JAFP-07-0013, License Renewal Application, Amendment 4, Response to Request for Additional Information


License Renewal Application, Amendment 4, Response to Request for Additional Information
ML070370170
Person / Time
Site: FitzPatrick
Issue date: 01/29/2007
From: Peter Dietrich
Entergy Nuclear Northeast, Entergy Nuclear Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
JAFP-07-0013, TAC MD2667
Download: ML070370170 (317)


Text

Entergy Nuclear Northeast
Entergy Nuclear Operations, Inc.
James A. Fitzpatrick NPP
P.O. Box 110
Lycoming, NY 13093
Tel 315 349 6024
Fax 315 349 6480

Pete Dietrich
Site Vice President - JAF

January 29, 2007
JAFP-07-0013

U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555-0001

REFERENCES:

1. Letter, Entergy to USNRC, "James A. FitzPatrick Nuclear Power Plant, Docket No. 50-333, License No. DPR-59, License Renewal Application," JAFP-06-0109, dated July 31, 2006
2. Letter, USNRC to JAFNPP, "Requests for Additional Information Regarding the Review of the License Renewal Application for James A. FitzPatrick Nuclear Power Plant (TAC No. MD2667)," dated November 29, 2006

SUBJECT:

Entergy Nuclear Operations, Inc.
James A. FitzPatrick Nuclear Power Plant
Docket No. 50-333, License No. DPR-59
License Renewal Application, Amendment 4

Dear Sir or Madam:

On July 31, 2006, Entergy Nuclear Operations, Inc. submitted the License Renewal Application (LRA) for the James A. FitzPatrick Nuclear Power Plant (JAFNPP) as indicated by Reference 1. Attachment 1 provides responses to the requests for additional information as detailed by the NRC in Reference 2. These requests were the result of NRC review of LRA Appendix E concerning Severe Accident Mitigation Alternatives (SAMA).

Should you have any questions concerning this submittal, please contact Mr. Jim Costedio at (315) 349-6358.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the day of January , 2007.

PETE DIETRICH
SITE VICE PRESIDENT

PD/cf

Attachment

Cc: w/o attachment A

Mr. N.B. (Tommy) Le, Senior Project Manager
License Renewal Branch B
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Mail Stop 0-11-F1
Washington, DC 20555

Mr. Samuel J. Collins, Administrator
Region I
U. S. Nuclear Regulatory Commission
475 Allendale Road
King of Prussia, PA 19406

NRC Resident Inspector
U. S. Nuclear Regulatory Commission
James A. FitzPatrick Nuclear Power Plant
P.O. Box 136
Lycoming, NY 13093

Mr. John P. Boska, Project Manager
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Mail Stop O-8-C2
Washington, DC 20555

Cc: w/ attachment A

Ms. Jessie M. Muir, Project Manager
Environmental Branch B
Division of License Renewal
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Mail Stop 0-11-F1
Washington, DC 20555

Mr. Paul Eddy
New York State Department of Public Service
3 Empire State Plaza, 10th Floor
Albany, NY 12223

Mr. Peter R. Smith, President
NYSERDA
17 Columbia Circle
Albany, NY 12203-6399

JAFP-07-0013
Docket No. 50-333
Attachment 1

James A. FitzPatrick Nuclear Power Plant
License Renewal Application

- Amendment 4
JAFNPP SAMA Analysis - RAI

ENTERGY RESPONSES TO JAFNPP SAMA RAIS
DOCKET NO. 50-333

Table of Contents

NRC RAI 1.0
  Response to RAI 1.1
  Response to RAI 1.2
  Response to RAI 1.3
  Response to RAI 1.4
  Response to RAI 1.5
  Response to RAI 1.6
  Response to RAI 1.7
  Response to RAI 1.8
NRC RAI 2.0
  Response to RAI 2.1
  Response to RAI 2.2
  Response to RAI 2.3
  Response to RAI 2.4
NRC RAI 3.0
  Response to RAI 3.1
  Response to RAI 3.2
  Response to RAI 3.3
  Response to RAI 3.4
  Response to RAI 3.5
NRC RAI 4.0
  Response to RAI 4.1
  Response to RAI 4.2
  Response to RAI 4.3
  Response to RAI 4.4
  Response to RAI 4.5
NRC RAI 5.0
  Response to RAI 5.1
  Response to RAI 5.2i
  Response to RAI 5.2ii
  Response to RAI 5.3
  Response to RAI 5.4
  Response to RAI 5.5
  Response to RAI 5.6
  Response to RAI 5.7
NRC RAI 6.0
  Response to RAI 6.1
  Response to RAI 6.2

Attachment 1 Page 1 of 40 JAFP-07-0013

  Response to RAI 6.3
  Response to RAI 6.4
  Response to RAI 6.5
  Response to RAI 6.6
NRC RAI 7.0
  Response to RAI 7.1
  Response to RAI 7.2
  Response to RAI 7.3
  Response to RAI 7.4
  Response to RAI 7.5
  Response to RAI 7.6

List of Attachments

Attachment A Utility Participation and Internal Review Team

Tables

Table RAI 1-1 Accident Types and Their Contribution to Internal Core Damage Frequencies
Table RAI 1-2 Major Non-SBO Accident Types Involving IE-T1 and Associated Phase II SAMAs
Table RAI 1-3 Phase I SAMAs Credited in Table E.1-2 But Not in the PSA Model
Table RAI 2-1 Description of CET Release Modes
Figure RAI.5-1 Revised Summary of Selected Phase II SAMA Candidates Considered in Cost-Benefit Evaluation

NRC RAI 1.0

Provide the following information regarding the development of the James A. Fitzpatrick Nuclear Power Plant (JAFNPP) Probabilistic Safety Analysis (PSA) used for the Severe Accident Mitigation Alternatives (SAMA), i.e., Revision 2, October 2004:

1. Section E.1.4 discusses the differences between the Individual Plant Examination (IPE) and Revision 2, but does not discuss Revision 1. Provide additional detail about Revision 1, including:

   1. The date of Revision 1
   2. A summary of the changes between Revision 0 and Revision 1, and
   3. The total Core Damage Frequency (CDF) and the major contributors to CDF.

2. Section E.1.4 states that the results of the peer review process are included in Section 5 of the "Individual Plant Examination for Internal Events," Revision 2, October 2004. Provide a copy of Section 5.

3. The contributions to CDF (Section E.1) are very different from those in the IPE. Provide the reason for the changes in the major contributors to the CDF between each version of the PSA (i.e., the IPE, Revision 1 and Revision 2).

4. It is stated that the PSA represents the plant operating configuration and design changes as of December 2003, and component failure and unavailability data as of December 2002. Identify any changes to the plant (physical and procedural modifications) since December 2003 that could have a significant impact on the results of the PSA and/or the SAMA analyses. Provide a qualitative assessment of their impact on the PSA and their potential impact on the results of the SAMA evaluation.

5. There are inconsistencies in the CDF values reported in the ER, specifically:

   - The baseline CDF and the total release frequency used in the SAMA analysis is indicated to be 2.74 x 10^-6 (page 4-36, and Table E.1-10, respectively), however, the point estimate CDF appears to be 3.11 x 10^-6 (Table E.1-1) and the mean CDF is given as 3.70 x 10^-6 (Table E.1-3).
   - The text below Table E.1-3 states that the ratio of the 95th percentile to the mean is 3.83; however, the ratio is actually 2.84.

   Rectify these inconsistencies. If the mean CDF is different from the CDF used in the SAMA analyses, include an explanation of why the mean CDF was not used.

6. Event IE-T1, Loss of offsite power, has a risk reduction worth (RRW) of 2.316 and frequency of 3.5 x 10^-2 (Table E.1-2). Thus, the contribution of this event alone to CDF is about 57%. Given that station blackout (SBO) is 43% of CDF (Table E.1-1), the loss of off site power is a major contributor to other accident types shown in Table E.1-1. However, all of the Phase II SAMAs listed for the event IE-T1 address provisions related to SBO, and do not address the contribution of this event to other accident types. Identify the other major accident types where the event IE-T1 is a contributor, and the SAMAs that address these accidents.

7. Table E.1-2 identifies numerous Phase I SAMAs that have been implemented. For each of the Phase I SAMAs noted, confirm whether credit has been taken for the improvement in the current PSA.

8. On page E.1-85, it is indicated that the accident sequence quantification truncation limit was reduced from 10^-9 to 10^-11/yr in response to peer review recommendations. Provide the truncation value used in each PSA revision, and where available, the change in CDF due to this reduction.

Response to RAI 1.1

1. The date of Revision 1

The revision 1 PSA model was issued in April 1998. A draft of the revision 1 PSA model was peer reviewed in December 1997 using the BWROG PSA Peer Review Certification Implementation Guidelines. Some of the Facts and Observations from the BWROG peer review were addressed in the final revision 1 PSA model. The remaining items from the BWROG peer review were addressed in the revision 2 PSA model.

2. A summary of the changes between Revision 0 and Revision 1

See Section 2 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006.)

3. Revision 1 Core Damage Frequency (CDF) and major contributors to CDF

In the revision 1 model, the total internal CDF was estimated to be 2.44 x 10^-6/ry. The dominant contributors were transients (30 percent), transients initiated by loss of a DC bus (22 percent), station blackout events (15 percent), loss-of-containment heat removal (12 percent), and ATWS events (12 percent). Loss of a 4.16kV AC bus contributed 4 percent and loss of both 125V DC divisions contributed 3 percent. Relay room flooding and LOCAs each contributed approximately 1 percent to CDF.

Response to RAI 1.2

A copy of Section 5 of the "Individual Plant Examination for Internal Events," Revision 2, October 2004 is provided in Attachment A.

Response to RAI 1.3

Reasons for changes in the major contributors to CDF between Revision 0 and Revision 1

• The station blackout CDF contribution significantly decreased from Revision 0 to Revision 1 for the following reasons.
  - The loss of offsite power (LOSP) initiating event frequency decreased 53 percent.
  - A plant modification to the fire protection system and procedural enhancement were implemented to use the fire water system to provide EDG jacket cooling through the emergency service water system (ESW) cross-tie in the event of a loss of ESW system.
• The transient CDF contribution significantly increased from Revision 0 to Revision 1 for the following reasons.
  - Updated plant operating data lowered the initiating event frequencies for most transient events. However, the initiator frequency of the most dominant transient accident sequence, loss of the power conversion system (T2), increased by 19 percent.
  - Operators are directed to inhibit ADS (automatic depressurization system) for transients as well as for ATWS events. Therefore, a failure to manually depressurize the reactor vessel will fail ADS. Transient core damage sequences which entail immediate loss of high pressure systems, such as HPCI or RCIC, were revised to directly result in core damage upon subsequent failure to manually depressurize the reactor vessel.
• The loss of a DC battery control board model was revised to assume loss of all AC power in the same division in which there is a loss of DC. This change significantly increased the loss of DC bus CDF contribution.

• Refinements to the standby liquid control system (SLCS) model increased the ATWS contribution from Revision 0 to Revision 1. Human reliability probabilities were updated and a conservative assumption that core damage occurs given failure to initiate SLCS was added.
• The core damage definition was changed from the original definition given in NUREG/CR-4550, "Analysis of Core Damage Frequency - Internal Events Methodology", which defines core damage as reactor water level less than two feet above the bottom of the active fuel, to the definition given in EPRI Report TR-105396, "PSA Applications Guide", which defines core damage as peak clad temperatures greater than or equal to 2200°F. The greatest impact of the change in core damage definition was a decrease in the time available for operators to perform post-accident actions and thus an increase in the human error probabilities (HEPs) for certain actions during transients and LOCA accident sequences.
• Catastrophic, non-recoverable failure of the reactor vessel was included as an initiator. This resulted in a higher LOCA contribution to CDF.
• Changes to the internal flooding analysis to include a relay room flooding scenario increased the internal flooding contribution.
• Catastrophic common cause failure of both 125V DC battery control boards was included as an initiator, which results in a station blackout with loss of HPCI and RCIC and subsequent core damage.
• The addition of more common-cause equipment failure groups such as fans, check valves, dampers, and transmitters increased the overall CDF.
• The accident sequence quantification truncation limit was lowered from 10^-9 to 10^-11. This increased the overall CDF by inclusion of more accident sequence minimal cut sets.

Reasons for changes in the major contributors to CDF between Revision 1 and Revision 2

• The station blackout CDF contribution significantly increased from Revision 1 to Revision 2 for the following reasons.
  - The loss of offsite power (LOSP) frequency increased by a factor of 1.29 (includes the 8/14/03 blackout event).
  - Battery depletion time changed from 8 hours to 4 hours. Consequently, the available time for recovery of loss of offsite power during station blackout events decreased from 13 hours to 7 hours.
  - Non-recovery probabilities were increased to reflect loss of offsite power events in NUREG/CR-5496, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996," in conjunction with the EPRI TR-1009889, "Losses of off-site Power at U.S. Nuclear Power Plants-Through 2003".

To incorporate a recommendation from the BWROG PSA certification team, most of the system fault trees were modified to include additional electrical and I&C component common cause failure terms (circuit breakers, relays and transmitters). In addition, a revised common cause failure analysis was developed using the NRC recommended alpha factor methodology.

• The loss of containment heat removal CDF contribution increased from Revision 1 to Revision 2 for the following reasons.
  - The event trees for all the analyzed initiating events were completely revised to place the containment pressure control function before the core cooling injection function.
  - Continued operation of both HPCI and RCIC over the duration of an accident that involves a loss of containment heat removal is precluded because primary system depressurization would be required upon reaching the heat capacity temperature limit.
  - Additional initiating events and associated event trees were added for loss of non-safeguard 4.16kV AC Buses 10300 and 10400, loss of condensate system, loss of instrument air system, loss of ultimate heat sink, loss of reactor water level instrumentation reference leg and manual shutdown.
  - A more refined human reliability analysis was performed that more thoroughly evaluated the dependencies between post-initiator human actions and recovery actions.
• The loss of a vital DC bus (battery control board) frequency was decreased by a factor of 7.62 to reflect updated industry and plant-specific data. This change resulted in a significant reduction in CDF contribution from the loss of DC buses.
• Updated plant and industry operating data significantly lowered most of the initiating event frequencies for transients and LOCA events. Therefore, the CDF contribution from transients with the loss of ECCS injection and from ATWS decreased from Revision 1 to Revision 2.
• Updated industry component data (NUREG/CR-5500) significantly lowered the instrument, master and slave trip unit failure data. Therefore, CDF contributions from transients, LOCAs, and loss of DC bus with the loss of ECCS injection decreased in Revision 2.

Response to RAI 1.4

See Section 1 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006.)

Response to RAI 1.5

The values presented in ER Table E.1-3 correctly reflect the mean value and uncertainty distribution for the Revision 2 model. The values presented in Table E.1-1 represent the point estimate CDF values prior to combining and subsuming cutsets. Table RAI 1-1 contains the point estimate CDF values after subsuming.

The value presented in Table E.1-10, which represents the total point estimate CDF value after combining and subsuming cutsets, is used for SAMA analysis.

The point estimate CDF is calculated from the cutsets produced by the accident sequence quantification of the event tree/fault tree model. Therefore, it is directly comparable with the CDF values calculated from analysis cases cutsets to assess the CDF reduction for the SAMA candidates. The cutsets associated with the point estimate CDF are based on the mean values of individual initiating event frequencies and basic event failure probabilities.

On the other hand, the mean CDF presented in Table E.1-3 is generated from an uncertainty analysis program which uses a statistical sampling method useful for estimating lower and upper bound values. The uncertainty analysis program does not generate cutsets that can be used for assessment of CDF reduction for the SAMA candidates. Therefore, it is appropriate to use the point estimate, rather than the mean CDF as the baseline for the SAMA analysis.

Industry practice (NEI 05-01) is to use the ratio of the 95th percentile to the mean value to determine an uncertainty factor for sensitivity analysis. As described following ER Table E.1-3, the ratio of the 95th percentile to mean value was intended to be used to calculate the uncertainty factor. However, the ratio of the 95th percentile to the point estimate was inadvertently used instead. Since this ratio results in a higher uncertainty factor, it provides additional conservatism in the estimated benefits with uncertainty for the SAMAs evaluated. This additional conservatism does not alter the conclusions of the evaluation. Therefore, the existing uncertainty factor is appropriate for the sensitivity analysis.

Response to RAI 1.6

Those sequences initiated by loss of offsite power (IE-T1) resulting in core damage are associated with one of three accident types:

| Accident Type | Conditional Probability |
|---|---|
| Station Blackout (SBO) | 81.6% |
| Transients with Loss of ECCS | 1.3% |
| Transients with Loss of Containment Heat Removal | 17.1% |
| Total | 100% |

The non-SBO sequences involve subsequent functional failures of systems that are the subject of Phase II SAMAs presented in Table RAI 1-2.

Response to RAI 1.7

Except for Phase I SAMAs 094, 101, 120, and 267, the Phase I SAMAs mentioned in ER Table E.1-2 have been credited in the current PSA model. The qualitative impact of including Phase I SAMAs 094, 101, 120, and 267 in the PSA model is presented in Table RAI 1-3.

ER Table E.1-2 lists Phase I SAMAs that have been implemented to indicate that these potential SAMAs do not have to be evaluated in the SAMA analysis since they have already been implemented. The impact of those that have been credited in the PSA model is reflected in the RRW worth of associated events in Table E.1-2. The impact of those that have not been credited in the PSA model is not reflected in the RRW worth of associated events in Table E.1-2. However, as can be seen in Table RAI 1-2, the impact of including these modifications in the model would be to lower the RRW of associated events in Table E.1-2. This would decrease the benefit of the Phase II SAMAs evaluated for the same events. Therefore, the absence of these four implemented modifications from the PSA model adds conservatism to the benefit estimates for Phase II SAMAs credited for the associated events.

Response to RAI 1.8

The JAFNPP IPE Revision 0 used a CDF truncation limit of 10^-9/yr. Revisions 1 and 2 CDFs used a truncation limit of 10^-11/yr. The different truncation limits are presented as follows.

| Model | CDF (/ry) [Truncation to 10^-9] | CDF (/ry) [Truncation to 10^-11] |
|---|---|---|
| IPE | 1.92E-6 | N/A |
| Revision 1 | N/A | 2.44E-6 |
| Revision 2 | N/A | 2.74E-6 |

The CDF calculated by a particular model revision is larger with a truncation of 10^-11 than with a truncation of 10^-9 due to inclusion of more accident sequence minimal cut sets. However, the actual difference has not been calculated for the JAFNPP PSA models and is, therefore, not available.

Table RAI 1-1 Accident Types and Their Contribution to Internal Core Damage Frequencies

| Accident Type | Point Estimate Core Damage Frequency (/y) | % Contribution to Point Estimate Core Damage Frequency |
|---|---|---|
| Station blackout | 1.27 x 10^-6 | 46 |
| Transients with loss of containment heat removal | 7.78 x 10^-7 | 28.4 |
| Transients with loss of all ECCS injection | 2.66 x 10^-7 | 10 |
| ATWS | 1.38 x 10^-7 | 5.1 |
| Loss of a 4.16KV AC safeguard bus | 1.18 x 10^-7 | 4.5 |
| Loss of both DC divisions | 9.55 x 10^-8 | 3 |
| LOCAs | 2.83 x 10^-8 | 1 |
| Loss of a division of DC power | 2.60 x 10^-8 | 1 |
| Internal flooding | 2.53 x 10^-8 | 1 |

Table RAI 1-2 Major Non-SBO Accident Types Involving IE-T1 and Associated Phase II SAMAs

| Accident Type | Applicable Phase II SAMAs | SAMA Title |
|---|---|---|
| Transients with loss of ECCS | | Provide an alternate pump power-source for feedwater or condensate pumps so that they do not rely on offsite power. |
| | 41 | Create ability for emergency connections of existing or alternate water sources to feedwater/condensate to provide backup water supply for the feedwater/condensate systems. |
| | 44, 45, 46, 47, 48, and 49 | Install an additional active or passive high pressure system to improve prevention of core melt sequences by providing additional injection capabilities. |
| | | Provide a tap from the fire protection system to RHR heat exchanger "B" via RHRSW header B to improve injection and containment heat removal capabilities. |
| | 59 | Provide a cross-tie between RHRSW trains downstream of the RHRSW pump discharge valves to improve injection and containment heat removal capabilities. |
| Transients with loss of containment heat removal | | Install an independent method of torus cooling to decrease the probability of loss of containment heat removal. |
| | 3, 20 | Install a filtered containment vent to provide fission product scrubbing. |
| | 10 | Install a passive containment spray system to decrease the probability of loss of containment heat removal. |
| | 50 | Modify EOPs to align diesel power to more air compressors to increase reliability of instrument air after a LOSP. |
| | 54 | Implement passive overpressure relief to prevent catastrophic failure of the containment by controlled relief through a selected vent path. |
| | | Provide a tap from the fire protection system to RHR heat exchanger "B" via RHRSW header B to improve injection and containment heat removal capabilities. |
| | | Provide a cross-tie between RHRSW trains downstream of the RHRSW pump discharge valves to improve injection and containment heat removal capabilities. |
| | 60 | Improve turbine bypass valve capability to allow use of the main condenser as the preferred decay heat removal system during a normal shutdown until reactor pressure drops to the point where RHR shutdown cooling can be placed in service. |

Table RAI 1-3 Phase I SAMAs Credited in Table E.1-2 But Not in the PSA Model

| Phase I SAMA ID number | SAMA Title | Result of Potential Enhancement | Associated Table E.1-2 Event Names & Descriptions | SAMA Disposition & Qualitative Impact on PSA Results |
|---|---|---|---|---|
| 094 | Improve 4.16-kV bus cross-tie ability | SAMA would improve AC power reliability. | IE-T1, Loss of offsite power; IE-TAC3, Transient caused by loss of 4160VAC bus 10300; AC4-XHE-MC-UVRLA, Miscalibration of 4.16kv bus 10500 under voltage relay; AC4-XHE-MC-UVRLB, Miscalibration of 4.16kv bus 10600 under voltage relay | Implemented. Incorporation in the PSA model would reduce the CDF contribution from loss of offsite power and loss of 4160VAC buses. |
| 101 | Develop procedures to repair or replace failed 4 KV breakers | SAMA would offer a recovery path from a failure of the breakers that perform transfer of 4.16 kV non-emergency buses from unit station service transformers, leading to loss of emergency AC power. | IE-TAC3, IE-TAC5 & IE-TAC6, Transient caused by loss of 4160VAC buses 10300, 10500, & 10600; AC4-XHE-MC-UVRLA, Miscalibration of 4.16kv bus 10500 under voltage relay; AC4-XHE-MC-UVRLB, Miscalibration of 4.16kv bus 10600 under voltage relay; AC4-SBR-DN-10312, Circuit breaker 10312 fails to close; AC4-RCS-OO-94EA3, Relay 94-1HOEA03 contacts fail to close; AC4-PRY-HW-5GEA1, AC4-PRY-HW-5HA23, AC4-PRY-HW-5HEA1, & AC4-PRY-HW-67A20, Relays 51GS-1HOEA01, 51-1HOEA23, 51-1HOEA01, & 67-1HOEA20 failures | Implemented. Incorporation in the PSA model would reduce the CDF contribution from loss of 4160VAC buses. |
| 120 | 9.g. AC Bus Cross-Ties | SAMA would provide increased reliability of AC power system to reduce core damage and release frequencies. | IE-T1, Loss of offsite power; IE-TAC3, Transient caused by loss of 4160VAC bus 10300; AC4-XHE-MC-UVRLA, Miscalibration of 4.16kv bus 10500 under voltage relay; AC4-XHE-MC-UVRLB, Miscalibration of 4.16kv bus 10600 under voltage relay | Implemented. Incorporation in the PSA model would reduce the CDF contribution from loss of offsite power and loss of 4160VAC buses. |
| 267 | Operator Action: Visual Check the relay room within 5 minutes of a fire pump starting | This SAMA would prevent flooding of the relay room or to mitigate its consequences | IE-RRFLOOD, Transient caused by internal flooding in relay room | Implemented. Incorporation in the PSA model would reduce the CDF contribution from internal flooding in the relay room. |

NRC RAI 2.0

Provide the following information relative to the Level 2 analysis:

1. Describe the process and assumptions used to group the numerous source terms for internal initiators into a much smaller number of source term groups.

2. The JAFNPP source terms (Table E.1-11) appear amenable to grouping into three release time categories, e.g., 0-8, 8-24, and 24+ hours. However, the SAMA analysis uses only two, i.e., <24 and >24 hrs. Explain the rationale for this coarse grouping, and how the use of just two release time categories affects the results of the population dose and risk reduction estimates.

Discuss whether this provides a conservative or non-conservative bias, and the magnitude of this bias.3. Interfacing-systems loss-of-coolant accident (ISLOCA) events contribute 28% of the large early release, and are assigned to the Early release mode in Table E.1-15.Provide the estimated population dose and off site economic cost risk values for an ISLOCA event and a comparison of these values to those for the Early release mode.4. It is stated on pg. E.1-60 that releases are integrated over a 36 hour4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> period following reactor pressure vessel (RPV) failure or event initiation (if no RPV failure occurs).However, information in Table E. 1-11 indicates that late releases do not start until about 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> and continue until about 80 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br />, and early releases continue until about 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />. Thus, it appears that the later portions of the releases may not be included in the"total integrated release".

Explain the overall accident time frame for the assessment,:

and justify that the release fractions reported in Table E. 1-11 include the majority of the fission products released for each release category.Response to RAI 2.1 The approach used to evaluate radionuclide releases and develop release categories is similar to that applied in the NUREG-1 150 analysis; i.e. a source term was associated with each containment event tree (CET) end state that was found to have a significant frequency.

The objectives were to establish the timing of the first significant release of radionuclides and estimate the magnitude of the total release.

The first step in the source term assessment effort was to identify the sequence characteristics that are most important for defining the source term. These characteristics were identifiable from the plant damage state (PDS) characteristics and from the CET sequence characteristics since one of the primary objectives in the PDS grouping and CET evaluation was to define those events and conditions most important for source term assessment. The set of sequence characteristics important to source term assessment was used as grouping criteria to define the release categories and the associated source term magnitude, composition and timing.

The containment sequence characteristics selected for use in definition of the JAFNPP source term release categories are:

  • vessel breach
  • containment failure
  • torus bypass
  • core-concrete interactions
  • fission product removal
  • reactor building retention

The goal of the grouping process was to develop the minimum number of release categories necessary to distinguish the important combinations of sequence characteristics that can result in distinctly different atmospheric source terms.

The second step was to classify the various progression paths in the JAFNPP CET as unique release end states based on the sequence characteristics. The release modes were categorized into the following general classifications.

  • CET end states recovered in-vessel (no vessel breach).
  • CET end states recovered ex-vessel (vessel breach, but no core-concrete interactions).
  • CET end states that are late containment failures and therefore, source terms are significantly mitigated.
  • CET end states that are early containment failure with no ex-vessel release.
  • CET end states that are early containment failure with the potential for ex-vessel release and subsequent 'high' release.

Each CET end state represents a particular release event or a recovered, degraded core state that may be characterized according to its potential for fission product releases to the atmosphere, its timing of release initiation relative to time of incipient core damage, and its release duration.

The above binning criteria resulted in seven distinct release categories (as reported in ER Tables E.1-8 and E.1-10). To facilitate the MACCS2 calculations, the seven release categories were grouped into three distinct source term bins (consequence analysis release categories): no containment failure, early release, and late release as described in the ER (page E.1-73).

Table RAI 2.1 summarizes the possible containment event tree release categories for the spectrum of core melt accident sequences. This table defines the various containment event tree release modes as early or late release events and containment damage states (i.e., failure modes), including recovered states and release mechanisms. Each release mode represents a release path from the fuel through the primary coolant system and the containment atmosphere to the environment, should the containment ultimately fail or be bypassed. The release path (including the associated removal mechanism) is related to a particular environmental source term.

The consolidation of source term results for the containment event tree release categories presented in Table RAI 2.1 was accomplished by "binning" or grouping releases into release categories that represent all postulated accident scenarios that produce a similar fission product source term. The criteria used to characterize the release are the estimated magnitude of total release and the timing of the first significant release of radionuclides.

Response to RAI 2.2

As discussed in ER Section E.1.2.2.2, use of two release category times was based on implementation of public protective actions.

(1) Within 0-24 hours of accident initiation, minimal offsite protective measures would be accomplished.

(2) 24 hours after accident initiation, offsite protective measures can be assumed to be fully effective.

This selection of release timing is deemed to have minimal impact on the results, since intermediate times (8-24 hours) are included in both the early and late releases.

A sensitivity case, reflecting the suggested three-part timing scheme, resulted in a population dose risk (PDR) of 1.66 person-rem/yr and an offsite economic cost risk (OECR) of 3,340 $/yr. ER Table E.1-15 reported a PDR of 1.63 person-rem/yr and an OECR of 3,340 $/yr. Since the sensitivity case predicts only a slight increase in PDR and no change in OECR, the release category timing used for the SAMA analysis is appropriate.

Response to RAI 2.3

The ISLOCA contribution to LERF reported in ER Figure E.1-2 is 28% with an associated frequency of 2.58E-8/ry. Using the release fractions for early high releases provided in ER Table E.1-11, the ISLOCA estimated PDR is 0.03 person-rem/year and OECR is 7.10E+01 $/yr.

Thus, ISLOCA is a small contributor to the early release mode, with approximately 4 percent of the total early release PDR of 7.58E-01 person-rem/year and OECR of 1.63E+03 $/yr.

This comparison shows that although ISLOCA events make up a significant fraction of large early release frequency, the greater frequency of medium and low early releases prevents ISLOCA sequences from dominating the early release frequency.

Response to RAI 2.4

Consistent with ER Table E.1-11 in which release durations are greater than or equal to 36 hours after the start of the initial release, the final paragraph on page E.1-60 is clarified by replacement with the following.

The "total integrated release" as used in the above categories is defined as the release for a minimum of 36 hours from the time of initial release.

Table RAI 2-1 Description of CET Release Modes

| Accident Progression Bin | CET Sequence Description | CET Release Category | Consequence Analysis Release Category |
|---|---|---|---|
| APB-1 | Recovered in-vessel, no vessel breach, no containment failure | NCF | NCF |
| APB-2 | Reactor pressure vessel (RPV) at low pressure, recovered in-vessel, no vessel breach, late containment failure, in-vessel fission product release goes to torus | Late Low | Late |
| APB-3 | RPV at low pressure, recovered in-vessel, no vessel breach, late containment failure, in-vessel fission product release mitigated in drywell | Late Low | Late |
| APB-4 | RPV at low pressure, recovered in-vessel, no vessel breach, late containment failure, in-vessel fission product release unmitigated | Late Low | Late |
| APB-5 | RPV at low pressure, no vessel breach, no core concrete interactions (CCI), early containment failure, ex-vessel fission product release not mitigated | Early Low | Early |
| APB-6 | Vessel breach, no containment failure | NCF | NCF |
| APB-7 | Vessel breach at low pressure, recovered ex-vessel, late containment failure, in-vessel fission product release goes to torus | Late Low | Late |
| APB-8 | Vessel breach at low pressure, recovered ex-vessel, late containment failure, in-vessel fission product release mitigated in drywell | Late Low | Late |
| APB-9 | Vessel breach at low pressure, recovered ex-vessel, late containment failure, in-vessel fission product release mitigated by the reactor building | Late Low | Late |
| APB-10 | Vessel breach at low pressure, no CCI, late containment failure, in-vessel fission product release is unmitigated | Late Medium | Late |
| APB-11 | Vessel breach at low pressure, CCI occurs, no containment failure | NCF | NCF |
| APB-12 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel release goes to torus | Late Low | Late |
| APB-13 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel release mitigated in containment | Late Low | Late |
| APB-14 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel fission product release mitigated by reactor building | Late Low | Late |
| APB-15 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel fission product release not mitigated | Late Medium | Late |
| APB-16 | Vessel breach at low pressure, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by torus | Early Low | Early |
| APB-17 | Vessel breach at low pressure, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by drywell sprays | Early Low | Early |
| APB-18 | Vessel breach at low pressure, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by reactor building | Early Low | Early |
| APB-19 | Vessel breach at low pressure, no CCI, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early Low | Early |
| APB-20 | Vessel breach at low pressure, CCI occurs, early containment failure, in- and ex-vessel product release mitigated by torus | Early Medium | Early |
| APB-21 | Vessel breach at low pressure, CCI occurs, early containment failure, in- and ex-vessel product release mitigated by drywell sprays | Early Medium | Early |
| APB-22 | Vessel breach at low pressure, CCI occurs, early containment failure, in- and ex-vessel product release mitigated by reactor building | Early Medium | Early |
| APB-23 | Vessel breach at low pressure, CCI occurs, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early High | Early |
| APB-24 | Vessel breach at low pressure, no CCI, early containment failure, ex-vessel fission product release mitigated by drywell sprays | Early Low | Early |
| APB-25 | Vessel breach at low pressure, no CCI, early containment failure, ex-vessel fission product release mitigated by reactor building | Early Low | Early |
| APB-26 | Vessel breach at low pressure, no CCI, early containment failure, ex-vessel fission product release not mitigated | Early Low | Early |
| APB-27 | Vessel breach at low pressure, CCI occurs, early containment failure, ex-vessel product release mitigated by drywell sprays | Early Medium | Early |
| APB-28 | Vessel breach at low pressure, CCI occurs, early containment failure, ex-vessel product release mitigated by reactor building | Early Medium | Early |
| APB-29 | Vessel breach at low pressure, CCI occurs, early containment failure, ex-vessel product release not mitigated | Early High | Early |
| APB-30 | Vessel breach at low pressure, no containment failure | NCF | NCF |
| APB-31 | Vessel breach at low pressure, no CCI, late containment failure, in-vessel and late fission product release goes to torus | Late Low | Late |
| APB-32 | Vessel breach at low pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by drywell sprays | Late Low | Late |
| APB-33 | Vessel breach at low pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by reactor building | Late Low | Late |
| APB-34 | Vessel breach at low pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by reactor building | Late Medium | Late |
| APB-35 | Vessel breach at low pressure, CCI occurs, no containment failure | NCF | NCF |
| APB-36 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by torus | Late Low | Late |
| APB-37 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by drywell sprays | Late Low | Late |
| APB-38 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by reactor building | Late Low | Late |
| APB-39 | Vessel breach at low pressure, CCI occurs, late containment failure, in-vessel and late fission product release not mitigated | Late Medium | Late |
| APB-40 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by torus | Early Low | Early |
| APB-41 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by drywell sprays | Early Low | Early |
| APB-42 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by reactor building | Early Low | Early |
| APB-43 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early Low | Early |
| APB-44 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by torus | Early Medium | Early |
| APB-45 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by drywell sprays | Early Medium | Early |
| APB-46 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by reactor building | Early Medium | Early |
| APB-47 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early High | Early |
| APB-48 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, ex-vessel fission product release mitigated by drywell sprays | Early Low | Early |
| APB-49 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, ex-vessel fission product release mitigated by reactor building | Early Low | Early |
| APB-50 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early containment failure, ex-vessel fission product release not mitigated | Early Low | Early |
| APB-51 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, ex-vessel fission product release mitigated by drywell sprays | Early Medium | Early |
| APB-52 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, ex-vessel fission product release mitigated by reactor building | Early Medium | Early |
| APB-53 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early containment failure, ex-vessel fission product release not mitigated | Early High | Early |
| APB-54 | Vessel breach at high pressure, no containment failure | NCF | NCF |
| APB-55 | Vessel breach at high pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by torus | Late Low | Late |
| APB-56 | Vessel breach at high pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by drywell sprays | Late Low | Late |
| APB-57 | Vessel breach at high pressure, no CCI, late containment failure, in-vessel and late fission product release mitigated by reactor building | Late Low | Late |
| APB-58 | Vessel breach at high pressure, no CCI, late containment failure, in-vessel and late fission product release not mitigated | Late Medium | Late |
| APB-59 | Vessel breach at high pressure, CCI occurs, no containment failure | NCF | NCF |
| APB-60 | Vessel breach at high pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by torus | Late Low | Late |
| APB-61 | Vessel breach at high pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by drywell sprays | Late Low | Late |
| APB-62 | Vessel breach at high pressure, CCI occurs, late containment failure, in-vessel and late fission product release mitigated by reactor building | Late Low | Late |
| APB-63 | Vessel breach at high pressure, CCI occurs, late containment failure, in-vessel and late fission product release not mitigated | Late Medium | Late |
| APB-64 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by torus | Early Low | Early |
| APB-65 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by sprays | Early Low | Early |
| APB-66 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure, in- and ex-vessel fission product release mitigated by reactor building | Early Low | Early |
| APB-67 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early Low | Early |
| APB-68 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by torus | Early Medium | Early |
| APB-69 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by drywell sprays | Early Medium | Early |
| APB-70 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure, in- and ex-vessel fission product release mitigated by reactor building | Early Medium | Early |
| APB-71 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure, in-vessel fission product release to torus, ex-vessel and late fission product release not mitigated | Early High | Early |
| APB-72 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure mitigated by drywell sprays | Early Low | Early |
| APB-73 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure mitigated by reactor building | Early Low | Early |
| APB-74 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early containment failure, ex-vessel fission product release not mitigated | Early Medium | Early |
| APB-75 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure mitigated by drywell sprays | Early Medium | Early |
| APB-76 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure mitigated by reactor building | Early Medium | Early |
| APB-77 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early containment failure, ex-vessel fission product not mitigated | Early High | Early |
| BP-D12 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early bypass containment failure, ex-vessel fission product release mitigated by drywell sprays | Early High | Early |
| BP-D13 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early bypass containment failure, ex-vessel fission product release mitigated by reactor building | Early High | Early |
| BP-D14 | Vessel breach at low pressure, RPV injection not recovered, no CCI, early bypass containment failure, ex-vessel fission product release not mitigated | Early High | Early |
| BP-D19 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early bypass containment failure mitigated by drywell sprays | Early High | Early |
| BP-D20 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early bypass containment failure mitigated by reactor building | Early High | Early |
| BP-D21 | Vessel breach at high pressure, RPV injection not recovered, no CCI, early bypass containment failure, ex-vessel fission product release not mitigated | Early High | Early |
| BP-E12 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early bypass containment failure, ex-vessel fission product release mitigated by sprays | Early Medium | Early |
| BP-E13 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early bypass containment failure, ex-vessel fission product release mitigated by reactor building | Early High | Early |
| BP-E14 | Vessel breach at low pressure, RPV injection not recovered, CCI occurs, early bypass containment failure, ex-vessel fission product release not mitigated | Early High | Early |
| BP-E19 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early bypass containment failure mitigated by drywell sprays | Early High | Early |
| BP-E20 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early bypass containment failure mitigated by reactor building | Early High | Early |
| BP-E21 | Vessel breach at high pressure, RPV injection not recovered, CCI occurs, early bypass containment failure, ex-vessel fission product not mitigated | Early High | Early |

NRC RAI 3.0

Provide the following information with regard to the treatment and inclusion of external events in the SAMA analysis:

1. The individual plant examination of external events (IPEEE) fire CDF value is 2.56 x 10^-5/yr (page 4-46). However, the engineering report (ER) states that a more realistic value may be closer to one third this value, or 8.53 x 10^-6/yr, based on the conservative assumptions listed on pages 4-46 and 4-47. These assumptions are generic and qualitative in nature. Provide a quantitative analysis of the conservative assumptions that justifies the factor of three reduction.

2. In the ER, the potential for risk reduction in external events is considered in the context of an upper bound assessment in which the internal event benefits are increased by a factor of 16 to account for the combined effect of external events and analysis uncertainties. The impact of external events should be reflected in the baseline evaluation independent of the uncertainty assessment. Provide a revised baseline evaluation (using a 7 percent discount rate) that accounts for risk reduction in both internal and external events, and an alternative case using the 3 percent discount rate. Reflect any corrections in the multiplier that may have resulted from addressing RAI 3a.

3. Provide an assessment of the impact on the revised baseline evaluation if SAMA benefits are increased to account for uncertainties in the analysis. Reflect any corrections in the multiplier that may have resulted from addressing RAI 1e.

4. In Section E1.3.2, Entergy states that a number of fire-related improvements were identified and that these improvements have been implemented. Despite these improvements, the fire zone CDF is a factor of three to nine greater than the current internal events CDF, depending on the level of conservatism assumed in the IPEEE fire analysis. SAMA candidates identified based on internal risk contributors will not necessarily address the fire risk. Describe any further efforts made to determine if any SAMA candidates exist to address fire risk contributors beyond those already identified in the IPEEE, and explain why the fire CDFs cannot be further reduced in a cost-effective manner.

5. NUREG-1742 states that there is a fire-induced seismic vulnerability due to failure of the hydrogen line in the turbine building. Given that the fire analysis shows a contribution to risk from a fire in the turbine building, provide details on actions taken to reduce the risk due to a seismic-induced fire, and whether a SAMA to further reduce the risk from this event is cost-beneficial.

Response to RAI 3.1

The conservative assumptions listed on ER pages 4-46 and 4-47 include general conservative assumptions applied to the fire analysis and conservatisms specific to fire scenarios that are significant contributors to fire risk. The fire scenario-specific conservatisms include use of conservative fire frequency and severity factors, no credit taken for certain plant operating procedures during fire events, and use of a simple fire suppression analysis.

A sensitivity analysis shows that reduction of fire initiation frequency for zone CR-1, removal of the fire scenario-specific conservatisms for scenarios that are significant contributors to fire risk (as described in Section 7 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006) for zones CS-1, RB-1E and RR-1), and similar revision of the cable damage assessment for the remaining zones reduces the total fire CDF to approximately 6.77E-6/yr. This value could be further reduced by addressing the remaining conservatisms listed on ER pages 4-46 and 4-47.

The Staff has deemed similar conservatisms sufficient to support a similar reduction in prior SAMA evaluations [NUREG-1437, Supplements 19 and 30]. Therefore, use of 8.53E-06/yr as the baseline fire CDF for the SAMA analysis is appropriate.

Response to RAI 3.2

See Section 4 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 3.3

See Section 4 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 3.4

See Section 7 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 3.5

The hydrogen supply is protected by excess flow valves outside the turbine building that are intended to limit hydrogen release in the event of a line break. As indicated in Phase I SAMA 286 in Table S2 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006), the risk of fire or explosion as a result of seismic-induced failure of a hydrogen line in the turbine building (252/272 foot elevations) can be further mitigated by closing hydrogen supply isolation valve 89A-H2HAS-1 during a seismic event. Plant abnormal procedure AOP-14, "Earthquake", was modified to require that plant operators close hydrogen supply valve 89A-H2HAS-1 following a seismic event.

Section 7 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006) discusses measures that have been taken to reduce risk in dominant fire zones and explains why the fire CDF for those zones cannot be further reduced in a cost effective manner. The turbine building fire risk listed in ER Table E.1-12 (which does not reflect the improvement in AOP-14) is less than 1E-06 per year and is, therefore, not considered dominant. Thus, the turbine building fire risk cannot be further reduced in a cost effective manner.

NRC RAI 4.0

Provide the following information concerning the MACCS2 analyses:

1. The meteorological data used was obtained from the Nine Mile Point/JAFNPP meteorological monitoring system and regional National Weather Services stations. Identify where the monitoring stations are located relative to JAFNPP.

2. The baseline evacuation speed (2.0 meters/s) is an average of the maximum and minimum speeds, and is said to be conservative.

Explain why the average value is considered conservative.

Explain why this value is not the same as for Nine Mile Point, which used 1.8 meters/second.

3. Entergy assumed 100% evacuation within the emergency planning zone (EPZ), which is non-conservative.

NUREG-1150 assumed a 99.5% evacuation within the EPZ, and previous SAMA analyses (including Nine Mile Point) have assumed 95% evacuation.

Address the potential impact on the off-site exposure risk and averted public exposure cost if 5% of the population fails to evacuate the EPZ.

4. The MACCS2 analysis is based on a core inventory scaled by power, with an increase of 25% for long half-life nuclides. Clarify whether the 25% increase of the long half-life nuclides is from the generic burnup data in MACCS2, and whether the scaling is considered a correction for the JAFNPP specific burnup. Confirm that the adjusted core inventory adequately reflects the fuel enrichment and burnup expected at JAFNPP.

5. Provide the full reference identifications for the following:

  1. National Hydrology Dataset
  2. U.S. Department of Agriculture, 2002
  3. Census of Agriculture, 2002
  4. New York Statistical Information System
  5. Northern New York Travel and Tourism Center
  6. MACCS2 version used
  7. Evacuation travel time estimate study

Response to RAI 4.1

The meteorological monitoring station is located within the combined Nine Mile Point/JAFNPP site boundary, about a mile west of the JAFNPP reactor building.

Regional mixing heights were calculated using data collected at National Weather Service (NWS) Station No. 725146 at the nearby Fulton-Oswego County Airport (approximately 10 miles south of JAFNPP) and NWS Station No. 14733 in Buffalo, NY (approximately 160 miles southwest of JAFNPP). These two weather stations were the closest NWS sources of data for local and upper air conditions.

Staff meteorologists at the National Climatic Data Center selected these two stations for data used to calculate seasonal mixing height values for the JAFNPP area.

Response to RAI 4.2

The baseline evacuation speed (2.0 meters/second) is an average value obtained from the evacuation travel speed ranges in the evacuation time estimate study. Therefore, the value is better characterized as best-estimate, rather than conservative. However, a sensitivity case described in ER Section E.1.5.3, using an evacuation speed of 1.0 meters/second, concluded that a lower evacuation speed would not have significant effects on the offsite consequences or risks determined in this study. Therefore, use of the 2.0 meters/second for the SAMA analysis is appropriate.

The JAFNPP evacuation speed was based on evacuation times provided in the 2003 version of the evacuation time estimate (ETE) study. The Nine Mile Point evacuation time estimate was based on an ETE study performed in 1993.

Response to RAI 4.3

The evacuation time estimate study of 2003 provides time to evacuate 100% of the affected population.

The assumption of 100% evacuation in the MACCS2 model is commensurate with the evacuation time and the corresponding evacuation speed.

Sensitivity analyses show that if 95% evacuation was assumed for JAFNPP, only a slight increase of population dose would result. The maximal deviation in population dose would be less than 1% for the LATE release.

Response to RAI 4.4

The reference core inventory for BWR in MACCS2 is based on a power level of 3578 MWTH. Because the power level at JAFNPP is 2536 MWTH, a scaling factor of 0.709 is applied to result in a power-scaled reference inventory for JAFNPP.

To account for JAFNPP-specific burnup, best-estimate inventories of long-lived radionuclides Sr-90, Cs-134, and Cs-137 were derived from an ORIGEN calculation assuming 4.65% enrichment and an average burnup. It was found that the best-estimate inventory differed from the power-scaled reference inventory by less than 25%. Consequently, the inventory of long-lived radionuclides was increased by 25%. Thus, the resulting inventory reflects the expected core exposure and fuel management practices at JAFNPP.

Response to RAI 4.5

1. National Hydrology Dataset
National Hydrography Dataset. [online] US Geological Survey. Available: http://nhd.usgs.gov/ [accessed April 21, 2005].

2. U.S. Department of Agriculture, 2002
2002 Census of Agriculture. [online]. US Department of Agriculture. Available: http://www.nass.usda.gov/census/ [accessed April 26, 2005].

3. Census of Agriculture, 2002
2002 Census of Agriculture. [online]. US Department of Agriculture. Available: http://www.nass.usda.gov/census/ [accessed April 26, 2005].

4. New York Statistical Information System
Brown, W. Baseline Population Projections NYsis Projects SEP02. [online] New York Statistical Information System. Available: http://www.nysis.cornell.edu/data.html [accessed May 12, 2005].

5. Northern New York Travel and Tourism Center
2003 Economic Impact of Expenditures by Tourists on Northern New York: Regional Comparison Charts. [online] Northern New York Travel and Tourism Research Center. Available: http://www.nnytourismresearch.org/reports.asp [accessed May 12, 2005].

6. MACCS2 version used
I. Chanin, M. L. Young. 1997. Code Manual for MACCS2: Volume 1, User's Guide, SAND97-0594. Sandia National Laboratories, Albuquerque, NM.

7. Evacuation travel time estimate study
KLD Associates, Inc. August 2003. Nine Mile Point/JA Fitzpatrick Nuclear Facility Development of Evacuation Time Estimates. Report KLD TR 370. 359 pp. KLD Associates, Commack, NY.

NRC RAI 5.0

Provide the following with regard to the SAMA identification and screening process:

1. SAMA 61 was evaluated by eliminating failures of both DC battery chargers, i.e., 71BC-1A and 71BC-1B. These events do not appear in Table E.1-2. Provide the risk reduction worth and the probability of failure of these events.

2. Table E.1-2 indicates that Phase I SAMAs to improve procedures and training have been implemented to address event NR-LOSP-7HR.

In spite of these improvements, this event is the highest risk reduction worth ranked non-initiator event. No Phase II SAMAs were recommended for this event. The risk reduction worth of this event can be reduced by reducing the probability of the event itself, or by implementation of SAMAs for other events in the accident sequences that include the event NR-LOSP-7HR (e.g., if emergency diesels were a "perfect" back-up, the RRW of NR-LOSP-7HR would be zero). Hence:

i. Given that the human error contribution to the probability of the event has been addressed, identify and evaluate hardware-based SAMAs that could facilitate recovery of offsite power (e.g., automatic switching gear, redundant switching gear, or other hardware that facilitates operator recovery of offsite power, given the grid is available within 7 hours).

ii. Identify other events in the accident sequences involving power recovery that would reduce the risk reduction worth of NR-LOSP-7HR, and identify and evaluate SAMAs for these events. Such events may already be identified in the Phase I and/or Phase II SAMAs, but not attributed and/or evaluated for NR-LOSP-7HR (e.g., SAMAs 26 through 36). Identify and evaluate potential SAMAs that might lower the importance of this event.

3. Table E.1-2 indicates that SAMA 57 was evaluated to address event NVP-XHE-FO-LVENT (operator fails to initiate local containment vent). This SAMA, controlling containment venting within a narrow pressure band, would be subject to the same failure to vent human error as in the basic event. Conversion of the containment vent system to a passive design would appear to be more effective in reducing the risk from this event. Provide an evaluation of the costs and benefits of converting the vent system to a passive design.

4. SAMA 53 was evaluated based on reducing CDF due to reactor protection system (RPS) failure (event C). However, event C, which has a RRW of 1.057, also has a large Risk Achievement Worth. The staff estimates that an order-of-magnitude increase in this event would increase CDF by 48%. Provide an assessment of SAMA 53 in the context of preventing an increase in likelihood of event C. Also, consider other SAMAs that could prevent a degradation of the RPS over time.

5. Table E.1-2 indicates that SAMA 49 was considered to address event FXT-ENG-FR-76P1. This SAMA involves the addition of an entire new system. The addition of a redundant diesel fire pump would appear to be more cost effective. Provide an evaluation of the costs and benefits of adding a redundant diesel fire pump, in lieu of SAMA 49.

6. Table E.1-2 identifies a procedure change for operator action to be taken within 5 minutes of fire pump starting to ascertain whether flooding is occurring in the relay room (event IE-RRFLOOD). Explain why 5 minutes was used and whether corrective action is required within 5 minutes. Provide an assessment of the potential impact if no action is taken for some longer period. Justify why no additional SAMAs were identified to address internal flooding events.

7. Table E.2-1 indicates that SAMAs 8, 14, and 22 were modeled by assuming that reactor building failures were completely eliminated. However, no reduction in population dose is shown. Explain this apparent contradiction.

Response to RAI 5.1

A bounding analysis was conservatively performed for SAMA 61 by setting the CDF contribution due to loss of 125V-dc battery control boards BDC-2A and BDC-2B and DC battery chargers 71BC-1A and 71BC-1B relevant basic events to zero in the Level 1 PSA model. These basic events are as follows:

Event | Description | RRW | Probability (/yr)
DC1-BCC-HW-BATCA | Failure of battery charger 71BC-1A | 1.001 | 2.45E-5
DC1-BCC-HW-BATCB | Failure of battery charger 71BC-1B | 1.001 | 2.45E-5
DC1-MAI-MA-BATCA | 125VDC battery charger 71BC-1A in maintenance | 1.001 | 1.99E-5
DC1-MAI-MA-BATCB | 125VDC battery charger 71BC-1B in maintenance | 1.001 | 1.43E-4
DC1-XHE-RE-CHGAD | Charger 71BC-1A DC breaker left in trip position after test | 1.001 | 1.60E-4
DC1-XHE-RE-CHGBD | Charger 71BC-1B DC breaker left in trip position after test | 1.001 | 1.60E-4
DC1-CRB-CO-CHGAD | Charger 71BC-1A DC breaker fails to remain closed | 1.001 | 6.48E-6
DC1-CRB-CO-CHGBD | Charger 71BC-1B DC breaker fails to remain closed | 1.001 | 6.48E-6

To ensure a bounding analysis, the benefit evaluation for SAMA 61 has been revised to also set the following initiating events to zero in the Level 1 PSA model.

Event | Description | RRW | Probability (/yr)
IE-TDCA | Loss of 125VDC battery control board BDC-2A | 1.015 | 3.45E-04
IE-TDCB | Loss of 125VDC battery control board BDC-2B | 1.009 | 3.45E-04

Revised benefit estimates for SAMA 61 are as follows.

CDF reduction of 2.39%
PDR reduction of 1.84%
OECR reduction of 1.80%
7% baseline benefit of $9,940
3% baseline benefit of $12,594
7% Baseline with uncertainty benefit of $39,760

Since the estimated cost for SAMA 61 is $10,000, the conclusion that this SAMA is potentially cost-beneficial is unchanged.

Response to RAI 5.2i

Procedure and training improvements for restoring power to vital equipment following a recovery of the offsite power supply have been implemented. However, the nature of the NR-LOSP-7HR non-recovery term is such that additional plant-specific improvements are not relevant to its risk reduction worth.

The offsite power non-recovery terms (including NR-LOSP-7HR) are derived from historical data using the method described in NUREG/CR-5496 [1]. NR-LOSP-7HR represents a point on the flatter portion of the power recovery curve. Hardware improvements that could facilitate recovery of offsite power, such as automatic or redundant switching gear, would merely shift NR-LOSP-7HR to a slightly later time on the power recovery curve. Therefore, they would have little impact on the risk reduction worth of the event and would not be cost-beneficial.

[1] Atwood, C.L. et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996, U.S. Nuclear Regulatory Commission, NUREG/CR-5496, November 1998.

Response to RAI 5.2ii

Given that plant-specific improvements would have little impact on the RRW of NR-LOSP-7HR as described in the response to 5.2.i, and the fact that other events in accident sequences containing this event are themselves risk significant and listed in Table E.1-2, Phase II SAMAs were not listed for this event. However, implementation of SAMAs for other events in NR-LOSP-7HR accident sequences would reduce its CDF contribution.

NR-LOSP-7HR is applied to sequences resulting in battery depletion following loss of AC power to vital equipment. Therefore, Phase II SAMAs 026 through 036, 061, and 062, for enhancing AC or DC system reliability or to cope with loss of offsite power and SBO events, are relevant to this event.

Response to RAI 5.3

To assess the potential costs and benefits associated with converting the vent system to a passive design, an additional case was run in which the benefit was conservatively estimated by removing operator failure to implement torus venting (NVP-XHE-FO-LVENT was set to zero). Conversion of the existing torus vent to a passive torus vent resulted in the following:

CDF reduction of 17.6%
PDR reduction of 20.25%
OECR reduction of 19.16%
7% baseline benefit of $94,165
3% baseline benefit of $121,191
7% Baseline with uncertainty benefit of $376,658

The cost of changing the existing torus vent to a passive design is estimated to be greater than $1 million. Since hardware modifications cost more than the baseline with uncertainty benefit, the proposed enhancement to convert the existing torus vent system to a passive design is not cost effective.

Response to RAI 5.4

Event C represents failure of the reactor protection system (RPS), otherwise known as an ATWS event. Its probability is based on the probability of mechanical failure of the control rods and hydraulic drive system, the probability of electrical failure of the control rod drive actuation system, and the probability of operator failure to press the scram button. As stated in Table E.1-2, several improvements have been implemented to minimize the risks associated with ATWS events, including a SLC pump discharge line cross-tie, alternate rod insertion instrumentation, and alternate boron injection through the CRD system.

As stated in Table E.2-1, SAMA 53, Diversify explosive valve operation, is intended to provide an alternate means of opening a pathway to the vessel for SLC injection, thereby improving the probability for successful reactor shutdown. SAMA 53 was conservatively evaluated by eliminating common cause failure of the SLC explosive valves. SAMA 53 will enhance reliability of the standby liquid control system to mitigate the consequences of an ATWS event, but will not reduce the probability of event C, failure of the RPS. Thus, SAMA 53 will not prevent an increase in likelihood of event C.

Degradation of the RPS over time is prevented by ongoing routine maintenance. The components are maintained and will continue to be maintained during the period of extended operation in accordance with the plant's licensing basis. Replacing the entire system is a possible option to reduce the probability of RPS failure, although ongoing maintenance would still be required to prevent degradation over time. However, SAMAs to replace the electrical or mechanical portions of the RPS would cost more than the maximum attainable benefit. [The maximum attainable benefit ($2,008,752) is estimated by multiplying the total estimated present dollar value equivalent of internal events CDF from ER Table 4-3 ($125,547) by a factor of 16 to account for external events and uncertainty.] Therefore, SAMAs that could prevent degradation of the RPS over time are not cost-beneficial.

Response to RAI 5.5

JAFNPP has three 100% capacity fire water pumps: one electric motor driven (76P-2), and two diesel engine driven (76P-1 and 76P-4). A cost benefit analysis was performed to evaluate addition of a third redundant diesel fire pump to address event FXT-ENG-FR-76P1, Diesel Fire Pump 76P-1 fails to Run. A bounding analysis was performed by setting events FXT-ENG-FR-76P1 (RRW, 1.007) and FPS-MAI-MA-P4 (Fire water pump 76P-4 out for maintenance, RRW, 1.006) to zero in the PSA model, which resulted in the following:

CDF reduction of 1.0%
PDR reduction of 1.23%
OECR reduction of 1.20%
7% baseline benefit of $5,035
3% baseline benefit of $6,606
7% Baseline with uncertainty benefit of $20,140

The cost of adding a redundant diesel fire pump is estimated to be $2 million. Therefore, adding a third redundant diesel fire pump is not cost effective for JAFNPP.

Response to RAI 5.6

The guillotine rupture of a fire protection line within the relay room will release ~2500 gpm of floodwater into the room. This will result in flooding to a depth of 11" within 15 minutes and a plant trip. Phase I SAMA 267 proposed a procedure change to check the relay room within 5 minutes of a fire pump start, providing time to stop the pumps and prevent the trip in this worst-case rupture event. The associated procedure change has been implemented, directing the operators to check the relay room for flooding and attempt to isolate the flood source; however, the change was not credited in the CDF contribution associated with flooding of the relay room.

The baseline model assumes that any rupture event capable of causing flooding to a depth of 11" within 30 minutes causes the panel damage and plant trip; however, flood damage at lower levels of floodwater will provide sufficient cues to ensure isolation within 30 minutes. Thus, failure to accomplish the action within the five minute timeframe has no impact on the baseline model results.

Since the core damage frequency contribution of the IE-RRFLOOD scenario is 2.5E-8/yr, the risk reduction worth of successful isolation is represented by eliminating that contribution. Given a baseline CDF (including internal flooding) of 2.74E-6/yr, the RRW for that action is 1.009 as stated in Table E.1-2. Although the operator action proposed in Phase I SAMA 267 has been implemented, it is not reflected in the PSA model used for the SAMA analysis. If it was, the RRW for this event would be lower. Thus, the event is not risk-significant.

Additional methods of mitigating this flood event would entail either moving the fire protection line or installing a guard pipe to channel floodwater out of the relay room. Since the event is not risk-significant and mitigative efforts would be costly, additional SAMAs were not identified to address this event. The remaining flood scenarios are not risk-significant (i.e., RRW is less than 1.005). SAMA candidates for these scenarios are not likely to be cost-beneficial and were, therefore, not postulated.
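The importance-measure arithmetic behind Responses 5.1 through 5.6, as an added Python example that is not part of the submittal: it recomputes the IE-RRFLOOD RRW, checks the staff's 48% estimate for event C, and applies the cost screen. Function names are hypothetical, the linear scaling of CDF with event probability is an assumption, and the passive vent cost ("greater than $1 million") is entered at its lower bound.

```python
# Added example: importance measures and cost screening with figures quoted
# in the responses above. Function names are hypothetical, not from the PSA.

BASELINE_CDF = 2.74e-6         # /yr, baseline CDF incl. internal flooding (RAI 5.6)
RRFLOOD_CONTRIBUTION = 2.5e-8  # /yr, IE-RRFLOOD CDF contribution (RAI 5.6)
RRW_SCREEN = 1.005             # below this an event is "not risk-significant"
MAB_FACTOR = 16                # external events and uncertainty (RAI 5.4)


def rrw(baseline_cdf, contribution):
    """Risk reduction worth: baseline CDF over CDF with the event eliminated."""
    if not 0 <= contribution < baseline_cdf:
        raise ValueError("contribution must be in [0, baseline_cdf)")
    return baseline_cdf / (baseline_cdf - contribution)


def fractional_contribution(rrw_value):
    """Fraction of CDF removed if the event never occurs: 1 - 1/RRW."""
    if rrw_value < 1.0:
        raise ValueError("RRW cannot be below 1")
    return 1.0 - 1.0 / rrw_value


def cdf_increase_if_scaled(rrw_value, factor):
    """Fractional CDF increase when the event probability is multiplied by
    `factor`. ASSUMPTION: every cut set containing the event scales linearly
    with its probability (rare-event approximation)."""
    return (factor - 1.0) * fractional_contribution(rrw_value)


def is_risk_significant(rrw_value, threshold=RRW_SCREEN):
    """Screening rule quoted in RAI 5.6: RRW below 1.005 is screened out."""
    return rrw_value >= threshold


def max_attainable_benefit(internal_events_value, factor=MAB_FACTOR):
    """Upper bound on any SAMA's benefit, as described in RAI 5.4."""
    return internal_events_value * factor


def screen(cost, benefit_with_uncertainty):
    """A candidate survives only if its cost does not exceed the
    baseline-with-uncertainty benefit."""
    if cost <= benefit_with_uncertainty:
        return "potentially cost-beneficial"
    return "not cost effective"


# (label, estimated cost in $, 7% baseline-with-uncertainty benefit in $)
CANDIDATES = [
    ("SAMA 61", 10_000, 39_760),                  # RAI 5.1
    ("Passive torus vent", 1_000_000, 376_658),   # RAI 5.3, cost is a lower bound
    ("Third diesel fire pump", 2_000_000, 20_140),  # RAI 5.5
]


def screen_all(candidates=CANDIDATES):
    return {label: screen(cost, benefit) for label, cost, benefit in candidates}


if __name__ == "__main__":
    flood_rrw = rrw(BASELINE_CDF, RRFLOOD_CONTRIBUTION)
    print(f"IE-RRFLOOD RRW (action not credited): {flood_rrw:.3f}")
    print(f"Battery charger events (RRW 1.001) risk-significant: "
          f"{is_risk_significant(1.001)}")
    rise = cdf_increase_if_scaled(1.057, 10)
    print(f"Event C x10 raises CDF by about {rise:.1%}")
    print(f"Maximum attainable benefit: ${max_attainable_benefit(125_547):,}")
    for label, verdict in screen_all().items():
        print(f"{label}: {verdict}")
```

Because the fractional contribution depends only on RRW, the event C check holds for any baseline CDF; the result of about 48.5% is consistent with the staff's 48% figure.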

Response to RAI 5.7

The off-site dose reduction and estimated benefit values submitted in the ER have been revised for SAMAs which directly impact the containment event tree model and alter the distribution of releases within a release bin, including SAMAs 08, 14, and 22. The other Phase II SAMAs impacted by this revision are 05, 06, 07, 09, 11, 12, 13, 16, 17, 19, 21, 23, 24, 25, and 39. The off-site dose reduction values for these SAMAs were estimated using the release magnitudes for the individual release categories in ER Table E.1-11. The revised results, presented in Table RAI 5-1, resolve the noted contradiction, but do not change the analysis conclusions for the affected SAMAs.

The off-site dose reduction and estimated benefit values for SAMAs 7 and 19 (flooding internal to the drywell to ensure the drywell head seal does not fail due to high temperature) remain zero because drywell head seal failure due to high temperatures is insignificant compared to other containment failure modes.

In addition, the CDF reductions for Phase II SAMAs 11, 16, 17, and 39 have been changed to 0.0 percent to correct an erroneous table entry.

Figure RAI.5-1 Revised Summary of Selected Phase II SAMA Candidates Considered in Cost-Benefit Evaluation

Phase II SAMA ID | SAMA Title | CDF Reduction | Off-Site Dose Reduction | OECR Reduction | Baseline | 3% Discount Case | Baseline With Uncertainty | Estimated Cost | Conclusion
005, 006, 009, 009 | Create a large concrete crucible with heat removal potential under the base mat to contain molten core debris. | 0.0% | 63.79% | 79.77% | $34,354 | $48,004 | $137,417 | >$100 million | Not cost effective
007, 019, 021 | Provide modification for flooding the drywell head. | 0.0% | 0.00% | 0.00% | $0 | $0 | $0 | >$1,000,000 | Not cost effective
008, 014, 022 | Enhance fire protection system and standby gas treatment system hardware and procedures. | 0.0% | 30.90% | 40.46% | $17,047 | $23,821 | $68,190 | >$2,500,000 | Not cost effective
011, 016, 017, 025 | Strengthen primary and secondary containment | 0.0% | 27.91% | 26.97% | $13,259 | $18,527 | $53,036 | $12,000,000 | Not cost effective
012 | Increase the depth of the concrete base mat or use an alternative concrete material to ensure melt-through does not occur. | 0.0% | 0.33% | 0.19% | $128 | $178 | $513 | >$5,000,000 | Not cost effective
 | Provide a reactor vessel exterior cooling system. | 0.0% | 3.32% | 3.08% | $1,549 | $2,164 | $6,196 | $2,500,000 | Not cost effective
023 | 14.a. Provide a means of flooding the rubble bed. | 0.0% | 21.93% | 26.97% | $11,709 | $16,361 | $46,836 | $2,500,000 | Not cost effective
039 | 8.e. Improve MSIV design. | 0.0% | 19.60% | 17.53% | $8,997 | $12,571 | $35,987 | >$1,000,000 | Not cost effective

NRC RAI 6.0

Provide the following with regard to the Phase II cost-benefit evaluations:

1. For a number of the Phase II SAMAs listed in Table E.2-1, the information provided does not sufficiently describe the associated modifications and what is included in the cost estimate. Provide a more detailed description of the modifications for Phase II SAMAs 18, 26, 27, 28, 30, 36, 38, 52, 59, and 60.

2. In Table E.2-1, the percent change in CDF and population dose is reported for each analysis case. However, the change in the offsite economic cost risk (OECR) is not reported. Provide the change in the OECR for each analysis case.

3. In Table E.2-1, SAMA 25 is indicated to provide no CDF reduction. Explain why the CDF reduction would not be equivalent to that for SAMAs 11 and 17.

4. SAMA 57, control containment venting within a narrow band of pressure, is intended to eliminate failures associated with successful venting. The benefit of this SAMA was determined by reducing the operator failure to vent by a factor of three. It is not clear that reducing the failure to vent probability is related to the actual benefit from this SAMA. Also, the cost of $400,000 appears high for what appears to be a procedure and training issue. Justify the benefit and cost for this SAMA.

5. The ER does not provide any indication of Entergy's plans regarding the five Phase II SAMAs found to be potentially cost-beneficial (Table 4-4). Describe Entergy's plans regarding these SAMAs, and any other potentially cost-beneficial SAMAs that may emerge from further analyses in response to these RAIs.

6. Several Phase II SAMAs in Table E.2-1 provide a CDF and/or offsite dose reduction, but an estimated benefit of $0, i.e., SAMAs 43, 50, 53, 55, and 56. Provide the estimated benefits for these SAMAs.

Response to RAI 6.1

SAMA 18 (Install improved vacuum breakers) would address the reliability of a vacuum breaker to reseat following a successful opening. The proposed design modification for this SAMA requires replacing existing valves with new valves and associated structural changes.

SAMAs 26 (Provide additional DC battery capacity), 30 (Provide 16-hour SBO injection), and 36 (Extended SBO provisions) would extend station battery capacity and improve the capability to cope with longer station blackout scenarios. The proposed design modification for this SAMA requires adding a battery, charger and cabling.

SAMA 27 (Use fuel cells instead of lead acid batteries) would extend DC power availability in an SBO scenario. The proposed design modification for this SAMA entails replacing existing batteries with fuel cells and associated structural changes.

SAMA 28 (Incorporate an alternate battery charging capability) would improve DC power reliability. The proposed design modification for this SAMA involves installation of a portable diesel driven battery charger.

SAMA 38 (Increase frequency of valve leak testing) would reduce ISLOCA frequency. This SAMA proposes increasing the testing frequency for valves that have the potential to cause an ISLOCA. The modification involves procedure and preventive maintenance database changes and training for on-line valve manipulation. The potential for increased risk due to adverse consequences of on-line valve manipulation would also need to be assessed.

SAMA 52 (Install an ATWS sized containment vent large enough to remove ATWS decay heat) would provide a means to remove decay heat during an ATWS event. The proposed design modification for this SAMA involves replacing the existing 20-inch containment vent pipe with a larger vent pipe. Engineering evaluation would be necessary to determine the size of vent pipe necessary to remove decay heat following an ATWS with MSIV closure and successful recirculation pump trip.

SAMA 59 (Provide a cross-tie between RHRSW trains downstream of the RHRSW pump discharge valves) would improve injection and containment heat removal capabilities. The proposed design modification for this SAMA involves installation of cross-tie piping and valves between RHR loops A and B.

SAMA 60 (Improve turbine bypass valves capability) would improve the availability of the turbine bypass valves to reduce the transient core damage frequency contribution. The turbine bypass valves depend on the electro-hydraulic control (EHC) system for valve operation. The EHC system provides input necessary for opening the bypass valves when steam generated by the reactor cannot be handled by the main turbine. The proposed design modification for this SAMA involves installation of a more reliable power supply for the EHC system to improve control and actuation reliability.

Response to RAI 6.2

See Section 5 and Table S1 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 6.3

The Phase II SAMA 25 CDF reduction is correct and should be equivalent to that of SAMAs 11 and 17. As indicated in the response to RAI 5.7, the CDF reductions for Phase II SAMAs 11, 16, 17, and 39 have been changed to 0.0 percent to correct an erroneous table entry.

Response to RAI 6.4

See Sections 8 and 9 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 6.5

The potentially cost-beneficial SAMAs were entered into the engineering request (ER) process to be evaluated for implementation. Additional potentially cost-beneficial SAMAs emerging from further analyses in response to RAIs would also be entered into the ER process to be evaluated for implementation. The status of the ERs for potentially cost-beneficial SAMAs follows.

SAMAs 26, 30, 36, and the additional SAMA identified in Section 10 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006) were combined into a single ER to determine and implement the best approach to extend station battery capacity. The ER has been assigned a management sponsor and a responsible engineer, and preparations are being made to present the ER to senior management for project approval and funding.

SAMA 61 has been approved as a minor modification. It is in the design process, with installation currently scheduled for late 2007.

SAMA 62 was implemented by revising applicable annunciator response procedures. Implementation was completed in November 2006.

Response to RAI 6.6

SAMAs 43, 50, 53, 55, and 56 result in a very small reduction in CDF (the largest, SAMA 43, is 0.18%) and no offsite dose reduction. Since the calculation of on-site benefits uses two places after the decimal point, this difference in CDF is so small that it is essentially zero. The baseline CDF is 2.74E-6/yr; reducing that by 0.18% results in a CDF of 2.735E-6/yr, which rounds to 2.74E-6/yr. Since all the equations in the on-site benefit calculations include a delta-CDF term, the calculated benefit is $0.

The benefit estimate for SAMA 43 would be about $132 if three digits were used after the decimal instead of two. Therefore, the estimated benefit for these SAMAs is very small and can be considered zero as reported in ER Table E.2-1.

NRC RAI 7.0

For certain SAMAs considered in the ER, there may be lower-cost alternatives that could achieve much of the risk reduction at a lower cost. In this regard, discuss whether any lower-cost alternatives to those Phase II SAMAs considered in the ER would be viable and potentially cost-beneficial.

Evaluate the following SAMAs (previously found to be potentially cost-beneficial at other plants), or indicate if the particular SAMA has already been considered. If the latter, indicate whether the SAMA has been implemented or has been determined to not be cost-beneficial at JAFNPP.

1. Enhance dc power availability (provide cables from diesel generators or another source to directly power battery chargers).
2. Provide alternate dc feeds (using a portable generator) to panels supplied only by the dc bus.
3. Modify procedures and training to allow operators to cross-tie emergency ac buses under emergency conditions which require operation of critical equipment.
4. Develop guidance/procedures for local, manual control of reactor core isolation cooling following loss of dc power.
5. Enhance loss of service water procedure to provide more specific guidance to deal with or prevent a complete loss of the system.
6. Manual venting of containment using either a local hand wheel or gas bottle supplies (considered for Nine Mile Point Unit 1) as a possible alternative for containment pressure control.

Response to RAI 7.1

See Section 10 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 7.2

See Section 10 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 7.3

See Section 10 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 7.4

See Section 10 of JAFP-06-0167 Attachment 3 (LRA Amendment 1, dated December 6, 2006).

Response to RAI 7.5

Plant service water requirements are provided by three independent systems: normal service water (NSWS), emergency service water (ESW) and RHR service water (RHRSW).

The NSWS provides cooling water to the condensate, turbine building closed loop cooling, and reactor building closed loop cooling systems. While loss of normal service water does not adversely affect function of a safety system, it could lead to plant trip due to loss of condenser vacuum.

The ESW system provides cooling to the emergency diesel generators, provides backup cooling to NSWS loads (i.e., reactor building crescent area coolers, turbine building electric bay coolers), and provides backup cooling to reactor building closed loop cooling loads (i.e., RHR pump seal cooler, CRD pump coolers).

The RHRSW system supplies cooling water to the RHR heat exchangers during transients or accident conditions. (The system also provides an additional unlimited source of water for post-accident core flooding and containment flooding via a cross tie to the RHR injection lines.)

Hence, total loss of service water requires gross equipment failures (three NSWS pumps, two ESW pumps and four RHRSW pumps) or complete loss of the intake structure due to natural phenomena (such as frazil ice, zebra mussels).

Guidance to deal with individual failures and prevent total loss of service water is provided in plant procedures AOP-10, "Loss of Service Water Cooling," AOP-11, "Loss Reactor Building Closed Loop Cooling," and AOP-64, "Loss of Intake Water Level." Therefore, the proposed SAMA has already been implemented.

Response to RAI 7.6

This SAMA has already been considered and implemented. Procedure EP-6, "Post Accident Containment Venting and Gas Control," instructs operators to manually operate the torus exhaust isolation valves if venting from the relay room is unsuccessful because of the loss of an AC bus or loss of instrument air to the valve controls.

JAFP-07-0013
Docket No. 50-333
Attachment A
James A. FitzPatrick Nuclear Power Plant License Renewal Application - Amendment 4
JAFNPP SAMA Analysis - Supplement

ATTACHMENT A
UTILITY PARTICIPATION AND INTERNAL REVIEW TEAM
JAMES A. FITZPATRICK PSA REVISION 2, OCTOBER 2004

Section 5 UTILITY PARTICIPATION AND INTERNAL REVIEW TEAM

5.1 IPE PROGRAM ORGANIZATION

An important feature of the IPE is the involvement of the utility's staff in all aspects of the examination.

This, the NRC believes, will benefit the utility by facilitating integration of the knowledge gained from the examination into operating procedures and training programs.

The involvement of New York Power Authority (NYPA) staff was achieved by:

* Having New York Power Authority staff manage the IPE and perform the bulk of the examination and, in particular, the event tree and system fault tree analyses.
* Having utility engineers who are intimately familiar with design, controls, procedures and system configurations participate in the analysis as well as in the technical review.
* Formally including an independent in-house review to ensure the accuracy of the documentation packages and to validate both the IPE process and its results. This independent review is addressed in Sections 5.2 and 5.3.
* Having plant staff review all insights gathered and recommendations made in the study.
* Ensuring that staff are well trained in all technology and methodologies relevant to this examination.

As a result, New York Power Authority staff:

* Examined and understood the plant emergency operating procedures, design, operations, maintenance, and surveillance tests to develop potential severe accident sequence models for the plant
* Quantified the expected accident sequences
* Determined the leading contributors to core damage and unusually poor containment performance
* Identified proposed plant improvements for the prevention and mitigation of severe accidents
* Examined each of the proposed improvements, including design modifications as well as changes in maintenance, operating and emergency operating procedures, surveillance tests, staffing, and training programs
* Identified which of the proposed improvements will be considered for implementation.

While this IPE was conducted primarily by NYPA staff, outside consultants reviewed work completed by utility staff and provided particular expertise in specific areas, such as human failure data analysis and radionuclide release characterization in the back-end analysis.

Lastly, before the completion of the IPE update, the NYPA participated in the BWR Owner's Group PSA peer review certification process. The PSA peer review certification process used a team of experienced PSA and system analysts to provide both an objective review of the PSA technical elements and a subjective assessment based on their PSA experience regarding the acceptability of the PSA elements for potential applications.

The results and recommendations of the certification team are found in section 5.3.3 of this report.

The staffs responsible for conducting this IPE and the IPE Update are identified in Table 5.1.1.1 and Table 5.1.1.2 respectively; a partial listing of relevant courses, workshops, and seminars staff has attended is presented in Table 5.1.1.3; staff participation in activities related to IPEs is described in Table 5.1.1.4.

Table 5.1.1.1 IPE Program Organization

Columns: Task; Primary Responsibility; Review

Task: Direction and Management; Accident sequence delineation and quantification; Systems analysis; Thermal-hydraulic analyses; Plant specific data analysis; Human error data analysis (Pre-accident; Post-accident); Common cause data analysis; Internal flooding analysis; Vulnerability, decay heat removal, and USI and GSI screening; Binning; Containment failure characterization; Containment event trees; Radionuclide release characterization; Insights and recommendations

Primary Responsibility and Review: NYPA-NSA; NYPA-NSA; NYPA/SAIC; NYPA-NSA; NYPA-NSA; NUS/NYPA-NSA; NYPA; RMA; NYPA; NYPA-NSA; SAIC/NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA/RMA; SAIC/NYPA-NSA; SAIC/NYPA-NSA; NYPA-NSA; SAIC/NYPA; NYPA; SAIC; SAIC; NYPA; SAIC/NYPA; NYPA; NYPA; NYPA; NYPA

NYPA -- New York Power Authority staff
NYPA-NSA -- New York Power Authority Nuclear Systems Analysis Group staff
SAIC -- SAIC Albuquerque staff
NUS -- NUS Corporation staff
RMA -- Risk Management Associates staff

Table 5.1.1.2 IPE Update Program Organization

Columns: Task; Primary Responsibility; Review

Task: Direction and Management; Accident sequence delineation and quantification; Systems analysis; Thermal-hydraulic analyses; Plant specific data analysis; Human error data analysis (Pre-accident; Post-accident); Common cause data analysis; Internal flooding analysis; Vulnerability, decay heat removal, and USI and GSI screening; Binning; Containment failure characterization; Containment event trees; Radionuclide release characterization; Insights and recommendations

Primary Responsibility: NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; Risk Research Group; NYPA/Scientech; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA; NYPA-NSA

Review: NYPA/Scientech; NYPA/Scientech; NYPA/Scientech; NYPA/Scientech; NYPA/Scientech; Scientech; NYPA-NSA; NYPA/Scientech; NYPA/Scientech; NYPA/Scientech; NYPA/Scientech; NYPA

NYPA -- New York Power Authority staff
NYPA-NSA -- New York Power Authority Nuclear Systems Analysis Group staff
Scientech -- Scientech Staff
Risk Research Group -- The Risk Research Group

Table 5.1.1.3 Training, Seminars and Workshops, Attended by NYPA Nuclear Systems Analysis Staff

Columns: Course; Date(s); Sponsor

Course: System Reliability Engineering; SETS Computer Code; HRA in Engineered Systems Analysis; Reliability Engineering, Testing, and Maintainability Engineering; CAFTA Code Training Course; GO Modeling; RISKMAN Computer Code; SETS/SEP Code Applications; Fundamentals of Reliability, Availability, Maintainability; IPE Workshop; Advanced Fault Tree Modeling; PRA Seminar and Workshop; Data Analysis Training Course; PRA Management Training Course; Root Cause Analysis; PRA Fundamentals Training Course

Date(s): 6/81; 6/83; 7/82; 6/83; 10/86; 12/86; 12/86; 4/87; 5/87; 5/87; 5/87; 6/87; 2/88; 5/88; 6/88; 6/88; 7/88

Sponsor: JBF Associates; Sandia; JBF Associates; NY Polytechnic; SAIC; EPRI/EI; PL&G; El; TRC Associates; NRC; El; Westinghouse; SAIC; El; EG&G; El

Table 5.1.1.3 (Continued) Training, Seminars and Workshops, Attended by NYPA Nuclear Systems Analysis Staff

Course: Workshop on Risk-Based Tech Specs; INPO Training on CFAR (NPRDS); Workshop on Common-Cause Failures; SETS Code Training Course; Guidance on IPE; PSA; NUMARC Severe Accident Issues Workshop; APRIL Computer Code Seminar; Workshop on HRA

Date(s): 9/88; 9/88; 12/88; 12/88; 2/89; 4/89; 10/89; 4/90; 7/90

Sponsor: EPRI/Battelle; INPO; EPRI; El; NRC; ANS-ENS; NUMARC; ESEERCO/RPI; EPRI

Table 5.1.1.4 Participation in Industry IPE Activities by NYPA Nuclear Systems Analysis Staff

Columns: Activity; Date(s)

Activity: EPRI Systems Analysis Forum; NUMARC/EPRI Severe Accident Meeting; SAM Workshop; NUMARC Joint Owners Group Accident Management Advisory Committee; EPRI Nuclear Safety Technology Task force Safety Performance Subcommittee; BWROG Meetings (- Risk Assessment Issues/IPE; - Severe Accident Evaluation Committee); Inter-RAM Conferences; PC-Parallel Processing System Users Group Meetings (sponsored by RMA); BWROG IRBR Committee; WOG RBTWG Committee; BWROG PSA Certification

Date(s): 1987 - present/continuing; 1989; 1997; 1990 - 1993; 1990 - present/continuing (Chairman 1991); 1988; 1990; 1989 - present/continuing; 1989; 1992 - present/continuing; 1994 - present/continuing; 1997-1998

5.2 COMPOSITION OF THE INDEPENDENT REVIEW TEAM

The methodology, data, results, and conclusions of both the original IPE and subsequent IPE update were reviewed at several levels:

NYPA Systems Analysis Group staff and consultants examined each other's work at each stage of development.

These reviews focused on the accuracy and consistency of areas of specialized expertise: thermal-hydraulic calculations, human reliability assessment, common-cause failures, data analysis, and internal flooding analysis.

NYPA staff from the licensing, operating and maintenance, site engineering and technical services departments were kept apprised of the progress made; they reviewed the Methodology and Guidelines Document, the system work packages and accident sequences. These reviews entailed the scrutiny of documents and plant site meetings to ensure the accuracy and adequacy of the models used. These reviews and meetings were an integral part of the information gathering process for the IPE and IPE update.

The consultations were comprehensive and conducted to the satisfaction of the authors of the IPE and plant and other Authority staff.

Cognizant departments at JAF--licensing, operations, maintenance, design engineering, training, instrumentation and control, planning, and technical services--reviewed the system work packages, internal flooding analysis and major accident sequences at two formal site reviews. They also reviewed the insights and recommendations derived from the study at a third, formal, review.

Formal, independent, reviews were made of the draft final reports.

Finally, the IPE underwent a review by the BWR Owner's Group for PSA Certification.

The independent review committees comprised both NYPA staff and prominent outside experts:

5.2.1 Original IPE (Rev. 0)

NYPA Staff

Herschel Specter--Technical Advisor to the Executive Vice President, Nuclear Generation (Chairman of the Review Committee)

As chairman of the independent review committee, Mr. Specter coordinated the review and prepared a final report.

George Wilverding--Manager, Nuclear Safety Evaluation; Chairman, Safety Review Committee (SRC)

Mr Wilverding focused on the comparison of JAF and Peach Bottom.

Frank Pesce--Director, Quality Assurance

Mr Pesce's review addressed conformance with the NRC guidelines for the development of the IPE.

Verne Childs--Senior Nuclear Licensing Engineer, JAF

Mr Childs' review focused on ensuring that systems, operating procedures, plant response to initiating events, and subtle dependencies were portrayed accurately.

Outside Consultants

Dr. Norman C. Rasmussen, McAfee Professor of Engineering, Massachusetts Institute of Technology

Professor Rasmussen provided an overview of the methodology, the application of fault trees and event trees, and confirmation of the "reasonableness" of the results when examined both in isolation and in comparison with Peach Bottom.

Dr. Gareth W. Parry, NUS Corporation

Dr. Parry confirmed the adequacy and applicability of the accident sequences and reviewed the scope of the analysis of subtle dependencies and data.

Dr. Alan D. Swain

Dr. Swain validated the human reliability analysis described in the draft report with respect to its methodology, adequacy, and accuracy of results.

5.2.2 IPE Update (Rev. 1)

The independent review committee of the IPE update comprised three prominent outside experts from Scientech:

  • Mr. Robert Bertucio, Consultant, Scientech Inc.
    Mr. Bertucio reviewed the event trees, system analyses, data and results of the accident sequence quantification.
  • Mr. Jeff Julius
    Mr. Julius reviewed the human reliability analysis.
  • Dr. James Fulford
    Dr Fulford reviewed the containment performance analysis and the overall reasonableness of the results.

5.3 MAJOR COMMENTS AND THEIR RESOLUTION

The comments of the internal reviewers were conveyed orally, as mark-ups of the draft report, or in detailed reports that addressed individual items in the draft report. The reviewers' comments can be characterized as being technical or editorial.

Technical comments and their resolution will first be summarized and then addressed in detail. Although editorial comments concerning the presentation of the methodology and results will not be described here, they were addressed by changes to the text.

5.3.1 Comments on Original IPE (Rev. 0)

5.3.1.1 Summary of Comments on Original IPE

The consensus of the reviewers was that the report was "well laid out and clearly written." Professor Rasmussen also noted that he was able to take one of the dominant sequences and follow it through the study. The reviewers' suggestions for changes that would clarify statements and make the task of the reviewers and readers easier were adopted for the most part.

Technical comments were both detailed and general. Professor Rasmussen found the methodology used to identify the accident initiating events "logical and consistent with current ... practice." He also found the review of common-cause failures, data gathering, and human error probabilities to be good.

Dr. Parry expressed two principal concerns: the initial assumption that operator recovery actions in ATWS sequences were independent, and the use of a time-based failure probability rather than a demand-based failure probability for battery failure in station blackout sequences.

The first concern was resolved by the conservative assumption of complete dependency between operator recovery actions in ATWS sequences; the second by a recalculation of the probability of battery failure by treating it as a failure on demand. Dr. Parry's other comments concerned details of the human reliability analysis and the evolution of the accident sequences.

These were resolved in discussions with Dr. Parry and changes were made as appropriate to the analysis and this report.

Dr. Parry concurred that there will be no significant difference between the common-cause data used in this study and that derived using the methodology presented in NUREG/CR-4780, "Procedures for Treating Common-Cause Failures in Safety and Reliability Studies."

Dr. Swain's comments addressed the derivation of human error probabilities.

His concerns were resolved in discussions with NYPA staff and consultants.

Again, appropriate changes were made to the analyses and this report. He did state, however, that his overall impression was favorable.

In particular, he noted the use of information from simulator exercises and the fact that the use of ASEP HRAP methodology [5] provided a built-in conservatism that would serve to counter any concern as to the levels of dependence and other performance aspects assessed. He was also impressed with the conservatism of the human reliability analysis of pre-accident tasks that is a corollary of the assumption of complete dependence for human errors in performing the same actions on different components in the same system--the assumption that an error in one action would be repeated.

The internal review team's comments largely pertained to details of the analysis and the analysts' interpretation and depiction of systems and sequences of events. Their suggestions were incorporated in this report.

To summarize, the independent review team concluded that the study had been performed in a logical, reasonable, and thorough manner, and that although certain changes were recommended, none of these changes would require a major revision of the analysis or the results obtained.

The recommended changes were examined with the review team and appropriate changes were made to the analysis and the report.

5.3.1.2 Detailed Review Comments on Original IPE

The comments made about the original IPE by each member of the review team will now be summarized together with the response of the authors of the IPE to them.

Herschel Specter (Technical advisor to the Executive Vice President, Nuclear Generation)

The majority of Mr Specter's questions and comments were made to clarify statements made in the draft report:

"....(how can the 10^-8/year cut-off value for sequence development be reconciled with the 10^-9 truncation value, excluding initiating event frequency, used in accident sequence quantification?)..."

The 10^-8 cut-off value for sequence development was applied to sequences in which:

- The probability of the first two or three events (including the initiating event) was <10^-8/year
- Additional failure events with probabilities of 10^-2 or less would have to occur to cause core damage.

Therefore while the 10^-8/year was quoted to curtail discussion of accident sequences in the IPE report, the cut-off value used to stop sequence development was actually 10^-10/year or less. For example, sequences which entail a large LOCA (A) and loss of offsite power occasioned by random failures (B1) start with a probability of 6.73 x 10^-9/year (the product of 10^-4/year (A) and 6.73 x 10^-5 (B1)). Because further events must be included in each sequence to cause core damage and these events have failure probabilities of 10^-2 to 10^-3, sequences containing the events A and B1 were developed no further.

The 10^-9 sequence probability, excluding initiating event frequency, was the value used to truncate sequence quantification in the sequences developed.

"(..the assertion that 'if containment fails before core damage, a greater release of fission products to the environment occurs' is not always true. For example, if the failure occurred in the wetwell air space, the releases would be less than those resulting from drywell failure that occurred after reactor vessel failure)."

The report was modified appropriately.

"...query the validity of certain dominant SBO accident sequences."

These sequences were subsequently reevaluated with an additional emphasis on recovery actions.

"A decision to omit piping ruptures from system models cannot apply to breaks that initiate LOCAs."

A correction was made to the text.

Frank Pesce (Quality Assurance)

While Mr. Pesce and his colleagues found no specific deficiencies in the contents of the report, they did identify programmatic weaknesses in the documentation of internal reviews and the control of changes, software and records. The programmatic weaknesses are based on the assertion that the IPE should be treated as a safety-related document because of its use to support decisions relating to safety. However, the authors of the JAF IPE took the position that without an NRC-mandated formal record program with attendant quality program requirements, the retention of all documents essential to an audit required in Generic Letter 88-20 met all reasonable requirements.¹ Accordingly, no steps were taken to enhance documentation and control of changes, software and records.

George Wilverding (Manager, Nuclear Safety Evaluation)

Mr. Wilverding's comments were essentially editorial in nature.

Verne Childs (Senior Nuclear Licensing Engineer, JAF)

Mr Childs' review focused on the accuracy of the descriptions of systems, their functions, and behavior. For example, he pointed out that:

  • Discharge of reactor coolant through the RHR heat exchanger tube sheet gasket was not a feasible V sequence (interface system LOCA).
  • Success of high pressure coolant injection using RCIC with suction remaining on CST in small break LOCAs implied that RCIC provides reactor make-up during, rather than after, containment venting.
  • The operator may be required to realign loads supplied by the 4.16-kV electric power system during full load testing of the EDGs as well as upon loss of a bus.
  • The double 4.16-kV bus tie/isolation breakers connecting safeguard buses to their non-safety-related normal supplies trip before, rather than upon, closure of the EDG output breakers to prevent EDG overload and to separate the safety-related and nonsafety-related power distribution systems.

¹ These requirements are further detailed in NUREG-1407, "Procedure and Submittal Guidance for the Individual Plant Examination of External Events for Severe Accident Vulnerabilities," Appendix D, Pg D-4, Staff response to Question 1.5.

In addition to the internal peer-review, three outside experts also made a detailed review of a draft of the final IPE report.

Professor Norman C. Rasmussen

Professor Rasmussen summarized his comments by stating that he found the report to be "well laid out and clearly written. The essential information ... seems to all be there." He did, however, pose a number of questions and remark upon specific changes that he felt would be desirable.

Most of these questions and changes were editorial in nature and the text of the IPE report was changed to address them. Other changes and questions were technical.

These changes and questions and their resolution are as follows:

[1] "Use of a 10^-8 cut-off in the event sequences may cause concern unless you can show what is eliminated is much less (than) that what is kept."

As noted in the response to Mr Specter's comment, a cut-off of <10^-10/year was used to curtail sequence development. In event sequence quantification, a sequence probability of 10^-9, excluding initiating event frequency, was used for event sequence truncation. This cut off level ensured that the causes of at least 95 percent of the accident sequence frequency were computed.

[2] "You eliminated floods (as a potential cause or contributor to core damage) but also suggested some changes to the plant to better cope with floods. This seems somewhat inconsistent."

The internal flooding analysis did recommend that additional protection be provided to protect motor control centers BMCC1 (for RCIC) and BMCC2 (for HPCI) from spraying or splashing effects. These motor control centers are close to the stairways in the reactor building. This recommendation was retained as it provides a simple and inexpensive way to eliminate a potential minor contributor to causes of core damage at JAF, regardless of the fact that its risk significance is low.

[3] "A core melt starts at 11 hrs. so it is not clear that electricity recovered in 11 hours will save the day. It seems to me that this may not be conservative... The probability of non-recovery of power is very important in determining (core damage frequency)."

In the dominant sequences initiated by a loss of offsite power, recovery of offsite power was considered--a probability of 0.013 for the non-recovery of LOSP in 13 hours was included for requantification. This time allowed for HPCI failure on battery depletion after 8 hours and core damage after 13 hours. It was assumed that core cooling would be implemented rapidly after power recovery.

Dr. Gareth W. Parry

Dr. Parry in his summary of comments upon the IPE stated that "the project staff are to be complimented on the thoroughness of the analysis which will produce a high quality PRA. Because the team has done such a thorough job, I have relatively few comments to make that would significantly alter the results of the study, although I do feel the core damage frequency is a little low." Dr. Parry divided his comments into four main groups: accident sequence development, parameter estimation, sequence quantification and recovery analysis, and others.

His non-editorial comments and their resolution follow.

Accident Sequence Development

[1] "In the ATWS event trees, the need for blowdown to maintain pool temperature below the HCTL has not been addressed. The significance of depressurization is that it allows low pressure systems to inject. While there is an instruction to secure all injection other than SLC, CRD, and RCIC, if the operators forget a low pressure system such as condensate, they could after blowdown experience a sudden injection of cold water. This may not be a significant effect numerically, so I wouldn't change the trees right now. However, it is worth discussing with training/operations to stress the need to think of the condensate systems. Condensate is picked out because it is (not) a safety system as such, and might be overlooked (and was in the case of one simulator exercise that was observed, although not at JAF)."

Because of the low probability, the need for blowdown and securing a low pressure injection system was not addressed explicitly in the event trees. Furthermore, the Authority contends that the EOPs are clear and that level control procedures will mitigate any failure to secure the condensate system.

Parameter Estimates

[2] "The battery failure rate assumed a mission time model rather than a standby failure rate."

The fault tree model was changed to reflect the use of a standby failure rate.

[3] "The failure rates for the diesel generator... as backed out from the CCF (common-cause failure) rates appear to be very low compared to other assessments (10^-3 for fails to start, and 10^-4 for fails to run). I think you ought to make sure that these are defendable."

The probability of a common-cause failure of four diesel-generators to start was calculated as the product of a probability of 1.15 x 10^-3, the plant-specific independent failure to start probability for a single diesel generator, and a beta factor of 0.038. The common-cause failure probability is therefore 4.37 x 10^-5. The probability of a common-cause failure to start four diesel-generators was calculated with a beta factor of 0.013; the common-cause failure probability is 1.5 x 10^-5. The beta factors were taken from NUREG/CR-4550, Volume 1, Revision 1, Table 6.2-1.

[4] "The CCF analysis, using NUREG-1150 values for the common cause factors, is not a plant specific analysis. While the numbers that result appear in the right ballpark, the way the analysis was done does not give any insight into why CCFs at the plant have such low values. I would strongly recommend that, at some point, the staff should review the data on which these parameter estimates are based... concentrating on failure mechanisms and defenses to enable the project staff to give plant-specific reasons why the CCF probabilities are expected to be low."

This issue is addressed in detail in the response to Item 13. In summary, the basic methodology employed in the common-cause failure analysis was that described in NUREG/CR-4550, Volume 1, Revision 1, Section 6 and is described in the JAF IPE, Volume 1, Section 3.2.3.3. To account for potential common cause failures, redundant components were systematically examined and potential common-cause failures were included in the system models at appropriate levels. Because no JAF plant-specific common-cause failure data were identified, beta factors from NUREG/CR-4550, Table 6.2-1 were used in the development of all common-cause failure probabilities except those for battery failures.

[5] "The use of actual train/component maintenance unavailability rather than using values pooled across the system, gives rise to an unwarranted model asymmetry. What is done in the JAF PRA is not standard PSA practice."

This issue is addressed in detail in the response to Item 8. In summary, if a train is rendered unavailable by the removal from service of certain components or subsystems within the train, then the unavailability of the train occasioned by tests and maintenance can be calculated as the sum of test and maintenance unavailabilities of the components or subsystems.

Estimates of train level unavailabilities occasioned by test and maintenance were based on the daily plant status reports (DSRs) issued at JAF and supplemented by data from the plant logs and the maintenance work order packages. The Authority believes that the use of actual train data is appropriate because these data reflect real differences between trains.

Sequence Quantification and Recovery Analysis

[6] "T1-33 (and others like it). The recovery action identified is recovery of offsite power to re-establish the condensate system as an injection source. Since the principal cutsets are associated with valve failures, manually opening these valves would be a more appropriate recovery action, given that it would take some time to restart the condensate systems."

The possibility of recovery in accident sequences associated with valve failures was re-evaluated with credit taken for the manual opening of valves as a recovery action. This action is described in the JAF IPE, Volume 2, Section E3.3.1.

[7] "There are many ATWS sequences with multiple recovery actions (that).. are treated as being independent... (However), these recovery actions.. are dependent."

The ATWS tree was restructured such that failure to determine the need to inject SLC (event Cl) would preclude any subsequent recovery associated with power control.

[8] "Use of the 10^-8 cutoff on sequences. I'm still a little concerned about losing some contribution to core damage frequency, since with the very large number of basic events, caused by a more detailed decomposition than used in more "standard" PRA component boundaries, the combinatorial factors could mount up."

This concern is addressed in the response to Professor Rasmussen's comment [1].

Miscellaneous Items

[9] "Some sensitivity studies would help. One that was identified was the use of a four hour rather than an eight hour depletion time under SBO conditions. The allocation of a zero probability to the chance of the depletion time being less than eight hours is too optimistic."

Sensitivity studies were performed for station blackout and for human recovery events.

For station blackout, the mean core damage frequency from internal causes is dominated by long-term station blackout sequences.

This frequency was estimated assuming battery depletion in 8 hours and non-recovery of offsite power at 13 hours. To determine the sensitivity of internal core damage frequency to the battery depletion time, two analyses were performed. In these, the core damage frequency resulting from internal causes was recalculated assuming a) 4 hour battery depletion and non-recovery of offsite power at 8 hours and b) 6 hour battery depletion and non-recovery of offsite power at 11 hours. The results of these sensitivity analyses were presented in the JAF IPE, Volume 1, Table 3.3.6.9. It was concluded that the core damage frequency would rise from 1.92 x 10^-6 to 2.56 x 10^-6 /year if 4 hour battery depletion and non-recovery of offsite power at 8 hours were assumed.

[10] "The distributions on certain basic event probabilities produce random samples with values greater than unity. Either use a distribution like beta, or a much smaller error factor to remove this unwanted, and unphysical, figment of the analysis."

The few basic event probabilities with high means and error factor were treated as point estimates in uncertainty analysis to avoid errors.

[11] "The treatment of the battery as a backup to loss of battery chargers in the D.C. fault trees should be looked at again. The mission time for the battery ought to be the average repair time for a charger or, if this time is longer than the depletion time, no credit should be taken."

No credit was taken in SBO sequences for the possible repair of failed battery chargers.

Dr. Alan D. Swain

Dr. Swain's comments focused upon the human reliability assessment.

Dr. Swain stated that his "initial impression is largely favorable... Obviously considerable thought has been given to the influence of potential human errors on the accident sequences evaluated. There seems to be considerably more information about the role of operators in this PRA than in others I have evaluated. One of the most impressive features of the HRA is the use of information from simulator exercises representing a large number of accident sequences analyzed in the PRA."

Dr. Swain also noted that "...the primary HRA method and data bank used are those presented in NUREG/CR-4772, Accident Sequence Evaluation Program Human Reliability Analysis Procedure (ASEP HRAP). The use of this generic procedure is intended to provide more conservatism in an HRA than would be the case were use made of the more analytical methodology and data bank in NUREG/CR-1278, Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications. Thus, even though there might be some uncertainty or disagreement among HRA experts as to levels of dependence and other performance aspects assessed in the JAF PRA, there is built in conservatism, which, in my opinion, is desirable in a risk assessment."

The built-in conservatism associated with the ASEP HRAP is an important aspect of the HRA performed for the JAF IPE as it serves to allay concerns about the human error probabilities (HEPs) used.

Dr. Swain asked many questions and made many comments.

While some of these were essentially editorial or related to problems with traceability or the correction of small errors, others were of more technical import. The latter questions and comments and the Authority's response to them are as follows:[1] "In the Peach Bottom PRA, the published HRA included a reluctance factor of 2 for activation of SLC. In my separate, unpublished HRA I felt this assessment was inappropriate, based on interviews with trainers and operators." In the JAF IPE, the reluctance factor for operation of SLC was based on actual simulator experience and interviews with trainers and operators.

As noted in the JAF IPE, Volume 2, Appendix E, Section E2.1.3, no reluctance to activate SLC was observed.[2] "Use of different crews for calibration of redundant channels is recommended.

Is this policy followed at JAF? Was credit taken for such a policy? Is this explained somewhere?

Reference here to some other section would be helpful." The schedule for the calibration of redundant channels at JAF is designed to ensure that they are calibrated at different times and by different crews. This schedule applies to instrument functional test and calibration of trip units and level and pressure switches, etc. Credit was taken in the IPE for the use of different crews to calibrate redundant channels.[3] "Have operators been training to use the firewater system as described, and does the EOP/AOP include this? Was PRA credit given for this possibility?

In general, I usually take the position that without adequate practice of operator recovery functions, there should be no credit given in the PRA. I hope this is covered elsewhere in the report." The operators have been trained to use the fire water system to inject water into the core through the RHRSW A header as described in OP-13. This notwithstanding, no credit was taken in the JAF IPE for use of the firewater system.

[4] "Do system responses include human performance?

I note that human performance rarely appears in the system event trees beginning on p 3-15. This could be a cause for some criticism of the PRA. The tendency now is to put important operator terms into the system event trees, as was done in the Grand Gulf PRA. Perhaps the document could state a few words on this point about how human performance has been incorporated into the event trees. Perhaps the absence of human performance terms is more apparent than real." The event trees were modified to include human actions.

[5] "Observations (on the performance of the various operating crews) are very useful in a qualitative sense and can be used as a basis to lower or raise the tabled HEPs in the ASEP HRAP. If this is what was done, some detailed description of such adjustments should be made so that it can be evaluated, i.e., so that what was done is traceable.

One need not apologize for using such qualitative information to adjust estimated HEPs, but the procedure for doing so should be described." No specific rules were generated to apply these observations.

Rather, observations were made to ensure that there were no deficiencies that would undermine the determination of HEPs. While the quality of the crews demonstrated in simulator exercises provides a strong basis for the HEPs derived using ASEP HRAP, the findings based on observations of their behavior in simulator exercises were used conservatively.

[6] "Section 3.3.3.5, Pre-Accident HRA Results and associated tables: Traceability is inadequate at this point in the document.

Where is the source, e.g., ASEP table number and item number? I think this should go in the table, as was done in the Grand Gulf HRA. There is no way I can evaluate these estimated HEPs without further information.

Perhaps this information comes later in the report. If so, reference in Section 3.3.3.5 should be made to the appropriate place. (As I later discovered, the HRA document does not include this necessary information.)" A new table for the pre-accident results was constructed and an introduction describing the table was provided for Section 3.3.3.5. Subsequently, Dr. Swain wrote "I did review each HEP calculation, assuming that the claims for recovery factors and the number of activities assessed were indeed correct, and that these claims can be substantiated in a clearer and more detailed description of the underlying human activities for the task assessed.

I found each arithmetic calculation to be correct, but I emphasize this is only a check on the arithmetic."

[7] "HEP (for miscalibration of steam line high flow transmitters) is questionable.

There appear to be some possible misapplications of the pre-accident assessment rules from the ASEP HRAP. If the following problems are only the result of inadequate written communication, and the assessment of recovery factors and number of critical actions is correct, then the assessed HEP is OK. At the very least, considerably more explanation is needed.

a. Under "ACTIVITIES," it looks like Activity C has two critical actions while Activity D has a different two critical actions. Isn't it true that any one or more of the four "adjustments" would be considered a failure? If so, the equation for the NHEP for 23DPT-76 would have a multiplier of 4 rather than 2, an increase in NHEP by a factor of 2.

b. The terms used in Activities C and D confuse me: "adjust zero adjust," "adjust zero," and "adjust span adjust," which is used twice.

c. Under "DEPENDENCY," item (1) implies to me that Activity C applies to one component (e.g., 23DPT-76) while Activity D applies to the other component (e.g., 23DPT-77).

But in item (2) it states that there is only one component.

Very confusing language.

d. Under "RECOVERY," para 1 appears to be claiming too many recovery factors.

1) First, there is no description of the activity involved in Step 5.3.3.4 or in Step 5.4.3.4 which are supposed to "verify" that the two separate steps in Activity C and the two steps in Activity D were carried out correctly.

What does "verify" mean? Is some kind of real test conducted, or does the original performer just look at some displays to see what the values are? I do not give any recovery credit for one person checking his own activities unless these checking activities are separated from the original activities in both time and space. I would need more description of what takes place before allowing any credit at all.

2) Second, even if it were valid to allow credit for Optimum Condition #2 (the PC test), it does not seem correct to also allow credit for Optimum Condition #3. This smacks of double credit, in my opinion. Also it does appear that the "different time and place" requirement of T5-1 #4c(2) is not met. In short, I fail to see any rationale for any recovery credit from Optimum Conditions #2 and #3. Obviously, some clarification is needed here.

e. Paragraph 3 under "RECOVERY," claims credit for a daily check (Optimum Condition #4). No mention is made of the use of a written checkoff list per T5-1 #4d. If such a list were used for all daily checks, this information could be stated once in the introductory information related to the pre-accident HRA. Based on oral information from Ms. Drouin, I shall assume that a written checkoff list is used.

f. If Optimum Condition #3 is not correct, but Optimum Conditions #2 and #4 are correct, the result is Case IX in T5-3. For this case, the HEP would be identical to the HEP assessed.

If only Optimum Condition #4 is correct, the HEP would have to be increased.
g. It would be helpful to a reviewer to include the correct Case number from ASEP HRAP Table 5-3 in the section on "RECOVERY" in the HRA for each HEP."

The Authority's response to each item raised is as follows:

a. In both cases the tasks are highly related and constitute one step in the written procedures. Thus, complete dependence was assumed.

b. This terminology is used in the procedure.

c. The activities apply to each of the components.

d. 1. Admittedly this was confusing, but the post-calibration check is an actual calibration test directed by the procedure.
2. The verification task ensures that the restoration of the component is complete and it is checked-off (written check list) by a second individual. In addition, there are several indicators in the control room that must clear after restoration and these are also checked.

e. A written check-off list is used.

f. The HEP is correct.

g. RFs applied to each step or component were included in tables.

Finally, Dr. Swain noted that "The equation for the total NHEP in which any error on the calibration of one component is assumed to carry over to the second component provides conservatism, which many reviewers would find laudable."

[8] "Are the JAF ROs (reactor operators) required to memorize the entry conditions for the 10 JAF EOPs? If so, how often are they tested to ensure that they really have memorized the entry conditions?

I note that the first entry in Table 3.3.3.2 assesses a negligible <1E-5 HEP for entering the wrong EOP. Required memorization and frequent testing could provide a rationale for this HEP. Otherwise, why should a reviewer believe the <1E-5?" Operators at JAF are required to memorize the entry conditions to the EOPs and practice them at least monthly during simulator exercises.

[9] "Another concern is the appearance of an arbitrary use of a factor of 5 or a factor of 10 reduction in the nominal HEPs obtained through use of the methodology and data base in NUREG/CR-4772, Accident Sequence Evaluation Program Human Reliability Analysis Procedure (ASEP HRAP). There are two points to be made here. First, insufficient rationale was sometimes provided to justify a reduction in the nominal HEP. Second, the ASEP HRAP itself provides for use of lower bounds of nominal HEPs if sufficient justification is provided." While not strictly in keeping with the ASEP HRAP methodology, reduction of nominal HEPs by factors of 5 or 10 was not arbitrary.

Lower bound values and recovery credits in the ASEP HRAP methodology generally result in reductions by factors of 5 or 10. In situations where the HEPs generated with ASEP HRAP resulted in values that seemed overly conservative given the circumstances in which the human action is expected to occur, judgement was used to determine the reduction factor. Reductions were based on such aspects as the simplicity of accident conditions, quality of the EOPs with regard to the accident conditions, operator training and familiarity with the accident scenario, the decision and response time available, criticality of the action under consideration, and crew performance during simulator exercises.

These issues were addressed in the introduction to Appendix E of the JAF IPE, Volume 2, and each reduction was explicitly justified at the appropriate place in the text.

[10] "Another concern was inappropriate use of Table 8-5 in the ASEP HRAP. In several cases, seemingly independent (or at least not fully dependent) human actions were assessed as the equivalent of one action, and a single HEP was assessed for the entire set of actions. This simplification could lead to optimistic estimates of critical HEPs. This problem is mitigated to some extent by the fact that the generic HEPs in Table 8-5 are deliberately conservative.

Part of this problem, at least for me as the reviewer, was the lack of sufficient documentation, especially drawings, information on specific training and practice provisions of critical tasks, minimum control room staffing and estimated times of arrival of other personnel after the initiation of some accident sequence, and so on, as described more fully in the attachment to this letter. Ms. Drouin and her staff will make a more detailed evaluation of what does constitute a set of completely dependent actions, and re-assess the resultant HEPs accordingly.

We went over a few of the operator actions involved, and it was apparent to me that some grouping of actions would indeed be appropriate.

It would also be most inappropriate, and grossly pessimistic, to consider each action to be completely independent, and assign a nominal ASEP HEP of 2E-2 to each such action." The resolution of what constitutes a completely dependent set of actions is not easy. The approach taken in the JAF IPE was to group actions and consider them dependent if the actions were "spelled out" in a logical sequence in a written procedure and if the actions were to be carried out to achieve a single goal. Other factors considered in determining whether complete dependence existed in a set of actions were whether operators will double check the procedural actions, the simplicity of the actions and procedure being followed, the time available, and the apparent understanding of the procedure demonstrated by the operators during the plant walkthroughs.

During discussions with Dr. Swain, agreement was not always reached concerning which actions should be considered dependent.

Where disagreements existed, justification for our position was provided in the JAF IPE.

[11] "The treatment of error factors (EFs) is not that recommended in NUREG/CR-4772, the ASEP HRAP. It is stated that "In general, if the desired HEP was a composite of several HEPs, the error factor selected was that associated with the dominant HEP." The ASEP HRAP provides a computer program for propagating the error bounds through an HRA event tree consisting of more than one HEP. The JAF method would result in a final EF that would be smaller than the EF derived by propagating the EF associated with each HEP in some set of actions. Frankly, this does not really bother me, as I think too much has been made of error bounds. Given the generic nature of the HEPs in the ASEP HRAP, the associated EFs are not to be considered accurate estimates.

In my work in HRA I preferred merely to use the median HEPs. With the data available for estimating HEPs, the careful statistical treatment of EFs provides verisimilitude that is most inappropriate." Final EFs were determined as described in the text. The Authority agrees with Dr. Swain's comments regarding EFs and chose not to use the computer program for propagating error bounds.

[12] "E2.1.2: I cannot tell from the document which operator is involved and what and where the displays are located. SAIC information indicates the RO is normally near Panel 09-5. I agree that "failure to diagnose" can be ignored. However, if NUREG/CR-4772 is being used as the HRA procedure and data base, rather than <1E-5 for failing to verify and initiate ARI and RPT and to override ADS, it would be more appropriate to assess the HEP for these immediate actions from T8-1 #9f and T8-5 #10 (my shorthand notation for Table 8-1, item #9f, and Table 8-5, item #10), and use 1E-3 as the nominal HEP. Then if one can justify (in the document) the use of the lower bound, the revised HEP would be 1E-4. In general, if one is using the ASEP HRA Procedure, rather than simply make some untabled (sic) estimate, it is preferable to refer to some ASEP HRAP table and item number and make appropriate adjustments from that starting point." In the JAF IPE, Volume 2, Appendix E, it was noted that when an HEP was determined to be negligible, it was assigned a value of "<10^-5" and the "<" sign was dropped for systems analysis purposes.

ASEP HRAP allows the assignment of "negligible" HEPs in some circumstances, e.g., Table 8-1, item g. A negligible probability of failure is traditionally assigned a value of 10^-5 and the differences in "negligible" do not seem critical.

Thus, the values were not changed.

[13] "E2.2.5.2:

I assume that AOP-37 has each of the steps in this lengthy procedure fully documented.

If not, the assumption of a step-by-step task would be inappropriate.

The taking of time measurements in a simulation of the task is obviously far superior to taking someone's time estimates.

My problem here is the assessment of just one HEP for the entire task consisting of many apparently critical actions. I see many opportunities for errors of omission.

If the task is not practiced, errors of commission could also occur. Without more familiarity with this task, all I can say is that I believe the assignment of a single HEP for all the critical actions taken together is probably too optimistic.

I cannot agree with the HEP. Note the first footnote in T8-5 which states, "The HEPs are for independent actions or independent sets of actions in which the actions making up the set can be judged to be completely dependent..." The assessment of one HEP is equivalent to saying that if one of the many actions is done, the others will all be done. To me, this is not credible.

I would probably not think it reasonable to assess a .02 HEP for each critical action; there are bound to be some RFs and dependencies.

But with the information I have, I cannot make a realistic assessment." The Authority elected to stay with the assumption that all the actions were dependent.

The general reasons for making such an assumption are described in item [10] above. Furthermore, while the times listed for task performance in the report are single operator times, a second operator would be double checking the performance and could assist in carrying out the actions. In addition, a maintenance crew would also be available.

Given that the steps are clearly spelled out in the procedure and the fact that during the plant walkthroughs a reactor operator who had only been licensed for two days was found to be completely familiar with the procedure, it was felt that complete dependence was justified.


[14] "E2.3.5.1: Following is my original evaluation, which was based in part on a misunderstanding of the accident sequence: "It is difficult for me to try to evaluate the level of stress involved if things get so bad that depressurization is required.

Obviously, the analysts assumed only a moderately-high stress level. I think more justification is needed for that assessment, especially in view of the use of the lower bound diagnosis HEPs assessed.

My strong impression is that the assessment is unduly optimistic." My misunderstanding indicates that further information and justification is needed in the text. Mary Drouin pointed out that long before Emergency Depressurization would be required, the crew would have been trying to maintain level with all systems available.

And with the accident sequences being assessed, the need for rapid, full emergency depressurization would not likely occur. I think this could be made clearer in both Figure E2.15 (p E-47) and in the related text. It seems to me that two analyses could be made to assess: (1) the probability that the full-scale, rapid depressurization would have to be done, and (2) given (1), the probability that it would not be accomplished.

Moderately-high stress would be appropriate to (1), and extremely-high stress might well be appropriate to (2). Regardless of what is done, I still find no good justification for using the lower bound HEPs from Figure 8-1 in the ASEP HRAP." The Authority contends that all operators are particularly aware of the fact that they must depressurize to use the low pressure systems. In addition, they are trained extensively to do this when the appropriate situation arises. Thus, the lower bound was felt to be appropriate.

[15] "E3.3.1.1: I disagree with the first sentence.

To me, this is analogous to a statement made by an NRC person at a meeting of HRA specialists.

He stated unequivocally that it does not matter how many annunciators are screaming for the operators' attention.

He believed that the operators will simply ignore those that are not relevant to the situation and concentrate on those that are relevant.

Para 1 in E3.3.1.1 explains away all problems.

I find it not to be a credible statement.

If we are talking about a large LOCA, remember that an extremely-high stress level is assessed from t = 0. In discussions with Mary Drouin, she strongly believes that my assessment of extremely-high stress for a Large LOCA is no longer appropriate so many years after WASH-1400.

This is obviously a judgment call. I prefer to stick with the extremely-high stress assessment.

A large LOCA is never, I repeat, never anticipated. "It just cannot happen here." In my judgment, the incredulity effect will be great." The Authority believes that there are enough cues available for the crew to determine that a problem exists. Our experience with operating crews is that they attempt to diagnose problems and in this situation there are simple cues available and 50 minutes are available for the diagnosis.

Furthermore, extremely high stress was assessed for the LOCA case.

[16] "E3.4.1.2:

The nominal HEP of .02 seems OK, but the factor of 10 reduction is not adequately justified.

At the most, from the description of skill levels involved in this task, only a factor of 5 reduction can be assessed per the ASEP HRAP." This is clearly a matter of judgement.

However, given the simplicity of the task and the training the operators receive to make sure the task is accomplished, the reduction of 10 was felt to be appropriate.

[17] "E3.6.1.1: The argument seems reasonable, but the diagnosis median HEP for 660 minutes in F8-1 is about 2E-5 rather than 1E-5." Dr. Swain is correct. The HEP was changed.

[18] "E3.6.1.2:

The assessment of task type and stress level seem appropriate, but the use of a single HEP for the combination of several actions is not given an adequate rationale.

Read the first footnote in T8-5." This task requires the operator to open or close a valve or breaker. With only one or two things to do, dependence seems appropriate.

In addition, with up to 11 hours available, there is likely to be plenty of time to recognize any problems.

However, because the actions are performed outside the control room, no credit was given for a second check. Accordingly, the 0.02 value used is conservative.

Finally, in summarizing the technical findings and recommendations made in the peer-review process, it should be noted that all members of the review team stated that they did not expect any of these comments to result in a major change to the predictions and conclusions of the JAF IPE.

5.3.2 Comments on Updated IPE (Rev. 1)

5.3.2.1 Summary of Comments on Updated IPE

The consensus of the reviewers was that the report was technically sound. Mr. Bertucio had no major technical comments about systems analysis.

He did, however, have specific comments and questions about the results of the quantification.

In reviewing the human reliability analysis, Mr. Julius concluded that the "application of the ASEP HRA methodology for identification and quantification of individual human error probabilities is consistent and sound and meets the IPE guidelines." Dr. Fulford concluded that "the approach (used in the containment performance analysis) was reasonable and would provide the information needed, that is I concur with the NRC SER finding (that the IPE met the intent of GL88-20)." In both the original IPE and this update, the internal review team's comments largely pertained to details of the analysis and the analysts' interpretation and depiction of systems and sequences of events. Their suggestions were incorporated in the reports.

To summarize, the independent review team concluded that the study had been performed in a logical, reasonable, and thorough manner and that although certain changes were recommended, none of these changes would require a major revision of the analysis or the results obtained.

The recommended changes were examined with the review team and appropriate changes were made to the analysis and the report.

5.3.2.2 Detailed Review Comments on Updated IPE

The comments made about the updated IPE by each reviewer team will now be summarized together with the response of the authors of the IPE to them.

Mr. Robert Bertucio

Mr. Bertucio reviewed both the event tree and systems analyses and the results. His non-editorial comments and their resolution follow.

Event Trees

[1] It is not obvious what you do with CV (core vulnerable) sequences and undeveloped sequences.

Sequences that are labeled as being 'undeveloped' are those that have a frequency of 10^-10/ry or less and that require additional failures for core damage to occur. Sequences that result in a vulnerable core were developed to core damage only when their frequency exceeds 10^-10/ry.

[2] It is not obvious what you do with the CtF and CtV sequences and the amount of feedback between the Level II and Level I (analyses).

CtF sequences are those in which containment failure occurs prior to core damage. CtV sequences are those in which core damage occurs at a time at which the containment has not failed. For such sequences, the potential for containment failure always exists. CtF and CtV sequences are addressed in the plant damage state binning process in which Question 10 asks about the containment state prior to core damage.

[3] The PDS write-up implies you may need to bin sequences on a cut-set basis. If true, it must be a computerized sort because you could never control the QA of hand binning all cut sets. If this is not true, then you need to make sure the PDS categories are compatible with sequence end states.

Sequences were binned by examining cut sets that contribute to the top 95 percent of all causes of core damage. The process is tedious but quite feasible.

Systems Analysis

[4] There are several places (in which) you make statements about the methodology or scope of investigation ... but then state that you dismissed some of the issues that you previously implied you were going to include .... I would rather you stated the disposition of these things and less on the intended scope and methods. For example, several times you say "CCDF was investigated or examined." This statement begs the question, did you include them or not. It does not appear that they were always included. I suggest you anticipate these questions and state what you included and what you omitted.

The offending passages were clarified.

In particular, where mention is made of common-cause failures, it is now explicitly stated that they were modeled.

[5] For MSIVs you omitted CCF's due to instrument air contamination, for no stated reason.

Should contamination of the instrument air supply by excessive moisture or corrosion products occur, it will result in failures for supported end users. Therefore, any such contamination will be reflected in elevated plant-specific failure rates used for the instrument air system. The statement that implied that instrument air contamination was not addressed in any way has been deleted.

[6] On all modes of the RHR pumps, the success criteria imply that an RHR pump can only do one mode of operation at once - CS or LPCI or SPC. Most PRA's don't require this because it means you need two RHR pumps, unless you have analysis to show how long you can terminate injection to the vessel without causing core damage.

We do not agree that the event tree system success criteria imply that an RHR pump can only support one mode of operation at a time. On the contrary, the criteria and models do not allow for the possibility that the capacity of available RHR pumps will be inadequate to support more than one mode of operation.

This slight non-conservatism was introduced for modeling simplicity and has a minimal effect on quantification as the dominant failure modes for the RHR system in its various modes of operation are associated with the low-pressure interlocks rather than with the pumps.

Results of Quantification

[7] Why does A-45 only apply to TW sequences?

Why doesn't (T2-39) fall under the A-45 domain? (T2-39), sequence rank #1 - core damage occurs because you can not remove sufficient decay heat from the core. Why isn't that A-45?

T2-39 is an accident sequence in which there is a failure to depressurize after high-pressure injection systems fail. Though the usual low-pressure decay heat removal systems may be available, we cannot depressurize to take advantage of them. Unresolved Safety Issue A-45 essentially addresses the adequacy of long-term decay heat removal (and thus for JAF the reliability and adequacy of the RHR system). Thus the characterization of T2-39 as a decay heat removal concern is not useful as almost all sequences that result in core damage do so because of an inability to remove decay heat.

[8] Where is the SBO cut set that says T1 *BA T-CM. Recovery is not possible.

Where is this one hidden?

This cut set (reflecting a loss-of-offsite power and the common-cause failure of the batteries) ranks 15th overall and thus is not listed in the text. It is the top cut set of sequence T1-38-TB-5 in which all injection is lost following an SBO. The frequency of the cut set is 2.41 x 10^-8/ry (the T1 initiating frequency is 0.027/ry; the probability of the common-cause failure--DC1-CCF-HW-BATTS--is 8.92 x 10^-7).

Mr. Jeff Julius

Mr. Julius's comments focused upon the human reliability assessment.

Mr. Julius divided his comments into three groups: general comments, pre-accident human error probabilities and post-accident human error probabilities.

His non-editorial comments and their resolution follow.

General Comments

[1] The summary write-up in Section 3.3.3 discusses quantification of individual human error probabilities and does not describe how these were integrated into the sequence quantification.

Was a screening quantification done? What truncation was used in sequence quantification?

Individual human error probabilities were integrated into sequence quantification as follows. Pre-accident human error was, in all cases, modeled explicitly in fault trees. Human error in post-accident response actions was for the most part modeled in fault trees though, if human error dominated equipment failure as a cause of failure to complete the response action, it might also be modeled in the event tree. In contrast, recovery actions were applied to dominant cut sets where appropriate.

In all cases, human error probabilities were obtained from detailed calculations.

Therefore, no screening calculations were performed to eliminate human error from the models and cut sets: such screening as was done was employed only to restrict the consideration of recovery actions to dominant sequences.

The truncation value used in event tree quantification was a frequency of 10^-11/ry. The text of Section 3.3 was changed to clarify the issues raised in this comment.

[2] References are needed for the timing estimates listed in Appendix E. When the write-up says there is a 45-minute time window, what is the source?

The estimates for the times in which post-accident recovery and response actions must be taken were derived from thermal-hydraulic calculations.

[3] The lower bound value was used instead of the normal value for most of the quantification.

Was the impact of this assumption checked in a sensitivity study?

The impact of this assumption was checked by calculating importance measures for human error as well as mechanical failures, etc. These important calculations are discussed and the results presented in Sections 3.3.5 and 3.3.6.

[4] The general write-up for Appendix E.1.1 should note that the diagnosis is modeled in two pieces, one general piece for failure to enter the EOPs and one for failure to diagnose the need for each specific action.

This distinction was not made here as a failure to enter the EOPs was assigned a negligible probability.

[5] In Section E2.3.5, the quantification of Xl is non-conservative (because of an inconsistent treatment of the impact of recovery).

An error was fixed. It had no impact on the results of sequence quantification.

[6] (In) the seal leak write-up, E3.4.1, it is not clear that the sump indication is sufficient to complete the diagnosis.

Is there one sump per pump or does the procedure isolate all pumps on the sump alarm?

The section was reworded as follows: "The operator is alerted to seal problems by annunciator and meter indication on panel 09-4 in the control room: seal cavity pressure indication and outer seal leakage high flow and seal staging high/low flow annunciators are provided."

[7] (In) Section E3.6, it is not clear whether this recovery is of a Type A operator action [a pre-accident human error] (which I think it is) or of a T&M basic event (which may not be recoverable).

I believe the recovery would apply to the test fraction of the T&M but this would have to be evaluated on a plant specific basis.

Section E3.6 addresses the recovery of specific misaligned components, i.e., the rectification of specific pre-accident human errors.

[8] Dependencies in E4.1. Was the event HEPEOP modeled as a common term in each HEP such that 1E-5 is the combined HEP? The write-up discusses dependencies with C3 but the text says this is for MSIVs closed and not open, that C1 is for MSIVs open. For Q1X-T and Cl-T-d it appears that the operator must diagnose the need for boron injection and then, if it fails, override the MSIV isolation within 2 minutes. It appears non-conservative to use a 0.4 conditional probability in this case. If it is C3, with MSIVs closed, a 45-minute time window exists for C3 (producing a diagnostic HEP of 1.4E-3 which is too low if the time window is really 2 minutes as indicated).

Regarding the dependence between operator actions C3 and Q1X-T, the quantification does indeed assume that if the operators fail to diagnose the need for boron injection, that they will also fail to diagnose the need to override MSIV isolation. Therefore, 0.4 conditional probability is correct.

The event HEPEOP represents a common failure to enter any or all of the pertinent EOPs. As such its probability should provide a minimum HEP. However, two points can be made about such a minimum. First, the probability of HEPEOP is not 10^-5 but rather <10^-5. Secondly, a review of combined HEPs shows only one to have a probability of <10^-5. This event is described in Section E4.5.5 and is justified by operator training and the long time available to perform the action.

Dr. Robert Fulford

Dr. Fulford's comments focused upon the containment performance analysis.

[1] It is my impression that the phenomenological material has remained as in the original submittal and has not been significantly updated. In any event, there is not a section providing a technical review of the state-of-the-art for advances since the original analysis.

This would be a useful adjunct for the Severe Accident Management Guideline implementation which requires that state-of-the-art information be incorporated.

Dr. Fulford is correct in his impression that in this update containment performance phenomena are addressed in a manner similar to how they were addressed in the original IPE. Updating the methodology and the treatment of containment performance phenomena would be a major undertaking and as such has been deferred to the next update.

[2] The number of plant damage states has increased since the original submittal.

This leads to a better delineation of the spectrum of results, though four of the states contribute less than a percent of the total frequency.

The results are presented on the basis of plant damage states. It would be helpful if these would be aggregated to an overall plant basis. Given that the CET quantification basis (split fractions) has remained as in the original IPE, the outcomes should be similar to the original submittals save for the different PDS spectrum and different frequencies.

The change in answers is then driven primarily by the updated changes in the Level 1 analysis and there is no reason to expect that the reasonableness and completeness of the results is significantly different from the original submittal as reviewed (by the NRC).

[3] The EVNTRE format produces results that are difficult to interpret and manipulate.

For a living PRA, consideration should be given to transferring to a model platform that could more readily support plant day-to-day operations.

With the transition to the CAFTA based containment event tree model, the JAF revision 2 Level 2 is capable of addressing plant day-to-day operation questions regarding containment performance issues.

5.3.3 BWROG PSA Peer Review Certification

5.3.3.1.1 Summary of Comments from the BWROG PSA Peer Review Certification

The BWROG PSA peer review certification team consisted of two consultants from ERIN Engineering and Research, a member from GE Nuclear Energy and 3 members from the Utility Industry:

  • Dr. Edward T. Burns, consultant from ERIN Engineering and Research. Dr. Burns reviewed the thermal hydraulic, structural, human reliability, and containment performance analyses as well as examining accident sequence evaluation and quantification results.
  • Mr. Vincent M. Anderson, consultant from ERIN Engineering and Research. Mr. Anderson reviewed human reliability, dependency, structural, containment performance, and data analyses as well as examining quantification results, initiating events and accident sequence evaluation.
  • Mr. Srinivasa Visweswaran, member of the GE Nuclear Energy Division. Mr. Visweswaran reviewed systems, data, human reliability, dependency, structural, and containment performance analyses as well as examining quantification results, maintenance and update process, initiating events, and accident sequence evaluation.
  • Mr. Robert F. Kirchner, member of the Niagara Mohawk Power Corporation. Mr. Kirchner reviewed systems and thermal hydraulic analyses as well as examining accident sequence evaluation and quantification results.
  • Ms. Victoria A. Warren, member of the PECO Energy Company. Ms. Warren reviewed systems, dependency and containment performance analyses as well as examining initiating events and accident sequence evaluation.
  • Mr. Wei He, member of the Public Service Electric and Gas Company. Mr. He reviewed systems, data, and dependency as well as examining quantification results, maintenance and update process, initiating events, and accident sequence evaluation.

NYPA staff began preparation for the BWROG PSA peer review certification process with the mailing of relevant documents to the certification team before their scheduled visit. The team visited the Authority's main office in White Plains for a duration of one week from December 8 to 12, 1997. Upon their arrival, NYPA staff conducted a presentation describing their IPE methodology and process to the reviewers.

During the course of the week the team evaluated eleven key process elements: initiating events (IE), systems analysis (SY), thermal hydraulics analysis (TH), data analysis (DA), dependency analysis (DE), human reliability analysis (HR), accident sequence evaluation (AS), quantification and results interpretation (QU), structural response (ST), containment performance analysis (L2), and maintenance and update process (MU).

The process evaluation consisted of the following:

  • development of insights in the form of facts and observations
  • determination of the IPE's applicability
  • depth of model, guidance and documentation, and technical bases
  • examination of the overall strengths and weaknesses of the IPE.

The main purpose of the review was to summarize all facts and observations of the draft JAF IPE Rev 1 and provide this information to the NYPA staff. Once the review ended the team proceeded to send their insights and information to the Power Authority.

The insights were categorized by their respective key elements and assigned a level of significance (Table 5.3.3.1). Furthermore, the team provided a possible resolution and a space for any response.

Table 5.3.3.1 Levels of Significance Used in the Peer Review Certification Process

Importance Level and Definition

A. Extremely important and necessary to address to assure the technical adequacy of the PSA or the quality of the PSA process (Contingent Item for Certification).

B. Important and necessary to address, but may be deferred until the next PSA update (Contingent Item for Certification).

C. Marginal importance, but considered desirable to maintain maximum flexibility in PSA applications and consistency in the industry.

D. Editorial or minor technical items left to the discretion of the host utility.

S. Considered a major strength of the PSA.

The following is a brief summary overview of the results of the BWROG peer review certification of the JAFNPP PSA.

PSA ELEMENTS:

All of the PSA elements identified as part of the certification process are included in the JAFNPP PSA. In terms of the overall assessment of each element, all were consistently graded as sufficient to support meaningful rankings for the assessment of systems, structures, and components, when combined with deterministic insights (i.e., a blended approach), and all elements are judged fully capable of supporting absolute risk determination to support Grade 3 applications when the footnoted items are performed.

INITIATING EVENTS (IE): The development of initiating events and their integration into the model is good and consistent with industry practices.

The guidance and documentation of the initiating event analysis is generally thorough.

The grouping of categories, screening of special initiators, and calculation of transient frequencies is adequate for an IPE type study, but would be substantially strengthened if the following enhancements are included for use in the risk informed decision making environment.

The key recommended enhancements are to: (1) Include the RPV Rupture and Manual Shutdown initiators and quantify with event trees; (2) Separate out the Loss of Instrument Air and Loss of SW initiators from the broader categories and quantify separately; (3) Assess the ISLOCA initiator using the NSAC-154 (or equivalent) approach; (4) Collect JAFNPP transient event data to power levels much lower than 85% (e.g., 10-25%) and include in the initiating event frequency calculation.

ACCIDENT SEQUENCE EVALUATION (Event Trees) (AS): The JAFNPP model is comprehensive and in general covers the spectrum of potential risk significant sequences identified for BWRs. The level of detail in the model demonstrates that there has been a substantial amount of effort to investigate plant unique features.

The HRA, system analysis, and data evaluation are well integrated into the model. The accident sequences are defined via a structured approach.

Based upon these reviews, a solid level of accuracy has been achieved.

Specific sequences may have issues related to their technical realism but, in general, the model is robust and comprehensive.

Examples of items that could be improved include the following:

  • support system initiators were grouped with transient initiators without complete accounting of dependencies
  • safety functions appear to be missing from the event trees (i.e., vapor suppression)
  • some credited success paths appear unrealistic

The event trees generally reflect the accident sequence success criteria accurately.

THERMAL HYDRAULIC ANALYSIS (TH): The JAFNPP PSA generally relies on applicable best estimate generic calculations to support success criteria. An area of potential enhancement was to provide more specific references to success criteria supporting calculations for ATWS. In addition, the times to core damage need to be reevaluated based on 2200°F or RPV water level at 1/3 core height, not a temperature of 4000°F. In addition, no parameter file calculation has been documented and presented to the certification team. Typically a calculation is prepared to describe the source of all parameters included in the model. This calculation shows the source of the information, any necessary unit conversion, and any manipulation necessary to maintain consistency with computer code requirements.

Further, the MARCH or BWSAR codes may be less useful in the future than other more standard codes. The overall process is judged adequate to support vulnerability assessment and is adequate for ranking type applications.

It is judged that additional effort may be useful in the T/H area to support more demanding applications involving absolute risk determination.

The overall process can be supportive of Grade 3 applications when the enhancements are included.

SYSTEMS ANALYSIS (Fault Trees) (SY): The list of systems modeled is complete.

The fault tree models and system notebooks are a strength of the JAFNPP PSA study. The systems analysis is thorough and comprehensive particularly in the instrumentation and electrical evaluation.

This system analysis fully supports Grade 3 applications.

DATA (DA): There is an extensive plant specific data collection effort. The following enhancements are believed important for the PSA model to reflect the plant: (1) fully document and provide basis for significant deviations from generic values, (2) electrical and instrument component CCF should be included in the CCF evaluation, (3) the failure modes should match with the Beta, (4) the raw data process should be transparent for future reference and validation, (5) the CCF analysis could be expanded to (a) include components matched with other BWR PSAs, and (b) include analysis of cutsets to find identical failures within a cutset.

HUMAN RELIABILITY ANALYSIS (HR): The documentation of the calculation of HEP values is excellent.

Processes are generally clearly defined. Tabulations of post-initiating event action steps, timings, and HEP contributions are a strength.

HEPs are well summarized in tables and screening or sensitivity print-outs.

The analysis is a mix of screening and realistic assessments.

Quantified estimates have been revised in certain cases using the Cause-Based method, otherwise HEPs are primarily based on ASEP. Post-initiator actions have been identified and documented.

The HRA calculations are supported by simulator studies, thermal hydraulic analyses that estimate time available, walkdowns, and reviews of EOPs. The calculations are reproducible with the information provided in the PSA. Significant effort has gone into removing the conservatisms in the ASEP HRA values. However, certain operator response probabilities such as those for alternate boron injection and local LPCI injection valve operation are significantly more optimistic than industry methods support. Time available for operator action used in the HRA could be overestimated based on the definition of time to core damage. Dependencies among operator actions in the same cutset should be considered.

DEPENDENCIES (DE): Overall, dependencies were generally treated well and support Grade 2 applications with correction of the specific issues related to common cause failure. The common cause analysis covers the common mechanical groups normally seen in a PSA. There are substantially fewer electrical common cause events seen in the model than mechanical.

STRUCTURAL RESPONSE (ST): A plant specific evaluation of the capacity for low pressure piping to withstand the pressure transient from an interfacing systems LOCA condition was not performed as part of the analysis. Containment capability assessment is addressed in the PSA by a scoping study performed by CB&I comparing the JAFNPP Mark I containment structure with the detailed model developed by CB&I for the Peach Bottom Mark I. This is considered adequate for applications with the exception of the high temperature assessment of the personnel hatch, equipment hatch and the CRD hatch. In addition, neither analysis addressed off-normal hydrodynamic loads and their impact on torus failure. Note that different conditional failure probabilities and failure locations are used in Level 1 versus Level 2 for the same or similar types of challenges.

The existing JAFNPP containment structural analysis is adequate to support Grade 2 applications.

Incorporation of dynamic and high temperature effects into the analysis, combined with probabilistic treatment of containment failure location would fully support Grade 3 applications.

The basis for determining RPV integrity was not identified in the documents reviewed by the certification team.

QUANTIFICATION AND RESULTS INTERPRETATION (QU): Dominant sequences (cutsets) are described in the summary of the results. Existing dominant cutsets make physical sense and appear to have reasonable frequencies.

New dominant cutsets could result from the enhancements to the quantification or other PSA elements. The quantification approach is typical for a model that explicitly employs fault trees and event trees. The results are well-documented.

The model fully supports Grade 3 applications.

CONTAINMENT PERFORMANCE ANALYSIS (L2): There may be a slightly different perspective in the use of PSA for risk informed applications than in the use for identification of vulnerabilities.

The intent is not to be conservative and not to throw away apparent non-contributors from the quantified model. Rather the desire is to provide a broad, robust model for use in applications.

This means accurate importance measures are desirable and the absolute measures should also be robust to support changes. All this argues for inclusion of additional phenomena and actions that are currently screened from quantification.

Because of this and the EVNTRE format there is limited capability to provide an effective review of the results and assumptions.

This is considered a potential area of exposure in terms of usability, justification, and defensibility if the current PSA team expertise was not available to JAFNPP. The end state of Level 1 appears to be different than all BWR PSAs reviewed by the BWROG (13 plants). It would be more consistent to use core damage definitions from the industry PSA Applications Guide. Transfer of information from Level 1 to 2 is generally adequate to provide LERF determination.

Some system status information and failed operator action information that could be important in low frequency sequences is lost in the transfer process. Success criteria are generally adequate in the Level 2 assessment.

Overly conservative assumptions from NUREG-1150 should be avoided (e.g., wet shell melt-through probabilities).

Level 2 does not appear to address degraded plant condition impacts on HEPs and the ability to perform actions such as venting and drywell spray. Containment flooding and RPV venting are EOP specified actions, with potential significant impact on core melt progression, that are not included in the Level 2 assessment.

It may be useful to include quantitatively systems that may be reliable under nominal conditions but may be important under certain plant configurations, e.g., on-line maintenance - containment isolation is an example.

The LERF definition appears to be overly conservative and should be made consistent with the industry position submitted in the PSA Applications Guide. For example:

  • Large is too encompassing at >1% CSI.
  • Early should be based on JAFNPP specific EALs.

Process

The use of the EVNTRE code to perform the Level 2 evaluation has certain characteristics that are useful to periodically reevaluate. These include the following:

  • EVNTRE depends on binning Level 1 end states into 11 plant damage states. These 11 bins do not carry all support system and front line system dependencies into the Level 2 assessment. These can prove important in the assessment of Early High Releases, i.e., water availability.
  • The code is not user friendly; however the current PSA group is able to easily handle the process. As long as there is no turn over of personnel, the Level 2 assessment with EVNTRE can be performed.
  • The degree of sophistication in dependency treatment is very high in the Level 1 PSA but is less specifically treated in the EVNTRE code application.
  • The current EVNTRE model does not include phenomena and nodes that are crucial for future application assessment: RPV vent, containment flood, de-inerted operations, containment isolation.

PSA MAINTENANCE AND UPDATE (MU): A process is in place to perform PSA updates. A review of the PSA is scheduled to be performed every 2 years, with updating as deemed necessary.

Changes to plant configuration and other potential changes to the model are tracked. Re-evaluation of current and revolving applications are well established.

The overall process is sound and well established.

5.3.4 JAF PSA Model Revision 2

The peer review identified zero category A, 92 category B, 73 category C, and 18 category D Facts & Observations (F&Os), and 8 strengths. All the F&Os have been resolved and incorporated in the Revision 2 model. All the F&Os and their responses are documented at the end of this section. Based on the BWROG peer review, the JAFNPP PSA can be effectively used to support Grade 3 applications involving relative risk significance; in addition, absolute risk determination applications can be performed with supporting deterministic analyses.

In addition, the Revision 2 model was reviewed by Entergy Nuclear Systems Analysis Group staff at each stage of development. These reviews focused on the accuracy and consistency of areas of specialized expertise; i.e. fault tree and event tree models, thermal-hydraulic calculations, human reliability analysis, common-cause failures, data analysis, accident sequence quantification, and containment performance analysis.

JAFNPP system engineering reviewed the system analysis sections presented in the draft Revision 2 report and comments were incorporated prior to accident sequence quantification.

Cognizant departments at JAFNPP -- licensing, operations, maintenance, training, planning & scheduling, system engineering and design engineering -- reviewed the final results, insights, and recommendations derived from the study.

During JAFNPP MSPI program implementation, a self-assessment was performed for the supporting requirements (SR) identified in NEI 99-02, Appendix G, Table 4, taking into consideration Appendix B of draft RG 1.200, with particular attention to the notes in Table 4. The self-assessment did not identify any unresolved issues with regard to the ASME Standard elements identified in Table 4 as described above.

Element IE

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 02 & 08

Initiating events at less than 85% full power were not included in calculation. Some events are applicable to the full power model, though they occurred at power level < 85%. The practice could limit the applicable range of the model.

LEVEL OF SIGNIFICANCE: B

POSSIBLE RESOLUTION: Analyze all initiating events to determine if they are applicable to full power model, excluding only events that are not applicable to full power model. Subsequent to the Certification meeting, NYPA identified that the historical experience on initiating events were reviewed and 13 additional initiating events in the T2 and T3A categories were identified. NYPA indicated this will be included in the update. This would then satisfy this Certification Team comment.

PLANT RESPONSE OR RESOLUTION: The additional 13 events were already included for evaluation. Revised T2 and T3A initiating event frequencies were calculated and included in the quantification for this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 3 & 14

It appears that credit is given for automatic valve closures and operator action in the ISLOCA analysis in section 3.1.4.2 without adequate technical justification. The NUREG/CR-5124 that appears to have been used is not referenced in the guidance document.

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Include NUREG/CR-5124 in the guidance and re-evaluate the above items.

PLANT RESPONSE OR RESOLUTION: Section 3.1.4.2 has been revised to address the concern on valve closures and operator action in this current update. NUREG/CR-5124 approach has also been included in the guidance document.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 3

Guidance is not provided for calculating special initiator frequencies or screening them out of the analysis.

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Provide the above guidance.

PLANT RESPONSE OR RESOLUTION: Guidance was incorporated into the guidance document regarding the calculation of the special initiator frequencies or screening them out of the analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 3

Both the guidance and the update document state that the Loss of Bus initiator frequency is calculated using a "simple reliability model" with generic data; however, no reference or calculation is provided.

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Provide a reference and calculation to support the frequency estimation of 2.63E-3/yr for the Loss of Bus initiators.

PLANT RESPONSE OR RESOLUTION: Fault tree model for loss of AC buses was developed and quantified to derive the initiator frequencies. Fault tree model was referenced in the guidance documentation.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 4

Many initiating events commonly quantified with event trees in other industry PSAs (e.g., Loss of Instrument Air, Loss of Service Water) are grouped into larger categories, such as Loss of PCS. As the industry moves toward risk informed decision making, it may be appropriate to break out those initiators that can have a significantly more severe plant impact than the broader IE category models.

LEVEL OF SIGNIFICANCE: B

POSSIBLE RESOLUTION: Break out key subsumed initiating events, as described above, and quantify using PSA model that explicitly accounts for the degraded condition of the support system.

PLANT RESPONSE OR RESOLUTION: In the current (second) update, Loss of ac buses 10300 and 10400, loss of instrument air system, loss of ultimate heat sink and loss of condensate flow were modeled as separate initiating events. Others like loss of NSWS and TBCLCS were considered loss of IAS events and evaluated.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 4

The intent of the PSA constructed for applications is generally to be as realistic as possible. As such, the explicit inclusion of manual shutdowns is desirable. Inclusion of this initiator would be consistent with other industry PSAs. (See IE-5 & 10) NYPA has identified that this initiator may be subsumed into T3A and T2 initiating events. This is judged conservative.

LEVEL OF SIGNIFICANCE: B

POSSIBLE RESOLUTION: Include the Manual Shutdown initiator as separate initiating event group and model with an event tree (set scram failure probability at 0.0).

PLANT RESPONSE OR RESOLUTION: Specific manual shutdown event tree has been developed.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 5

It appears that only the initial or primary effect of the loss of a support system is considered, not the pervasive effects. For example, loss of instrument air is MSIV closure scram but the effect on venting, PCS recovery and CRD is not considered. This same comment can also apply to the incorporation of loss of condenser vacuum initiating events within the MSIV closure initiator.

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Re-evaluate the support system special initiators and other subsumed events for all the effect on the accident progress.

PLANT RESPONSE OR RESOLUTION: In the current (second) update, Loss of ac buses 10300 and 10400, loss of instrument air system, loss of ultimate heat sink and loss of condensate flow were modeled as separate initiating events. Others like loss of NSWS and TBCLCS were considered loss of IAS events and evaluated.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 5

Loss of more than one DC bus due to potential common cause effects is not evaluated. (See also DE 8.)

LEVEL OF SIGNIFICANCE: B -- A bounding analysis needs to be performed to determine if this is significant. If not, the actual inclusion in the model would not be as significant.

POSSIBLE RESOLUTION: First perform a bounding analysis to determine the effect on CDF of assuming multiple DC failures. (Consider insights from NUREG-0666.) If this becomes a significant sequence, then the initiator should be explicitly developed. Otherwise, the documentation should include a description of the analysis and its results.

PLANT RESPONSE OR RESOLUTION: Section 3.1.4.3 is revised to incorporate this comment.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 5

It does not appear that the loss of ultimate heat sink has been considered as an initiator, and its subsequent impact on PCS recovery included. (see IE 8, AS-4)

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Do a scoping study to determine the impact of this initiator on CDF. If the impact is significant, include this initiator in the PRA.

PLANT RESPONSE OR RESOLUTION: An event tree for the Loss of heat sink initiator was developed and evaluated for the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 5 & 10

Degraded support systems can force the plant into a Technical Specification action statement for "immediate" shutdown. Such a condition can be considered "equivalent" to a support system failure induced scram. In section 3.1.1.2, support systems are classed as initiators "if it results in a plant scram". Systems that do not cause a plant scram, but complicate the response of the plant to a TS required shutdown should be considered. There are also latent failures that may exist in the plant that when coupled with a support system failure can lead to an immediate scram. (See IE-4)

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Re-evaluate support system special initiators based on the above.

PLANT RESPONSE OR RESOLUTION: The support system special initiators were expanded and associated event trees were developed and evaluated for the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 6

The loss of offsite power database does not include the 1965 North East blackout, nor does it include the event that occurred in 1988 when the plant was shut down. LOSP frequency development should not preclude non-negligible severe weather component. Its 1 in 100 year value can't be precluded based on a short generating history. It should be added and included more appropriately in the recovery value.

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: It may be more appropriate to include in the data base a larger time period to evaluate this initiating event because of the very few occurrences of this type of event. Non-inclusion of shutdown events should be justified based on an atypical switchyard arrangement or it should be included.

PLANT RESPONSE OR RESOLUTION: JAF did not exist in 1965 and the plant shutdown configuration is much different from plant on-line configuration; therefore, it is appropriate to use the plant specific LOSP data and integrate it with industry generic data to derive the LOSP frequency.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION: Element IE Subelement 8

The initiating event list of plant events shows three "loss of intake" type of events (10/19/90, 2/25/93, and 1/23/97). These events are not discussed in the initiating event analysis. (see IE-5 & AS-4)

LEVEL OF SIGNIFICANCE: C

POSSIBLE RESOLUTION: Re-evaluate the Loss of Intake type of initiating event in light of the three JAF precursors (at a minimum, enhance the documentation to acknowledge these events).

PLANT RESPONSE OR RESOLUTION: These events have been reviewed, presented in Table 3.3.1.1 and included into the initiating events calculation.

Rev. 2 5-52 Rev. 2 5-52 FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element IE Subelement 9 BOC There are no breaks outside containment that survive the truncation imposed. This appears adequate to have met the IPE letter, but it is judged that for applications such as those addressing MOV isolation capability would require these to be included in the PSA model.These events also may need to be addressed because of potential impact on the LERF evaluation for applications.

LEVEL OF SIGNIFICANCE C POSSIBLE RESOLUTION Include BOC sequences in the quantification if above the IE-1 1/yr truncation value currently used for other sequences.

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the current (second) update. Specifically, ISLOCA initiators are assess by using the NSAC-154 approach.

It includes operator errors induced ISLOCA, valve isolation failures and best-estimate pipe rupture failure probabilities.

This enhancement has been incorporated in the current (second) update.

Rev. 2 5-53

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 9

Vessel Rupture is stated in section 3.1.1.1 not to be included as an initiator because of its low probability. This section also states that this is a sequence (going to core damage) in itself. A sequence with a potential frequency of 1E-7 to 1E-8/yr should not be discounted as it causes potentially significant backend challenges in the Level 2 analysis. (1E-7/yr is the PBAPS frequency for vessel rupture from NUREG-1150.) This is also similar to a request made in NUREG-1560 (DRAFT).

The Certification Team believes that the RPV rupture frequency of BWRs may be slightly smaller than PWRs; however, limited data would indicate that the failure sequence is important to consider.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Create a Level 1 sequence for vessel rupture and process in Level 2.

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current (second) update. Specifically, an entire section (3.1.4.17) is developed for vessel rupture events.

Rev. 2 5-54

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 10

FMEAs were used to determine if support system failures could possibly initiate an accident sequence.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION

N/A

PLANT RESPONSE OR RESOLUTION

Rev. 2 5-55

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 10

An FMEA type table is used to disposition support systems as special initiators.

Although this is a positive feature of the JAF IPE, the approach to the dispositioning of special initiators could be more structured to provide guidance on the selection of systems to consider for assessment regarding special initiators.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Provide guidance on the selection of systems for consideration as special initiators. Ideally, all the plant systems should be addressed in the FMEA type dispositioning table (obviously unimportant systems can be listed and easily dismissed).

PLANT RESPONSE OR RESOLUTION

Guidance document was modified to address this observation and support system initiators were expanded and event trees were developed and evaluated in the current (second) update.

Rev. 2 5-56

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 11

Special initiators (support systems) that are dismissed because they cause a specific transient initiator such as MSIV closure do not appear to be quantitatively addressed in the IE frequency calculations.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Include subsumed initiator values in the frequency calculations.

PLANT RESPONSE OR RESOLUTION

See comment to IE-5.

Rev. 2 5-57

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 11

The subsumed initiating events are generally traceable but in some cases are not bounded by the broader category into which they are subsumed.

For example, Loss of SW and Loss of IA have a more severe plant impact than an MSIV closure into which they are subsumed (e.g., in the case of Loss of IA, this initiator is loss of the PCS with loss of the containment vent). Also refer to comment for IE subelement 4.

In addition, subsumed initiating events are represented in the dominant cutsets (specifically T2). Given this fact, the issue of subsuming key initiators into broader categories, as discussed in comments for IE subelements 04 and 11, is further highlighted and may obscure the importance ranking of systems such as instrument air. (See IE 13)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Break out key subsumed initiating events and quantify using event trees.

PLANT RESPONSE OR RESOLUTION

In the current (second) update, Loss of ac buses 10300 and 10400, loss of instrument air system, loss of ultimate heat sink and loss of condensate flow were modeled as separate initiating events. Others like loss of NSWS and TBCLCS were considered loss of IAS events and evaluated. The associated event trees were developed and evaluated.

Rev. 2 5-58

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 13

Initiators/Recovery

The assumption that the air or nitrogen accumulators are available and are adequate to support long term shutdown does not appear to be based on any deterministic evaluation.

It can be observed that in general at other BWRs:

  • MSIV accumulators leak down in approximately 15-20 minutes following a Group 1 isolation event.
  • The SRV accumulators at other BWRs have in the past encountered the potential for leak down when hard seat check valves were mistakenly installed.

  • The BOP system is degraded
  • The condensate system may be degraded
  • The vent capability is reduced because dependence on local manual action may be required.

Loss of Instrument Air or Loss of Nitrogen contributions appear to be screened from support system initiators and from causing failures within systems by crediting accumulators provided for "Essentially all Safety Systems", however it is not clear that the accumulators will last for a 24 hour mission time. (See IE 11)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

These observations argue for a special LOIA and loss of nitrogen initiator to be included in the process. Other initiating events include the following:

Calculate accumulator capability, perform time dependent assessment.

Also, make sure components without accumulators are not credited unless a clear option is justified.

PLANT RESPONSE OR RESOLUTION

MSIV accumulators were not credited in the analysis of Loss of Instrument Air System. A calculation for SRV accumulator capacity was performed by JAF system engineers. Loss of instrument air system initiator has been postulated, developed, quantified, and incorporated in the current (second) update.

Rev. 2 5-59

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 13

Recovery

The PCS recovery that is applied to isolation events (T2) is taken from NUREG/CR-4550. It is believed that this curve is optimistic for loss of condenser vacuum events. For this reason, the loss of condenser vacuum events are believed useful to quantify separately from the MSIV closure events.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Quantify Loss of Condenser vacuum initiation events separate from the MSIV closure events and use a more restrictive PCS recovery curve.

PLANT RESPONSE OR RESOLUTION

Loss of condenser vacuum initiating event tree was developed and quantified for this current (second) update.

Rev. 2 5-60

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 13

The existence of the discussion of recovery type actions in Appendix E of the Update is a positive feature of the model documentation.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION

N/A

PLANT RESPONSE OR RESOLUTION

Rev. 2 5-61

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 13

LOCA Initiating Event Frequency

In general, conservative values of input parameters are regarded as less desirable for a realistic PSA to be used for applications.

LOCA initiator frequencies are from NUREG/CR-4550.

The BWROG IRBR has adopted an acceptable method for calculating LOCA initiating event frequencies.

This method would provide a traceable and consistent methodology that can be used effectively to segment the LOCA initiating event frequency.

This methodology or an equivalent should be used to refine the LOCA frequencies.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Evaluate LOCA initiating event frequencies using the BWROG IRBR adopted method.

PLANT RESPONSE OR RESOLUTION

After evaluating NUREG/CR-4550, GE Report "Pipe Break Probabilities in Boiling Water Reactors" and BWROG IRBR guidelines it was concluded that 4550 values were the most conservative. Therefore they were selected as the bounding case.

LOCA frequencies are generated using NUREG-5750 for this current (second) update.

Rev. 2 5-62

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 13

NUREG-1032 approach is judged to be an appropriate approach for LOOP initiating event frequency development because it includes loss of offsite power induced from events that are:

  • Grid centered
  • Plant centered
  • Severe weather related

This approach has room to allow the use of appropriate and applicable plant and grid data for a part of this total initiating event frequency.

Grid and Plant Centered Loss of off-site power frequencies could be updated to more recent studies for LOOP. NSAC-166 or a later EPRI-TR document provides LOOP data through 1995. This could be used to lower the LOOP grid centered frequency.

The need to address the 1965 Northeast Blackout and the potential reduced recovery probability for severe weather events would appear to be two areas where enhanced analysis could lead to more realistic evaluations of LOOP sequences.

LEVEL OF SIGNIFICANCE

Significance Level D (Minor technical comment, could reduce T1 frequency and reflect more recent data.)

POSSIBLE RESOLUTION

Use a more recent reference for T1 frequency.

PLANT RESPONSE OR RESOLUTION

EPRI Report TR-106306 generic LOSP frequency integrated with JAF plant specific data is currently used for the JAF IPE update.

Latest EPRI-1008052 report including 2002 was used to develop the LOSP frequency.

Rev. 2 5-63

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 15

It does not appear that the water level sensing line reference leg failure has been considered in the PRA.

It was investigated by the Certification Team and found that 4 reference legs are available.

This aspect should be documented and an assessment of the need to do a quantification addressed.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Do a scoping study to determine the impact of this initiator on CDF. If the impact is high, include this initiator in the PRA. This can reference past BWROG work in this area (SLI-8211, SLI-8218, SLI-8221)

PLANT RESPONSE OR RESOLUTION

Reference leg failure event tree was developed and evaluated in the current (second) update.

Rev. 2 5-64

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 16

A comparison of JAF initiating event categories and frequencies to other industry PSAs is not contained in the JAF IPE. Incorporation of such a comparison would be an enhancement.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Include a comparison table of JAF initiating event categories and frequencies to other industry BWR PSAs.

PLANT RESPONSE OR RESOLUTION

This comparison was made by review of the NUREG/CR-5750.

Rev. 2 5-65

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 18

The simplified diagrams for each of the ISLOCA pathways are a good feature of the documentation.

The text discusses the pathways and refers to the associated figure. A useful enhancement would be to include a dashed line on the simplified P&IDs showing the low pressure-high pressure interface.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Enhance the ISLOCA simplified P&IDs to include a dashed line identifying the interface of the low pressure and high pressure rated piping.

PLANT RESPONSE OR RESOLUTION

Section 3.1.4.16, "Interfacing System Loss of Coolant Accident" drawings have been revised in the current (second) update to reflect comment.

Rev. 2 5-66

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 21

The level of review performed for the JAF IPE and Update is a positive feature. Review of the comments on the IPE and the Update show that the key issues identified for IE as part of this PSA Certification Review (i.e., Why only events occurring at >85% power considered?, Why subsume Loss of Condenser Vacuum with MSIV Closure?) were "dispositioned away" and not directly addressed in the models. (Note, the fact that this is traceable is a positive feature of the JAF IPE supporting documentation.)

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Address these comments in the models.

PLANT RESPONSE OR RESOLUTION

See comment to IE-1.

Rev. 2 5-67

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element IE Subelement 21

Table 3.1.1.2 of the Update provides a good summary of initiating event group vs. event category.

To the uninitiated, the assignment of numbers to the various event categories, although discussed in the Guidance document, provides no useful information.

An enhancement to this good table would be to identify that the Event Category column refers to EPRI-801 event categories.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Enhance Table 3.1.1.2 to change column heading Event Category to EPRI-801 Event Category (or, NUREG/CR-3862, if that is the reference desired).

PLANT RESPONSE OR RESOLUTION

Table 3.1.1.2 has been revised to incorporate this observation.

Rev. 2 5-68

Element AS

Rev. 2 5-69

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 4

Support system initiators are subsumed in other initiators (i.e., loss of PCS). This treatment does not address the system dependencies given the support system initiator. (See IE-5, 8)

LEVEL OF SIGNIFICANCE B -- Ranking type application could understate the importance of subsumed support systems.

POSSIBLE RESOLUTION

Add initiators for every support system that can cause a plant upset and impact mitigative equipment.

PLANT RESPONSE OR RESOLUTION

See response to IE-5.

Rev. 2 5-70

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 6

Vapor suppression is identified in the success criteria for LOCA events but is not included in the model.

LEVEL OF SIGNIFICANCE B -- Components related to vapor suppression may be ranked inappropriately for some applications.

Also, applications dealing with varying levels of vapor suppression reliability can not be readily evaluated.

POSSIBLE RESOLUTION

Explicitly model vapor suppression.

PLANT RESPONSE OR RESOLUTION

Large LOCA event tree was revised to add failure of the vapor suppression system (torus-to-drywell vacuum breaker valves) for the current (second) update. However, VSS was not considered for lesser LOCAs because the containment pressurization is not sufficient to warrant these valves.

Rev. 2 5-71

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 6

Pg. 3-36 and -37 of Event Tree Analysis Work Package indicate that the HPCI success and containment vent sequence T2-3, -16, -20, -36 leads to successful end state, however, HPCI cannot operate over the duration of an accident that requires venting because Emergency Depressurization would be required on HCTL. Another injection source is necessary, e.g., CRD, condensate, RHRSW.

These are not currently asked in the analysis. (Same comment on sequence 7 of T2 (T2-7))

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Small quantitative impact, but desirable to include other systems required to achieve safe shutdown. For example use the A2 transfer at sequence T2-4 rather than A1 transfer.

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current (second) update. Section 3.1 of the main report has been revised to preclude long-term HPCI operation during a loss of containment decay heat removal accident progression.

Rev. 2 5-72

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 6

ATWS Without Boron Injection

The PSA includes accident sequences as non-core damage events for such conditions as follows:

  • Fail to scram
  • PCS available
  • SLC fails
  • Alternative Boron fails
  • Power level less than 25% power

This condition is one of the reactor not shutdown, the PCS remaining available, and heat removal performed by the main condenser.

This configuration is not considered to be a safe stable state by the Certification Team. This should be evaluated to reach a shutdown configuration or assessed to determine if events may cause MSIV closure and core damage, e.g., high steam line radiation, instabilities, errors in RPV Level Control or Level Instrumentation, inadvertent closure of MSIVs, loss of condenser vacuum. This is not currently included in the PCS availability assessment.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Assess the accident sequence until shutdown.

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current (second) update. Specifically, the ATWS event tree as depicted in Section 3.1 of the main report has been revised to include appropriate ATWS related phenomenon and sequence development.

Rev. 2 5-73

Rev. 2 5-74

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 6

Success Criteria

Reactivity Control and RPV Pressure Control success when depending on ARI is generally contingent on requiring RPT success. This is currently not shown in the event trees nor the success criteria in the Event Tree Analysis Work Package (e.g., P. 3-65, P. 3-99 through 3-102).

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Not quantitatively significant, but desirable to include for assuring importance measures are correct for PSA applications.

PLANT RESPONSE OR RESOLUTION

Both ATWS with MSIVs open and ATWS with MSIVs closed event trees were revised to reflect the requirement for RPT for successful ARI. This enhancement has been incorporated in the current (second) update.

Rev. 2 5-75

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 6, 7

Critical Safety Functions

The critical safety functions are generally treated well for all accident sequences.

One low frequency challenge that may occur is related to vapor suppression failure and mitigating system capability.

Tables 3.1.1.1, .2, .3 of the event tree analysis notebook identifies the vapor suppression system as being required to mitigate 'A', 'S1', and 'S2' events. However, the accident sequence analysis appears to exclude the vapor suppression system on the basis of a low probability of failure.

The LOCA evaluations do not include a quantification of the impact of vapor suppression failure. The potential failures of vapor suppression may include the following systems:

  • wetwell to drywell vacuum breakers fail open
  • suppression pool level

This may also require failure of containment sprays.

This may influence:

  • small break LOCA
  • medium and large LOCA
  • SORV/IORV cases with either: (1) tailpipe failure in the wetwell airspace; or, (2) tailpipe vacuum breaker stuck open and WW-DW vacuum breaker stuck open

LEVEL OF SIGNIFICANCE C

5-76

POSSIBLE RESOLUTION

Add to LOCAs and SORV cases the vapor suppression critical safety function and the system to support mitigation:

  • drywell sprays
  • depressurization
  • vent

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current (second) update. Specifically, the large LOCA initiator includes the impact of vapor suppression system failure.

Rev. 2 5-77

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 7

LOCA

The failure to include in the sequence quantification the failure to scram node in the LOCA and some other event trees (see P. 3-9, P. 3-11, P. 3-13, P. 3-16 of Event Tree Analysis Work Package) based on truncation is judged to be undesirable.

The importance of LOCA and failure to scram are both influenced by this change. Therefore, PSA applications may be adversely impacted by this removal of a key function.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Quantify sequences with failure to scram node in the large LOCA event tree, intermediate LOCA (#S1), small LOCA (#S2), and small small LOCA because these are judged to be above the truncation value of 1E-10/yr identified to the Certification Team. Ensure that the evaluation accounts for the possibility that the LOCA occurs below the TAF and results in loss of all boron and recriticality.

PLANT RESPONSE OR RESOLUTION

LOCAs event trees were revised to consider a failure to scram event. This enhancement has been incorporated in the current (second) update.

Rev. 2 5-78

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

It is not clear that the credit taken for operators keeping MSIVs open in an ATWS is appropriate.

This action may be required within a relatively short time and the directions in the EOPs do not expedite the diagnosis and action while many actions are competing for the operators' attention, and time is critical.

LEVEL OF SIGNIFICANCE B -- Optimism could affect SLC ranking as well as other functions.

POSSIBLE RESOLUTION

Reconsider the current HRA modeling approach.

NYPA has stated that for the next update, it will be re-evaluated whether taking credit for keeping the MSIVs open during an ATWS is appropriate.

PLANT RESPONSE OR RESOLUTION

We believe that credit for this action is appropriate.

Regarding the impact of HEP for this action on the ranking for other functions such as SLC, we would note that the HEP for overriding MSIV isolation is 0.42 and that the increase in CDF if the HEP were set to 1.0 is only 1%.

Rev. 2 5-79

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

Success Criteria

The tabulation of the success criteria used in the event trees is excellent and considered a strength.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION

PLANT RESPONSE OR RESOLUTION

Rev. 2 5-80

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

RPT

ATWS Success Criteria Table states [RPT and Timely SLC] are adequate for reactor subcriticality. However, the Accident sequence analysis assumes that even with RPT failure SLC is successful. (See Attached Cutset Report.) This is judged to be an incorrect application of what the success criteria table states.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Make the success criteria implemented in the quantification the same as that supported by the success criteria summary tables and the thermal hydraulic calculations.

PLANT RESPONSE OR RESOLUTION

Both ATWS with MSIVs open and ATWS with MSIVs closed event trees were revised to incorporate RPT failure as a core damage sequence, irrespective of SLC operation.

Rev. 2 5-81

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

Success Criteria

P. 3-101 of Event Tree Analysis Work Package has footnote reference, but no explanation of footnote.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Add footnote

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current update. Section 3.1 of the main report has been totally revised.

Rev. 2 5-82

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

Success Criteria - RCIC

P. A-8 of the Event Tree Analysis Work Package says RCIC is used for injection for accidents with RPV pressure above 150 psig. This appears more stringent than the success criteria used in the quantified model, for example:

  • ED is required (see T2-3, 16, 20, 36)
  • LOCA occurs

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Editorial

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current update. Specifically, Section 3.1 of the main report and Section L5.3 Reactor Core Isolation Cooling System, of Appendix L describe the RCIC success criteria used in the current (second) update.

Rev. 2 5-83

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

ATWS Success

NYPA T/H analysis shows that in an ATWS with HPCI failure and RCIC initially successful, RPV level drops to a point where EOPs direct operators to depressurize.

Thus, the credit taken for RCIC operation in an ATWS does not appear to be supported by plant specific T/H analysis.

RCIC is listed as a successful injection source for ATWS conditions when SLC is successful. This assumption would require extensive T&H calculations to justify including the following considerations:

  • SLC success is assumed to be 1 pump at 20 minutes (20 min. in the HRA assumption and no time phased approach is used for early SLC)
  • At 20 minutes with only RCIC operating, RPV level is expected to be below MSCWLL which requires RPV depressurization. RCIC would likely not be able to be successful under such conditions.
  • With level below MSCWLL, operations would go to ED and use the low pressure injection systems. The probability of successful mitigation when using low pressure injection is judged lower than when using high pressure sources.

(See TH-8)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

RCIC as a success for isolation ATWS needs substantial technical justification which would include addressing the current EOP instruction to ED when level is below MSCWLL. Revisit T/H analysis, EOPs, and present modeling to eliminate RCIC injection as a success or provide additional justification for its use.

Show the event sequence that develops from the operation of RCIC only and evaluate the impact of subsequent operator actions.

Rev. 2 5-84

PLANT RESPONSE OR RESOLUTION

Both ATWS with MSIVs open and ATWS with MSIVs closed event trees were revised to eliminate RCIC as a viable core makeup option during ATWS for the current (second) update.

Rev. 2 5-85

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 9

End States

The accident sequence end state assignments are crucial to the accurate assessment of the core damage frequency and the transfer of information into Level 2. It is noted that in the model reviewed the following two sequences appear to have not been transferred to core damage end states and therefore are not accounted for in the frequency:

  • TM-33
  • TM-34

These should be added to the core damage frequency.

These are believed to be examples of other sequences that are assigned "core vulnerable" or "OK" and not further evaluated despite the fact that they may lead to core damage at frequencies greater than the truncation value for the model.

In addition, it is noted that orally these were said to be DHR type sequences for transfer to Level 2. However, it is judged that for power production cases at elevated pool temperature the torus is vulnerable to failure at a higher failure probability than for DHR sequences.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Review those sequences screened from quantification to ensure that adequate justification is documented to support screening. For sequences retained ensure that the end state classification is reasonable.

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current update. For PDS, they behave the same as TM-35.

Rev. 2 5-86

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 10

Sequences T2-34 to T2-37 include modeling of RHRSW to provide RPV injection and suppression pool cooling. It is not clear that the success of these functions is 1 of 1 rather than 1 of 2 (Specifically only one pump train of RHRSW should be credited for each function).

It is also not clear that the HRA addressed operator actions under such conditions.

The success criteria assumed may affect both the success states' and failure states' frequencies, therefore, the logic model needs to be evaluated to ensure that single loop failures do not preclude the assumed success states.

LEVEL OF SIGNIFICANCE B -- Impacts the importance of a number of operators actions and SSCs. Also, suggests an expanded review of sequences should be considered.

POSSIBLE RESOLUTION

Review credit taken for RHRSW and respective modeling. Consider an expanded model review of such subtleties.

PLANT RESPONSE OR RESOLUTION

The only sequence which goes to an unsuccessful endstate (CtF, CV) is T2-37 which involves failure of SPC and RHRCS. These front line systems have already failed due to the use of the RHRSW x-tie. RHRSW x-tie is only used for vessel injection.

This enhancement has been incorporated in the current update.

Rev. 2 5-87

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 13

TIME PHASED APPROACH

The use of a time phased approach for coping with LOOP initiators is included.

This is a strength of the PSA. Areas where some additional investigation could prove useful are:

  • 24 hr. mission time for diesels may be excessively conservative. This could be revisited using mission times of 6 to 8 hours similar to other BWR analyses including NUREG-1150
  • The battery life may be dependent on load shed. This HEP is not addressed.
  • Bypass of HPCI/RCIC high temperature steam line trips do not appear to be included in the HRA
  • There is a probability not currently accounted for that
    - Batteries fail before 8 hours (i.e., batteries are degraded or battery calculation is inadequate)
    - RPV depressurization (ED) occurs when HCTL is exceeded

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Consider refinements to the time phased approach to ensure realism in the model.

PLANT RESPONSE OR RESOLUTION

The HRA portion of the above observation is being addressed as part of the response to observations for Element HR, Subelement 16 on pg. HR-10.

Rev. 2 5-88

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 14

The V sequences or bypass sequences may include either so-called interfacing system LOCAs (ISLOCA) in attached low pressure systems or breaks in systems outside containment (BOC) -- Both with a failure to isolate.

Elimination of V sequence from the Level 1 analysis precludes its treatment and appropriate consideration in the Level 2.

V sequence is typically a noteworthy aspect of L2 analysis at many BWRs.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Reconsider V sequence treatment.

PLANT RESPONSE OR RESOLUTION

This enhancement has been incorporated in the current JAF PSA (revision 2) update.

Specifically, ISLOCA initiators are assessed by using the NSAC-154 approach. It includes operator errors induced ISLOCA, valve isolation failures and best-estimate pipe rupture failure probabilities.

This enhancement has been incorporated in the current (second) update.

Rev. 2 5-89

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 14

ISLOCA analysis only considers valve internal rupture/excessive leakage and does not consider human error initiated events. Such events are addressed in NSAC-154 and have been observed in the industry (e.g., Browns Ferry and Vermont Yankee).

LEVEL OF SIGNIFICANCE B -- Generally noteworthy contributor at BWRs.

POSSIBLE RESOLUTION

Review NSAC-154 and consider model changes if appropriate.

PLANT RESPONSE OR RESOLUTION

Extensive ISLOCA (or V-sequence) event trees have been developed. Its impact on Level 1 is addressed appropriately.

This enhancement has been incorporated in the current (second) update.

Rev. 2 5-90

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element AS Subelement 14

V-Sequence

The assessment of ISLOCA or BOC would be useful to include quantitatively in the PSA. The specific aspects to consider when including quantitatively are:

  • NSAC-154 guidelines
  • Treatment of real pipe pressure capacity instead of assuming pipe failure
  • Inability to close MOVs during the RPV blowdown
  • Degree of benefit to be gained from RPV depressurization and operator actions given the length of time required to blowdown.

These sequences affect Level 2 release estimates.

LEVEL OF SIGNIFICANCE B POSSIBLE RESOLUTION Include ISLOCA and BOC sequences quantitatively.

PLANT RESPONSE OR RESOLUTION The ISLOCA event trees are based on the methodology presented in NSAC-1 54. It includes operator errors induced ISLOCA, valve isolation failures and best-estimate pipe rupture failure probabilities.

This enhancement has been incorporated in the current (second) update.Rev. 2 5-91 FA C T/OBSER VA TION REGA RDING PSA TECHNICAL ELEMENTS I OBSERVATION Element AS Subelement 16 Success criteria table includes systems that are not credited in the analysis (i.e., RHRSW-RPV in LLOCA). This is confusing and leads to documentation that is not consistent with the model.LEVEL OF SIGNIFICANCE D -Editorial issue POSSIBLE RESOLUTION Revise success criteria to specify which systems/functions are not credited.PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the current (second) update. Section 3.1 of the main JAF IPE report has been updated to clearly defined the appropriatesuccess for a given plant initiator.

OBSERVATION Element AS Subelement 18 Loss of Containment Heat Removal Sequence Modeling P 3-472 states that unmitigated TW sequences initiated by loss of 4.16 KV safety bus ultimately progress to containment failure with core vulnerable. This, however, appears to be contrary to the EOPs (e.g., RPV/L override and override at end of RC/P).

The failure of containment heat removal sequences appear to assume that adequate RPV injection can be maintained throughout the loss of containment heat removal sequence at least up to containment failure; however, there are a number of challenges to this assumption that need to be addressed in the sequence evaluation. These challenges include the following:

  • Target Rock SRVs reclose when the differential pressure between the instrument nitrogen and the containment is too low (estimated to occur at a containment pressure 80 psi).
  • The EOPs state that above the MPCWLL (85 psig) external water injection must be terminated.

The model does not appear to accurately treat the EOP required termination of injection sources from external to the PC given conditions above MPCWLL. Thus, it appears as though HPCI, RCIC, and CRD, operating from the CST are credited in cases where EOPs would preclude their use. (See Attachment AS-18)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Modify the modeling of loss of containment heat removal sequences such that they acknowledge the EOP instructions and the system limitations.

PLANT RESPONSE OR RESOLUTION Current EOPs allow injection from external sources; therefore, CRD, condensate and RHRSW system flow into the RPV is allowed. Systems failure on high containment pressures and temperatures are modeled. This enhancement has been incorporated in the current (second) update.

OBSERVATION Element AS Subelement 21 The current success criteria for core integrity is significantly different than those presented in the PSA Applications Guide. The current success criteria is also in disagreement with NYPA T/H calculations. These T/H calculations indicate that at 2' of core coverage (current FitzPatrick success criteria) the core temperature is in excess of 4000 °F. This success criteria could affect timing and other success criteria throughout the model. (Also included for TH-4)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Reconsider success criteria. The change in timing of HRA actions may result and this effect may need to be considered with other HRA comments because of potential synergetic effects.

PLANT RESPONSE OR RESOLUTION Core temperatures success criteria was revised to reflect EPRI's PSA applications guidance of 2200 °F peak clad temperatures. This enhancement has been incorporated in the current update.

OBSERVATION Element AS Subelement 22 The ability of the nitrogen system to support a 24 hour mission time for the SRVs is not documented. This was verbally provided during the FitzPatrick certification and should be documented. This item has already been incorporated in the next IPE update -- as reported by Clem Yeh.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Revise PRA document.

PLANT RESPONSE OR RESOLUTION Section 3.2.2.2 has been revised to address this enhancement in the current update.

Element TH

OBSERVATION Element TH Subelement 1 RPT The basis for the success criteria for RPT does not appear to be based on specific thermal hydraulic calculations, but rather are inferred from other calculations.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Provide documentation regarding the basis for the success of postulated ATWS sequences for combinations of RPT successes, or resolve apparent discrepancy and use qualified plant specific calculations to interpret success criteria. ODYN, TRAC, or equivalent are such codes.

PLANT RESPONSE OR RESOLUTION Success criterion was taken from Peach Bottom NUREG-1150 work; this is considered adequate, since JAF is similar to Peach Bottom. Hence, no plant specific calculation was deemed appropriate.

OBSERVATION Element TH Subelement 1 Guidance It may be useful to provide a basis for the following:

  • Tabulation scheme for calculations to identify specific deterministic runs with an ID
  • Success criteria that use realistic evaluations
  • Limitations of codes
  • Code comparisons
  • Areas where realistic codes may be suspect

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Include overview and guidance on the use of realistic plant specific assessments.

PLANT RESPONSE OR RESOLUTION The MAAP code has been used to verify JAF success criteria and Level 2 containment performance analysis.

However, the documentation of these runs along with the above enhancements will be re-evaluated in the future PSA update.

OBSERVATION Element TH Subelement 4 Two feet above BAF is used as basis for end of Level 1. This success criteria for core integrity is based on a generic assessment from NUREG/CR-4550. This assessment is not consistent with industry practice (PSA Applications Guide) and conflicts with current NYPA T/H analysis. (Also included for AS-21, TH-7)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Consider the applicability of current T/H calculations in lieu of generic analysis.

NYPA subsequently indicated that the impact of this would be investigated and its potential impact on available operator action time in the HRA would be considered. The T&H evaluation of the impact of modifying the definition has been performed by NYPA. Examples of the evaluation are attached.

It is noted by the Certification Team that the overall time to core damage is reduced from ~90 min. to 81 min., i.e., a 9 min. reduction or 10%. However, when addressing HRA evaluations the cue may not occur at t = 0 but rather may occur much later. For the assessment of RPV depressurization, it may be argued that the cue does not occur until TAF. This means the time available changes from 90 min. in original analysis to (81 - 48) 33 min.

PLANT RESPONSE OR RESOLUTION Core temperatures success criteria were revised to reflect EPRI's PSA applications guidance of 2200 °F peak clad temperatures for the current update.

OBSERVATION Element TH Subelement 4 Success Criteria P. 3-64 and 65 of the Event Tree Work Package states that the success criteria for ATWS includes RPT and timely SLC; however, there are successes included in the event trees with: a) SLC failure, b) RPT failure, c) SLC success using CRD injection at 130 minutes (not considered timely by the Certification Team).

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION The documentation of what is used for success criteria is considered important for clarity.

PLANT RESPONSE OR RESOLUTION The ATWS event trees have been revised to remove these successes.

OBSERVATION Element TH Subelement 4 Alternate Boron success with injection at 130 minutes is based on several assumptions that appear optimistic. One of these is the power and level correlation used. Attached is the power input to containment. It appears the power is 4% or lower. This power level is believed to be substantially below that which can be justified.

NRC review of BWROG EPG "stability" changes has resulted in an SER on the changes in which the NRC cited several analyses of Reactor power level. This information is summarized in the attached figure.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Re-assess assumptions included in the assessment of alternate boron success and provide a technical basis for the assumed 4% power level, i.e., TRAC calculations or recent NRC assessments.

Possible areas of discussion useful in documenting the accident sequence analysis:

1) HEP for operator action to lower RPV level at 4 min. and where it is accounted for
2) Basis for power level correlation different than proposed by NRC in attached figure
3) HEP for operator to control RPV level with low pressure systems
4) Basis for containment survivability with increased torus level (possibly as much as 650,000 gal.)

PLANT RESPONSE OR RESOLUTION ATWS event tree model was revised to consider SLC within 15 to 20 minutes without adequate level. However, given level control at TAF or below, additional time is available to align boron injection with CRD.

OBSERVATION Element TH Subelement 7 Reliance on plant specific analysis should include consideration of whether the code is capable of providing the necessary information. For example, two items are believed not to be well modeled using MARCH or BWRSAR:

a) The need for RPT to prevent reactivity and pressure excursion in the RPV within the initial 20 seconds of an ATWS
b) The ability of a DBA LOCA to be mitigated in the short term (71 min.) by operation of con

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review the use of the BWRSAR and MARCH codes to ensure that the use of plant specific evaluation is technically feasible.

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 7 The MARCH code used by NYPA is judged to be outdated. The limitations of the code that led to the development of newer codes (i.e., MAAP, MELCOR) have not been explicitly addressed. (See TH-4, AS-21)

LEVEL OF SIGNIFICANCE C -- Use of a newer, more widely used code will enhance the study and may alter success criteria.

POSSIBLE RESOLUTION Consider the use of a more up-to-date T/H code. Be cautious about using MARCH for support of success criteria that are substantially different than other BWRs without confirmation of the calculations with accepted T&H codes.

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 7 Limitations The use of MARCH for determining times available for operator action is judged to be acceptable. However, it is prudent to include the possible limitations which could lead to optimistic estimates of time available for operator actions:

  • Definition of core damage (use of fuel melt is judged not to be consistent with typical PSAs).
  • Code may not adequately address outside shroud injection sources.
  • Initial RPV level may not be accurate for conditions it is used.

(See TH-4, AS-21)

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Assess possible optimistic evaluations.

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 8 Success Criteria There does not appear to be a T & H run that supports the use of RCIC as a success for ATWS cases either with a) SLC success (EOPs require ED on RPV level which is not included in MARCH cases) b) Boron injection with CRD (See AS-9)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION ATWS sequences should delete RCIC as a successful injection method unless calculations consistent with EOPs are included.

PLANT RESPONSE OR RESOLUTION Both ATWS with MSIVs open and ATWS with MSIVs closed event trees were revised to eliminate RCIC as a viable core makeup option during ATWS.

OBSERVATION Element TH Subelement 8 SBO The time to core damage for SBO is calculated to be 13 hours when batteries deplete at 8 hours. This appears optimistic for the following reasons:

  • The assumption that RPV repressurization will occur is judged to be optimistic. The staff will do all in their power to keep the RPV depressurized. Assuming it repressurizes results in longer times to core damage and violates the EOPs which require the staff to use steam line paths if necessary. The analysis in essence takes "credit" for the failure of depressurization to allow additional time to recover AC power.
  • The initial RPV water level should be taken to be at Level 2 when DC is lost
  • Despite DC depletion on one of the divisions, there may be DC power available on the other DC divisions.

(See QU-18)

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Review the assumptions used in the SBO analysis.

PLANT RESPONSE OR RESOLUTION No changes are expected for this comment. Current model is considered conservative and appropriate.

OBSERVATION Element TH Subelement 8 The Drywell temperatures calculated under SBO conditions appear to be done with MARCH. The MARCH code may be suspect for this calculation and needs to be benchmarked with actual tests of heat transfer to the drywell from the primary system. Large margin currently exists between calculation and limit.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Document the basis for the use of MARCH for DW/T calculation.

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 8 Success criteria is based on a combination of plant specific and generic analyses. It is not always clear in every case which is being used. A number of cases (i.e., Core integrity success criteria) exist where plant specific and generic analysis conflicts.

LEVEL OF SIGNIFICANCE B -- Important for comprehensive review and use.

POSSIBLE RESOLUTION It is recommended that the basis for the success criteria be more definitively established by reference to specific cases and inconsistencies between sources be investigated.

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the current (second) update. Specifically, Appendix L was developed to document JAF success criteria.

OBSERVATION Element TH Subelement 8 Success Criteria A direct reference to the specific thermal hydraulic calculation by date, case, or page number that supports the success criteria is considered highly desirable. This is particularly important for those marginal cases such as (1) CRD success or (2) RCIC success under failure to scram conditions.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Add T&H references.

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 8 Core Vulnerable There are sequences which have end states called core vulnerable in the event tree that are not further analyzed and may have been misclassified and could contribute to the CDF or LERF.

  • TM-4
  • TM-5
  • TM-12
  • TM-13
  • TM-14
  • TM-28
  • TM-29
  • TM-33

In addition, ATWS cases with an SORV are not addressed. These may result in inadvertent condensate injection that could flush boron from the core.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION These states need to be reviewed and their disposition documented.

On the contrary, NYPA subsequently indicated that an endstate of core vulnerable is the designation for sequences believed to be less than 10E-10/yr. (including the initiating event frequency). However, following quantification, if a core vulnerable sequence was found to be dominant, it was fully developed. Otherwise development was stopped. However, the Certification Team believes this does not address the issue of misclassification of end states.

PLANT RESPONSE OR RESOLUTION ATWS event trees have been revised to reflect this observation in the current (second) update.

OBSERVATION Element TH Subelement 10 Room heatup calculations were performed using the GOTHIC code. These calculations demonstrated a significant state-of-the-art capability.

However, the results were inconsistent and it was determined that the calculations were not used in the analysis.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Basis for room heatup modeling could be clearly documented and NYPA should consider revising the GOTHIC calculations to allow them to support the model.

PLANT RESPONSE OR RESOLUTION See response presented in SY-3.

OBSERVATION Element TH Subelement 10 The calculation to support room cooling treatment in the model for RHRSW B&D & ESW room should be documented. This room is the much smaller of the 2 RHRSW rooms. Could impact the support system dependency assessment.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include basis for the room cooling treatment in the RHRSW B & D room.

PLANT RESPONSE OR RESOLUTION See response presented in SY-3.

OBSERVATION Element TH Subelement 12 Documentation of T&H plant specific computer runs is limited in a number of important cases such as ATWS and does not readily support the analysis. A parameter file basis calculation does not exist and model inputs are therefore not traceable. Documentation of individual runs in many cases is excellent with a description of the case and its use; however, this is inconsistently applied.

LEVEL OF SIGNIFICANCE B - Important for comprehensive review and use.

POSSIBLE RESOLUTION A parameter file calculation should be developed. Also, each run should have a run summary and a complete set of curves plotted to show a complete accounting of plant response (i.e., pressures, temperatures, flows, etc.)

PLANT RESPONSE OR RESOLUTION The MAAP code has replaced MARCH and BWRSAR for plant specific evaluation.

OBSERVATION Element TH Subelement 14 No independent review was available for consideration.

LEVEL OF SIGNIFICANCE B -- Review of the model and output is important as many factors affect the usefulness of individual runs. Also, use of the code within its limitations should be confirmed.

POSSIBLE RESOLUTION Expand the T/H review process or provide the basis for the review of existing calculations.

PLANT RESPONSE OR RESOLUTION Currently, JAF is developing a MAAP model to address this observation. Personnel familiar with JAF have reviewed the MAAP parameter file and selected MAAP success criteria runs.

Element SY

OBSERVATION Element SY Subelement 4 Some fault trees have gates that are not used in quantification (top gate in EDG for example) that are logically incorrect. This may not affect the current quantification, but could lead to errors later if it would get used.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Ensure all gates whether used in the quantification or not are correct.

PLANT RESPONSE OR RESOLUTION These gates were placed in the system notebook for reference purposes only. All gates were reviewed to ensure accuracy.

OBSERVATION Element SY Subelement 6 The level of detail in the fault trees is exceptionally comprehensive, especially with regards to electrical components.

LEVEL OF SIGNIFICANCE S -- Strength

POSSIBLE RESOLUTION N/A

PLANT RESPONSE OR RESOLUTION

OBSERVATION Element SY Subelement 10 Room Cooling The room cooling related dependencies do not appear to be documented in the PSA. The PSA group leader was knowledgeable of all issues and the model reflected this knowledge. However, the PSA documentation should specify that:

  • Active room cooling is not required for the North and South pump room. This will supersede the existing document (GOTHIC) that says it is required.
  • The North and South pump room dependency dampers should be included in the model along with the assessment of the damper fusible link reliability if the room temperature reads >2002 F.
  • The LPCI inverter room has been demolished and no longer requires room cooling to be successful. This should be documented.
  • Specifically remove the statement that RHRSW pumps are in open rooms not requiring room cooling, and ensure that the smaller RHRSW has specific calculations to support room cooling dependency assessment.

The PSA documentation should clearly state these.

LEVEL OF SIGNIFICANCE B -- Documentation only.

POSSIBLE RESOLUTION Clarify room cooling dependencies.

PLANT RESPONSE OR RESOLUTION Room cooling dependencies were documented in the various system description sections and Appendix A. Furthermore, room cooling and heat up analyses for all rooms were performed and comments have been incorporated in the current update.

OBSERVATION Element SY Subelement 12 AC Power/DC Power Is there a basis to allow the charger to carry all required DC electrical loads with the battery failed or severely degraded? Specifically, will the DC loads following a LOCA signal be sufficiently high to overload the charger capacity if the battery is not available? Note that a LOCA signal may be generated by events that cause high drywell pressure and/or low RPV level.

In other BWRs, it is found that the charger can be overloaded if the battery is unavailable to act as a "buffer" during load sequencing. The FitzPatrick design feature that addresses this should be referenced.

NYPA has indicated that the plant design and licensing basis is for a charger to carry all the division DC loads and charge a fully discharged battery. A spare battery charger may be used to supplant the battery under conditions where the battery is unavailable. FSAR and DBD attached.

The DBD and FSAR sections identified by NYPA were found by the Certification Team to not address the specific issue of no battery available and the adequacy of the charger alone to carry transient loadings without an over current trip.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Document in the system and fault tree model of the DC power system.

PLANT RESPONSE OR RESOLUTION The DC success criterion is that the charger can carry all the dc loads during transients. However, for LOCA, the deterministic licensing basis is that the combination of charger and battery carry dc loads. Use of a spare source of dc is in a maintenance procedure and is not safety-related. Although in reality it will be used, the FSAR and DBD cannot take credit for it. This enhancement has been incorporated in the current update.

OBSERVATION Element SY Subelement 13 RPT Fault Tree Success Criteria P. A-4 of the Event Tree Analysis Notebook states that RPT on low RPV level is used to initiate auto RPT. The fault tree also makes this assumption. However, for most sequences this initiation signal will occur too late to suffice for an effective auto initiation signal.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Remove credit for low level initiation of RPT.

PLANT RESPONSE OR RESOLUTION The dominant failure mode of the RPT failure to function is the "breaker fails to trip". It contributes 88% of the RPT unavailability. Removal of credit for low level initiation and credit with high reactor pressure initiation should not make a major contribution to RPT unavailability.

OBSERVATION Element SY Subelement 13 CAPACITY ASSESSMENT There are two items that have been identified related to the modeled capacity that may be important to reevaluate to determine their impact on the PSA. These items include the following:

  • the SRV accumulator capacity is not demonstrated as capable of 24 hours at a maximum leak rate and multiple actuations. See Attachments SY 13A, 13B

    JAF has performed extensive engineering investigations to ensure that the SRV accumulators meet the design basis requirements of 5 to 7 cycles within a 30 min. time. The PSA currently assumes that the accumulators are adequate for 24 hours despite potential leakage and multiple actuations (no limit on number of actuations cited). The Certification Team review of information provided by JAF supports the conclusion that the design basis requirements appear met. However, the justification for 24 hour mission time could not be confirmed by the Certification Team.

  • the battery capacity may be less than 8 hours

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Ensure that the capacities used in the model are supported by referenced calculations.

SRV Accumulators Remove AND gate of accumulators and long term N2 supply and replace with requirement for accumulators short term and long term N2.

PLANT RESPONSE OR RESOLUTION A sensitivity analysis was performed for this update and no significant impact on ADS unavailability was found.

OBSERVATION Element SY Subelement 14 The inclusion of the HPCI turbine governor and stop valves (hov-1 and 2) in the turbine failure basic event should be identified in the system notebook. It is however listed in the basic event data listing.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Add these valves to the model assumption part of the HPCI notebook.

PLANT RESPONSE OR RESOLUTION HPCI notebook assumption section has been modified to include these valves.

OBSERVATION Element SY Subelement 14 RPS sensor modeling had sensor inputs deleted from the tree but not documented in the system notebook. Also RPS as a whole has been replaced with a point estimate (CE) but the obsolescence of the tree was not documented in the book or elsewhere. This is also apparently true for MSIV.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Make the notebooks and other documentation consistent with actual modeling used in the quantification.

PLANT RESPONSE OR RESOLUTION Notebook and JAF IPE update section have been revised to incorporate this enhancement.

OBSERVATION Element SY Subelement 16 Failure of Circ. Water due to traveling screen / trash rake blockage is not reflected in the fault tree even though there have been 3 plant shut downs listed related to this type of failure.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include this failure for Circulating Water and any other systems that would be affected by this.

PLANT RESPONSE OR RESOLUTION Added CCF of CWS traveling screens to the current (second) update.

OBSERVATION Element SY Subelement 16 In the feedwater fault tree, there is a basic event for failure to start of the feedwater pump. It was explained as the operator normally trips the feed water pumps in a transient then restarts them if needed. The prerequisite of the operator trip of the pump is not reflected in the fault tree documentation or the tree itself. Also the event would be more accurately characterized as a restart.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Change basic event to a restart and add operator trip of the pumps. Also add this assumption to the documentation.

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the fault tree model.

OBSERVATION Element SY Subelement 24 Some gates in the fault trees (HPCI for example) are lacking in descriptive text. The lack of text makes it more difficult to follow the flow of the fault tree.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Fill in missing text.

PLANT RESPONSE OR RESOLUTION Missing text has been incorporated in the fault trees.

Element DA

OBSERVATION Element DA Subelement 1 The data guidance document provides guidance on the selection of generic data from industry sources. This is a positive feature of the JAF IPE documentation. The guidance states that the preferred source is ASEP. This guidance may be enhanced to continue the order of preference (or to identify the least preferable source).

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Consider enhancing the data guidance to specify preference of generic data sources beyond ASEP.

PLANT RESPONSE OR RESOLUTION The guidance documentation states "if no single source is uniquely applicable select the source with the widest acceptance,.." Therefore, ASEP was used if no other source could be found. Various sources were used such as IEEE-500, Browns Ferry IREP, WASH-1400, and EG&G if ASEP data was not available.

OBSERVATION Element DA Subelement 1 The data guidance document may be enhanced to provide guidance in the assignment of the proper error factor to assign for particular component failure rates (e.g., 3 for valves FTO or FTC, 10 for valves FTRC) when the error factors are not provided in the reference.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Consider the above enhancement to the data guidance document.

PLANT RESPONSE OR RESOLUTION Error factors are excerpted from the same reference as failure rates. If none were found in the reference document the most conservative approach was used.

OBSERVATION Element DA Subelement 1 The data guidance document directs discussion with plant staff (e.g., operators, maintenance staff) to clear up misinterpretations in the raw data analysis. This is considered to be a strength of the process.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION N/A

PLANT RESPONSE OR RESOLUTION

OBSERVATION Element DA Subelement 1 The data guidance document includes appendices addressing data compilation and interpretation, component boundaries, Bayesian approach, and examples. This is considered to be a strength of guidance.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION N/A

PLANT RESPONSE OR RESOLUTION

OBSERVATION Element DA Subelement 4 The data analysis subdivides the raw data into many small component groups. Some examples of individual failure probabilities for components appear very low and may not reflect the generic data for similar components.

The data calculations beginning with raw data up to entry to the spreadsheet were not reproduced by the Certification Team. However, after entry into the spreadsheet the data evaluation was reproducible and is judged to be a strength.

The data evaluation for the JAF has a number of features that deserve consideration in assessing whether the model quantification is adequate:

  • Control logic and instrumentation has been separated out from certain components such as pumps and valves. This results in the pump or valve failure probability appearing lower than in some other PSA applications:

Component      FitzPatrick            Some Other Applications
Pump           5E-4                   3E-3
Pump Control   2.5E-3                 ---
Valve          3E-3                   4E-3 (not confirmed)
Valve Control  3E-3 (not confirmed)

This difference in method is not judged to adversely impact individual component failure probabilities.

  • When common cause assessments are added, it appears to the Certification Team that the CCF probability for both pump & pump control may not have been included.

NYPA has pointed out that this same comment was also made by Gareth Parry in his Independent Review in 1991. No resolution to the comment was reviewed by the Certification Team.

It is this second aspect of the data applications that is questioned by the Certification Team.

Case  Description                                          λpump  λcontrol CKT  λpump + λcontrol CKT  β    CCF probability
1     Pooled Generic Data; Generic β                       5E-4   2.5E-3        3.0E-3                .05  1.5E-4
2     Segmented generic data; CCF applied to part of data  5E-4   Fault Tree    5E-4                  .05  2.5E-5

In this example, segmenting the data and applying the generic β only to the residual piece of the "pump" appears to result in a lower CCF probability estimate.

Therefore, the treatment of component boundaries in applying CCF data can be important.
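The effect of the component boundary on the beta-factor estimate can be reproduced numerically. The Python sketch below is an added illustration, not part of the F&O record or the JAF model; it uses the two cases tabulated above and assumes a two-train redundant pump pair, the rare-event approximation, and (for the segmented case) that the control circuit modeled in the fault tree receives no CCF contribution.

```python
"""Beta-factor CCF under two component-boundary choices (added illustration).

Numerical values are the two cases tabulated in the observation; the two-train
system and the rare-event approximation are assumptions made for this example.
"""
from dataclasses import dataclass

BETA = 0.05         # generic beta factor from the table
Q_PUMP = 5e-4       # pump failure probability with controls separated out
Q_CONTROL = 2.5e-3  # pump control circuit failure probability


@dataclass(frozen=True)
class Segment:
    """One piece of a component boundary."""
    name: str
    q: float            # total failure probability of this piece
    ccf_applied: bool   # True if the beta factor is applied to this piece


def ccf_probability(segments, beta=BETA):
    """Common cause term: beta times the probability inside the CCF boundary."""
    return beta * sum(s.q for s in segments if s.ccf_applied)


def independent_probability(segments, beta=BETA):
    """Per-train independent failure probability (rare-event sum over pieces).

    A piece inside the CCF boundary keeps (1 - beta) of its probability as
    independent failures; a piece outside the boundary keeps all of it.
    """
    return sum((1.0 - beta) * s.q if s.ccf_applied else s.q for s in segments)


def two_train_failure(segments, beta=BETA):
    """Both trains fail: two independent failures, or one common cause event."""
    q_ind = independent_probability(segments, beta)
    return q_ind ** 2 + ccf_probability(segments, beta)


# Case 1: pump and control circuit pooled into one boundary; beta covers all of it.
POOLED = [Segment("pump + control circuit", Q_PUMP + Q_CONTROL, True)]

# Case 2: control circuit modeled separately in the fault tree; beta applied only
# to the residual pump piece (assumption: no CCF event for the control circuit).
SEGMENTED = [
    Segment("pump", Q_PUMP, True),
    Segment("control circuit", Q_CONTROL, False),
]


def compare():
    """Return the CCF terms, the two-train failure probabilities and their ratios."""
    ccf_pooled = ccf_probability(POOLED)
    ccf_segmented = ccf_probability(SEGMENTED)
    sys_pooled = two_train_failure(POOLED)
    sys_segmented = two_train_failure(SEGMENTED)
    return {
        "ccf_pooled": ccf_pooled,
        "ccf_segmented": ccf_segmented,
        "ccf_ratio": ccf_pooled / ccf_segmented,
        "system_pooled": sys_pooled,
        "system_segmented": sys_segmented,
        "system_ratio": sys_pooled / sys_segmented,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:17s} {value:.3e}")
```

Under these assumptions the per-train independent failure probability is nearly the same in both cases, so the difference in the two-train result comes almost entirely from the common cause term.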

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Pool the raw data into larger groups.

PLANT RESPONSE OR RESOLUTION

A. Please review our attached response to IP3 IPE NRC question.

In addition, small component groups in individual system will not mask the root cause of component failure and performance criteria pertaining to system of interest for maintenance rule implementation.

B. Please review JAF IPE update Appendix C, Table C.1 and sample of NUREG/CR-4550 Volume 1 Data.

C. Please review the soft copy we provided to the certification team before you make this conclusion.

D. Please review our attached response to IP3 IPE NRC question.

E. Please be aware that the same comment had been raised by Gareth Parry during JAF IPE peer review on March 1991 (see attachment).

Therefore, we firmly believe that we do not have this problem.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 4

Appendix D of the Update contains a print-out of a number of JAF surveillance test results. Many of these surveillance results contain the word UNSAT (which would indicate a potential failure) yet the associated data analysis does not reflect this. For example, the EDGs are assessed as having no failures in the data analysis period, yet many of the surveillance tests listed in Appendix D are associated with the entry UNSAT.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Provide a short discussion in Appendix D that explains the UNSAT entries (i.e., as opposed to the SAT entries).

PLANT RESPONSE OR RESOLUTION

During the performance of the surveillance tests many events can occur to cause a test result to be unsatisfactory.

In the case of the EDG, a faulty speed indicator would cause the test to be UNSAT. UNSAT does not necessarily mean EDG function failure. All system function failures provided by EPIX and maintenance rule records were reviewed and factored into component data analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 7

There is some question as to whether scheduled test and maintenance unavailabilities have been adequately treated in the JAF plant specific unavailability analysis.

The data guidance document indicates that such information should be excluded if it is "insignificant to the unavailability." It is not clear why this approach would be taken considering the difficulty in defining the cumulative effect of "insignificant." (1), (2)

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

It is suggested that scheduled unavailabilities be specifically included in the data analysis; else (though, less desirable), provide explanation and justification guidelines in the guidance document regarding the insignificance of scheduled unavailabilities.

PLANT RESPONSE OR RESOLUTION Guidance document was modified and maintenance rule information developed by system engineer was used for maintenance unavailability calculation.

(1) Means for individual sensors or logic trains it is not significant to include the scheduled unavailability in the fault tree.

(2) Actual JAF unavailability data for valves and pumps etc. is used.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 7

CCF DC

The availability of DC power to support accident response has been identified in some other PSAs as important.

The unavailability of multiple DC supplies due to potential common cause failure (CCF) has also been identified and highlighted by the NRC in NUREG-0666.

There does not appear to be a CCF of 2 DC buses (power supplies) included in the analysis.

NYPA subsequently indicated that using the guidance of NUREG-0666, the IE frequency of CCF of 2 battery control boards is 7.36E-7/yr.

The Certification believes this to be approximately correct and if implemented in the model would solve the comment.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

NUREG-0666 should be reviewed to assess the importance of the CCF. In addition, the CCF should be added to the model.

PLANT RESPONSE OR RESOLUTION

Section 3.1.4.3 is revised to incorporate this comment.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 9

The common cause failure (CCF) write-up should acknowledge that a CCF occurred at Monticello for the SQUIB valves.

The common cause evaluation of SLC SQUIB valves apparently did not address the operating experience in the industry related to these valves (See Attached).

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Incorporate data or provide justification for rectification.

PLANT RESPONSE OR RESOLUTION

Added CCF of SLC SQUIB valves to the current fault tree model.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 9

Common cause of the EDG output breakers are not explicitly analyzed.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Calculate a common cause event for common cause failure of the EDG output breakers.

PLANT RESPONSE OR RESOLUTION

Added CCF of EDG output breakers to the current fault tree model.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 10

RHRSW/ESW

All SW pumps for room cooling, RHR, and diesel generator cooling take suction from the same intake structure.

Therefore, failure mechanisms related to service conditions and clogging should be included.

These could address:

  • debris (including sand or mud)
  • Asiatic clams
  • Zebra mussels
  • Ice Frazzle
  • RHR Hx Tube ruptures due to corrosion or flow induced vibration.

NYPA subsequently provided the attached discussion which represents a thorough review of some of the potential CCF causes. The judgements regarding "no credible failure mechanisms" seem inconsistent with operating experience (see DE-9). The lack of published data on CCF does not preclude using engineering judgement to quantify these failure modes.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Add common cause failures to the RHRSW and ESW systems for all trains to the quantified model. Alternatively, use a strictly qualitative argument to dismiss all possible failure modes.

PLANT RESPONSE OR RESOLUTION

JAF has two procedures in place to prevent fouling and frazzle ice from impacting safe operations.

OP-7A and AOP-64 are in place to assure these conditions are monitored and controlled.

However, loss of ultimate heat sink initiating event was also evaluated for the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 10

Common cause failure to run for the EDGs does not appear to be included in the models, as evidenced by the beta factor used for the EDG CCF estimation.

The beta factor used for CCF of the EDG is for the FTS failure mode.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Verify that common cause failure to run is not in the PSA and include or adequately justify its exclusion.

PLANT RESPONSE OR RESOLUTION

CCF of EDG to run is included in the current fault tree model.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 15

The mission time of the EDGs is conservatively set at 24 hours. Considering the importance of the EDGs in the plant risk profile, other industry PSAs have appropriately adjusted the EDG mission time to reflect the time phased approach to the LOOP initiator.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Adjust the EDG mission time to reflect the time phased approach to the LOOP initiator to account for the likelihood of offsite power recovery.

PLANT RESPONSE OR RESOLUTION

The mission time of the EDGs is still conservatively set at 24 hours to align with most of the PRA practices.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 16

Repair and Recovery

According to discussions with NYPA, the repair and recovery curve used for DC bus failures is taken from NUREG/CR-4550.

The value for non-recovery at long times is 1E-3. This is judged to be substantially below what can be justified.

NUREG/CR-4550 is not considered a useful or correct reference source.

Recovery of DC bus faults is certainly a controversial issue and one that can be argued relative to the degree of the fault and the data used to characterize the fault and recovery from the fault. The use of IEEE 500 is also controversial because of the Delphi approach used to provide "data".

NYPA should use the best technical information it deems available, however, the Certification Team believes that there is no legitimate technical support for a non-recovery probability of 1E-3 for a DC bus failure at 24 hours. As an example of potential controversy the enclosed IEEE 500 reference would indicate a mean time to repair of 70 hours. This would appear to contradict the value of 2.5 hours quoted by NYPA to the Certification Team.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Provide an acceptable reference for the repair and recovery of DC bus failures or use a value more consistent with other PSAs or use the cited IEEE 500 reference.

If there are other failure modes of the DC supply that are modeled (e.g., breaker misposition or failure), these should be separated out in the fault tree, initiating event analysis, and in the recovery assessment.

The failure mode that is being referred to in this F&O is the failure of the bus itself not breaker misposition.

PLANT RESPONSE OR RESOLUTION

The current model update did not consider the 2.5 hour repair time for the loss of DC bus failure.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 17

The surveillance test summaries provided in Appendix D are apparently, per discussion with NYPA personnel, a selected subset of the entire set of reviewed STs. The text does not indicate this is a sample, and therefore one would assume that this is the entire set of data.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Provide the entire set of STs in the Appendix or revise the text to state that the included ST summaries are only a subset. Do the same for other summaries in the Appendix, if applicable.

PLANT RESPONSE OR RESOLUTION

Data shown is the actual ST data.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 17

The reference to "Section B5" in Section B1 of the update document should be "Section B4".

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION

Correct the typographical error described above.

PLANT RESPONSE OR RESOLUTION

Error has been corrected and incorporated in the current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element DA Subelement 19

Section E3 of the Update document provides discussions of recovery type actions. These explicit discussions are considered a positive feature of the JAF IPE documentation.

This section may be enhanced to include a short discussion (or bullets) regarding the application details of the recoveries (e.g., DC initiators not recovered, CCF of DC not recovered due to high failure probability).

LEVEL OF SIGNIFICANCE D POSSIBLE RESOLUTION Consider the above enhancement to the documentation.

If these details are discussed elsewhere in the documentation, provide a short reference to where this information may be found.

PLANT RESPONSE OR RESOLUTION

In response to another comment, a guidance document has been developed to discuss the application of recovery actions to specific sequences.

Element HR

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 1

No guidance on treatment of recoveries.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

The basis for the recovery process is not discussed regarding the method for inclusion in model.

NYPA has subsequently provided an excellent document that describes the intent of each of the recovery rules. It would be useful to also have a test of these rules to ensure they are appropriately implemented such that the final cutsets are appropriate.

PLANT RESPONSE OR RESOLUTION A verification of the accuracy of the recovery rule file was performed by reviewing the final cutsets to ensure that each recovery action was applied appropriately.

In addition, this cutset review was performed with the non-recovery probabilities set to 1.0 to ensure that recovery actions were appropriately applied to low frequency sequences.

Appendix M of the IPE update report was developed to provide recovery rule guidance.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 11, 17

Section E.3.3.1 is the HRA assessment of manually opening LPCI injection valves locally.

It is a strength to include such actions, but when on the frontier of PSA assumptions, more substantive support than currently included is needed.

The evaluation cites times available to perform these actions. It is believed that the times cited are generally optimistic and do not account for potential delays in the cues to begin actions and account for competing effects of multiple failures having occurred.

Specific calculations are required to support the manual opening of the LPCI injection valves for a Large LOCA with core spray failed and LPCI injection valves failed closed:

a) include condensate success in the event tree as required and provide a qualified T&H calculation to support this if this is to be assumed in the HRA

b) calculate time available using the qualified T&H calculation

c) demonstrate that with 2/3 core coverage and outside shroud drained there is no radiation or other accessibility issues for the local operator action.

(RHR in pool cooling mode or drywell spray may be operating with consequential shine to the LPCI valve compartment.)

If these items cannot be supported by calculations, it would appear not prudent to make seemingly optimistic judgements regarding their outcomes.

(See also HR-18)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Document the performance shaping factors including reactor building radiation fields present under the postulated sequence conditions.

Similar evaluations of other plants indicate radiation fields of 500 R/Hr could be present due to shine and containment leakage.

Ensure that local manual actions adequately address the time available and the performance shaping factors.

PLANT RESPONSE OR RESOLUTION

We maintain that the actual time to perform the action (20 minutes) is still valid and realistic.

However, we agree that less time may be available to perform the action if the time is measured from when the RPV is depressurized to core exit TCs reaching 2200°F. The HEPs have been re-quantified based on the new time-available T/H calculation.

Radiation levels present are not believed to preclude the ability of the operators to perform this action. Furthermore, it should be noted that the operators do have the capability of overriding the pressure interlock and opening the LPCI injection MOVs from the control room using key-locked bypass switches or by lifting leads in the relay room. Therefore, in the event that radiation levels were excessively high, use of the key-locked bypass switch or lifting leads are still an option.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 11, 17

The use of FPS backup to ESW for D/G cooling is considered a strength because the procedure and capability exist. The PSA also models the issue. However, areas of potential enhancement include consideration that a LOOP event may involve induced LOCA signal such as high drywell pressure that can cause diesels to run despite high jacket temperature and potentially to destruction, i.e., before the FPS alignment can be made. It is noted that there may also be conservatisms in the modeling.

It is believed that high drywell pressure will be present for LOOP cases without Diesel/ESW because of high drywell temperature, leakage, or SRV tail pipe stuck open conditions.

Because the failure mode of ESW to the diesels may be one that involves clogging of ESW intake or clogging of diesel cooling jacket, the loss of cooling to the diesel may not occur at t = 0, but may only occur after the diesel is running for a time and the high drywell signal has occurred.

Therefore credit for Diesels automatically tripping on high coolant temperature is judged not to be appropriate.

Therefore, operator may not have 650 min to take action as assumed in the HRA.

It is judged that there is not 600 minutes available to align the FPS to the diesel. There is not an HEP included in the model to stop the diesel from running to destruction.

There may also be a question regarding the accounting used to assess accident sequences that have no SW initially, the diesels are stopped by the operators, and therefore require the use of HPCI or RCIC for 6 hours but incur a failure of HPCI and RCIC to start or to run. These failure sequences appear not to be quantitatively assessed.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Re-assess credit for the manual alignment and how the model incorporates this action in the time phased approach to LOOP/SBO events.

Ensure that the non-recovery probability accounts for both operator error and hardware failure (i.e., could be as high as 0.05.) Account for the human action required to ensure that the diesels do not run to destruction.

This means the diagnosis time is 3 min. not 650 min.

PLANT RESPONSE OR RESOLUTION

While the reviewer is correct in pointing out that a high drywell pressure will be present for LOOP cases without diesels/ESW because of high drywell temperature, leakage, or stuck-open SRVs, it is important to consider when a high drywell pressure condition occurs. With the exception of sequences involving one stuck-open SRV, no credit was taken for aligning fire water to ESW to provide EDG cooling during LOCA conditions, and no credit was given to operators manually tripping the EDGs. For non-LOCA sequences or sequences involving one stuck-open SRV, the diesels are expected to automatically trip prior to the existence of high drywell pressure conditions.

In other words, while a high drywell pressure condition may occur during non-LOCA conditions, the diesels will automatically have tripped prior to the occurrence of high drywell pressure.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 11

Interface of HRA and Accident Sequence

The SLC initiation success following RPT failure appears to be considered in the event tree to be success, or conversely RPT failure alone does not lead to CDF sequences.

The SLC evaluation for initiation does not consider conditions associated with no RPT, i.e., power level quite high. Therefore, it appears that this sequence dependency is not incorporated in the HRA or conversely, the HEP is applied to an inappropriate sequence.

NYPA has indicated in response to these observations that it is not completely accurate to say that SLC initiation is successful following RPT failure. Because of the low frequency associated with an ATWS event combined with failure of RPT, the sequence was not developed further as it has a low contribution to the overall ATWS CDF.

The Certification Team believes RPT failure results in core damage for ATWS scenarios.

If that is not the case at FitzPatrick, there needs to be documentation to that effect. The RPT failure sequences are believed to be sufficiently important for assessing importance measures to be included in the model (e.g., 2/yr

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

This does not appear to be quantitatively significant, but RPT failure should be incorporated in the model consistent with success criteria.

PLANT RESPONSE OR RESOLUTION

In the ATWS event trees, failure of the operator to initiate SLC results in core damage, with or without success of RPT. While it is reasonable to conclude that there is some dependency between operator actions to initiate RPT and SLC, failure of RPT and SLC is much lower in probability than the failure of SLC alone. It is not completely accurate to say that SLC initiation is successful following RPT failure. Because of the low frequency associated with an ATWS event combined with failure of RPT, the sequence was not developed further as it has a low contribution to the overall ATWS CDF. The reviewer correctly notes that the frequency of ATWS events with RPT failure is on the order of 3.6E-8/yr.

However, this sequence by itself does not constitute core damage, as additional failures must occur. Therefore, the CDF for this sequence is less than 3.6E-8/yr.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 11

Manual RPT (Section E.2.2.2)

RPT performs two functions:

  • Immediate RPV pressure control
  • Longer term RPV power control

The pressure control function should not credit manual initiation or low level automatic initiation of RPT because it is required within 3 seconds of the initiator.

The HEP of 6E-3 for failure to manually initiate RPT is extremely low considering the time available.

The calculation in Appendix E does not even discuss time available, which is on the order of a few seconds (after which point the RPV pressure will proceed to spike to about 1500 psi in about 8-10 seconds).

Other industry PSAs do not credit manual RPT.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Provide a discussion in Appendix E regarding the short time frame in which to manually trip the recirculation pumps and set the HEP at 1.0. Alternatively, simply remove this action from the models.

Not quantitatively significant.

PLANT RESPONSE OR RESOLUTION

Agree. The manual RPT action does not credit the action for immediate RPV pressure control, only "longer term" RPV power control. This is evidenced by the fact that the RPT top event is included under the "Reactivity Control" heading in the event tree.

The manual RPT function that is modeled is for longer-term power control, not immediate RPV pressure control. However, the reviewer is correct in that no mention is made in the write up of Appendix E as to the time available.

The time available to perform this action will be included in future IPE updates, although this is not anticipated to impact the results.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 12

Consistency

The Large LOCA initiator has the following characteristics:

  • credit is given to manually open LPCI inject valves
  • HEP for RHRSW cross tie which is via remotely operated valves from the control room is set to 1.0

This appears to be an inconsistent application of HRA. For similar conditions, it would appear that the remote operation from the control room to open RHRSW cross tie valves would be given credit for success when the LPCI injection valves can be opened manually, i.e., both actions should be included in the PSA.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Consistency in assumptions regarding what can be credited is considered vital in developing a balanced, unbiased, realistic PSA for applications.

PLANT RESPONSE OR RESOLUTION The inconsistency being alluded to is not completely accurate.

Credit for manually opening the LPCI injection valves during a large LOCA is only taken when condensate is initially available.

The action to align the RHRSW cross-tie for injection assumes that no injection sources are initially available.

Without condensate being initially available during a large LOCA, the HEP for opening the LPCI injection valves would also be 1.0.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 16

There are a number of operating staff actions that appear to be credited in the analysis but are not explicitly quantified and included in the quantitative model as a separate identifiable entity.

These include:

  • SBO: Load shed of battery to extend battery life
  • SBO: Bypass HPCI High Temperature Trip at 143°F (and RCIC)
  • SBO: Prevent FPS injection at 140°F in HPCI/RCIC rooms based on sprinkler actuation
  • SBO: Open Doors in RCIC
  • LOOP: Trip diesel if SW is unavailable

NYPA stated that these are implicitly modeled in the timing for the probability of non-recovery of offsite power.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Include quantitatively in the model or ensure that the justifications are included in the documentation.

PLANT RESPONSE OR RESOLUTION Operator follows AOP-49 during SBO performing the above actions. However, a human error probability of performing load shed to extend battery has been modeled in the second update for quantification.

Room heat up calculation has demonstrated that RCIC can operate without room cooling during the SBO mission time.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 18

Allowable Times

The PSA includes a local manual action to allow opening LPCI injection valves after they fail to open automatically or remotely.

However, all allowable times used for NR-MANVLV derivations appear to be too long. The cue for this action appears to assume it is at t = 0 or the initiator.

In fact, the cue to begin this action is when the injection valves do not open as RPV pressure drops below 450 psig. Then and only then will the time clock for this action begin for the diagnosis and manipulation clock.

(See also HR 11, 17 & HR-18)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Reevaluate the available time for operator action for NR-MANVLV and ensure that other performance shaping factors such as radiation are also included.

PLANT RESPONSE OR RESOLUTION

We agree with the reviewer's comment. The time available to perform this action will be based on the time that RPV pressure falls below 410 psig to the time core temperature reaches 2200°F. This is consistent with the notion that operators will not be aware of the fact that the LPCI injection valves didn't open until the pressure falls below the permissive setpoint of 410 psig. This change has been incorporated into the current IPE update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 18

HRA / T&H Support

The HRA assessment for manually opening the LPCI injection valve under a loss of DC power was assessed using a T&H calculation that may be different than the actual conditions.

NYPA identified the following during the Certification:

LPCI injection valve recovery was only quantified for three cases: Large LOCAs (with condensate initially available), 1 stuck-open SRV with HPCI, and 2 stuck-open SRVs with HPCI. In the case of a loss of DC initiator with no stuck-open SRVs, the time available for recovery is bounded by the case where 1 SRV is stuck open and HPCI is available (i.e., NR-MANVLV-15RV).

In summary, use of NR-MANVLV-15RV is conservative but represents the most applicable recovery for this case.

Based on page 1-39 of Appendix I, if HPCI and RCIC are lost, core damage will begin 44 minutes (i.e., 108 minutes - 64 minutes) after ADS actuation.

While this time window is less than 60 minutes assumed to be available for the quantification of NR-MANVLV-15RV, the 44 minute value is conservative because it assumes that the SRVs remain open even after LPCI is capable of injecting into the RPV. In addition, the reduction in time available from 60 minutes to 44 minutes does not significantly increase the error probability for NR-MANVLV-15RV.

The areas of disagreement with this assessment are the following:

  • Core damage is believed to occur much sooner than the 44 minutes identified above, specifically when a value of 2200°F or 1/3 core height is used as the definition.
  • When ADS valves are open, the core uncovers and results in potential radiation shine from the RPV and containment to the reactor building.
  • All of the ADS SRVs will remain open by procedure and this is not conservative.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION

Review the basis for the HEP.

PLANT RESPONSE OR RESOLUTION

The non-recovery probabilities associated with this action have been requantified using the 2200°F failure criteria, and the results have been incorporated into the IPE update. Regarding the issue of potentially excessive radiation levels, this issue is not currently judged to be a concern since the LPCI injection valve pressure interlock can be overridden from the control room by using key-locked bypass switches or in the relay room by lifting leads.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 18

The JPM and testing performed on some of the local reactor building actions involve walkthroughs of the procedure steps but not the actual manual opening and closing of valves.

This observation is applicable to:

  • LPCI injection valves are not manual stroked
  • FPS backup to ESW for the Diesels
  • FPS backup to the RHRSW for Hx cooling

Because of this, there needs to be a conditional probability that the manual action cannot physically be performed.

This could be related to crud build up or a design problem with the manual operator being inadequate for valve movement.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION

Include probability that valve cannot be opened manually.

If this action has never been performed, it would be difficult to justify failure probabilities lower than 0.5 for the manipulation error.

PLANT RESPONSE OR RESOLUTION

Hardware failures associated with the ability to manually align valves are already incorporated into the HEP quantification for cross-tying FPS to ESW and to RHRSW. Since these actions involve the alignment of manual valves locally, design problems associated with the manual operator are not considered to be an issue. With regard to hardware failures associated with manually opening the LPCI injection valves, a hardware failure probability will be included in the next update, although it is not expected to significantly impact the results. It should be noted, however, that the execution times do include the times associated with manually opening and closing valves.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION

Element HR Subelement 18

Alternate Boron

The alignment HEP for alternate boron using CRD during an ATWS is judged by the Certification Team to be optimistic considering the action is performed in the reactor building and there is an ATWS scenario on-going.

-The performance shaping factors for alternate Boron do not address the following conditions: " Torus temperature of 270°F would lead to elevated reactor building temperature

  • RPV level as low as 2 ft. below TAF would lead to radiation streaming from containment
  • Fuel failures are likely and radiation shine from torus cooling operating and from torus are not accounted for* Local actions at the CRD filter station in the Reactor Building may not be possible because of high radiation caused by fuel failures during initial ATWS transient* The dumping of steam to the hot pool with elevated level could create substantial movement of the torus due to hydrodynamic loads Operator input indicated that this can be performed within 20 min. under conditions without severely adverse conditions.

LEVEL OF SIGNIFICANCE B POSSIBLE RESOLUTION Credit for alternate boron actions need to account for the degraded performance of operators trying to perform the local actions under potentially severe conditions.

Because local manual actions in the Reactor Building are not generally included in the ASEP methodology and there are substantial potential for adverse conditions, credit for these actions must be justified by calculations of conditions such as temperature, radiation, torus load impacts on stress rather than judgement.

PLANT RESPONSE OR RESOLUTION We don't believe that radiation levels on the 272-ft elev. and 326-ft elev. of the RB (where the local actions will be performed) will be high enough to preclude performance of this action. In addition, the HEP for this action is 0.087, which is not believed to be overly optimistic.

According to the risk importance measures, if this action was set to a failure probability of 1.0, the CDF would only increase by 7%.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 18 Time

The time available used in the ASEP HRA method applied at JAF uses the entire time window from event initiation to the action assigned.

This can be optimistic in cases where the cue for an action does not occur until late in the sequence.

As an example, for depressurization the time used in the HRA is time from t = 0 to time to reach TAF due to boil down. The time available may be more appropriately estimated as the time from approaching TAF to the time of core damage.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Be aware that the times employed in the ASEP method may not correspond to the cues which will cause operating staff action.

PLANT RESPONSE OR RESOLUTION We agree that the time available used to calculate the diagnostic portion of the HEP should be based on the time between the cue and failure (e.g., core damage). However, with respect to symptom-based procedures, the cue is oftentimes the initiator itself in that the initiator leads the operators to perform the required actions simply by following the applicable EOP. Examples of this are initiating SLC, controlling water level or overriding MSIV isolation during an ATWS and defeating the automatic transfer of HPCI suction to the torus. In all these cases, the operator is led by the EOP to perform the actions without the need for an additional cue.

With respect to the example that the reviewer cited, we disagree that the cue for manually depressurizing the RPV is reaching TAF. TAF is the earliest point at which the operators are instructed by procedure to initiate emergency depressurization.

However, the need to perform this action should have been diagnosed prior to reaching TAF. In this case, the "cue" to the operators would be the fact that all high pressure injection systems have failed, which is conservatively assumed for thermal-hydraulic purposes to occur at time t=0. With regard to selecting TAF, and not core damage, as the failure end point, TAF was selected because beginning RPV depressurization at TAF will allow sufficient time for the RPV to depressurize and LPCI to inject successfully to prevent core damage. Thus, core damage was not selected as the end point because some time will be needed to depressurize the RPV and for LPCI to provide sufficient injection flow to prevent core damage.

With respect to actions involving, for example, providing alternative means of RPV injection, the preferred means of injection are assumed to be failed at time t=0. From a thermal-hydraulics standpoint, assuming the systems are failed at time t=0 is generally conservative because the decay heat is higher at t=0 which results in less time available to perform a given action.

One recovery action where the time available has been re-evaluated is manually opening the LPCI injection valve. Previously, the time available to perform this action was based on the time from loss of injection to core temperatures reaching 4130°F. However, since the operators will not recognize that the LPCI injection MOVs failed to open until RPV pressure falls below the permissive setpoint of 450 psig, the cue for this action should begin from the time that the RPV is depressurized and pressure falls below 450 psig. In addition, failure is now defined as core temperatures exceeding 2200°F.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 18 Time Required to Complete Action

The times to complete actions are identified.

This is considered a strength. However the time required for some of the local manual actions appear optimistic.

LEVEL OF SIGNIFICANCE B POSSIBLE RESOLUTION Ensure that operations and training input are included on a sequence specific basis and that accident sequence performance shaping factors are addressed.

NYPA subsequently stated that the manipulation times are actually felt to be conservative in most cases. For example, where Job Performance Measures (JPMs) exist for actions, the manipulation time used in the analysis are less. In addition, where estimates are based on interviews with operations or training personnel, the times were doubled. In some cases, JPMs were not available and execution times were estimated based on actual walkdowns and simulation of the required actions. Other than these methods, there are very few alternatives to obtaining execution times. These should be documented for each action, this would satisfy the comment.

PLANT RESPONSE OR RESOLUTION The above should state that, "where Job Performance Measures (JPMs) exist for actions, the manipulation time used in the analysis is greater (conservative)."

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 19 Success Criteria for Available Operator Action Times

Core Damage is assigned if Level cannot be restored above 2 ft. above BAF (ABAF). This appears to be optimistic.

Most utilities use definitions consistent with the PSA Applications Guide such as:

  • Above 1/3 core height
  • Below peak temperatures of 1500 to 2200°F

The use of 2 ft ABAF or equivalent MARCH calculations of 4130°F (melt temperature) are believed to be slightly non-conservative and result in using operator times for actions that may be longer than that which can be justified to prevent core damage.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Assess the operator action time based on consistent definition of core damage.

PLANT RESPONSE OR RESOLUTION The time windows for performing actions which were based on core damage were re-evaluated to reflect the definition of core damage as core temperatures reaching 2200°F. This change, however, did not result in significantly higher HEPs since in many cases the time to core damage was conservatively reduced or rounded off.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 19 Accident Allowed Time

The times allowed for operator diagnosis and operator action are identified in the HRA in Appendix E. This is a strength.

The relationship of these to T&H calculations are desirable.

Examples of questionable cases are:

  • Alternate Boron injection assumes 130 min. are available before initiation is required. This does not include time for injection nor does it then get translated into plant conditions that would exist if ATWS had progressed for 2 hours and 10 min. without boron injection.
  • Time available to manually open LPCI injection valves, e.g., Large LOCA time to core damage when ECCS fails of 71 min. (Condensate would appear not capable of reflood of the core as assumed in the HRA)
  • Alignment of FPS to cool the diesel generator gives in excess of 600 min.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Ensure that the allowed times are supported by specific calculations, especially those that are significantly different than those that have been confirmed by a number of generic sources. The Certification Team did not agree that the Thermal Hydraulic calculations using MARCH supported either of these timing estimates.

PLANT RESPONSE OR RESOLUTION All times for diagnosis are based on plant-specific thermal hydraulic calculations.

Regarding the 130 minutes for alternate boron injection, the time for injection is considered to be negligible.

In addition, the execution time of 75 minutes is felt to be quite conservative.

The 71 minutes calculated for the large LOCA time to core damage is based on a plant-specific T/H calculation, which assumes condensate is available for the 1st 11 minutes. The time available to align fire water to cool the diesels was changed to 8 hr, or 480 minutes, to reflect the time until battery depletion.

Also, the time available to align fire water assumes that the diesels automatically trip on high temperature prior to any high drywell pressure condition which would cause the diesels to continue running.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 19 ADS Inhibit

The HEP assigned to ADS inhibit is set at 1E-5 for failure to scram sequences.

The Certification Team believes that there is insufficient simulator data or other source of "data" that can be used for the subject HEP to justify a value of 1E-5 under high stress conditions with very little time available.

The justification for this value is considered optimistic.

A value for a heavily time dependent action with a very short time available is considered difficult to justify being lower than 1E-3 especially any HRA method especially using the ASEP methodology.

Time available is not addressed.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Revise the ADS inhibit assessment to be consistent with time dependent actions.

PLANT RESPONSE OR RESOLUTION The value 1E-5 is based on simulator observations, the fact that the EOPs (EOP-3) instruct this action both in the power and level "legs" of the EOP, and the fact that there is an alarm that actuates 2 minutes prior to ADS automatically initiating.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 20

The estimated action times from walkthrough notes and the action Job Performance Measures (JPMs) do not coincide in many cases (e.g., boron injection using CRD uses 75 minutes whereas the JPM states 15 minutes).

This may not be crucial considering that the value used in the HEP calculations appear to be on the conservative side.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Provide a reference in the HEP calculations to the best estimate time to perform the action (i.e., the JPM values) if the calculation uses a different value, and provide the bases for the difference.

PLANT RESPONSE OR RESOLUTION Agree. The documentation for each action in Appendix E will cite the source (e.g., simulator, JPMs, talk-throughs, etc.). JPMs are used as the basis but where the analysis uses a more conservative value.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 21 Recovery Rules

One of the crucial aspects of the analysis is the application of recoveries to cut sets. These are done automatically using a set of rules that establish the non-recovery factor that should be added given the cutset composition.

There was no description of these rules or how they are derived during the Certification Team review. Subsequently, NYPA provided Attachment HR-21 which is an excellent summary of the rules. The Certification Team has not reviewed the technical adequacy of the recovery rule descriptions although it is noted that there are F&Os that address individual recovery assumptions.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Document the process, the basis, and how the application of these rules are verified. Guidance Document exists and will be used in future. NYPA has subsequently provided an excellent document that describes the intent of each of the recovery rules. It would be useful to also have a test of these rules to ensure they are appropriately implemented such that the final cutsets are appropriate.

PLANT RESPONSE OR RESOLUTION Application of the recovery rule file has been applied to ensure recoveries are being credited appropriately for this current (second) model.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 26 Dependency

The enclosed cutset #57 that was performed for cases with "NfR" set to TRUE revealed that there may be multiple HEPs included in the same cutset. The dependency in cutset #57 attached is that 2 depressurization actions are multiplied together:

  • ADS-XHE-FO-X1T2
  • NR-TBV

The combined probability for the depressurization function is ~1.6E-5. P. E-87 and E-88 of the PSA update identifies the combined probability to be 1.6E-5, however no technical basis is provided to support the 1.6E-5 value. The diagnosis failure for SRVs or TBVs is judged to be the same and therefore cannot be less than 1.E-4. The value of 1.6E-5 is noted to be far below the HEP that has been calculated for other Certified BWRs using currently available HRA techniques and is believed to be related to not accounting for the dependency between these two actions.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review the cutsets with all post accident HEPs (i.e., XHE and NR) set to 0.1 or 1.0 to ensure all dependencies are incorporated into the evaluation.

PLANT RESPONSE OR RESOLUTION

Comment: "...there may be multiple HEPs included in the same cutset. The dependency in cutset #57 attached is that 2 depressurization actions [ADS-XHE-FO-X1T2 and NR-TBV] are multiplied together. The combined probability for the depressurization function is ~1.6E-5.... however no technical basis is provided to support the 1.6E-5 value."

Response: Pages E-87 and E-88 of Appendix E state that "the probability that the operator fails to perform both methods of depressurization will be dominated by a diagnostic failure." Therefore, the 1.6E-5 value is derived from the diagnostic failure contribution to ADS-XHE-FO-X1T2, which is 1.6E-5 (i.e., 4.7E-5 x 0.41 x 0.81). This will be made clearer in the writeup for Appendix E during the next update.

Comment: The diagnosis failure for SRVs or TBVs is judged to be the same and therefore cannot be less than 1E-4.

Response: The reviewer is correct in that the diagnosis failure for these two actions are the same. This is why the combined HEP has a value of 1.6E-5, which corresponds to the diagnostic portion of the failure for manual depressurization using the SRVs. It is unclear, however, why the reviewer feels that the diagnosis failure cannot be less than 1E-4.

Comment: "[The 1.6E-5 value] is far below the HEP that has been calculated for BWRs using currently available HRA techniques and is believed to be related to not accounting for the dependency between these two actions."

Response: Without an understanding of how other plants performed their human reliability analyses and how each plant differs in terms of design and operator training, it would not be appropriate for us to comment on the HEP calculated for other BWRs. In our opinion, dependency between these two actions has been accounted for. It should be noted that the HEP used for the operator action to depressurize using only the SRVs is 3.6E-4 for transients.

We are aware that this value falls within the range of values used by other BWRs. Regarding whether the combined HEP is well below that of other BWRs, as part of the next update we plan to review other IPEs to determine how (or if) this dependency was modeled. For now, we believe the value of 1.6E-5 for the combined HEP is appropriate.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 26 Dependency

The treatment of operator actions to perform containment heat removal may be linked. This linkage does not appear to be addressed.

The following operator intensive actions are used in loss of heat removal sequences:

  • PCS recovery
  • Local Venting
  • Remote Venting
  • Align FPS to RHRSW for heat removal

When multiple failures of these occur in the same cutset, there should be a justification for their presence.

Specific items include the following:

  • Failure of venting locally and remotely are considered highly dependent and cannot be justified in the same cut set.
  • Failure of operator action to align FPS to RHRSW should not be included in sequences with other operator errors (see attached)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Justify combinations of HEPs. NYPA subsequently agreed with these comments.

PLANT RESPONSE OR RESOLUTION

Comment: "The treatment of operator actions to perform containment heat removal...does not appear to be addressed."

Response: Operator dependencies related to actions involved in performing containment heat removal were addressed.

Referring to Sections E4.5.4 and E4.5.5 of Appendix E, for example, dependencies between failure to vent containment locally and from the relay room were considered, as was failure to initiate drywell spray and suppression pool cooling. In both of these cases, failure to successfully diagnose the first action was assumed to guarantee failure to diagnose the subsequent action (e.g., failure to diagnose the need to initiate suppression pool cooling was assumed to result in failure to diagnose the need to initiate drywell spray. Likewise, failure to diagnose the need to vent containment from the relay room was assumed to result in failure to vent containment locally).

However, since only the diagnostic portions of the errors are considered to be highly dependent and not the post-diagnostic portions, failure of the first action does not guarantee failure of the second action. The treatment of dependencies between multiple operator actions is discussed in Section E4 of Appendix E.

Comment: "The PCS recovery at 7E-3 is judged not applicable to loss of condenser vacuum sequences."

Response: Agree. PCS recovery shall be eliminated, if found, from sequences involving loss of condenser vacuum. Separate loss of condenser vacuum event tree was developed for this current (second) update.

Comment: "Failure of venting locally and remotely are considered highly dependent and cannot be justified in the same cutset."

Response: We agree that diagnosis between venting locally and remotely is highly (in fact, completely) dependent. However, since some of the error probabilities are due to post-diagnosis errors which are not considered to be dependent, there is still some probability that local venting may be successful given that remote venting has failed. The cutset used as the example incorrectly assigned a failure probability of 1.9E-3 to local venting (NVP-XHE-FO-LVENT) given failure of remote venting in Cutsets 98 & 99. The correct value for NVP-XHE-FO-LVENT should have been 0.11. This will be corrected.

Comment: "Failure of operator action to align FPS to RHRSW should not be included in sequences with other operator errors."

Response: We agree that failure of the operator action to align FPS to RHRSW should not be included in sequences where another operator action (one with more time available for diagnosis) has failed.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 26 Multiple HEPs

A search of the event trees has been performed in a thorough manner to address dependence among operator actions that are identifiable through this review. Additional consideration could be given to the identification of cutsets that have multiple HEPs and non-recoveries assigned to ensure that these cutsets are not screened out due to low frequency.

In addition, the use of a combined HEP of 1E-8 to 1E-11 for a sequence (when non-recovery of venting and PCS is included) may be below what can be technically justified.

NYPA provided one perspective as follows: The total operator error probability for W1 x W2 x Y is W1 ∩ W2 x Y = 5.7E-6 x 1.9E-3 = 1.1E-8. The actions to perform suppression pool cooling/drywell spray were considered to be independent of error associated with venting due to the very long time available (20 hours). In addition, zero dependence between W1 and W2 and Y was assigned based on the 3rd bullet of page E-80 in Appendix E, which states "if the cue for the second event occurs after the time available to diagnose the first event has expired, zero dependence is assumed for diagnosis between the first and second events."

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review low frequency cutsets to ensure multiple HEPs have dependencies accounted for. Ensure that the predefined rules that establish when zero dependence is to be assumed are appropriate for the circumstances of different sequences.

PLANT RESPONSE OR RESOLUTION Given the very long time window available to perform the above actions (20 hours), multiple operator action failure probability is expected to be negligible.

Sequence is expected to be dominated by hardware failures.

Review of low frequency cutsets will be better documented to explain how multiple HEPs/dependencies were accounted for.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 27 Dependencies

The HEPs (both non-recoveries (NR) and post initiator HEPs) have not been set to 0.1 or 1.0 to identify multiple HEPs in single cutsets without loss of information.

LEVEL OF SIGNIFICANCE B POSSIBLE RESOLUTION Perform the review of cutsets after HEPs have been raised in probability to allow the cutsets with multiple HEPs to be identified.

PLANT RESPONSE OR RESOLUTION A more refined human reliability analysis was performed and presented in Appendix E.4 Dependencies between post-initiator human actions and recovery actions were more thoroughly evaluated in the updated JAFPSA model. Assigning screening values to the HEPs was not applied in the current PSA model but will be incorporated into the next model update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element HR Subelement 27 Dependency

The enclosed accident sequence cutset file shows the top cutset for TM 32 and TM 33 (T3A transfer) to be the case with operator fail to initiate SLC and Alternate Boron and Level control, respectively.

These two operator actions appear to be derived assuming success of one has occurred (see P. E-27). Therefore, this appears to be an incorrect cutset which should be removed from the model. Failure to diagnose initiation of SLC will also prevent the diagnosis to initiate Alternate SLC and to diagnose the need to use power/level control. This may be because the C2 fault tree model double counts the SLC initiation failure. Alternatively, this appears to be an HRA dependency that has not been accounted for. (The success term is believed to have not treated this failure cutset correctly.)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review cutsets for other potential multiple HEPs.

PLANT RESPONSE OR RESOLUTION The above sequence was indeed double-counting the SLC initiation failure. This has been corrected.
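The screening review requested in the HR-26 and HR-27 observations above can be illustrated with a short Python sketch; this is an added example, not part of the original submittal or of the JAF PSA model. Only the XHE/NR naming convention and the two values for NVP-XHE-FO-LVENT (1.9E-3 and 0.11) come from the text; NVP-XHE-FO-RVENT, the hardware event names, every other probability and the truncation limit are constructed assumptions.

```python
from math import prod

# Constructed basic-event data. Only the two NVP-XHE-FO-LVENT values
# (1.9E-3 nominal, 0.11 given remote venting failed) appear in the text;
# all other numbers and the RVENT/hardware event names are hypothetical.
PROBS = {
    "IE-T2": 1.0,                # initiator frequency per year (constructed)
    "HPCI-TDP-FS": 2.0e-2,       # hardware failure (constructed)
    "RHR-MDP-FS-A": 3.0e-3,      # hardware failure (constructed)
    "RHR-MDP-FS-B": 3.0e-3,      # hardware failure (constructed)
    "ADS-XHE-FO-X1T2": 4.0e-4,   # HEP (constructed value)
    "NR-TBV": 5.0e-2,            # non-recovery (constructed value)
    "NVP-XHE-FO-RVENT": 1.0e-2,  # hypothetical remote-venting HEP
    "NVP-XHE-FO-LVENT": 1.9e-3,  # local venting, treated as independent
}

CUTSETS = [
    ("IE-T2", "HPCI-TDP-FS", "RHR-MDP-FS-A"),
    ("IE-T2", "HPCI-TDP-FS", "ADS-XHE-FO-X1T2", "NR-TBV"),
    ("IE-T2", "RHR-MDP-FS-A", "RHR-MDP-FS-B",
     "NVP-XHE-FO-RVENT", "NVP-XHE-FO-LVENT"),
]

# P(second action fails | first action failed) for dependent pairs.
CONDITIONALS = {("NVP-XHE-FO-RVENT", "NVP-XHE-FO-LVENT"): 0.11}

TRUNCATION = 1.0e-9  # constructed truncation limit


def is_hep(event):
    """Post-accident human actions are the XHE and NR events."""
    return "-XHE-" in event or event.startswith("NR-")


def frequency(cutset, probs):
    """Cutset frequency as the product of its basic events."""
    return prod(probs[e] for e in cutset)


def retained(cutsets, probs, truncation):
    """Cutsets that survive truncation at the given probabilities."""
    return [cs for cs in cutsets if frequency(cs, probs) >= truncation]


def multi_hep_cutsets(cutsets, probs, truncation, screening=0.1):
    """Requantify with every HEP raised to the screening value and
    report cutsets holding two or more HEPs, noting which of them
    were truncated when the nominal (independent) HEPs were used."""
    raised = {e: max(p, screening) if is_hep(e) else p
              for e, p in probs.items()}
    findings = []
    for cs in retained(cutsets, raised, truncation):
        heps = [e for e in cs if is_hep(e)]
        if len(heps) >= 2:
            nominal = frequency(cs, probs)
            findings.append({
                "cutset": cs,
                "heps": heps,
                "nominal": nominal,
                "lost_at_nominal": nominal < truncation,
            })
    return findings


def dependent_frequency(cutset, probs, conditionals):
    """Cutset frequency with the second action of each dependent pair
    replaced by its conditional failure probability."""
    local = dict(probs)
    for (first, second), p_cond in conditionals.items():
        if first in cutset and second in cutset:
            local[second] = p_cond
    return frequency(cutset, local)


if __name__ == "__main__":
    for f in multi_hep_cutsets(CUTSETS, PROBS, TRUNCATION):
        dep = dependent_frequency(f["cutset"], PROBS, CONDITIONALS)
        print(f["heps"], f"nominal={f['nominal']:.2e}",
              f"dependent={dep:.2e}",
              "TRUNCATED AT NOMINAL" if f["lost_at_nominal"] else "")
```

With these constructed numbers the venting cutset falls below the truncation limit when the two HEPs are multiplied as independent, but is kept once local venting is assigned its conditional value of 0.11.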

Element DE

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 3

There is no guidance document regarding the treatment of various dependency issues throughout the PSA. However, Section 3.2.3, P. 3-368 provides a description of the approach.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Develop a guidance document that directs/discusses the treatment of inter-system dependencies, human interactions, common cause, spatial considerations, etc.

PLANT RESPONSE OR RESOLUTION This guidance document has been developed in the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DE Subelement 4 The component level dependency matrices are a positive feature of the analysis.

Train level dependency matrices would be an enhancement to the PSA, providing ease of communication of dependency and making the PSA consistent with other industry PSAs. The typical train level dependency used in the industry include: IE vs. Frontline System, IE vs. Support System, Frontline vs. Support System, and Support System vs. Support System, where the latter two are the most useful and important.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Consider developing and including the above types of dependency matrices for use in the JAF IPE.

PLANT RESPONSE OR RESOLUTION Upper level dependency table has been included in Appendix A of the current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 4

Dependencies are represented at a component level.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION

PLANT RESPONSE OR RESOLUTION

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 4

Very detailed component level dependency listing is provided but no summary, system level listing or matrix is provided.

Dependencies for a system are provided in the system notebooks.

A higher level listing is useful for "what if" analyses and other applications.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Create a summary level dependency document.

PLANT RESPONSE OR RESOLUTION See response to DE-2.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 7

There are CCF that are not considered for the fault trees including things such as ESW pump suction strainers.

There is no CCF for both CRD strainers though there is an "anded" failure of the strainers at gate CRD-2.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Evaluate expanding scope of CCFs considered to include other pairs of components especially those with "anded" failures.

PLANT RESPONSE OR RESOLUTION CCF terms added to current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 7

There is no common cause failure of HPCI and RCIC even though an INPO evaluation shows that there is linkage between the two systems.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Add a common cause failure of HPCI and RCIC to the model.

PLANT RESPONSE OR RESOLUTION CCF terms added to HPCI and RCIC fault tree model for the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 7

A review of top 100 cutsets revealed a number of cutsets (e.g. #7, #8) contain independent failures of redundant components (e.g. pressure transmitter A & B). A review could be provided to determine if CCF should be modeled. (See QU-9)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review top cutsets to determine if CCF should be used instead of redundant independent failures.

PLANT RESPONSE OR RESOLUTION CCF basic events for the ATTS pressure and level transmitters have been included in the current (second) update model and quantified for the CDF contribution.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 9

It is not clear that if support system initiators were quantified separately from the T2 initiator that they would not be the most dominant cutsets.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Break out the Loss of IA and Loss of SW initiators and quantify separately (refer to IE element comments).

PLANT RESPONSE OR RESOLUTION See Response to IE-5.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 9

Appendix H, flooding analysis indicates that the figures have the flood areas shown on them except for figure H.4.1.1.6 they do not. The area names are generally informative enough to figure it out with the information on the drawing.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Put flood area designators on the remaining drawings.

PLANT RESPONSE OR RESOLUTION Flood areas were marked in figure H.4.1.1.6 of the Appendix H in the current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 9

The flooding analysis provides a good overview of the method and the general considerations at many of the locations.

However, explicit quantification event trees or sequences results should be provided to support the conclusions regarding the quantitative dismissal of certain rooms or sequences.

Specifically, the HEPs, dependencies, and contributing sequences would be useful to discuss.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Provide additional detail on the internal flood quantification process used to truncate sequences.

PLANT RESPONSE OR RESOLUTION As noted in section H3.3 of the report, the event trees developed and the data used to quantify internal flooding scenarios that might lead to core damage were based on those developed for the internal events PRA and the IPEEE fire PRA. The only changes made to quantify internal flooding scenarios were to designate initiating or enabling events that result from internal flooding as being TRUE and to assign an appropriate frequency or probability to these events. Where internal flooding acts as an initiating event, other initiating events were declared FALSE and the contribution to core damage sequence, the increase in core damage frequency resulting from the internal flooding scenario was calculated.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 9 Flooding

The lower level of the ADMIN Bldg. (272' El.) contains batteries and battery chargers.

In addition, there is a large fire protection header that runs in a corridor ceiling near these rooms and could lead to the flooding of these compartments.

This possibility does not seem to be addressed in the evaluation. (See P. H-74 of the PSA report reviewed by the Certification Team.)LEVEL OF SIGNIFICANCE B POSSIBLE RESOLUTION This flood scenario should be explicitly dispositioned in the PSA either by qualitative arguments or included quantitatively.

PLANT RESPONSE OR RESOLUTION The battery rooms and battery room corridor are in fact in a heater bay flood zone (HB272B) rather than in the administrative building flood zone. The flooding scenario of concern to the reviewers was examined in detail with the reviewers after the certification meeting by performing a plant walkdown. The fire protection header in the corridor is listed as a potential flood source in Table H4.1.3.2 of the report and the flooding scenario resulting from its rupture is evaluated in Section H4.3.2.1 of the internal flooding analysis report.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 9

The initiating event list of plant events shows three "loss of intake" type of events (10/19/90, 2/25/93, and 1/23/97). These events are not discussed in Section 3.2.3 of the Update. These events appear to be at odds with the discussion provided by NYPA in the Attachment to DA-10.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Provide a discussion in the Update regarding the incipient "loss of intake" events that JAF has experienced.

PLANT RESPONSE OR RESOLUTION These events have been reviewed, presented in Table 3.3.1.1 and included in the initiating events calculation for this current (second) update as the loss of the ultimate heat sink.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element DE Subelement 10

Per the Update documentation, the JAF IPE has benefited from the performance of 22 walkdowns (2 for functional test observations, 10 for internal floods, 1 for HVAC considerations, 3 for HRA, and 1 for Level 2). There is evidence in the IPE of the walkdowns being performed (e.g., discussion of spatial considerations in flooding analysis); however, the supporting Tier 2 documentation is limited.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Consider documenting the walkdowns as separate supporting documents.

As the previous walkdowns are "past history", this may be applicable only to future walkdowns.

Such summaries for other industry PSAs have included:

purpose of walkdown, team members, dates of walkdown, areas visited, discussion of observations, findings/conclusions, and photographs.

PLANT RESPONSE OR RESOLUTION This enhancement was documented in the spread sheets to identify the spatial dependencies.

Element ST

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element ST Subelement 4 RPV Pressure Limits

One of the success criteria that is generally included in a PSA is that for RPV overpressure failure. This may come into play for failure of SRVs to open or failure of RPT under ATWS conditions. This is currently not explicitly identified in the PSA and may not be evaluated for the spectrum of potential challenges, such as ARI success with RPT failure or credits for manual RPT.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include the RPV pressure capability assessment in the PSA.

PLANT RESPONSE OR RESOLUTION This enhancement is incorporated in the current (second) PSA update. Specifically, Section L2.2, "Maintaining Reactor Pressure Vessel Integrity" contains information on RPV overpressure criteria.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element ST Subelement 4

Appendix L of the Update discusses the number of SRVs opening or required to open to prevent overpressure. However, the discussion does not provide success criteria regarding the pressure capability of the RPV.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Enhance the discussion in Appendix L to include the success criteria for the pressure capacity of the RPV. This discussion, ideally, should encompass the issue of RPT failure and the resulting pressure spike.

PLANT RESPONSE OR RESOLUTION This enhancement is incorporated in the current (second) PSA update. Specifically, Section L4 of Appendix L contains information on the number of SRVs required to perform RPV pressure control.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element ST Subelement 7 Dynamic Loads

The survivability of the torus under failure to scram conditions with high torus water level, high torus temperature and 6-20% power discharge to the torus is not evaluated. This is a major difference in the analysis of the containment structural capability that is not addressed in the assessment. (See L2-119 for further discussion.)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Add containment torus failure modes associated with dynamic loading.

PLANT RESPONSE OR RESOLUTION This enhancement is incorporated in the current (second) PSA update, specifically the Level 2 analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element ST Subelement 10 Pipe Overpressure

It appears that low-pressure pipe is assumed to fail immediately when exposed to RPV pressure for ISLOCA conditions. This is judged to be conservative. This conservatism is offset somewhat with the consideration of isolation capability of an ISLOCA that may be optimistic.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Reconsider the assumption of pipe rupture with a 1.0 failure probability when low-pressure rated pipe is exposed to high pressure. Use the Wesley or NRC estimates of pipe rupture capability given plant specific data inputs.

PLANT RESPONSE OR RESOLUTION This enhancement is incorporated in the current (second) PSA update. ISLOCA modeling follows the guidance described in NSAC-154 and uses pipe failure rates listed in NUREG/CR 5102.

Element QU

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 8 RPS

It appears that "RPS" top event success is assumed if the ARI function operates regardless of RPT status. This is contrary to generic BWR calculations that prescribe that ARI success at ~15 sec. requires RPT at 2-3 sec. to avoid the RPV pressure peak at 9 sec. This dependency does not appear to be modeled.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Small quantitative impact.

PLANT RESPONSE OR RESOLUTION ARI and RPT were incorporated into the ATWS event trees and quantified in this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 9

There should be included, based on NUREG-0666, a common cause DC bus failure term that results in a higher conditional failure probability for the second DC bus given the first has failed.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Assess CCF of DC power sources or buses and include in model if appropriate.

PLANT RESPONSE OR RESOLUTION CCF of DC power buses has been incorporated and quantified in this current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 9

It is not clear that if support system initiators were quantified separately from the T2 initiator that they would not be the most dominant cutsets.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Break out the Loss of IA and Loss of SW initiators and quantify separately (refer to IE element comments).

PLANT RESPONSE OR RESOLUTION See response presented in IE-5.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 9

Multiple random transmitter failures appear in the top cutsets. (See DE-7)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review top cutsets to identify those containing multiple like random failures and include the associated common cause failure term in the model.

PLANT RESPONSE OR RESOLUTION CCF basic events for pressure and level transmitters have been included in the current (second) update model and quantified for the CDF contribution.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 11

ATWS IORV scenarios are not present in the dominant cutsets.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Verify that ATWS IORV scenarios are not significant contributors to plant risk.

PLANT RESPONSE OR RESOLUTION ATWS with SORV are accounted for in the model. PDS #9 reflects an ATWS with SORV.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 11

There are no RPV Rupture cutsets in the dominant cutsets. (See IE-7)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include the RPV Rupture initiator in the model quantification.

PLANT RESPONSE OR RESOLUTION RPV Rupture initiator has been incorporated in the current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 11

IORV T3C-1 is an accident sequence described in the Accident Sequence Work Package (P. 3-51) as using feedwater for successful mitigation of the IORV. In fact, feedwater will eventually be inadequate and heat will need to be removed from the torus. Historic evidence at BWR suggests that MSIVs will be closed during the sequence. Therefore, heat removal from the torus is a likely requirement. MSIV closure probability based on sequence dependency does not appear to be addressed in the Q cutsets or fault tree used in the T3C sequences. (See Attached)

LEVEL OF SIGNIFICANCE C -- Not large quantitative impact.

POSSIBLE RESOLUTION Reconsider the credit taken for use of steam driven feedwater under SORV/IORV conditions.

PLANT RESPONSE OR RESOLUTION Heat removal from torus cooling has been included in the T3C event tree. This observation was incorporated in this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 12 ASYMMETRY

There is asymmetry introduced into the PSA model by assumed conditions such as the following:

  • Assumed Recirculation suction line break LOCA location as always being in the "B" loop. This affects the importance of the LPCI injection valves.
  • The assumption regarding no alternate injection for most initiators.
  • The order in which "top" events are chosen in the PSA model

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION There should be an attempt to minimize the asymmetry in the model where this will not cause complication in running time. Where this is not feasible it should be well documented so that those users of the PSA can readily understand potential subtleties regarding the asymmetric results of the model due to assumptions.

PLANT RESPONSE OR RESOLUTION This observation is not applicable to JAF.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 12 Asymmetry

The IE-TAC-6 had RAW(1) of 302. The IE TAC-5 has RAW(1) of 60 in Containment Heat Removal Sequence. What contributes to the asymmetry?

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Document basis for results. NYPA has subsequently identified that a design modification known as the "Vermont Yankee Fix" is implemented at FitzPatrick. Some of the asymmetry that arises from the results is reflective of this "fix". Documentation of this fact and the degree to which it may impact systems and sequences would be beneficial.

PLANT RESPONSE OR RESOLUTION It is included in the Revision 1 report, section 3.4.5.

(1) Modified definition of RAW for initiating events.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 14

ISLOCA evaluations and other breaks outside containment (BOC) have been addressed in a comprehensive and thorough fashion for identification and grouping. However, there are some additional detailed quantification items that could be considered. Specifically, (1) the evaluation of the pipe overpressure failure probability for the low pressure pipe can be assessed using the latest techniques (see Attachment to IE-14). (2) The mitigation actions specified in the documentation (P. 3-79, 80 of Event Tree Analysis Work Package) are believed not to be effective or not effective in sufficient time. (3) The qualitative arguments are considered inadequate to address the issue for a PSA that is to be used in regulatory applications, i.e., Grade 3.

The screening of BOC from the quantitative model may limit the PSA capability to address isolation valve applications such as GL 89-10 or IST.

LEVEL OF SIGNIFICANCE B -- Refined calculations could pinpoint the lines most susceptible to potential LOCAs outside containment.

POSSIBLE RESOLUTION Modify the quantification as suggested in Attachment QU-14 (see also QU-11).

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in this current (second) update. Specifically, ISLOCA initiators are assessed by using the NSAC-154 approach.

ATTACHMENT TO QU-14

The failure probability of low pressure pipe when exposed to high pressure as reported in NUREG/CR-5603 is found to be highly dependent on the pipe design pressure. Therefore, the use of a generic estimate of 0.01 by Monticello without reference is judged to be an oversimplification and possibly non-conservative. It is usually conservative, but there are situations when the pipe failure probability has been shown to be closer to 1.0.

The ISLOCA frequency is judged to be strongly dependent on the frequency and method of testing the interfacing MOVs between the RPV and the low pressure systems. This does not appear to be addressed in the quantification. References for this conclusion include: NSAC 154, 155, and 167. Specifically, the test frequency of interfacing valves has no apparent impact on the potential for ISLOCA initiation using the Monticello IPE methodology. This method has not been updated in the Rev. 2a. This is so even though all BWR industry precursors have been initiated by this mechanism.

Quantification issues that are considered important to cite in order to establish whether the quantification and insights relative to these accident scenarios can be improved are as follows:

  • NUREG/CR-5603 provides a more realistic assessment of pipe rupture capability.
  • Common cause failure of 2 and sometimes 3 series isolation valves to isolate (i.e., close on demand) appears not to be accounted for. This will substantially increase the failure frequency for certain lines.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 15

The use of the PSA for applications may be a slightly different perspective than it has had before. This new perspective is to be as realistic as possible and to avoid being conservative; this implies a goal of retaining "apparent" non-contributors.

The desire is to provide a broad, robust model for use in applications. This means accurate importance measures are desirable and the absolute measures should also be robust to support changes. All this argues for inclusion of additional sequences and system response that is currently truncated in the model reviewed by the Certification Team.

While the truncation limit of 1E-11 appears to be used for sequences retained in the model, it appears that sequences have been truncated at higher frequencies earlier in the assessment such that these sequences never make it to the quantification step.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Retain sequences (i.e., include in the quantification) in the quantified model at lower truncation frequencies.

PLANT RESPONSE OR RESOLUTION The truncation of 10^-11 is applied prior to recovery. Post-recovery cutsets falling below 10^-11 are retained.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 15

Figure 3.1.4.2 for ATWS with MSIV Closure Event Tree shows that RPT failure is not developed. It is believed that this can not be truncated. It should be retained to ensure that importance measures will accurately reflect system and component importance measures. NYPA subsequently indicated that for this sequence a frequency of 2E-8/yr is calculated. (See QU-8, HR-11)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Quantify sequences with RPT and RPS failure.

PLANT RESPONSE OR RESOLUTION The sequences with RPT and RPS failure were quantified in the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 18

Several items related to AC recovery evaluation may need to be reconsidered or additional justification provided to support the credit assigned to AC power recovery.

These include the following:

1) The HPCI system is identified in the attached sheet of the PSA to allow adequate injection for sufficient time to credit 13 hours for AC recovery. There are a number of issues related to HPCI operability including the HCTL requirement to depressurize. This does not appear to have been factored into the sequence evaluation. This early depressurization may also lead to adequate DC available to remain depressurized and therefore "credit" for RPV repressurization can not be included.

2) The RCIC system operability leg - Sequence 2 & 4 take "credit" for RPV repressurization. This is not considered appropriate. HPCI division is likely available for DC support.

3) Sequence (3) AC recovery is unknown.

4) For sequence 6, the 7 hour AC power recovery time does not appear to be supported. The SORV and HPCI operation will result in rapid depressurization.

5) The P2 sequence allows 2 hours for AC recovery. This appears inconsistent with the assumption of no recovery for HPCI & RCIC failure sequences (See TH-8)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Reconsider the assumptions used in assigning non-recovery times to SBO sequences.

Provide plant specific T&H for each sequence.

PLANT RESPONSE OR RESOLUTION SBO event tree has been revised. This observation has been incorporated in this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 18

There appear to be some inconsistencies in the application of recovery factors. Consider the SBO event tree. Non-recovery of LOSP in 2 hrs is applied to sequence #9 in which 2 SRVs are stuck open (HPCI and RCIC are not questioned in the sequence and must appropriately be assumed not to be viable), but no recovery is credited for sequence #5 in which the SRVs are shut and HPCI and RCIC fail. In the same tree, non-recovery of LOSP in 7 hrs is applied to sequence #6 in which HPCI is running with a stuck-open SRV. Reactor pressure would drop precipitously with HPCI and an SORV, such that a 7 hour recovery time is judged to be optimistic without detailed calculations to support that timing.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Review the application of recoveries.

PLANT RESPONSE OR RESOLUTION SBO event tree and offsite power recovery rule have been revised. This observation has been incorporated in this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 18

The probability for failure to repair a bus is considered highly optimistic at 1E-3. (See DA-16)

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Reconsider the application of a 1E-3 failure to repair bus recovery factor.

PLANT RESPONSE OR RESOLUTION Failure to repair bus was not considered in the current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 21 Truncation

For accident sequences retained in the model, the truncation is at 1E-11 for most (or all) cases. The choice of accident sequences to fully develop versus those that are "screened" out from further consideration is usually a difficult call in the PSA evaluation. Some cases in ATWS appear to be truncated at much lower frequencies and may be useful to continue to carry in the quantification. In other words, there appears to be a number of accident sequences that have been truncated from the model before the quantification process is initiated, i.e., when the frequency drops below 1E-8/yr.

  • Failure of RPT
  • Failure of ADS inhibit in ATWS sequences
  • SORV cases following failure to scram for isolation events. (Sequence TM-36 is truncated when it falls below 1E-7/yr)

Other BWR PSAs have indicated that these sequences could be noteworthy contributors to core damage and radionuclide release. Therefore, inclusion of these sequences would appear prudent to demonstrate their quantitative impact in applications such as on-line maintenance, Maintenance Rule, IST.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Consider expanding the number of sequences carried forward to ensure that applications are evaluated with a robust model.

PLANT RESPONSE OR RESOLUTION This observation has been incorporated in this current (second) update. Specifically Section 3.1.3.4 Anticipated Transient Without Scram Event of the main report has been revised to include the full development of the above ATWS sequences.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 26

The analysis includes statistical treatment for uncertainties of all basic events and initiating events. However, no qualitative presentation is available about other causes of uncertainty, such as:

  • possible optimistic or conservative success criteria,
  • suitability of the reliability data,
  • possible modeling uncertainties (asymmetry or other modeling limitations due to the method selected),
  • comprehensiveness in the selection of initiating events,
  • possible spatial dependencies not required in IPE,
  • completeness of the model.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Include in the report a qualitative mapping of uncertainties based on the structure of the PSA, and evaluate each of the possible sources of uncertainty, to which direction each of them biases the CDF or LERF. Classify them by possible magnitude.

PLANT RESPONSE OR RESOLUTION Uncertainty mapping is incorporated in the current (second) update with the uncertainty importance.

The battery depletion time and key HEPs which have the greatest impact are further reviewed and sensitivity analyses were performed in the current update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element QU Subelement 29 Uncertainty

The uncertainty characterization can be considered appropriate if the limitations are spelled out. These limitations include:

  • parametric uncertainties only
  • correlated data or not (including RPS, all HEPs)

The modeling and completeness uncertainties are not believed to be included, and the correlation of data does not appear to be addressed. This results in an uncertainty band that must be characterized correctly to ensure that it does not understate the full uncertainty picture.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Clarify the uncertainty bounds and what limitations exist for these bounds.

PLANT RESPONSE OR RESOLUTION The error factors including sources, if any, are contained in the basic event and failure rate databases.

A full tabulation of sources was considered.

Correlation is internally handled by the UNCERT code.

Element L2

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 1

RHR is assumed inadequate for heat removal in Level 2. This is judged conservative.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Add RHR as possible success for containment heat removal.

PLANT RESPONSE OR RESOLUTION The RHR system is considered where appropriate.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 1

The fact that a guidance document has been created to guide the development and future maintenance of the Level 2 analysis is a positive feature of the JAF IPE.

LEVEL OF SIGNIFICANCE S

POSSIBLE RESOLUTION N/A

PLANT RESPONSE OR RESOLUTION

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 2 Process

The use of the EVNTRE code to perform the Level 2 evaluation has certain characteristics that are useful to periodically reevaluate.

These include the following:

  • EVNTRE depends on binning Level 1 end states into 11 plant damage states. These 11 bins do not carry all support system and front line system dependencies into the Level 2 assessment. These can prove important in the assessment of Early High Releases, i.e., water availability.
  • The code is not user friendly; however the current PSA group is able to easily handle the process. As long as there is no turnover of personnel, the Level 2 assessment with EVNTRE can be performed.
  • The degree of sophistication in dependency treatment is very high in the Level 1 PSA but is less specifically treated in the EVNTRE code application.
  • The current EVNTRE model does not include phenomena and nodes that are crucial for future application assessment: RPV vent, containment flood, deinerted operations, containment isolation.
  • There is no effective way to review the EVNTRE evaluation and input, given the current documentation.
  • EVNTRE is adequate to assess the LERF calculation, given consistent definitions of Large and Early.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Consider putting Level 2 into CAFTA. Add the needed nodes to the Level 2 evaluation.

PLANT RESPONSE OR RESOLUTION For the current (second) update, the revised Level II analysis eliminates the use of the EVNTRE code. Instead the Level II model consists of fault trees and containment event trees. These trees are linked and quantified in a similar manner to the Level I quantification.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 5

How the BWRSAR analyses results were factored into the Level 2 analysis is not obvious.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Clearly link the BWRSAR analyses results to the appropriate part of the Level 2 analysis.

PLANT RESPONSE OR RESOLUTION The current text found in Section 4.3 and Appendix I, "Severe Accident Response Predictions" adequately describes the incorporation of the BWRSAR results into the Level 2 analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7

No containment bypass sequences are included in the evaluation for Level 2 for ISLOCA or break outside containment. Truncation at 1E-11/yr would appear to be appropriate, but frequencies below 1E-11/yr are not believed appropriate for estimates of these sequences.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include ISLOCA and BOC sequences to ensure that the LERF contribution is captured. This will allow applications that modify these frequencies to be incorporated in the application assessment. Otherwise, the model can be used when it is noted that bypass impacts due to applications are not quantified, but are treated qualitatively.

PLANT RESPONSE OR RESOLUTION For the current (second) update, extensive ISLOCA (or V-sequence) event trees have been developed. Its impact on Level is addressed appropriately. The ISLOCA event trees are based on the methodology presented in NSAC-154. It includes operator-error-induced ISLOCA, valve isolation failures and best-estimate pipe rupture failure probabilities.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7 Core Melt Progression

PDS-10 ATWS core melt progression assessment is heavily dependent on the treatment of plant conditions. There does not appear to be a direct tie between accident progression and release characterization. The assumed situation of high RPV pressure and core melt progression with the containment above 85 psig would appear to result in all early releases because containment should fail immediately during the blowdown when RPV is breached at high pressure. There should be no recovery. (Observe override in RC/L prohibiting the injection of external injection above 85 psig). The magnitude of release is governed by the subsequent treatment of shell melt through; but with reactor building decontamination factor set to 1.0 the releases should all be High. (Also review implications of L2-19)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Re-consider the assignment of releases and conditional probabilities of success for PDS-10.

PLANT RESPONSE OR RESOLUTION For the current (second) update, the revised model takes into consideration high containment pressure and high RPV pressure on early containment failure.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7 PDS-5

No DC power available from 125V DC and initiated by LOSP. Potential reconsiderations:

  • The lack of containment flood and RPV vent questions in the Level 2 mean that the EOP impact on power recovered sequences for this PDS is not modeled correctly (non-conservative)
  • The degree of "recovery" assigned for restoration of water to the RPV or containment appears to be high given that critical DC support has been lost along with offsite power. The offsite power recovery curve is based on conditions with DC available. Once DC is unavailable, the AC recovery probability is believed to be less likely and not supported by the AC recovery curve given in Appendix E.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Revise treatment of PDS-5.

PLANT RESPONSE OR RESOLUTION Primary containment flooding and RPV venting as directed by the SAOGs are modeled in the current (second) updated Level II analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7

P. 4-31: Both ATWS and non-ATWS sequences are assigned to PDS-10. This appears to be poor selection of PDS.

T3A • C • C1-1

T1 • DC1 • CCF-HW-13ATT

Issues:

  • Containment status (torus temperature, torus pressure)
  • RPV status
  • Spray status
  • Vent status
  • Recriticality treatment

There is substantial difference in the support system availability and in the RPV and containment conditions for these two sequences. There would appear to be little basis to combine these to the same PDS.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Review sequence and cutset PDS assignments. (This was subsequently identified as a typo in the report and should have been assigned to PDS-5 for the 2nd sequence.)

PLANT RESPONSE OR RESOLUTION The current model uses a revised binning scheme to generate the PDSs. Hence, the above sequences should be binned into the appropriate PDSs. This enhancement has been incorporated in this current (second) update.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7 PDS 9

Text says that PDS-9 has 2 SORVs and that core damage is initiated at high RPV pressure. This appears inconsistent.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Modify PDS-9 definition or provide definitions or provide additional explanation of the basis for this apparent inconsistency.

PLANT RESPONSE OR RESOLUTION For the current (second) update, the revised Level II consisted of 48 individual PDSs and seven PDS groups with a clear PDS description.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7

The PDS definitions appear to be adequate for most applications. There are missing PDS for:

a) ISLOCA and BOC cases

b) ATWS, failure to scram (with containment failing first)

c) Loss of containment heat removal IIT, IIA, IIL. (PDS 11 has some of these needed characteristics.)

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include additional PDS for the above conditions from Level 1 so that if applications or PSA updates result in these, then the LERF can be developed.

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in this current (second) update. Specifically, 48 PDSs are currently, modeled. The forty eight PDSs contains the following, seven LOCAs type PDSs, thirteen transients type PDSs, four station blackouts PDSs, four vessel rupture PDSs, seven anticipated transient without scram PDSs, eleven loss of containment heat removal (TW) PDSs and 2 ISLOCA PDSs.Rev. 2 5-230 Rev. 2 5-230 FA C T/OBSER VA TION REGA RDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 7 Reactor Building to Torus Vacuum Breaker The elastomer used in the containment vacuum breaker check valve seal is not identified and the characteristics under high wetwell temperatures are not discussed. (The butterfly valves associated with this flow path are normally closed and will open on loss of air.)LEVEL OF SIGNIFICANCE:

C -- During an SBO (and perhaps other severe accidents) the butterfly valves are likely to be open. If the seal could fail as a result of high wetwell temperatures, there could be a significant impact on the overall plant risk due to the large flow area associated with this failure path.POSSIBLE RESOLUTION Determine the elastomer material in the vacuum breaker and its failure temperature and other characteristics.

Clarify the state of the butterfly valves during containment challenges.

Incorporate these features in the CETs and the containment isolation failure assessment.

PLANT RESPONSE OR RESOLUTION Not considered important since generic failure rates were used for this aspect. In addition, this failure is not dominant when compared to other severe accident phenomena.

Rev. 2 5-231

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7

The plant state is well transferred into the Level 2 via the plant damage states but component failure information is not. Because of the structure of the Level 2 model, this is not significant now; but, if the Level 2 model structure changes, this could become important.

Explicit carry through of Level 1 cutsets into Level 2 during quantification of Level 2 and inclusion of system performance (fault trees) in the Level 2 to replace judgement will make the Level 2 model more useful for certain applications.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Change transfer method to allow more information on equipment state to be input to Level 2 if Level 2 structure is changed to allow this.

PLANT RESPONSE OR RESOLUTION The current (second) updated Level II model, via the use of 'FLAGS', carries over detailed system information deemed important to Level II analysis.

Rev. 2 5-232

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 7

The type of questions used in binning PDSs are appropriate and consistent with other PSAs that use the PDS approach to Level 1/Level 2 information transfer.

However, considering that the Level 1 sequences are not extended to address all issues prior to PDS binning, it is not clear how the RHR and vent availability questions are answered for Level 1 loss of injection sequences.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Enhance the documentation to address the above issue. Ideally, consider extending the Level 1 sequences to address the necessary Level 2 systems that are not questioned in certain Level 1 sequences (this primarily is an issue for Level 1 loss of injection sequences).

PLANT RESPONSE OR RESOLUTION The current (second) updated Level II incorporates detailed knowledge of both RHR and venting by the use of FLAGS to designate the availability of these systems for Level II analysis.

5-233 Rev. 2

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 8

It is not clear that the Level 2 analysis considers the possibility of vessel melt-through occurring at a time when the containment is partially flooded and the vapor suppression system is severely compromised.

Such scenarios would lead directly to containment failure. This scenario is appropriately included in many industry Level 2 analyses, and is specifically an issue associated with proceeding with containment flooding that must be addressed in accident management implementation.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Verify that this issue is not addressed and consider its inclusion and applicability considering the JAF EOPs (i.e., do the JAF EOPs allow containment flooding outside the RPV).

PLANT RESPONSE OR RESOLUTION For the current (second) update, this is considered in the Level II analysis as modeled in the occurrence of ex-vessel steam interactions and the potential for steam explosions, containment overpressurization, or ROCKET event.

Rev. 2 5-234

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 8

The control rod material has been shown experimentally to reach melting and drop out of the core region before fuel melting occurs. This phenomenon could result in situations where any core damage class could lead to ATWS-like power levels if RPV injection is restored during the time when control material has relocated but fuel is generally in the normal configuration.

Discussion of recriticality impact on Level 2 analysis for initially non-ATWS accident sequences does not appear to be included.

The attached discussion could be added to the Level 2 documentation.

LEVEL OF SIGNIFICANCE C -- Quantitative treatment is not significant except for the assumption that FW can be recovered after core damage and restore debris cooling in-vessel; therefore, it may not have an impact on results.

POSSIBLE RESOLUTION For core damage sequences recovered in-vessel, there should be an evaluation of the potential for recriticality during reflood. Add the attached documentation to Level 2. (See also L2-7)

PLANT RESPONSE OR RESOLUTION The discussion of recriticality has been included in the current (second) update.

Rev. 2 5-235

ATTACHMENT FOR L2-8

Research on the core melt progression models for BWRs has indicated that as the temperature rises in the core region, for a uniformly drying out core, the first components that are subject to loss of integrity are the control rods. This research indicates that for a small window of time, the control rods can be postulated to be melted away from a relatively intact core fuel assembly.

During a severe accident, the neutron absorbing control blades are expected to melt before the fuel rods. This occurs because the control materials are contained in metallic structures which have lower melting points than the oxide (UO2) fuel rod material.

Thus, the control rods and fuel rods will become separate during the core melt; and subsequent reflooding of the core has the potential to result in recriticality.

Due to modeling and phenomenological uncertainties related to void fraction, debris bed size, particle size, etc. and the lack of an analytical tool capable of performing the complex analyses required to address these parameters, a conservative bounding analysis was conducted by the NRC contractor in NUREG/CR-5653.

The NUREG/CR-5653 approach is characterized by the authors as a conservative bounding analysis to determine the feasibility of the phenomena.

Therefore, the probabilistic assessments can be considered both conservative and applicable only to NUREG-1150 assumed dominant accident sequences.

The report concludes that any recriticality event (if it could occur) will most likely not generate a pressure pulse significant enough to fail the vessel. Instead, there may be some possibility that a quasi-steady power level would result. The continued power production would result in the containment pressure and temperature increasing until the containment failure pressure is reached, unless actions are taken to terminate the event.

Analyses of severe accident phenomenology in BWRs indicate that, while the core is in the process of heating and melting, among the first components to melt and relocate are the steel blades that contain the B4C control material.

The stainless steel control blades have a much lower melting point (2550°F) than the zirconium fuel cladding and the fuel itself (4800°F). Therefore, as the core heats up, the control blades may melt and leave the core prior to significant fuel relocation.

If the core were to be reflooded following the melt of the control blades and prior to the relocation of the fuel, the possibility exists for the core to become critical again without an adequate means of control.

One issue that has been addressed is a super prompt-critical excursion which would result in rapid disintegration of fuel, rapid molten fuel coolant interaction, and the production of a large pressure pulse capable of directly failing the reactor vessel. The analyses conducted in NUREG/CR-5653 indicate that a maximum power excursion during reflood without control rods inserted (i.e., melted away) produces a fuel enthalpy of 73 cal/g, corresponding to a temperature rise of 1300°F in the fuel. Doppler feedback is the principal mechanism for terminating rapid transients in low enriched uranium-water systems and is adequate to limit the energetics of reflood recriticality to a level below which the reactor vessel would be threatened by a pressure pulse.

Rev. 2 5-236

ATTACHMENT FOR L2-8 (cont'd)

If the reactor remains critical following an initial excursion at the time of reflooding (i.e., reflood is conducted without boration), it will either enter an oscillatory mode in which water periodically enters and is expelled from the core or it will approach a quasi-steady power level. In either case, the average power level achieved will be determined by the balance between the reactivity added (inventory and make up rate) and the feedback mechanisms (Doppler Reactivity Coefficient).

Based on the analyses conducted in this study, a recriticality event is likely to produce core power levels less than about 20% of normal power (and probably not much more than 10% of normal power), but may be significantly above the decay heat level (.2% after 15 minutes).

Another possible concern of remaining critical during and after reflood becomes the increasing temperature for the suppression pool and the potential for containment overpressurization.

If the reactor is not shut down or other actions taken, the containment will become over-pressurized and the suppression pool will reach saturation conditions, which may adversely impact the core cooling systems' operation.

This could subsequently lead to further core damage and a direct release path to the environment.

To shut down an intact fuel lattice without the availability of control blades (which may have relocated from the core), boration is required.

Analyses indicate that approximately 700 ppm ¹⁰B are required to ensure subcriticality for all conditions, including standing fuel rods. The standby liquid control (SLC) system, which is the primary method of emergency boration, is designed to provide boration in one-half to two hours, depending on the flow rate of boration pumps. Therefore, the boration rate appears to be marginally adequate to avoid containment over-pressurization, if it is initiated at the same time as the core reflood and if the boration concentration is adequate to terminate the reaction.

The time allowed for boration is increased if RHR suppression pool cooling is utilized at full capacity in the suppression pool cooling mode.

Relative Timing of Control Blade and Fuel Rod Melting

Two experiments, DF-4 and CORA 16, confirm that the early melt relocation of the control blades is possible.

These experiments show that control blade melting and relocation occurs at approximately 2300°F. Control blade sheathing is made of stainless steel which has a melting point temperature of 2550°F. Melting of the neutron absorption material B4C occurs at about 250°F below the melting point of stainless steel due to alloying reactions with the boron carbide.

MARCH code calculations in NUREG/CR-5653 were performed for Peach Bottom and Grand Gulf accident scenarios.

The melting temperatures used in these calculations were:
  • Control blades: 2600°F
  • Channel boxes: 3365°F
  • Fuel rods: 4870°F

Rev. 2 5-237

ATTACHMENT FOR L2-8 (cont'd)

Based on examination of TMI-2 core debris, the experimenters of NUREG/CR-5653 determined that the fuel melting temperature used in NUREG-1150 (4130°F) was unrealistically low and that 4870°F is more realistic.

Also note that the current thinking is that control blades will melt and relocate at approximately 2300°F, so the 2600°F blade melting temperature used in these runs may be slightly non-conservative.

However, the time difference between control blade temperature of 2300°F and 2600°F during a core boil off scenario is typically on the order of a few minutes. Therefore, the use of the actual melting temperature of stainless steel in these MARCH runs does not affect the resulting insights regarding the recriticality time window.

MARCH calculations indicate control blade melting is strongly correlated to the average core temperature, with melting starting when the average core temperature increases to approximately 1500°F and about half of the control blades melt when the average core temperature reaches 2750°F. This indicates that about half of the control blades can be expected to melt before there is significant fuel rod melting. This is important because early melting of the control blades makes recriticality, during BWR core reflood with unborated water, a credible occurrence.

Therefore, the time window for recriticality may be conservatively taken to be the difference of:
  • The time of substantial control blade melting (average core temperature above 1500°F) and
  • The time of substantial fuel melting (average core temperature above 2750°F)

Based on the MARCH runs in NUREG/CR-5653, the recriticality time window ranges from 5 to 67 minutes, depending on the accident scenario.

For accidents with no injection the time window is on the order of ten minutes; and indeed, the time windows in the majority of these MARCH runs are under fifteen minutes. For accidents in which the time to core melt is greatly extended (e.g., due to intermittent or short term injection) the recriticality time window may be significantly longer.

As previously mentioned, these time windows are conservative in that the end of the recriticality time window is taken to be the melting and relocation of the fuel rods. The consideration of fuel rod shattering could lessen this time window by shortening the time to "substantial" fuel rod failure.

Because the fuel is extremely overheated during core uncovery scenarios, water injection could cause the fuel to shatter due to thermal stress. Experiments indicate that substantial fuel rod shattering can occur during reflooding at temperatures ranging from 2300°F to 2600°F.

Core Geometry Changes Occurring During Melting and Core Reflood

During a severe accident in which core cooling has been lost, substantial changes to the as-designed fuel geometry would be expected.

During an accident, the grid spacers and end fittings which define the rectangular spacing may melt or collapse, resulting in a loss of the geometry. Similarly, the fuel rod cladding could melt or break releasing fuel pellets in a random manner and the fuel pellets may shatter, forming smaller, irregularly shaped particles, or may melt, forming larger particles.

Rev. 2 5-238

ATTACHMENT FOR L2-8 (cont'd)

For an overheated core, there is significant potential for fuel rod shattering and debris bed formation when reflooded with water. The shattering of fuel rods has been observed in a number of experiments.

Based on grab samples of TMI-2 core debris, it is expected that debris beds, formed from shattered fuel rods, would probably be under-moderated and thus not a recriticality concern.

Based upon a survey of the available evaluations of recriticality, it is judged that the best estimate evaluation should be characterized as follows:
  • A rapid pressure pulse during reflood of a core without control rods will fail the RPV or containment with an assessed probability of 1E-6.
  • The recriticality of the core to begin producing power is a function of:
      - Restoration of flow to the core within a specific 10 minutes of the core melt progression (estimated at 1E-4)
      - The fuel remaining intact during the reflood (estimated at 1E-2)
      - No SLC injection (estimated at 1.0 given current EOPs)

Therefore, a failure of containment associated with recriticality of the core is assessed to require the following:

  • Control rods melt prior to fuel and
  • Operator actions adequate to restore water injection during the time when control rods have been melted, but before fuel rod integrity is compromised and
  • Fuel rod integrity is maintained during the core reflood injection and
  • SLC is not injected or is washed out (e.g., a LOCA).

Rev. 2 5-239

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 8

Containment Flooding

There are features of the EOPs regarding containment flooding that do not appear to be reflected in the Level 2 evaluation:

1) Flooding would occur with external sources as quickly as feasible using RHRSW.
2) Injection to outside the RPV does not appear to be addressed.
3) Containment flooding could compromise the vapor suppression function and RPV debris discharge could occur at high or low pressure into a partially flooded containment.
4) RPV venting does not appear to be addressed.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION The importance of including a LERF assessment as part of the PSA update has been identified previously, however, it is also important that potential contributors to the LERF are addressed.

PLANT RESPONSE OR RESOLUTION Primary containment flooding and RPV venting as directed by the SAOGs are modeled in the current (second) updated Level II analysis.

Rev. 2 5-240

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 8

Shell Melt-through

It appears that the shell melt-through impact on radionuclide release is considered to be a High magnitude release for PDS-8 (TQUV) but for the ATWS PDS (PDS-10) the shell melt-through is called a Medium-low.

This appears to be inconsistent and the documentation does not support such a difference.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Assess the shell melt-through release magnitude variation among PDS cases.

PLANT RESPONSE OR RESOLUTION The inconsistency has been revised in the current (second) update; both are considered high early release.

Rev. 2 5-241

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 8

Phenomena

Deinerted Plant Operation is not included.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Incorporate quantitatively the deinerted operation in the assessment of LERF.

PLANT RESPONSE OR RESOLUTION The current (second) updated Level II has incorporated the potential containment failure due to hydrogen phenomena given a deinerted containment.

Rev. 2 5-242

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 9

It is not clear that the time available from the onset of core damage (Level 1 end state) to the point at which the core melt cannot be maintained in-vessel is explicitly addressed.

This available time frame is a function of the time after scram at which core melt begins and sets the timing for operator recovery actions (e.g., conditional probability for failure to depressurize given failure in Level 1). For example, depending on the thermal hydraulic code used, assumptions made, and the core design, such a time frame may range from approximately 40 minutes to 1.5 hours for a short term loss of injection core damage event.

LEVEL OF SIGNIFICANCE C

POSSIBLE RESOLUTION Verify that this issue is explicitly considered and is discussed adequately in the documentation.

PLANT RESPONSE OR RESOLUTION The current update defines a Level 2 mission time of 36 hours after reactor vessel breach or, should the vessel not breach, 36 hours after accident initiation.

This mission time is used as a minimum limit to define release duration.

No other references are currently documented.

Rev. 2 5-243

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 11

The discussion of containment isolation in section 4.5.4 does not appear to allow for failure of large penetrations to close on receipt of an isolation signal. For example the Drywell purge valves are typically butterfly valves and can have difficulty closing against pressure and can be open during operation.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include possible failures to isolate of large lines in the containment isolation analysis.

PLANT RESPONSE OR RESOLUTION The primary containment isolation fault tree model has been revised in the current (second) update to reflect the failure of a number of containment isolation valves.

Rev. 2 5-244

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 11

Drywell Sprays

No mention of the ability to meet the drywell spray initiation limits before using drywell sprays is included in the Level 2 discussion.

NYPA subsequently indicated that the purpose of drywell sprays use (for Level 2), is to examine the effects that sprays have on containment failure and fission products release. The fact that drywell spray initiation limits may prevent drywell sprays was deemed not important for the Level 2 analysis.

Therefore, a level of significance of "C" is appropriate.

The Certification Team believes that if the sprays are procedurally prohibited, then the operators will not initiate the sprays and therefore quantitative effects of spraying the drywell cannot be taken advantage of.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Consider the Drywell Spray Initiation Limit Restrictions in its use.

PLANT RESPONSE OR RESOLUTION Use of the revised EOPs/SAOGs drywell sprays is incorporated in the model. Namely, drywell sprays are credited for sequences in which RHR decay heat removal is available.

As a result, for these sequences the drywell spray limitations are not approached.

Rev. 2 5-245

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 11

Based on responses from the PSA team the following was stated:

1) The only Level 2 specific HEP modeled is failure to vent containment, which is assigned an error probability of 0.1.
2) The drywell spray assessment for Level 2 does not address the operator failure probability -- operator action to initiate drywell spray is addressed in Level 1. In Level 2, if RHR is available, drywell spray is also assumed to be available, in terms of the operator action.

The treatment of operator action is found to be non-conservative because it does not address dependencies or sequence specific restrictions such as the DWSIL curve.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Incorporate best estimate operator actions in the Level 2 that address system and sequence dependencies.

PLANT RESPONSE OR RESOLUTION The current (second) updated Level II has incorporated a number of operator actions. These actions were assigned a failure value of 0.052.

5-246 Rev. 2

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 11

EVNTRE still retains Peach Bottom nomenclature for FitzPatrick.

Example: HPSW is referenced instead of RHRSW. Other more subtle differences may also exist.

LEVEL OF SIGNIFICANCE D

POSSIBLE RESOLUTION Likely editorial issue.

PLANT RESPONSE OR RESOLUTION Not Applicable to the current (second) update.

Rev. 2 5-247

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 11

A review of the Level 2 PSA indicated several areas where EOPs could be reflected more precisely in the model or the documentation:

  • Possibly missing a containment failure mode related to flooding and loss of vapor suppression (see separate item under L2-11)
  • RPV vent not accounted for
  • Drywell spray initiation limit curve is not included in the assessment of the drywell spray viability.

The ability to use drywell sprays if inadequate core cooling is observed (RPV level not restored) is not discussed or questioned in the documentation.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include EOP directions in modeling of Level 2 mitigation responses.

PLANT RESPONSE OR RESOLUTION The current (second) updated Level II has considered these severe accident phenomena as directed by the SAOGs.

Rev. 2 5-248

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 13

Containment Failure Modes

The containment failure modes used in various parts of the PSA appear to be different and loosely connected with the CB&I plant specific analysis.

The different situations include the following:

Assigned Failure Modes

  • Level 1 P. 3-475 taken from NUREG/CR-4551
  • ATWS in Level 2 Assumed Torus Airspace (1)
  • Other Level 2 (2)

The conclusion from a PDS 10 EVNTRE printout (see attached) is that the failure probabilities by location are in fact different than those in Level 1. In fact, the wetwell failure below the water line does not appear to be accounted for in PDS-10. The issues with the PDS-10 containment failure location assessment are as follows:

  • No wetwell failure below the water line is addressed
  • The wetwell vent probability does not appear appropriate for this accident sequence. The vent would not be able to be opened in sufficient time during blowdown.
  • Leakage failures may not be sufficient to control containment pressure given the magnitude of the RPV breach blowdown at high containment pressure.

(1) Stated in the oral presentation on Level 2 to the Certification Team.
(2) Not reviewed by the Certification Team. Orally told that it is different than Level 1 (see attached).

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Address containment failure modes in Level 1 and Level 2 in a consistent fashion. Use CB&I information, not other NUREG information.

5-249 Rev. 2

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the current (second) update. Specifically, a detailed description of containment failure modes is documented in Appendix N, "Containment Event Tree Quantification," and Section 4.5, "Containment Failure Characterization".

5-250 Rev. 2

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 13

The Level 2 analysis apparently does not include the random probability of containment isolation failure (e.g., pre-existing leak, random line isolation failures).

Such scenarios are typically analyzed in industry PSAs as leading directly to a high release (plant specific analyses may be performed that would show lesser magnitudes) and early with respect to the sequence type.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include the possibility of random containment isolation failure in the CET quantification.

PLANT RESPONSE OR RESOLUTION The current (second) updated primary containment isolation fault tree takes into consideration the potential for either a large or small pre-existing containment leakage.

Rev. 2 5-251

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 16

The containment isolation evaluation appears to have been truncated based on low frequency at 1E-8/yr. This appears to be much too high of a threshold for eliminating these component contributions to Level 2. The failure of containment isolation should address:

  • Reactor Building to torus vacuum breakers
  • The sump drain line isolation failure
  • Pre-existing leaks

Applications involving ranking the isolation system or considering configurations that have altered reliability for containment isolations would be adversely impacted by the non-inclusion of containment isolation.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION Include containment isolation valves in the assessment.

PLANT RESPONSE OR RESOLUTION The current (second) updated primary containment isolation fault tree takes into consideration vacuum breaker failures, pre-existing leaks, and drywell equipment/sump drains isolation failure.

Rev. 2 5-252

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION Element L2 Subelement 19

Containment Failure

There may be an inconsistency between the Level 1 model and the assumed containment failure modes should be reconsidered.

The definition of containment failure during an ATWS and its size and location should be identified.

The attached discussion of ATWS induced dynamic loads is included for your use in considering the FitzPatrick specific evaluation.

Attachment L2-19 provides some consideration regarding containment failure modes that may require consideration under ATWS conditions.

LEVEL OF SIGNIFICANCE B

POSSIBLE RESOLUTION The containment failure mode for failure to scram events is key to LERF assessment and should be assigned consistent with the NYPA evaluation of ATWS. The containment failure probability may more appropriately be assigned a failure probability of 1.0 for the wetwell. This means drywell failure is ~0.0. The wetwell air space failure probability would be 0.5 and the torus below the water line failure probability would be 0.5 due to dynamic loads.

PLANT RESPONSE OR RESOLUTION This enhancement has been incorporated in the current (second) update. Specifically, a detailed description of containment failure modes is documented in Appendix N, "Containment Event Tree Quantification," and Section 4.5, "Containment Failure Characterization".

Rev. 2 5-253

L2-19 CONTAINMENT DYNAMIC LOADING LIMITS USED IN THE PROBABILISTIC EVALUATION

L2-19.1 Introduction

Postulated accident sequences cover a broad spectrum of events. The purpose of this section is to present the technical basis used in establishing the failure of the containment under postulated degraded conditions for which the following may be present:

  • High suppression pool temperature with substantial continuous blowdown occurring (i.e., equivalent to greater than 6% power), or
  • High suppression pool water levels coupled with LOCA-equivalent loads and the consequential hydrodynamic loads.

L2-19.2 Overview

This summary identifies the issues that provide the technical basis for the selection of 260°F as the equivalent bulk suppression pool temperature during an ATWS, above which containment integrity cannot be assured. This criterion is subject to substantial variation depending upon the availability of plant-specific and sequence-specific deterministic calculations.

However, this criterion has been used in industry PSAs performed to date and the Utility Group on ATWS evaluation presented to the NRC.

The containment failure criterion (i.e., suppression pool temperature = 260°F) used in the ATWS evaluation is intended to set the allowable operator action time to take effective mitigation actions for terminating an ATWS event. Subsequent to that time, it is assumed that the operator actions for complete mitigation and safe shutdown are confounded by degraded plant and instrumentation conditions.

Containment failure occurs as a result of: (1) exceeding the calculated ultimate strength; (2) hydrodynamic loads; or (3) by premature failure due to the phenomena discussed in this section.

Rev. 2 5-254

[Figure E.3-11 Containment Penetration and Possible Failure Points; figure label: Thermal and Pressure Induced Containment Growth]

Rev. 2 5-255

Information available that has led to the selection of 260°F as a point beyond which the current state-of-the-technology may not support assumptions regarding containment adequacy include the following:

KWU and Caorso tests with "rams-head" quencher devices have shown smooth condensation (i.e., excessive vibration loads were not induced on the suppression chamber) at temperatures up to 140°F at elevated reactor pressures.

For much lower reactor pressures the smooth condensation has been demonstrated up to 190°F.

It appears that at low reactor pressures, smooth, complete condensation of saturated steam can be assured up to local temperatures of 260°F when "T"-quencher devices are being used.

Presently, dynamic loadings of sufficient magnitude to warrant concern regarding containment integrity have not been observed.

However, it is judged that at elevated temperatures this concern, based on experimental evidence, may be relevant.

Because of the lack of data for suppression pool temperatures above 260°F and the anomalies that may accompany SRV discharge during ATWS scenarios, a calculated thermal equilibrium bulk suppression pool temperature of 260°F is used as a criterion in the evaluation of allowable operator action times during high power, high pressure ATWS conditions.

In addition, other issues or phenomena exist under these postulated scenarios that may compromise critical containment functions which in turn make the containment vulnerable to alternate failure mechanisms.

One of the criteria included in the PSA ATWS analysis is the aforementioned value of 260 °F suppression pool temperature as a value above which ATWS mitigation is not considered achievable.

Although it may be a worthwhile effort to pursue relaxing this criterion to make ATWS sequence evaluations as realistic as possible, it appears that the effort required to accomplish this objective would be substantial.

L2-19.3 Discussion

As the suppression pool temperature rises during the progression of an ATWS event, there are a number of containment phenomena that begin to affect the determination of an appropriate response for reaching a safe stable state. Some of these phenomena affect system operability while others may impact containment integrity.

The following discussion attempts to address the specific phenomena and related issues, and the information available relative to the phenomena affected by high suppression pool temperatures during an ATWS. The discussion is divided into three subsections:

  • Section L2-19.4: Issues related directly to the 260 °F temperature criterion for calculated bulk suppression pool temperature
  • Section L2-19.5: Other containment issues that could impact the criteria selection if 260 °F is found too conservative
  • Section L2-19.6: Other possible issues related to selecting ATWS success state criteria.

L2-19.4 Issues Related Directly to Selection of 260 °F Bulk Suppression Pool Temperature

L2-19.4.1 Issue I: Condensation Phenomena

Introduction

Currently, limited information exists in the engineering literature relative to two complex issues related to containment performance and capability.

These issues can be summarized as follows:

  • Whether the containment can withstand dynamic loads caused by high pressure blowdown at high suppression pool temperatures; and,
  • Whether conditions could exist which would cause incomplete condensation; and consequently, vapor bypass to occur through the pool.

A.A. Sonin states that SRV discharge line physical processes "...involve highly complex, often intermittent flow and transport processes, and accurate analysis of the dynamic flow problem from first principles is impractical if not impossible, given the present state of the art."

The intent of this issue discussion is to provide a brief synopsis of the current state of knowledge regarding these issues, attempt to qualitatively identify the experimental and analytical uncertainties associated with the research in these areas, and describe the 260 °F suppression pool temperature criterion which is an integral part of the ATWS probabilistic analysis.

History

Previous research on BWR containments has indicated that SRV quencher devices successfully dampen pool dynamic loads and provide adequate condensation of high energy steam discharged to a pool for temperatures up to the range of 200 °F.

Sonin has presented a model and supporting experimental data to indicate that the two questions previously posed regarding dynamic loads and complete condensation can be answered over an extended range of variables using previous analyses. The range of variables investigated by Sonin extends those analyses or experiments to represent higher suppression pool temperatures.

The range of variables used by Sonin to extend the applicability of past evaluations is characterized as follows:

  • Small scale experiment
  • Well mixed pool (i.e., no stratification)
  • 50 psig steam discharge pressure
  • Sonic discharge steam flow
  • Saturated steam
  • Pool temperatures of 212 °F to 250 °F
  • No accounting for air clearing loads
  • No non-condensible gas entrained in discharged steam
  • Thermodynamic equilibrium exists between the airspace and the pool.

The small scale experiments of Sonin verified the analytic models using these input parameters.

The experiments indicated that:

  • "The dynamic pressures are strongly affected by the geometry of the exhaust nozzle. With a simulated typical quencher device operated at 200-600 kg/m² s based on exit area, maximum loads occurred at 25-30 K pool subcooling and were a factor of eight lower than those of a single-jet discharge with comparable exit area and mass flux."
  • "Condensation is complete down to local subcoolings of the order of the present measuring accuracy of plus or minus 1 K. The process of pressurization of a closed pool by a submerged discharge occurs smoothly without dynamic instabilities or significant loads on the pool boundaries."

The uncertainty associated with the results of these small-scale experiments is only exacerbated when considering the effects on containment caused by SRV discharge of a steam-hydrogen mixture. Sonin states that upon core collapse during an ATWS scenario, the initial flow rate through the SRVs may be about 1.3 × 10⁵ lbm/min. steam mixed with 0.025 × 10⁵ lbm/min. hydrogen which is discharged into an essentially equilibrated suppression pool system. Moreover, Sonin continues to conjecture that:

... the amount of non-condensible hydrogen which is mixed in with the steam may be sufficient to drastically reduce the steam condensation rate on the pool water. As a result, the steam in the mixture may not condense as it is discharged, as the Battelle code apparently assumes, but may instead pass through the pool together with the non-condensible hydrogen and enter the wetwell airspace directly.

The consequence of this would be that the wetwell airspace would be pressurized much more rapidly at this point than the Battelle code is predicting.

BWROG Evaluation of Suppression Pool Temperature Limits

The Sonin efforts indicate that the SRV quencher devices are effective in suppressing dynamic loads and assuring thorough steam condensation over the range of variables considered.

Some of the open items that remain and which contribute to the imposed suppression pool temperature criterion of 260 °F for ATWS include the following:

  • Lack of data representative of high pressure RPV blowdown into a pool at temperatures greater than 200 °F (i.e., RPV saturated conditions with water temperature greater than 500 °F).
  • Lack of data on the air clearing containment load effects at elevated pool temperatures.
  • The lack of inclusion of non-condensibles (e.g., hydrogen which may result from clad damage during ATWS low water level operation) in these experiments that could result in the entrainment of steam in non-condensible bubbles, thereby, bypassing the suppression pool.
  • Water slug flow causing SRV cycling as a result of power excursions. Such slug flow could then cause flashing of the superheated water within the discharge device.
  • Pool stratification; whereby, participation of only a portion of the pool which is in thermal equilibrium during the blowdown is considered. (Refer to Issue II below.)

L2-19.4.2 Issue II: Temperature Profile at the Quencher

It is logical to question how there could be sufficient circulation around the approximately 350 ft. circumference of the pool to justify the assumption of a well-mixed pool. Without such circulation, only water in the vicinity of a discharging T-quencher could act as a heat sink; incomplete condensation of SRV discharge would begin much sooner, and primary containment pressure would build up faster.

With T-quencher discharge at high flow into an uncirculated and nearly saturated suppression pool, it is possible that the local subcooling would be less than 20 °F and might be lost entirely, allowing direct bubble-through of steam into the wetwell atmosphere.

Without any condensation of SRV discharge at operating pressure, it would take about 20 minutes to pressurize the primary containment from 74 psig to the primary containment failure pressure.

The suppression pool temperature local to the quencher device during SRV discharge has been shown in tests to be higher than the pool bulk temperature; the Sonin test results must be understood in the context of this information (i.e., the tests were performed under thermal equilibrium pool conditions and therefore are not representative of that anticipated in the real situation).

If a single SRV is being used to discharge the steam to the suppression pool, then the continuous discharge of steam into local areas can result in higher localized temperatures.

This may result not only in vertical stratification, but also circumferential stratification around the wetwell. Such localized effects have been inferred to occur during SRV discharge through rams-head devices at elevated suppression pool temperatures with RHR pumps operating.

Additionally, there were observed differences of 38 °F between bulk temperature and local temperatures surrounding T-quencher devices during the 1977 Monticello plant tests. Therefore, there may not be full participation of the pool in the thermodynamic heat transfer process during blowdown.

Specifically, the local pool temperatures may govern the time to reach 300 °F at the quencher because only a fraction of the suppression pool is participating in heat transfer from the blowdown (e.g., the time to achieve local pool temperature of 300 °F may be equivalent to the time to reach 260 °F if we assume that the entire pool is in thermal equilibrium).

In this case, 260 °F is not so much a limit as it is a surrogate pool temperature to be used in computer code calculations if the suppression pool model assumes thermal equilibrium to crudely estimate the time to reach actual temperatures of 300 °F at the quencher device.

[Figure annotation: TBULK = 220 °F]

L2-19.4.3 Issue III: Calculational Models

The calculational models used in previous evaluations of the suppression pool temperature phenomena assume that smooth condensation of the discharged steam and complete thermal mixing occurs for the duration of the blowdown.

Therefore, essentially the entire suppression pool volume is approximately at thermal equilibrium.

The thermal equilibrium assumptions in the thermal hydraulic codes may underestimate the containment pressurization rate during an ATWS scenario for which pool stratification or steam bypass exists if the following conditions exist:

  • High local temperatures,
  • Less than thorough steam condensation,
  • Entrainment of steam in non-condensible bubbles,
  • Stratification of the pool either radially or vertically,
  • Entrainment of water in high-flow and high-energy steam discharge.

L2-19.5 Related Issues Associated With Degraded Containment Conditions That May Affect ATWS Sequence Evaluations

Given that the issues discussed in the preceding section can be resolved, a new criterion must be selected for determining an acceptable time frame during which the operator has to take corrective action to prevent containment overpressure.

The following issues should be addressed in selecting this new criterion.

L2-19.5.1 Issue IV: Drywell Sprays and Vacuum Breaker Performance

Extended severe accident conditions for cases with control rods not inserted and power being produced and directed to the suppression pool may cause the following events to occur:

  • RPV pressure cycling;
  • SRVs and their tailpipe vacuum breakers opening and closing; and
  • Drywell sprays may be operating from external sources or through the RHR heat exchangers, injecting cool water to the drywell.

Therefore, the drywell pressure may correspond to pool saturation temperature and then drop significantly below saturation pressure depending upon spray effectiveness.

These intermittent changes in SRV position and drywell to wetwell pressure differential may result in cycling the vacuum breakers on the: (1) SRV tail pipe; and (2) the wetwell to drywell interface.

The result of this cycling may facilitate direct pool bypass from SRVs via stuck open tailpipe vacuum breakers and stuck open wetwell to drywell vacuum breakers. (The situation with a stuck open SRV tailpipe vacuum breaker during ATWS conditions is analogous to a LOCA condition).

L2-19.5.2 Issue V: Containment Structural Integrity

There is some uncertainty regarding the ultimate internal pressure capability of containments.

The uncertainty about the calculated ultimate failure strength of containment during energetic scenarios is related to accurately accounting for the following phenomena:

  • Temperature effects on structural integrity
  • Penetration interactions
  • Structural discontinuities
  • Hydrodynamic loads
  • Sequence pressure and temperature traces

Therefore, there is a likelihood that a containment failure could occur during ATWS conditions before reaching the estimated ultimate failure pressure which is usually calculated by a slow steady state increase in pressure.

L2-19.5.3 Issue VI: Cyclic Pressure

The containment may be subjected to significant cyclic loads if drywell sprays (with the water being supplied from either external water sources or through the RHR heat exchangers) are used during operation at elevated pressures in containment during an ATWS condition.

L2-19.6 Tertiary ATWS Related Issues

The following additional issues may have an impact on the relaxation of 260 °F as a criterion, or the selection of a comparable criterion as a measure of the time available for operator action. These issues are judged to be of lower probability.

L2-19.6.1 Issue VII: Primary System Status

If during the postulated ATWS, failure of an SRV tail pipe or its vacuum breaker occurs due to loadings associated with high pool temperature, the steam flow would occur directly to the drywell. Under such conditions, the condensation capability of the suppression pool, and the dynamic loading imposed on the containment by discharge to the suppression pool through the downcomers, could be significantly different and potentially more challenging than that associated with the SRV T-quencher devices. The issues related to suppression pool performance at elevated temperatures also need to include the possibility of non-condensable gases which may be entrained in the steam. (See also Issue IV.)

L2-19.6.2 Issue VIII: Elevated Pool Water Levels

It may be possible during the postulated ATWS scenario for the suppression pool level to rise substantially if external water sources are employed for RPV inventory control as directed by the Rev. 4 BWROG EPGs. If the suppression pool level should encroach on the SRV tailpipe limit and the operator is unable to control water level or RPV pressure below these limits, then an SRV tailpipe failure in the wetwell airspace could induce a rapid containment pressurization event resulting in similar consequences as the conditions described in L2-19.6.1.

In addition, hydrodynamic loads at high pool levels can result in substantial loading of the torus. No available containment structural analysis has been performed regarding the torus capability under such hydrodynamic loads (i.e., high SRV discharge rates at elevated pool levels).

L2-19.7 Summary

The 260 °F suppression pool temperature is considered to be a technically defensible limit in model calculations to estimate the containment structural adequacy under ATWS conditions.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 21
PDS Definitions

There appears to be a potential disconnect between the Level 1 accident scenarios and the Level 2 processing of information.

Examples include the following:

ATWS without SLC is said to cause core damage due to torus failure and loss of injection (oral presentation).

However, all injection is said to be available in the PDS definition.

With torus failure before core damage, all injection would appear not to be available.

Subsequently sprays are used to mitigate the accident.

In a subsequent transmittal, NYPA stated that the ATWS with SLC failure leads to core damage with an intact containment.

Apparently, the oral presentation was in error.

However, the success probability of internal and external injection sources at torus temperatures above 300 °F and external sources with pressures in containment above MPCWLL were not discussed.

The survivability of the torus at high torus water levels when high power production is occurring is not justified.

See L2-19.

LEVEL OF SIGNIFICANCE
B

POSSIBLE RESOLUTION
Revise the treatment of Level 2 PDS to be consistent with the Level 1 sequence definitions.

PLANT RESPONSE OR RESOLUTION
An ATWS without SLC leads to core damage, containment bypass, and although the RPV injection systems are available, no injection is corrected.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 21
Release Categorization

The release categories have been assigned to the end states of the Level 2 analysis using insights from previous Sandia work and judgements regarding the effectiveness of various release pathway mitigation measures.

It is considered prudent to have a deterministic code calculation to support the subtle differences in the sequence that can influence release.

LEVEL OF SIGNIFICANCE
C

POSSIBLE RESOLUTION
Use plant specific calculations when feasible.

PLANT RESPONSE OR RESOLUTION
The MAAP code (version 4.0.5) is used to generate the plant specific source terms used in the JAF License Renewal SAMA evaluation.

The results of these MAAP runs are currently documented in Engineering Report, JAF-RPT-05-00158, Revision 1.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 22
LERF

Currently defining:

  • Large = > 1% I release
  • Early = before or within several hours of vessel breach

This definition should be revised to be consistent with the industry position set forth in the PSA Applications Guide. This would likely mean the following:

  • Large = > 10% I release
  • Early = before effective protective actions can be taken. EALs can be used to assist in defining this timing.

LEVEL OF SIGNIFICANCE
B

POSSIBLE RESOLUTION
Make LERF consistent with PSA Applications Guide, otherwise the LERF could be overestimated in estimating impacts.

PLANT RESPONSE OR RESOLUTION
For the current (second) update, the LERF definition has been revised to be consistent with the commented industry definition.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 24
EOP/AOP

The EOPs are not followed in Level 2 for two specific actions: containment flooding and venting. These actions result in potential early releases that need to be addressed for an accurate assessment of LERF.

LEVEL OF SIGNIFICANCE
B

POSSIBLE RESOLUTION
Include RPV venting and containment flooding in the assessment of LERF.

PLANT RESPONSE OR RESOLUTION
Primary containment flooding and RPV venting as directed by the SAOGs are modeled in the current (second) updated Level II analysis.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 24

In-vessel steam explosion probabilities are 1E-2 for RPV at low pressure and 1E-3 for RPV at high pressure.

These probabilities may be reduced to 1E-4 and 1E-5 based on the following references:

  • USNRC, Steam Explosion Working Group, A Review of the Current Understanding of the Potential for Containment Failure Arising from In-Vessel Steam Explosions, NUREG-1116, June 1985 or its update NUREG-1524.
  • Theofanous, T.G., et al., An Assessment of Steam Explosion Induced Containment Failure, NUREG/CR-5030, February 1989.

LEVEL OF SIGNIFICANCE
C

POSSIBLE RESOLUTION
Consider reducing the above probabilities given the provided references.

PLANT RESPONSE OR RESOLUTION
The current (second) updated Level II analysis reflected the work performed in the Steam Explosion Working Group, A Review and Theofanous, T.G., et al., An Assessment of Steam Explosion Induced Containment Failure, NUREG/CR-5030, February 1989.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 25

The update of Level 2 (main text) does not show updating of the phenomenological aspects with more recent information as is indicated in the guidance document.

LEVEL OF SIGNIFICANCE
B

POSSIBLE RESOLUTION
Look at NRC and EPRI containment reports for phenomenology resolutions to make the Level 2 analysis more realistic.

PLANT RESPONSE OR RESOLUTION
This enhancement has been incorporated in the current (second) update. Specifically, the work of T.G. Theofanous as documented in NUREG/CR-5423, "The Probability of Liner Failure In a Mark-I Containment", August 1991 is considered; the "Estimation of Containment Pressure Loading Due to Direct Containment Heating," by Tutu, N.K., et al., in NUREG/CR-5282, BNL-NUREG-52181, March 1991 is considered and the "Generic Framework for IPE Back-End (Level 2) Analysis," as documented in EPRI NSAC/159, Vol. 3, October 1991 forms the basis for the updated Level 2 containment event tree model.

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element L2 Subelement 27

In section 4.5.7 it is stated that PBAPS does not have the outside the reactor building bypass path of plugs above the torus or rooms surrounding the torus. PBAPS does have these types of outside plugs but apparently NUREG 4550 did not consider them as a release path.

LEVEL OF SIGNIFICANCE

POSSIBLE RESOLUTION
Correct text description.

PLANT RESPONSE OR RESOLUTION
Not Applicable to JAF IPE.

Element MU

FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS

OBSERVATION
Element MU Subelement 6

Models and data were backed up but no process for controlling this function could be found. Some models are on the network, some are on "ZIP" disks and some are on floppies.

LEVEL OF SIGNIFICANCE
C -- Level of control could be improved.

POSSIBLE RESOLUTION
Develop a system for backup, control, and archiving of information.

PLANT RESPONSE OR RESOLUTION
ENN-DC-151 PSA Model Update and Maintenance has been developed to address these issues.