L-03-160, Response to a Request for Additional Information in Support of License Amendment Requests No. 180

From kanterella
(Redirected from L-03-160)
Jump to navigation Jump to search
Response to a Request for Additional Information in Support of License Amendment Requests No. 180
ML033020479
Person / Time
Site: Beaver Valley
Issue date: 10/24/2003
From: Pearce L
FirstEnergy Nuclear Operating Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
L-03-160
Download: ML033020479 (49)
v  d  e


Text

P FEC FENOC Beaver Valley Power Station

~~~~~~~~~~~~~

168 PO. Box4 FirstEnergy Nuclear Operating Company Shippingport. PA 15077-0004 L. illiamt Pearce 724-682-5234 Site 'ice President Fax: 724-643-8069 October 24, 2003 L-03-1 60 U. S. Nuclear Regulatory Commission Attention: Document Control Desk Washington, DC 20555-0001

Subject:

Beaver Valley Power Station, Unit No. 2 BV-2 Docket No. 50412, License No. NPF-73 Response to a Request for Additional Information in Support of License Amendment Requests No. 180 This letter provides FirstEnergy Nuclear Operating Company (FENOC) responses to the NRC Request for Additional Information (RAI) dated July 28, 2003, regarding License Amendment Request (LAR) 180, which was submitted by FENOC letter L-03-005 dated February 4, 2003. The changes proposed in the LAR modify Beaver Valley Power Station Unit No. 2 Technical Specification 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," by extending the slave relay surveillance test interval from 92 days to 12 months. The proposed change is based on the methodology described in WCAP- 15887, "Probabilistic Risk Analysis of the Slave-Relay Surveillance Test Interval Extension for Beaver Valley Power Station, Unit 2," Revision 2, dated December 2002.

The RAI and responses are provided in Attachment A of this letter. RAI Number 2 requested an assessment of the recently completed peer review of the Beaver Valley Power Station Unit No. 2 Probabilistic Risk Analysis (PRA) model. Details concerning the Category A and B observations, and their resolution, are provided in Attachment B.

The responses contained in this transmittal have no impact on the proposed Technical Specification changes, or the no significant hazards consideration transmitted by FENOC letter L-03-005.

No new regulatory commitments are contained in this letter. If there are any questions concerning this matter, please contact Mr. Larry R. Freeland, Manager, Regulatory Affairs/Performance Improvement at 724-682-5284.

LOOMq

I Beaver Valley Power Station, Unit No. 2 License Amendment Request No. 180 RAI Responses L-03-160 Page 2 I declare under penalty of perjury that the foregoing is true and correct. Executed on October 24, 2003.

Sincerely, William Pearce Attachments:

A. Responses to RAI dated July 28, 2003 B. Peer Review Category A and B Observations.

c: Mr. T. G. Colburn, NRR Senior Project Manager Mr. P. C. Cataldo, NRC Sr. Resident Inspector Mr. H. J. Miller, NRC Region I Administrator Mr. D. A. Allard, Director BRP/DEP Mr. L. E. Ryan (BRP/DEP)

Attachment A to L-03-160 Responses to RAI dated July 28, 2003 RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (RAI)

BEAVER VALLEY POWER STATION, UNIT NO. 2 (BVPS-2)

ENGINEERED SAFETY FEATUES ACTUATION SYSTEM (EFSAS)

SLAVE RELAY SURVEILLANCE TEST INTERVAL DOCKET NO. 50412 The Nuclear Regulatory Commission (NRC) staff has determined that the information below will be needed for the staff to complete its review of the licensee's request for amendment to allow extending the ESFAS slave relay surveillance test interval from 92 days to 12 months. The following questions relate to the licensee's application and accompanying topical report, WCAP-15887, "Probabilistic Risk Analysis [PRA] of the Slave-Relay Surveillance Test Interval Extension for Beaver Valley Power Station, Unit [No.] 2," Revision 1:

FirstEnergy Nuclear Operating Company FENOC) has confirmed with the NRC staff that the following questions relate to Revision 2 of WCAP15887 not Revision 1 as stated above and in the subject Request for Additional Information (RAI). It is also noted that questions 13, 14 and 15 inadvertently reference WCAP15877, insteadof WCAP-15887.

Furthernore,it should be noted that the ProbabilisticRisk Analysis (PRA) model used to develop the WCAP-15887 risk metrics, i. e., core damage frequency (CDF) and large early release frequency (LERF), was based on a pre-peer review model (BV2REV3A).

The sensitivity cases provided in response to these RAI questions were quantified using Revision 3B of the Beaver Valley Power Station Unit 2 (BVPS-2) PRA Model (BV2REV3B). This model revision incorporatedthe PRA Peer Review CategoryA and Category B observations that were found to potentially have an impact on the model.

These changes to the PRA model are frther addressed in response to RAI 2 and Attachment B. A comparison of the effects of the 12 month slave relay surveillance test interval (STI) extension to the Revision 3B Base Case is providedbelow:

Comparison of WCAP-15887, Rev. 2 Table 7-11 Effect of STIs on CDF and LERF WCAP-15887 Revision 3B Revision 3A Base Case 12 Month Base Case 12 Month CDF (per year) 1.64E-05 1.56E-05 1.62E-05 3.50E-05 3.54E-05 LERF (per year) 5.13E-07 5.55E-07 6.35E-07 1.13E-06 1.22E-06 ACDF (per year) 6.OE-07 3.8E-07 ALERF (per year) 8.0E-08 8.6E-08 Page 1 of3l

)

Attachment A (continued)

L-03-160

1. On page 4 of the enclosure to licensee's amendment request it is stated, "'Itihe master relays and slave relays are routinely tested to ensure operation. The test of the master relay energizes the relay, which then operates the contacts and applies a low voltage to the associated slave relays." For control circuits that include interposing relays, discuss how the test described in the submittal confirms the operability of the interposing relays.

Response to Question I The testing described in the subject paragraph on page 4 of the amendment request is the monthly testing of the master and slave relays from the Output Relay Test Panel of the Reactor Protection System. There are two types of quarterly tests performed that involve the interposing relays. These are GO testing and BLOCK testing. GO testing is performed for circuits that have equipment that may be operated during normal power operation. BLOCK testing is performed on circuits that the engineered safety feature (ESF) equipment cannot be safely operated during normal power operation. These tests are initiated from the Safeguards Test Cabinet.

In GO testing, the ESF end device is actuated by operating the associated slave relay and any interposing relay in the actuation circuit. This testing verifies that all protection equipment which is required to change status on an automatic actuation signal does so.

All equipment which can be repositioned on the signal without adverse affects on the unit will be actuated, then repositioned to its pre-actuation status. Operation of some equipment will have adverse effects on the unit, however, these components are tested as far as practicable without actually repositioning or operating the equipment. In cases such as this for valves or small pumps, a motor control center ( MCC) test set is used. As an example, a containment isolation Phase B (CIB) signal would close a particular valve.

However, closing the valve at power would result in adverse effects on the unit. Prior to testing this valve's slave relay, the power supply breaker to the valve is opened, thus preventing closure on a CIB signal. Control power fuses are removed, and the MCC test set is used as a replacement for control power for the valve contactor. After the slave relay is actuated, the MCC test set is used to provide contactor actuation.

In BLOCK testing, the actuation of the ESF actuated equipment is blocked. This testing is done for circuits that operate equipment that would have adverse impact on the unit during normal operation. This includes equipment that actuates for feedwater isolation, steamline isolation, turbine and feedwater pump trip, generator trip, reactor coolant pump underfrequency trip, and certain equipment actuated by containment isolation Phase A and containment isolation Phase B signals. The associated slave relay is operated and continuity through the slave relay contacts and the interposing relay in the circuit verifies operation of the slave relay. Testing of these interposing relays and actuated equipment is performed on a refueling basis. Section 7.1.2.4 of the BVPS-2 Updated Final Safety Analysis Report (UFSAR) provides a discussion of equipment not tested at power.

Page 2 of 31

Attachment A (continued)

L-03-160 A more detailed description of the slave relay testing is contained in Section 7.3.2.2.5 of the BVPS-2 UFSAR.

2. Regulatory Guide (RG) 1.174, Revision 1, discusses the quality of the PRA used to support an application with respect to scope, level of detail and technical acceptability. Topical Report WCAP-15887 states that the analysis is based on the plant-specific PRA model for BVPS-2. Provide a discussion on the applicability of RG 1.174, Section 2.2.3, "Quality of PRA Analysis" to WCAP-15887, Section 7.1.1, "Plant Model Acceptability." If a peer review was performed, provide the results of the peer review that specify A and B observations, and discuss the applicability and impact of any findings and their resolution to the proposed slave relay surveillance interval extension.

Response to Question 2 Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment In Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis", Section 2.23 states that the quality of a PRA analysis used to support an application is measured in terms of its appropriateness with respect to scope, level of detail and technical acceptability, and that these are to be commensurate with the application for which it is intended.

For this solid state protection system (SSPS) slave relay STI extension application, the scope of the PRA model used encompassed both Level 1 and Level 2, internal and external initiating events during power operation. Shutdown risk was not evaluated, since the purpose of the application is to extend the interval of SSPS slave relay surveillance tests conducted at power. Therefore, it is determined that the scope of the PRA model used to develop the risk metrics (CDF and LERF) for this application is appropriate.

The level of detail required for the PRA model must be sufficient to model the impact of the proposed change. WCAP-15887, Section 7.1.1, "Plant Model Acceptability" addresses this issue by stating that a detailed fault tree was developed that represents various SSPS failure states specifically for this application. This fault tree was then used to develop the necessary SSPS split fraction failure probabilities used in quantifying the CDF and LERF. The level of detail in this SSPS model includes the following attributes:

Appropriate actuation signals are included, as necessary, in the model to account for containment spray actuation, containment isolation, auxiliary feedwater pump start, main steam system isolation, and emergency core cooling system injection and recirculation.

Page 3 of 31

Attachment A (continued)

L-03-160

  • The model includes details of the most important ESF actuation signals (see WCAP-15887, Table 7-2) as described in Technical Specifications Table 4.3-2 from the actuating relays (interposing or slave) down to the sensor instrument.
  • The model includes all slave-relays and interposing-relays that play an active roll in mitigating the CDF sequences created by the support-state model. This negates the need to have fault tree gates represent specific trips as shown in Technical Specifications Table 4.3-2.

By varying the basic event failure rates for the relays in question due to the increased STI, a direct cause and effect relationship is established, which can then be used to assess the impact of the proposed change in terms of CDF and LERF, and the change in these frequencies.

The PRA technical acceptability of the model used in the development of this risk informed application has been demonstrated by a peer review process. This peer review was conducted in July 2002, by the Westinghouse Owner's Group (WOG), with the final documentation of the review issued in December 2002. As stated earlier, the PRA model used to develop the original WCAP risk metrics was based on a pre-peer review model (BV2REV3A). After the peer review, the preliminary Category A and B observations that potentially impacted the model were entered into the BVPS Corrective Action Program, dispositioned, and incorporated into an updated PRA model (BV2REV3B).

This updated PRA model was then used to quantify the sensitivity cases developed in response to this RAI.

The peer review resulted in 5 Category A and 19 Category B observations that could potentially impact the BVPS PRA model. It is noted that one of the Category B observations was initially classified as a Category C observation. Of these 24 observations 10 had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics remain within the acceptable RG 1.174 limits following resolution of the observations. Eleven did not impact the slave relay STI extension since they were shown not to impact the PRA model. Two of the observations slightly increased LERF, but had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics remain within the acceptable RG 1.174 limits following implementation of the observations. One of the observations, the one initially classified as Category C, was previously identified and incorporated into the WCAP-15887 analyses (See Section 7.4.3 of the WCAP). Thus, none of the PRA peer review Category A or B observations resulted in the proposed 12-month extension risk metrics being outside the acceptable RG 1.174 limits. Details of observations are provided in Attachment B.

Page 4 of 31

Attachment A (continued)

L-03-160

3. Provide a description of the licensee's processes and procedures for the maintenance and update of the PRA model including PRA software and model configuration in order to demonstrate that the model reflects the as-built, as-operated condition of the plant. Provide information on date and content of the last update of the BVPS-2 PRA.

Response to Question 3 The maintenance and updating of the BVPS PRA models are controlled by Administrative Procedure 12-ADM-2033, "Risk Management Program", and Business Practice BVBP-DES-0001, "Probabilistic Risk Assessment Guideline." The administrative procedure ensures that the PRA models are kept current with the plant design and operation, and provides the general processes used for configuration control of the PRA models in the areas of plant and system models, and data analysis. It also contains the requirements for PRA model periodic updating. The business practice provides guidance details for maintaining and updating the PRA models.

