Response to Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Association (NFPA) Standard 805

ML17017A504
Person / Time
Site:	Davis Besse
Issue date:	01/17/2017
From:	Boles B FirstEnergy Nuclear Operating Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
CAC MF7190, L-16-371
Download: ML17017A504 (39)
v • d • e

Text

FE NOC Brian D. Boles Vice President - Nuclear January 17, 2017 L-16-371 ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Washington, DC 20555-0001

SUBJECT:

Davis-Besse Nuclear Power Station, Unit No. 1 Docket No. 50-346, License No. NPF-3 5501 Norlh State Route 2 Oak Harbor, Ohio 43449 419-321-7676 Fax: 419-321-7582 Response to Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Association !NFPAl Standard 805 CCAC No. MF7190l By letter dated December 16, 2015 (ADAMS Accession No. ML15350A314), as supplemented by letters dated March 7, 2016, July 28 1 2016, and December 16, 2016 (Accession Nos. ML16067A195, ML16210A422, and ML16351A330, respectively),

FirstEnergy Nuclear Operating Company (FENOC) submitted a license amendment request (LAR) to change the Davis-Besse Nuclear Power Station, Unit No. 1 fire protection program to one based on the National Fire Protection Association Standard 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," 2001 Edition. The Nuclear Regulatory Commission (NRC) requested additional information in a letter dated October 18, 2016 (Accession No. ML16256A066) to complete its review of the LAR.

it:*

In accordance with the October 18, 2016 letter, the FENOC response that is due within 90 days is attached.

There are no regulatory commitments contained in this submittal. If there are any questions or if additional information is required, please contact Mr. Thomas A. Lentz, Manager - Fleet Licensing, at 330-315-6810.

I declare under penalty of perjury that the foregoing is true and correct. Executed on January fl_, 2017.

Sincerely,

~J~

Brian D. Boles

Davis-Besse Nuclear Power Station, Unit No. 1 L-16-371 Page 2

Attachment:

Response to Request for Additional Information cc: NRC Regional Administrator - Region III NRC Resident Inspector NRC Project Manager Executive Director, Ohio Emergency Management Agency, State of Ohio (NRC Liaison)

Utility Radiological Safety Board

Attachment L-16-371 Response to Request for Additional Information Page 1 of 37 The NRC staff requested additional information to complete their review of a FENOC LAR for the Davis-Besse Nuclear Power Station (DBNPS). The LAR would change the current fire protection program to one based on the National Fire Protection Association Standard 805 (NFPA 805), Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 Edition. The NRC staffs request is provided below in bold text followed by the corresponding FENOC response.

Fire Protection Engineering (FPE) Request for Additional Information (RAI) 06 NFPA 805, Section 3.5.5, requires that each fire pump and its driver and controls be separated from the remaining fire pumps and from the rest of the plant by rated fire barriers. In connection to this requirement, LAR, Attachment L, Approval Request 4, requests approval for the remote start circuit separation configuration of the remote control circuits to each fire pump. The following information is needed for the NRC staff to review this approval request:

a. Approval Request 4 only discusses the fire effects on control cables associated with the fire pumps, and does not appear to discuss the routing or consequences of damage to the power cable to the electric pump. In addition, the licensee indicated that a loss of offsite power to the electric fire pump could occur due to a fire in fire compartments FF-01 and DD-01, but the licensee did not discuss the fire effects of a loss of offsite power coincident with the loss of remote and local control of the diesel fire pump.

Describe how at least one fire pump will remain available to supply the fire suppression systems, hydrants, and hose stations in the fire areas where the control cable for the diesel fire pump is affected by a fire, coincident with the loss of power to the electric fire pump.

Response

For those fire compartments where water-based fire suppression systems, hydrants, or hose stations are credited for NFPA 805 transition, at least one fire pump will remain available to supply the water. The only compartments containing control cables for both the electric and diesel fire pumps are BG-01, DD-01, and FF-01. As described in the following paragraphs, fire scenarios in these compartments that could damage the control circuits do not credit water-based manual or automatic suppression, except for one fire scenario in compartment DD-01. Compartment BG-01 credits water-based suppression, but the fire scenarios do not result in damage to the control circuits.

Fire pump cables are routed in separate raceways within fire compartments BG-01 (pipe tunnel), DD-01 (cable spreading room), and FF-01 (control room). The cable trays

Attachment L-16-371 Page 2 of 37

that house the cables for the diesel fire pump (located in Channel A trays) and the electric fire pump (located in Channel B trays) are configured with solid metal bottoms and sides and covered with ceramic fiber blankets on top. In the unlikely event of a fire that results in the loss of the electric fire pump and loss of the diesel fire pump control circuits prior to the pump receiving an auto-start signal, a fire pump could be locally started at the intake structure, even though auto and manual water-based suppression is not credited for a fire within the compartments. In this circumstance (a fire that results in the loss of both the electric fire pump and the diesel fire pump control circuit), a fire pump can be manually started by operations; however, as stated, water-based suppression is not needed in these scenarios but could be restored for additional availability of fire suppression.

Review of the subject fire compartments BG-01, DD-01, and FF-01 confirmed the following:

BG-01: The fire model for BG-01 credits water-based manual suppression for a single transient fire scenario. Automatic sprinklers are not credited in the fire model. Upon review of the single scenario that credits manual suppression, it was identified that the 317 kW transient fire does not result in any damaged cable trays or conduits. Review of the fire pump circuits confirmed that they are not damaged in the transient fire scenario where manual suppression is credited within fire compartment BG-01.

DD-01: Other than one fire scenario in the multi-compartment analysis (MCA) for DD-01 that initiates outside of DD-01, manual or automatic water-based suppression is not credited. A fire propagating from another fire compartment into DD-01 would cross through a fire-rated penetration, which provides a restricted propagation path; thereby limiting the damaging affects transferring into the room. The fire pump cables are located in separate channels of cable trays that include solid metal bottoms, and ceramic fiber blanket tops, which limit contribution of the cables to the available fire load. Based on the restricted propagation path, which increases the time for the heat to transfer into the adjacent fire compartment, and the cable tray configuration of solid metal bottoms with ceramic fiber tops, damage is expected to be limited to a single fire pump remote start circuit.

Fire suppression sprinklers were credited for DD-01 in an existing engineering equivalency evaluation (EEEE) as part of an analysis on structural steel integrity. Since the fire load is significantly reduced as a result of crediting solid bottom cable trays with ceramic fiber blankets on top, credit for sprinklers in this location is no longer required in order to compensate for a lack of structural steel fireproofing. The LAR Attachment S, Table S-2 implementation item DB-1825 will be modified to describe removing credit in the EEEE for the sprinklers. A revision to the LAR Attachment S will be provided in a future transmittal.

FF-01: Consistent with the guidance from NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, Final Report, the main control room fire

Attachment L-16-371 Page 3 of 37

analysis for fire compartment FF-01 credits handheld extinguishers for fire suppression.

Manual hose stations are not relied upon for fire suppression in this compartment; therefore, the fire pumps are not required.

Fire protection defense-in-depth: Fire risk evaluations for BG-01, DD-01, and FF-01 will be updated to limit credit of hydrants and hose stations. Where necessary for risk mitigation, use of portable extinguishers will be credited. These changes will be incorporated in the response to PRA RAI 03.

For the automatic suppression entry for fire compartment DD-01 in LAR Table 4-3, a note is hereby added stating that the system is only credited in a MCA scenario originating outside the compartment.

FPE RAI 06

b. Approval Request 4 states that in fire compartments BG-01 and DD-01, cables are routed independently in solid-bottom trays with a layer of ceramic fiber on top. Clarify if these passive fire protection features are credited to limit fire damage to both redundant fire pumps in fire compartments BG-01 and DD-01 to ensure that at least one fire pump will remain available to provide the required flow to credited fire suppression systems, yard hydrants, and hose stations.

Response

Table 4-3 of the LAR and a review of the detailed fire models for fire compartments BG-01 and DD-01 confirmed that credit was taken for all cable trays having a solid metal bottom and a ceramic fiber layer on the top to prevent them from becoming ignited during a fire. These passive fire protection features preclude additional heat release contribution of the cable trays to the associated fire scenarios and limit the damaging zone of influence. The response to probabilistic risk assessment (PRA) RAI 02(h) contains additional discussion regarding the credit for solid metal bottom trays with a layer of ceramic fiber on top. These passive fire protection features limit the possibility of simultaneous damage to both channels of cable trays that route the fire pump cables, thereby helping to ensure at least one fire pump will remain available.

A revision to the LAR Attachment L, Approval Request 4 that updates the basis for approval and acceptance criteria evaluation sections in their entirety will be provided in a future transmittal.

FPE RAI 06

c. In its discussion of impact on the NSPC, the licensee stated:

A fire in fire compartment BG-01, DD-01, or FF-01 that renders

Attachment L-16-371 Page 4 of 37

the starting circuits for both fire pumps inoperable would not affect the ability to supply the required fire water during a fire since the fire pumps are not relied upon for nuclear safety functions. In the event of damage to both fire pumps starting circuits, it would not affect the ability to perform an emergency start of the pump. The plant is also provided with an alternate means of manual suppression via fire extinguishers to contain the fire while the electric fire pump is being manually locally started.

In LAR Table 4-3, the licensee identified the automatic suppression systems in fire area DD-01 to be required to meet the NSPC.

Discuss how the delay in fire pump availability due to a manual local start will affect the results of the nuclear safety capability assessment (NSCA) for fire compartment DD-01. Describe how the fire protection defense-in-depth will be maintained if the fire pump availability is delayed to the sprinkler systems, hydrants, and hose stations.

Response

The response to FPE RAI 06(a) demonstrates that the automatic water-based fire suppression system is unnecessary in fire compartment DD-01. Fire protection defense-in-depth is maintained since water-based suppression is not necessary for a fire in this compartment, and thus there will be no delay in the suppression capabilities for a fire there. Additionally, the fire risk evaluation for this fire compartment will be updated to limit credit of hydrants and hose stations, and, where necessary for risk mitigation, use of portable extinguishers will be credited.

