inspection.

Selected dependent HEP values were modified for use in the non-LERF Level 2 release term quantification and separate recovery files were constituted to implement these recoveries. There was no effect on the CDF and LERF quantifications.

Columbia maintains a PRA Configuration Control Program. The Configuration Control Program is governed by SYS-4-34. SYS-4-34 contains the following key elements:

x A process for monitoring PSA inputs and collecting new information, x A process that maintains and updates the PSA to be consistent with the as-built, as-operated plant, Page 46

RHR CT Extension Risk Evaluation x A process that ensures that the cumulative impact of pending changes is considered when applying the PSA, x A process that maintains configuration control of computer codes used to support PSA quantification, and x Documentation of the program.

To ensure that the current PRA model remains an accurate reflection of the as-built, as-operated plant the above activities are routinely performed. In accordance with this guidance, a review of PRA inputs and new information nominally occurs on a four year cycle; shorter intervals may be required if plant changes, procedure enhancements, or model changes result in significant risk changes.

CGS RG 1.200 compliance database is Columbias PRA model update tracking system. All self assessment (SA) and Plant Design Changes (PDC) that impact the PRA model are input into the database. The database is reviewed during each PRA update and all items that significantly impact the PRA are resolved and incorporated into the model to keep it consistent with the as-built, as-operated plant. Table 5-1 shows the model revision and major changes. The table shows that Columbias PRA model reflects the as-built as-operated plant since the Rev 7.0 model update.

Table 5-1 PRA Model Revision Summary Rev # Issue Revisions Highlights and Documentation Results Date 7.0 7/2009 x PSA upgrade in which the remaining 2004 peer review F&Os were resolved, as well as self-assessment F&Os, prior to the 2009 peer review. Updated Level 2 PRA.

7.1 6/2010 x Resolved most 2009 peer review F&O findings and CDF =

some suggestions. 7.6E-6/yr, LERF =

3.6E-7/yr 7.2 6/2014 x Resolved self-assessment comments collected since CDF =

2010 as well as more 2009 peer review F&O findings 6.0E-6/yr and suggestions. Converted the PSA from WinNUPRA to CAFTA. LERF =

3.3E-7/yr 7.2.1 6/2016 x Selected dependent HEP values were modified for use CDF =

in the non-LERF Level 2 release term quantification 6.0E-6/yr and separate recovery files were constituted to LERF =

implement these recoveries. There was no effect on 3.3E-7/yr the CDF and LERF quantifications.

A review of the database was performed to determine the impact of any open PDCs, since the last PRA update in 2014 that could potentially impact this risk assessment. The open items are summarized in Table 5-2.

Page 47

RHR CT Extension Risk Evaluation Table 5-2 Open PDCs that Potentially Impact RHR A CT Extension PDC Impact on RHR A CT Number Description Disposition Extension EC 12954 In this modification, Electrical Panel E- Revise FT No impact PP-7AA (located in the control room) modeling as is being split into two panels. The applicable right panel will become a safety related panel (E-PP-7AA) and the left panel will become the non-safety related panel (E-PP-US/D). Non-safety related loads presently connected to E-PP-7AA will be moved to EPP-US/D. Some safety related loads will be rearranged on E-PP-7AA. Panel E-PP-US/D will be re-fed from the spare fuse disconnect from panel E-PP_US.

EC 14838 Feedwater oil pressure logic change. Update the No impact. Feedwater change to the is not significant to this RFW logic for risk assessment.

control oil pressure.

The elimination of an SPV should reduce the CDF.

EC 14786 Changing power source to RRA-FN- Revise the This plant design 21, and RRA-FN-9 so that the steam power supplies change further tunnel cooling fans will remain for the steam reduces the risk-powered under certain load shed tunnel fans per significance of conditions EC 14786. This suppression pool modification will cooling, and thus, The load centers that the fans are fed mean that reduces the risk of from now, E-MC-7C and EMC- MSIVs can RHR-A CT. It is 8C are load shed given. remain open, if scheduled for the isolation implementation in signal is only 2017. This analysis due to a loss of conservatively doesnt steam tunnel credit this design cooling. change.

Page 48

RHR CT Extension Risk Evaluation Table 5-2 Open PDCs that Potentially Impact RHR A CT Extension PDC Impact on RHR A CT Number Description Disposition Extension EC 13094 Hardened Containment Vent Update the This plant design model to change further incorporate the reduces the risk-hardened and significance of RHR-A vent into the CT. It is scheduled for model implementation in 2017. This analysis conservatively doesnt credit this design change.

Conclusion Based on these considerations, the Columbia PRA is therefore technically adequate to address PRA applications that require Capability Category II. Additionally, the review of modeling assumptions, uncertainties, and PRA quality, identified no model limitations that would significantly impact the one-time CT extension application.

5.2 Fire Model Technical Adequacy The fire PRA is based upon the IPEEE development and received a subsequent update in 2002, 2004 and 2006. The fire PRA has also been updated to utilize the current internal events model of record. The Rev. 7.2.1 internal events PRA model of record serves as the basis for the current Fire PRA model.

The Fire PRA received a Peer Review in January 2004. The peer review team used the Revision A-3 NEI draft "Probabilistic Risk Assessment (PRA) Peer Review Process Guidance",

NEI 00-02, dated June 2, 2000 as the basis for the process to conduct the review. However, the criteria for the review were derived from the then current applicable sources.

The specific technical items and criteria for assignment of Capability Categories for the 2004 Peer review were based on the following:

x Fire Events: Checklists are developed from available fire PRA best practices, EPRI Guidance documents, NUREGs, and NRC Guidance.

While the peer review process and PRA standards have evolved since 2004, this peer review provided a valid, critical detailed review of the Fire PRA model.

Subsequently, the 2006 Fire PRA model was developed following the general methods discussed in the EPRI Fire PRA Implementation Guide and some of the methods of NUREG/CR-6850. This Fire PRA update addressed all of the findings from the January 2004 Fire Peer Review.

A current effort is underway to upgrade the existing Fire PRA to meet all aspects of the ASME/ANS PRA standard at a capability category (CC) II level. While the current Fire PRA Page 49

RHR CT Extension Risk Evaluation does not meet all of the PRA standard supporting requirements at a CC II level, the following reasons are provided as to why the Fire PRA is adequate for this application.

x The mapping of fire zones to risk significant equipment and cables is adequate to ensure that the impacts from fires are identified. In other words, the Fire PRA appropriately captures the spatial relationship of risk significant equipment to fire areas in the plant.

The Fire PRA model results, as discussed in Section 3.1.1, are reasonable and provide assurance that the Fire PRA produces useful results for identifying appropriate risk management actions to minimize risk.

x The Fire PRA has been used to obtain risk insights for past risk-informed licensing requests including a permanent DG allowed outage time TS change request and a LAR submittal to implement TS initiative 5b (approval pending).This risk-informed application is similar in that it requires the same level of technical quality of the fire PRA.

Based on the reasons provided above, CGS concludes that the Fire PRA is technically adequate for use in this application.

5.3 Seismic Model Technical Adequacy The seismic PRA is based upon the IPEEE development and it has been updated in 2004 and 2007. The seismic PRA has also been updated to utilize the current internal events model of record. The Rev. 7.2.1 internal events PRA model of record serves as the basis for the current seismic PRA model.

The quantification results for the seismic PRA are provided in Section 3. A reasonableness check of the results was performed and is discussed in Section 3.1.1.

The seismic PRA has not been peer reviewed, but is used in this application to obtain insights, where applicable. The quantitative results are well within the acceptance criteria for ICCDP and ICLERP. The quantitative results are supplemented by qualitative insights as discussed below.

A fundamental concept of the seismic modeling is that similar components at the same location of a building will experience similar seismic forces. All three RHR pumps are located on the basement elevation of the Reactor Building and would be expected to experience the same seismic acceleration from a seismic event.

In addition, with each pump being the same style, make, and model, the pumps would be expected to have the same fragility. Motor driven pumps generally have high seismic capacity and a relatively low probability of failure compared to other components during a seismic event.

For the purposes of a seismic risk evaluation, the RHR pumps can be treated as completely seismically correlated (i.e., a seismic event that can cause failure of one RHR pump is likely to cause failure of all RHR pumps). Therefore, unavailability of the RHR pump would not have a significant impact on overall seismic risk.

Based on the low contribution of seismic risk to the risk spectrum, it is concluded that the seismic PRA model combined with qualitative risk insights is technically adequate to support this risk application.

Page 50

RHR CT Extension Risk Evaluation

6. Sensitivity and Uncertainty Analyses The following sensitivity analyses were performed as part of this evaluation (see Attachment B):

6.1 Sensitivity Case 1: Assumed Compensatory Measures Compensatory measures are assumed to be in place to avoid the risk-significant plant configurations and to reduce the risk increase which results from the proposed RHR A OOS for preventive maintenance. The results are shown in Table B-1. The following compensatory measures are assumed for case 1.

HPCS, TR-S, DG3, LPCS, RCIC, RHR-C and HPCS-SW are protected. The maintenance unavailability for the protected trains is set to zero. The maintenance unavailability for the protected trains is set by flags files as follows:

HPS---------T3LL EQU .F.

SW-----HPCS-T3LL EQU .F.

EACTRL-S----T3-- EQU .F.

EACEDG-3----T3D3 EQU .F.

RCI---------T3LL EQU .F.

RHR----C----T3LL EQU .F.

LPS---------T3LL EQU .F.

Based on this sensitivity case with the additional compensatory measures in place, the ICCDP was reduced by almost half for both the FPIE and Fire PRA results.

6.2 Sensitivity Case 2: LOOP and Conditional LOSP Probability To examine the sensitivity of offsite power loss frequency and consequential loss of offsite power (LOSP) probability, the frequency and probability were doubled for RHR A OOS base case. All quantitative results for ICCDP and ICLERP for this sensitivity were less than the guidance thresholds, with adequate safety margin. See Table B-2. The frequency and the probability were doubled by flag file as follow:

EAC-CONSEQ-LOOP PROB 2E-3 TE PROB 6E-2 The results show that the base case is not sensitive to LOSP because LOSP is not a significant contributor to Columbias risk profile.

6.3 Sensitivity Case 3: Completion Uncertainty related to Failure Estimates To address completeness uncertainty, a sensitivity was performed for the RHR A OOS base case to examine sensitivity to the resolution for F&O 2-2. For the resolution of F&O 2-2, estimates for significant events not tracked in the MSPI data are now based on surveillance test and maintenance records.

Page 51

RHR CT Extension Risk Evaluation This F&O resolution impacted the following component failure modes:

C---W2 (compressor fails to start),

C---W4 (compressor fails to run),

FN--R3 (fan fails to start),

FR--W4 (fan fails to run),

AHUS---S3 (air handling unit fails to start),

AHUR---W4 (air handling unit fails to run).

The revised failure data will be utilized in the next PRA update. As the revised failure data is not part of the base model, a sensitivity was performed to examine the sensitivity of the RHR CT LAR to this resolution. See Table B-3.

The results show that the base case is not sensitive to the F&O 2-2 resolution not yet incorporated into the PRA model. The resolution of this F&O has no impact on the application for the RHR-A extension.

7. Compensatory Measures and Conclusions Based on the risk-significant contributors to ICCDP the following compensatory measures will be taken during the 14 days CT for RHR A OOS to address the risk-significant PRA scenarios:

x Besides the protected equipment required by PPM 1.3.83 (RHR-B, DG2 and SW-B), the following equipment will be protected HPCS, HPCS-SW, TRS, DG3, RCIC, LPCS and RHR-C.

x Also, DC Div 2 battery chargers, CAS and SGT will be protected, but no credit was taken in the PRA evaluation for this protected equipment. Therefore, the impact of these actions has not been quantified.

The following additional compensatory measures will be implemented to address the risk-significant PRA scenarios identified during the review of cutsets and importance measures. No credit was taken in the PRA and therefore the impact of these actions has not been quantified.

x Establish flood watch tour of the Turbine Building to provide potential early detection of internal floods.

x Establish fire watch tour for the turbine building corridor (TG-12), reactor building 471 and 522, cable chase, and the division 2 electrical and switchgear rooms when RHR A is taken out of service.

x Increase awareness of fire risk by performing shift briefs or pre-job walk downs to reduce and managed transient combustibles.

x Establish fire (a)(4) risk management actions required per PPM 1.3.85 [Ref.13] which are shown in Table 7-1.

Page 52

RHR CT Extension Risk Evaluation Table 7-1 Maintenance Rule fire (a)(4) Risk Management Actions based on the Fire Zones Fire Risk Zone Description Risk Management Actions RW 437 N Waste Tank Floor Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

Area C106;

- implement hourly fire tours for Waste Tank Floor Area C106 RW 437 Behind per FPP-1.7 Shield Wall;

- ensure no unnecessary fire hazards and no obstructed fire Offgas Dryer Rooms equipment in Waste Tank Floor Area C106 C130 and C131

- confirm area detection, suppression and fire doors available for Waste Tank Floor Area C106, RW 437 Behind Shield wall and Offgas Dryer rooms C130 and C131

- prohibit hot work in Waste Tank Floor Area C106, RW 437 Behind shield wall and Offgas Dryer rooms C130 and C131

- update plant status page with plant fire risk status and affected fire area for station awareness RW 467 Division 2 RPS Room Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

C213; RPS 2 - implement hourly fire tour for Division 2 RPS Room C213 and Division 2 Battery Division 2 Battery Charger Room C224 per FPP-1.7 CHG 2 Charger Room C224

- ensure no unnecessary fire hazards and no obstructed fire equipment in Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- confirm area detection, suppression and fire doors available for Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- prohibit hot work in Division 2 RPS Room C213 and Division 2 Battery Charger Room C224

- update plant status page with plant fire risk status and affected fire area for station awareness RW 525 Division 1 HVAC Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

Equipment Room HVAC 1 - implement hourly fire tour for Division 1 HVAC Equipment C507 Room C507 per FPP-1.7

- ensure no unnecessary fire hazards and no obstructed fire equipment in Division 1 HVAC Equipment Room C507

- confirm area detection, suppression and fire doors available for Division 1 HVAC Equipment Room C507

- prohibit hot work in Division 1 HVAC Equipment Room C507

- update plant status page with plant fire risk status and affected fire area for station awareness Page 53

RHR CT Extension Risk Evaluation Table 7-1 Maintenance Rule fire (a)(4) Risk Management Actions based on the Fire Zones Fire Risk Zone Description Risk Management Actions RW 525 Emergency Chiller Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

Room C502; CHLR - implement hourly fire tour for Emergency Chiller Room C502; Communications Communications Room C503 and Instrument Shop Room C510 Room C503; per FPP-1.7 Instrument Shop - ensure no unnecessary fire hazards and no obstructed fire Room C510 equipment in Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- confirm area detection, suppression and fire doors available for Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- prohibit hot work in Emergency Chiller Room C502; Communications Room C503 and Instrument Shop Room C510

- update plant status page with plant fire risk status and affected fire area for station awareness TG 441 W Condenser Bay West Initiate Fire Protection Evaluation Permit per PPM 1.3.10 to:

End T105;

- implement hourly fire tour for H2 Seal Oil Room T117 and TG H2 Seal Oil Room 441 west general area T106 per FPP-1.7 T117;

- ensure no unnecessary fire hazards and no obstructed fire TG 441 West General equipment in H2 Seal Oil Room T117 and TG 441 west general Area T106 area T106

- confirm area detection, suppression and fire doors available for Condenser bay west end T105; H2 seal oil room T117; and TG 441 west general area T106

- prohibit hot work in Condenser bay west end T105; H2 seal oil room T117; and TG 441 west general area T106

- update plant status page with plant fire risk status and affected fire area for station awareness TG 471 TG 471 Heater Bay Initiate Fire Prevention Evaluation Permit per PPM 1.3.10 to:

Center - confirm Operations shiftly camera tour of the TG 471 Heater Bay

- ensure no unnecessary fire hazards and no obstructed fire equipment in TG 471 Heater Bay (via camera tour)

- confirm area detection, suppression and fire doors available for TG 471 Heater Bay

- prohibit hot work in TG 471 Heater Bay

- update plant status page with plant fire risk status and affected fire area for station awareness Page 54

RHR CT Extension Risk Evaluation x Increase operator awareness of the increased significance of these actions by performing an operator briefing prior to taking RHR A out of service for the extended completion time:

o OPERATOR FAILS TO VENT CONTAINMENT o OPERATOR FAILS TO DEPRESSURIZE THE RPV o FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING o OPERATOR FAILS TO CONNECT FIREWATER to CONDENSATE POSTCONTAINMENT FAILURE o OPERATOR FAILS TO CONNECT SW TO RHR-B POST CONTAINMENT FAILURE x Verify hazardous weather conditions are not forecasted.

The following conclusions were reached as a result of this analysis:

x All quantitative results for ICCDP and ICLERP for the CT extension application are less than the guidance thresholds for:

1. RHR A case OOS (see result in Table 3-1)
2. RHR A OOS with only protected trains required per PPM 1.3.83. (See result in Table 3-2)
3. RHR A OOS with additional compensatory measures in place (See results in Table B-1).

x Additional compensatory measures are proposed and have not been directly quantified in the PRA model, but are judged to further reduce the risk for this plant configuration.

x None of the PRA uncertainties identified for this application were found to be key uncertainties that influence this RHR CT extension, based on the guidance provided by EPRI [Ref. 7].

x The PRA models are adequate to support this risk assessment and the resulting risk is acceptable and consistent with the NRC safety goals.

8. References
1. Regulatory Guide 1.174, Rev. 2, 2011.
2. Regulatory Guide 1.177, Rev. 1, 2011.
3. Practical Guidance on the Use of Probabilistic Risk Assessment in Risk-Informed Applications with a Focus on the Treatment of Uncertainty. EPRI, Palo Alto, CA: 2012.

1026511.

4. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic risk Assessment Results for Risk-informed Activities, Office of Nuclear Regulatory Research, Rev. 2, March 2009.

