Text

Supplement to Amendment Request License Amendment Request (LAR) 2001-027, Emergency Diesel Generator Extended Allowed Outage Time, TS 3.8.1
	ML021190672
Person / Time
Site:	River Bend
Issue date:	04/22/2002
From:	King R; Entergy Operations
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	RBG 45934
	Download: ML021190672 (134)
	v • d • e

Entergy Operations, Inc.

River Bend Station 5485 U.S. Highway 61 R 0. Box 220 aEntefgy St. Francisville LA 70775 Tel 225 336 6225 Fax 225 635 5068 Rick J. King Director Nuclear Safety Assurance RBG 45934 April 22, 2002 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555

SUBJECT:

River Bend Station, Unit 1 Docket No. 50-458 Supplement to Amendment Request License Amendment Request (LAR) 2001-027, Emergency Diesel Generator Extended Allowed Outage Time, TS 3.8.1.

REFERENCES:

(1) Letter RBG-45832 to USNRC from R. K. Edington dated September 24, 2001 (2) Letter from D. J. Wrona, USNRC to P. D. Hinnenkamp dated March 12, 2002.

Dear Sir or Madam:

By letter (Reference 1), Entergy Operations, Inc. (Entergy) proposed a change to the River Bend Station, Unit 1 (RBS) Technical Specifications (TSs) to extend the allowed out-of-service time for a Division I or Division II emergency diesel generator from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to 14 days.

On February 14 and 27, 2002, Entergy and members of your staff held calls to discuss the proposed changes. As a result of the call, seven questions were determined to need formal response. These questions were formally transmitted to Entergy by Reference 2.

Entergy's response is contained in Attachments 1, 2, and 3.

In addition, Entergy notified the NRC Project Manager that information pertaining to the uncertainty analysis provided in Attachment 5 of Reference 1 needed to be revised due to an error discovered in the uncertainty analysis for the At-Power PSA model. Entergy discovered that the software code was incorrectly evaluating certain parametric uncertainties and that the basic event database used in the uncertainty analysis was missing some uncertainty parameters. The vendor has now revised the code and an Entergy internal qualification package was created for the revised software. Additionally, the basic event database has been completely populated with the uncertainty parameters. The uncertainty has been recalculated and a replacement page is included in Attachment 4. This minor change does not impact the conclusions of the submittal.

Changes to the page are denoted by revision bars.

RBG-45934 Page 2 of 2 Entergy has also enclosed copies of two procedures as requested by the NRC staff.

There are no other technical changes proposed. The original no significant hazards considerations include in reference 1 is not affected by any information contained in the supplemental letter. There are no new commitments contained in this letter.

If you have any questions or require additional information, please contact Ron Byrd at 601-368-5792.

I declare under penalty of perjury that the foregoing is true and correct. Executed on April 22, 2002.

Sincerely, RJK/RWB Attachments:

1. Response to Request For Additional Information

2. River Bend Plant Cumulative Risk Review

3. River Bend PSA Certification Summary

4. Revised Page for Attachment 5 to Letter RBG 45832, dated September 24, 2001

Enclosures:

1. ADM-0096, Risk Management Program Implementation and On-line Maintenance Risk Assessment

2. OSP-0037, Shutdown Operations Protection Plan cc: U. S. Nuclear Regulatory Commission Region IV 611 Ryan Plaza Drive, Suite 400 Arlington, TX 76011 NRC Senior Resident Inspector P. O. Box 1050 St. Francisville, LA 70775 U.S. Nuclear Regulatory Commission Attn: Mr. David J. Wrona MS 0 7D1 Washington, DC 20555-0001 Mr. Prosanta Chowdhury Program Manager - Surveillance Division Louisiana Department of Environmental Quality Office of Radiological Emergency Plan and Response P. 0. Box 82215 Baton Rouge, LA 70884-2215

Bcc:

File: G9.5, G9.42 File: LAR 2001-27 File: RBF1-02-0065

Attachment 1 To RBG-45934 Response to Request for Additional Information Related to License Amendment Request (LAR) 2001-027, EDG Extended AOT

Attachment I to RBG-45934 Page 1 of 20 Response to Request for Additional Information Related to License Amendment Request (LAR) 2001-027, EDG Extended AOT Question 1:

Discuss and provide information on the reliability and availability of offsite power sources relating to the proposed change. The discussion should include duration, cause, date and time of each loss-of-offsite power (partial or complete) event.

Response

As noted in Entergy's application (reference 1), information regarding grid stability was provided to the NRC staff in letter RBG-45293 from R. J. King of Entergy to the USNRC dated April 3, 2000, in support of the RBS power uprate amendment. The stability analysis showed continued stable performance at the new RBS power output level.

Also, as noted in the application, a loss of offsite power frequency of 0.035/year was used in the River Bend PSA. This frequency was obtained from industry data in NSAC/1 66, "Losses of Off Site Power at U.S. Nuclear Power Plants". The data covers the period from 1980 through 1990.

Further examination of data from EPRI CA: 2000.000000000001000158, "Losses of Off-site Power at U.S. Nuclear Power Plants - Through 1999", indicates that the assumed loss of offsite power frequency of 0.035/year from the 1980 through 1990 data remains conservative.

Within this industry data is one total loss of offsite power event that occurred at River Bend Station on January 1, 1986 at 10:44 a.m. The event lasted for 46 minutes and is documented in LER 86-002. The plant was in Mode 3 (Hot Shutdown) at the time of occurrence. The complete loss of offsite power was preceded by a partial loss of offsite power that occurred at 9:41 a.m.

when two of the four preferred station transformers tripped. Later at 10:44 a.m., the remaining two preferred station transformers tripped resulting in a complete loss of offsite power. It was determined that hand held radio frequency interference most likely caused spurious signals in the tone relaying transfer trip receivers of the preferred station transformers. Actions to preclude recurrence included the installation of shielding on the tone relaying equipment in the switchyard and rewiring the tone equipment such that both channels are required for a trip.

There have been four events in which River Bend Station has experienced a partial loss of offsite power including the partial loss discussed above. These are:

LER 86-002 - This partial loss of offsite power preceded the complete loss of offsite power event that is discussed above. This event occurred while the unit was already shutdown on January 1, 1986 at 9:41 a.m. when two preferred station transformers tripped. The event lasted 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and 3 minutes until the remaining two preferred transformers subsequently tripped causing a complete loss of offsite power. As discussed above, the partial loss of offsite power was caused by spurious signals in the tone relaying trip receivers of the preferred station transformers.

LER 88-006 - A partial loss of offsite power event occurred on February 11, 1988 at 12:40 a.m. and lasted for 14 hours1.62037e-4 days 0.00389 hours 2.314815e-5 weeks 5.327e-6 months and 20 minutes. The event was caused by a phase to ground fault on a non-safety related neutral grounding transformer. The cause of the fault was indeterminate. However, based on an analysis by plant maintenance, the to RBG-45934 Page 2 of 20 failure was probably caused by either an overvoltage or overcurrent condition that resulted in a breakdown of the winding insulation. This event did not result in a reactor scram.

LER 97-001 - A partial loss of offsite power event occurred on May 6, 1997 at 9:01 a.m.

and lasted for 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and 5 minutes. The event was caused by shorted wires in a cable that had been severed by insulators while removing low-density silicon elastomer from a floor penetration in the turbine building. This event occurred during power operation and resulted in a manual scram.

LER 2001-004 - A partial loss of offsite power event occurred on October 17, 2001 at 2:48 a.m. The event lasted 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months and 45 minutes. The cause was a failed optical isolator in the preferred station service primary protection circuitry. The failure was internal to the isolator card, and resulted in a false signal to the 4160-volt feeder breaker's trip coil. This event did not result in a reactor scram.

In the River Bend Station PSA model, a partial loss of offsite power frequency is 0.104/yr. This failure rate was determined by including plant specific data with generic data. The generic frequency for a partial loss of offsite power was estimated at 0.1/yr. This value is conservative based on the categorization of partial loss of offsite power events noted in EPRI TR-106306, "Loss of Off-Site Power at U.S. Nuclear Power Plants - Through 1995". This data included the one partial loss of offsite power event that resulted in a scram (LER 97-001). Bayesian Updating formulas from NUREG/CR-2300 were used to combine the generic frequency determined from EPRI TR-106306 partial loss of offsite power events and the one partial loss of offsite power event at River Bend Station that caused a scram.

The assumed frequencies for complete loss of offsite power and partial loss of offsite power, 0.035/year and 0.104/year, respectively, are reasonable. Both frequencies are based on industry data and plant specific data.

Question 2:

It is the NRC staff's understanding that the purpose of the requested amendment is to allow an increased outage time during plant power operation for performing EDG inspection, maintenance, and overhaul, which would include disassembly of the EDG. EDG operability verification after a major maintenance or overhaul may require a full load rejection test. If a full load rejection test is performed at power, please address the following:

(a) What would be the typical and worse-case voltage transients on the 4160-V safety buses as a result of a full-load rejection?