PRA RAI 02 - Fire Events PRA F&Os [Facts and Observations]

Attachment V, Fire PRA Quality, of the LAR provides information regarding the peer review of the fire PRA. The following questions relate to the disposition of the associated F&Os and supporting requirement assessments related to this peer review.

a) F&O PP-C3 Spatial Separation and Active Barriers F&O PP-C3-01 cites a lack of documented justification for non-rated fire barriers and refers to use of spatial separation and active fire barriers for which there are specific considerations that need to be addressed to credit them in the fire PRA. The disposition to the F&O does not explain whether or how spatial separation or active fire barriers were credited in the fire PRA.

Attachment L-16-371 Page 5 of 37

i.

If spatial separation is credited in the fire PRA, describe the physical characteristics that justify use of spatial separation and explain how the approach is consistent with the guidance in NUREG/CR-6850. Include a description of the distance used to define spatial separation, and describe the basis for justifying that this space is absent of combustibles and fire ignition sources. If the approach is not consistent with the guidance in NUREG/CR-6850, justify the approach, or confirm that an acceptable approach will be included in the integrated analysis provided in response to PRA RAI 03.

Response

Outdoor and indoor spatial separation was applied during the fire PRA plant partitioning.

DBNPS programmatic processes and controls, such as the design interface evaluations for plant modifications and the transient combustible control program, ensure combustibles and fire ignition sources in these spaces are limited to those analyzed.

Outdoor spatial separation:

The first type of spatial separation applied is outdoor spatial separation which was credited as part of the plant boundary definition and partitioning task as a screening criteria. The application of this type of screening criteria considers that a damaging hot gas layer (HGL) will not form, and that there is enough radial distance between screened structures so as not to contribute fire risk from one location to another. This is consistent with the guidance of Section 1.5.2 of NUREG/CR-6850, Fire PRA Methodology for Nuclear Power Facilities, Volume 2: Detailed Methodology.

Indoor spatial separation:

The second type of spatial separation applied is indoor spatial separation, which considered the impact of fire propagation across open doorways. A review of the fire PRA Task 1 report, Plant Boundary Definition and Partitioning Analysis, and the MCA determined the following five open boundaries were defined with a barrier failure probability of 1.0 (100 percent), consistent with the guidance of NUREG/CR-6850.

A-06 A-07: Door 205A (wire mesh door to annulus)

A-06 A-08: Door 308A (wire mesh door to annulus)

AB-02 AB-03: Door 201B (wire mesh door to annulus)

AB-02 AB-05: Door 307A (wire mesh door to annulus)

A-06 AB-02: Separation between two halves of containment annulus An EEEE provides justification for subdividing the containment annulus into two separate fire compartments. This EEEE also includes the evaluation of the four door locations described above. The door openings to the annulus consist of a solid metal plate on the lower half and wire mesh on the upper half. The lower metal plate limits the

Attachment L-16-371 Page 6 of 37

doorway open area for potential communication of fire effects. The immediate areas around the mesh doors contains no ignition sources and no intervening combustibles.

A review of Table 4 of the MCA identified that none of the subject fire compartments discussed above are capable of developing a damaging HGL. Therefore the only consideration for a fire to propagate across the boundary is if the fire ignition occurred at the boundary. Since there are no fixed ignition sources identified near the openings, the only local fire would be a transient fire. In the worst case, a transient 317 kilowatt (kW) fire is capable of developing the following ZOI:

Radiant heat flux ZOI of less than 4 feet Plume ZOI of less than 10 feet Fire modeling for the annulus area indicates that it is generally free of transient combustibles. Also, the area on either side of the opening is generally free of fixed or transient combustibles. Therefore, no fire spread is expected from a transient fire being located at the boundary. Indoor spatial separation is consistent with the guidance of NUREG/CR-6850.

PRA RAI 02(a) ii.

If active fire barriers are credited in the fire PRA, describe these systems and explain how the approach is consistent with guidance in NUREG/CR-6850. Include a discussion of possible fire impact on any cables associated with the active system or fire impacts on other parts of the system that could defeat the barrier. If the approach is not consistent with guidance in NUREG/CR-6850, justify the approach, or confirm that an acceptable approach will be included in the integrated analysis provided in response to PRA RAI 03.

Response

A review of the plant boundary definition and partitioning calculation, in conjunction with the fire hazards analysis report, fire risk evaluations, and the MCA identified credit for active fire barrier features. These active barrier features (water curtain suppression systems) were installed to preclude direct flame or fire communication between the specified adjoining fire compartments. Some openings also are configured with a passive barrier (solid metal panel) designed to open (blowout) for a compartment overpressurization event, in which case the active system will preclude fire communication.

Each of the following barrier penetrations are protected by automatic deluge water curtains, activated by heat detectors located on either side of the boundary:

Attachment L-16-371 Page 7 of 37

A-05 G-02: Opening between Rooms 124 (A-05) and 235 (G-02), open for ventilation A-07 G-02: Opening between Rooms 236 (A-07) and 235 (G-02), includes metal blowout panel for overpressurization A-08 II-01: Opening between Rooms 314 (A-08) and 326 (II-01), includes several openings configured with metal blowout panels for overpressurization There are no fixed ignition sources located in proximity to the subject boundaries; therefore, a transient fire is the applicable hazard for review. As defined in the response to PRA 02(a)(i), a worst-case transient 317 kW fire is expected to have the following ZOI:

Radiant heat flux ZOI of less than 4 feet Plume ZOI of less than 10 feet The subject openings between A-08 and II-01 and between A-07 and G-02 include metal blowout panels that would preclude direct flame propagation across the boundaries during normal plant operations. The area on either side of the subject boundaries are generally free of combustibles; therefore, there is no additional heat load to be evaluated beyond those summarized by the MCA.

The heat detector setpoints were reviewed in the plant database as either 190 degrees Fahrenheit (°F) or 225°F (88 degrees Celsius [°C] or 107°C, respectively). The electric cables in these circuits are of thermoset construction having a damage threshold of 330°C. The heat detector circuits are routed within conduits and junction boxes within these rooms, providing some additional thermal delay; therefore, it is expected that the heat detectors will activate prior to any heat detector circuit cable damage, and will thereby actuate the water curtain.

The passive and active boundary elements described above were credited 10 CFR 50 Appendix R (hereafter referred to as Appendix R) boundaries, which are monitored and maintained consistent with the current licensing basis. In addition, these same boundary elements have been treated appropriately within the MCA and fire risk evaluations, and determined acceptable for transition for their respective fire compartment adjacent pairs. Therefore, fire compartment separation based on these active fire barrier elements in conjunction with passive barriers is consistent with the guidance of NUREG/CR-6850.

PRA RAI 02 b) F&O CS-B1 Modeling Inadequate Circuits The disposition to F&O CS-B1-02 identifies calculations that, include some cases where protective device coordination is not confirmed, and describes specific instances of inadequate breaker fuse coordination. The disposition explains that, [i]n these cases, the components and busses

Attachment L-16-371 Page 8 of 37

were identified as failed (assigned to UNL [unlocated] in the Fire PRA).

Based on this, it is not clear how the inadequate circuits were modeled in the fire PRA.

i.

Explain how inadequate breaker/fuse coordination was modeled in the fire PRA and justify that this treatment addresses the failures that could occur as a result of the identified potential circuit inadequacies.

Response

Inadequate breaker/fuse coordination was modeled in the fire PRA in three different ways, depending on the risk significance and the effort required:

Some low-risk electrical distribution panels were known to have inadequate breaker/fuse coordination, but it was not cost effective to specifically identify or locate these associated cables. Instead, it was conservatively assumed that a fire in any compartment or scenario could result in fire damage to the cable. It was also assumed that the supply breaker to the load component would not open, thus cascading the fault to the next coordinated breaker (the feeder breaker to the panel) resulting in a loss of power to all loads requiring power from those panels. Because of this coordination issue, the distribution panels were failed for all fire scenarios using the UNL designation in the fire PRA. By failing these panels for all fire scenarios, it was deemed an adequate representation of the failure to provide power to their low-risk loads, and provides a conservative result.

A number of required cabinets were identified in the Fire Hazards Analysis Report (FHAR) Appendix C as having inadequate breaker/fuse coordination. Per the FHAR, the associated cables were not specifically identified or located, but they were known to remain within the same fire area as the cabinet itself. Since NFPA 805 fire compartments and scenarios can be smaller volumes than Appendix R fire areas, there may be fires for which the cabinet itself is free of fire damage, but for which one or more of the unidentified load cables could be damaged. To address this, it was conservatively assumed that a fire anywhere in each fire compartment or scenario associated with the Appendix R fire area where a particular cabinet was located could result in fire damage to a cable coming off of that cabinet. It was also assumed that the supply breaker to the load component would not open, thus cascading the fault to the next coordinated breaker (the feeder breaker to the cabinet) resulting in a loss of power to all loads fed from the cabinet. However, since the loads off these cabinets generally had higher risk significance than the cabinets discussed above, use of the whole plant UNL assignment was not appropriate.

Instead, new compartments, UNL-DD, UNL-FF, UNL-HH, UNL-J, UNL-K and UNL-R, were created and assigned to all scenarios originating in the associated fire area. For example, cabinet C3615 is known to have inadequate circuit coordination, but all associated cables are known to be located in fire area K. C3615 was assigned UNL-K, causing it to fail for all fire scenarios in fire compartments K-01 and

Attachment L-16-371 Page 9 of 37

K-02. By failing each cabinet only for all fire scenarios in the fire compartments associated with its fire area, it was deemed an adequate representation of the failure to provide power to its loads and provides a conservative result without introducing excessive conservatisms.