Page 55

RHR CT Extension Risk Evaluation

5. ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, 2009.
6. Quantification, PSA-2-QU-0001, Rev. 6, 2016.
7. Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments. EPRI, Palo Alto, CA: 2008. 1016737.
8. CGS RG 1.200 compliance database
9. PPM 1.3.83, Protected Equipment Program, Rev. 21, 7/18/16.
10. Updated CCF Data for CGS, PSA-2-DA-0004, Rev. 5, 2016.
11. PSA Internal Event Summary, PSA-1-SM-0001, Rev. 7, 2016.
12. Staff Evaluation Report of Individual Plant Examination of External Events (IPEEE)

Submittal on Columbia Generating Station, Energy Northwest, Docket No. 50-397, February 26, 2001.

13. PPM 1.3.85, ON-LINE FIRE RISK MANAGEMENT Rev. 5 Page 56

RHR CT Extension Risk Evaluation Attachment A Data Inputs and Analyses Page 57

RHR CT Extension Risk Evaluation Table A-1 PRA Rev. 7.2.1 Data for RHR Pump CCF Failure to Start MDP FTS Alpha Adjustment per CCF Clean Systems Factor methodology Final CCF 2/2 2.19E-02 1 2.19E-02 1.94E-05 Calculated with CCFWin 4.0.2007.5 [Ref. 10]

Table A-2 PRA Rev. 7.2.1 Data for CCF Failure to Run MDP FTS Alpha Adjustment per CCF Clean Systems Factor methodology Final CCF 2/2 1.65E-02 1 1.65E-02 5.30E-06 Calculated with CCFWin 4.0.2007.5 [Ref. 10]

Table A-3 RHR A CCF Adjustments Point Event ID Description Estimate for Value Used Notes Base Case Since RHR A OOS, CCF FAIL TO RUN RHR compute CCF as failure 2 RHRP-MDBCFTRC2LL 1.35E-06 5.30E-06 P-2B AND RHR P-2C of 2 to run: 5.3E-6 [per Table A-2 in Attachment A].

Since RHR A OOS, CCF OF PUMPS 2B AND compute CCF as failure 2 RHRP-MDBCFTSC2LL 4.04E-06 1.94E-05 2C FAILTO START of 2 to start: 1.94E-5 [per Table A-1 in Attachment A].

Page 58

RHR CT Extension Risk Evaluation Table A-4 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability Fus Ves BirnBm Description CF-FAILS-HPCS-INJ 8.30E-02 2.18E-01 2.93E-05 HPCS INJECTION FAILS DUE TO CONTAINMENT FAILURE ADSHUMNSTARTH3LT 3.30E-04 1.77E-01 6.15E-03 OPERATOR FAILS TO DEPRESSURIZE THE RPV (Transient)

VENTFAIL 7.30E-05 1.52E-01 2.37E-02 OPERATOR FAILS TO VENT CONTAINMENT HPS---------T3LL 8.76E-03 1.48E-01 1.93E-04 HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

RHRHUMNSP-COOLLL 1.00E-05 1.07E-01 1.23E-01 FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN FOR 1.02E-01 EACENG-EDG3-S424 3.95E-02 2.97E-05 24H IE-FLD-TLO--MS-S 8.58E-04 9.24E-02 1.24E-03 SMALL MS LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT LOSS OF FEEDWATER FREQUENCY IN EVENTS PER REACTOR 8.27E-02 IE-TF 1.60E-01 5.94E-06 YEAR RHRHUMNSYS62H3LL 1.60E-04 8.20E-02 5.87E-03 FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING LOSS OF CONDENSER FREQUENCY IN EVENTS PER REACTOR 7.74E-02 IE-TC 1.50E-01 5.93E-06 YEAR IE-FLD-TLO--MS-U 5.61E-04 6.96E-02 1.43E-03 MOD MS LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT CM 2.15E-06 6.51E-02 3.33E-01 MECHANICAL FAILURE OF SCRAM SYSTEM NUREG/CR-5500 OPERATOR FAILS TO CONNECT FIREWATER TO CONDENSATE 6.49E-02 FP-HUMNSYS62H3LL 6.50E-03 1.15E-04 POST CONTAINMENT FAILURE OPERATOR FAILS TO CONNECT SW TO RHR-B POST 6.38E-02 RHRHUMNSWCRTIEXX 6.80E-04 1.08E-03 CONTAINMENT FAILURE PRAAHUS--1B-S3LL 9.01E-04 6.17E-02 7.54E-04 FAN PRA-FN-1B DOES NOT START ON DEMAND FAILURE OF SSW PUMP MOTOR TO START ON DEMAND, 6.05E-02 SW-P-MDSWP1BS3LB 8.84E-04 7.54E-04 MECHANICAL HPSHUMN-CTL-HNAT 4.20E-03 6.02E-02 1.65E-04 FAILURE TO CONTROL HPCS INJECTION (NON-ATWS)

HPS-CTL-COND---- 6.82E-03 6.02E-02 1.01E-04 HPCS CONTROL REQUIR ED IE-FLD-TLO--RFWS 4.77E-04 4.86E-02 1.17E-03 SMALL RFW LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT OP. CNTRLS RPV LVL ADQUTLY (NOT TOO LOW) -- ATWS 4.68E-02 ATWH-HPLPRSTH3XX 1.00E+00 5.38E-07 W/HPCS AVAL INIT-RY-TF 3.11E+02 4.45E-02 1.64E-09 REACTOR YEAR CONVRSN - LOSS OF RFW IE GROUP IE-FLD-T106CONDS 2.71E-03 4.40E-02 1.86E-04 SMALL COND BREAK IN T106 RHRH-ATWSDC-H3XX 4.50E-01 4.36E-02 1.11E-06 OPERATOR FAILS TO BYPASS RHR-SDC INTERLOCKS (ATWS)

CRDHUMNALTCLH3LL 2.00E-02 4.35E-02 2.50E-05 OP FAILS TO ALIGN ALTERNATE COOLING TO CRD Page 59

RHR CT Extension Risk Evaluation Table A-4 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability Fus Ves BirnBm Description HPSV-MO----4P2LL 2.43E-03 4.25E-02 2.00E-04 HPCS-V-4 MO GATE VALVE NC-FTO HPSV-MO---12P2LL 2.43E-03 4.25E-02 2.00E-04 HPCS-V-12, MIN FLOW PROTECTION VALVE NC-FTO ON DEMAND IE-FLD-T106CONDU 2.52E-03 4.09E-02 1.86E-04 MODERATE OR MAJ COND BREAK IN T106/107/108/109 RRAAHUSRFC03S3D2 9.01E-04 3.98E-02 4.95E-04 AHU RRA-FN-03 DOES NOT START ON DEMAND RHRP-MD---2BS3LL 8.84E-04 3.90E-02 4.95E-04 RHR-P-2B MOTOR DRIVEN PUMP FAILS TO START IE-FLD-TLO--MS-M 3.16E-04 3.74E-02 1.36E-03 LARGE MS LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACEDG-3----T3D3 1.27E-02 3.65E-02 3.29E-05 DG-3 OUT FOR MAINTENANCE (MRULE DATA)

TE 2.98E-02 3.60E-02 1.39E-05 LOSS OF OFF-SITE POWER FREQUENCY IN EVENTS PER YEAR INIT-RY-LOSP 8.50E-01 3.60E-02 4.87E-07 CONVERTS CRITICAL YEARS TO RX YEARS INIT EVENTS INIT-RY-MS 3.11E+02 3.50E-02 1.29E-09 REACTOR YEAR CONVERSION - MAN SHUTDOWN IE GROUP MOC-RHRB-F 4.00E-04 3.50E-02 9.54E-04 MOC ASS'Y FAILURE FOR RHR B FAILURE IE-TIA 3.60E-02 3.31E-02 1.06E-05 LOSS OF NON-SAFETY CIA INIT EVENT PER REACTOR YEAR DMATE-----32W2LL 1.85E-03 3.22E-02 1.99E-04 TEMPERATURE SENSOR FOR DAMPER 32 LOSS OF FUNCTION IE-FLD-TLO--RFWU 3.12E-04 3.17E-02 1.17E-03 MOD RFW LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT CRDHUMNLTINJH3XX 5.40E-05 2.91E-02 6.18E-03 OP FAILS TO ALIGN STANDBY CRD TRAIN FOR LONG TERM INJ IE-FLD-T106TSW-S 1.72E-03 2.79E-02 1.86E-04 SMALL TSW BREAK IN T106 RCI---------T3LL 2.41E-02 2.53E-02 1.21E-05 RCIC UNAVAILABILITY DUE TO T & M (MRULE DATA)

OP FAILS TO ISOL MAJOR TSW LEAK ON RAD/CNTRL BLDG ELEV 2.51E-02 TSWHUMNIC525H3LL 1.00E+00 2.89E-07 525 INIT-RY-TM 3.11E+02 2.26E-02 8.33E-10 REACTOR YEAR CONVRSN - MSIV CLOSURE IE GROUP SW-OPER 1.12E-01 2.24E-02 2.26E-06 STANDBY SERVICE WATER OPERATING SW-P-MDSWP1BS4LB 3.21E-04 2.17E-02 7.43E-04 FAILURE OF SSW PUMP MOTOR TO KEEP RUN- NING FOR 24 HR FAILURE TO DIAGNOSE ECCS MIN FLOW VALVES FAILED 2.01E-02 OP-RHR-MNFL 1.00E+00 2.31E-07 CLOSED EDCC1--EC1-7W4D1 1.24E-04 1.97E-02 1.83E-03 125V DC BATTERY CHARGER C1-7 FAILS CF-FAIL-CRDH 6.60E-01 1.96E-02 3.41E-07 CRDH INJECTION FAILS DUE TO CONTAINMENT FAILURE IE-TT 7.00E-01 1.94E-02 3.19E-07 CGS TURBINE TRIP FREQUENCY IN EVENTS PER YEAR F-RHR-MOCSTRT 1.00E+00 1.91E-02 2.19E-07 CONDITIONAL PROBABILITY OF SW START OP-ECCS-SW 1.00E+00 1.91E-02 2.19E-07 FAILURE OF OP TO DIAGNOSE LACK OF SW FOR ECCS PUMP EACENG-EDG3-R3D3 6.36E-03 1.91E-02 3.44E-05 EMERGENCY DG-3 DOES NOT START IE-FLD-RLO-RWCUU 4.65E-04 1.89E-02 4.67E-04 MOD RWCU LK REACTOR BLDG - LOCA OUTSIDE CONTNMENT HPSRMS----S2W2LL 1.08E-03 1.83E-02 1.95E-04 HPCS-RMS-P/1 (E22B-S2) SWITCH FAILURE Page 60

RHR CT Extension Risk Evaluation Table A-4 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability Fus Ves BirnBm Description HUMAN ERROR TO RESTORE SW B TRAIN FROM TEST AND 1.82E-02 SWB-XHE-RE-RHRSW 2.70E-04 7.40E-04 MAINT IE-FLD-TLO--RFWM 1.76E-04 1.78E-02 1.17E-03 LARGE RFW LEAKS IN TURB BLDG - LOCA OUTSIDE CONTNMENT EACTRL-S----T3-- 1.46E-03 1.76E-02 1.38E-04 TRANSFORMER TR-S OUT FOR MAINTENANCE (MRULE DATA)

RRARMS-RFC03W2D2 3.59E-04 1.58E-02 4.93E-04 FAILURE OF CONTACT 1-2 ON MANUAL SWICH RRA-RMS-FN/03 RRAAHUSRFC04S3D3 9.01E-04 1.52E-02 1.94E-04 AHU RRA-FN-04 DOES NOT START ON DEMAND HPSP-MD----1S3LL 8.84E-04 1.50E-02 1.94E-04 HPCS PUMP FAILS TO START SW-P-MDHPSP2S3LC 8.84E-04 1.50E-02 1.94E-04 HPCS-P-2 SSW PUMP MOTOR FAILS TO START ON DEMAND OPERATOR FAILS TO DEPRESSURIZE THE RPV (Small Water 1.49E-02 ADS-XHE-FO-S2W 5.50E-04 2.95E-04 LOCA)

RHRP-MD---2BS4LL 3.21E-04 1.41E-02 4.92E-04 RHR-P-2B MOTOR DRIVEN PUMP FAILS TO RUN 24 HRS SW-V-MODV-29P2LC 8.11E-04 1.37E-02 1.93E-04 MECHANICAL FAILURE OF MOTOR ACTUATED VALVE SW-V-29 PTT 2.20E-02 1.35E-02 7.04E-06 FAILURE OF SRV'S RECLOSING FOR TT AND TF INITIATORS IE-MS 1.10E+00 1.35E-02 1.39E-07 MANUAL SHUTDOWN FREQUENCY IN EVENTS PER YEAR IE-TM 2.90E-02 1.32E-02 5.24E-06 MSIV CLOSURE FREQUENCY IN EVENTS PER REACTOR YEAR RCITDP-----1R3LL 9.54E-03 1.31E-02 1.58E-05 RCIC TDP PUMP FAILS TO START IE-SR 1.00E-02 1.30E-02 1.49E-05 CGS RX LEVEL INSTRUMENT LINE BRK FREQUENCY,EVENTS/YR FAILURE TO DIAGNOSE DEAD HEAD OPS BEFORE PUMP 1.29E-02 OP-SW-PMP 3.70E-01 4.01E-07 FAILURE COMMON CAUSE HUMAN ERROR OF MISCAL & MISALIGN MS-PS-1.28E-02 MS-HUMNP413-C3LL 9.50E-04 1.54E-04 413ABCD SW-V-MODV-2BP2LB 1.89E-04 1.26E-02 7.35E-04 MOV SW-V-2B FAILS TO OPEN ON DEMAND SW-V-MOV-12BP2LB 1.89E-04 1.26E-02 7.35E-04 MOV SW-V-12B FAILS TO OPEN ON DEMAND IE-FLD-C507TSW-M 1.39E-06 1.26E-02 1.04E-01 MAJOR TSW BREAK IN C507 IE-FLD-C508TSW-M 1.39E-06 1.26E-02 1.04E-01 MAJOR TSW BREAK IN C508 SMALL RWCU LEAK IN REACTOR BLDG - LOCA OUTSIDE 1.25E-02 IE-FLD-RLO-RWCUS 4.55E-04 3.15E-04 CONTNMENT OPERATOR FAILS TO BYPASS RHR-SDC INTERLOCKS (NON-1.20E-02 RHRHUMN-SDC-H3XX 1.10E-01 1.25E-06 ATWS)

SW-STR-SST3BE4LB 1.77E-04 1.18E-02 7.34E-04 SW PUMP 1B MOTOR BEARING STRAINER SW-ST-3B PLUGGED NRAC24 3.23E-03 1.09E-02 3.89E-05 NO RECOVERY OF OFFSITE POWER WITHIN 24 HOURS EACTR--7-73-W4D1 2.17E-05 1.07E-02 5.66E-03 TRANSFORMER TR-7-73 LOSS OF FUNCTION Page 61

RHR CT Extension Risk Evaluation Table A-4 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability Fus Ves BirnBm Description ADS-XHE-FO-SORV 3.40E-04 1.03E-02 3.48E-04 OPERATOR FAILS TO DEPRESSURIZE THE RPV (SORV)

OP FAILS TO ISOL MAJOR SW LEAK ON RAD/CNTRL BLDG 525 1.03E-02 SW-HUMNIC525H3LL 1.00E+00 1.18E-07 ELEV Page 62

RHR CT Extension Risk Evaluation Table A-5 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Fire Event Probability FusVes BirnBm Description LZT12 3.92E-06 2.20E-01 9.25E-01 TG-12 Full-PAU Burnup - Initiator HS-RHRV-MO-23 3.00E-01 1.24E-01 6.74E-06 RHR-V-23 FAILURE CAUSED BY HOT SHORT HPS---------T3LL 8.76E-03 1.12E-01 2.08E-04 HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 9.07E-02 EACENG-EDG3-S424 3.95E-02 3.76E-05 FOR 24H T3W07 4.74E-04 7.40E-02 2.58E-03 RC-7 Detailed Scenario 3 - Initiator F4R1J 1.32E-04 6.35E-02 7.93E-03 R-1J Detailed Scenario 4 - Initiator LZW03 1.02E-06 6.19E-02 1.00E+00 RC-3 Full-PAU Burnup - Initiator FIRE - OPERATOR FAILS TO DEPRESSURIZE THE RPV 5.54E-02 ADSHUMNSTARTH3LT-F 6.60E-04 1.35E-03 (Transient)

HS-EAC-TRS 3.00E-01 5.12E-02 2.78E-06 HOT SHORT DISABLES TR-S TZT1C 2.49E-03 4.89E-02 3.24E-04 TG-1C Full-PAU Burnup - Initiator EAC-CONSEQ-LOOP 1.00E-03 4.40E-02 7.00E-04 CONSEQUENTIAL LOOP FOLLOWING PLANT TRIP F3W13 5.20E-05 3.64E-02 1.15E-02 RC-13 Detailed Scenario 3 - Initiator LAW14 1.07E-04 3.54E-02 5.46E-03 RC-14 Detailed Scenario A - Initiator LPCS UNAVAILABILITY DUE TO MAINTENANCE (MRULE 3.51E-02 LPS---------T3LL 5.12E-03 1.08E-04 DATA)

HPSV-MO----4P2LL 2.43E-03 3.38E-02 2.25E-04 HPCS-V-4 MO GATE VALVE NC-FTO HPCS-V-12, MIN FLOW PROTECTION VALVE NC-FTO ON 3.38E-02 HPSV-MO---12P2LL 2.43E-03 2.25E-04 DEMAND HS-ADS-OPEN 3.00E-01 3.19E-02 1.74E-06 ADS VALVE(S) STUCK OPEN DUE TO HOT SHORT CF-FAILS-HPCS-INJ 8.30E-02 3.08E-02 6.05E-06 HPCS INJECTION FAILS DUE TO CONTAINMENT FAILURE COMMON CAUSE HUMAN ERROR OF MISCAL & MISALIGN 3.03E-02 MS-HUMNP413-C3LL 9.50E-04 5.04E-04 MS-PS-413ABCD EACEDG-3----T3D3 1.27E-02 2.96E-02 3.82E-05 DG-3 OUT FOR MAINTENANCE (MRULE DATA)