Currently, the BVPS PRA models were developed using RISKMAN for Windows, Version 4.10 PRA software, which is maintained as Software Quality Assurance Category B in the FENOC usable software program. The software was installed and tested against the verification model provided by the vendor to ensure that it functions properly on the personal computers. The verification model was reviewed and validated to be an appropriate test case. Software configuration control is maintained by only having one version of RISKMAN for Windows installed on the PRA group personal computers. Periodic updates to the RISKMAN software are provided by the vendor as part of a user's group. These updates undergo verification in accordance with the vendors quality assurance program and include enhancements and resolutions to identified problem reports.

The WCAP-15887 version of the PRA model (BV2REV3A) was completed and issued January 31, 2002. The RAI sensitivity version of the PRA model (BV2REV3B), which incorporated the PRA peer review observations identified in the response to RAI 2 and Attachment B, was completed and issued May 31, 2003. The results presented in these models are based on a "freeze date" of May 31, 2001 for both plant configuration and internal initiating events data. Equipment unavailabilities were based on the past two Maintenance Rule 18-month periodic assessments using availability history from April 1, 1997 to May 31, 2000. Component failure data were updated with actual BVPS-2 plant equipment failures using EPIX through December 31, 2000.

Page 5 of 31

Attachment A (continued)

L-03-160

4. Did the PRA for BVPS-2 model the slave relays or was the PRA modified to include the slave relay functions? It is not clear why the conservatism in the slave relay probabilities would be exaggerated by the quantification process.

Discuss what is meant by the statement in Section 7.2.1 of WCAP-15887 that

"... a [slave] relay failure probability higher than best-estimate would tend to overstate the failure probability represented by the SSPS [solid sate protection system] split fraction."

Response to Ouestion 4 The BVPS-2 PRA model was modified, as part of this program, to develop plant specific models for the reactor trip (RT) and ESF actuation signals. Table 7-1 of WCAP-15887 provides the list of signals that are now included in the model. These signals are modeled in the top event for the SSPS referred to as SA for train A, SB for train B, and SX for both trains. This top event models the RT and ESF actuation signals from the sensors through the process protection system and the logic cabinets, to the master, slave, and interposing relays. The reactor trip breakers are modeled in a separate top event. Prior to this program generic values were used for the SSPS split fractions, also referred to signal unavailabilities. These generic values also represented the signals from the sensors to the slave and interposing relays, and were based on similar, but not BVPS-2 plant specific models.

With regard to the statement "...a [slave] relay failure probability higher than best-estimate would tend to overstate the failure probability represented by the SSPS [solid state protection system] split fraction" the basic model quantification process needs to be understood. The BVPS-2 PRA model is a support state model, also referred to as a large event tree/small fault tree model, that was quantified in two separate steps for this program. The first step quantifies the fault tree that models the RT and ESF actuation signals, and provides the 72 split fractions for these signals that are used as input for the SA, SB, and SX top events in the event tree models. The second step quantifies the event tree models, including the support state model, to determine CDF and LERF.

There are conservatisms associated with this approach that overstate the importance of the slave and interposing relays to signal development. For example, to simplify the model it is assumed that failure of any single slave or interposing relay will fail the associated SSPS train. This particular assumption is important considering the number of signals assumed to be required, and components to be actuated, to successfully mitigate an event. As an example, the following ESF actuation signals are required to mitigate a non-isolable small, medium, and a large break loss-of-coolant-accident (LOCA). See Table 7-1 of WCAP-1 5887.

Attachment A (continued)

L-03-160

  • Safety injection
  • Containment isolation, Phase A
  • Containment isolation, Phase B
  • RWST/sump switchover
  • Quench spray All these signals are not necessarily required to mitigate a LOCA. If core damage is prevented, then the containment related signals may not be necessary for the LOCA events. In addition, the safety injection signal provides signals to some components that will also be provided by other signals. Auxiliary feedwater start is such an example. It is conservative to require both signals to start the auxiliary feedwater (AFW) system.

Using this approach reduced the number of SSPS split fractions required which reduces the number of fault trees that need to be developed to model the SSPS. Although this approach simplifies the model, it results in a conservative model. In this case, additional slave and interposing relays are required to function whose failure would not impact event mitigation. This leads to an overstatement of the importance of the slave and interposing relays in the BVPS-2 PRA model, and makes the results of this analysis more sensitive to the failure probability used for the slave and interposing relays. Therefore, it is important in this analysis to select an appropriate relay failure probability.

5.a Provide a discussion on the applicability of using generic demand failure rate for the slave and interposing relays installed at BVPS-2. WCAP-13877 provides a reliability assessment for Westinghouse Type AR relays of 4.4E-08 failures per hour. WCAP-13877 also states that although Type AR relays are industrial control relays, the use of an industrial control relay in SSPS applications is not typical and further states that standard references for industrial control relay reliability have little relevance to the SSPS slave relay application.

Response to Question 5.a WCAP-13877' provides relay failure rates in terms of demands and hours based on nuclear industry experience. One of the conclusions from WCAP-13877 is that the probability of failure of these relays to actuate when demanded is not strongly dependent on the test interval. All components, including relays, can fail due to either the stress from the demand or due to failures between demands while the component is in standby.

If the predominant failure mode is due to failures between demands, then the failure probability of the relays would be expected to increase as the interval between demands increases. This was not seen to be the case in WCAP-13877. Therefore, the predominant

'The non proprietary version of WCAP-13877 is WCAP-14129 (Reference 4 in WCAP-15887).

Page 7 of 31

Attachment A (continued)

L-03-160 failure mode is due to the stress of the demand. Given this, the demand failure rate is the correct one to use.

The same demand failure probability was used for both slave and interposing relays.

This was done for the following two reasons:

  • Generic failure rate data is not available for different relay types. This is true for most components. For example, valves may be grouped according to their operator type; motor, air, or solenoid, but failure rates according to some other characteristic are not available. Relays are generally grouped into one large category or may be further divided into several categories that define the type of relays, such as, electromechanical relays, solid state relays, or timer relays. A further breakdown of relay types is not available. Therefore, this analysis was done consistent with available generic data and consistent with PRA models in general.
  • The data collected based on BVPS operating experience does not support different failure rates for the different relay types. This is apparent from examining the operating experience for the various relay types presented in Table 7-6 of WCAP-15887. There is nothing in the operating history to suggest that one type of relay is more or less reliable than another type.

If the hourly failure rate reported in WCAP-13877 was used in the analysis, then the probability of failure, for quarterly testing, would have been:

FP = XT/2 = 4.4E-08/hr x 730 hr/month x 3 months/2 = 4.8E-05 This is lower than the failure probability used in the analysis (1.4E-04/demand) and, if used, would result in a smaller impact on CDF and LERF related to the STI increase.

Therefore, using the demand failure rate is conservative.

The statement "... that the standard references for industrial control relay reliability have little relevance to the SSPS slave relay application", in Section 11.0 of WCAP-13877, refers to the use of AR relays as slave relays. WCAP-13877 states that for industrial control relays, reliability is based on the number of failures per 10,000, 100,000, or 1,000,000 relay operations. This is based on the expectation that relays in industrial applications will accumulate from 10,000 to (in excess of) 1,000,000 cycles of operation over their service life and often these relays are operating in ambient conditions which are not necessarily clean or climate controlled. When these relays are used in a nuclear power plant environment, as in the application to actuate safety systems to mitigate accidents, they are subject to milder environmental conditions and are not subject to other industrial application conditions, which challenge relay reliability. In addition, the relays associated with ESF actuation system are subject to approximately 1000 actuations in a 40 year life, much less than industrial applications. Based on this, the failure rates for Page 8 of 31

Attachment A (continued)

L-03-160 these relays in standard references are not consistent with the conditions these relays operate under as part of the ESF actuation system and, therefore, the standard references would not provide an appropriate failure rate to use in this analysis.

5.b Based on the sensitivity of slave relays to surveillance test interval extension as noted in WCAP-10271 Supplement 2, and the reliability analysis performed in WCAP-13878 and WCAP-13877, provide a basis for the generic application of relay failure data to the interposing relays installed at BVPS-2.

The NRC staff notes that Appendix E of WCAP-13877 states that since interposing relays can affect the ultimate function of the slave relay to actuate the required component, interposing relays reliability must be comparable to that of the associated slave relay. Please provide this comparison.

Response to Question 5.b The basis for applying generic relay failure data to the interposing relays was provided in the response to RAI 5a; i.e., generic failure rate data is not available for the different relay types, and the data collected based on BVPS operating experience does not support different failure rates for the different relay types.

The reliability of the slave and interposing relays were determined to be comparable based on a review of the BVPS-2 quarterly operating history for slave and interposing relays from 1996 to 2001. This review did not identify any specific issues regarding the reliability of either of these types of relays. In addition, the plant specific relay operating data collected for BVPS also supports using the same generic failure rate for the interposing relays that was used for the slave relays. That is, neither the interposing relays nor slave relays have a poor performance history. In fact, few failures of either have occurred. Therefore, it was considered appropriate that the same generic failure rate could be used for all slave and interposing relay types.

5.c Topical Report WCAP-15887 states that the approach used in WCAP-13878 and WCAP-13877 cannot be applied to other relay types or interposing relays because there is insufficient numbers of other slave relay types to develop meaningful component failure reliability values. It is noted that BVPS-2 utilizes slave relays of the type evaluated in the topical reports but does not use interposing relays covered in the topical reports. The failure rates used for the interposing relays are based on generic data not directly related to the earlier topical report evaluations. Discuss the applicability of generic data to the interposing relays installed at BVPS-2.

Response to Question 5.c As discussed in Section 7.2.2 of WCAP-15887, several data sources were reviewed to determine a generic relay failure rate. These included the following:

Page 9 of 31

Attachment A (continued)

L-03-160

  • Advanced Light Water Reactor Utility Requirements Document, EPRI (Reference 6 inWCAP-15887)
  • "Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR) -

Data Manual" (Reference 10 in WCAP-15887)

  • "Reliability Assessment of Westinghouse Type AR Relays Used as SSPS Slave Relays" (Reference 4 of WCAP-15887)
  • "Reliability Assessment of Potter & Brumfield MDR Series Relays" (Reference 5 of WCAP-15887)

As noted in the response to RAI 5a, relays are generally grouped into one large category or may be further divided into several categories that define a broad classification of relays, such as, electromechanical relays, solid state relays, or timer relays. Generic failure rates are not available for different relay types with regard to manufacturer or some other more specific characteristic, which is true for most components. Therefore, a further breakdown of relay types is not available in generic data sources, particularly for the application for these relays in an environment and with demand requirements typical for a nuclear power plant safety system.

The relay failure rates provided in the first two references are consistent with the industry's experience with AR and MDR relays. In addition, the plant specific relay operating data collected for BVPS also supports using the same generic failure rate for the interposing relays that was used for the slave relays. That is, neither the interposing relays nor slave relays have a poor performance history. In fact, few failures of either have occurred. Therefore, it was concluded that the same generic failure rate could be used for all relay types.

6. Provide a discussion on the applicability of WCAP 13877 and WCAP 13878 to the BVPS-2 slave relay extension request with respect to the conditions presented in the NRC staff safety evaluation report (SER) for each topical report. For example: (1) ensure that the revised surveillance interval is such that the licensee can detect an ESFAS subgroup relay failure prior to the occurrence of a second failure; (2) ensure that the procurement program for Potter and Brumfield relays is adequate to detect failures noted in the topical report; (3) ensure that all pre-1992 Potter and Brumfield MDR relays used in either normally energized, or a 20% duty cycle have been removed from ESFAS applications; (4) ensure that a contact loading analysis has been performed; (5) ensure that the qualified life for Type AR relays is based on plant-specific environmental conditions; and, (6) ensure that a program to evaluate the adequacy of the proposed test interval if two or more AR relays fail in a 12 month period is established.

Page 10 of 31

Attachment A (continued)

L-03-160 Response to Question 6 The approach used in WCAP-13877 2 and WCAP-13878 3 is based on a failure mode and effects analysis and an aging assessment, supplemented with a data collection effort to determine failure rates for relays tested at different intervals. The approach used in WCAP-15887 is based on the risk-informed approach described in RG 1.174 and supplemented by a data collection effort to determine the previous performance of slave and interposing relays with regard to reliability. The approach used in WCAP-15887 assumes the relay failure probability will increase linearly with the test interval. As noted in Section 2.3.3.1 of RG 1.175, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Inservice Testing", this is conservative in the sense that it scales the test-interval-independent contribution along with the test-interval-dependent contribution to component failure probability, and in that respect tends to overstate the effect of test interval extension. WCAP-13877 and WCAP-13878 did not assess the potential impact on risk using a risk-informed approach, but relied on studies to demonstrate that the test interval does not impact the failure probability of the relays or that the test interval has only a small impact. In addition, the approach used in WCAP-15887 examined the operating history for slave and interposing relays from 1996 to 2001. Based on this, no specific issues were identified regarding the reliability of these relays. The relays are highly reliable and no operating concerns were identified.