Except as noted above, power sources with inadequate breaker/fuse coordination were fully modeled, and all associated circuits and cables were identified and located. The corresponding cables were added to the System Assurance and Fire Protection Engineering Software (SAFE) cable failure logics as required associated cables. Regarding damage to these cables, the supply breaker to the load component is assumed to not open, thus cascading the fault to the next coordinated breaker (the feeder breaker to the power source) resulting in a loss of power to all loads fed from those sources. By using the SAFE cable failure logics to model these failures, excessive conservatisms were avoided, and the resulting failures were reported to the fire PRA using the same SAFE reports and processes as any other required cable. No special modeling techniques were required in the fire PRA for these cables.

PRA RAI 02(b) ii.

Identify the failure modes addressed and discussion of how they were modeled in the fire PRA. Describe and justify the assumptions made in the fire PRA about how fire-induced faults associated with the inadequately coordinated circuits would impact components upstream and downstream from the fault.

Response

Fire-induced faults on any cable protected by a breaker or fuse was assumed to cause the breaker to trip or the fuse to blow to protect the cable from further damage. In the case of a coordinated circuit, the breaker/fuse nearest the fault would protect all upstream components from damage caused by the cable fault. The component(s) powered from the faulted cable would fail on loss of power, but power to other components would remain available. In the case of inadequate coordination, it was assumed that the breaker/fuse feeding the power source would trip or blow before the breaker/fuse closest to the fault, thus protecting downstream circuits from the fire-induced faults. The failure mode was identified as a loss of power to the panel, cabinet, or other power source, which would result in loss of power to all required components fed from that source. Power supplies upstream of the feeder breaker/fuse would be unaffected by the original fire damage.

Attachment L-16-371 Page 10 of 37

PRA RAI 02(b) iii.

If demonstration of breaker/fuse coordination relies on cable length (such a case is cited in the F&O), then justify that assumptions made for cables evaluated as part the fire PRA relying on cable length are consistent with guidance in NUREG/CR-6850. Guidance in NUREG/CR-6850 states that although commonly employed for Appendix R coordination, the use of cable length does not generically apply to fire PRA analysis, since compartment-level and scenario-level reviews are conducted. Alternatively, confirm that modeling of inadequate circuits associated with these cables will be included in the integrated analysis provided in response to PRA RAI 03.

Response

Breaker/fuse coordination no longer relies on cable length. During the peer review, two cables were initially identified in F&O CS-B1-02 as requiring cable length for coordination. As a resolution to this F&O, these two cables were assigned as required associated cables in SAFE cable failure logics, thereby treating them as non-coordinated and eliminating cable length as a factor. Since that time, these circuits were re-evaluated and determined to be fully coordinated. The cables were subsequently removed as required associated cables in the SAFE cable failure logics and are therefore modeled in the fire PRA as coordinated. A review of the FHAR did not identify any other cases where cable length is relied on for coordination.

PRA RAI 02(b) iv.

Confirm that the circuit protection is adequate for (1) cables associated with components modeled in the fire PRA, (2) cables in a common enclosure with cables associated with fire PRA components, and (3) cables that could produce a secondary fire or high energy arc fault that impacts cables associated with components modeled in the fire PRA.

Response

DBNPS uses a standard design methodology to provide circuit protection on power and control circuits whether related to a component modeled in the fire PRA or not. A determination is made for coordination between the upstream (feeder) and downstream (load) circuit. Due to the standard design, the protective devices preclude the occurrence of secondary fires or high energy arc faults for components. As such, circuit protection is adequate for component cables within the plant.

Attachment L-16-371 Page 11 of 37

PRA RAI 02 c) F&O PRM-B7-01 -Exclusion of Pilot-Operated Relief Valve (PORV) Failure Mode F&O PRM-B7-01 states that a thermal hydraulic analysis is needed to support the assumption made in the fire PRA regarding a failure of the PORV to reclose following closure of main steam isolation valves (MSIVs) or loss of main feedwater. The F&O further state that PRAs for similar plant designs have included this failure mode and have found it to be a measureable contributor to core damage. The disposition to F&O PRM-B7-01 states, in part, that:

... a simulator evaluation was run, which proved the PORV set point is higher than the pressure limits reached following closure of the MSIVs. Therefore, the PORV will not open, and a failure of the PORV to reclose was not added to the model.

The applicability of a simulator run as the basis for establishing success criteria for the fire PRA is not clear. Justify how a simulator run constitutes a thermal hydraulic analysis and provides an adequate basis to support exclusion of the cited PORV failure mode. Alternatively, provide a basis that does not rely on a simulator run or confirm that this failure mode will be included in the integrated analysis provided in response to PRA RAI 03.

Response

The updated final safety analysis report (UFSAR) was reviewed, and the peak reactor coolant system (RCS) pressure with a loss of feedwater and no pressurizer spray indicates the PORV or pressurizer safety valve (PSV) will lift. This would then bound the MSIV response as the PORV or PSV lift occurs for all fire scenarios. Therefore, the PORV or PSV failing to reclose following a loss of feedwater will be included in the PRA model, and the results will be included in the response to PRA RAI 03. The LAR Attachment V disposition to F&O PRM-B7-01 is hereby replaced with the following: As recommended by the peer review team, a discussion has been added to the fire PRA model notebook 10-02, Section 5. Per Section 15.2.8.4 of the UFSAR, it was identified that the PORV/PSV could lift following a loss of main feedwater (MFW). As MFW is assumed lost for all fire scenarios, a PORV/PSV challenge will be included in the fire PRA model with a probability of failing to reclose.

Attachment L-16-371 Page 12 of 37

PRA RAI 02 d) F&O PRM-B7 Update of the Fire PRA after Modifications are Complete The disposition to F&O PRM-B7-02 indicates that the PRA model management procedure requires that the fire PRA be updated when modifications are implemented. Implementation Item DB-1695, Revise PRA for Plant Modifications, in LAR, Attachment S, Table S-2, does not indicate which PRA is to be updated (i.e., the internal events PRA, fire PRA, or both) and does not specify a plan in the event that updated fire PRA results do not meet risk acceptance guidelines in RG 1.174, Revision 2, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, May 2011 (ADAMS Accession No. ML100910006). Also, Implementation Item DB-1695 does not indicate that updates to the fire PRA should include changes needed as a result of completing other implementation items such as an update of fire procedures.

Revise Implementation Item DB-1695 to include (1) updating the fire PRA following completion of modifications and other implementation items, and (2) a plan of action if the updated, as-built, as-operated fire PRA results in risk estimates that exceed RG 1.174, Revision 2, risk acceptance guidelines. The plan of action should include implementing additional modifications or refining the analytic estimates. Alternatively, justify why these revisions are not needed.

Response

The LAR Attachment S, Table S-2 implementation item DB-1695 will be revised to include the following:

1) Following completion of implementation items presented in LAR Attachment S, Table S-2, the fire PRA model will be updated as necessary to properly reflect the as-built, as-operated transitioning plant.

2) If the updated, transitioning fire PRA model results in risk estimates exceeding RG 1.174 Revision 2 risk acceptance guidelines, refinement of analytic estimates for the internal events and fire PRA will be made (that may include, but are not limited to, increased detailed fire modeling or circuit analysis, application of alternate NRC endorsed methodologies), or plant modification or procedure changes will be made, if necessary, prior to use of the model.

A revision to the LAR Attachment S will be provided in a future transmittal.

Attachment L-16-371 Page 13 of 37

PRA RAI 02 e) F&O PRM-B9 Fire PRA Modeling of FLEX Equipment The disposition to F&O PRM-B9-01 states that modeling of FLEX equipment credited in the fire PRA was expanded from a point estimate of 1E-2 into a system fault tree model. Implementation Item DB-1983 in LAR, Attachment S, Table S-1, identifies a modification consisting of two FLEX RCS charging pumps that are credited in the fire PRA model. LAR Attachment G, Table G-1 (pp. G-8 to G-10), identifies deployment of a 480 volt alternating-current generator and manual alignment of a FLEX RCS charging pump as part of the RA. However, the generator is not listed in Table S-1. It is not clear what FLEX equipment is being credited in the fire PRA, what failures were modeled, or how potential fire impacts on credited FLEX equipment were addressed.

i. Describe the FLEX equipment and operator actions credited in the fire PRA. Clarify whether or not the generator mentioned above is FLEX equipment. Include discussion of whether the equipment currently exists, where it is located, and whether the equipment needs to be relocated and installed before using.

Response

The flexible coping strategies equipment currently credited in the PRA (both internal events and fire) was onsite as of spring 2016. The generator mentioned is included and considered FLEX equipment in the fire PRA. Fire procedure development utilizing FLEX equipment is a planned implementation item (LAR Attachment S, Table S-2, item DB-0572). The planned procedures will either closely replicate or reference the FLEX procedure.

The process of installation and activation is as follows:

During a fire within the plant power block there is the potential to lose the main feedwater, auxiliary feedwater (AFW), the motor-driven feed pump (MDFP), and the start-up feedwater pump either due to dependencies or actual equipment failure. The main feedwater pumps and the start-up feedwater pump cables were not cable traced and therefore failed for all fire scenarios. This results in an over-reliance on the AFW and the MDFP. If AFW or the MDFP is available, it would be used as the primary means to maintain decay heat removal via the steam generators (SGs).

Fires resulting in a loss of AFW and the MDFP would be mitigated using the newly installed diesel-driven emergency feedwater system (EFW). The EFW system was installed in a new emergency feedwater facility (EFWF) building. This facility houses the majority of the N FLEX equipment with the exclusion of the FLEX RCS charging pumps. This facility also contains a tank containing approximately 217,000 - 290,000

Attachment L-16-371 Page 14 of 37

gallons of water, which is adequate to supply feedwater to the SGs for up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The EFW pump (EFWP) has a fire-protected starting circuit that runs from the EFWF to the main control room (MCR) such that initiation is available from the MCR. If for some reason, the EFW pump fails to start, no local recovery action is credited in the PRA.

Should the EFW pump start, but fail to run after one hour, the low pressure (LP) diesel driven EFW Pump can be used. The LP EFW pump is only credited for failures of the EFW system to run; that is, it is not currently credited in the PRA to mitigate a run failure of the AFW or MDFP. The LP EFW pump is located in the EFWF and would require an operator to report to the EFWF to connect suction and discharge hoses. There is an operator aid with simple written instructions and pictures attached to the pump itself to perform pre-checks and pump startup. A procedure directs the mechanical alignment (suction, discharge, and fuel oil if required). As this is a diesel driven pump, electrical alignment is not required.