T5W07 7.37E-04 2.73E-02 6.11E-04 RC-7 Detailed Scenario 5 - Initiator F4W08 1.32E-03 2.64E-02 3.30E-04 RC-8 Detailed Scenario 4 - Initiator TEMPERATURE SENSOR FOR DAMPER 32 LOSS OF 2.56E-02 DMATE-----32W2LL 1.85E-03 2.24E-04 FUNCTION F6R1J 5.11E-05 2.43E-02 7.83E-03 R-1J Detailed Scenario 6 - Initiator Page 63

RHR CT Extension Risk Evaluation Table A-5 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Fire Event Probability FusVes BirnBm Description EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 2.34E-02 EACENG-EDG2-S4D2 1.00E-02 3.72E-05 HOURS LPSV-MO----5P5LL 2.62E-03 2.33E-02 1.41E-04 LPCS-V-5, MOV, FAILS TO OPEN (ANNUALLY TESTED)

F4R1D 6.37E-05 2.24E-02 5.79E-03 R-1D Detailed Scenario 4 - Initiator LPCS-FCV-11, MIN. FLOW PROTECTION VLV ,NC-FTO ON 2.15E-02 LPSV-MO---11P2LL 2.43E-03 1.40E-04 DEMAND FIRE - FAILURE TO DIAGNOSE DEAD HEAD OPS BEFORE 2.14E-02 OP-SW-PMP-F 1.00E+00 3.52E-07 PUMP FAILURE F6W04 6.36E-04 2.11E-02 5.48E-04 RC-4 Detailed Scenario 6 - Initiator FZR1B 3.76E-05 2.08E-02 9.11E-03 R-1B Full-PAU Burnup - Initiator PRAAHUS--1B-S3LL 9.01E-04 2.06E-02 3.74E-04 FAN PRA-FN-1B DOES NOT START ON DEMAND FAILURE OF SSW PUMP MOTOR TO START ON DEMAND, 2.03E-02 SW-P-MDSWP1BS3LB 8.84E-04 3.74E-04 MECHANICAL T4W07 5.16E-04 1.90E-02 6.08E-04 RC-7 Detailed Scenario 4 - Initiator F3R1D 4.83E-05 1.90E-02 6.48E-03 R-1D Detailed Scenario 3 - Initiator FIRE - OPERATOR FAILS TO BYPASS RHR-SDC INTERLOCKS 1.82E-02 RHRHUMN-SDC-H3XX-F 4.40E-01 6.79E-07 (NON-ATWS)

EACENG-EDG3-R3D3 6.36E-03 1.69E-02 4.33E-05 EMERGENCY DG-3 DOES NOT START TRANSFORMER TR-S OUT FOR MAINTENANCE (MRULE 1.61E-02 EACTRL-S----T3-- 1.46E-03 1.77E-04 DATA)

HPS-CTL-COND---- 6.82E-03 1.60E-02 3.86E-05 HPCS CONTROL REQUIR ED HPSHUMN-CTL-HNAT-F 8.40E-03 1.57E-02 3.07E-05 FIRE - FAILURE TO CONTROL HPCS INJECTION (NON-ATWS)

MS-HUMNP413CX3LL 1.70E-03 1.49E-02 1.39E-04 MS-PS-413C MISCALIBRATION EACENG-EDG2-R3D2 6.36E-03 1.48E-02 3.70E-05 EMERGENCY DG-2 DOES NOT START HPSRMS----S2W2LL 1.08E-03 1.47E-02 2.21E-04 HPCS-RMS-P/1 (E22B-S2) SWITCH FAILURE ADSHUMNSTARTH3LT 3.30E-04 1.38E-02 6.79E-04 OPERATOR FAILS TO DEPRESSURIZE THE RPV (Transient)

F3W04 4.19E-04 1.37E-02 5.37E-04 RC-4 Detailed Scenario 3 - Initiator MOC-SWB-F 4.00E-04 1.30E-02 4.60E-04 MOC ASSY FAILS FOR SWB F7W04 3.93E-04 1.28E-02 5.37E-04 RC-4 Detailed Scenario 7 - Initiator RRAAHUSRFC04S3D3 9.01E-04 1.22E-02 2.20E-04 AHU RRA-FN-04 DOES NOT START ON DEMAND HPSP-MD----1S3LL 8.84E-04 1.20E-02 2.20E-04 HPCS PUMP FAILS TO START SW-P-MDHPSP2S3LC 8.84E-04 1.20E-02 2.20E-04 HPCS-P-2 SSW PUMP MOTOR FAILS TO START ON DEMAND Page 64

RHR CT Extension Risk Evaluation Table A-5 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Fire Event Probability FusVes BirnBm Description 1.10E-02 F5R1J 2.33E-05 7.81E-03 R-1J Detailed Scenario 5 - Initiator SW-V-MODV-29P2LC 8.11E-04 1.10E-02 2.19E-04 TG-12 Full-PAU Burnup - Initiator RHRHUMNSYS62H3LL 1.60E-04 1.02E-02 1.04E-03 RHR-V-23 FAILURE CAUSED BY HOT SHORT OP-RHR-ALGN 1.00E+00 1.01E-02 1.66E-07 HPCS UNAVAILABILITY DUE TO T & M (MRULE DATA)

EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN 1.01E-02 OP-RHR-MNFL 1.00E+00 1.66E-07 FOR 24H FZT1D 3.49E-03 1.00E-02 4.73E-05 RC-7 Detailed Scenario 3 - Initiator Page 65

RHR CT Extension Risk Evaluation Table A-6 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Seismic Event Probability FusVes BirnBm Description SDS2 6.66E-05 4.36E-01 5.33E-02 SDS 2 BOP CST LOOP SS LOCA - Initiator NRAC24H-SEIS 7.30E-01 4.19E-01 4.61E-06 No Recovery of Offsite AC w/in 24 hrs. (Seismic)

SEIS-MITGTN-FAIL 1.00E+00 2.93E-01 2.39E-06 NO ADDITIONAL MITIGATION POSSIBLE (SEISMIC SCENARIO)

SDS42 2.38E-06 2.92E-01 1.00E+00 SDS 42 Failure of RPV and/or Category I Bldgs. - Initiator EACENG- EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 2.58E-01 EDG2SS4D2 4.00E-02 5.01E-05 HOURS 24 HRS - SEISMIC SDS41 1.64E-06 1.51E-01 7.50E-01 SDS 41 Wide-spread failure of SSEL equipment - Initiator SEIS-LONGTERM 5.00E-01 1.01E-01 8.20E-07 PROB OF LONG TERM CORE DAMAGE SEQ FOR SDS41 SEIS-SHRTTERM 5.00E-01 1.01E-01 8.20E-07 PROB OF SHORT TERM CORE DAMAGE SEQ FOR SDS41 EACENG-EDG2- EMERGENCY DG-2 DOES NOT CONTINUE TO RUN FOR 6 6.46E-02 S4D2 1.00E-02 4.90E-05 HOURS EACENG-EDG2-4.10E-02 R3D2 6.36E-03 4.89E-05 EMERGENCY DG-2 DOES NOT START CF-FAILS-HPCS-INJ 8.30E-02 2.06E-02 1.50E-06 HPCS INJECTION FAILS DUE TO CONTAINMENT FAILURE SDS 5, SDS 23 BOP CST LOOP SS LOCA EDG 1 and 2 Div. III -

1.72E-02 S523 1.40E-07 1.00E+00 Initiator SDS17, SDS19, SDS35 BOP CST LOOP MLOCA EDG 1 and 2 Div.

1.33E-02 SLAC 1.08E-07 1.00E+00 III OSP Not Recov - Init SDS 7, SDS 25 BOP CST LOOP SS LOCA Div. I and II Div. III OSP 1.25E-02 S725 1.02E-07 1.00E+00 Not Recov - Initia DMATE-----21W2LL 1.85E-03 1.20E-02 4.87E-05 TEMPERATURE SENSOR FOR DAMPER 21 LOSS OF FUNCTION DMATE-----22W2LL 1.85E-03 1.20E-02 4.87E-05 TEMPERATURE SENSOR FOR DAMPER 22 LOSS OF FUNCTION SDS 38 BOP CST LOOP N2 Tank EDGs stalled and not re-started -

1.16E-02 SDS38 9.45E-08 1.00E+00 Initiator SDS20 1.77E-06 1.15E-02 5.31E-02 SDS 20 BOP CST LOOP N2 Tank SS LOCA - Initiator SDS4 5.43E-07 1.11E-02 1.67E-01 SDS 4 BOP CST LOOP SS LOCA EDG 1 and 2 - Initiator EACENG-EDG3- EMERGENCY DG SYSTEM DOES NOT CONTINUE TO RUN FOR 1.05E-02 S424 3.95E-02 1.78E-06 24H SDS 6, SDS 24 BOP CST LOOP SS LOCA Div. I and II OSP Not 1.03E-02 S624 5.08E-07 1.64E-01 Recov - Initiator Page 66

RHR CT Extension Risk Evaluation Table A-6 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Seismic Event Probability FusVes BirnBm Description SDS 2 SDS 2 BOP CST LOOP SS LOCA SBO WITHOUT RCIC -

1.02E-02 S2P3 4.57E-07 1.81E-01 Initiator PRAAHUS--1B-S3LL 9.01E-04 7.73E-03 6.62E-05 FAN PRA-FN-1B DOES NOT START ON DEMAND SW-P- FAILURE OF SSW PUMP MOTOR TO START ON DEMAND, 7.59E-03 MDSWP1BS3LB 8.84E-04 6.62E-05 MECHANICAL N24-AVE-SEIS 8.54E-01 6.11E-03 5.04E-08 Average NRAC for First 24 Hrs. (Seismic)

DMAAHUS--21-S3LL 9.01E-04 5.81E-03 4.86E-05 FAN DMA-FN-21 DOES NOT START ON DEMAND (EMERGENCY)

EACP-MD-10B-S3LL 8.84E-04 5.70E-03 4.86E-05 OIL PUMP DO-P-1B FAILS TO START Page 67

RHR CT Extension Risk Evaluation Table A-7 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability RAW Description IE-VESSEL-RUPTUR 1.00E-08 74807.474 REACTOR VESSEL RUPTURE EACCB- 1.16E-07 67151.065 CIRCUIT BREAKER 7-73 AND 8-83 FTRC DUE TO CCF 7383SOC2LL CM 2.15E-06 28984.033 MECHANICAL FAILURE OF SCRAM SYSTEM NUREG/CR-5500 EDCC1--2A2B-C3LL 1.94E-07 19841.012 COMMON CAUSE FAIL. OF BATTERY CHARGERS C1-2A AND C1-2B RHRHUMNSP- 1.00E-05 10738.121 FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING COOLLL IE-FLD-C507TSW-M 1.39E-06 9064.8 MAJOR TSW BREAK IN C507 IE-FLD-C508TSW-M 1.39E-06 9064.8 MAJOR TSW BREAK IN C508 IE-FLD-C205-FP-U 4.22E-07 9060.377 MODERATE FPW BREAK IN C205 C212 OR C214 IE-FLD-C304-FP-U 4.52E-08 9036.58 MOD OR MAJOR FPW BREAK IN C304 SW-V- 1.33E-06 7035.774 FAILURE OF DISCHARG MOV'S SW-2A, SW-2B AND SW-29(ATC 4/18)

MO2AB29C3LL SW-SCR-SCRN- 7.29E-07 6948.485 CCF BLOCKAGE OF ALL SW INTAKE SCREENS C3LL RHRV-MO--8-9C3RR 7.88E-08 5540.107 COMMON CAUSE RUPTURE FAILURE OF RHR-V-8 AND -9 IE-DDC 1.80E-07 3390.263 LOSS OF DIV 1 AND DIV 2 DC POWER INITIATING EVENT MTM 1.60E-08 2067.035 SUCCESS CRITERIA 11 SRV'S OPEN OUT OF 18 NOT MET VENTFAIL 7.30E-05 2060.633 OPERATOR FAILS TO VENT CONTAINMENT IE-FLD-C502TSW-U 2.52E-06 2030.965 MOD OR MAJOR TSW BREAK IN C502 MTT 1.60E-08 1530.639 SUCCESS CRITERIA 7 SRV'S OPEN OUT OF 18 NOT MET IE-DAC 1.00E-07 1481.924 LOSS OF SM-7 AND SM-8 DUE TO CCF INITIATING EVENT EACSM--8----W4D1 1.67E-06 1339.705 4160 VOLT BUS SM-8 LOSS OF FUNCTION SW-SCR- 1.16E-06 1155.104 CCF BLOCKAGE OF SW-P1B AND HPCS-P2 SCREENS S1BH2C2LL IE-FLD-C507SSWAM 4.89E-06 1050.471 MAJOR SW A BREAK IN C507 IE-FLD-C508SSWBM 4.89E-06 1050.471 MAJOR SW B BREAK IN C508 Page 68

RHR CT Extension Risk Evaluation Table A-7 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability RAW Description IE-FLD-C212SSWAU 2.05E-07 1044.998 MOD OR MAJ SW A BREAK IN C212 OR C509 IE-FLD-C212SSWBU 2.05E-07 1044.998 MOD OR MAJ SW B LEAK IN C212 OR C509 EDCC1--127--C3LL 3.78E-08 873.557 CCF BATTERY CHARGERS 1A, 1B 2A, 2B, AND 7 EDCC1--12---C3LL 3.50E-08 819.901 COMMON CAUSE FAIL. OF BATTERY CHARGERS C1-1A, 1B, 2A, 2B EACSM--7----W4D1 1.67E-06 645.185 4160 VOLT BUS SM-7 LOSS OF FUNCTION EDCPP--S17--W4LL 1.68E-06 634.214 FAILURE OF BUS E-DP-S1/7 CRDHUMNLTINJH3 5.40E-05 538.71 OP FAILS TO ALIGN STANDBY CRD TRAIN FOR LONG TERM INJ XX EACCB--7-73-G4D1 4.00E-06 536.617 CIRCUIT BREAKER 7-73 FTRC ADSHUMNSTARTH3 3.30E-04 535.694 OPERATOR FAILS TO DEPRESSURIZE THE RPV (Transient)

LT EACMC--7A---W4D1 1.67E-06 519.731 MOTOR CONTROL CENTER MC-7A LOSS OF FUNCTION EACSL--73---W4D1 1.67E-06 519.731 480 VOLT AC BUS SL-73 LOSS OF FUNCTION RHRHUMNSYS62H3 1.60E-04 511.635 FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING LL EACTR--7-73-W4D1 2.17E-05 493.655 TRANSFORMER TR-7-73 LOSS OF FUNCTION EACCB--73-7AG4D1 4.00E-06 470.684 CIRCUIT BREAKER FROM SL-73 TO MC-7A FTRC EDCB1--127--C3LL 2.27E-07 447.32 COMMON CAUSE FAIL OF E-B1-1, B1-2 AND B1-7 EDCB1--12721C3LL 2.12E-07 444.181 C C FAILURE OF ALL EXIDE MDL 2GN BATTS B1-1,-2,-7& B2-1 SP-FL-----BSI-LL 9.99E-06 306.931 CCF SUPP POOL STRAINERS FOR BOC IS - SM LOCAS EACSM--2----W4D3 1.67E-06 265.595 4160 VOLT SM-2 LOSS OF FUNCTION EACTR--663--W4-- 2.17E-05 252.429 TRANSFORMER JUN-63 LOSS OF FUNCTION EACTR--7-71-W4D1 2.17E-05 240.642 TRANSFORMER TR-7-71 LOSS OF FUNCTION IE-FLD- 3.06E-06 229.732 MOD OR MAJOR SW A BREAK INSIDE WMA-AH-53A W53ASSWAU IE-FLD- 3.69E-06 229.61 MOD OR MAJOR SW A BREAK INSIDE WMA-AH-52A W52ASSWAU IE-FLD- 3.69E-06 229.61 MOD OR MAJOR SW B BREAK INSIDE WMA-AH-52B W52BSSWBU Page 69

RHR CT Extension Risk Evaluation Table A-7 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Internal Events Event Probability RAW Description IE-FLD- 3.06E-06 229.314 MOD OR MAJOR SW B BREAK INSIDE WMA-AH-53B W53BSSWBU EACCB--636B-G4-- 4.00E-06 224.904 CIRCUIT BREAKER FRM SL-63 TO MC-6B SPURIOUS TRIP EACCB--663--G4-- 4.00E-06 224.904 CIRCUIT BREAKER JUN-63 SPURIOUS TRIP EACCB--7-71-G4D1 4.00E-06 223.189 CIRCUIT BREAKER 7-71 FTRC SW-P-MD1A-1BC2 3.16E-05 218.061 COMON CAUSE FAILURE FOR SW-P-1A,B FAIL TO START & RUN Page 70

RHR CT Extension Risk Evaluation Table A-8 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Fire Event Probability RAW Description L8W02 4.87E-08 60646.898 RC-2 Detailed Scenario 8 - Initiator LZW03 1.02E-06 60646.84 RC-3 Full-PAU Burnup - Initiator LZT12 3.92E-06 56109.622 TG-12 Full-PAU Burnup - Initiator L5W02 3.60E-07 19735.674 RC-2 Detailed Scenario 5 - Initiator L6W02 3.60E-07 8320.781 RC-2 Detailed Scenario 6 - Initiator L2W1A 3.81E-07 2764.382 RC-1A Detailed Scenario 2 - Initiator L3W1A 1.98E-07 2746.856 RC-1A Detailed Scenario 3 - Initiator CM 2.15E-06 2347.621 MECHANICAL FAILURE OF SCRAM SYSTEM NUREG/CR-5500 SW-V-MO2AB29C3LL 1.33E-06 1997.988 FAILURE OF DISCHARG MOV'S SW-2A, SW-2B AND SW-29(ATC 4/18)