Given that 1) the two approaches are significantly different, 2) this program is not changing the relay design, relay operating environment, or contact loading requirements, and 3) no relay reliability issues have been identified via the data collection effort, then the acceptance conditions presented in the NRC Staff's SERs on WCAP-13877 and WCAP-13878 are not applicable to this study. Further, if issues with the operability of one of the relay types do develop in the future, it would be identified via the Maintenance Rule. Any necessary actions would be addressed and tracked through the BVPS Corrective Action Program. It is also noted that applicable NRC generic communications issued on relay types used in BVPS-2 would be addressed regardless of WCAP-15887.

7. With respect to external events, provide an assessment of the risk impact of seismic events, fires, floods and other external events on the proposed slave relay extended surveillance interval for both core damage frequency (CDF) and large early release frequency (LERF).

Response to Ouestion 7 The CDF and LERF values reported in WCAP-15887, as well as, the sensitivity cases performed in response to this RAI include both internal and external (seismic and fire) initiating events. As reported in the BVPS-2 Individual Plant Evaluation of External 2 The non proprietary version of WCAP-13877 is WCAP-14129 (Reference 4 in WCAP-15887).

3 The non proprietary version of WCAP-13878 is WCAP-14117 (Reference 5 in WCAP-15887).

Page 11 of 31

Attachment A (continued)

  • L-03-160 Events (IPEEE) submittal, other types of external events (e.g., external floods and transportation accidents) were below the NUREG-1407 screening criteria of 1.OE-06 per year, and were not evaluated further.
8. Cumulative risk - the amendment discusses current programs underway but does not provide details on previous risk informed submittals and their cumulative impact on the proposed slave relay surveillance interval extension.

Discuss any previous risk informed amendment requests besides the proposed extended power uprate and containment conversion, that might impact the results for this application. Verify that the proposed extended slave relay surveillance interval and Beaver Valley PRA reflect these changes including cumulative risk.

Response to Question 8 (Part 1)

A review was conducted of previously submitted risk-informed License Amendment Requests (LARs) to determine potential impact on the slave relay STI extension submittal. The review found only two risk-informed LARs that could potentially impact the slave relay STI extension submittal. One of these submittals was the accumulator allowed outage time extension request (LARs 285 and 156). This request was approved on February 25, 2003 as License Amendments 253 and 133. The other was the containment integrated leak rate test extension request (LARs 299 and 171). This request was approved on March 5, 2003 as License Amendments 254 and 134.

For the accumulator allowed outage time extension request, the CDF and LERF risk metrics were based on WCAP-15049-A, Revision 1, "Risk-Informed Evaluation of an Extension to Accumulator Completion Times." This WCAP concluded that there was a small increase in CDF using a multitude of conservative assumptions and data in the modeling. It also identified that the accumulator reliability has no direct impact on the containment performance, and LERF would only increase in direct proportion to the increased CDF due to accumulator failures. Furthermore, the PRA model periodic update process assesses plant data and adjusts the component failure rates accordingly during the data analysis updating portion.

For the containment integrated leak rate test extension request, CDF and LERF risk metrics were based on WCAP-15691, Revision 4, "Joint Applications Report for Containment Integrated Leak Rate Test Interval Extension." In this analysis the CDF was not changed as a result of the extended integrated leak rate test interval.

Additionally, the increase in LERF was due solely to a small increase (0.04/0) in conditional containment unreliability, which was considered to be a very conservative estimate of potential containment releases that may result from extension of type A containment leak rate testing. It is also be noted that the assumed containment liner failures contributing to the LERF from the integrated leak rate test extension would currently be precluded due to the subatmospheric containment design.

Page 12 of 31

Attachment A (continued) - -

L-03-160 These amendments were based on hypothetical increases in risk associated the extension of time periods and not on any physical changes to the plant. It was therefore, determined that incorporation of these license amendments would not directly impact the proposed slave relay STI extension.

A previous review was conducted for the extended power uprate and containment conversion submittals as addressed in the STI extension request submittal, i.e., FENOC letter L-03-005 dated February 4, 2003.

Please provide the cumulative impacts of implementing at BVPS-2, WCAP-10271, Supplement 2, WCAP-14333, and WCAP-15376, when combined with WCAP-15887.

Response to Question 8 (Part 2)

Table 1 provides a summary of the cumulative CDF impact. This includes the generic CDF impact from implementing the STI, allowed outage time (AOT), and bypass test time changes justified in WCAP-10271 including Supplement 2, WCAP-14333, and WCAP-15376 for the RT and ESF actuation signals. These are provided for 2/3 channel logic and 2/4 channel logic.

Table 1 - Cumulative CDF Impact of Changes to Reactor Protection System STIs, AOTs, and Bypass Test Times Case 2/4 Logic 2/3 Logic Pre WCAP-10271 to WCAP-15376 Changes 5.7E-07/year l.lE-06/year' WCAP-15887 Changes 6.0E-07/yeari 6.OE-07/year 2 Total CDF Impact 1.2E-06/year 1.7E-06/year Notes:

1 From Table 8.33 of WCAP-15376-P-A, Rev. 1.

2 From Table 7-11 of WCAP-15887, Rev. 2.

Table 8.33 of WCAP-15376 provides the cumulative CDF impact for 2/4 and 2/3 channel logic for the changes approved in WCAP-10271 including Supplement 2, WCAP-14333, and WCAP-15376. These values overstate the cumulative impact since the analyses used to calculate the impact were generic and conservative which was necessary to ensure they were applicable to all WOG plants. Therefore, several conservative assumptions form the basis for the analysis. These conservative assumptions are:

  • the full AOT is used for all maintenance activities
  • the full test time is used for test activities
  • testing is done in bypass, that is, the channel is not available Page 13 of 31

- 'Attachment A (continued)

L-03-160 In practice, the full AOT and the full test time are not used for all maintenance and test activities. It is common practice to use significantly less time. In addition, the BVPS tests analog channels in the tripped state, not the bypassed state. Testing in trip changes the trip logic from a 2/4 logic to a 1/3 logic, whereas testing in bypass changes the trip logic from a 2/4 logic to a 2/3 logic. Assuming the testing is done in bypass provides for conservative results, that is, the CDF impact is overstated.

The BVPS-2 analysis also overstates the impact of the slave and interposing relay STI increase on CDF. As discussed in the response to RAI 6, the approach used in WCAP-15887 assumes that the relay failure probability will increase linearly with the test interval. As noted in Section 2.3.3.1 of RG 1.175, this is conservative in the sense that it scales the test-interval-independent contribution along with the test-interval-dependent contribution to component failure probability, and in that respect tends to overstate the effect of test interval extension and therefore, the impact on CDF.

It should also be noted that BVPS-2 develops signals using both 2/3 logic and 2/4 logic, the actual cumulative impact applicable to BVPS-2 will be between the two CDF values reported above.

It is not possible to show a similar table for the cumulative LERF impact since ALERF values are not available in WCAP-15376 from implementing the STI, AOT, and bypass test time changes justified in WCAP-10271 including Supplement 2 and WCAP-14333.

But WCAP-15376 does provide the ALERF values for implementing the STI, AOT, and bypass time changes between WCAP-14333 and WCAP-15376. These values, along with the ALERF values from WCAP-15887, are provided in Table 2.

Table 2 - Cumulative LERF Impact of Changes to Reactor Protection System STIs, AOTs, and Bypass Test Times Case 2/4 Logic 2/3 Logic WCAP-14333 to WCAP-15376 Changes 3.1E-08/yearl 5.7E-08/year' WCAP-15887 Changes 8.0E-08/yeai J 8.OE-08/year 2 Total LERF Impact l.1E-07/year 1.4E-07/year Notes:

I From Table 8.32 ofWCAP-15376-P-A, Rev. 1.

2 From Table 7-11 of WCAP-15887, Rev. 2.

As discussed above, these values overstate the impact on LERF for the same reasons the impact on CDF is overstated.

Furthermore, if the STI, AOT, and bypass time changes do have an adverse impact on the availability of the reactor protection system, this would become evident through Maintenance Rule requirements, and appropriate actions would be taken to restore the availability for the system to appropriate levels.

Page 14 of 31

Attachment A (continued)

L-03-160 The amendment request states that a plant specific analysis would show a smaller impact - but the analysis for BVPS-2 does not include relaxations for the master relays, logic cabinets, or analog channels as analyzed by WCAP-10271, Supplement 2; thus a direct comparison is not valid. Essentially, the cumulative risk has been broken up with just a plant-specific request for the slave relays (12 months). WCAP-10271, Supplement 2, was not limited to slave relay assessment. Have these relaxations accepted in WCAP-10271, Supplement 2, been implemented at BVPS-2? See page 1-1 of WCAP-15887 of the submittal.

Response to Question 8 (Part 3)

The changes justified in WCAP-10271, Supplement 2, have not been implemented at BVPS-2. WCAP-10271, Supplement 2, evaluated changes to STIs, AOTs, and bypass test times for the ESF actuation signals. The specific components included the analog channels, logic cabinets, master relays, and slave relays. One of the conclusions from this study was that the analysis could not support slave relay STI changes from 3 months to 18 months. A conservative approach was taken in the WCAP-10271, Supplement 2 analysis, since it was generic and was required to be applicable to all WOG plants. It was also concluded that changes to slave relay STIs based on a risk approach could not be successfully completed using such a conservative, generic approach. The approach presented and used in WCAP-15887 builds on this experience and uses a plant specific approach that removes some of the conservatism required in the generic approach. The plant specific information used in WCAP-15887 included use of the BVPS-2 PRA model, BVPS slave and interposing relay reliability information, and BVPS-2 slave and interposing relay configurations. Therefore, the plant specific assessment used in WCAP-15887 was expected to show smaller, more realistic, impacts of the STI changes on CDF and LERF than the calculations supporting WCAP-10271, Supplement 2 provided. The statement on Page 1-1 of WCAP-15887 which begins "Plant specific evaluations using updated plant PRA models..." is in reference to the slave relay STI changes only, since that is the subject of WCAP-15887.

9. Discuss the applicability of WCAP-15887 to future acquisition of relays that may be used to replace the relays evaluated in the topical report.

Response to Question 9 As discussed in responses to RAI questions 5a, b and 5c, the same demand failure probability was used for both slave and interposing relays, consistent with available generic relay failure data and consistent with PRA models in general. See RAI question 5a for additional discussion on the use of generic relay failure data. Use of generic failure data for relays enables the use of different relays in the future. Since all relays are given the same failure rate replacing relays would not impact the PRA results. In Page 15 of 31

Attachment A (continued)

L-03-160 addition, the use of industry operating experience would be utilized in the design change process to identify and screen out potential poor performing replacement relays.

10. Provide additional information about BVPS-2 risk significant configurations and risk configuration management program (tier 2 and 3) that confirm the program's conformance to 10 CFR 50.65(a)(4) requirements regarding the proposed 12-month slave relay surveillance test interval.

Response to Question 0 A Tier 2 "Avoidance of Risk-Significant Plant Configurations" approach was used to identify any potentially high-risk configurations. The PRA model used in the evaluation of extended slave relay STI includes component unavailability due to maintenance and test configurations, which is based on actual BVPS-2 plant data collected as part of the Maintenance Rule program. Therefore, the CDF and LERF results presented in WCAP-15887 (and in response to this RAI) already account for average maintenance unavailability of components in addition to the supposed impact from the 12-month slave relay STI extension. Since these results did not identify any potentially high-risk configurations that could exist if equipment in addition to that associated with the change were to be taken out of service simultaneously, or other risk-significant operational factors such as concurrent system or equipment testing were also involved, the need for any additional Technical Specification constraints or compensatory actions are not warranted.

Conformance to the Tier 3 "Risk-Informed Configuration Risk Management" requirements is provided by the Maintenance Rule Administrative Procedure, l/2-ADM-2114, which defines how the Maintenance Rule (10 CFR 50.65) Program at BVPS is implemented, and also delineates the responsibilities for personnel involved in the removal of maintenance rule structures, systems and components (SSCs) from service.

Other procedures; NOP-WM-2001 "Work Management Process" and 1/2-ADM-0804, "On-Line Work Management and Risk Assessment", address consideration of safety impact for Modes 1 and 2, and optionally Mode 3. These procedures provide for the sequencing of maintenance activities using a 12-week rotating schedule, with a "protected train" concept. A PRA-based, daily risk profile analysis using Safety Monitor software is also used to assess the safety impact of removing SSCs from service. Each weekly work schedule is reviewed in advance by probabilistic safety assessment (PSA) personnel. Operations has overall responsibility to ensure that SSCs being removed from service, 1) are consistent with a PSA-reviewed work schedule, 2) do not significantly impact overall plant safety based on an evaluation which uses the PRA, or 3) are reviewed in advance by PSA personnel if the configuration has not been previously evaluated.

Page 16 of 31

Attachment A (continued)

L-03-160 Adherence to these procedures provides the establishment of an overall configuration risk management program at BVPS to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for in conjunction with the implementation of the proposed 12-month slave relay STI.

11. Discuss component setpoint issues (drift, calibration, analysis assumptions, and component drift accounted for) for timing relays. These characteristics are not discussed in the topical report. Are the failure modes of these relays consistent with non-timer relays? Should these relays be grouped with the rest of the population?