(b) If a full-load rejection test is used to test the EDG governor after maintenance, what assurance would there be that an unsafe transient condition on the safety bus (i.e., load swing or voltage transient) due to improperly performed maintenance or repair of a governor would not occur?

(c) Using maintenance and testing experience on the EDG, identify possible transient conditions caused by improperly performed maintenance on the EDG to RBG-45934 Page 3 of 20 governor and voltage regulator. Discuss the electrical system response to these transients.

(d) Provide the tests to be performed after the overhaul to declare the EDG operable and provide justification of performing those tests at power.

Response

The purpose of the requested amendment is to allow an increased outage time during plant power operation for performing EDG inspection, maintenance, and overhaul, which may include disassembly of the EDG. However, the EDG operability verification after a major maintenance or overhaul does not include a full load rejection test, such as Surveillance Requirements (SRs) 3.8.1.8 or 3.8.1.9, unless the speed control or voltage control components are replaced or require corrective maintenance for a problem identified during EDG operation. Both of these situations are infrequent and would be handled as separate tasks outside the scope of routine planned maintenance.

The current TS do not allow a full load reject test to be performed in MODE 1 or 2 except for unplanned events. The TS Bases for SRs 3.8.1.8 and 3.8.1.9 include two examples of unplanned events:

1) unexpected operational events which cause the equipment to perform the function specified by this Surveillance, for which adequate documentation of required performance is available; and

2) post corrective maintenance testing that requires performance of this Surveillance in order to restore the component to OPERABLE, provided the maintenance was required, or performed in conjunction with maintenance required to maintain OPERABILITY or reliability.

This proposed TS change does not alter the current restrictions or allowances for load reject tests provided by the TS. Therefore, since no elective maintenance that requires a full load reject test may be performed in Mode 1 or 2, the TS change would not introduce any new load reject tests while on-line or any voltage transients caused by any load reject tests as a result of on-line planned maintenance. Entergy plans to submit a separate request to remove this restriction in the near future and will address voltage transient concerns at that time. Until the TS restriction is removed, Entergy will not plan elective maintenance that requires a full-load reject test on-line.

Following an on-line overhaul of the EDG, the normal monthly TS SRs (i.e., 3.8.1.2 and 3.8.1.3) would be performed to demonstrate EDG operability. However, prior to performing these final surveillance tests, a series of post-maintenance engine runs at unloaded and varying load conditions is conducted to verify that the EDG is functionally sound.

Precautions are taken following an extended EDG maintenance period to ensure that any improperly performed maintenance on the diesel governor does not introduce possible transient conditions that would adversely challenge the EDG or the safety bus. The primary method of protecting the bus against a possible governor malfunction is to ensure that the governor provides customary stable control before connecting the EDG to the bus. The latter stages of to RBG-45934 Page 4 of 20 the planned maintenance activities include returning the EDG to governor control in a deliberate and controlled manner.

As further assurance against any possible malfunction, the overspeed trip is also assured to be functional before the first fast start. All of this is done before connecting the EDG to the bus for the first time. Therefore, any deleterious effects of a governor malfunction would be confined to the EDG alone. On a start, an engine overspeed is the only plausible significant consequence of a governor malfunction. A functional overspeed trip assures the protection of the EDG should this occur.

Once governor control is proven, the EDG is connected to the bus, paralleling with the grid, in the same manner as for a monthly surveillance test.

Routine governor maintenance and minor adjustments do not require load rejects to prove their success. The governor's ability to control a fast start, which is only done while disconnected from the bus, is sufficient to demonstrate that the response dynamic remains nominal or the same as demonstrated during the past surveillances.

A planned replacement of a governor such as the 10-year preventive maintenance task would be scheduled in a refueling outage because of the load reject mode restrictions currently in TS.

The setup of a new governor unit is more complex, and would likely require load reject testing to prove its success. A voltage regulator replacement would be approached in the same manner, although there is not currently a periodic replacement interval for this component and it requires no periodic adjustments. Replacement of either component for cause - due to a malfunction, could be performed online if necessary, within the current Bases for the load reject mode restrictions.

In summary, the load reject test is only allowed by TS during Mode 1 or 2 for unplanned events and a EDG overhaul does not require a load reject to be performed. Therefore the proposed TS change would not introduce any new load reject tests while on-line. Precautions are taken following major maintenance to ensure that any improperly performed maintenance on the governor or voltage regulator does not adversely challenge the EDG or the safety bus.

Attachment 1 to RBG-45934 Page 5 of 20 Question 3:

Do your Risk Management Procedures cover a comprehensive walk-down just prior to entering the period of reduced equipment availability (EDG extended maintenance on-line)?

Response

The Risk Management Procedures do not require a comprehensive walk-down just prior to entering the period of extended EDG maintenance. However, other programs and controls are adequate for this purpose and would not only be in effect just prior to entering the period of EDG maintenance, but would continue during the time of extended EDG maintenance. These include the routine daily rounds conducted by operators, access controls, and maintenance scheduling policies.

Operators conduct routine area and equipment checks twice per day with a general walk through of plant areas once per day. Operations section procedure OSP-0028, "Log Report Normal Switchgear, Control, and Diesel Generator Building", identifies the requirements for walk-through and monitoring of the Transformer Yard, the Normal Switchgear Building, the Control Building, and Diesel Generator Buildings. OSP-0029, "Daily Log Report - Auxiliary, Reactor, and Fuel Buildings", identifies walk-through and monitoring requirements for the Auxiliary Building, the Reactor Building, and the Fuel Building. OSP-0028 specifically requires that area/equipment checks of the Diesel Generator Buildings be conducted once per 12-hour shift in the first half of the shift. The procedure also requires additional monitoring of the Diesel Generator Buildings in the second half of the day and night shift whenever Diesel Generator "A" or "B" is out of service or whenever one circuit between the offsite transmission network and the onsite class 1 E distribution system is out of service.

Signs are posted at the access to the Diesel Generator Building which read "Access into the Diesel Generator Building is not permitted without OSS / CRS / WCS permission". The signs identify Operations, Fire watch, and security as the only exceptions. In addition, Operations Policy #009 establishes controls for access to and work in the Fancy Point switchyard and River Bend transformer areas. The policy is designed to assure the availability of offsite power and preclude the receipt of inadvertent actuation signals when performing work in these areas. This policy states that only the Operations Shift Superintendent / Control Room Supervisor can authorize access to areas with sensitive equipment. All non-routine work performed near sensitive equipment requires a brief to the crew performing the work and the Main Control Room Team. If entry is requested into the Fancy Point switchyard for any reason other than routine, non-intrusive activities, a River Bend site employee reviews the work activity to ensure it will not impact the unit. A River Bend site employee is assigned to accompany the individuals performing the work if any potential exists for impact. That individual is responsible for monitoring to ensure that the work activity remains within the predetermined scope and that the OSS/CRS remain informed of the work progress.

In addition, scheduled work would be limited to those areas associated with the EDG division that is out of service. River Bend uses a 12-week schedule on a four-week rotation. Currently, the first week is for Division I, the second week is for Division III, the third week is for Division II and the fourth week is for non-divisional work. This segregates the work on divisional equipment so that redundant systems or features are not impacted.

to RBG-45934 Page 6 of 20 Question 4:

It is stated that Division III EDG can be cross-connected to either Division I or Division II AC buses to provide an alternate AC power in the event of a station blackout. In this regard provide the following information:

(a) Is this a permanent cross-connection? How long would it take to accomplish this connection?

(b) Demonstrate that Division Ill EDG has enough capacity to power loads that are needed for a station blackout and loss of offsite power.

(c) Can this EDG be qualified as an alternate AC source according to the recommendation of Regulatory Guide 1.155, "Station Blackout."

Question 4(a):

Is this a permanent cross-connection? How long would it take to accomplish this connection?

Response

The electrical equipment that enables the cross-connection is permanent and was part of the original plant design. The original intent, however, was to allow the Division I or Division I1bus to be connected to a non-safety feed from an alternate transformer during outages. The Division III EDG can also be connected to one of these non-safety buses to support on-line testing. This configuration facilitates the cross-connection from Division III to the Division I or II bus through existing breakers and cables. These busses and transformer feeds are illustrated in Updated Safety Analysis Report (SAR) Figure 8.1-6, Station Service One Line Diagram.

The cross-connection is accomplished by stripping one of the de-energized buses (Division I or Division II) of its loads, defeating the HPCS LOCA automatic initiation signals, and performing breaker line-ups to load the Division III EDG with the desired loads. The ECCS systems may be filled and vented as needed, prior to starting the pumps. The PRA evaluation assumed that it took six hours to accomplish these actions. This assumption is conservative as it is expected that these actions can easily be accomplished within two hours.