SW-SCR-SCRN-C3LL 7.29E-07 1993.822 CCF BLOCKAGE OF ALL SW INTAKE SCREENS L4W10 3.56E-07 1919.841 RC-10 Detailed Scenario 4 - Initiator F3W13 5.20E-05 700.647 RC-13 Detailed Scenario 3 - Initiator F5W13 1.32E-05 693.995 RC-13 Detailed Scenario 5 - Initiator F4W13 1.14E-05 692.962 RC-13 Detailed Scenario 4 - Initiator F2W13 2.43E-06 674.983 RC-13 Detailed Scenario 2 - Initiator F1W13 1.37E-06 664.867 RC-13 Detailed Scenario 1 - Initiator FZR1B 3.76E-05 553.297 R-1B Full-PAU Burnup - Initiator F4R1J 1.32E-04 481.59 R-1J Detailed Scenario 4 - Initiator F1R1J 1.70E-05 478.925 R-1J Detailed Scenario 1 - Initiator F6R1J 5.11E-05 475.601 R-1J Detailed Scenario 6 - Initiator F5R1J 2.33E-05 474.367 R-1J Detailed Scenario 5 - Initiator F2R1J 1.45E-05 473.455 R-1J Detailed Scenario 2 - Initiator FZR1K 2.19E-05 453.614 R-1K Full-PAU Burnup - Initiator F1R1D 1.81E-05 438.435 R-1D Detailed Scenario 1 - Initiator F3R1D 4.83E-05 393.718 R-1D Detailed Scenario 3 - Initiator F1W10 4.78E-06 377.874 RC-10 Detailed Scenario 1 - Initiator F4R1D 6.37E-05 352.324 R-1D Detailed Scenario 4 - Initiator F2R1D 1.00E-05 351.517 R-1D Detailed Scenario 2 - Initiator FZM09 7.32E-06 351.255 M-9 Full-PAU Burnup - Initiator SW-SCR-S1BH2C2LL 1.16E-06 341.157 CCF BLOCKAGE OF SW-P1B AND HPCS-P2 SCREENS L7W02 3.57E-07 332.718 RC-2 Detailed Scenario 7 - Initiator Page 71

RHR CT Extension Risk Evaluation Table A-8 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Fire Event Probability RAW Description LAW14 1.07E-04 331.973 RC-14 Detailed Scenario A - Initiator F1W1A 1.17E-05 304.062 RC-1A Detailed Scenario 1 - Initiator F6W1A 2.55E-06 293.836 RC-1A Detailed Scenario 6 - Initiator F4W1A 3.96E-07 269.623 RC-1A Detailed Scenario 4 - Initiator L2W10 9.59E-07 249.618 RC-10 Detailed Scenario 2 - Initiator EAC-SWA-SWB-CCF 4.00E-05 202.572 CCF OF SWA/SWB SW-SCR-S1AH2C2LL 1.16E-06 176.281 CCF BLOCKAGE OF SW-P1A AND HPCS-P2 SCREENS EACEDG-123FRC3LL 5.43E-05 169.639 CCF OF ALL 3 DG FAIL TO RUN EACEDG-123FSC3LL 2.32E-05 169.272 CCF OF ALL 3 DG FAIL TO START EACM-S-10AB2C3LL 1.40E-05 169.081 COMMON CAUSE FAIL- URE OF OIL PUMPS 10A, 10B, AND 2 TO START EACM-R-10AB2C3LL 8.48E-07 166.346 COMMON CAUSE FAIL- URE OF OIL PUMPS 10A, 10B, AND 2 TO RUN EACCB--DG123C3LL 4.41E-07 165.931 CCF OF OUTPUT BRKRS ON ALL THREE DG'S DG1,DG2,DG3 T3W07 4.74E-04 157.125 RC-7 Detailed Scenario 3 - Initiator SW-P-MD1A-1BC2 3.16E-05 152.123 COMON CAUSE FAILURE FOR SW-P-1A,B FAIL TO START & RUN SW-STR-ST3ABC2E4 1.19E-05 148.241 CCF OF SW-P-1A & 1B MOTOR BEARING STRAINERS T2W07 1.37E-05 146.925 RC-7 Detailed Scenario 2 - Initiator SW-SCR-S1A1BC2LL 1.16E-06 131.379 CCF BLOCKAGE OF SW-P-1A AND -1B SCREENS SW-V-MO12A-BC3 1.15E-06 131.267 COMON CAUSE FAILURE FOR POND RETRN VLVE SW-12 TO OPEN Event Probability Ach W Description L8W02 4.87E-08 60646.898 RC-2 Detailed Scenario 8 - Initiator Page 72

RHR CT Extension Risk Evaluation Table A-9 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Seismic Event Probability RAW Description S1129 1.76E-08 122820.635 SDS 11, SDS 29 BOP CST LOOP SLOCA EDG 1 and 2 Div. III - Initiator SDS 13, SDS 31 BOP CST LOOP SLOCA Div. I and II Div. III OSP Not Recov -

S1331 1.63E-08 122820.635 Initiat S21P2 1.25E-09 122820.635 SDS 21 BOP CST LOOP N2 Tank SS LOCA Div. III SBO - Initiator S3P2 4.04E-09 122820.635 SDS 3 BOP CST LOOP SS LOCA Div. III SBO - Initiator SDS38 9.45E-08 122820.635 SDS 38 BOP CST LOOP N2 Tank EDGs stalled and not re-started - Initiator SDS40 7.93E-09 122820.635 SDS 40 Seismic Failure to Scram and Failure to Mitigate - Initiator S523 1.40E-07 122820.621 SDS 5, SDS 23 BOP CST LOOP SS LOCA EDG 1 and 2 Div. III - Initiator SDS 7, SDS 25 BOP CST LOOP SS LOCA Div. I and II Div. III OSP Not Recov -

S725 1.02E-07 122820.621 Initia SDS17, SDS19, SDS35 BOP CST LOOP MLOCA EDG 1 and 2 Div. III OSP Not SLAC 1.08E-07 122820.621 Recov - Init SDS42 2.38E-06 122820.342 SDS 42 Failure of RPV and/or Category I Bldgs. - Initiator SDS41 1.64E-06 92115.579 SDS 41 Wide-spread failure of SSEL equipment - Initiator S2P3 4.57E-07 22231.672 SDS 2 SDS 2 BOP CST LOOP SS LOCA SBO WITHOUT RCIC - Initiator S20P3 1.15E-08 21592.012 SDS 20 BOP CST LOOP N2 Tank SS LOCA SBO WITHOUT RCIC - Initiator SDS4 5.43E-07 20484.567 SDS 4 BOP CST LOOP SS LOCA EDG 1 and 2 - Initiator SDS22 1.83E-07 20468.614 SDS 22 BOP CST LOOP N2 Tank SS LOCA EDG 1 and 2 - Initiator SDS 6, SDS 24 BOP CST LOOP SS LOCA Div. I and II OSP Not Recov -

S624 5.08E-07 20203.36 Initiator S1230 4.28E-08 20142.901 SDS 12, SDS 30 BOP CST LOOP SLOCA Div. I and II OSP Not Recov - Initiator SDS 18, SDS 36 BOP CST LOOP MLOCA Div. I and II OSP Not Recov -

S1836 4.71E-08 20142.901 Initiator S8P2 1.91E-09 16943.753 SDS 8 BOP CST LOOP SLOCA SBO - Initiator SDS16 2.68E-08 16935.252 SDS 16 BOP CST LOOP MLOCA EDG 1 and 2 - Initiator SDS10 2.52E-08 16927.335 SDS 10 BOP CST LOOP SLOCA EDG 1 and 2 - Initiator SDS28 1.87E-08 16887.24 SDS 28 BOP CST LOOP N2 Tank SLOCA EDG 1 and 2 - Initiator SDS34 1.92E-08 16887.24 SDS 34 BOP CST LOOP N2 Tank MLOCA EDG 1 and 2 - Initiator S26P2 4.78E-10 15656.341 SDS 26 BOP CST LOOP N2 Tank SLOCA SBO - Initiator SDS9 2.73E-08 7318.496 SDS 9 BOP CST LOOP SLOCA Div. III - Initiator SDS15 2.69E-08 7275.748 SDS 15 BOP CST LOOP MLOCA Div. III - Initiator Page 73

RHR CT Extension Risk Evaluation Table A-9 Importance Measures Evaluation for RHR A Unavailable with Protected Trains Case - Seismic Event Probability RAW Description SDS27 1.99E-08 7181.453 SDS 27 BOP CST LOOP N2 Tank SLOCA Div. III - Initiator SDS33 1.82E-08 7157.026 SDS 33 BOP CST LOOP N2 Tank MLOCA Div. III - Initiator SDS3 6.12E-07 7010.337 SDS 3 BOP CST LOOP SS LOCA Div. III - Initiator SDS21 1.98E-07 6983.314 SDS 21 BOP CST LOOP N2 Tank SS LOCA Div. III - Initiator SDS2 6.66E-05 6551.553 SDS 2 BOP CST LOOP SS LOCA - Initiator SDS20 1.77E-06 6520.228 SDS 20 BOP CST LOOP N2 Tank SS LOCA - Initiator SDS8 2.97E-07 6464.259 SDS 8 BOP CST LOOP SLOCA - Initiator SDS14 8.28E-08 6406.118 SDS 14 BOP CST LOOP MLOCA - Initiator SDS26 8.01E-08 6365.761 SDS 26 BOP CST LOOP N2 Tank SLOCA - Initiator SDS32 2.79E-08 6257.519 SDS 32 BOP CST LOOP N2 Tank MLOCA - Initiator RHRHUMNSP-LOCALL 1.00E-05 116.643 FAILURE TO ALIGN RHR TO SUPPRESSION POOL COOLING PRAAHUS--1B-S3LL 9.01E-04 9.125 FAN PRA-FN-1B DOES NOT START ON DEMAND SW-P-MDSWP1BS3LB 8.84E-04 9.125 FAILURE OF SSW PUMP MOTOR TO START ON DEMAND, MECHANICAL SW-P-MDSWP1BS4LB 3.21E-04 9.125 FAILURE OF SSW PUMP MOTOR TO KEEP RUN- NING FOR 24 HR SW-STR-SST3BE4LB 1.77E-04 9.124 SW PUMP 1B MOTOR BEARING STRAINER SW-ST-3B PLUGGED SW-V-MODV-2BP2LB 1.89E-04 9.124 MOV SW-V-2B FAILS TO OPEN ON DEMAND SW-V-MOV-12BP2LB 1.89E-04 9.124 MOV SW-V-12B FAILS TO OPEN ON DEMAND SWB-XHE-RE-RHRSW 2.70E-04 9.124 HUMAN ERROR TO RESTORE SW B TRAIN FROM TEST AND MAINT SW-SCR-SCR1BE4LB 1.12E-04 9.123 BLOCKAGE OF INTAKE SCREEN FOR SW-P-1B PRAAHUS--1B-W4LL 9.13E-05 9.115 PRA-FC-1B CHILLER (COOLING COIL+FAN) FAILURE TO RUN SW-PT--PS-1BW2LB 6.89E-05 9.105 FAILURE OF PRESSURE SENSOR SSW-PS-1B SIGNAL EDCDIS1-C1-2W4LL 2.39E-05 9.078 BATTERY CHARGER C1-2 TO S1-2 DISCON NECT SWITCH FAILS EDCDISCS1-2AW4LL 2.39E-05 9.078 FAILURE OF 200 AMP. FUSED DISCONNECT TO E-DP-S1/2A Event Probability Ach W Description S1129 1.76E-08 122820.635 SDS 11, SDS 29 BOP CST LOOP SLOCA EDG 1 and 2 Div. III - Initiator Page 74

RHR CT Extension Risk Evaluation Table A-10 PRA Computation Results Summary CASE RISK METRIC Baseline CDF/LERF L1_INT 6.02E-06 L1_FIRE 9.37E-06 L1_SEIS 4.46E-06 L2_INT 3.27E-07 L2_FIRE 2.69E-07 L2_SEIS 1.85E-06 RHR-A OOS CDF/LERF CDF/LERF ICCDP/ICLERP Total ICCDP 8.32E-07 L1_INT_RHRA 1.52E-05 9.18E-06 3.52E-07 L1_FIRE_RHRA 1.73E-05 7.93E-06 3.04E-07 L1_SEIS_RHRA 9.03E-06 4.57E-06 1.75E-07 Total ICLERP 1.23E-09 L2_INT_RHRA 3.30E-07 3.00E-09 1.15E-10 L2_FIRE_RHRA 2.98E-07 2.90E-08 1.11E-09 L2_SEIS_RHRA 1.85E-06 0.00E+00 Negligible Protected Trains CDF/LERF CDF/LERF ICCDP/ICLERP Total ICCDP 6.25E-07 L1_INT_PROT 1.15E-05 5.48E-06 2.10E-07 L1_FIRE_PROT 1.65E-05 7.13E-06 2.73E-07 L1_SEIS_PROT 8.14E-06 3.68E-06 1.41E-07 Total ICLERP 6.90E-10 L2_INT_PROT 3.29E-07 2.00E-09 7.67E-11 L2_FIRE_PROT 2.85E-07 1.60E-08 6.14E-10 L2_SEIS_PROT 1.85E-06 Negligible Negligible Compensatory Measures CDF/LERF CDF/LERF ICCDP/ICLERP Total ICCDP 3.95E-07 L1_INT_COMP 8.88E-06 2.86E-06 1.10E-07 L1_FIRE_COMP 1.32E-05 3.83E-06 1.47E-07 L1_SEIS_COMP 8.08E-06 3.62E-06 1.39E-07 Total ICLERP -1.30E-09[1]

L2_INT_COMP 3.16E-07 -1.10E-08 -4.22E-10[1]

L2_FIRE_COMP 2.46E-07 -2.30E-08 -8.82E-10[1]

L2_SEIS_COMP 1.85E-06 Negligible Negligible Page 75

RHR CT Extension Risk Evaluation Table A-10 PRA Computation Results Summary CASE CDF/LERF CDF/LERF ICCDP/ICLERP LOSP Sensitivity Total ICCDP 6.71E-7 L1_INT_SENS 1.20E-05 5.98E-06 2.29E-7 L1_FIRE_SENS 1.72E-05 7.83E-06 3.00E-7 L1_SEIS_SENS 8.14E-06 3.68E-06 1.41E-7 Total ICLERP 1.04E-9 L2_INT_SENS 3.33E-07 6.00E-09 2.30E-10 L2_FIRE_SENS 2.90E-07 2.10E-08 8.05E-10 L2_SEIS_SENS 1.85E-06 0.00E+0 0.00E+0 F&O 2-2 Baseline CDF/LERF CDF/LERF ICCDP/ICLERP L1_INT_RAI_BASE 6.79E-06 L1_FIRE_RAI_BASE 1.12E-05 L1_SEIS_RAI_BASE 4.48E-06 L2_INT_RAI_BASE 3.33E-07 L2_FIRE_RAI_BASE 2.92E-07 L2_SEIS_RAI_BASE 1.85E-06 F&O 2-2 Sensitivity CDF/LERF CDF/LERF ICCDP/ICLERP Total ICCDP 7.96E-07 L1_INT_RAI 1.55E-05 8.71E-06 3.34E-07 L1_FIRE_RAI 1.92E-05 8.00E-06 3.07E-07 L1_SEIS_RAI 8.51E-06 4.03E-06 1.55E-07 Total ICLERP 9.21E-10 L2_INT_RAI 3.35E-07 2.00E-09 7.67E-11 L2_FIRE_RAI 3.14E-07 2.20E-08 8.44E-10 L2_SEIS_RAI 1.85E-06 Negligible Negligible

[1]

When crediting the additional comp measures for HPCS, LPCS and RHR-C, the LERF value result is less than the baseline result.

Page 76

RHR CT Extension Risk Evaluation Table A-11 Significant Internal Events Accident Sequences: RHR A OOs with Protected system as directed by PPM 1.3.83

% Contribution to Sequence ID Sequence Description CDF Internal event flood that causes loss of plant service water. HPCS unavailable.

RCIC success but fail eventually due to back pressure. Decay heat removal 13.4%

REC-L1-FLTSW006 unavailable. Containment venting fail due to flood Small main steam leak outside containment. High Pressure injection unavailable.

Depressurization and low pressure succeeded. Decay heat removal unavailable. 6.1%

REC-L1-FLSMS007 Containment venting fail due to flood.

Moderate main steam leak outside containment. High Pressure injection unavailable. Depressurization and low pressure succeeded. Decay heat removal 4.0%

REC-L1-FLUMS007 unavailable. Containment venting fail due to flood.

Loss of Feedwater initiating, HPCS success, failure of heat removal due to operator action fail. Containment vent fail due to operator action. Eventually containment fail 3.5%

which will fail HPCS. Operator success to depressurize but low pressure injection REC-L1-TF006 fail due to operator action Involves a small reactor feedwater leak outside containment that causes an initiating event. HPCS is unavailable due to random causes of DG3, but RCIC is available for injection. Core damage occurs due to the unavailability of containment 3.3%

heat removal.

REC-L1-FLSRF006 Page 77

RHR CT Extension Risk Evaluation Table A-12 Significant Fire Accident Sequences: RHR A OOs with Protected system as directed by PPM 1.3.83

% Contribution to Sequence ID Sequence Description CDF (T(E)N025) represents a fire event in the turbine building corridor, TG-12. Fire damage produces a loss of offsite power, and unavailability of RHR B, RHR C and HPCS. Depressurization succeeds. SPC is unavailable (due to RHR A in RECL1T(E)N025 24.8%

maintenance), RCIC successfully provides injection, but long term operation of RCIC fails due to unavailability of SPC.

(TF027) represents a fire event in the NW quadrant of the reactor building 471 elevation. Fire damage produces a loss of feedwater / condensate, HPCS, RCIC, and LPCS. High pressure injection is unavailable (due to fire), but depressurization succeeds. LPCI B and C and the service water crosstie are unavailable due to RECL1TF027 unavailability of service water pump B HVAC (PRAAHUS--1B-S3LL). LPCI A is 14.1%

unavailable due to maintenance. Core damage occurs due to a loss of core cooling.