Response to Question 11 Extending the slave relay surveillance interval will have no impact on component setpoint issues. The timing relays are not calibrated on a quarterly basis. The only timing relays that have their time settings checked on a quarterly basis are the ART-ON timer attachments to K632A and K632B. Previously these relays were checked on an 18 month frequency, but were changed to quarterly as part of a procedure consolidation. If one of these relays is found outside of its desired range of 8 - 12 seconds (the required range is 3 -15 seconds), it is adjusted to fall within the required range. The time delay for the turbine driven auxiliary feedwater pump starting is part of the time that satisfies the Technical Specification 4.3.2.1.3 18 month ESF time response requirement located in Licensing Requirements Manual Table 3.2-1.

The additional failure mode associated with the timing relays is that the relay does not operate at the time which it is credited in the accident analyses. In the PRA this would only be considered a failure if the time of operation was not conservative with respect to accomplishing the required safety function. In this case, the PRA would treat the relay timing no differently than any failure on demand. If the timing was such that the safety function was still accomplished, then it would not be treated as a failure in the PRA.

From this standpoint, it is logical to group timing relays with other relays. Additionally, the response to RAI questions 5a and 5c discuss the grouping of the timing relays with other relays. The response to RAI question 16 provides results of sensitivity cases related to varying the failure rates of certain relay types.

12. Provide additional discussion for the statement that the SSPS split fraction values are included in the CDF sequence cutsets and include contributions from reactor trip system (RTS) component failures. Page 7-3 of topical report.

Page 17 of 31

Attachment A (continued)

L-03-1 60 Response to Question 12 The top events in the BVPS-2 PRA that model the SSPS are SA, SB, and SX. SA models the unavailability of train A of the SSPS, SB models the unavailability of train B of the SSPS, and SX models the unavailability of trains A and B of the SSPS. The SSPS models include the components that are used to develop RT signals and ESF actuation signals. This includes the analog channels, logic cabinets, master relays, slave relays, and interposing relays. The reactor trip breakers are modeled in a separate top event. Since components required for generation of the RT signals, excluding the reactor trip breakers, are included in the same top event(s) as the components used to generate ESF actuation signals, then a component that would fail generation of a RT signal also would fail generation of an ESF actuation signal. But this is not always the case. Depending on the component failure, the RT signal may fail, but an ESF actuation signal could still be developed. For example, failure to generate a RT signal due to failure of the undervoltage driver card would not have an impact on generation of the ESF actuation signal since this card is only used to generate RT signals. Using this modeling approach simplifies the model, but will overstate the plant's CDF since it is assumed that any failure in the SSPS will lead to a failure of the ESF actuation signals. This leads to a conservative assessment of CDF.

13. Was BVPS-1 relay data analysis included? The last paragraph of page 744 of WCAP-15887 states that operating experience for both Beaver Valley units was reviewed. But the third paragraph of page 7-44 states that test data for BVPS-1 and 2 shows that there was only one failure in 4311 quarterly demands. Discuss why the Bayesian update includes only quarterly tests and did not include monthly data for BVPS-2 (see paragraph 4 on page 7-44).

What would be the effect of incorporating BVPS-1 monthly data in the analysis?

Response to Ouestion 13 Quarterly test data for slave relays was included from BVPS-1. All the slave relays on BVPS-1 are AR440AR type relays, but most are tested either at monthly or refueling intervals. Out of the 1556 quarterly test demands listed in Table 7-6 for AR440AR relays, only 150 are from BVPS-1. In addition, there were no failures associated with these BVPS-I tests.

Interposing relay failure information for BVPS-1 was not included in the analysis. In a subsequent review of BVPS-1 interposing relay test performance, one potential relay failure was identified. A relay timer on BVPS-1, that was not specifically identified in the test procedure as part of the test, did not start on a CIB signal from BVPS-2. In follow-up testing the relay operated correctly. Since BVPS-l interposing relay demand data was not used in the analysis, this potential relay failure was not included in the data analysis either. But a sensitivity analysis is included in the response to RAI 16 that Page 18 of 31

-Attachment A (continued) * .

L-03-160 doubles the relay failure probability used for slave and interposing relays. This sensitivity analysis supported the conclusions of the study.

The data analysis approach only included quarterly test data (demands and failures) from BVPS-1 and BVPS-2 since this is the base (or current) test interval to be extended on BVPS-2. Including the monthly test data from BVPS-1 would not be consistent with the test interval (quarterly) on BVPS-2 that is under consideration for extension.

Including the monthly test data from BVPS-1 would have the following impact on the results of the analysis. As stated above, all the slave relays on BVPS-I are AR440AR relays. The number of test actuations and failures from monthly tests are:

  • Number of demands in the monthly test - 1211
  • Number of failures in the monthly test - 1 Note that in Section 7.2.2 of WCAP-15887 it is stated that there were four failures of relays during tests on BVPS-1 and that three of these were during monthly tests. Further investigation showed there were actually five relay failures and that four of these occurred during monthly tests. But, only one of these failures actually resulted in failure to actuate equipment, therefore, the failure count is one.

Including the monthly failure data from BVPS-1 increases the total demand count to 5522 with 2 failures. Using this information to Bayesian update the prior value of 1.4E-04/demand provides a posterior value of 1.99E-04/demand. This value was then used as the failure rate for the slave and interposing relays for quarterly testing and increased by a factor of four for the 12 month test interval.

The BVPS-2 PRA model (Revision 3B) was requantified with the quarterly test interval value of 1.99E-04/demand and the 12 month test interval value of 7.96E-04/demand (1.99E-04/demand x 4). The results, in terms on CDF and LERF, are provided in Table 3.

Table 3 - Risk Results for the Relay STI Increase Including Monthly Relay Data Case Core Damage Frequency Large Early Release Frequency 3 Month Test Interval 3.50E-05/year 1.14E-06/year 12 Month Test Interval 3.55E-05/year 1.26E-06/year Increase 5.2E-07/year 1.2E-07/year The impact on CDF is less than L.OE-06 per year, which is defined as a very small impact in RG 1.174. The impact on LERF is slightly greater than L.OE-07 per year which is defined as a very small impact in RG 1.174. Therefore, both values meet the acceptance guidelines. The LERF value meets the guideline that states when the calculated increase in LERF is in the range of E-07 per reactor year to E-06 per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than Page 19 of 31

-Attachment A (continued)

L-03-160 E-05 per reactor year. As shown in Table 3, the LERF is well below E-05 per reactor year. The BVPS-2 model includes both internal and external events.

14. Discuss why the primary contributors to SSPS split fractions discussed on page 741 of WCAP-15887 are single failures? WCAP-10271, Supplement 2, states that slave relay common cause is the major contributor to SSPS unavailability.

Earlier WCAPs noted that slave relay common cause failures are the major contributor to SSPS unavailability. Page 7-45 of WCAP-15887 states that the common cause probability is set to 0.1 and states that if the analysis is not sensitive to common cause then further investigation is not required. Provide a discussion on the slave and interposing relay sensitivity to common cause factors. Please also discuss the contribution of common cause relay failures.

Response to Question 14 The fault trees for the BVPS SSPS model were conservatively built, such that the failure of any single SSPS function, which was required to mitigate the initiating event (e.g.,

auxiliary feedwater or safety injection actuation), resulted in the failure of the top event.

Therefore, failures of a single relay (master, slave, or interposing) for the single train SSPS models resulted in a minimal cutset of the top event, so common cause failures between relays located in the same train were not modeled. Failure of both trains of SSPS did include a basic event for the common cause failure of slave relays.

In previous WOG studies, common cause failure of slave relays was identified as a significant contributor to signal unavailability for the two-train case, that is, failure of trains A and B of engineered safety feature actuation system (ESFAS). For failure of single trains of ESFAS, common cause failure of slave relays is not addressed since the failure of any single slave relay will cause failure of the automatic signal. As noted, the earlier WOG studies showed the slave relay common cause failure to be an important contributor to ESFAS unavailability for the two train case, but the importance of the common cause contribution to risk, as measured by CDF and LERF, is the key consideration. This common cause contribution only appears in accident sequences with failures of both trains of ESFAS. Very often, the sequences that are important to risk are those with failure of a single train of ESFAS and failure of a fluid safety system, such as emergency core cooling, on the other train. Therefore, the importance of slave relay common cause failure is determined by the risk analysis, not the two train unavailability analysis. The statement given in the RAI, that slave relay common cause failures are a major contributor to SSPS unavailability, is true in the WCAP-10271 study which was from the perspective of failure of both trains of the signals. In this current study, common cause failure of the slave relays is still a contributor to failure of both trains, but not an important contributor to risk since, as noted above, the single train failures are more important. With regard to the contribution of slave relay common cause failure to Page 20 of 31

Attachment A (continued)

L-03-160 dual train failure in the current study versus the WCAP-10271 study, this contribution is smaller in the current study due to the use of an improved industry specific slave relay failure rate and a more realistic slave relay Beta factor.

The common cause failures identified on Page 7-45 of WCAP-15887 were modeled between the two trains of SSPS. These were included in a dual train SSPS (SX) fault tree, which basically combined the two single SSPS trains through an AND gate. The split fractions obtained from using this fault tree are then mathematically combined with the single train SSPS split fractions to calculate conditional failure probabilities of the second train of SSPS (i.e., the probability that the second SSPS train fails is dependent on the outcome of the first train due to common cause failures). In the cases presented in WCAP-15887, the Beta factor for the slave relays was 0.1. This value is thought to be conservative when compared to the RISKMAN generic Beta factor of 0.07 for mechanical relays failing to actuate, and which is also a more typical Beta factor as discussed in WCAP -15887, Section 7.2.3. Since the cutsets obtained using this 0.1 value for the slave relay common cause factors did not show a significant contribution to the split fraction value (typically less than 2% for the 3-month test interval, and less than 3% for the 12-month test interval), further cases were not warranted.

Additionally, common cause failure of interposing relays was not explicitly modeled for the following reasons:

  • Initial sensitivity studies in the program demonstrated that common cause failure of slave and interposing relays is not important to CDF and LERF due to the relatively low importance of the SX (dual train) split fractions to CDF and LERF.

Single train ESFAS failures with the failure of a safety system train, such as emergency core cooling system, on the opposite train are more important.

  • Interposing relay common cause failure could be modeled with the same approach that was followed for the slave relays, and it is seen that slave relay common cause failure is not important. This is demonstrated in the sensitivity case that follows which doubled the slave relay common cause failure contribution, but showed only a small impact on CDF and LERF.
  • Interposing relays can be one of a number of different types of relays and common cause failures are not usually modeled across different component types.
  • For some component actuations, multiple relays provide the actuation signals, such as for the emergency diesel generators that have two start circuits on safety injection, with each actuated by a separate interposing relay.
  • Assuming that the failure of two interposing relays, which fail to actuate similar accident mitigation system components in opposite trains, fails all of the ESFAS is very conservative in many cases. Often other systems can be used to mitigate the same event.

Page 21 of 31

Attachment A (continued)

L-03-1 60

  • Each interposing relay actuates a limited number of components. To assume that event mitigation will fail due to common cause failure of two interposing relays (and the limited number of components that fail to actuate) is very conservative.

In response to this RAI, a sensitivity analysis was performed by setting the slave relay common cause Beta factor to 0.2. The results of this sensitivity, as well as, the base case values using a Beta factor of 0.1 in the BV2REV3B PRA model are presented in Table 4.

Table 4 - Risk Results for the Relay STI Increase Common Cause Factor Sensitivity Case Revision 3B Base Case (Beta=0.1) Core Damage Frequency Large Early Release Frequency 3 Month Test Interval 3.4975E-05/year 1.1300E-06/year 12 Month Test Interval 3.5357E-05/year 1.2164E-06/year Increase 3.81 E-07/year 8.64E-08/year Sensitivity Case (Beta=0.2) 3 Month Test Interval 3.4982E-05/year 1.1308E-06/year 12 Month Test Interval 3.5381E-05/year 1.2195E-06/year Increase 4.OOE-07/year 8.88E-08/year Note that 5 digits are necessary to show the small impact on CDF and LERF.

As shown in Table 4, by doubling the slave relay common cause factor from 0.1 to 0.2, the overall impact to CDF was less than 2.OE-08 per year (4.OOE 3.8 E-07), and the impact to LERF was slightly over 2.OE-09 per year (8.88E 8.64E-08). These represent less than a 5% increase to CDF and less than a 3% increase to LERF. This sensitivity further justifies the low impact of the slave relay common cause failures on the overall results presented in WCAP-15887.

15. In Table 7-6 on page 7-43 of WCAP-15887, total demands are listed as 4311 with 1702 demands coming from AR type relays with the only failure noted being an AR relay. There are 15 other relays listed with no failures noted. A combined demand failure rate is given. Are the uncertainties of the data accurately reflected in this result? With limited data for some of the other relays, is this an accurate demand failure rate for the relay population? The demand failure rate for AR relays would be 5.88E-4, significantly more than the 1.4E-4 selected as the previous demand failure rate or 1.56E-4 chosen as the updated demand failure rate. The plant-specific demand failure rate may be population-averaged which affects the resulting updated failure rates. Has this been accounted for (population variability curve)? In addition, the prior data, although limited to the same relay types, may be plant-averaged and may not represent the full uncertainty of the data. Please discuss these uncertainties.