Note that this cross-connection is only credited as a backup source of AC power for determining the risk associated with the extended allowed out-of-service time for the EDG. The cross connection is not credited as an alternate AC power source for the deterministic evaluation of a SBO. The ability of River Bend to cope with a four-hour SBO has been evaluated without reliance on this cross-connection capability as described in Appendix 15C of the RBS Updated SAR. The coping evaluation of Appendix 15C is not altered by the proposed change.

to RBG-45934 Page 7 of 20 Question 4(b)

Demonstrate that Division III EDG has enough capacity to power loads that are needed for a station blackout and loss of offsite power.

Response

The Division III EDG has a 2,000-hr rating of 2850 kW. The Division III maximum bus load is shown in Updated SAR Table 8.3-3. The remaining bus load without the High Pressure Core Spray (HPCS) pump motor is approximately 525 kW. This load includes the Division I Standby Service Water (SSW) pump SWP-P2C which is normally powered by the Division III EDG.

The rating of the Division I and Division II EDGs is limited to 3130 kW. The Division I and Division II automatically connected loads are listed in Updated SAR Table 8.3-2a and Table 8.3 2b. Assuming that the HPCS pump is not loaded, the Division III EDG can be cross-connected to the Division I bus to carry all of the Division I automatically connected loads except the Low Pressure Core Spray (LPCS) pump with a margin of 226 kW. Both Division I SSW pumps can be powered by the Division III EDG.

The Division III EDG can be cross-connected to the Division II bus to carry all of the Division II loads except Residual Heat Removal (RHR) pump C, which is used only for the Low Pressure Coolant Injection (LPCI) mode of operation, and one of the Division II SSW pumps, if Division I pump SWP-P2C is still powered by the Division III EDG. This provides a 255 kW margin. Only two standby service water pumps in each division are required; the Division I pump SWP-P2C is secured to allow both Division II standby service water pumps to be operated.

Reactor coolant system inventory control during the initial phases of a Station Blackout will be provided by the RCIC system. The RHR system success criteria for the Shutdown Cooling (SDC) or Suppression Pool Cooling (SPC) modes of operation is that one of the two available RHR trains equipped with RHR Heat Exchangers are capable of removing decay heat. RHR can remove decay heat by operating in either the SDC mode or the SPC mode. The Division I EDG is the normal supply for RHR Pump A and the Division II EDG is the normal supply for RHR Pump B. RHR Pump C functions only in LPCI mode as credited in LOCA analyses. Thus, the Division III EDG is capable of supplying the power to the one RHR pump needed for the RHR system to provide decay heat removal for the postulated scenario. It should be noted that because the subject scenario does not involve a large-scale mass and energy release as for a LOCA, the demands on various systems will be less than for the DBA-LOCA scenarios (which also assume a loss of offsite power). Thus, it is concluded that the Division III EDG is capable of supplying all the loads needed for a SBO or loss of offsite power.

Attachment 1 to RBG-45934 Page 8 of 20 Question 4(c):

Can this EDG be qualified as an alternate AC source according to the recommendation of Regulatory Guide 1.155, "Station Blackout"?

Response

RBS complies with the Station Blackout (SBO) Rule, 10CFR50.63 as a four-hour coping plant with no credit taken for the HPCS EDG as an alternate AC (AAC) power supply. Therefore, in the SBO analysis, the HPCS system is not relied upon as an injection source to the RPV during the SBO. EOI has reviewed the potential for qualifying the HPCS EDG as an AAC source in accordance with NUMARC 87-00. This review indicates that the HPCS diesel generator at RBS conforms to NUMARC 87-00 with the exception of Appendix B, Criterion B.8e, which states:

"No single point vulnerability shall exist whereby weather-relatedevent or single active failure could disable any portion of the on-site emergency power sources or the preferred power sources, and simultaneously fail the AAC power source(s)."

This criteria is met except for the unlikely failure of a common check valve in the cooling water piping shared by Division I and Division I1l. Specifically, the divisional standby service water (SSW) pumps are powered by either the Division I bus (1SWP*P2A), the Division II bus (1SWP*P2B and 1SWP*P2D), or the Division III bus (1SWP*P2C). Service water pumps 1SWP*P2A and 1SWP*P2C discharge into a common SSW header and hence, supply service water to both Division I and Division III safety-related components. This configuration is illustrated in Updated SAR Figures 9.2-1d and 9.2-1e.

Because of the shared SSW piping and associated valves, a single active failure could disable the SSW supply to both the Division I and Division III EDGs. Several potential failure scenarios were evaluated and resolved except for a scenario of a single active failure of standby service water check valve 1SWP*V172. Failure of this check valve could restrict service water flow to the Division I EDG and the Division III EDG causing both EDGs to fail. However, this valve is currently included in the Inservice Testing program and unobstructed flow through the common header is demonstrated through system operation to support routine EDG surveillances. Check valve failure in general is uncommon and it is highly likely that 1SWP*V172 will be operable when the HPCS diesel generator is called upon to start. Therefore, while the HPCS EDG does not meet this single failure criterion it is reasonable to conclude that the HPCS EDG will be available to respond to a postulated SBO.

In summary, the HPCS EDG cross-connection can be accomplished timely, the alternate loads are within the capability of the EDG and the EDG meets all the criteria for an AAC with the exception of Criterion B.8e of NUMARC 87-00. Therefore, it is reasonable for the risk analysis to credit use of the HPCS EDG as a backup source of AC power in the event of a SBO.

Attachment 1 to RBG-45934 Page 9 of 20 Question 5:

The various attachments make little mention of corrective maintenance and provide no discussion of associated risks. For corrective maintenance:

(a) Discuss the risks associated with the proposed CTs - and in order to get some estimate of a bounding condition (b) For each EDG out of service for maintenance, prepare a table showing the estimated the risk importances of remaining risk significant equipment; (c) From the list of equipment that could cause the change in risk associated with the change in CT to significantly exceed what the staff considers small for a single TS AOT change, select the most important (from those permitted to be inoperable by LCO CT for, say, more than a day) which plant experience (e.g., as observed in the plant log) shows to have some out of service frequency (attempt to make the choice realistic and bounding), and with it and the EDG out of service, re-estimate the risk for the CT; and (d) Provide assurances that the risks associated with the LCO CT for corrective maintenance will be kept comparable with that which the staff considers small for a single TS AOT for preventative maintenance.

Questions 5(a) and (b)

(a) Discuss the risks associated with the proposed CTs - and in order to get some estimate of a bounding condition - (b) For each DG out of service for maintenance, prepare a table showing the estimated risk importances of remaining risk significant equipment.

Response

The River Bend Level 1 PSA contains basic events that represent average maintenance unavailability for various components in the model. They are typically maintenance unavailability for pumps and EDGs. The Equipment Out Of Service (EOOS) software at River Bend is used to adjust the Level 1 PSA to reflect plant conditions, such as lineups and components out of service. The EOOS software can also be adjusted to exclude basic event average maintenance unavailability. For the EDG AOT submittal, EOOS was adjusted so that average maintenance unavailability was included. Likewise, the average maintenance unavailability was included in the answers to the staff's questions concerning risk information.

Using EOOS software, each EDG was classified as being out of service and the model quantified. A risk ranking of the components was developed for each condition. The components were ranked by Risk Achievement Worth (RAW) values. Starting with the component that had the highest RAW value, the list was examined to determine which components would cause entrance into a TS shutdown action statement if it were out of service concurrently with an EDG. The components that caused entrance into a shutdown action statement that required the unit to be in Mode 3 in less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months were removed from the list. For example, if EDG A was out of service and subsequently EDG B became out of service, then Condition E of 3.8.1 AC Sources - Operating would be entered. By Required Action E.1, to RBG-45934 Page 10 of 20 one EDG would have to be restored to operable status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . If one of the EDGs is not restored to operable status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then Condition F is entered. Required Action F1, requires the plant to be in Mode 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This condition would therefore not be included in the list. The following tables list the components, by RAW, that if taken out of service concurrently with an EDG would allow the plant to remain at power for greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months as allowed by the TS.

The following tables list those components with the highest RAW values (i.e., RAW greater than 2.0) for when either EDG A (Division I) or EDG B (Division II) are out of service. The core damage frequency stated in both tables includes maintenance and test unavailability frequencies. In parenthesis is the CDF if maintenance and test unavailability frequencies were not included.

Table 1 - Importance Table for the Division I Diesel Generator Out of Service Core Da ..... F

... 7a ...e c ,1 1........ (10E....... RAW Component OOS Impact RAW SWP-P2B Loss of Standby Service Water pump will reduce 7.9 emergency service water redundancy.

SWP-2D Loss of Standby Service Water pump will reduce 7.9 emergency service water redundancy.

SWP-MOVF040B Loss of Standby Service Water discharge valve 7.9 (fails closed) will reduce emergency service water redundancy.

SWP-MOVF040D Loss of Standby Service Water discharge valve 7.9 (fails closed) will reduce emergency service water redundancy.