(TF023) represents a fire event in the reactor building 522 elevation. Fire damage produces a loss of feedwater / condensate, RCIC, RHR A, LPCI C and LPCS.

HPCS is unavailable due to maintenance (HPS---------T3LL), but depressurization RECL1TF023 and LPCI B succeed. SPC from Loop B is unavailable due to hot short of RHR-V- 12.1%

23 (HS-RHRV-MO-23). LPCI / RHR A are unavailable due to maintenance. Core damage occurs due to loss of decay heat removal.

TT018) represents a fire event in the division 2 electrical equipment room, RC-07.

Fire damage produces a turbine trip, and FW / PCS, RHR B and C and CRD are unavailable due to fire damage. RCIC is successful initially, but SPC is unavailable for continued operation for RCIC operation (RHR B is unavailable due to the fire RECL1TT018 9.3%

and RHR A is out of service). CRD is unavailable once RCIC reaches operational limits. Late depressurization succeeds, but alternate injection fails due to RHR B and C unavailable due to fire, LPCS is unavailable for maintenance, condensate and SW cross-tie unavailability due to fire.

The above sequence (SBO-R044) represents a full PAU burn-up fire event in the cable chase, RC-03. Fire suppression fails, and this scenario leads directly to core RECL1SBOR044 7.8%

damage due to fire impacts.

Page 78

RHR CT Extension Risk Evaluation Table A-13 Significant Seismic Accident Sequences: RHR A OOs with Protected system as directed by PPM 1.3.83

% Contribution to Sequence ID Sequence Description CDF SDS2-50) represents a seismic event that results in seismic damage state 2, which is a loss of PCS, the condensate storage tank, offsite power and a small-small LOCA. RHR B is unavailable due to the unavailability of the division 2 DG (EACENG-EDG2SS4D2). For this particular sequence, high pressure injection fails 39.1%

due to CST unavailable and operator failed to transfer HPCS to the suppression pool, but depressurization and low pressure injection (LPCS) are successful.

Recovery of offsite power failed (NRAC24H-SEIS). Core damage occurs as a REC-L1-SDS2-50 result of the unavailability of suppression pool cooling and containment venting.

(SDS42-02) represents a seismic event that results in seismic damage state 42, which is a failure of the reactor pressure vessel and proceeds directly to core 29.2%

damage.

REC-L1-SDS42-02 (SDS41-01) represents a seismic event that results in widespread failure of ECCS 10.1%

REC-L1-SDS41-01 and proceeds directly to core damage (SDS41-02) represents a seismic event that results in widespread failure of ECCS and proceeds directly to core damage. 10.1%

REC-L1-SDS41-02 (SDS2-47) represents a seismic event that results in seismic damage state 2, which is a loss of Power Conversion System (PCS), the condensate storage tank, offsite power and a small-small LOCA. RHR B is unavailable due to the unavailability of SW B HVAC (PRAAHUS--1B-S3LL). For this particular sequence, high pressure injection fails because CST fail and operator fails to transfer HPCS to the 3.5%

suppression pool, but depressurization and low pressure injection (LPCS) succeed.

Offsite power is recovered within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, but core damage occurs as a result of the unavailability of SPC and containment venting.

REC-L1-SDS2-47 Page 79

RHR CT Extension Risk Evaluation Attachment B This attachment provides the results for the sensitivity studies documented in Section 6.

Page 80

RHR CT Extension Risk Evaluation Table B-1 14-DAY EXTENSION RHR PREVENTIVE MAINTENANCE Average Maintenance Model - With Protected Trains per PPM 1.3.83 and Compensatory Measures: HPCS (and support systems), RCIC, LPCS, TRS, and RHR-C Risk Metric Acceptance Guideline PRA Results RHR A - ICCDP (Total) 3.95E-7 RHR A - ICCDP (Internal Events) 1.10E-7

< 1.0E-6 RHR A - ICCDP (Fire) 1.47E-7 RHR A - ICCDP (Seismic) 1.39E-7 RHR A - ICLERP (Total) -1.30E-9(1)

RHR A - ICLERP (Internal Events) -4.22E-10(1)

< 1.0E-7 RHR A - ICLERP (Fire) -8.82E-10(1)

RHR A - ICLERP (Seismic) Negligible Note to Table B-1:

(1)

Negative ICLERF results indicate that the LERF results are not sensitive to RHR A being unavailable and the compensatory measures have a greater influence on risk that the unavailability of RHR A.

Table B-2 14-DAY EXTENSION RHR PREVENTIVE MAINTENANCE Average Maintenance Model - With Protected Trains per PPM 1.3.83 and Loss Offsite Power Frequency Doubled Risk Metric Acceptance Guideline PRA Results RHR A - ICCDP (Total) 6.71E-7 RHR A - ICCDP (Internal Events) 2.29E-7

< 1.0E-6 RHR A - ICCDP (Fire) 3.00E-7 RHR A - ICCDP (Seismic) 1.41E-7 RHR A - ICLERP (Total) 1.04E-9 RHR A - ICLERP (Internal Events) 2.30E-10

< 1.0E-7 RHR A - ICLERP (Fire) 8.05E-10 RHR A - ICLERP (Seismic) Negligible Table B-3 14-DAY EXTENSION RHR PREVENTIVE MAINTENANCE Average Maintenance Model - With Protected Trains per PPM 1.3.83 Sensitivity for Resolution of F&O 2-2 Risk Metric Acceptance Guideline PRA Results RHR A - ICCDP (Total) 7.96E-7 RHR A - ICCDP (Internal Events) 3.34E-7

< 1.0E-6 RHR A - ICCDP (Fire) 3.07E-7 RHR A - ICCDP (Seismic) 1.55E-7 RHR A - ICLERP (Total) 9.21E-10 RHR A - ICLERP (Internal Events) 7.67E-11 RHR A - ICLERP (Fire) < 1.0E-7 8.44E-10 RHR A - ICLERP (Seismic) Negligible Page 81

GO2-16-119 Page 1 of 35 Technical Adequacy of Columbia PRA for TSTF-425

GO2-16-119 Page 2 of 35 1.0 OVERVIEW The following is the discussion of the Columbia Probabilistic Risk Assessment (PRA) -

commonly identified as Probabilistic Safety Assessment (PSA) technical adequacy as provided in the Energy Northwest License Amendment Request (LAR) for Adoption of Technical Specification Task Force Traveler (TSTF)-425, REVISION 3 and as supplemented by responses to requests for additional information for said LAR (ADAMS Accession Nos. ML15093A178, ML15260A570, ML15302A492, ML160984A387, and ML16174A432). The PRA technical adequacy also meets the requirements for the proposed one-time change in the Completion Time (CT) for Technical Specification (TS) conditions 3.5.1.A, 3.6.1.5.A, and 3.6.2.3.A. There are no open F&Os and the PRA model satisfies capability category II of the internal events standard, which is adequate to support a CT change evaluation of TS. Since this information is applicable to the current submittal, it is therefore provided below.

2.0 DOCUMENTATION OF PROBABILISTIC RISK ASSESSMENT TECHNICAL ADEQUACY FOR LICENSE AMENDMENT REQUEST FOR ADOPTION OF TECHNICAL SPECIFICATION TASK FORCE TRAVELER (TSTF)-425, REVISION 3 Introduction The NRC has previously reviewed the Columbia PSA for technical adequacy as part of the approval for License Renewal. By letter dated January 19, 2010, Energy Northwest submitted an application to the NRC to issue a renewed operating license for Columbia for an additional 20 years. As part of this submittal, Columbia submitted an assessment of Severe Accident Mitigation Alternatives (SAMAs), based on what was then the most recent Columbia PSA (Revision 6.2). During the NRC review of the SAMAs, the NRC issued requests for additional information (RAIs), and Columbia responded to the requests. Also during this review process, the PSA was updated from Revision 6.2 to Revision 7.1. As part of the responses to the RAIs, Columbia provided updated PSA information to the NRC based on PSA Revision 7.1. The PSA Revision 7.1 model incorporated the following:

x Resolution of Facts and Observations (F&Os) from the 2004 peer review; x Resolution of areas of model incompleteness identified by Columbia internal technical reviews; x Upgrades to meet NRC RG 1.200, Revision 2 and the associated ASME Standard RA-S-2008 for Level 1, LERF, and flooding modeling; and x Other plant and procedure changes.

The above changes were first incorporated in the PSA Revision 7.0 model, for which a peer review was performed in 2009 on Level 1 and 2 internal events, which included internal flooding, and a report was issued in January 2010. The F&Os from this peer review that could significantly impact the model quantification were incorporated into the

GO2-16-119 Page 3 of 35 Revision 7.1 model, and a review of the remaining F&Os associated with supporting requirements (SupRs) that were graded as CC-1 or not met identified none that would significantly impact the results of the SAMA analysis.

The NRC reviewed the information provided by Columbia concerning the internal events PSA model, seismic PSA model, Fire PSA model, and "other" external events PSA model. This review is documented in NUREG-1437, Supplement 47, Volume 1, "Generic Environmental Impact Statement for the License Renewal of Nuclear Plants Regarding Columbia Generating Station" (ADAMS Accession No. ML12096A334). The information regarding PSA revisions 6.2, 7.0, and 7.1 are included in NUREG-1437, Supplement 47, Volume 1, Section 5.3.2. In addition, the following statements of acceptability of the Columbia PSA model were made by the NRC in Section 5.3.2.

Internal Events "The Columbia internal events model has been peer-reviewed, the peer findings were all resolved and their impact assessed in a sensitivity analysis using the updated PSA model, and Energy Northwest has satisfactorily addressed NRC staff questions regarding the PSA. Based on this information, the NRC staff concludes that the internal events Level 1 PSA model is of sufficient quality to support the SAMA evaluation."

Seismic "The Columbia internal events modeling is an input to the seismic PSA model, the seismic PSA has been updated to a more recent external events PSA standard, the SAMA evaluation included a sensitivity analysis of the seismic CDF, and Energy Northwest has satisfactorily addressed NRC staff RAIs regarding the seismic PSA.

Based on this information, the NRC staff concludes that the seismic PSA model in combination with the sensitivity analysis of the seismic CDF provides an acceptable basis for identifying and evaluating the benefits of SAMA."

Fire "The Columbia internal events modeling is an input to the Fire PSA model, has been updated to incorporate industry fire data and NRC guidance, the fire PSA has been peer reviewed and the peer review findings were all addressed, and Energy Northwest has satisfactorily addressed NRC staff RAIs regarding the fire PSA. Based on this information, the NRC staff concludes that the fire PSA model provides an acceptable basis for identifying and evaluating the benefits of SAMAs."

"Other" External Events "The NRC staff reviewed the Level 2 methodology and found that Energy Northwest adequately addressed NRC staff RAIs, the Level 2 PSA model was reviewed in more detail as part of the 1997 and 2004 peer reviews, and the findings from these peer

GO2-16-119 Page 4 of 35 reviews have been resolved and their impact assessed in a sensitivity analysis using the updated PSA model. Based on this information, the NRC staff concludes that the level 2 PSA provides an acceptable basis for evaluating the benefits associated with various SAMAs."

Columbia has recently updated the PSA internal events model to Revision 7.2. Based on the previous NRC review and acceptability of the Columbia PSA Revision 7.1 model, the remainder of this section includes a general description of the PSA model and those changes from PSA Revision 7.1 to PSA Revision 7.2, and the basis for the technical adequacy of these changes.

General Description of the Columbia PSA Model The Columbia PSA is performed in accordance with the Capability Category II requirements of ASME / ANS Standard, as clarified by Regulatory Guide 1.200. The PSA is a full scope PSA (the shutdown PSA and the external events including earthquakes, fires and winds are reported elsewhere and not discussed in this section) which uses a Level 1 analysis to model core damage frequencies and a Level 2 analysis to model containment performance characteristics during severe accidents. In the Level 1 analysis, a mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> was generally assumed for all equipment which plays a role in providing core protection functions after a transient and in the Level 2 analysis, a period of up to 40 hours4.62963e-4 days <br />0.0111 hours <br />6.613757e-5 weeks <br />1.522e-5 months <br /> was used to simulate and monitor predictions of containment performance following the occurrence of an accident sequence initiating event. The phenomenological uncertainties embodied in the Level 2 analysis were held to a minimum by using referenced assumptions wherever possible.

The final results of the containment performance assessment are presented as "best point estimates."

The Columbia PSA uses the "large fault tree/small event tree" approach to identify and quantify individual accident sequences. With this approach, functionally descriptive event trees are used to model the possible accident sequences which result in core damage, and initiatorspecific containment event trees are used to represent possible containment behavior following a core melt accident. Detailed system fault trees are merged to quantify individual event tree sequences in both the Level 1 and Level 2 analyses. The CAFTA and PRAQuant computer codes are used to perform the quantification and both the RETRAN and MAAP computer codes were used to characterize plant, containment, and fission product behavior.

The effects of common cause failures are included as basic events in the Columbia system fault trees and are quantified by the alpha factor method. This method provides a numerical estimate for the common cause failure probability which should be assigned to account for the likelihood that the plant would experience simultaneous failures of two or more identical components in a single train or multiple trains in a single system.

GO2-16-119 Page 5 of 35 To ensure that the role of the operating staff is fully credited by the analysis, preaccident and majority of the postaccident human actions were explicitly modeled in the detailed system fault trees, and recovery actions were linked to the functional headings in the event trees. A plant specific human reliability analysis (HRA) is used to predict preaccident and postaccident human error probabilities for each of the modeled human actions. The potential dependencies between multiple operator actions performed in accident sequences modeled by the PSA have been evaluated and modeled. The HRA dependency evaluation examines potential influences on the failure likelihood for a task from the failure or success of the immediately preceding task.

The Level 1 and Level 2 PSA analyses were performed following the methodology and major tasks as described in NUREG/CR2300, "PSA Procedures Guide" for Level 1 and Level 2 PSA. The major Level 1 tasks include information gathering of plant specific data, P&IDs, test, maintenance, operating procedures, and physical room, containment, and building information. The system analysis methodology utilizes the small event tree

/ large fault tree approach. The event trees combine the initiating event with system functional successes or failures to delineate the accident sequences. The fault trees are developed to the component, relay, and sensor level of detail. The system modeling includes human reliability and common cause failure events, utilizing plant specific failure data to the extent possible. The human reliability analysis (HRA) primarily utilizes the Cause-Based Decision Tree (CBDTM) methodology to estimate cognitive error probabilities for actions not constrained by timing, and the Human Cognitive Reliability/Operator Reliability Experiments (HCR/ORE) methodology for timeconstrained actions, and Technique for Human Error rate Predication (THERP) to estimate execution error probabilities. Common cause modeling is performed with the alpha factor method utilizing data from the NRC Parameter Estimation database. The PSA is quantified using the CAFTA and PRAQuant computer codes.

The Level 2 tasks include grouping the Level 1 sequences into several bins or plant damage states, characterizing containment failure modes and locations, developing and quantifying logic trees and containment event trees, determining the magnitude of the radionuclide release, and performing sensitivity studies. The MAAP computer program was used to provide an integrated approach for modeling of plant thermal hydraulic response and fission product transport during severe accidents. In addition, research results in the open literature, Industry Degraded Core Rulemaking Group (IDCOR) task reports, the Shoreham and Limerick PRAs, NUREGs, and engineering judgment were used in understanding accident progression and quantifying event trees.

The Level 1 analysis is coupled with the Level 2 analysis through the binning of the multitude of the Level 1 sequences into several groups of plant damage states with similar Level 2 characteristics. Results of a structural analysis performed for Columbia are used to assess containment strength, failure size and location. MAAP calculations, analytical models, and widely accepted research results are employed in the accident progression analysis. Based on this information, containment event trees and logic trees were developed to provide a description of the containment damage states. The

GO2-16-119 Page 6 of 35 containment event trees were quantified using the CAFTA and PRAQuant codes. The end states of the containment event trees were then grouped into a limited but complete set of unique release categories. Representative MAAP calculations include Large Early Release Frequency (LERF) were performed to provide an estimate of the fission product release to the environment. Finally, a sensitivity analysis was performed to investigate important parameters that could have large impact on the likelihood or time of containment failure and the magnitude of the source term. The results were used to identify the areas for which potential improvements of the plant might be considered.

Because of the consistency throughout the process and the linking and merging capabilities of the CAFTA and PRAQuant codes, dependencies, common cause effects, and system interaction are accounted for by the PSA.

CAFTA and PRAQuant, PCbased programs developed by Electric Power Research Institute (EPRI), are used to quantify the Level 1 and Level 2 accident sequences.

CAFTA is used to convert the systemlevel fault trees into a single master fault tree that solves all event tree sequences from a single top gate (specifically, one top gate for the Level 1 solution, and one top gate for the Level 2 solution).

Verification of the CAFTA results was performed by installing the software on inhouse PCs, its fault tree and sequence results were checked against a CAFTA sample quantification. They were found to be identical. CAFTA has been verified and validated in accordance with Energy Northwest's computer code Verification and Validation procedure.