Page 22 of 31

Attachment A (continued)

L-03-160 Response to Question 15 The problem with using only plant specific data is in obtaining a sufficient number of actuations to calculate a meaningful failure rate. The previous studies on AR relays (WCAP-14129, Reference 4 in WCAP-15887) and MRD relays (WCAP-14117, Reference 5 in WCAP-15887) collected data from a number of plants, so a relatively large amount of data was obtained. With a single plant, it is not always possible to collect a sufficient amount of data to calculate failure rates due to the low number of demands. This is particularly true for highly reliable components when numerically small failure rates are expected, such as with the slave relays. In such situations, pooling data across plants is a common and accepted practice.

The failure rate developed for the AR relays in WCAP-14129 is based on over 20,000 quarterly test demands. The BVPS data was collected and examined to determine if there is any reason to suspect that the BVPS plant specific experience is not consistent with the industry experience as presented in WCAP-14129. The BVPS data identified 1702 quarterly actuations for AR440AR, AR880AR, and ARD relays, as noted above, with only one failure. Based on only one failure, there is no evidence to conclude that the BVPS experience with these types of relays is inconsistent with the industry's experience, therefore, using the failure rate of 1.4E-04/demand for the prior in the Bayesian update process is acceptable.

Furthermore, it can be shown by using a binomial distribution that one failure in 1702 demands is not an unexpected result for failure rate of 1.4E-04/demand. One failure in 1702 demands does not discredit the failure rate.

A detailed uncertainty analysis has not been performed as part of this study. Instead the failure rates used were demonstrated to be applicable for the situation and the generic failure rate was updated with plant specific test experience. In addition, a conservative approach was taken in the analysis with the results overstating the impact on CDF and LERF. Therefore, an uncertainty analysis was not considered necessary. Finally, the results of several sensitivity cases are presented in responses to RAI 13 and RAI 16.

The sensitivity case provided in response to RAI 13 includes the monthly surveillance demand and failure data from BVPS-1. This impacts the relay failure rate used in the analysis. With the increased relay failure rate, the CDF and LERF risk measures still meet RG 1.174 acceptance criteria. The response to RAI 16 includes the results of additional sensitivity cases. One of these again examined the impact of increased relay failure rates on the results and conclusions of this study.

16. Uncertainty is discussed in RG 1.174 and NUREG/CR-6141, "Handbook of Methods for Risk-Based Analyses of Technical Specifications," and indicates the licensees can perform sensitivity studies to demonstrate compliance with the guidelines by evaluating uncertainties related to modeling and Page 23 of 31

Attachment A (continued)

L-03-160 completeness issues. RG 1.174 states that, in general, the results of the sensitivity studies should confirm that the guidelines are met even under alternative assumptions. Provide the results of this analysis.

Response to Question 16 The following provides the basis for the approach used in the WCAP-1 5887 to justify a STI extension for slave and interposing relays.

  • Previous studies on AR relays (WCAP-14129, Reference 4 in WCAP-15887) and MRD relays (WCAP-14117, Reference 5 in WCAP-15887) demonstrated that the probability of the relay failing to actuate on demand is not strongly dependent of the STI.
  • In addition to the quarterly test interval data, BVPS-1 tests a large number of slave/interposing relays on a refueling interval and BVPS-2 tests several slave/interposing relays on a refueling interval, and data collection and analysis (relay actuations and failures) has not indicated a performance difference between relays tested quarterly and relays tested at a refueling interval.

Based on this, there is a strong argument to extend the test interval for quarterly tested relays. But a risk analysis was completed and provided in WCAP-15887 to further support this STI extension. This risk analysis conservatively assumed that the relay failure probability will increase linearly with the test interval. As noted in the response to RAI 6 and the second part of RAI 8, Section 2.3.3.1 of RG 1.175 states that this is a conservative approach in the sense that it scales the test-interval-independent contribution along with the test-interval-dependent contribution to component failure probability, and in that respect tends to overstate the effect of test interval extension, and therefore, overstates the impact on CDF. This risk analysis essentially was a sensitivity study that assumed the failure probability increases with test interval, even though previous studies and BVPS experience indicates this is not necessarily the case, or at least does not support increasing the failure probability at the extreme rate assumed in this analysis.

To further support the justification for an STI increase, the sensitivity case in response to RAI 13 included the monthly surveillance demand and failure data from BVPS-1. This impacts the failure rate used in the analysis. With the increased component failure rate (1.99E-04/demand), the CDF and LERF risk measures still meet RG 1.174 acceptance criteria.

Page 24 of 31

Attachment A (continued) ,

  • L-03-160 Several additional sensitivity case have been completed. These are related to:
  • Slave relay common cause failures (see the response to RAI 14)
  • Alternate generic failure rates for relays (see Sensitivity Case 1)
  • Alternate generic failure rates for relays with monthly STI data (see Sensitivity Case 2)
  • Relay failure rate increased by a factor of 2 (see Sensitivity Case 3)

Sensitivity Case 1: Alternate generic failure rates for relays Relays used as slave and interposing relays can be divided or grouped in different ways.

One grouping, by relay type, is provided in Table 7-6 of WCAP-15887. The problem with using this grouping in the risk analysis is 1) a number of the relay types have only a small number of actuations, and 2) failure rates for each relay type are not available. In addition, there is no current information that indicates this detailed division is necessary or will provide any meaningful information since none of these relay types have a unique operating history at BVPS.

Another grouping can be based on the type of relay at a higher level. This grouping would separate the relays into the following groups:

  • Electro-mechanical
  • Solid state
  • Electro-mechanical with timer
  • Solid state with timer Since none of the relays are solid state relays, all relays listed in Table 7-6 can be sorted into three groups. Generic failure rates for the three groups are based on failure rates in the PRA Key Assumptions and Groundrules Chapter of the Advanced Light Water Reactor Utility Requirements Document (Reference 6 of WCAP-15887). The plant specific data was used to perform a Bayesian update of these generic (prior) failure rates.

Table 5 provides the generic prior values and the Bayesian updated values for each relay group.

Table 5 - Summary of Relay Failure Rates for Alternate Grouping Relay Group Failure Rate (per demand) Failure Rate (per demand)

Generic Prior Value Updated Value Electro-mechanical 1.4E-04 1.13E-04 Electro-mechanical with timer 1.4E-03 1.60E-03 Solid state with timer 2.8E-04 2.75E-04 The BVPS-2 PRA model (Revision 3) was requantified with the above failure rates.

The results, in terms of CDF and LERF, are provided in Table 6.

Page 25 of 31

Attachment A (continued)

L-03-160 Table 6 - Risk Results for the Relay STI Increase Alternate Generic Failure Rates for the Relays Case Core Damage Frequency Large Early Release Frequency 3 Month Test Interval 3.50E-05/year 1.14E-06/year 12 Month Test Interval 3.56E-05/year 1.28E-06/year Increase 5.8E-07/year 1.4E-07/year The impact on CDF is less than 1.OE-06 per year, which is defined as a very small impact in RG 1.174. The impact on LERF is slightly greater than L.OE-07 per year which is defined as a very small impact in RG 1.174. Therefore, both values meet the acceptance guidelines. The LERF value meets the guideline that states when the calculated increase in LERF is in the range of E-07 per reactor year to E-06 per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than E-05 per reactor year. As shown in Table 6, the LERF is well below E-05 per reactor year. As previously noted, the BVPS-2 model includes both internal and external events.

Sensitivity Case 2: Alternate generic failure rates for relays with monthly STI data Another sensitivity case was run similar to Sensitivity Case 1 above, but included the monthly test data discussed in the response to RAI 13.

For this sensitivity case, Table 7 provides the generic prior values and the Bayesian updated values for each relay group.

Table 7 - Summary of Relay Failure Rates for Alternate Grouping (includes monthly test data from BVPS-1)

Relay Group Failure Rate (per demand) Failure Rate (per demand)

Generic Prior Value Updated Value Electro-mechanical 1.4E-04 1.51 E-04 Electro-mechanical with timer 1.4E-03 1.60E-03 Solid state with timer 2.8E-03 2.75E-04 The BVPS-2 PRA model (Revision 3B) was requantified with the above failure rates.

The results, in terms of CDF and LERF, are provided in Table 8.

Table 8 - Risk Results for the Relay STI Increase Alternate Generic Failure Rates for the Relays (includes monthly test data from BVPS-1)

Case Core Damage Frequency Large Early Release Frequency 3 Month Test Interval l3.5 1E-05/year 1.I5E-06/year 12 Month Test Interval 3.57E-05/year 1.32E-06/year Increase l 6.9E-07/year j 1.7E-07/year Page 26 of 31

  • ri" -Attachment A (continued)

L-03-160 The impact on CDF is less than 1.OE-06 per year, which is defined as a very small impact in RG 1.174. The impact on LERF is slightly greater than L.OE-07 per year which is defined as a very small impact in RG 1.174. Therefore, both values meet the acceptance guidelines. The LERF value meets the guideline that states when the calculated increase in LERF is in the range of E-07 per reactor year to E-06 per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than E-05 per reactor year. As shown in Table 8, the LERF is well below E-05 per reactor year. As previously noted, the BVPS-2 model includes both internal and external events.

Sensitivity Case 3: Relay failure rate increased by a factor of 2 A third sensitivity case was run based on the run that used the same failure rate for all the slave and interposing relays. This case increased the failure rate by a factor of 2. The new 3 month and 12 month failure probabilities used in this case are:

  • 3 month relay failure probability = 3.12E-04/demand
  • 12 month relay failure probability = 1.25E-03/demand The BVPS-2 PRA model (Revision 3) was requantified with the above failure rates.

The results, in terms of CDF and LERF, are provided in Table 9.

[ Table 9 - Risk Results for the Relay STI Increase Doubling of the Relay Failure Rate Case Core Damage Frequency Large Early Release Frequency 3 Month Test Interval 3.5 E-05/year 1.17E-06/year 12 Month Test Interval 3.60E-05/year 1.40E-06/year Increase 9.3E-07/year 2.3E-07/year The impact on CDF is less than L.OE-06 per year, which is defined as a very small impact in RG 1.174. The impact on LERF is slightly greater than L.OE-07 per year which is defined as a very small impact in RG 1.174. Therefore, both values meet the acceptance guidelines. The LERE value meets the guideline that states when the calculated increase in LERF is in the range of E-07 per reactor year to E-06 per reactor year, applications will be considered only if it can be reasonably shown that the total LERF is less than E-05 per reactor year. As shown in Table 9, the LERF is well below E-05 per reactor year. As previously noted, the BVPS-2 model includes both internal and external events.

Page 27 of 31

Attachment A (continued)

L-03-160

17. As this amendment request is a surveillance interval extension, shouldn't the demand failure rate that is used be the standby stress failure rate (time related failures). Were all failures noted for the slave relays test related, or does the data include non-test related demands as well? If all failures are used, is this conservative?

Response to Question 17 As discussed in the response to RAI 5a, WCAP-14129 (Reference 4 in WCAP-15887) and also WCAP-14117 (Reference 5 in WCAP-15887), provides relay failure rates in terms of demands and hours based on nuclear industry experience. One of the conclusions from these WCAPs is that the probability of failure of these relays to actuate when demanded is not strongly dependent on test interval. All components, including relays, can fail due to either the stress from the demand or due to failures between demands while the component is in standby. If the predominant failure mode is due to failures between demands, then the failure probability of the relays would be expected to increase proportionally to the interval between demands. This was not supported by the results in WCAP-14129 or WCAP-14117. Therefore, the predominant failure mode is due to the stress of the demand. Given this, the demand failure rate is the correct one to use.

Also as discussed in the response to RAI 5a, if the hourly failure rate reported in WCAP-14129 was used, then the probability of failure, for quarterly testing, used in the analysis would have been:

FP = XT/2 = 4.40E-08/hr x 730 hr/month x 3 months/2 = 4.8E-05 Therefore, using the hourly failure rate would provide a failure probability lower than the failure probability used in the analysis (1.4E-04/demand) and would result in a smaller impact on CDF and LERF related to the STI increase. So it is concluded that using the demand failure rate is conservative.

The data used in the failure analysis (relay demands and failures) are based on test related actuations only. Only test actuations were used to preserve the relationship with test interval. Non-test demands can occur any time between tests, and if included, the data would not accurately correspond to any particular test interval. The Transient Event Logs and Licensee Event Reports for each unit for the period from 1996 to 2001 were reviewed to ensure there were no failures for the slave or interposing relays for non-test related demands as well.