SWP-MOVF055A Loss of Division I service water 6.44 HPCS Pump Loss of high pressure core spray system causes 5.98 loss of a high pressure injection source.

HPCS EDG Loss of Division 3 D/G causes loss of a high 5.46 pressure injection system.

Diesel driven air Loss of back up air supply to safety relief valve air 3.8 compressor IAS-C4 accumulators.

Air compressor Loss of air supply to safety relief valve air 3.75 LSV*C3B accumulators.

Auxiliary Bldg. Loss of HVR-UC9 interrupts room cooling to LPCI 2.79 HVAC unit cooler pumps B and C.

HVR-UC9 Station Blackout Loss of the station blackout diesel interrupts DC 2.74 DIG power once the batteries have depleted.

Attachment 1 to RBG-45934 Page 11 of 20 Table 2 - Importance Table for the Division II Diesel Generator Out of Service Core Damane Frecitien.nv = R RflF--lRI/r (7 *R:NAr Component OOS Impact RAW SWP-MOVF055B Loss of Division II standby service water. 4.62 Auxiliary Bldg. Loss of HVR-UC6 interrupts room cooling to 4.15 HVAC unit cooler LPCI A and LPCS.

HVR-UC6 Station Blackout Loss of the station blackout diesel interrupts DC 3.95 D/G power once the batteries have depleted.

HPCS EDG Loss of the HPCS diesel when off site power is 3.59 unavailable to the Division III emergency bus will interrupt power to the HPCS pump and SWP P2C.

HPCS Pump Loss of the HPCS pump is a loss of high 3.55 pressure injection system.

Diesel driven air Loss of back up air supply to safety relief valve 2.33 compressor IAS-C4 air accumulators.

SWP-P2B Loss of standby service water pump will reduce 2.33 emergency service redundancy.

SWP-P2D Loss of standby service water pump will reduce 2.33 emergency service redundancy.

Questions 5(c) and (d):

(c) From the list of equipment that could cause the change in risk associated with the change in CT to significantly exceed what the staff considers small for a single TS AOT change, select the most important (from those permitted to be inoperable by LCO CT for, say, more than a day) which plant experience (e.g., as observed in the plant log) shows to have some out of service frequency (attempt to make the choice realistic and bounding), and with it and the DG out of service, re-estimate the risk for the CT. (d) Provide assurances that the risks associated with the LCO CT for corrective maintenance will be kept comparable with that which the staff considers small for a single TS AOT for preventative maintenance.

Response

An acceptance criteria of less than 1.OE-6 ICDP from NEI 93-01, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" would normally be used to discuss acceptable risk of on-line maintenance activities. However, for this response, the more conservative criteria of less than 5.OE-7 from Regulatory Guide 1.177 is used as a basis of risk comparison.

From Tablel above, the highest instantaneous RAW noted is for failure of either the Division II Standby Service Water pumps or their discharge valves. The pumps are normally in standby with their discharge valves closed. The pumps will start on a LOCA signal or low normal service water pressure and their discharge valves will automatically open. In Regulatory Guide 1.177, "An Approach for Plant Specific, Risk Informed Decisionmaking: Technical Specifications", there is an incremental cumulative core damage probability (ICCDP) guideline of 5.OE-7 that is to RBG-45934 Page 12 of 20 established for TS allowed outage time changes. This guideline is met if the Standby Service Water pump/valve repairs are completed within 2.3 days. This has been calculated as follows:

ICCDP = (Instantaneous CDF - Baseline CDF) x (duration)

The baseline CDF for this risk comparison is the instantaneous CDF when the Division I EDG is OOS. The baseline CDF is 1.15E-5/yr) 5.OE-7 = [(7.9)(1.15E-5/yr) - (1.15E-5/yr)] x (duration) 5.OE-7 = (7.94E-5/yr) x (duration) 5.OE-7/7.94E-5/yr = duration 6.30E-3 yrs = duration (6.30E-3 yrs) x (365 days / year) = duration 2.3 days or 55 hrs. = duration The unavailability time in 2001 for the Division II standby service water pumps and their discharge valves was only 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . This is an unavailability of 3.42E-4 and is much less than the duration limit of 2.3 days calculated. The PRA model assumes a higher unavailability of 2.OOE-3. Thus, the availability assumed in the model is conservative when compared to the actual data for 2001.

Another component in Table 1 is the Division III EDG. A similar computation was performed for comparison purposes. As shown below, an EDG would have to be restored to Operable status within 85 hours9.837963e-4 days 0.0236 hours 1.405423e-4 weeks 3.23425e-5 months to meet the RG 1.177 guidelines.

5.OE-7 = [(5.46)(1.15E-5/yr ) - (1.15E-5/yr)] x (duration) 3.6 days or 85 hrs. = duration In 2001, the Division III EDG was unavailable for 10.07 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . This is an unavailability of 1.15E

3. Since the PRA model assumes 1.67E-2, the unavailability assumed in the model is conservative when compared to actual data for 2001. Note that per Technical Specifications 3.8.1, there is a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months action time when the Division III EDG and one of the other two EDGs are not OPERABLE, which is more restrictive than would correspond to the RG 1.177 guideline.

From Table 2 the highest RAW noted is for SWP-MOVF055B. This valve is normally closed and must open upon a Standby Service Water initiation signal so that service water can be routed to the standby cooling towers. If MOVFO55B failed while EDG B was out of service, valve repairs would have to be made in 5.7 days to be within the ICCDP guideline.

ICCDP = (Instantaneous CDF - Baseline CDF) x (duration)

The baseline CDF is the instantaneous CDF when the Division II EDG is OOS.

The baseline CDF is 8.80E-6/yr) 5.OE-7 = [(4.62)(8.80E-6/yr) - (8.80E-6/yr)] x (duration) 5.7 days or 137 hours0.00159 days 0.0381 hours 2.265212e-4 weeks 5.21285e-5 months = duration The actual unavailability for SWP-MOVF055B is much lower than the duration times calculated above. In 2001 the unavailability time for this valve was zero. At no time was the valve unavailable due to maintenance or testing.

to RBG-45934 Page 13 of 20 Table 2 also includes the Division III DG. Even though it does not have a higher RAW than SWP-MOVF055B a similar computation was done for it.

5.OE-7 = [(3.59)(8.80E-6/yr) - (8.80E-6/yr)] x (duration) 8 days or 192 hrs. = duration As noted for Table 1, the Division III EDG was only unavailable for 10.07 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months in 2001 and the unavailability assumed in the model is conservative when compared to actual data for 2001.

TS actions are generally more limiting than the duration times that could be justified based on risk alone. However, before performing maintenance activities, RBS assesses and manages the increase in risk that may result from maintenance activities as required by 10 CFR 50.65.

RBS uses color codes generated via EOOS to communicate and support the management of risk for preventative maintenance as well as emergent maintenance. The color codes are tied directly to specific core damage frequencies. In the following table are the color codes used at RBS along with the CDF that is tied to the color code break points. The CDF for the breakpoints are based on zero maintenance. In other words, component unavailability is not included in the quantification.

River Bend Station Color Determination Color Meaning Break Point Setting for On-Line Core Damage Maintenance Frequency Associated with Color Breakpoint Green Non-risk significant, no Lower limit corresponds to two 2 x 3.08E-6/yr = 6.16E action necessary times zero maintenance CDF. 6/yr Yellow Acceptable risk Lower limit corresponds to one 1.26E-4/yr increase, increase train of standby service water awareness of (SWP) out of service (train A).

maintenance advised.

Orange Potentially risk Lower limit corresponds to SWP 6.84E-4/yr significant, contingency train A and the train B diesel plans needed, generator out of service OR NEI 93-01 limit Red Risk significant, do not Risk greater than the above limit. Risk greater than enter voluntarily. 6.84E-4/yr RBS performs a risk assessment on the weekly schedule prior to the workweek and on a real time basis throughout the workweek. Plant personnel use a blended approach to assess and manage risk at RBS. The blended approach allows for managing risk via quantitative and qualitative risk assessments.

From a quantitative perspective EOOS is used to set plant conditions and remove systems/components from service. EOOS is used to quantify the PSA model. Quantification provides an instantaneous risk in core damage frequency and a corresponding color. The color represents the level of risk as described in the above table.

If the plant is in a YELLOW condition, measures are required to ensure that subsequent maintenance activities do not increase risk to a higher level color (ORANGE or RED condition).

Attachment 1 to RBG-45934 Page 14 of 20 This is achieved by determining the risk prior to taking additional components out of service for maintenance.

If the plant is in an ORANGE condition, written guidance /contingency plans are required if the condition will be entered voluntarily. General Manager / Designee approval for voluntary entry or notification upon emergent entry is required. On-Site Review Committee review and approval is required for preplanned ORANGE conditions. If an ORANGE condition is a result of emergent work, then steps are to be taken to restore any equipment out for testing that could take the plant from an ORANGE condition to a YELLOW condition.