Changes from PSA Revision 7.1 to PSA Revision 7.2 x PRA Update - Update to the current as-built, as-operated plant, this included incorporation of outstanding Engineering Changes, current procedure revisions, and new reliability information. Also included in the update of the PRA model to Revision 7.2, was Revision 3 of Emergency Operating Procedures/Severe Accident Guidelines that were approved and implemented for addressing Fukushima lessons learned.

x This update also involved conversion from WINUPRA computer code to CAFTA computer code. This involved reconciliation of all cutsets to Revision 7.1 event tree model above the Revision 7.1 truncation level, 5E-12 (55,000+ cutsets). By reconciling the cutsets this provides a high level of confidence in the conversion necessary for PRA applications and ensured continued support of Capability Category II.

x Resolved 109 of 131 self-assessment including peer review comments accumulated over the 5 years preceding submittal of the LAR for Adoption of Technical Specification Task Force Traveler (TSTF)-425, REVISION 3 in March 2015. There were two open findings from the 2009 peer review remain open with

GO2-16-119 Page 7 of 35 this minor update and are discussed below. This effort addresses comments /

suggestions judged to be medium-or-higher priority, with the highest priority applied to the items addressing modeling enhancements. Additional suggestions and self-assessment findings that are documentation-related were postponed based upon risk impact. Resolving these open comments / suggestions improved model realism to further support PSA Capability Category II.

x Discovered and corrected support system dependency modeling in motor control center heating and ventilation including containment venting.

x Credited and modeled a new operator action - Manual containment vent (MAN-VENTFAIL) x Updated the HRA dependency analysis to utilize the HRA Calculator dependency module. This update was needed to assess dependence for the new HFE added to the model for manual containment vent, as well as include risk-significant dependent combinations missing in Rev. 7.1 (300 cutsets were reviewed for dependent HFE combinations in Rev. 7.1 versus 1.3 million cutsets in Rev. 7.2).

x Updated the HRA Calculator development to utilize the CBDTM or human cognitive reliability / operator reliability experiment methods to estimate cognitive human error probabilities, rather than the combination sum (CBDTM + ASEP) approach, which follows industry and NRC guidance consensus.

x These changes to the modeling were specifically focused on aligning the PSA model with the as built and as operated facility. It improved the realism of the PRA model and with the incorporation of the outstanding changes and addressing open suggestions and findings resolved issues that had been identified with the model These changes to the modeling were specifically focused on aligning the PSA model with the as built and as operated facility. It improved the realism of the PRA model and with the incorporation of the outstanding changes and addressing open suggestions and findings resolved issues that had been identified with the model.

The two open findings from the 2009 peer review which were not addressed in the PSA model update from Revision 7.1 to Revision 7.2 are discussed as follows and the impacts identified:

F&O 2-2, Finding, SupR DA-C6:

Observation:

The number of plant-specific demands on standby components was mainly documented for the maintenance rule and MSPI components. Tier 3 PSA

GO2-16-119 Page 8 of 35 documents for PSA-2-DA-0002 show the details. Estimates based on the surveillance tests and maintenance acts as described in this SR should be performed even though the major components have been included in the MSPI data.

Estimates based on the surveillance tests and maintenance acts as described in DA-C6 and DA-C7 should be performed for significant components whose data are not tracked in the MSPI data.

(This F&O originated from Supporting Requirement DA-C6)

Recommendation:

Update the estimates for significant events based on surveillance test and maintenance records.

Impact:

As a sensitivity, the base data for these failure modes were replaced by the following generic data (NUREG/CR-6928) and the model was quantified. This change in data produces a bounding delta CDF increase of 2%, which is a risk-significant difference, but relatively unlikely to change the conclusions of risk-informed decisions. However, until this F&O finding is resolved, PRA applications will perform this sensitivity analysis to examine whether the application is impacted.

x C---W2 = 9.2E-5/hr (compressor loss of function) x C---W4 = 9.2E-5/hr (compressor loss of function) x FN--R3 = 4.6E-3 (fan fails to start) x FN--W4 = 1.1E-5/hr (fan fails to run) x AHUSS3 = 1.2E-3 (standby air handling unit fails to start) x AHURW4 = 1.4E-5/hr (running air handling unit fails to run)

F&O 2-14, Finding, SupR SY-A4:

Observation:

Interviews with plant system engineers or operators have not been documented and cannot be verified by the peer review team. Original interviews were performed for the original IPE.

System and operations change over time, and the system engineers and operators should be consulted with regard to the system models.

(This F&O originated from SR SY-A4)

GO2-16-119 Page 9 of 35 Recommendation:

Perform and document the interviews with the system engineers and/or operators to confirm that the systems analysis correctly reflects the as-built, as-operated plant. It may be reasonable to develop a process that, following an initial interviews, the confirmation the model matches the as-built, as-operated plant is confirmed through review or discussion with the system engineers -

typically through a periodic review of the notebook performed in accordance with plant procedures.

Impact:

SY-A4 only meets Capability Category I due to this open finding. Until this F&O finding is resolved, PRA applications will perform this sensitivity analysis to examine whether the application is impacted.

Conclusion Based on the above information, Energy-Northwest believes that the quality of the current PSA is sufficient to support Adoption of TSTF-425 and the remaining open F&Os do not unduly impact the result.

3.0 SUPPLEMENTAL INFORMATION AS A RESULT OF REQUESTS FOR ADDITIONAL INFORMATION ON THE LAR FOR ADOPTION OF TECHNICAL SPECIFICATION TASK FORCE TRAVELER (TSTF)-425, REVISION 3 3.1 Response dated September 17, 2015 (ML15260A570) to August 12, 2015 Request for Additional Information (ML15224B646)

NRC Request

1. The LAR mentions a number of peer reviews and a self-assessment:

x A peer review had been performed in 2004.

x A peer review had been performed in 2009 and a report issued in January 2010. Findings and Observations (F&Os) included those graded as capability category I (CCI) or not met.

x A self-assessment had been performed.

x A Fire Probabilistic Risk Assessment (PRA) peer review had been performed.

a. Please clarify which peer reviews (internal events PRA, Fire PRA, or other PRA) were full scope or focused scope, discuss the peer review guidance, standards, and regulatory guidance followed, and confirm the reviews were conducted consistent with applicable guidance and standards. Please clarify whether the

GO2-16-119 Page 10 of 35 internal events PRA was reviewed to the Addenda to American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) RA-S-2008 (i.e.,

ASME-ANS RA-Sa-2009). If reviews were not conducted consistent with applicable guidance and standards, please describe your plans to address any shortcomings in the review. With regard to the self-assessment, please describe when this was performed and the scope of the self-assessment, and whether it included a gap assessment between Regulatory Guide (RG) 1.200, Revision 1, An Approach for Determining the Technical Adequacy of a Probabilistic Risk Assessment Results for Risk-Informed Activities, (ADAMS Accession No. ML070240001) and RG 1.200, Revision 2 (ADAMS Accession No. ML090410014), for the internal events PRA. Please also provide additional information on the Fire PRA peer review describing when it was performed and what the peer review entailed.

b. Please provide the internal events PRA (including flooding) F&Os graded as CCI or not met and describe your disposition of these F&Os from the 2009 peer review and self-assessment.
c. If PRA models other than the internal events PRA model are used for detailed quantitative analysis versus for qualitative or bounding analyses, then please address the technical adequacy guidance of RG 1.200, Revision 2. If the LAR is requesting to use these PRA models as such, provide the F&Os graded as CCI or not met and describe your disposition of these F&Os from the peer reviews.

Energy Northwest Response:

1.a:

The following discussion clarifies which Columbia Generating Station (CGS) peer reviews (internal events PRA, fire PRA, and seismic PRA) were full scope or focused scope and discusses the peer review guidance, standards, and regulatory guidance followed. All reviews were conducted consistent with applicable guidance and standards.

Internal Events PRA In 2004 the CGS Revision 5.0 internal events PRA received a full scope peer review against the Capability Category II (CC-II) requirements of the ASME/ANS PRA Standard, ASME RA-Sa-2003, as clarified by Regulatory Guide (RG) 1.200 (DRAFT),

using the industry peer review process guidelines described in Nuclear Energy Institute (NEI) NEI-00-02, Revision A-3, Probabilistic Risk Assessment Peer Review Process Guidance.

In 2009, the CGS Revision 7.0 internal events PRA received a full scope peer review from the Boiling Water Reactor Owners Group (BWROG) against the ASME/ANS PRA

GO2-16-119 Page 11 of 35 Standard ASME/ANS RA-Sa-2009, as clarified by Regulatory Guide (RG) 1.200, Revision 2, using the industry peer review process guidelines in NEI-05-04, Revision 2, Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard.

CGS Fire PRA The fire PRA has not been upgraded to meet CC-II for the supporting requirements (SRs) of the combined ASME/ANS Standard, ASME/ANS RA-Sa-2009. There are no plans to perform a peer review of the current version of the fire PRA.

In 2004, the CGS Revision 1 fire PRA (FPRA) received a full scope peer review as part of the internal events peer review. At the time, the fire PRA peer review process had limited industry and regulatory guidance available. The following is an excerpt from the 2004 Peer Review report on the guidance used:

a technical checklist for conducting a FPRA Peer Review was developed based on the available references for use in the PRA Peer Review of the CGS Fire PRA.

In general, the objectives of the checklists are to provide a structured process to confirm:

1. Use of acceptable methodology in comparison with current state of the art and industry practices.
2. Appropriateness of methodology and analysis scope given intended application.
3. Analysis is free of obvious errors or misapplications
4. Acceptable level of detail to support the specific application under review -

S/G AOT Extension The Fire PRA Peer Review checklists were developed based in ERINs standard practices for FPRAs, the guidance provided in NEI 00-02, The [Electrical Power Research Institute] EPRI Fire PRA Implementation Guide, the industry responses to the NRC Generic RAIs, and Regulatory Guide (RG) 1.200. ERINs standard project approach for conducting a FPRA formed the basic framework and structure for the checklist. The NEI 00-02 document provided guidance for the depth of review while the RG 1.200 and EPRI documents provided specific issues for review. Based on this Information, the checklists are structured using six topical areas:

1. Fire Areas and Fire Compartments (FC)
2. Cable and Equipment Location Data (CE)
3. Developments of Fire Ignition Frequencies (FI)
4. FPRA Model Development - Plant Response (FM)

GO2-16-119 Page 12 of 35

5. Fire Scenario Development (FS)
6. FPRA Model Quantification (MQ)

CGS Seismic PRA The CGS seismic PRA (SPRA) has not been peer reviewed. The SPRA has not been upgraded to meet CC-II for the supporting requirements of the combined ASME/ANS Standard, ASME/ANS RA-Sa-2009. There are no plans to perform a peer review of the current version of the seismic PRA.

PRA Self-Assessment Process No gap assessment between RG 1.200 Revision 1 and Revision 2 has been performed on the CGS PRA. CGS Revision 7.0 internal events PRA received a full scope peer review from the BWR Owners Group against the ASME/ANS PRA Standard, ASME/ANS RA-Sa-2009, as clarified by Regulatory Guide 1.200, Revision 2, using the industry peer review process guidelines in NEI 05-04, Revision 2.

A Self-Assessment as described in the submittal refers to the process in which PRA modeling self-identified facts and observations (F&O) are entered into the CGS F&O database for inclusion in the next modeling update.

1.b:

The 2009 internal events peer review and self-assessment findings assigned to SRs that were graded as CC-I or not met are presented in Table 1. Dispositions of findings are provided in Table 2.

Table 1 F&Os for SRs Graded as CC-I or Not Met by the 2009 Peer Review and Self-Assessment SR 2009 Peer F&Os Review Assessment IE-C14 Not Met 1-10, 1-14 SY-A4 CC-I 2-14 SY-A14 Not Met 2-16, 2-17 SY-A24 Not Met 3-11 SY-B1 Not Met 6-10, 6-8, 6-9 SY-C2 Not Met 2-14, 2-16, 2-17 HR-D2 CC-I 1-23 HR-D3 CC-I 1-23 HR-D4 Not Met 1-23 HR-G3 CC-I 1-3 DA-D1 CC-I 3-1 LE-C7 Not Met 1-3, 1-33, 1-42, 1-43

GO2-16-119 Page 13 of 35 Table 1 F&Os for SRs Graded as CC-I or Not Met by the 2009 Peer Review and Self-Assessment SR 2009 Peer F&Os Review Assessment LE-D4 Not Met 1-10, 1-14, 1-43 LE-G6 Not Met 2-18 IFPP-B3 Not Met 2-28 IFQU-A6 Not Met 1-3, SA-IF-E5a-1 MU-C1 Not Met 4-7

GO2-16-119 Page 14 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 1-10 High Pressure Core Spray (HPCS) notebook does not Consider the quarterly test of V-4 Peer Resolved: YES SupRs: include the Surveillance Test for HPCS-V-4. Additionally, the in the ISLOCA analysis. Update Review To resolve this finding, an ISLOCA assessment was IE-C14 screening for HPCS in the ISLOCA Section of the Initiating the HPCS notebook to include IST performed for the HPCS system, including consideration of Event Notebook (appendix E) does not account for the for HPCS valves, including V-4. HPCS-V-23, HPCS-V24, and the inservice testing of LE-D4 possibility of ISLOCA during testing of this valve. A possible HPCS-V-4 and as discussed in the finding. Documentation scenario is, prior to V-4 test, the injection Check Valve V-5 of this assessment was added to Appendix E, ISLOCA has failed open, and once the test has completed, V-4 does Initiating Event Frequency, of the initiating events notebook.

not close and V-24 fails (may be CC). The result is ISLOCA to low pressure piping.

OSP-HPCS/IST-Q701 lists V-4 as being tested quarterly. V-23 is open during the test, given reactor is at pressure.

F&O 1-14 ISLOCA analysis applies a conditional probability of valve ISLOCA analysis should be revised Peer Resolved: YES SupRs: closure from NSAC-154, but applies this to NUREG/CR- to remove NSAC-154 factors, and Review The ISLOCA event tree was modified to address this peer 6928 data. See IE notebook, Table E-1. Application of The apply factors based on the latest review finding.

IE-C14 NSAC data does not appear appropriate when applied to valve failures in NUREG/CR-6928. The ISLOCA analysis was revised to replace older valve LE-D4 NUREG/CR-6928.

failure data published by NSAC-154 with the latest valve The new valve failure data, such as check valve internal failure data published in NUREG/CR-6928, wherever newer rupture, is not applicable to the older factors for valve re- data was available.

closes. For example, CV closes following pipe failure (0.01)

A review of NUREG/CR-5124 revealed that the conditional is based on older data, while the NUREG/CR-6928 data for probability of check valve closure (event tree node CV) is check valve rupture would typically have screened failures applicable only to scenarios in which a testable check valve where the check valve stuck open (fails to close), but later is held open due to reverse air flow to the controller. The reclosed. ISLOCA is risk significant, and the factors affect 0.01 credit had minimal impact on the ISLOCA sequence multiple sequences.

cutsets, as the significant check valve failures are leakage and rupture. Therefore, event tree node CV was removed from the ISLOCA event tree.

Event tree node SML (small leak through the high/low pressure interface) is moved to an earlier position in the event tree, as leaks through the high/low pressure boundary are judged to be isolable (the 900-pound MOVs that are present at the boundaries are judged to be capable of closing against a leak). The model retains the assumption that MOVs would not likely close if a piping rupture and interface rupture were to occur, per NUREG/CR-5124 guidelines.

Also, the event tree node ISOVAV (early isolation of the ISLOCA) probability has been changed to a 0.1 based on documentation provided with the CGS SPAR model.

From the CGS SPAR model documentation:

GO2-16-119 Page 15 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution Without doing detailed pressure capacity calculations and F&O 1-14 detailed modeling of the expected internal pressures and temperatures expected in the connected systems, it is SupRs:

impossible to predict the location of potential ruptures. Even IE-C14 with detailed calculations and modeling, precise rupture LE-D4 locations are impossible to identify. Nevertheless, some general observations can be made based on the GI-105 research. For most situations the RHR heat exchanger, and pump suction pipe are the components with the lowest pressure capacities. Generally, these components are positioned within the systems such that one or more valves are available to isolate a rupture, should an ISLOCA occur at these locations. However, it is possible that if the pressure isolation interface were to fail, that either the available valves would not successfully isolate the rupture, or the rupture could occur in a location that cannot be isolated. To account for these possibilities, a generic 10%

probability is assumed that if a rupture were to occur, it cannot be isolated.

This 10% probability for the rupture being non-isolable can be considered to be a reasonable estimate for a number of reasons. First, virtually every rupture location examined as part of the GI-105 research program was found to be potentially isolable. The pipe and other components (e.g.,

pump suction pipe and RHR heat exchangers) that are most susceptible to over-pressure induced rupture, are located deeper within the connected system such that a number of valves are typically available for isolating the rupture. Further, the typical failure mode postulated in the ISLOCA analysis for motor operated valves is spurious operation. The few actual instances of this observed in the operating experience were all recoverable from the control room. However, one factor that affects the ability to isolate the rupture is local accessibility. If a rupture were to occur, the resulting local environment would likely preclude access to the immediate vicinity. Therefore, if local access was necessary, and if the potential isolation valves were located close to the rupture then isolation would be unlikely. Again, the research performed to support resolution of GI-105 included an assessment of induced flooding and the resultant environment. That work concluded these effects

GO2-16-119 Page 16 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution would not significantly affect the ISLOCA risk. Therefore, F&O 1-14 the non-isolable ruptures are assumed to compose 10% of the potential ISLOCA ruptures.

SupRs:

The accident sequence notebook was updated to reflect all IE-C14 of these changes to the ISLOCA model.

LE-D4 F&O 1-23 The quantification of pre-initiating events using 3 surrogate Re-Analyze pre-initiating events for Peer Resolved: YES SupRs: events to represent all pre-initiating events does not provide all significant HEPs, taking into Review Procedure-specific pre-initiator HEP calculations were an accurate assessment of each HEP, taking into account account the component specific developed for the top three pre-initiator human failure HR-D2 plant specific or component specific attributes. Appendix A.4 testing, maintenance and events when sorted by RAW and the top three pre-initiator HR-D3 for example, provides a "generic" assessment of operations attributes affecting the human failure events when sorted by Fussell-Vesely based HR-D4 miscalibration with dependencies, without actually including HEP. Use of surrogate or generic on the CGS Rev. 7.0 Level 1 PRA model results. This the specific attributes for the procedure affecting events it is analysis should be limited to non- resulted in a total of five pre-initiator human failure events applied. For pre-initiator failure to restore events, the use of significant events, with some for which to perform procedure-specific HEP calculations.

the surrogate event does not account for post-maintenance justification that the surrogate is (Note - Five are evaluated, rather than six, because the top testing, operations walkdowns, and when the system may representative or bounding for the pre-initiator human failure event when sorted by RAW was be operated again. For pre-initiator miscalibration, the HEPs it is applied. also the top pre-initiator action when sorted by F-V).

surrogate event does not represent the plant specific Section 3.0a and Appendix A.0 were added to the HRA calibration procedures. In Appendix A.4, the following is Notebook to document the updated procedure specific pre-provided in the generic analysis "The results of these initiator HEP calculations.

evaluations indicate that, depending on the methods used to verify the adequacy of the calibration and the assumptions The five revised pre-initiator HEPs were subsequently used in the quantitative evaluation, there can be substantial incorporated into the final HRA Calculator file CGS 2008 variation in the common cause miscalibration error HRA.HRA probability." This statement is true, which is why plant-specific attributes are needed for this analysis.