The EFW pump is also dependent upon direct current (DC) control power for continued operation. The batteries located in the EFWF are normally charged from the Oak Harbor feeder, which connects to the EFWF via substation YRDSUB-07. This offsite power source does not enter the auxiliary or turbine buildings, thus only fires outside have the potential to impact this feeder. If for some reason there is a failure of YRDSUB-07, the batteries would begin to deplete and would cause a failure of the EFW pump to run after 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Within the timeframe that YRDSUB-07 is failed and the batteries deplete, operations can use the FLEX 480 Volt (V) generators to repower the EFWF and repower the battery chargers. The N 480 V generator is located within the EFWF and the N+1 480 V generator is located in Service Building 7. Both the N and the N+1 generators are credited in the PRA. There is an operator aid with simple written instructions and pictures attached to the generator itself that directs pre-checks, mechanical (fuel oil from the EFW fuel oil storage tank) and electrical connections, and starting the generator. All connections and equipment are within a close proximity of the N generator itself. The EFW fuel oil storage tank has a 6,000 gallon capacity and is expected to be able to supply the generator, the EFW pump, and other FLEX related loads for up to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The N+1 generator would require relocation from Service Building 7 and would require a truck to haul the generator from there to just outside the EFWF where the connections are made.

If the fire would induce a reactor coolant pump (RCP) seal loss of coolant accident (LOCA), a PORV LOCA, or a PSV LOCA, and a loss of all emergency core cooling systems (ECCS) with feedwater to the SGs is available, operators can cooldown and depressurize the RCS within one hour and have up to eight hours to start one FLEX RCS charging pump to maintain the core covered with water and prevent core damage.

While two FLEX RCS charging pumps are located in the plant, only one is required for success. Power to the FLEX RCS charging pump comes from receptacles located close to the borated water storage tank (BWST) FLEX RCS charging pump in the auxiliary building room 100. Cables and hoses are also staged and located in this room for the BWST FLEX RCS charging pump. The clean waste receiver tank (CWRT) FLEX RCS

Attachment L-16-371 Page 15 of 37

charging pump is located within auxiliary building room 124, approximately 300 feet away from the receptacles in room 100. Cable carts are strategically stored between the two rooms. The power is distributed to the receptacle from the EFWF (powered by either YRDSUB-07, or the FLEX 480 V generator), and runs in a conduit underground.

The hoses required for suction and discharge for the CWRT FLEX RCS charging pump are located in the adjacent room. By the time the FLEX RCS charging pumps would be required, the fire would be extinguished. Therefore, operators are not entering a live fire area or smoke-filled room to perform the tasks. There is an operator aid with simple written instructions and picture attached to the pumps themselves providing pre-cautions, pre-start checks, and how to start the pump.

A summary of the current PRA-modeled FLEX equipment and the operator actions associated with the FLEX coping strategies are shown in the following table. Additional equipment may be credited in the future and will follow the PRA update and maintenance process

Attachment L-16-371 Page 16 of 37

Equipment Identification Equipment Description Location Requires Relocation? Basic Events Associated Operator Action Associated Operator Action Description Time to No Recovery Impact of Failing Action P310 Diesel Driven Feed Pump Emergency Feedwater Facility No QDP0310A - EFWP FAILS TO START QDP0310B - EFWP FAILS TO RUN DURING FIRST HOUR QDP0310F - EFWP FAILS TO RUN AFTER FIRST HOUR OF OPERATION QHADAFPE Operators fail to start the diesel driven feed pump 30 Minutes Loss of all feedwater to both SGs FX-P1P Alternate Low Pressure EFW Pump Emergency Feedwater Facility No QDPFP1PA - FLEX 'N' ALTERNATE LP EFW PUMP (FX-P1P) FAILS TO START QDPFP1PB - FLEX 'N' ALTERNATE LP EFW PUMP (FX-P1P) FAILS TO RUN IN FIRST HOUR QDPFP1PF - FLEX 'N' ALTERNATE LP EFW PUMP (FX-P1P) FAILS TO RUN AFTER FIRST HOUR QHALPFPE Operators fail to start LP EFW pump after EFW fails 1.75 Hours Loss of all feedwater to both SGs FX-K1P FLEX Turbine Marine 480 V Generator -

Primary Emergency Feedwater Facility No FFGXK1PA - FLEX 480 V TURBINE MARINE GENERATOR FX-K1P FAILS TO START FFGXK1PB-FLEX 480 V TURBINE MARINE GEN FX-K1P FAILS TO LOAD AND RUN DURING FIRST HR OF OP FFGXK1PF - FLEX 480 V TURBINE MARINE GENERATOR FX-K1P FAILS TO RUN AFTER 1 HOUR EHAFLXPE Operators fail to deploy FLEX 480 V generator 6 Hours*

Loss of battery for the diesel driven feedwater pump*

8 Hours Failure of FLEX RCS injection

Attachment L-16-371 Page 17 of 37

Equipment Identification Equipment Description Location Requires Relocation? Basic Events Associated Operator Action Associated Operator Action Description Time to No Recovery Impact of Failing Action FX-K1A FLEX Turbine Marine 480 V Generator -

Alternate Service Building 7 Yes FFGXK1AA-FLEX 480 V TURBINE MARINE GENERATOR FX-K1A FAILS TO START FFGXK1AB-FLEX 480 V TURBINE MARINE GEN FX-K1A FAILS TO LOAD AND RUN DURING FIRST HR OF OPERATION FFGXK1AF - FLEX 480 V TURBINE MARINE GENERATOR FX-K1A FAILS TO RUN AFTER 1 HOUR EHAFLXPE**

Operators fail to deploy FLEX 480 V generator 6 Hours*

Loss of battery for the diesel driven feedwater pump*

8 Hours Failure of FLEX RCS injection P296-1 BWST FLEX RCS Charging Pump Auxiliary Building Room 100 No FMP2961A - FLEX MOTOR-DRIVEN PUMP P296-1 FAILS TO START FMP2961B - FLEX MOTOR-DRIVEN PUMP P296-1 FAILS TO RUN IN FIRST HOUR FMP2961F - FLEX MOTOR-DRIVEN PUMP P296-1 FAILS TO RUN AFTER FIRST HOUR XHARCSME Operators fail to initiate RCS makeup/charging pumps to maintain inventory 8 Hours Failure of FLEX RCS injection XHACLDTE Operators fail to rapidly cooldown on loss of high pressure injection (HPI) or makeup (MU) 1 Hour RCS does not depressurize to reduce leakage XHACLDNE Operators fail to take local manual control of atmospheric vent valves (AVVs) 1 Hour Upon loss of air, manual action is required.

RCS does not depressurize to reduce leakage EHAFLXPE Operators fail to deploy FLEX 480 V generator 8 Hours Loss of control to the diesel driven feedwater pump Failure of FLEX RCS injection P296-2 CWRT FLEX RCS Charging Pump Auxiliary Building Room 124 No FMP2962A - FLEX MOTOR-DRIVEN PUMP P296-2 FAILS TO START FMP2962B - FLEX MOTOR-DRIVEN PUMP P296-2 FAILS TO RUN IN FIRST HOUR FMP2962F - FLEX MOTOR-DRIVEN PUMP P296-2 FAILS TO RUN AFTER FIRST HOUR XHARCSME Operators fail to initiate RCS makeup/charging pumps to maintain inventory 8 Hours Failure of FLEX RCS injection XHACLDTE Operators fail to rapidly cooldown on loss of HPI/MU 1 Hour RCS does not depressurize to reduce leakage XHACLDNE Operators fail to take local manual control of AVV 1 Hour Upon loss of air, manual action is required.

RCS does not depressurize to reduce leakage EHAFLXPE Operators fail to deploy FLEX 480 V generator 6 Hours Loss of control to the diesel driven feedwater pump 8 Hours Failure of FLEX RCS injection

• Limiting case

• • The EHAFLXPE operator action was originally identified as the same for both 480 V generators. Since the N+1 generator requires relocation (which was not initially accounted for), the EHAFLXPE operator action will be adjusted or an additional operator action created for FX-K1A (N+1 480 V generator) and included in the response to PRA RAI 03

Attachment L-16-371 Page 18 of 37

PRA RAI 02(e) ii. Describe the procedures and guidance that will be used to install and operate the FLEX equipment for fire scenarios. Include a discussion of the specific actions and instructions for the use of FLEX equipment in fire scenarios that are or will be included in these procedures and guidance. Confirm that the development of these procedures and guidance has been completed. Otherwise, provide an implementation item for LAR, Table S-2, to complete the relevant procedures or justify why it is not needed.

Response

The fire procedures to install and operate the FLEX equipment have not yet been developed. LAR Attachment S, Table S-2 implementation items DB-0572 (revise affected procedures to include credited NFPA 805 fire protection equipment) and DB-1943 (review and revise fire PRA human reliability analysis upon completion of procedure updates, modifications, and training) will encompass the updates to the fire procedures, including the FLEX equipment.

The updated fire procedures will work with the emergency operating procedures (EOPs) to mitigate the accident based on plant symptoms. The fire procedure will be updated to provide operators with indications that can be trusted during fires in different plant areas in order to accurately assess the situation. If all indication is lost in a certain fire area, then the operators will be procedurally driven to perform actions.

The EOPs currently direct use of the FLEX RCS charging pumps on a loss of sub-cooling margin when other equipment (high pressure injection, low pressure injection, or make up) does not respond as desired. In addition, the EOPs provide guidance to use the FLEX 480 V generator to restore power if there is a failure of power in the EFWF.

Finally, the fire procedure will be updated to include random failures such as a loss of feedwater from all the permanently installed equipment (EFW randomly fails after one hour), in which case, the low pressure EFW pump can be used to supply feedwater.