Page 28 of 31

b Attachment A (continued)

L-03-1 60

18. Include a discussion on the effects of the proposed change on dominant sequences (sequences that contribute more than 5% to risk, for example) to show that the proposed change to slave relay surveillance intervals does not create risk outliers or exacerbate existing risk outliers.

Response to Question 18 Tables 10 and 11 provide the top five sequences contributing to CDF for both the Revision 3B base case and the 12-month extension case, respectively. As can be seen in the tables, only the first sequence in both cases would be considered dominant, according to the RG 1.174 definition (i.e., sequences that contribute more than 5% to the risk).

Based on the comparison of these sequences, it can be seen that there are no differences in the top five sequences, other than the frequency at which they occur. This difference in frequency can be attributed to the success terms of the SSPS split fractions. Since there were no failures of the SSPS observed in these sequences, the 12-month case sequence frequency would be lower since the success term (one minus the failure term) would have a smaller value than for the base case, due to the higher failure term for the 12-month case.

Sequences 1 and 2 are initiated by either a loss of Train A (AOX) or Train B (BPX) emergency AC power, with probabilistic failures of the opposite Train of AC power and the AC power cross-tie to the BVPS-1 emergency diesel generators. Sequences 3 and 4 are also initiated by either a loss of Train A or Train B emergency AC power, but this time with probabilistic failures of the opposite Train Normal AC Bus and associated emergency diesel generator. The AC power cross-tie to the BVPS-1 emergency diesel generators is not credited due to the bus failures. Operators also fail to recover the power to the normal AC Bus from an offsite power source. Sequence 5 is an excessive feedwater event with the probabilistic failure of auxiliary feedwater and bleed and feed cooling.

[ Table 10 - BV2REV3B Base Case CDF Seauences Rank Initiator Frequency Failed and Multi-State Split Fractions 0/ of CDF 1 AOX 1.9383E-06 ZXF*AOF*BP1*XTD*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF*TBF* 5.5%

PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRF*NRF*NMF*QSF*SMF*REF*S SF*CG1 2 BPX 9.4935E-07 ZXF*AO1*BPF*XTG*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF*TBF* 2.7%

PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRF*NRF*NMF*PQSF*SMFPREF*S SF*CG1 3 BPX 8.4668E-07 ZXF*NA1*AO2*BPF*XTF*MlF*M2F*M3F*M4F*WAFWBF*CSF*CCF* 2.4%

TBF*PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRF*NRF*NMF*QSF*SMF*RE 5A*SSF*CG1 4 AOX 7.2696E-07 ZXF*ND2*AOF*BPS*XTF*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF* 2.1%

TBF*PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRFPNRF*NMF*QSF*SMF*RE 5A*SSF*CG1 5 EXFW 6.2562E-07 ZXF*PL1*AF1*MFPOB1*CDF*ODPRRF*NRF*NMF*REPSSF*CG1 1.8%

Page 29 of 31

Attachment A (continued)

Attachment A (continued) *". %!,* **

L-03-160 I Table 11 Month STI Extension Case CDF Seauences Rank Initiator Frequency Failed and Multi-State Split Fractions 0/0 of CDF 1 AOX 1.9281E-06 ZXF*AOF*BP1*XTD*M1F*M2F*M3F*M4F*WAF*WBFCSF*CCF*TBF* 5.4%

PL1* HHF*HCF*SEF*RL1*LHF*LCF* RRF*NRF*NMF*QSF*SMF* REF*S SF*CG1 2 BPX 9.4433E-07 ZXF*AO1*BPF*XTG*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF*TBF* 2.7%

PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRF*NRF*NMF*QSF*SMF*REF*S SF*CG1 3 BPX 8.4220E-07 ZXF*NA1*AO2*BPF*XTF*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF* 2.4%

TBF*PL1*HHF*HCF*SEF*RL1*LHF*LCF*RRF*NRF*NMF*QSF*SMF*RE 5A*SSF*CG1 4 AOX 7.2311E-07 ZXF*ND2*AOF*BP8*XTF*MlF*M2F*M3F*M4F*WAF*WBF*CSF*CCF* 2.0%

TBF*PL1*HHF*HCF*SEF*RL1 *LHF*LCF*RRF*NRF*NMF*QSF*SMF*RE 5A*SSF*CG1 S EXFW 6.2231E-07 ZXF*PL1*AF1*MFF*OB1*CDF*ODF*RRF*NRF*NMF*REF*SSF*CG1 1.7/

Tables 12 and 13 provide the top five sequences contributing to LERF for both the Revision 3B base case and the 12-month extension case, respectively. As can be seen in the tables, only the first two sequences in the base case and the top three sequences in the 12-month case would be considered dominant, according to the RG 1.174 definition.

Based on the comparison of these top five sequences, it can be seen that the only difference, other than the frequency at which they occur due to the success term, was in the fourth ranked base case sequence. This particular sequence is the third ranked sequence in the 12-month case, which increased by a factor of approximately 2.4 over the base case sequence frequency. This sequence is initiated by a steam generator tube rupture (SGTR) and has probabilistic failures of both trains of SSPS (SA4

  • SB4F; SGTR with all support system available) and failure of the operator to manually actuate safety injection (OS1). Although, this sequence more than doubled in frequency, it does not create a risk outlier since its increase in LERF is less than 6.1E-08 per year.

Since there were no failures of the SSPS observed in the remaining sequences the difference in frequency can be attributed to the success terms of the SSPS split fractions.

Sequences 1 and 3 (4 in the 12-month case) are all initiated by a SGTR with probabilistic failures to isolate the secondary leakage to atmosphere (SL1) and failure to makeup to the RWST, either probabilistically (WMl) or consequentially (WMF). Sequence 2 is an interfacing systems LOCA, which bypasses containment. Sequence 5 is also a SGTR, but with probabilistic failures of high head safety injection (H1) and isolation of the secondary leakage.

Page 30 of 31

Attachment A (continued)

L-03-160 Table 12 - BV2REV3B Base Case LERF Sequences Rank Initiator Frequency Failed and Multi-State Split Fractions l/ of LERF 1 SGTR 5.3013E-07 ZXF*SL1*WM1*NRF*NMF*REF*SSF*CP1*BY2*LB2 46.9%

2 VSX 2.5128E-07 ZXF*REF*SSF*CP1*BY2*LB2 22.2%

3 SGTR 4.5696E-08 ZXF*NA1*ND3*SLl*WMFNRF*NMF*REF*SSF*CP1*BY2*LB2 4.0%

4 SGTR 4.2135E-08 ZXFSA4*SB4F*OS1*ATPOFF*OBF*HHF*NRF*NMF*QSF*LHPFSMF* 3.7%

REF*SSF*CP1*BY2*LB2 5 jSGTR 2.2265E-08 ZXF*HH1*SL1*NRF*NMF*REF*SSF*CP1*BY2*LB2 2.0%

Table 13 Month STI Extension Case LERF Sequences Rank Initiator Frequency Failed and Multi-State Split Fractions  % of LERF 1 SGTR 5.1249E-07 ZXF*SL1*WM1*NRF*NMFPREF*SSF*CP1*BY2*LB2 42.1%

2 VSX 2.4292E-07 ZXF*REF*SSF*CP1*BY2*LB2 20.0%

3 SGTR 1.0278E-07 ZXF*SA4*SB4F*OS1*ATF*OFF*OBF*HHF*NRF*NMF*QSF*LHF*SMF* 8.4%

REF*SSFCP1*BY2*LB2 4 SGTR 4.4178E-08 ZXFNA1*ND3*SL1*WMF*NRF*NMF*REFSSF*CP1*BY2*LB2 3.60 5 SGTR 2.1524E-08 ZX*HH1*SL1*NRF*NMF*REF*SSF*CP1*BY2*LB2 1.8%

Based on this comparison of the dominant sequences for both CDF and LERF, no risk outliers were created.

Page3l of 31

Attachment B to L-03-160 Peer Review Category A and B Observations The following provides details of the Category A and B Observations from the peer review of the Beaver Valley Power Station Probabilistic Risk Analysis Model. Included is a summary of the observation, the observation's resolution and its impact on the proposed slave relay surveillance test interval (STI) extension. This information is provided in support of the response to Request for Additional Information (RAI) question 2.

Categorv A Observations (CR 02-09037)

Corrective Action 02-09037-01 Summary: This observation was identified in the Accident Sequence Analysis Sub-element regarding the reactor coolant pump (RCP) seal loss-of-coolant-accident (LOCA) model. It was recognized that the Beaver Valley Power Station RCP seal LOCA model used the Westinghouse Owners Group (WOG) 2000 as a basis, but in a way that is more optimistic than most other Westinghouse plants. The BV2REV3A Probabilistic Risk Analysis (PRA) model, RCP seal LOCA success criteria was developed from best estimate Modular Accident Analysis Program (MAAP),Version 4.0.4, runs performed specifically for Beaver Valley Power Station Unit No. 2 (BVPS-2). Since certain MAAP results did not go to core uncovery in the assumed 24-hour mission time for the smaller break seal LOCA sizes, they were binned into the success (non CDF) end state, even though electric power or service water was not restored. The peer review team felt that additional MAAP analyses should be performed to investigate the impact of varying MAAP input parameters on the resultant time to core uncovery, and extend the run time to show stable plant conditions.

Resolution: Additional MAAP uncertainty cases for BVPS-2 were performed using pessimistically biased values along with setting input parameters to their high or low limits. These cases were run out to 48-hours or until core damage occurred. The success state for the BV2REV3B PRA model was redefined as any case (including uncertainties) that did not go to core damage before 48-hours. For cases that went to core damage before 48-hours but after 20-hours, additional electric power recovery values were used, based on NUREG/CR-5496. For cases that lead to core uncovery before 20-hours, a plant specific electric power recovery model was used. If electric power recovery was successful for these cases, the sequence was also binned to the success end state.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment In Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis", limits.

Page 1 of 16

Attachment B (continued)

L-03-160 Corrective Action 02-09037-02 Summary: This observation was identified in the Thermal Hydraulic Analysis Sub-element regarding room heatup calculations. This observation found that the loss of ventilation room heatup analysis for the safeguards building, which houses auxiliary feedwater (AFW), low head safety injection, and quench spray pumps, used heat loads based on non-design basis accident conditions with only the AFW pump operating. This resulted in a room heatup that was well below the equipment qualification (EQ) temperature limits, and therefore, the ventilation dependency for these pumps was not modeled in the BV2REV3A PRA model. The peer review team recommended that the room heatup calculation be re-evaluated using the appropriate design basis accident (DBA) heat loads, and determine the impact on the effected components.

Resolution: A new room heatup analysis was performed for the safeguards building using realistic time-dependent DBA heat loads, based on MAAP generated success criteria. The results of this analysis were reviewed and compared to the EQ temperature limits to see if the necessary components to mitigate core damage or containment failures would be functional at the time that they were required to function (up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). It was concluded that all PRA modeled equipment located within the Safeguards Building would be available to perform its PRA function during a loss of all ventilation for up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Therefore, it was determined that the safeguards building ventilation system is not required for support of the PRA modeled equipment located within the area, and the BV2REV3A PRA modeling assumptions regarding this remain valid. The BV2REV3B PRA model was not changed as a result of this observation.

Impact: This observation did not impact the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09037-03 Summary: This observation was identified in the Data Analysis, Failure Probability Sub-element. It was observed that the number of demands for several components seemed very high, and that the BVPS-2 plant specific Bayesian updating of independent failure data for these components resulted in more optimistic failure rates than most other Westinghouse plants. The peer review team recommended that the component demands be verified.

Resolution: As a resolution to this PRA peer review observation, the success data (demands and hours of operation) for all BVPS-2 components that used Bayesian updating of their failure rates were checked against the Maintenance Rule estimated success data and were revised as needed if discrepancies were found. Additionally, all RISKMAN failure data distributions that were Bayesian updated in the BV2REV3A PRA model were revised in the BV2REV3B PRA model using the results of review for estimated demands and hours of operation. All top events were requantified in the Page 2 of 16

Attachment B (continued)

L-03-160 BV2REV3B PRA model using these revised component failure rates, which were then used to requantify the CDF and LERF.

Impact: The slave relay failure rates were not impacted by this observation since they were not developed using RISKMAN. As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09037-04 Summary: This observation was identified in the human reliability analysis (HRA),

Post-Initiator Human Actions Sub-element. It was observed that the BVPS human error rates were developed using the Success Likelihood Index Methodology (SLIM) based on calibration curves from other plant HRAs from the mid-1980's. The peer review team recommended that these calibration curves be updated with current operator performance in the nuclear power industry.