Numerous Pre-Initiating Events in all three categories are risk-significant, based on table E-2 of the QU notebook.

Comparison with other PRAs shows that variation between component/action specific HEPs is expected, and the range of differences from one component to the next can be several orders of magnitude. For mis-calibrations, for example, depending on whether the mis-calibration can be quickly recognized or whether there is a second check on the calibration can greatly affect the results. Variation in dependent failures and failure to restore is equally large within a PRA.

CGS provides discussion on this F&O suggesting the important pre-initiating events were represented by the "representative" actions, and the procedures for each action

GO2-16-119 Page 17 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution were similar. The following procedures were reviewed for F&O 1-23 this follow-up:

SupRs: Representative Procedures:

HR-D2 SOP-CN-FILL (for CN-HUMNTK--1X3XX), ISP-LPCS/RHR-HR-D3 X301 (for LPSHUMNFIS-4XLL)

Significant HEP Procedures:

HR-D4 Calibration:

ISP-RCIC-Q901 (HEP: RCIHUMNPS13AX3LL), 10.27.86 (HEP: RCIHUMNPS--6X3LL)

Restoration:

OSP-SW/IST-Q702 (HEP: SWB-XHE-RE-RHRSW), OSP-SW/ISP-Q701 (HEP: SWA-XHE-RE-RHRSW), SOP-COLDWEATHER-OPS (HEP: SW-HUMNV218-X3LL), OSP-HPCS/IST-Q701 (HEP: HPC-XHE-RE-MAINT)

Based on a review and comparison of the representative procedures versus the procedures for significant HEPs, it is clear the procedures, associated critical steps, and verification steps are significantly different.

F&O 1-3 Analysis for HEPs apply low stress to post-accident Apply high stress factors per Table Peer Resolved: YES SupRs: situations for almost all HEPs, even though the criteria in 17-1 of NUREG/CR-1278 to HEPs Review After reviewing the peer review F&Os, no changes to the NUREG-/CR-1278 recommends High Stress especially where time pressure is present calculated post-initiator HEPs were judged necessary to HR-G3 when the time window is short. See HPSHUMN-SP-H3LL, during an accident situation. address the post-initiator stress levels. Section 4.4 of the LE-C7 OP-SW-PMP, SLC-XHE-FO-LLVCT and others. Benchmarking against other PRAs HRA documentation has been enhanced to further justify IFQU-A6 Supplemental guidance was provided by CGS personnel as performed by alternate vendors to the position that the post-initiator stress levels are treated a result of this issue. The CGS argument included an determine how the Stress Factors appropriately in the CGS PRA.

argument that there was not extensive use of simulator from 1278 were applied can be The use of high stress for the manipulation errors in the training prior to the development of NUREG/CR-1278, and useful for this issue.

post-initiator HEPs is performed on a case-by-case basis.

that this training affects the application of stress to simple The blanket requirement that all manipulations in the plant actions where training occurs. A second set of justification for the first hour of an event are high stress does not agree was provided, with discussion that basically justified with the intent of NUREG/CR-1278 nor common practice moderate or low stress would be appropriate, given enough within the industry as confirmed with the developers of the training for the operators. Review of this new guidance does HRA Calculator and the Chairman of the EPRI committee not provide sufficient justification for the revised application on HRA. Results from the CGS inquiry of the industry and of NUREG/Cr-1278 Guidance. Two points are important to alternative vendors, the time consideration for the stress this finding: a) stress will affect actions occurring during an factor for Internal Events PRA is NOT typically treated as accident in comparison to non-accident actions making the interpreted by the peer review team. HRA leaders in the actions less reliability, and b) Stress is based on an overall industry do not agree with the position on time pressure sense of being pressured and/or threatened in some way

GO2-16-119 Page 18 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution with respect to what they are trying to accomplish. Training (less than 1 hr = high stress) associated with Finding 1-3.

cannot fully remove the treat or pressure during an actual The Columbia upgrade project specifically used the most event. current methodology from EPRI (HRA Calculator) available.

F&O 1-3 Stress factors assumed to be nominal are also in the Level II The general consensus is there have been improvements SupRs: in knowledge and methodology since NUREG/CR-1278 model and flooding model for short duration HEPs.

HR-G3 was issued over 30 years ago that support execution error NUREG/CR-1278 recommends applying optimum stress to LE-C7 activities such as maintenance and calibration activities, evaluations to be assessed considering current training IFQU-A6 regimes and the simple nature of such actions.

reading an annunciator light, or scheduled readings in the control room. On the other hand, Page 17-7 states that 'In general, situations that impose time pressure on the performers are classified as heavy task load situations.' In almost all of the Post-Initiator HEPs where optimal stress is assumed, time is a factor with Core Damage occurring between 30 minutes and an hours. This time stress is typically modeled as high stress in HRA using NUREG/CR-1278.

Numerous HEPs where this is applied are risk-significant.

Discussions with CGS staff indicated that the low stress was applied to actions that are relatively simple. However, since this simple actions are already low if failure rate, the stress factor is still applicable in order to differentiate between a simple action performed as a routine action, and a simple action performed in order to avoid core damage. Nominal stress is also applied for level II actions, such as failure to provide injection after the control rods fail (10 minute window) just prior to core damage. The general rules for this as applied by CGS do not appear consistent with NUREG/CR-1278 or other PRAs reviewed for this issue.

GO2-16-119 Page 19 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 1-33 HEPs are calculated using the HEP calculator, and are Add all missing HEPs from the Peer Resolved: YES SupRs: realistically treated in most cases consistent to the Level II analysis into the HRA Review This finding was resolved by adding Level II human failure LE-C7 Applicable procedures. However, documentation on several section, including events set to 1.0. events to the HRA Calculator and the summary Table 5.1-2 actions was not found in the HRA notebook: Additionally, provide basis for HEP of the HRA Notebook. Also, as documented in Table C.4.7-

1) L2-HUMN-MUPHNOWS L2-HUMN-RCVR-SYS equal to 0.9 2 of the CGS Level 2 notebook, the basis for the screening
2) L2-HUMN-RCVR-SYS (since it is risk-significant), HEP for L2-HUMN-RCVR-SYS is engineering judgement.

including information on timing, Note this is just a sampling of the notebook, so others may cues, procedures or other aspects also be missing. causing little credit for the HEP.

L2-HUMN-MUPHNOWS is mentioned in Section C.16 of the LERF notebook, but not in the HRA notebook. Based on discussion with CGS, this HEP is set to 1.0 based on engineering judgment.

L2-HUMN-RCVR-SYS is listed as using the HRA calculator, but is set to 0.9 based on engineering judgment.

L2-HUMN-RCVR-SYS is risk-significant. Based on the Internal Events and Flooding HRA review, other HEPs are likely missing in the documentation (HRA notebook) that are credited in the analysis).

F&O 1-42 HEP Dependency Analysis included in Appendix D of the Complete a dependency analysis Peer Resolved: YES SupRs: HRA notebook does not included in the Level II Analysis. for Level II similar to the Level I Review To resolve this peer review finding, a Level II HEP Level II modeling includes new HEPs not in the Level I HRA. analysis in HRA appendix D. dependency analysis was performed and documented in LE-C7 LERF may be underestimated if dependent HEPs are not Section 5 and Appendix D of the HRA Notebook.

included along with the independent HEPs.

F&O 1-43 HRA events RHRHUMN-V--803XX and 903XX are included Either: a) Add a dependency Peer Resolved: YES SupRs: in the ISLOCA analysis but do not include dependency analysis for these events, or b) Review This peer review finding has been resolved. The RHR-V-8 considerations. See the top cutset in Appendix D, Provide justification for deletion of and RHR-V-9 have interlocks that prevent valve opening at LE-C7 dependency analysis. the cutset, and add the normal RPV pressures above about 125 psig. Therefore LE-D4 combination to the mutually Based on discussion with CGS, the cutset with 2 operator human failure events RHRHUMN-V--8O3XX and failures is not valid, since the valves are interlocked. exclusive event file. RHRHUMN-V--9O3XX have been removed from the Since these are ISLOCA cutsets, and significant for both ISLOCA initiating event fault tree (that is, even in operators CDF and LERF, dependency will be significant. mistakenly select valve OPEN from the control board for either or both valves, the valves will not open).

GO2-16-119 Page 20 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 2-14 Interviews with plant system engineers or operators have Perform and document the Peer Note: Resolution provided here is from Energy Northwest SupRs: not been documented and cannot be verified by the peer interviews with the system Review response was submitted under Letter GO2-15-145, dated SY-A4 review team. Original interviews were performed for the engineers and/or operators to October 29, 2015 (ML1530A492) original IPE. confirm that the systems analysis SY-C2 correctly reflects the as-built, as-System and operations change over time, and the system Resolved: YES engineers and operators should be consulted with regard to operated plant. It may be reasonable to develop a process The open F&O, 2-14, for SR SY-A4 has been resolved to the system models.

that, following an initial interviews, meet CC-II for SY-A4. Finding 2-14 was resolved as part of the confirmation the model the risk-informed technical specification initiative 5b license matches the as-built, as-operated amendment request. System reviews with the system plant is confirmed through review engineers were completed for all PRA systems with a focus or discussion with the system on confirming that the PRA system analyses correctly engineers - typically through a reflect the asbuilt, asoperated plant, as well as to discuss periodic review of the notebook recent operating history and any problems in system performed in accordance with plant operation. The interviews and reviews were documented, procedures. and this documentation will be added to the system notebooks in the next PRA update. Discrepancies identified by the system engineer interviews had no impact on the PRA modeling and were documentation-related only, with the exception of two modeling conservatisms related to the Reactor Feedwater system model and the Standby Liquid Control (SLC) model. The first model conservatism is the current Reactor Feedwater system PRA model only has two paths modeled for possible injection into the vessel when there are three possible paths. The second model conservatism is the current SLC system PRA model contains a component failure event that, based on system design, is conservative. Both of these modeling conservatisms do not have a risk-significant impact on the PRA results.

GO2-16-119 Page 21 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 2-16 Failure modes have been considered in development of the Consider adding documentation for Peer Resolved: YES SupRs: system models adequately. However, the exclusion of both the inclusion and exclusion of Review This peer review finding was resolved. A Tier 3 calculation SY-A14 some failure modes was not adequately documented. the failure modes with justification was prepared to ensure that failure modes have been Some failure modes could be important to system models. for components included the considered in development of the system models SY-C2 A sample review of the system models show that the system boundary. Consider adequately, with evaluation for both the inclusion and following failure modes may not have been fully adding more failure modes into the exclusion of the failure modes for components within the investigated: system models if the exclusion system boundary, including justification. Failure modes (d) failure of a closed component to remain closed requires additional quantitative were added or corrected in the system models and system especially for standby components where the failure would evaluations. notebooks were updated based on this evaluation.

not be identified quickly - say months or greater).

(f) failure of an open component to remain open (see above)

(g) active component spurious operation (h) plugging of an active or passive component (i) leakage of an active or passive component (j) rupture of an active or passive component (k) internal leakage of a component (l) internal rupture of a component (m) failure to provide signal/operate (e.g., instrumentation)

(n) spurious signal/operation For example, in the [Residual Heat Removal] RHR system model, valves RHR-V54A/B could have a failure mode for fail to remain closed, which is not included in the model.

The exposure time on these valves would rely on the surveillance tests.

GO2-16-119 Page 22 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 2-17 The following requirements associated with system Consider adding the Peer Resolved: YES SupRs: modeling are determined to be not adequate: documentation associated with Review This peer review finding was resolved by enhancing system S Y-A14 (e) actual operational history (such as [Significant Operating items (e), (l) and (q). Also consider modeling documentation items associated with items (e),

Experience Reports] SOERs) indicating any past problems enhancing the documentation for (l), (q), (f) and (k). For item (e), significant operating SY-C2 the following two items:

in the system operation [not documented], experience has been collected, but this information has not (l) the components and failure modes included in the model (f) system success criteria and yet been incorporated into the system notebooks. This and justification for any exclusion of components and failure relationship to accident sequence information will be incorporated into the system notebooks modes [also see F&O 2-16], models during future PRA update.

(q) the sources of the above information (e.g., completed (k) assumptions or simplifications (e) actual operational history (such as SOERs) indicating checklist from walkdowns, notes from discussions with plant made in development of the any past problems in the system operation was collected, personnel) [also see F&O 2-14]. system models (i.e., provide a and will be added to the system notebooks in a future PRA bulleted list of major assumptions update, The following should be enhanced:

in each system notebook). (f) documentation of system success criteria and (f) system success criteria and relationship to accident relationship to accident sequence models was enhanced in sequence models the system notebooks, (k) assumptions or simplifications made in development of (k) documentation of assumptions or simplifications made the system models.

in development of the system models was enhanced in the The inadequate documentation limits the review of the system notebooks, completeness of the system models.

(l) the components and failure modes included in the model and justification for any exclusion of components and failure modes, and (q) the sources of the above information (e.g., notes from discussions with plant personnel) were documented.

F&O 2-18 The quantitative definition used for significant accident Add the quantitative definition used Peer Resolved: YES SupR: progression sequence was not documented. for significant accident progression Review This peer review finding was resolved. Section 6.3 of the sequence in the LE notebooks. Level 2 Notebook was enhanced to add the quantitative LE-G6 definition used for significant accident progression sequence.

GO2-16-119 Page 23 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 2-28 Sources of model uncertainty and related assumptions for Investigate and document the Peer Resolved: YES SupR: flood plant partitioning were not documented in the flooding sources of model uncertainty and Review The PRA Quantification Notebook Table 5-3, documents IFPP-B3 notebooks. Neither do the Internal Flooding items included related assumptions for flood plant uncertainties and related assumptions for the overall PRA, in PSA-2-QU-0001 Tables 5-2 and 5-3. partitioning. Perform sensitivity including uncertainties and related assumptions for flood Sources of model uncertainty and related assumptions for studies if deemed necessary. plant partitioning. This information was added to the IF flood plant partitioning are not documented. notebooks for completeness.

Sensitivity studies, other than the standard set of sensitivities, i.e., CCFs set to 5th and 95th percentile and HEPs set to 5th and 95th percentile, are not directed for the base PRA model per the EPRI Uncertainties/Assumptions methodology, 1016737, and were not performed.

GO2-16-119 Page 24 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 3-1 The process of developing plant-specific parameter data Consider using screening criteria Peer Resolved: YES SupRs: updates based on plant-specific experience and generic more consistent with criteria used Review This peer review finding has been resolved. Screening DA-D1 data is described in PSA-2-DA-0002, Bayesian Update of for important plant applications of criteria consistent with important plant applications of the CGS PSA Data. the base PRA (e.g., Maintenance base PRA are now used, per RG 1.200, Rev. 2 (footnote The process is focused on significant basic events. Rule) to ensure that potentially risk page 10: Significant basic event/contributor: The basic However, the process used to determine which events are significant failures reflect plant events (i.e., equipment unavailabilities and human failure significant and should be Bayesian updated appears to be experience. events) that have a Fussell-Vesely (FV)importance greater faulted. A set of screening criteria based on risk than 0.005 or a risk-achievement worth greater than 2):

achievement worth, F-V, and Birnbaum importance - The identification of plant-specific parameter data updates measures is applied, but the criteria for determination of now uses a risk-achievement worth (RAW) value greater significant (i.e., per PSA-2-DA-0002, "RAW value of 3 is than 2 as one screening criterion, and typically used in risk ranking initiatives to identify risk

- A FV of greater than 5E-3 is typically used in risk ranking important initiatives to identify risk-significant components. The components.") differs from those applied in risk-informed identification of plant-specific parameter data updates now applications (e.g., Maintenance Rule, where RAW of 2 and uses a FV of 1E-4, because it was practical to do so.

F-V of 0.005 are normally used). In the DA screening, a RAW of 3 is used as the criterion, so it is possible that some significant basic events could be screened from consideration using the process in PSA-2-DA-0002 (i.e., in Table 4 there would be a lower value for the CDF change for which a failure would be a candidate for Bayesian updating).

Capability Category 2 for SR DA-D1 requires that realistic parameter estimates be calculated for all significant basic events. The process used to define which events are significant is not adequately objective and uses criteria that are inconsistent with selection criteria used for risk-informed applications (e.g., MR ), and may result in underestimating the set of significant events.

After discussion with CGS PRA personnel, they performed a sensitivity evaluation to estimate the impact of using more appropriate screening criteria. This exercise identified one additional component type (RV/SV) for which there were no EPIX failures.

GO2-16-119 Page 25 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 3-11 The accident sequence model includes top event EAC, Provide a sound basis for the Peer Resolved: YES SupR: recovery of onsite AC power. The text of the AS notebook present-day validity of the repair Review This peer review finding was resolved by enhancing SY-A24 refers to Appendix D of that notebook for the onsite power probabilities, or remove the credit Appendix D of the accident sequence notebook to further recovery calculation. Appendix D is a portion of ERIN letter from the model. support that the existing EDG non-recovery values based C1069805-3919 Completion of CGS PSA Model on SECY-93-190 are judged to be appropriate for CGS.