If the plant encounters a RED condition actions are required to be taken to reduce plant risk by either restoring inoperable or unavailable equipment or to put the plant in a safer condition (e.g.,

reduce power or shutdown), taking into account any risk with the transient required to achieve the safer state.

If RBS were to be in Yellow for an entire week, the total incremental core damage probability risk for the week would be:

(6.16E-6/yr - 3.08E-6/yr)

7 days / 365 days/yr = 5.9E-8 Thus, while River Bend does not directly use a 5.0E-7 ICCDP as a screening criteria in its risk assessment process, the Green-Yellow breakpoint criteria used within EOOS does provide to some extent an implicit barrier to the RG 1.177 criteria, since it is desired to have a "green" determination as much as possible in the risk assessment process.

Note that Entergy currently uses a philosophy of setting the "Green-Yellow" transition breakpoint equal to twice the zero-maintenance CDF. This was adopted as part of Entergy's practice to manage the incremental risk due to plant on-line maintenance. This was considered a superior alternative to the previous practice at some plants of setting the CDF breakpoint at the permanent change criteria (Figure 4.1) of the EPRI/NEI PSA Applications Guide, EPRI TR-105396, as well as being superior to other alternatives that resulted in a higher transition breakpoint. Basing the "Green-Yellow" breakpoint on the zero maintenance activity has the advantage that plant maintenance history does not impact the breakpoint, and allows for a reasonable scope of maintenance that meets the criteria for a "Green" risk. Also, the total incremental risk for a week's maintenance (which usually includes several separate maintenance activities) is well within the RG1.177 guidance if the CDF remains less than the "Green-Yellow" breakpoint. Thus, by using the zero maintenance model to establish the acceptance criteria, maintenance activities will not incrementally increase the base case risk more than a factor of two above the zero maintenance model. The transition criteria would be such that the temporary increase in risk would be managed by limiting the CDF to an increase of two for a green evolution and the aggregate risk would be maintained as discussed above.

Planned maintenance that would place a plant in a "Yellow" CDF condition for an entire week is very infrequent.

In addition to using EOOS to quantitatively assess and manage risk, plant personnel are responsible for contributing qualitative risk insights in proportion to their knowledge and familiarity with the affected plant systems and the specific maintenance activity under consideration. Expectations are that EOOS is not the only tool that is to be used for assessing and managing risk. Plant operating experience and plant knowledge are used to verify or check the quantitative results with EOOS.

to RBG-45934 Page 15 of 20 Question 6: makes reference to a Configuration Risk Management Program (CRMP) in connection with the controlling and minimizing risk during CT outages.

(a) Provide us copies of administrative procedure ADM-0096, "Risk Management Program Implementation and On-line Maintenance Risk Assessment," and operational support procedure OSP-0037, "Shutdown Operations Protection Plan;"

(b) If not dealt with in the procedures, discuss the controls that limit at power preventative maintenance outage times and frequencies; (c) If not dealt with in the procedures, discuss application of the programs, or similar procedures, to corrective maintenance and emergent EOOS [unless already discuss in response to 5(d)] - it is noted that the reassuring contingency measures discussed in the attachment and the proposed TS Bases, and limitations on voluntary entry, are not applicable to corrective maintenance; (d) If the procedures do not contain quantitative criteria used by River Bend in making decisions on when a risk is small, and what level of risk (not color codes) triggers specific operational actions (not managerial levels of approval) together with the action associated with each level (e.g., discuss the point at which River Bend would voluntarily reduce the maintenance time to less than the LCO CT or shut down the plant), provide the information, and include discussion of qualitative considerations used by River Bend; and (e) Since significant increases in LCO CTs, such as those proposed, significantly increase the window during which other risk significant equipment can become inoperable, discuss the potential risk from overlapping equipment outages based on the plant log and current CTs and planned or proposed CT extensions.

Question 6(a):

Provide us copies of administrative procedure ADM-0096, "Risk Management Program Implementation and On-Line Maintenance Risk Assessment," and operational support procedure OSP-0037, "Shutdown Operations Protection Plan."

Response

Copies of the requested procedures are enclosed.

to RBG-45934 Page 16 of 20 Questions 6(b) and (c):

(b) If not dealt with in the procedures, discuss the controls that limit at power preventative maintenance outage times and frequencies; (c) If not dealt with in the procedures, discuss application of the programs, or similar procedures, to corrective maintenance and emergent EOOS [unless already discuss in response to 5(d)] - it is noted that the reassuring contingency measures discussed in the attachment and the proposed TS Bases, and limitations on voluntary entry, are not applicable to corrective maintenance;

Response

In addition to the program discussed in response to question 5(d) and 6(d), the River Bend Station uses On-Line Maintenance Guidelines. The guidelines require that planned activities be scheduled to be completed within one-half of the allowed Limiting Condition for Operation (LCO) completion time limit. This requirement applies to preventative and corrective maintenance.

LCO status is reviewed daily at the morning work planning meeting and at the morning management "Focus of the Day" meeting, which is chaired by the Manager of the Operations department or the Operations Shift Manager.

River Bend also has a Safety Function Determination Program (SFDP) established in accordance with TS 5.5.10 to ensure that a loss of safety function is detected and appropriate actions taken. The program recognizes the TS LCO CTs for individual support systems may not always address the condition of multiple inoperabilities that could affect a safety function. Under this program, certain limitations and remedial or compensatory actions may be identified to be taken as a result of a support system inoperability.

The SFDP contains the following elements:

a. Provisions for cross division checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected;

b. Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists;

c. Provisions to ensure that an inoperable supported system's Completion Time is not inappropriately extended as a result of multiple support system inoperabilities; and

d. Other appropriate limitations and remedial or compensatory actions.

Question 6 (d):

If the procedures do not contain quantitative criteria used by River Bend in making decisions on when a risk is small, and what level of risk (not color codes) triggers specific operational actions (not managerial levels of approval) together with the action associated with each level (e.g.,

discuss the point at which River Bend would voluntarily reduce the maintenance time to less than the LCO CT or shut down the plant), provide the information, and include discussion of qualitative considerations used by River Bend.

Response

RBS performs a risk assessment on the weekly schedule prior to the workweek and on a real time basis throughout the workweek.

Attachment 1 to RBG-45934 Page 17 of 20 If the plant is in a YELLOW condition measures are required to ensure that subsequent maintenance activities do not increase risk to a higher level color (ORANGE or RED condition).

This is achieved by determining the risk prior to taking additional components out of service for maintenance.

If the plant is in an ORANGE condition written guidance /contingency plans are required if the condition will be entered voluntarily. General Manager / Designee approval for voluntary entry or notification upon emergent entry is required. On-Site Review Committee review and approval is required for preplanned ORANGE conditions. If an ORANGE condition is a result of emergent work, then steps are to be taken to restore any equipment out for testing that could take the plant from an ORANGE condition to a YELLOW condition.

If the plant encounters a RED condition actions are required to be taken to reduce plant risk by either restoring inoperable or unavailable equipment or to put the plant in a safer condition (e.g.,

reduce power or shutdown), taking into account any risk with the transient required to achieve the safer state.

Question 6(e):

Since significant increases in LCO CTs, such as those proposed, significantly increase the window during which other risk significant equipment can become inoperable, discuss the potential risk from overlapping equipment outages based on the plant log and current CTs and planned or proposed CT extensions.

Response

In March of 2001, RBS performed a cumulative risk review that covered November 1997 to December 2000. These reviews are performed periodically to review plant historical risk performance and determine if any trend exists. It included plant specific unavailability data for the following systems: Division 1,11, and III EDGs, Division I and II standby service water, RCIC, HPCS, four instrument air compressors, LPCS, RHR A, RHR B, and RHR C. Monthly unavailability data due to maintenance and testing was used.

The results of the review are documented in Attachment 2. Revision 3 of the Level 1 PRA model was used to develop the curves in the attachment and not Revision 3A. Revision 3 is the version of the PRA model that is in effect at RBS until the EDG AOT submittal is approved.

Once the NRC approves the EDG AOT submittal Revision 3A of the PRA model will go into effect.

The results for Cycle 10 (starting April 2000) are more typical of the River Bend risk profile.

Cycle 9 was a short fuel cycle, extending from July 1999 to March 2000, due to the elevated crud levels and corrosion thickness discovered during Refueling Outage RF08 in the Spring of 1999. Cycle 10 represents a return to a normal 18 month fuel cycle.

Attachment 1 to RBG-45934 Page 18 of 20 Question 7:

Attachment 3 contains comments on the River Bend Probabilistic Safety Analysis Peer Review.

(a) Provide a summary of this review; (b) If not provided in the report, describe the criteria for element grades (e.g., what constitutes a Grade 3 element); and (c) Attachment 4 states "The Peer Review comments addressed as part of model revision 2D were those with a high potential to impact the calculated model results ...". If any of these model changes, or those made to revision 3, would affect which items are included in Table 2 of Attachment 3 or their risk impact characterization, describe the item and discuss the EDG AOT impact (or was the table prepared using revision 3).