Resolution: As a resolution to this PRA peer review observation all operator actions having a Risk Achievement Worth (RAW) greater than 2 (generally accepted as the risk significant threshold) were compared to similar actions for all Westinghouse plants by using the WOG/B&WOG PSA comparison database (Revisions 2 and 3). Additionally, a smaller subset of these plants were examined. These consisted of; Westinghouse 3-loop plants (since these were assumed to have similar operation action completion times based on plant power to heatup volume ratios), plants that also used the SLIM process, and Indian Point 2, which received a superior finding in their human reliability analysis peer review. The results of this comparison show that the human error rates used in the BV2REV3A PRA model are all within the range of both comparison groups defined above, except for human action OPRCD3, i.e., operator fails to cooldown and depressurize during a steam generator tube rupture (SGTR). However, the BV2REV3A value is of the same order of magnitude as most of the other plants reviewed and is not considered to be an outliner. It is therefore believed that the basic error curves used in the calibration of the BV2REV3A HRA are not out of date, and that the current human error rates used in the PRA model are acceptable as is. Moreover, as a final resolution to this observation, future updates of the BVPS PRA models will use the EPRI HRA Calculator, which uses a more current and robust methodology. The BV2REV3B PRA model was not changed as a result of this observation.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Page 3 of 16

Attachment B (continued)

L-03-160 Corrective Action 02-09037-05 Summary: This observation was identified in the Data Analysis, Dependence Among Actions Sub-element. It was observed that the BVPS HRA did not have a documented process to perform a systematic search for dependent human actions credited on individual sequences and a method to adjust dependencies between multiple human error rates in the same sequence. The peer review team recommended that a robust technique be developed, documented, and used for the identification and quantification of dependent HERs.

Resolution: In the initial development of the Individual Plant Examination (IPE) HRA, an effort was made to eliminate the dependency between human actions by adjusting the split fraction value of the second dependent action, given that the first action failed. For example, if the operators failed to manually reestablish main feedwater following the failure of auxiliary feedwater, the human error rate for implementing bleed and feed cooling later in the accident progression was adjusted upwards. If the dependent actions were required to take place in the same period of time during the accident progression, the second dependent action was assigned to be a guaranteed failure. For example, if the operators failed to cooldown and depressurize the reactor coolant system (RCS) by using the secondary coolant system, no credit was given to the operators to depressurize the RCS using the pressurizer power operated relief valves (PORVs). However, as a resolution to this PRA peer review observation a method was established to verify that all dependent operator actions were captured by reviewing sequences with two or more failed split fractions that have a contribution from human actions. Of the sequences reviewed, the human actions were either previously adjusted during the IPE HRA, or were determined to be independent between split fractions. This independence was based on the actions not being conducted by the same set of operators (e.g., control room reactor operator action vs. local auxiliary plant operator action), or different procedures being used separated by sufficient time in the accident progression (e.g., actions to makeup to the refueling water storage tank (RWST) given safety injection (SI) recirculation failures, following operator actions to align a spare service water pump earlier in the accident sequence progression). Human actions that are modeled in a single top event have appropriate dependencies modeled in the fault trees. Moreover, as a final resolution to this observation, future updates of the BVPS PRA models will use the EPRI HRA calculator, which uses a more current and robust methodology. The BV2REV3B PRA model was not changed as a result of this observation.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Page 4 of 16

Attachment B (continued)

L-03-160 Category B Observations That May Impact the PRA Model (CR 02-09042)

Corrective Action 02-09042-01 Summary: This observation was identified in the Initiating Event Sub-element regarding the plant-specific experience data. The subtier criteria required that initiating event data from the initial year of commercial operation be excluded from the initiating event frequency determination, which was contrary to the BV2REV3A PRA model since data from 1987 was used.

Resolution: The initiating event frequencies were reanalyzed using data from January 1, 1989 through May 31, 2001. In addition, LOCA initiating event frequencies were reanalyzed to address aging-related failure mechanisms based on the interim LOCA frequencies from Table 4.1 of the "Technical Work to Support Possible Rulemaking for a Risk-Informed Alternative to 10CFR 50.46 / GDC 35, Revision I", dated July 2002. The results of this reanalysis were incorporated into the BV2REV3B by updating the initiating event frequencies.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-02 Summary: This observation was identified in the Initiating Event Sub-element regarding the data and consistency with industry experience. The peer review team identified that although the interfacing systems LOCA initiating event frequency was consistent with current industry values, it was derived from references developed in 1985.

The peer review team recommended that the interfacing systems LOCA model be checked against more recent references.

Resolution: The interfacing systems LOCA initiating event frequency was reanalyzed using the following documents:

1. G. Bozoki, P. Kohut, and R. Fitzpatrick, "Interfacing Systems LOCA Pressurized Water Reactors," prepared for U.S. NRC, NUREG/CR-5102, BNL-NUREG-52135, February 1989.
2. E. T. Burns, K. Mohammadi, T.P., Mairs, V. M. Anderson, and B. Hannaman, "ISLOCA Evaluation Guidelines," prepared for Electric Power Research Institute, NSAC-154, September 1991.
3. D. A. Wesley, T. R. Kipp, D. K. Nakaki, H. Hadid-Tamjed, "Pressure-Dependent Fragilities for Piping Components - Pilot Study on Davis-Besse Nuclear Power Station," prepared for U.S. NRC, NUREG/CR-5603, T191 002465, October 1990.

Page 5 of 16

Attachment B (continued)

L-03-160 The results of this revised analysis were incorporated into the BV2REV3B by updating the interfacing systems LOCA initiating event frequency.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-03 Summary: This observation was also identified in the Initiating Event Sub-element regarding the data and consistency with industry experience. The peer review team identified concerns that the use of Bayesian updating data with zero failures would result in posterior values much lower than the prior or what plant specific data could justify.

The peer review team recommended developing rules that limit Bayesian updating of data whenever there are zero failures, or when one failure occurs with the number of demands/hours much lower than the implied prior.

Resolution: While there are indeed situations that Bayesian updating with zero failures could cause the posterior mean to be significantly lower than the prior mean, these are due to the use of using moment matching. This refers to the practice of changing a prior that is presumably a lognormal distribution, to a gamma distribution by matching the mean and the standard deviation. After the gamma distribution is updated with plant data analytically, the resulting gamma distribution is converted back to the lognormal distribution again using the moment matching method. It is known that in this practice, if there should be zero failures, the resulting posterior gamma distribution has a mean value significantly lower than the prior mean.

The BVPS analysis did not use the moment matching methodology. Instead, the Bayesian update functionality provided by RISKMAN was used. There are two classes of priors used in the BVPS analysis. The first class are the lognormal distributions based on parameters from industry studies (e.g., LOCA initiators). Updating a lognormal distribution with zero events in about 10 years does not change the mean in most cases (or there is a slight change in the third significant number).

The second class, which is a more general type of priors, is the industry data. These priors consists of three parts. The first and most important part is the failure and success data for a set of pressurized water reactor power plants. The second part is the so-called grid, which consists of a set of values for the median (of the assumed prior curve), and a set of values for the range factor (of the assumed prior curve). The selection of median and range factor should be such that the resulting distribution should not be skewed toward either end of the median or range factor in the grid (grid is the matrix of median and range factor values). The third part of a prior is the so-called lambdas, which is a set of values for the possible bin values that the distribution can locate. The lambdas do not affect the posterior mean distribution as long as it has sufficient range and sufficient Page 6 of 16

Attachment B (continued)

L-03-160 number of values (typically 20 bins are sufficient for a distribution). It should be pointed out that for the industrial data type of prior, updating it with zero failures typically results in a smaller mean value for the posterior then the prior. However, the decrease is much smaller in magnitude than the moment matching approach, and it should be treated as a normal behavior of the Bayesian analysis (i.e., zero failures always provide information leading to a lower estimate).

In response to this observation, each posterior distribution that was Bayesian updated with zero failures was reexamined to assure that there was no skewing of results on the grid, and that there were no abnormally large values (excessive probabilities) in a single lambda bin. In some cases a few more lambdas were added to actually bring the probability per each lambda lower than 0.1. However, in these cases the posterior distribution changed little compared to the BV2REV3A original set of lambdas (note, the grid was not changed in this response because these were checked in the original analysis and quality was assured). The results of the review did not identify any concerns, so confidence in the Bayesian update results using zero failures based on the discrete probabilistic distribution approach, which is a robust process, was maintained.

For the BV2REV3B PRA model, since the success time changed from 11 critical years to 9.93 critical years in response to Corrective Action 02-09042-01 (to remove the first year of commercial operation), the posterior mean shifted slightly higher than the original BV2REV3A PRA model analysis.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-04 Summary: This observation was identified in the System Analysis (Fault Trees) Sub-element regarding the support system requirements. The peer review team identified that although the components required to swap the charging/high head safety injection (HHSI) pump suction source over to the RWST for the loss of component cooling water due to the increased volume control tank (VCT) suction temperatures were modeled, the operator action to do so was not. The peer review team recommended that an analysis be performed to determine the increase in charging pump suction temperature and determine if/when this would result in the potential for common cause failure of all charging pumps.

Resolution: An evaluation was performed to see at what temperature the available net positive suction head (NPSH) would be lower than the required NPSH at the charging/HHSI pump design flowrate. The results of this evaluation revealed that the VCT temperature would have to increase by more than 123 0 F for this condition to be true and result in a loss of NPSH. With multiple high temperature alarms coming in at more than 1000 F prior to reaching this temperature, there would be plenty of time available to Page 7 of 16

Attachment B (continued)

L-03-160 operators to perform mitigating actions. Moreover, a loss of NPSH would only impact the running charging pump, since the standby pump does not automatically start, unless a Safety Injection Signal is present, in which case the suction would automatically swap over to the RWST. The third pump would only be manually aligned and started following the failure of the first of two normally aligned pumps. Therefore, this observation was not considered to be a valid common cause failure mechanism of the charging/HHSI pumps, so the operator action was not included in the BV2REV3B PRA model.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-06 Summary: This observation was identified in the System Analysis (Fault Trees) Sub-element regarding the modeling of generic system failure modes observed in the industry.

The peer review team identified that some initiator dependent component failure modes associated with the low head safety injection (LHSI) pump mini-flow did not appear to be modeled. The peer review team recommended that the LHSI system fault tree be revised to include initiator dependent failure modes for the pump mini-flow components. They also recommend that other systems be reviewed to determine the potential for initiator specific success criteria.

Resolution: The LHSI initiator success criteria was reviewed to address the specific PRA peer review concerns. Once such concern was that the LHSI fault tree modeled the failure to open of the mini-flow motor operated valves (MOVs) during a small break LOCA, but did not model the transfer closed failure. Typically the PRA only modeled passive failures (e.g., transfer closed) if there were no active failure modes (e.g., failure to open) modeled, since the active failures dominate the components failure probability (usually by three orders of magnitude). Therefore, this concern was not incorporated into the BV2REV3B PRA model update. Another concern was that the LHSI fault tree always queried the opening of the pump mini-flow valves even though they would not be required to open during a large break LOCA, and that doing so may provide a flow diversion. To address this concern the BVPS-2 LHSI fluid flow model was reviewed for large LOCAs with and without the mini-flow value opened. It was concluded that the difference in flow delivered to the reactor vessel was less than 75 gpm if the mini-flow valve remained open. Therefore, this was not determined to be a valid flow diversion path and was not incorporated into the BV2REV3B PRA model. Additionally, while including the mini-flow valve failure to open for large break LOCAs is not required, the large break LOCA contribution to total CDF is less that 0.1 percent, so it was not considered to be vital to remove it from the BV2REV3A PRA model. The other top event fault trees for systems with mini-flow protected pumps were reviewed to ensure that there were no obvious potential for initiator specific success criteria missing from the Page 8 of 16

Attachment B (continued)

L-03-160 model. It was found that the recirculation spray system trains C and D also have the same type of mini-flow valve failure modes modeled as the LHSI pumps, so the above justification also applies. All other systems with mini-flow valves were not considered to be dependent on the initiating event.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-08 Summary: This observation was identified in the System Analysis (Fault Trees) Sub-element regarding the availability of system inventory requirements for the entire mission time. The peer review team identified that the ultimate makeup source to the RWST credited in the PRA model was from an unborated service water supply. Since this function was shown to be important in the BV2REV3A PRA model, the peer review team suggested that a stronger technical basis be developed to ensure that recriticality does not occur during the mission time due to boron dilution of the RCS.

Resolution: An evaluation was performed using the BVPS-2 Cycle 10 core design analysis (WCAP-15779, Rev. 0) boron requirements for shutdown at beginning of life and hot zero power as the minimum required boron concentration to prevent recriticality.

The results of this evaluation determined that the boron concentration delivered to the RCS would be above the minimum required to maintain subcriticality for the entire 24-hour mission time, when using unborated water for makeup to the RWST at the flowrates determined in the MAAP LOCA success criteria analyses. Additional operator actions to add boron to the RWST via the spent fuel pool, to increase the shutdown margin, could be implemented, but were not credited in the PRA model. The BV2REV3B PRA model was not changed as a result of this observation.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-10 Summary: This observation was identified in the Data Analysis, Guidance Sub-element to ensure that sufficient detail is provided for reproducing the evaluation. It was observed that the estimated average number of demands per year computed by the peer review team did not match the demands used in the BV2REV3A PRA model. The peer review team recommended that the information used for the number of demands for BVPS-2 components be captured in the documentation.