Modifications to Address PSA Certification Comments Further, the Emergency AC Power recovery values from (P.O.00303454), August 3, 1999. titled Emergency AC SECY-93-190 used in the CGS PRA were compared with Power Recovery. That analysis uses as its basis a 1993 more recent data from NUREG/CR-6890. The SECY regulatory analysis, SECY-93-190. There are 2 issues with 190 data produces non-recovery probabilities that are this. First, the basis for the onsite AC power recovery is a higher relative to the NUREG/CR-6890 data. The following set of emergency diesel generator (EDG) repair data from comparison is made:

before 1993, i.e., significantly more than 16 years old, and originally based on relatively few data points. Second, this Recovery Time (hr),SECY-93-190,NUREG/CR-6890 represents credit for repair of failed equipment without 0.5, 0.89, 0.86 checking against plant-specific experience. 2, 0.86, 0.65 Credit should not be taken for repair of failed equipment, 3, 0.78, 0.56 particularly EDGs, without sound plant-specific basis. 4, 0.71, 0.48 Significance may be increased if tied to the F&O on 6, 0.59, 0.37 consequential LOOP.

10, 0.4, 0.24 15, 0.29, 0.14 24, 0.23, 0.24 The SECY-93-190 data provides higher non-recovery values for the entire range of EDG recovery times.

Although the NUREG/CR-6890 diesel non-recovery data development is more recent, there is one prominent concern about the NUREG/CR-6890 data for purposes of the Columbia PSA modeling. The NUREG/CR-6890 non-recovery values assume that the diesel generator that is most straightforward to repair will be chosen for recovery.

What is not clear from the NUREG/CR-6890 treatment is how the SPAR models address the possibility that the DG that is easiest to repair actually wont be restored because the associated SW pump or RHR pump is out of service.

The Columbia model assumes a 50-50 percent likelihood for recovery of DG1 or DG2, unless the SW or RHR pump on one of the diesel generators is out of service. Due to this potential conflict, the NUREG-6890 data was not used.

The SECY-93-190 data is judged to be the most applicable and realistic.

GO2-16-119 Page 26 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 4-7 While consideration of pending model changes has occurred Consider revising SYS-4-34 or Peer Resolved: YES SupR: for important applications (e.g. DGAOT), there was no other procedure/instruction to Review The peer review finding was resolved. A new Section 4.4 MU-C1 identified Columbia process that requires that pending address this issue. was added to the model maintenance and update changes be considered for applications. A industry model process for procedure, SYS-4-34, that documents the Columbia Having such a process is an explicit requirement of the performing Maintenance and process that requires pending model changes to be standard. Update is provided in the BWROG considered for applications. Also, a list of current document TP-09-012 Living PRA applications that require a consideration of pending model Configuration Control and Model changes in applications was added in SYS-4-34, Maintenance, however use of this Attachment 8.2.

process is not a requirement of the ASME Standard.

F&O 6-10 A variety of common cause basic events exist in the model Provide a basis for all CCF values, Peer Resolved: YES SupR: without documentation provided to substantiate their basis. including events set to 0.0, based Review This peer review finding has been resolved. The For example, Table 1 of PSA-2-DA-0004 lists 13 CCF on the CCF analysis process. documentation of CCF events has been refined and SY-B1 events with probabilities of zero related to relays, vacuum improved. The bases for all CCF values are provided, breakers, and nitrogen bottles. Table 1 also lists two events based on the CCF analysis process.

that are termed CCF place keepers but not true CCF events.

These are not further discussed. Table 1 lists CCF events with apparently generic values (1E-6), but no discussion or justification is provided to substantiate the value. Table 1 lists CCF events for 5 of 7 ADS valves and 5 of 11 SRVs, with values of 1.24E-6, but no discussion / justification is provided. Table 2 lists an event (CRDSV--24567C8LL) for "8 of 8", but uses the NRC data for "2 of 2" instead of the closer "6 of 6" value. Upon review, CGS noted that this event is not needed in the model and will be removed in the next update.

GO2-16-119 Page 27 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution F&O 6-8 Several issues were identified in the review of CCF: Add CCF grouping methodology to Peer Resolved: YES SupR: 1) The process to develop common cause groups is not PSA-2-DA-0004, and add formulae Review This peer review finding has been resolved. The process to SY-B1 documented in the CCF NB and therefore justification is not for the CCF basic event probability develop common cause groups is now documented in PSA-provided for the grouping scheme. Per CGS, selection of calculations. Add reference in the 2-DA-004. CGS employs staggered testing of redundant CCF groups was performed following the guidance of data notebook to NUREG/CR- trains modeled in the PRA. Therefore, CCF probabilities NUREG/CR-5485 based on similarities in service conditions, 5485. Re-evaluated CCF values, were recalculated using the CCF equations for staggered environment, design or manufacturer, and maintenance. based on the revised methods. testing, and these equations are documented in PSA-2-DA-NUREG/CR-5485 is not currently referenced in PSA-2-DA- 004, and the PRA was updated.

0004.

2) There are limited formulae documented in the CCF data package PSA-2-DA-0004. As a result, the bases for the calculations embedded in the spreadsheets are not fully documented. Discussions with CGS staff indicates the Alpha CCF calculations were performed incorrectly. Moreover, based on the formulae in NUREG/CR-5485, the CCF basic event probabilities may be slightly more conservative.
3) As a result of the above, CCF basic events are incorrectly calculated.

F&O 6-9 Per Section 2 of PSA-2-DA-0004, the common cause Redevelop CCF approach using Peer Resolved: YES SupR: calculations are based on a non-staggered testing scheme staggered approach where Review This peer review finding has been resolved. CGS employs based on the prior use of this scheme for the original PRA appropriate. staggered testing of redundant trains modeled in the PRA.

SY-B1 and the fact that current CGS test intervals / test information Therefore, CCF probabilities were recalculated using the has not been developed for the current data update. PSA CCF equations for staggered testing, and these equations DA-0004 notes that the non-staggered approach is are documented in PSA-2-DA-004, and the PRA was conservative. The staggered approach should be utilized updated.

where appropriate to reflect plant practices.

GO2-16-119 Page 28 of 35 Table 2 Disposition of Findings from the 2009 Peer Review and Self-Assessment for Supporting Requirements Graded as CC-I or Not Met Finding Observations Recommendations Source Resolution SA-IF- No documentation was found of how scenario-specific Review all HEPs for actions that Self- Resolved: YES E5a-1 impacts were addressed for operator actions taken in could be taken following an internal Assessme This self-assessment finding has been resolved. The SupR: response to an internal flooding event. Supporting flood and address how they would nt internal flooding HRA assesses scenario-specific impacts requirement IFQU-A6 requires the following: be impacted by the flood. on PSFs, including additional workload and stress, cue IFQU-A6 Document this review and modify availability, effect of flood on mitigation, required response, For all human failure events in the internal flood scenarios, the analysis accordingly. timing, and recovery activities flooding-specific procedures INCLUDE the following scenario-specific impacts on PSFs and training. These enhancements to the HRA are for control room and ex-control room actions as appropriate documented in the HRA Calculator and in the HRA to the HRA methodology being used: Notebook.

(a) additional workload and stress (above that for similar sequences not caused by internal floods)

(b) cue availability (c) effect of flood on mitigation, required response, timing, and recovery activities (e.g., accessibility restrictions, possibility of physical harm)

(d) flooding-specific job aids and training (e.g., procedures, training exercises)

GO2-16-119 Page 29 of 35 1.c:

No PRA models other than the internal events PRA will be used for detailed quantitative analysis.

NRC Request

2. The LAR indicates that PRA models other than the internal events PRA model may be used. Please confirm that these PRA models reflect the current plant configuration and operation. If this is not the case, please explain how the PRA models support the application, using Nuclear Energy Institute (NEI) 04-10, Revision 1, Risk-Informed Technical Specifications Initiative 5b, Risk-Informed method for Control of Surveillance Frequencies, April 2007 (ADAMS Accession No. ML071360456) guidance, and whether current plant configuration and operation is considered in their use.

Energy Northwest Response:

No PRA models other than the internal events PRA will be used for detailed quantitative analysis.

The qualitative assessment of fire risk and other external event risk will include a review of applicability to the current plant configuration and operation. For example, some STI change evaluations, per Step 10b qualitative reasoning and very low ¨CDF and ¨LERF results from the internal events analysis may be sufficient to support the STI change evaluation where Step 10b reads in part:

Alternative evaluations for the impact from external events and shutdown events are also deemed acceptable at this point. For example, if the CDF and LERF values have been demonstrated to be very small from an internal events perspective based on detailed analysis of the impact of the SSC being evaluated for the STI change, and if it is known that the CDF or LERF impact from external events (or shutdown events as applicable) is not specifically sensitive to the SSC being evaluated (by qualitative reasoning), then the detailed internal events evaluations and associated required sensitivity cases (as described in Step 14) can be used to bound the potential impact from external events and shutdown PRA model contributors.

Therefore, by following the NEI 04-10, Rev. 1 guidance, the evaluation of fire risk and other external events supporting this application will qualitatively reflect and consider the current plant configuration and operation.

GO2-16-119 Page 30 of 35 NRC Request

3. The impact of the open F&O for supporting requirement (SR) SY-A4 states that sensitivity analysis will be performed. It is not clear how a sensitivity analysis could be defined to address the lack of documented interviews that confirm that system analyses represent the as-built, as-operated plant. The TSTF-425 program considers capability category II for the internal events PRA model; therefore, please address this F&O to meet capability category II and provide the disposition of the F&O.

1 Energy Northwest Response:

Open F&O 2-14 as documented in the August 2009 peer review is as follows:

Interviews with plant system engineers or operators have not been documented and cannot be verified by the peer review team. Original interviews were performed for the original IPE.

System and operations change over time, and the system engineers and operators should be consulted with regard to system models.

(This F&O originated from [supporting requirement] SR SY-A4)

The open F&O, 2-14, for SR SY-A4 has been resolved to meet capability category (CC)

CC-II for SY-A4. Finding 2-14 was resolved as part of the risk-informed technical specification initiative 5b license amendment request. System reviews with the system engineers were completed for all PRA systems with a focus on confirming that the PRA system analyses correctly reflect the asbuilt, asoperated plant, as well as to discuss recent operating history and any problems in system operation. The interviews and reviews were documented, and this documentation will be added to the system notebooks in the next PRA update. Discrepancies identified by the system engineer interviews had no impact on the PRA modeling and were documentation-related only, with the exception of two modeling conservatisms related to the Reactor Feedwater system model and the Standby Liquid Control (SLC) model. The first model conservatism is the current Reactor Feedwater system PRA model only has two paths modeled for possible injection into the vessel when there are three possible paths. The second model conservatism is the current SLC system PRA model contains a component failure event that, based on system design, is conservative. Both of these modeling conservatisms do not have a risk-significant impact on the PRA results.

1 The response to question 3 was sent under letter GO2-15-145, Dated October 29, 2015 (ML1530A492)

GO2-16-119 Page 31 of 35 NRC Request

4. The peer review F&O on SR DA-C6 is related to meeting the data requirements for standby components (SR DA-C6) as well as for surveillance requirements (SR DA-C7). The F&O states: Estimates based on the surveillance tests and maintenance acts as described in DA-C6 and DA-C7 should be performed for significant components whose data are not tracked in the MSPI data. SR DA-C6 and SR DA-C7 include consideration of plant-specific data. Please explain the basis for concluding that the proposed sensitivity analyses, which are based on generic data, are considered bounding if these two SRs are graded at not met or capability category I. If use of plant-specific data consistent with SR DA-C6 and SR DA-C7 cannot be demonstrated to be bounding with respect to the proposed method to perform sensitivity analyses for relevant components, then please complete the work to meet SR DA-C6 and SR DA-C7 provide the disposition of the F&O.

Energy Northwest Response:

The 2009 peer review graded supporting requirements DA-C6 and DA-C7 as met for CC-II:

x DA-C6 Assessment: MET for Capability Categories I-III x DA-C7 Assessment: MET for Capability Categories I-III The SRs were met because the major components maintenance activities were based mainly on MSPI data. Finding 2-2 applies to non-MSPI components that were based on estimates.

A sensitivity study was performed by replacing the base data for these failure modes with generic data from NUREG/CR-6928. It was determined that the finding is unlikely to change the conclusions of risk-informed decisions.

Although Finding 2-2 is open, the SRs are graded at met for CC-II and the impact is unlikely to affect the results.

NRC Request

5. Do the failure probabilities of structures, systems, and components modeled in the CGS internal events PRA include a standby time-related contribution and a cyclic demand-related contribution? If not, please describe how standby time-related contribution is addressed for extended intervals.

GO2-16-119 Page 32 of 35 Energy Northwest Response:

The failure probabilities of structures, systems, and components modeled in the CGS internal events PRA include either a standby time-related contribution or a demand-related contribution.

The standby time-related failures will be evaluated in accordance with NEI-04-10, Revision 1 by direct change in the test interval for those SSCs that include a standby periodically tested failure mode along with the appropriate adjustments to common cause failure events. For demand-related events an appropriate time-related failure contribution will be determined for each component that is uniquely impacted by the proposed STI change to obtain the maximum test-limited risk contribution.

3.2 Response dated April 7, 2016 (ML160984A387) to March 9, 2016 Request for Additional Information (ML16069A359)

NRC Request PRA RAI 1.1 (Follow up to PRA RAI 1)

In response to PRA RAI 1, the licensee provided the internal events PRA 2009 peer review facts and observations (F&Os), self-assessment findings, and their dispositions.

Please address the following regarding F&O 1-3.

a. The peer review F&O 1-3 states In almost all of the post-initiator Human Error Probabilities (HEPs) where optimal stress is assumed, time is a factor with core damage occurring between 30 minutes and an hours.

Clarify if these post-initiator HEPs were assumed to be optimal stress in all cases involving this time frame or if such HEPs were determined on a case-by-case basis to represent optimal stress or high stress as appropriate. Please describe your process to make this determination.

b. The peer review also observed, A second set of justification was provided, with discussion that basically justified moderate or low stress would be appropriate, given enough training for the operators. The peer review recommendation stated: Apply high stress factors per Table 17-1 of NUREG/CR-1278 to HEPs where time pressure is present during an accident situation.

Please clarify if high stress factors were used on a case-by-case basis from this table, and, if not provide justification. Please discuss whether time pressure was used to determine whether an execution operator action justified the application of a high stress factor.

GO2-16-119 Page 33 of 35 Energy Northwest Response:

As part of the Rev. 7.2 PRA update performed in 2014, the assignments of stress levels were reviewed for all Columbia Generating Station (CGS) post-initiator human failure events, and all post-initiator human failure events now utilize the stress levels recommended by the Human Reliability Analysis (HRA) Calculator. The stress level recommended by the HRA calculator was reviewed by the HRA analyst and in some cases increased to a higher stress level. In this manner, the full intent of F&O 1-3 has been resolved.

By utilizing the HRA Calculator, the stress levels assigned to the CGS HFEs follow the NUREG/CR-1278 guidelines, including addressing the impact to stress levels from time pressure.

NRC Request PRA RAI 4.1 (Follow up to PRA RAI 4)

The NRC staff reviewed the response to PRA RAI 4 and found the response did not address the issue. The peer review observation in the LAR states:

Estimates based on the surveillance tests and maintenance acts as described in DAC6 and DA-C7 should be performed for significant components whose data are not tracked in the MSPI [Mitigating Systems Performance Index] data.

The peer review recommendations states:

Update the estimates for significant events based on surveillance test and maintenance records.

The response to PRA RAI 4 states:

A sensitivity study was performed by replacing the base data for these failure modes with generic data from NUREG/CR-6928. It was determined that the finding is unlikely to change the conclusions of risk-informed decisions.

Supporting requirements (SRs) DA-C6 and DA-C7 are not limited to the MSPI systems.

SR DA-C6 and SR DA-C7 include consideration of plant-specific data, and it is not clear how generic data has been demonstrated to be bounding for the non-MSPI components. That is, if the peer review recommendation were to be performed it is not clear that the generic data would necessarily be bounding.

Please provide justification why the use of generic data for performing sensitivity analyses is bounding without updating applicable component estimates with plant specific data consistent with SR DA-C6 and SR DA-C7, or compete the work to meet

GO2-16-119 Page 34 of 35 SR DA-C6 and SR DA-C7 for applicable components and provide the disposition of the F&O.

Energy Northwest Response:

Finding F&O 2-2 against SR DA-C6 and SR DA-C7 from the 2009 peer review has been resolved. The disposition of the F&O is as follows:

Estimates for significant events not tracked in the Mitigating Performance System Index (MSPI) data are now based on plant-specific surveillance test and maintenance records.

Resolution of F&O 2-2 impacts the following component failure modes:

x C---W2 (compressor fails to start),

x C---W4 (compressor fails to run),

x FN--R3 (fan fails to start),

x FR--W4 (fan fails to run),

x AHUS---S3 (air handling unit fails to start),

x AHUR---W4 (air handling unit fails to run).

The resolution to this F&O has been incorporated into a working model. This working model will be used for all Risk informed Technical Specification (RITS) 5B assessments until a model of record revision is released which contains the resolution to this F&O.

3.3 Response dated June 22, 2016 (ML16174A432) to May 31, 2016 Request for Additional Information (ML16152A737)

NRC Request:

The licensee is asked to resubmit the response to RAI question PRA RAI 1.1 a) submitted to the licensee on March 9, 2017 which states;

a. The peer review F&O 1-3 states In almost all of the post-initiator Human Error Probabilities (HEPs) where optimal stress is assumed, time is a factor with core damage occurring between 30 minutes and an hours.

Clarify if these post-initiator HEPs were assumed to be optimal stress in all cases involving this time frame or if such HEPs were determined on a case-by-case basis to represent optimal stress or high stress as appropriate. Please describe your process to make this determination.

Energy Northwest Response:

These post-initiator HEPs were not assumed to be optimal stress in all cases, including the time frame of 30 minutes and an hour.

GO2-16-119 Page 35 of 35 Post-initiators HEP stress levels were determined on a case-by-case basis to represent optimal (Low), moderate stress or high stress as appropriate, including those where time is a factor with core damage occurring between 30 minutes and an hour. The determination of stress was made using the Execution Stress decision tree in the Human Reliability Analysis (HRA) Calculator.

Retrieved from "https://kanterella.com/w/index.php?title=GO2-16-119,_License_Amendment_Request_for_One-Time_7_Day_Extension_of_Completion_Time_for_TS_Condition_3.5.1.A,_3.6.1.5.A,_and_3.6.2.3.A&oldid=2442200"