Question 7(a):

Provide a summary of this review;

Response

The BWROG PSA Certification Team's assessment and review of the RBS PSA was documented in an October 1998 report. Attachment 3 of River Bend letter RBG-45832 provided information on the River Bend PSA Peer Review which was considered pertinent to the License Amendment Request. The report itself is a long and detailed document, including discussion of low-level recommendations and suggestions for enhancements or alternate approaches to consider in the PSA of the individual plant reviewed and with detailed technical discussions which can be misunderstood if taken out of context. The Results summary of the Certification report provides a useful overview description of the team's conclusions. Extracts from the Certification report are provided in Attachment 3 to this letter. The Results summary thus documents the conclusions of an independent assessment that the River Bend PSA is considered to meet the quality requirements for supporting risk-informed applications through a blended approach which incorporates deterministic insights, such as the RBS request to extend the EDG AOT.

Note that a Revision to the RBS Level 2 PSA had started at the time of the PSA Certification.

Because of this, the Certification team did not assess the then-current Level 2 PSA in detail.

Revisions to both the Level 1 and Level 2 PSA have been completed since the PSA Certification review, as discussed and documented in letter RBG-45832. Revision 2C of the Level 1 PRA was in effect when the BWROG PSA Certification Team reviewed the River Bend PRA.

This information from the Results summary of the independent peer review combined with the detailed information provided in letter RBG-45832 thus provides the information required to judge that the River Bend PSA meets the quality requirements for supporting the requested Technical Specification changes.

Attachment I to RBG-45934 Page 19 of 20 Question 7(b):

If not provided in the report, describe the criteria for element Grades (e.g., what constitutes a Grade 3 element).

Response

The peer review certification process uses four grades [Reference "BWROG PSA Peer Review Certification Implementation Guidelines," Revision 3, January 1997]. These four grades are as follows:

Grade 1 - Useful for Identifying Severe Accident Vulnerabilities, Accident Management Insights, and General Prioritization of Issues This grade requires the minimum standard and has satisfied NRC expectations for responding to Generic Letter 88-20. Most PSAs are expected to be capable of meeting these requirements. This grade of certification would serve as an industry standard.

Grade 2 - Useful for Risk Ranking with Deterministic Input This grade of certification requires a review of the PSA model, documentation and maintenance program. Certification at this grade would provide assurance that, on a relative basis, the PSA methods and models yield meaningful rankings for the assessment of systems, structures, and components, when combined with deterministic insights (i.e., a blended approach).

Grade 3 - Useful for Risk Significance with Deterministic Input This grade of certification extends the requirements to assure that risk significance determinations made by the PSA using absolute risk insights are adequate to support a broader range of regulatory applications, when combined with deterministic insights.

Grade 4 - Useful as a Primary Basis for Decision-Making This grade of certification requires a comprehensive, intensively reviewed study which has the scope, level of detail, and documentation to assure the highest quality of results.

Routine reliance on the PSA as the basis for certain changes is expected as a result of this grade. It is expected that few plants would currently be eligible for this grade of certification.

It should be noted that while each of the four application oriented grades have different characteristics as delineated above, the boundaries between grades are not sharp. Grades 2, 3, and 4 are considered consistent with Categories 1,11, and III of the ASME Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME RA-S-2001.

to RBG-45934 Page 20 of 20 Question 7(c): states "The Peer Review comments addressed as part of model revision 2D were those with a high potential to impact the calculated model results...". If any of these model changes, or those made to revision 3, would affect which items are included in Table 2 of or their risk impact characterization, describe the item and discuss the EDG AOT impact (or was the table prepared using revision 3).

Response

Table 2 of Attachment 3 was prepared based upon Revision 3 of the River Bend Level I PRA.

The discussion in the Table reflects changes that were made in the PRA through Revision 3.

Attachment 2 To RBG-45934 River Bend Plant Cumulative Risk Review (Nov. 1997 to Dec. 2000)

Attachment 2 to RBG-45934 Page 1 of 6 River Bend Plant Cumulative Risk Review (Nov. 1997 to Dec. 2000)

The attached figures provide core damage frequency (CDF) graphs for the past three years from Nov. 1997 to Dec. 2000. These graphs track the CDF on a monthly basis, based on the following systems: Diesel Generator Division 1,11, and Ill, Standby Service Water Division I and II, RCIC, HPCS, and the instrument air system (lAS). The graphs include monthly CDF and year-to-date cumulative Core Damage Probability (CDP) for each year. The inputs to the calculations were obtained from the Maintenance Rule Database.

The RBS Level 1 Rev. 3 PRA model was used in the calculation, which is the most recent revision. Since there were no major plant modifications in the past three years that would impact the PRA model significantly, the previous PRA models were not used. The baseline CDF value for Level 1 Rev 3 PRA model with a 1 E-9/yr truncation limit was calculated as 9.45E 6/yr. The zero-maintenance CDF value is 7.15E-6/yr and the break point for EOOS color code transition from "Green" to "Yellow" is at the CDF value of 1.43E-5.

Due to the lack of failure-to-run (FTR) and failure-to-start (FTS) data and the associated demand and run-time data, the monthly CDF's are based on the monthly unavailability data due to maintenance and testing only. This approach is less accurate in reflecting the plant risk profiles but should not have significant impact.

RBS Monthly CDF Graph The RBS monthly CDF graph is included as Figure 1. The monthly CDF values were normalized with the RBS Level 1 Rev 3 baseline CDF value. Both baseline CDF and the Green/Yellow transition CDF values are shown on the graph. Note that the CDF values were not calculated during refueling outages. The CDF values should be calculated based on the RBS Level 1 Shutdown EOOS model. For simplicity, these values are not listed here.

As shown in the monthly CDF graph, there were three monthly CDF values that exceeded the Green/Yellow transition line. The main contributors to the higher CDF values in these cases were unavailabilities of Diesel Generators and/or Standby Service Water Systems, as observed during the calculation of the "Rolling Average" CDF. This is consistent with the Level 1 Rev 3 PRA model system and component importance ranking. Following is a brief summary for these three cases:

Date Normalized Div I DG Div II DG Div III DG SSW B SSWA CDF Value Unavailability Unavailability Unavailability Unavailability Unavailability Oct-98 1.69 0.07177 0.03992 0.00188 0.00001 0.00001 Oct-99 1.91 0.02887 0.03720 0.00081 0.03720 0.03125 Jan-00 1.68 0.02917 0.00511 0.00054 0.03925 0.00001 The ACDF values of all three cases exceed the maximum percent change in permanent CDF considered to be Non-Risk-Significant (32.5% for the baseline CDF value of 9.446E-6/yr for RBS Level 1 Rev 3 PRA). However, even for the highest CDF change in Oct. 1999, the change in CDP in that month is (1.801E 7.15E-6)/yr

lyr/12 = 9.05E-7, which is acceptable according to the Quantitative Screening Criteria for Temporary Changes based on CDP values in the EPRI PSA Application Guide (TR-105396). Therefore, it is concluded that the risk to RBG-45934 Page 2 of 6 changes due to unavailability of risk significant equipment in the past three years were Non Risk-Significant.

Year-To-Date Cumulative CDP Figure 2 shows the year-to-date cumulative CDP plots for the past three years (1998 to 2000).

These figures show the cumulative plant risk over time on a yearly basis and how this relates to the baseline CDP and the CDP values corresponding to the Green/Yellow transition CDF value in EOOS. Since no monthly CDF was calculated for refueling outage months, the cumulative CDP values did not include those months also.

The Core Damage Probability (CDP) is defined as the incremental risk of core damage in a specified period of time per ADM-0096. CDP = ACDF

Atime where ACDF is the change in CDF with respect to the zero maintenance CDF.

The yearly baseline CDP values are weighted on the actual operating hours. The baseline CDP values for the past three years are 2.20E-6 for 1998, 1.67E-6 for 1999, and 2.01 E-6 for 2000.

Note, as expected, the baseline CDP is greatest for 1998 (a non-outage year) and lowest for 1999, due to the extended 3-month refueling outage. As a result of the 3 outage months, the baseline CDP for 1999 is almost 3/4 of the 1998 baseline CDP.

The cumulative risk profile in 1998 shows that the year-to-date CDP values were always below the baseline CDP. And the 1999 cumulative risk profile shows that the year-to-date CDP values were always above the baseline CDP's. However, it should also be noted that the CDP values were still well below the Green/Yellow transition lines. For the 2000 cumulative risk profile, although the figure shows the plant year-to-date CDP values were above the baseline CDP for most of the months, the final CDP value for 2000 was actually lower than the baseline value. It was the higher monthly CDF value in January 2000 that raised the CDP values significantly. As discussed in the previous section based on the monthly averaged CDF values, the risk changes in the past three years were Non-Risk-Significant.