Resolution: This is a documentation issue that does not impact the PRA model; however, the estimated number of demands were revised as part of the resolution to Corrective Action 02-09037-03, identified earlier, so it is included.

Page 9 of 16

Attachment B (continued)

L-03-160 Impact: The slave relay failure rates were not impacted by this observation since they were not developed using RISKMAN. As shown in WCAP-15887 and RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-13 Summary: This observation was identified in the Data Analysis, Failure Probability Sub-element. It was observed by comparing failure probabilities, that the diesel generators were far more reliable than their circuit breakers and 4V feeder breakers, which was though to be counter-intuitive. The peer review team recommended that the data for the diesel generator and circuit breakers be verified.

Resolution: As part of the resolution to Corrective Action 02-09037-03, identified previously, the diesel generator and circuit breaker failure probabilities were revised.

Impact: The slave relay failure rates were not impacted by this observation since they were not developed using RISKMAN. As shown in WCAP-15887 and RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-15 Summary: This observation was identified in the Data Analysis, System/Train Maintenance Unavailabilities Sub-element. The peer review team observed that the test and maintenance unavailabilities for the Beaver Valley Power Station Unit I (BVPS-1) diesel generators, used for the electric power crosstie during a station blackout, might not include periods during shutdown conditions. The peer review team recommended that the BVPS-1 diesel generator test and maintenance unavailabilities during shutdown conditions be verified to be properly accounted for in the PRA model.

Resolution: As resolution to this observation, the diesel generator system engineer was contacted to obtain the historical diesel generator unavailability during plant shutdown conditions. For the BVPS-1 emergency diesel generators, the shutdown unavailability was based on data obtained from October 1997 through September 2001. These values were then combined with the assumed on-line maintenance unavailability values to determine the total BVPS-1 emergency diesel generator unavailability, which was used in the BV2REV3B electric power cross-tie model.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Page 10 of 16

Attachment B (continued)

L-03-160 Corrective Action 02-09042-16 Summary: This observation was identified in the Thermal Hydraulic Analysis Sub-element regarding room heatup calculations. It was observed by the peer review team that the BVPS-2 Ventilation and Room Cooling Analysis Notebook lists an operator action to setup portable fans in the control room following the loss of all ventilation; however, this action was not included in the PRA model. The peer review team recommended that an operator action to add portable fans be incorporated into the PRA model or that the control room HVAC be included in the PRA model.

Resolution: The BVPS-2 Ventilation and Room Cooling Analysis Notebook only looked at a loss of ventilation in the BVPS-2 side of the control building. In reality, the BVPS control rooms are located within the same building separated by a partial wall (there is no wall above the "egg crate" ceiling), so a loss of ventilation at one unit will not result in the total loss of ventilation to the common control building. As resolution to this observation, a separate calculation (8700-DMC-3467, Rev. 1) was reviewed, which was previously performed in response to an Appendix R BVPS-l control room ventilation fire. This calculation combined the control room volumes and heat loads, and took credit for the BVPS-2 HVAC to cool both control room areas. While it was noted that this calculation was performed assuming a loss of BVPS-I HVAC it was determined to be applicable to a loss of BVPS-2 HVAC as well, since the HVAC flow rate were similar at each unit. The results of this analysis concluded that during a loss of ventilation at one unit, the control building temperature would remain below the equipment qualification limits during a 24-hour mission time, even without setting up portable ventilation fans.

This analysis assumed a homogenous mixture of air existed between the control rooms, so it was assumed that the operators would open the common doors between the control rooms to aid in cooling. This action was assumed to be a guaranteed success in the PRA model, since both control rooms are continuously manned and human nature would drive the operators to do so after they begin to feel uncomfortable. It was determined that this observation did not impact the PRA model, so the recommend changes were not incorporated into the BV2REV3B PRA model.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-17 Summary: This observation was identified in the Accident Sequence Sub-element regarding the interface with emergency procedures. The peer review team observed that the operator action to trip the RCPs prior to implementing bleed and feed, as stated in the success criteria notebook, was not accounted for in either the human error rate (HER) or elsewhere in the model. The peer review team recommended the inclusion of this operator action for tripping the RCPs and that the impact on the timing for this action from the MAAP runs be documented.

Page 11 of 16

Attachment B (continued)

L-03-160 Resolution: As resolution to this observation, existing documents were reviewed.

Based on the emergency operating procedure (EOP) background document for FR-H.1, steam generator dryout is expected to occur at 33.1 minutes if all RCPs remain running during a loss of all secondary cooling. If the RCPs are tripped 5 minutes after the reactor trip, steam generator dryout is expected to occur at 40.9 minutes. This difference of less than 8 minutes is not expected to significantly impact the human error rates calculated for top event (bleed and feed), since the actions to trip the RCPs, initiate SI and open a PORV are fairly simple actions that can be accomplished within minutes. Therefore, these actions are all assumed to be accounted for in the current human action failure rate, so the HER was not revised in the BV2REV3B PRA model.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-18 Summary: This observation was identified in the Human Reliability Analysis Modeling Sub-element regarding the consideration of pre-initiator human interactions in the model. The peer review team observed that miscalibration errors were not considered in the model. The peer review team recommended verification that the generic common cause database includes miscalibration errors within the equipment failures, or that miscalibration errors that fail redundant trains be included in the model.

Resolution: This observation is not totally correct, since the SSPS model did include instrument string miscalibration errors in the fault tree model. Additionally, common cause miscalibration errors between trains are considered to be rare events since the On-line Maintenance Program is developed to alternate work between trains on different weeks. Furthermore, a search in the Corrective Action database and EPIX did not reveal any such miscalibration errors between trains at BVPS. Therefore, this observation was considered resolved by the instrument string miscalibration errors already accounted for in the SSPS model. No further miscalibration errors were incorporated into the BV2REV3B PRA.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-23 Summary: This observation was identified in the Dependency Related Grades Sub-element regarding the identification of susceptible structures, systems and components (SSCs) located in the flood area to flood induced failure mechanisms. The peer review team observed that there was no discussion of the impact of failure mechanisms on SSCs from flood initiators in the flooding documentation. The peer review team recommended that the flood locations modeled in the PRA be reviewed for potential impacts.

Page 12 of 16

Attachment B (continued) ......

L-03-160 Resolution: In response to this observation, the work that was completed for the BVPS-2 Risk-Informed In-Service Inspection (RI-ISI) Indirect (Spatial) Consequence Evaluation was reviewed. As a part of this evaluation process, an assessment of the postulated indirect (spatial) consequences associated with piping failures was made in order to further distinguish the piping segments. The indirect effects assessment was accomplished through an investigation of existing plant documentation on pipe breaks, flooding, and plant layout along with a focussed plant walkthrough. The indirect effects that were specifically looked at included; pipe whip, jet impingement, sprays, and flooding resulting from pipe breaks or leaks. The results of this indirect effects evaluation did not identify any viable SSC impacts due to flood induced failure mechanisms that were not already addressed in the PRA flooding analysis documentation. No further flooding impacts were incorporated into the BV2REV3B PRA.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-27 Summary: This observation was identified in the Dependency Related Grades Sub-element regarding the consideration of flood barrier structural capacity when credited for limiting flood propagation. The peer review team observed that the flooding analysis has not been updated since the PE, which treated flood barriers deterministically and were thought to succeed. The peer review team recommended that the flooding analysis be updated to address potential failures of flood doors and other flood barriers.

Resolution: In response to this observation, the work that was completed for the BVPS-2 Risk-Informed In-Service Inspection (RI-ISI) Indirect (Spatial) Consequence Evaluation, as well as, several updated flooding analyses performed after the IPE submittal were reviewed. The results of this review determined that the flooding analyses did consider the potential of flood barrier failures due to the flood water static head on the door latching mechanisms. It was concluded that the IPE flooding analysis assumptions regarding the propagation of floodwaters did consider flood barrier failures, and remains valid. No further flooding impacts were incorporated into the BV2REV3B PRA.

Impact: This observation did not have an impact on the slave relay STI extension since it was shown not to impact the PRA model.

Corrective Action 02-09042-28 Summary: This observation was identified in the Quantification Related, Dominant Sequences/Cutsets Sub-element. The peer review team observed that the dominant sequences were based on a Level 2 quantification, so the individual sequences for core damage were getting split up (fractionalized). This fractionalizing of the sequences made Page 13 of 16

... Attachment B (continued) -.

L-03-160 them appear less dominant and difficult to compare with industry values for similar sequences. The peer review team recommended that the containment event tree be suppressed in the CDF quantification, so that the Level 1 results could be better compared to expected values and insights.

Resolution: In response to this observation, a new top event was included in the BV2REV3B PRA model, which contained a switch to bypass the containment event tree top events. This allowed for the Level 1 (CDF only) sequences to be quantified and reviewed, while also maintaining the ability to provide Level 2 sequence results, when needed.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-32 Summary: This observation was identified in the Quantification Related, Non-Dominant Sequences/Cutsets Sub-element. Several concerns were identified during the review of the non-dominant sequences regarding the split fraction logic rules used in the CDF quantification. The peer review team recommended that the split fraction logic rules be verified, and establish an explanation if they are justified, or correct them if in error.

Resolution: In response to this observation, the split fraction logic rules were re-examined and compared to the dependency matrices. The specific concerns identified by the peer review were reviewed and corrected in the BV2REV3B PRA model when in error. The BV2REV3B PRA model was then quantified using only the Level 1 top events so that a review of the CDF sequences could be performed to verify that the revised split fraction logic rules made sense. This included looking at non-dominant sequences 5 orders of magnitude lower than the total CDF value. Other concerns identified that were not in error, were determined to have sufficient justification provided in the system notebooks and dependency matrices.

Impact: As shown in WCAP-15887 and the RAI sensitivity cases, this observation had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits.

Corrective Action 02-09042-35 Summary: This observation was identified in the Quantification Related, Uncertainty Sub-element regarding the use of a point estimate value for the interfacing systems LOCA initiating event frequency. The peer review team noted that the Monte Carlo generated value was slightly higher and would only result in a minor CDF increase, but Page 14 of 16

Attachment B (continued) .

L-03-160 that the increase would impact LERF to a higher degree. It was recommended that the Monte Carlo value be used for the interfacing systems LOCA initiating event frequency.

Resolution: In response to this observation, the Monte Carlo value generated for the updated interfacing systems LOCA initiating event frequency in response to CA 02-09042-02 previously identified, was used in the quantification of the BV2REV3B PRA model.

Impact: Although the implementation of this observation resolution slightly increased LERF, it had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits, as shown in WCAP-15887 and the RAI sensitivity cases.

Corrective Action 02-09042-36 Summary: This observation was identified in the Containment Performance Analysis, Containment Capability Assessment Sub-element regarding the inclusion of both leakage and large failures in the analysis. It was observed by the peer review team that all SGTR core damage sequences with wet steam generators (i.e., successful AFW) were classified in the small early release frequency without regard to specific sequence conditions, based solely on scrubbing as the justification. The peer review team recommended that supporting sensitivity analyses be performed to further justify that scrubbed SGTRs do not result in large releases.

Resolution: In response to this observation, the BV2REV3B PRA model was revised to incorporate WCAP-15955 "Steam Generator Tube Rupture PSA Notebook" classification of SGTRs into LERF. In the BV2REV3B PRA model update, all steam generator tube ruptures that are faulted and have a depleted RWST, or have a loss of all secondary cooling and consequential challenge to the steam relief valves are considered to be LERF contributors. For these cases it is assumed that leakage from the RCS will continue indefinitely through a faulted steam generator and the core will uncover after the RWST depletes.

Impact: The implementation of this resolution increased LERF by almost a factor of three; however, it had little impact on the slave relay STI extension since the proposed 12-month extension risk metrics are still within the acceptable RG 1.174 limits, as shown in WCAP-15887 and the RAI sensitivity cases.

Page 15 of 16

Attachment B (continued) -

L-03-1 60 Corrective Action 02-09043-25 This peer review observation was initially Categorized as a "C" observation in the draft B VPS PRA Peer Review Report, but was subsequently changed to a "B" in the fnal report.

Summary: This observation was identified in the Quantification Related Grades regarding the dominant sequences/cutsets. The peer review team observed that the simplified assumption regarding the subsequent failure of operators to emergency borate, given the failure of the operators to trip the reactor as an immediate action is overly conservative. The peer review team recommended that the anticipated transients without scram model be revised to appropriately account for human error rates in the EOPs, giving consideration to the timing and dependencies between the actions.

Resolution: In response to this observation, the BV2REV3B PRA model was revised to incorporate giving credit for the longer term operator action to emergency borate, even though the earlier actions to manually trip the reactor or to insert the control rods may have failed.

Impact: Implementation of this resolution was already identified and incorporated into the WCAP-15887 analyses, as discussed in Section 7.4.3 of the WCAP submittal.

Page 16 of 16

Retrieved from "https://kanterella.com/w/index.php?title=L-03-160,_Response_to_a_Request_for_Additional_Information_in_Support_of_License_Amendment_Requests_No._180&oldid=2639963"