PRA RAI 02(e) iii. Confirm that the modeling of the fire HFEs and a feasibility study of operator actions for the use of FLEX equipment in fire scenarios were performed, consistent with guidance in NUREG-1921, EPRI/NRC-RES Fire Human Reliability Analysis Guidelines - Final Report, July 2012 (ADAMS Accession No. ML12216A104). Otherwise, justify the basis for the human reliability analysis, or confirm that the human reliability analysis will be updated to be consistent with guidance in NUREG-1921 and included in the integrated analysis provided in response to PRA RAI

03.

Attachment L-16-371 Page 19 of 37

Response

The feasibility study from NUREG-1921 was followed for all FLEX-related operator actions and were found to be satisfactory. The modeling of FLEX-related HFEs performed within one hour followed the guidance presented in NUREG-1921. For FLEX-related HFEs that are performed after one hour, the internal events human error probability was used without alteration. After one hour, NUREG-1921 states, the fire can be assumed to be out and thus not continuing to cause delayed spurious activity and other late-scenario complicating disturbances, and that there is plenty of time available to diagnose and execute the action. Therefore, this was determined to be an acceptable modeling approach.

PRA RAI 02(e) iv. Explain how the fire scenario timeline for operator actions that implement FLEX actions was established. Describe the cues or indications operators will use to initiate use of FLEX equipment credited for fire scenarios and how the time available and time required to complete operator actions were estimated.

Response

Timelines for operator actions that implement the FLEX actions were established through the use of the FLEX feasibility study documented in the FLEX validation and verification (V&V). While the FLEX V&V may not be exact for the fire PRA, it does provide bounding timeliness metrics under the worst conditions the plants may expect during a beyond design basis event. While the fire brigade may not be able to respond during the first hour, there is still plenty of margin such that the timelines established proved adequate for inclusion into the fire PRA model. The cues credited for fire scenarios and timelines are explained further:

Operators fail to start the diesel-driven feed pump (QHADAFPE) o Cue: Low SG level, Auxiliary feedwater pump turbine speed/flow o Time available: 30 minutes per MAAP computer program runs representing a loss of feedwater and LOCA o Time required:

Cognitive: 5 minutes is estimated, based on inputs from operations personnel Execution: 4 minutes is estimated, based on input from operations personnel Align and start the LP EFW pump (QHALPFPE) o Cue: Low SG level, Annunciator 10-6-G (EFW trouble) o Time available: 1.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br /> per MAAP computer program runs representing a loss of feedwater after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> with no LOCA o Time required:

Attachment L-16-371 Page 20 of 37

Cognitive: Assumed 5 minutes to recognize failure of EFW pump and make decision to go to LP EFW pump Execution: 30 minutes based on operator interview Align the FLEX 480 V generator to provide power to the EFWF (EHAFLXPE) o Cue: Annunciator 10-6-G or loss of offsite power Since the power to the EFWF does not pass through the power block it is assumed to not be lost as often, but if failed from fire it can still be recovered o Time available: Limiting case is 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> until the EFWF battery depletes and the EFW pump stops on loss of control power o Time required:

Cognitive: Assumed time to assess and get to point in procedure (6 minutes)

Execution: Used the FLEX V&V study time (20.5 minutes) o Note: During development of the LAR, the EHAFLXPE operator action was identified as the same for both 480 V generators. Since the N+1 generator requires relocation (which was not initially accounted for), the EHAFLXPE operator action will be adjusted or an additional operator action created for FX-K1A (N+1 480 V generator) and incorporated in the response to PRA RAI

03.

Align and start the FLEX RCS charging pumps (XHARCSME) o Cue: Loss of subcooling margin with no MU or HPI o Time available: 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to prevent core damage per MAAP computer program runs with various LOCAs (PSV, PORV, or RCP seal LOCA), no injection, and success of feedwater and a rapid cooldown o Time required:

Cognitive: Assumed time to assess and get to point in procedure (10 minutes)

Execution: Used the FLEX V&V study time (56 minutes)

PRA RAI 02(e)

v. Explain how the failure rates/probabilities of hardware failures (e.g.,

random failures, unavailability due to testing and maintenance) associated with setup and operation of the FLEX equipment in fire scenarios was estimated. Explain how, after transition, the failure rates/probabilities for FLEX equipment will reflect actual equipment performance. Include a description of how plant-specific failure data associated with FLEX equipment will be developed. Provide an implementation item for LAR, Table S-2, to update the FLEX equipment failure rates/probabilities to reflect actual equipment performance as part of the PRA maintenance and upgrade process, or justify why it is not necessary.

Attachment L-16-371 Page 21 of 37

Response

Random failures associated with the FLEX equipment were included in the PRA model.

The random failures modeled include:

EFW pump fails to start, run during first hour, and run after first hour FLEX LP EFW pump fails to start, run during first hour, and run after first hour FLEX 480 V generator fails to start, load, and run FLEX RCS charging pumps fails to start, run during first hour, and run after first hour The corresponding failure rates are discussed in the response to PRA RAI 02(f). The current 2010 updated failure rate for the FLEX equipment (positive displacement charging pumps and 480 V Turbine Marine generators) will be used in the integrated analysis in response to PRA RAI 03. After transition, the failure rates for the equipment will be updated following normal PRA processes as plant-specific or industry-generic data becomes available. Should a fire be located in the location where the FLEX equipment is stored, the equipment failure rate is increased to failed and not used to mitigate the event.

Beyond the FLEX specific component failures, failure of the suction and discharge valves are also included in the success path of the equipment. Unavailability due to testing and maintenance was determined by the following:

The EFW pump, since it is a standby system, may be made unavailable for testing and maintenance while at power. The probability for the maintenance event for the EFW system was set equal to the generic unavailability for diesel-driven pump test or maintenance (AFWS) listed in NUREG/CR-6928.

The FLEX LP EFW pump does not have an unavailability term. This is because per DBNPS reference material for specifications for FLEX equipment out of service, either the N or N+1 component will be available at all times. Since only the N pump is credited, it was determined that unavailability did not need to be monitored for the LP EFW pump.

FLEX 480 V generator and RCS charging pumps did not have terms associated to unavailability. This is because per DBNPS reference material for specifications for FLEX equipment out of service, either the N or N+1 component will be available at all times. Therefore, it was initially determined that unavailability did not need to be monitored for the listed components. In the response to PRA RAI 03, an unavailability term will be added, since both the N and the N+1 RCS charging pumps and 480 V generators are credited in the PRA model.

The FLEX RCS charging pumps unavailability term will use the generic value from NUREG/CR-6928 for positive displacement pump test and maintenance.

Attachment L-16-371 Page 22 of 37

The FLEX generators will use the generic value from NUREG/CR-6928 for diesel generator testing and maintenance.

After transition, the failure rates for FLEX equipment will be updated following normal PRA processes as plant-specific or industry-generic FLEX equipment data becomes available.

An implementation item is not required as this is a normal PRA process and will be maintained during every PRA model update in accordance with FENOC PRA procedures.

PRA RAI 02(e) vi. Explain how fire impacts to FLEX equipment were addressed in the fire PRA. If FLEX equipment needs to be relocated and installed, include discussion of the treatment of fire impact on the storage and installation locations of the FLEX equipment.

Response

The majority of FLEX equipment is pre-staged with the exception of the N+1 480 V generator. A fire in the compartments where the FLEX equipment is located results in failure of the equipment as it is assumed damaged in the fire.

The emergency feedwater pump is located in the new emergency feedwater building and is considered failed for fires in that building. EFW control cable failures were also postulated for certain other fire areas, since the proposed final control cable will not be fire rated for its entire length.

The FLEX RCS charging pumps are located in two different fire compartments, A-05 and B-01. Given there is approximately eight hours to initiate FLEX RCS charging prior to reaching a non-recoverable state, a fire elsewhere in the plant (where the pumps are not located) would not prohibit successful initiation.

The N+1 or alternate FLEX generator requires relocation from Service Building 7 to just outside the EFW facility. This would only be required if YRDSUB-07 would fail either due to fire effects or random failure, with a failure of the N FLEX generator. With six hours available, the fire is extinguished and the operators are now able to support relocation. This is a simple task as the generator is already on a trailer and the travel path should be unimpeded. Therefore, there were no fire impacts on the storage or installation location of this piece of FLEX equipment. If there were a fire in the EFWF, the connections for the N and N+1 generator are lost, and therefore, the function the N+1 generator was attempting to mitigate is failed.

Attachment L-16-371 Page 23 of 37

PRA RAI 02(e) vii. During the onsite audit, the licensee indicated that the following four functions provided by FLEX actions and equipment were being credited in the fire PRA: emergency feedwater, RCS charging, backup power to the RCS charging pumps, and backup alternate low-pressure emergency feedwater. Provide the risk reduction (i.e., CDF and LERF) for each of these functions separately and the total risk reduction for all four functions together.

Response

Due to necessary changes in the model required by other RAI responses, this final information will be provided in the response to PRA RAI 03.

PRA RAI 02 f) F&O PRM-B13 Failure-to-Run Rate for Diesel-Driven Pumps After 1 Hour F&O PRM-B13-01 discusses the new emergency feedwater system and indicates that the estimated failure-to-run rate for diesel-driven pumps after 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (9.48E-5/hour) is inconsistent with more recent experience (2.16E-3/hour). Based on the disposition to F&O PRM-B13-01, it appears that the licensee continues to use the 9.48E-5/hour failure rate published in NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, February 2007, (ADAMS Accession No. ML070650650), and not the updated failure rate of 2.16E-03/hour provided on the NRC reactor operational experience results and databases website, Summary of SPAR [Simplified Plant Analysis Risk] Component Unreliability Data and Results.4 LAR Table W-3 indicates a very large risk reduction associated with the installation of the emergency feedwater system. This suggests that there could be a strong sensitivity in the fire PRA risk estimates to the cited failure rate.

Justify that the failure-to-run rate used for the new emergency feedwater system has an insignificant impact on the transition risk estimates and will have an insignificant impact on post-transition risk estimates supporting self-approval. Alternatively, confirm that the current NUREG/CR-6928 failure rate for the cited failure mode will be used in the integrated analysis provided in response to PRA RAI 03.