==

Conclusions:==

The actual final cumulative CDP values for the past three years weighted on the actual operating times are:

Year Baseline CDP Cumulative CDP 1998 2.20E-6 1.93E-6 1999 1.67E-6 3.07E-6 2000 2.01 E-6 1.95E-6 These values are at the baseline risk level and within the Non-Risk-Significant range per PSA Application Guide. The Level 1 Rev. 3 PRA model was used in producing the risk profiles, which should reflect the plant conditions in the past three years most accurately. Although the CDF values were increased due to the PRA model update, there is no sustained trend evident in the monthly averaged CDF and the year-to-date CDP graphs.

to RBG-45934 Page 3 of 6 Figure 1 RBS Monthly Average CDF C raph (Nov. 1997 - Dec. 2000) 2.50 2.00 Yellow CDF 1.50 Value (Norm alized) 1.00 ,Bseie*

Re fue 0.50 ----- - I .-

0.00 . , . ^ , . . . .;. . .. . .. . . . .

N, Lie Ja re ivia Ap ma Ju Jul ,u Se c NoD Ja r-e Ma Ap Ma JU Jul Au e UC No ue Ja Fe Ma Ap Ma Ju Jul Au Se OC No ye Ja v- c- n- b- r- r- y- n- -98 g- p- t- v- c- n- b- r- r- y- n- -99 g- p- t- v- c- n- b- r- r- y- n- -00 g- p- t- v- c- n 97 97 98 98 98 98 98 98 98 98 98 98 98 99 99 99 99 99 99 99 99 99 99 99 00 00 00 00 00 00 00 00 00 00 00 01 Date to RBG-45934 Page 4 of 6 Figure 2 1998 Year-to-Date Cumulative CDP 3.OOE-06 2.OOE-06 CDP Value 1.OOE-06 O.OOE+O0 -

Jan-98 Feb-98 Mar-98 Apr-98 May-98 Jun-98 Jul-98 Aug-98 Sep-98 Oct-98 Nov-98 Dec-98 Month to RBG-45934 Page 5 of 6 Figure 3 1999 Year-to-Date Cumulative CDP 4.OOE-06 3.50E-06 "Year-to-Date CDP

-Baseline CDP

3. 0 0E-0 6 --

... Green/Yellow Transition CDP Yellow 2.50E-06 Green CDP Value 2.OOE-06 -________________________________ ___

1.50E-06 1.OOE-06 5.OOE-07 O.OOE+00 F Jan-99 Feb-99 Mar-99 Apr-99 May-99 Jun-99 Jul-99 Aug-99 Sep-99 Oct-99 Nov-99 Dec-99 Month to RBG-45934 Page 6 of 6 Figure 4 2000 Year-to-Date Cumulative CDP 3.OOE-06 4,

4 2.50E-06 Yellow

- S Green

\ =

4'4 2.00E-06 *

Baseline CDP

Value#

1.50E-06 Yel..w .

Green 0.00E+00 .6'":~

o i,

Jan-00 Feb-00 Mar-00 Apr-00 May-00 Jun-00 Jul-00 Aug-00 Sep-00 Oct-00 Nov-0 Month

Attachment 3 To RBG-45934 River Bend PSA Certification Summary to RBG-45934 Page 1 of 3 River Bend PSA Certification Summary:

"The following is a brief summary overview of the River Bend PSA Peer Review Certification Process results:

PSA ELEMENTS: All of the PSA elements identified as part of the BWROG PSA Peer Review Certification process were included in the River Bend PSA with the exception of a Level 2 analysis of Large, Early release frequency (LERF). No Level 2 analysis consistent with the updated Level 1 has been performed. In terms of the overall assessment of each element that was included, all were consistently graded as sufficient to support meaningful rankings for the assessment of systems, structures, and components, when combined with the deterministic insights (i.e., a blended approach).

INITIATING EVENTS (IE): The development of initiating events and their integration into the PRA model is good and consistent with industry practices. The guidance and documentation of the initiating event analysis is generally thorough. The grouping of categories, screening of special initiators, and calculation of transient frequencies is adequate for an IPE type study, but would be substantially strengthened if the following enhancements are included for use in the risk informed decision making environment. The key recommended enhancements are to: (1)

Include the RPV Rupture and Manual Shutdown initiators and quantify with event trees; (2) Separate out MSIV closure from Loss of Condenser Vacuum; (3) Assess the ISLOCA initiator using the NSAC-154 (or equivalent) approach; (4) Collect RBS specific transient event data and include in the initiating event frequency calculation.

ACCIDENT SEQUENCE EVALUATION (Event Trees) (AS): The River Bend model is comprehensive and in general covers the spectrum of potential risk significant sequences identified in BWRs. The level of detail in the model demonstrates that there has been a substantial amount of effort to investigate plant unique features.

The HRA, system analysis, and data evaluation are well integrated into the model.

The accident sequences are defined via a structured approach. Based upon these reviews, a solid level of accuracy has been achieved. Specific sequences may have issues related to their technical realism.

A few potentially important EOP actions were omitted from the accident sequences including some ATWS actions. Additional specific examples of the assessments that would enhance the PSA model are included in the Accident Sequence Fact and Observation sheets.

The modeling of the functional elements in the event tree forms the basis for all other aspects of the PSA model ..... The Fact/Observation sheets identify areas where potential improvements are identified to support higher level applications.

THERMAL HYDRAULIC ANALYSIS (TH): The River Bend PSA generally relies on applicable best estimate generic calculations to support success criteria.

to RBG-45934 Page 2 of 3 An area of potential enhancement was to provide more specific references to success criteria supporting calculations for ATWS. In addition, the times to core damage need to be reevaluated based on a plant specific analysis.

The overall process is judged adequate to support vulnerability assessment and is adequate for ranking type applications. It is judged that additional effort may be useful for the T/H area to support more demanding applications involving absolute risk determination...

SYSTEMS ANALYSIS (Fault Tree) (SY): The list of systems modeled is complete.

The fault tree models and system notebooks are a strength of the River Bend PSA study. The systems analysis is thorough and comprehensive...

DATA (DA): About half of the data used in the updated PSA appear to be plant specific. This is judged to be a strength. The data presentation and availability is also judged to be a strength of the PSA. In addition, the new data collection system, although not described, might allow better and easier data collection.

Common cause data treatment has referenced appropriate documents except the latest INEL data was not included. Common cause grouping appears not to have been documented.

Overall, the techniques support risk ranking applications when additional consideration is given to common cause grouping and quantification.

HUMAN RELIABILITY ANALYSIS (HR): Time available for operator action used in the HRA could be overestimated based on the definition of time to core damage.

Dependencies among operator actions in the same cutset when identified are considered.

Specific operator action modeling have been identified as in need of enhancement to fully support risk ranking applications ...

DEPENDENCIES (DE): Overall, dependencies were generally treated well .... with correction of the specific issues related to common cause failure. The common cause analysis covers the common mechanical groups normally seen in a PSA.

There are substantially fewer electrical common cause events seen in the model than mechanical.

STRUCTURAL RESPONSE (ST): A plant specific evaluation of the capacity for low pressure piping to withstand the pressure transient from an interfacing systems LOCA condition was not performed as part of the analysis.

The basis for determining RPV integrity was not identified in the documents reviewed by the Certification Team.

QUANTIFICATION AND RESULTS INTERPRETATION (QU): Dominant sequences (cutsets) are described in the summary of the results. Existing dominant cutsets to RBG-45934 Page 3 of 3 make physical sense and appear to have reasonable frequencies. New dominant cutsets could result from the enhancements to the quantification or other PSA elements.

The quantification approach is typical for a CAFTA model that explicitly employs fault trees and event trees. The results are well-documented .......

CONTAINMENT PERFORMANCE ANALYSIS (L2): There may be a slightly different perspective in the use of PSA for risk informed applications than in the use for identification of vulnerabilities. The intent is not to be conservative and not to throw away apparent non-contributors from the quantified model. Rather the desire is to provide a broad, robust model for use in applications. This means accurate importance measures are desirable and the absolute measures should also be robust to support changes. All this argues for inclusion of additional phenomena and actions that are currently screened from quantification.

The Level 2 has not been performed for the updated model and conclusions regarding its use for applications cannot be made.

The current NUCAP model does not include phenomena and nodes that are crucial for future application assessment: RPV vent, containment flood, deinerted operations, containment isolation.

PSA MAINTENANCE AND UPDATE (MU): A process is in place to perform PSA Updates ......

This information from the Results summary of the independent peer review combined with the detailed information provided in letter RBG-45832 thus provides the information required to judge that the River Bend PSA meets the quality requirements for supporting the requested Technical Specification changes.