4 http://nrcoe.inel.gov/resultsdb/publicdocs/AvgPerf/ComponentUR2010.pdf.

Response

The current 2010 updated failure rate for the EFW system will be used in the integrated

Attachment L-16-371 Page 24 of 37

analysis in response to PRA RAI 03. After transition, the failure rates for the equipment will be updated following normal PRA processes as plant-specific or industry-generic data becomes available. The disposition for F&O PRM-B13-01 in LAR Attachment V, Table V-1 is hereby updated to state that the 2010 failure rate data is used.

PRA RAI 02 g) F&O PRM-B15 Basis for Excluding Containment Buckling Scenario The disposition to F&O PRM-B15-01 states that discussion of the LERF scenario identified in the F&O was added to the fire PRA documentation, but no change was made to the fire PRA model because subatmospheric containment pressure created by the scenario is not expected to challenge containment integrity.

Provide a basis for the statement that the cited scenario would not challenge containment integrity. Include a discussion of the normal leak rate and operator actions to vent containment and the extent to which they would offset negative pressure for the scenario. Alternatively, confirm that this scenario will be included in the integrated analysis provided in response to PRA RAI 03.

Response

The F&O resolution was reviewed and did not provide sufficient basis for excluding containment buckling. Spurious closure of containment vacuum breakers and spurious start of the containment spray pumps, or actuation of the safety features actuation system (SFAS), could result in a subatmospheric containment pressure and containment buckling. Therefore, this scenario will be included in the integrated analysis provided in response to PRA RAI 03. The disposition for F&O PRM-B15-01 in LAR Attachment V, Table V-1 is hereby replaced with the following: The spurious closure of containment vacuum breakers and spurious start of the containment spray pumps, or the applicable SFAS actuation, could result in subatmospheric containment pressure resulting in containment buckling. Therefore, this scenario will be added to the fire PRA model and documentation.

PRA RAI 02 h) F&O FSS-C8 Fire PRA Credit for Use of Kaowool The disposition for F&O FSS-C8-01 states that fire modeling calculations credits use of Kaowool. Explain how Kaowool is credited in the fire PRA and provide justification for this credit. Discuss the performance characteristics of Kaowool relative to how it is credited in the fire PRA and how it is monitored to ensure its continued performance.

Attachment L-16-371 Page 25 of 37

Response

The majority of cable trays at DBNPS are provided with solid bottom covers and sides, and Kaowool blankets covering the top. Kaowool is a noncombustible, flexible, ceramic-fiber blanket. When placed around cables in a cable tray, Kaowool has been shown to restrict the amount of oxygen capable of reaching the cables, which results in charring of the cables rather than ignition. Cable trays provided with solid bottom covers and Kaowool ceramic fiber blankets have been credited in the DBNPS fire PRA to prevent ignition of the cables within the trays and fire propagation. Kaowool is not credited to maintain cable functionality. Kaowool was not credited to prevent cable tray ignition if the tray did not have a solid bottom cover, if gaps in the blankets were identified, or if the Kaowool was within the zone of influence of a high hazard event (high energy arc fault, hydrogen, or transformer explosion).

Testing was performed and is documented in NUREG/CR-0381, A Preliminary Report on Fire Protection Research Program Fire Barriers and Fire Retardant Coatings Tests, for various configurations of cable trays with bottom covers and ceramic wool blankets.

The test results provide reasonable assurance that the credit taken for cable trays with solid bottom covers and Kaowool blankets at DBNPS is appropriate. These test results are summarized as follows:

Test numbers 24, 25, 37, and 38 did not result in ignition of IEEE-383 qualified cables in cable trays provided with solid bottom covers.

Test number 34 resulted in cable ignition at 20 minutes for nonqualified poly ethylene and polyvinyl chloride (PE/PVC) cables in cable trays provided with solid bottom covers. The fire burned for approximately four minutes before self-extinguishing and subsequent attempts at igniting the cables failed.

Test number 22 was a 1-inch ceramic wool blanket on top of nonqualified PE/PVC cables in an open-ladder tray. The cables ignited at five minutes, due to the open ladder tray; however, the fire failed to penetrate the ceramic wool cover during the entire duration of the test even when exposed to a large area of burning cables underneath.

Test number 28 was a 1-inch ceramic wool blanket on top of nonqualified PE/PVC cables in open ladder trays. The cables ignited in the bottom tray at 15 minutes, due to the open ladder tray; however, the ceramic wool blanket was successful in preventing propagation to cables in the top tray.

Test numbers 40, 41, and 42 also had either a solid top, or a solid bottom cover and did not propagate fire to the second tray.

Based on the results of the testing it is reasonable to conclude that cables within a cable tray provided with a solid bottom cover and Kaowool blanket on top of the cables would prevent fire propagation. Therefore, this configuration is not considered to contribute to

Attachment L-16-371 Page 26 of 37

the overall heat release rate of a fire.

Kaowool blankets will be included in the monitoring program, discussed in the LAR Attachment S, Table S-2, implementation item DB-1744, to ensure its continued performance. The configuration control process will be utilized to maintain the Kaowool blanket credited in the fire PRA.

PRA RAI 02 i) F&O FSS-G2 Multi-Compartment Scenario Screening The disposition to F&O FSS-G2-01 states that the multi-compartment scenarios were screened based on estimated scenario frequency using guidance from NUREG/CR-6850, Section 11.5.4.4, without regard to the cumulative risk of screened scenarios.

i) Explain how DBNPS ensures that the cumulative risk contribution from the screened multi-compartment scenarios is insignificant for the transition to NFPA 805. Demonstrate that the cumulative risk contribution of screened multi-compartment scenarios has an insignificant impact on the fire risk estimates determined by the integrated analysis provided in response to PRA RAI 03.

Response

The cumulative risk contribution from the screened multi-compartment scenarios wasnt performed. Per NUREG/CR-6850 Section 11.5.4.4, fire scenarios can be screened based on the likelihood of occurrence. Section 11.5.4.5 states: Those scenarios that survive the preceding screening steps may be screened based on their CDF.

Scenarios were screened in accordance with Section 11.5.4.4, and the guidance did not require a conditional core damage probability (CCDP) and core damage frequency (CDF). Thus, none of these scenarios were quantified. The LAR Attachment V disposition to F&O FSS-G2-01 is hereby updated to replace everything after the second sentence in the disposition section with: The multi-compartment analysis scenarios screened based on FOC [frequency of occurrence] will be quantified, and the contribution from the screened scenarios will be less than 1E-07 per year for CDF and 1E-08 per year for LERF.

In response to PRA RAI 03, MCA scenarios will be evaluated in the post-transition model to calculate a CDF and large early release frequency (LERF) for each MCA scenario. A scenario screening value will be chosen such that the cumulative risk for screened scenarios will be less than 1E-07 per year for CDF and 1E-08 per year for LERF.

Attachment L-16-371 Page 27 of 37

PRA RAI 02(i) ii) Confirm that the cumulative risk contribution of screened multi-compartment scenarios is evaluated as part of updating the fire PRA.

Otherwise, add an implementation item to LAR, Table S-2, to determine the cumulative risk contribution of screened multi-compartment scenarios and to include the cumulative screened contribution in fire risk estimates in future self-approved changes, if significant, or justify why this is not needed. The response should consider that the proposed threshold for self-approved changes to the fire protection program is a risk increase less than 1E-07/year for CDF and less than 1E-08/year for LERF.

Response

A new implementation item DB-2067 will be added to Table S-2 of the LAR. In order to confirm that the cumulative risk contribution of screened multi-compartment scenarios is evaluated as part of updating the fire PRA, a step in the fire PRA quantification notebook will be added to ensure the screening criteria for the CDF and LERF thresholds (stated in the response to PRA RAI 02(i)(i)) are not surpassed. A revision to the LAR Attachment S will be provided in a future transmittal.

PRA RAI 02 j) F&O IGN-A8 Modeling Self-Ignited Cable Fires in Containment The disposition for F&O IGN-A8-01 explains that self-ignited cable fires in containment do not meet the definition for fires to be included for fire ignition frequency Bin 12 (plant-wide self-ignited cable fires) and, therefore, the cable weight of containment cables was not included as part of the Bin 12 cable weight. From this explanation, it appears that self-ignition of containment cables was not addressed in the fire PRA. NUREG/CR-6850, Appendix R.1, states that, self-ignited cable fires should be postulated in rooms with unqualified cables only or a mix of qualified and unqualified cables. Justify that self-ignited cable fires in containment have an insignificant impact on the application. Alternatively, confirm that modeling of self-ignited containment cable fires will be included in the integrated analysis provided in response to PRA RAI 03.

Response

Self-ignited cable fires were not postulated in containment. The guidance provided in NUREG/CR-6850, Table 6-2, definitions of generic plant location descriptions and weighting factor for plant-wide components is described as All plant locations inside the fence other than the containment, fuel handling building, office buildings, maintenance yard, maintenance shop, etc. During the LAR development, it was interpreted that cable weight inside containment could be excluded. During the audit, it

Attachment L-16-371 Page 28 of 37

was clarified that the cable weight inside of containment will need to be included. Bin 12 Plant Wide Components, Self-Ignited Cable Fires should be applied to containment since it does contain unqualified power cables. The Bin 12 ignition frequency for cable fires in containment is calculated as follows:

Current plant-wide cable weight (excluding containment): 258,570 pounds (lbs)

Cable weight inside containment: 17,585 lbs Plant-wide cable weight (including containment): 276,155 lbs Bin 12 frequency from NUREG-2169, Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database: 2.77E-04 The Bin 12 ignition frequency for cable fires in containment is therefore:

This frequency will be applied to the highest CCDP raceway within containment as described in FAQ 13-0006 (ML13212A378), and included in the integrated analysis provided in response to PRA RAI 03.

PRA RAI 02

k. F&O CF-A1 Use of Updated Guidance on Circuit Failure Mode Likelihood F&O CF-A1-01 and its disposition indicate that updated guidance on circuit failure mode likelihood analysis provided in NUREG/CR-7150, Joint Assessment of Cable Damage and quantification of Effects from Fire (JACQUE-FIRE), Volume 2: Expert Elicitation Exercise for Nuclear Power Plant Fire-Induced Electrical Circuit Failure, May 2014 (ADAMS Accession No. ML14141A129), have not yet been applied to the fire PRA. New guidance on using conditional probabilities of spurious operation for control circuits is contained in a letter dated April 23, 2014, from Joseph Giitter, NRC, to Michael Tschiltz, NEI, Supplemental Interim Technical Guidance on Fire-Induced Circuit Failure Mode Likelihood Analysis (ADAMS Package Accession No. ML14111A366), and in Section 7 of NUREG/CR-7150. This guidance includes:

i. Replacement of the conditional hot short probability tables in NUREG/CR-6850 for Option #1 (including removal of credit for control power transformers and conduit) with new circuit failure probabilities for single-break and double-break control circuits (Option #2 in Frequency Bin t

Containmen including Weight Cable Wide Plant Weight Cable t

Containmen 12

)

(

year per E

year per E

lbs lbs 05 76

.1 04 77

.2 155 276 585 17

Attachment L-16-371 Page 29 of 37

NUREG/CR-6850 is no longer an adequate method and should not be used).

ii. Replacement of the probability of spurious operation duration shown by Figure 1 in FAQ 08-0051, Hot Short Duration, dated April 1, 2010 (ADAMS Accession No. ML100900052),5, for alternating-current control circuits and additional guidance to address duration for direct-current control circuits.

iii. A method for incorporation of the uncertainty values for the circuit failure probabilities and spurious operation duration in the state-of-knowledge correlation for developing the mean CDF and LERF.

iv. Recommendations on the hot short probabilities to use for other cable configurations, including panel wiring, trunk cables, and instrument cables.

Provide an assessment of the assumptions used in the fire PRA relative to the updated guidance in NUREG/CR-7150, Volume 2, specifically addressing each of the items (i through iv) above. If the fire PRA assumptions do not bound the new guidance, justify each difference or confirm that the guidance in NUREG/CR-7150, Volume 2, will be used in the integrated analysis provided in response to PRA RAI 03.

5 Also see NUREG/CR-6850, Supplement 1, "Fire Probabilistic Risk Assessment Methods Enhancements," September 2010 (ADAMS Accession No. ML103090242).

Response

An assessment of the assumptions used in the fire PRA relative to the updated guidance in NUREG/CR-7150, Volume 2, is provided below for the four specific items:

i. The conditional hot short probabilities from NUREG/CR-6850, Option 1 were utilized, but will be replaced with the guidance in NUREG/CR-7150, Volume 2 in the integrated analysis provided in response to PRA RAI 03. NUREG/CR-6850, Option 2 was not utilized.

ii. Hot short duration probability has not been credited in the fire PRA. However, if hot short duration probability will be credited in response to PRA RAI 03, then the guidance in NUREG/CR-7150, Volume 2 will be utilized, and its use will be explicitly identified.

iii. Uncertainty values for the NUREG/CR-6850 circuit failure probabilities were previously unknown. However, uncertainly values for circuit failure probabilities and spurious operation duration utilized in response to PRA RAI 03 will utilize the guidance in NUREG/CR-7150, Volume 2.

Attachment L-16-371 Page 30 of 37

iv. The fire PRA assumptions used in the integrated analysis provided in response to PRA RAI 03 will be consistent with the guidance in NUREG/CR-7150, Volume 2 with regard to hot short induced spurious operation probabilities for panel wiring, trunk cables, and instrument cables.

PRA RAI 11 - Main Control Room (MCR) Abandonment on Loss of Habitability Section W.3.7 of the LAR and other sections indicate that fire modeling was performed to determine when the MCR needs to be abandoned due to loss of habitability and that the conditional core damage probabilities (CCDPs) of associated scenarios were evaluated using a simplified fault tree model. LAR, Table W-2, presents a single MCR abandonment scenario due to loss of habitability in the list of dominate fire scenarios but states that this single scenario represents the summation of all scenarios leading to abandonment. The LAR did not describe the event tree logic that would define multiple scenarios for MCR abandonment due to loss of habitability. It is not clear whether the treatment of MCR abandonment due to loss of habitability addresses the complexity associated with the range of fire impacts that can occur from fires in the MCR. The NRC staff notes that use of overly conservative assumptions in the compliant plant model can lead to underestimation of the transition change-in-risk.

a) Describe how MCR abandonment was modeled for loss of habitability for the post-transition and compliant plant. Include an explanation of how the CCDPs and conditional large early release probabilities (CLERPs) were estimated. Include identification of the actions required to execute successful alternate shutdown and how they are modeled in the fire PRA, including actions that must be performed before leaving the MCR.

Response

MCR abandonment was modeled for loss of habitability using a simplified fault tree for the post transition plant. This simplified tree assumes core damage results if: a) auxiliary and emergency feedwater is lost; b) there is a loss of RCS integrity; or c) the operators fail to abandon the control room and successfully implement alternate shutdown. This logic is combined with the scenario initiating events and a factor corresponding to the probability that the fires are not suppressed prior to reaching habitability thresholds in the MCR.

The habitability thresholds (smoke layer at 200°F or optical density of the smoke is greater than 3.0 meter-1) were determined separately for electrical cabinets and transients using the CFAST computer program. The cabinet analysis used a bounding configuration for the MCR (qualified cable with more than one bundle) and the heat release rate (HRR) distribution provided in Table E-3 from NUREG/CR-6850. The transient analysis applied the HRR distribution from Table E-9 from NUREG/CR-6850 and also included a separate case for 1000 kilowatt (kw) to address the bookshelf located in the administrative portion of the MCR. Based on this analysis, the evacuation probability for habitability due to electrical cabinet fires is 4.34E-03 and the probability

Attachment L-16-371 Page 31 of 37

for transient fires is 1.46E-02.

The CCDPs are estimated by applying the fire-induced failures for the various scenarios and quantifying the simplified fault tree. CLERPs are estimated as a fraction of CCDP based on a comparison of all scenarios from the LAR submitted fire model and using the highest CCDP or CLERP value. This is also discussed in the response to PRA RAI 11(c).

The actions required for successful alternate shutdown are modeled as a single Human Failure Event (HFE) in the simplified fault tree. This HFE includes the decision to abandon the MCR, as well as operator actions required to execute successful alternate shutdown, including actions to be taken prior to abandoning the MCR, and actions taken after abandoning. The initial actions prior to abandoning the MCR addressed in the HFE are:

A reactor operator will be directed to close the PORV block valve A reactor operator will be directed to trip all four reactor coolant pumps (RCPs)

Operators would trip the reactor and main turbine prior to performing the actions above, but the trip actions are not specifically addressed by the HFE. This is because the actions listed above represent the minimum actions necessary to successfully abandon the MCR. Tripping the RCPs causes a steam feed rupture control system (SFRCS) actuation. This will cause a trip of the main turbine, a trip of the anticipatory reactor trip system, lineup the auxiliary feed pump (AFP) one with SG one and AFP two with SG two, lineup steam lines from either SG to both auxiliary feedwater pump turbines, and initiate AFW flow. In addition to the SFRCS actuation, tripping the RCPs avoids a potential RCP seal LOCA due to the design of the Flowserve N-9000 seals.

Once these steps are completed, the at-the-control Reactor Operator (RO), balance of plant RO, shift manager, and unit supervisor abandon the MCR and regather at the fire brigade equipment room and obtain a captains lantern, radio and fresh batteries, a copy of the serious control room fire procedure, and fuse pullers. The operators are then each directed to perform the appropriate attachment of the procedure. The shift manager is assigned Attachment 1, the unit supervisor is assigned Attachment 2, the at-the-control RO is assigned Attachment 3, and the balance of plant RO is assigned.

The primary focus of Attachment 1 (shift manager) is to control the auxiliary feed pump turbine speed to maintain SG level.

The primary focus of Attachment 2 (unit supervisor) is to isolate air from the AVVs by closing the isolation valve. By doing so, the secondary side RO can then manually operate the valve through communication with the shift manager.

Attachment L-16-371 Page 32 of 37

The primary focus of Attachment 3 (at-the-control RO) is to open breakers from within the low voltage switchgear rooms or electrical penetration rooms to prevent spurious valve operation.

The focus of Attachment 4 (balance of plant RO) is to communicate with the shift manager and manually control the AVVs with handwheels to cool the plant down.

The above actions are expected to be continued once the procedures have been updated during implementation.

The cumulative human error probability of the actions from the attachments as well as the actions prior to MCR abandonment total 5.40E-02.

The post-transition and compliant evaluations use the same model. The post-transition case quantifies the scenarios applying all related fire-induced failures. For the compliant case, the variance from deterministic requirements (VFDRs) were evaluated separately through the removal of failures from the fire scenarios. In regards to the contribution from MCR abandonment, the compliant plant contribution to core damage and large early release due to abandoning was set to 0.00E+00 representing successful cool down of the plant from outside the MCR and no additional equipment failures occur.

From a high level, the MCR included the typical set of VFDRs based on Nuclear Safety Performance Criteria (NSPC) with the addition of a VFDR for MCR abandonment.

PRA RAI 11 b) Explain how various possible fire-induced failures are addressed in the CCDP and CLERP estimates for fires that lead to abandonment due to loss of habitability. Specifically, include in this explanation a discussion of how the following scenarios are addressed:

i. Scenarios where fire fails only a few functions aside from forcing MCR abandonment and successful alternate shutdown is straightforward; ii. Scenarios where fire could cause some recoverable functional failures or spurious operations that complicate the shutdown but successful alternate shutdown is likely; and, iii. Scenarios where the fire-induced failures cause great difficulty for shutdown by failing multiple functions and/or complex spurious operations that make successful shutdown unlikely.

Response

The three scenarios in this question are all handled in the same manner as described in the response to PRA RAI 11(a). The increasing complexity of the scenarios is accounted for by the fault tree and the impacts of the fire-induced failures that could complicate the operators ability to mitigate the fire-induced failures.

Attachment L-16-371 Page 33 of 37

PRA RAI 11 c) Provide the range of CCDP and CLERP values determined for the post-transition and compliant plant models.

Response

The CCDP range of values ranged from 4.2E-02 to 1.0 for the post-transition model.

This model represented the conceptual design of the EFW system. Since the conceptual design has been modified and is now installed, the CCDP and CLERP values will be updated in the response to PRA RAI 03. Furthermore, as discussed in the response to PRA 11(a), the actions completed prior to abandoning the MCR were initially assumed successful without any potential failure. The failures of actions required to be completed prior to abandoning the MCR will now be included in the operator action HFE, and raise the contribution from operator action failure from 4.2E-02 to 5.4E-02.

Due to the nature of LERF, in order to account for the phenomenological effects, a ratio of CLERP/CCDP was chosen to be multiplied to the CCDP value. The value came from comparing all scenarios from the LAR-submitted fire model and finding the highest CLERP/CCDP value.

The MCR analysis (which was used to determine the contribution to CDF and LERF) used a ratio of 1.96E-02. Thus, the range of CLERP values for MCR abandonment scenarios due to loss of habitabilty were 8.23E-04 to 1.96E-02 for the LAR-submitted model. The MCR analysis CLERP/CCDP ratio was incorrectly typed into the table and should have been 1.96E-01. Had the proper value been used, the CLERP values would range from 8.23E-03 to 1.96E-01.

As stated earlier, since the EFW system is now installed, the CLERP/CCDP value will be updated and the range of CCDP and CLERP values will be reported in the response to PRA RAI 03.

In regards to the CCDP or CLERP ranges from the MCR abandonment for the compliant plant, the contribution to core damage and large early release due to abandoning was set to 0.00E+00 representing successful cool down of the plant from outside the MCR and no additional equipment failures occur. Therefore, the range for both CCDP and CLERP is 0.00E+00 for the compliant plant.

PRA RAI 11 d) Provide the frequency of MCR abandonment scenarios due to loss of habitability for the post-transition and compliant plant cases.

Attachment L-16-371 Page 34 of 37

Response

The frequency of MCR abandonment for each ignition source is the product of the ignition source frequency, the severity factor, and the probability of abandonment. The ignition sources in the MCR can be grouped into three types; electrical cabinets, the main control board (MCB), and transients. Determination of the probability of abandonment was discussed in the response to PRA RAI 11(a), and is the same for electrical cabinets and MCB. The table below provides the frequency of MCR abandonment due to loss of habitability for the post-transition and compliant plant cases:

Fire Source Sum of Ignition Frequencies Times Severity Factor Probability of Abandonment Frequency of MCR Abandonment (Habitability)

Electrical cabinets 4.09E-03 4.34E-03 1.78E-05 MCB*

7.65E-04 4.34E-03 3.32E-06 Transients 1.51E-04 1.46E-02 2.19E-06

• Note: MCB C5715 (described in the response to PRA RAI 12(e)) is not included in the table values since operators would abandon due to loss of function, which is assumed to occur prior to reaching habitability thresholds. For the compliant case, the frequency of MCR Abandonment due to loss of habitability remains the same; however the CCDP is set to 0.00E+00 thus the total contribution of MCR Abandonment for the compliant case is 0.00E+00 per year.

PRA RAI 12 - Loss of Control from the MCR The NRC staff reviewed the MCR analysis (C-FP-013.10-35) as part of its audit of licensee documents. The analysis indicated that the fire PRA treats scenarios where there is a loss of control from the MCR the same as any other fire scenario in which the control room remains habitable, with the exception of one scenario involving the whole panel burn of electrical distribution panel C5715. The LAR does not describe how the fire PRA modeled these loss of control scenarios.

Fires that lead to loss of control in the MCR are inherently different from other fires in the MCR for which control is maintained.

The LAR does not indicate if the loss of control scenarios are conservatively modeled by assuming that such fires lead to core damage. The LAR also does not indicate if actions taken from the alternative shutdown panel were credited as RAs when command and control is retained in the MCR. The NRC staff notes that the information in the MCR analysis would not be sufficient to address these questions.

a) Indicate those locations in the plant for which fire could lead to loss of control in the MCR.

Attachment L-16-371 Page 35 of 37

Response

Although fires in multiple locations can disable the ability to control various equipment from the control room, command and control will always be maintained in the MCR except for certain fires in the MCR itself. Equipment operators can be dispatched from there, if required, to perform local operator actions.

The abandonment philosophy will be finalized prior to the response to PRA RAI 03.

Should there be a change from the current modeling, the fire PRA model will be updated and the change provided in the PRA RAI 03 response.

The responses to the remaining parts of PRA RAI 12 are stated as currently modeled.

PRA RAI 12 b) Explain how fire scenarios in the MCR or other locations that could lead to loss of control, such as the cable spreading room, were modeled. Explain whether RAs from the alternate shutdown panel are credited.

Response

Fire scenarios are modeled consistently in all plant locations, including the cable spreading room. The damage set is determined based on fire modeling methods and the equipment failures are propagated and quantified by the fire PRA. Command and control is maintained in the MCR and equipment operators can be dispatched from there, if required, to perform local operator actions unless habitability conditions force abandonment.

MCR abandonment is only credited in one scenario due to loss of control. The scenario is a whole panel failure of MCB cabinet C5715. MCB C5715 contains electrical controls of the emergency diesel generators (EDGs), 13.8 kilo volt alternating current (VAC) distribution hand switches, 4160 VAC distribution hand switches, 480 VAC distribution hand switches, and DC indication. Upon failure of this cabinet, operators will be directed to abandon the MCR and initiate the mitigating actions that are to be developed. The evacuation probability for a fire impacting the entire cabinet is assigned a 1.0, thus the frequency of MCR abandonment is equal to the ignition frequency of the cabinet multiplied by a severity factor (SF) based on the distance between targets utilizing Figure L-1 from NUREG/CR-6850. This is the only case where recovery actions (RAs) are credited from the alternate shutdown panel for loss of control.

The abandonment philosophy will be finalized prior to the response to PRA RAI 03.

Should there be a change from the current modeling, the fire PRA model will be updated and the change provided in the PRA RAI 03 response.

Attachment L-16-371 Page 36 of 37

PRA RAI 12 c) Provide an explanation of how various possible fire-induced failures are addressed in the CCDP and CLERP estimates for fires that lead to abandonment due to loss of control from the MCR. Specifically, include in this explanation a discussion of how the following scenarios are addressed. As a part of this response, indicate if the plant response is fully integrated into the PRA.

i.

Scenarios where fire fails only a few functions aside from forcing MCR abandonment and successful alternate shutdown is straightforward; ii.

Scenarios where fire could cause some recoverable functional failures or spurious operations that complicate the shutdown but successful alternate shutdown is likely; and, iii.

Scenarios where the fire-induced failures cause great difficulty for shutdown by failing multiple functions and/or complex spurious operations that make successful shutdown unlikely.

Response

As discussed in the response to PRA RAI 12(b), alternate shutdown due to loss of control is only applied in one scenario. However, the quantification of CCDP and CLERP is handled in the same manner as described in the response to PRA RAI 12(d),

and in the response to PRA RAI 11. The increasing complexity would be accounted for by the fault tree and the impacts of the fire-induced failures that could complicate the operators ability to mitigate the fire-induced failures.

PRA RAI 12 d) For MCR abandonment scenarios due to a loss of control, identify the range of CCDP and CLERP values determined for the post-transition models. Identify those scenarios that have a CCDP of 1, or explain why there are no such scenarios.

Response

The model originally represented the conceptual design of the EFW system. Since the conceptual design has been modified and is now installed, the EFW tree is being updated and will provide updated CCDP and CLERP values in the response to PRA RAI 03. In addition, the actions completed prior to abandoning the MCR (tripping the RCPs and closing the PORV block valve as identified in the response to PRA RAI 11(a)) were assumed successful without any potential failure. They are now included into the operator action HFEs and raised the contribution from operator action failure from 4.2E-02 to 5.4E-02.

Attachment L-16-371 Page 37 of 37

The CCDP range of values for the LAR submitted model ranged from 4.2E-02 to 6.03E-02. Since abandonment was caused by failures of electrical distribution in C5715 or other panels adjacent to C5715, controls for AFW and EFW remain unaffected. In addition, the PORV can be closed from the MCR, and RCPs can be tripped locally in the event the MCR controls are damaged from fire effects. With feedwater available, and reasonable opportunity for operator actions to mitigate RCS integrity challenges, no scenarios with a CCDP of 1.0 were calculated due to MCR abandonment caused by loss of control.

Due to the nature of LERF, in order to account for the phenomenological effects, a ratio of CLERP/CCDP was chosen to be multiplied to the CCDP value. The value came from comparing all scenarios from the LAR-submitted fire model and finding the highest CLERP/CCDP value.

As stated in the response to PRA RAI 11(c), the MCR analysis (which was used to determine the contribution to CDF and LERF) incorrectly used a ratio of 1.96E-02. The range of CLERP values for MCR abandonment scenarios due to loss of control were 8.23E-04 to 1.18E-03 for the LAR-submitted model.

As the EFW system is now installed, the CLERP/CCDP value will be updated and the range of CCDP and CLERP values will be reported in the response to PRA RAI 03.

PRA RAI 12 e) Indicate how the decision to abandon the MCR due to a loss of control is incorporated into the PRA model.

Response

As noted in the responses to PRA RAIs 11(d) and 12(b), the fire PRA only models MCR abandonment due to loss of control for MCB cabinet C5715. The decision to abandon the MCR from a fire within cabinet C5715 will be made when a loss of two identical voltage essential buses are lost and indication on other panels confirms the power failure (for example, the reactor coolant pumps trip). The abandonment portion of the fault tree is evaluated as described in the response to PRA RAI 11(b).