Attachment 4 To RBG-45934 Corrected Page for Attachment 5 to Letter RBG-45832, Dated September 24, 2001 to RBG-45934 Page 1 of 1 UNCERTAINTY ANALYSIS An uncertainty analysis was completed for the At-Power PSA using the code Uncert Version 2.2. The results are summarized below:

Point Estimate Mean 5% 95%

Baseline 3.39E-6 3.92E-06 5.OOE-07 1.15E-05 TRANSITION RISK Transition risk refers to the risk associated with changing the operating mode of a BWR from its nominal full-power operating state to a lower power shutdown state. Transition risk issues are important when a reactor has to be shut down due to inoperable equipment. Transition risk is defined as the Core Damage Probability (CDP) associated with the transition of the plant from full-power operation to plant shutdown and back to full power.

For this evaluation, transition risk can be evaluated by comparing the conditional core damage probabilities for the following two sequences:

1) Shutting down the plant to repair the OOS EDG (INI-T3A)

2) At-Power Risk with the EDG OOS for 14 days Assumptions:

1. The Level 1 PSA model is sufficient to capture the risk of transitioning to Hot Shutdown (Mode 3).

2. EDG A OOS is bounding for both scenarios.

Based on the current TS requirements, the plant would remain at power for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (3 days) then transition to hot shutdown in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and cold shutdown in 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . Assuming a total repair time of 14 days, the plant would remain in cold shutdown a total of 9.5 days.

The following time line summarizes the transition to cold shutdown:

t=0 t=72hours t=84hours t=108hours t=14days I-------------------------- I ----------------- I--------------------------- I---------------------------------- I 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT Transition to Transition to Cold Shutdown Hot Shutdown Cold Shutdown

G.12.1.1 ENTERGY RIVER BEND STATION STATION OPERATING MANUAL

ADMINISTRATIVE PROCEDURE

RISKMANAGEMENT PROGRAM IMPLEMENTATION AND ON-LINE MAINTENANCE RISK ASSESSMENT PROCEDURE NUMBER: *ADM-0096 REVISION NUMBER: *02 Effective Date:

SEP 2 3 2001 NOTE: SIGNATURES ARE ON FILE.

INDEXING INFORMATION RECEIVED SEP 2 3 2001 DOCUMENT CONTROL

TABLE OF CHANGES LETTER DESIGNATION DETAILED DESCRIPTION OF CHANGES TRACKING NUMBER ADM-0096 REV - 02 PAGE 1 OF 37

TABLE OF CONTENTS SECTION PAGE NO.

1 PUR PO SE ................................................................................................................................. 3 2 R E FERE N C E S ......................................................................................................................... 3 3 DEFIN IT ION S ......................................................................................................................... 4 4 RESPONSIBILITIES .......................................................................................................... 7 5 PROC E DUR E ........................................................................................................................... 9 6 DOCUMENTATION ........................................................................................................ 21 ATTACHMENT 1 - RIVER BEND STATION COLOR DETERMINATION ..................... 22 ATTACHMENT 2 - EOOS FEEDBACK FORM (TYPICAL) .............................................. 23 ATTACHMENT 3 - EOOS AND NON EOOS SAFETY SIGNIFICANT SYSTEM LIST ........ 24 ATTACHMENT 4 - QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION ................................................................................................. 26 ATTACHMENT 5 - LEVEL 1 OUT OF SERVICE GUIDANCE TABLE FOR USE WHEN EOOS IS UNAVAILABLE ..................................................................... 36 ADM-0096 REV - 02 PAGE 2 OF 37

1 PURPOSE 1.1 To meet the requirements of Maintenance Rule 10CFR50.65 (a)(4).

1.2 To ensure a proceduralized risk-informed process is in place to assess the overall impact of plant maintenance on plant risk, and manage the risk associated with equipment unavailability.

1.3 To enable actions to be taken or decisions to be made to minimize and control risk when performing maintenance on systems, structures and components (SSCs).

1.4 To enhance safe operation and PSA configuration control.

1.5 To provide guidance on how and when to perform risk assessments using quantitative and qualitative tools.

2 REFERENCES 2.1 Regulatory Guide 1.182, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants 2.2 SECY-99-133, Final Revision To 10 CFR 50.65 To Require Licensees To Perform Assessments Before Performing Maintenance 2.3 NUMARC 93-01: Section 11.0: Assessment of Risk Resulting From Performance of Maintenance Activities 2.4 EPRI TR-105396, "PSA Applications Guide," August 1995 2.5 NEDC 32501, "Risk Management of On-Line Maintenance," BWROG Integrated Risk Based Regulation Committee, October 1995 2.6 "EOOS Monitor User's Manual," Science Applications International Corporation prepared for EPRI 2.7 Engineering Guide, EDG-PR-0001, "Reliability Monitoring Program" 2.8 Maintenance Rule Database 2.9 River Bend Station On-line Maintenance Guidelines 2.10 ENG-3-037, "Engineering Request Process" ADM-0096 REV - 02 PAGE 3 OF 37

2.11 EDP-AA-080, "Design Change Forms" 2.12 EDG-AN-01, "Guidelines for S&EA Review of Modification Request" 2.13 EDP-AN-01, "Control of System Notebooks for Probabilistic Safety Assessment" 2.14 EDG-AN-03, "Content and Review of System Notebooks for the Level 1 Probabilistic Safety Assessment (PSA) and Control of PSA Information" 2.15 OSP-0037, "Shutdown Operations Protection Plan" 2.16 GEN-00, "General Level 1 PSA Results System Notebook" 2.17 LI-101, "10CFR 50.59 Review Program" 3 DEFINITIONS 3.1 Available - The status of a system, structure or component (SSC) that is in service or can be placed in service in a functional state by immediate manual or automatic actuation.

Credit for immediate automatic action may be taken provided the response is rendered by a dedicated plant operator, the prescribed action is appropriately controlled by established procedures, and the action is expected to produce an automatic initiation (if required) of the out-of-service SSC in the event of an actual demand. For a SSC requiring manual action, established procedural guidance and any applicable time restraints must not be impaired in order to maintain availability. Otherwise, the dedicated operator rules apply to manual actuation as well as to automatic actuation. For example, weekly testing of the diesel air compressor does not incur unavailability time since manipulation of the diesel air compressor and all associated components are procedurally controlled. However, danger tagging the diesel air compressor outlet valve would incur unavailability time since extrordinary meaures must be taken to place the compressor in service.

Dedicated Operator Rules:

Dedicated Operators can only be used when the task involves a test (e.g., surveillance test, PEP, etc.)

o The approved test procedure for the task being performed must contain written instructions for the dedicated operator that include the actions necessary to restore the equipment as well as the cues which will require that action to be taken. Alternative procedures that contain similar restoration steps but are not specifically written for the test being performed may not be used.

Prompt restoration of the equipment must be possible by a dedicated individual stationed either remotely (control room) or locally.

The restoration tasks must be uncomplicated, such as a single action and not require diagnosis, repair or administrative control removal (e.g. clearing of protective tags).

ADM-0096 REV - 02 PAGE 4 OF 37

A locally stationed dedicated operator must be positioned at a location throughout the test which will not impede or delay restoration of the equipment if a valid demand should occur. A dedicated operator stationed in the Main or Auxiliary Control Room may be an onshifi watchstander; however they should not be performing tasks that will impede or delay restoration. Fire Brigade members should not be used as dedicated operators.

A locally stationed dedicated operator must establish communication with the control room.

A dedicated operator must be an individual on plant staff qualified to perform the required action. They do not necessarily need to be a member of the Operations Department.

3.2 Blended Approach to Risk Management - an approach to risk management which combines qualitative and quantitative perspectives to achieve a total risk understanding.

3.3 Core Damage - uncovery and heatup of the reactor core to the point where prolonged clad oxidation and severe fuel damage is anticipated.

3.4 Core Damage Frequency (CDF) - the frequency of combinations of initiators, equipment failure, and human error events leading to core damage. CDF is normally expressed in a per year of power operation basis.

3.5 Core Damage Probability (CDP) - The incremental risk of core damage in a specified period of time. CDP = ACDF

Atime where ACDF is the change in CDF with respect to the zero maintenance CDF.

3.6 Emergent Activities - Activities/equipment problems that are not part of scheduled work and that are not previously accounted for by Scheduling's risk evaluation.

3.7 Equipment Out of Service Monitor (EOOS) - the quantitative risk assessment tool used at River Bend. EOOS is based on the River Bend Level 1 PSA model, and provides output in the form of the Plant Safety Index (PSI) and color codes for key safety system functions.

3.8 External Events - An event that initiates outside of the plant systems that can affect the operability of plant systems, such as a seismic event, fire, or external flood.

3.9 Importance Measure - A measure that gives the relative significance of an item to the overall quantitative result. For the EOOS monitor, the Importance provided is a multiplier to core damage frequency if the SSC is removed from service.

3.10 Large, Early Release - A large, early release is a radioactive release from containment that is both large and early. Large is defined as involving the rapid, unscrubbed release of airborne fission products to the environment. Early is defined as occurring before the effective implementation of the off-site emergency response and protective actions.

3.11 Large, Early Release Frequency (LERF) - The likelihood of a large, early release of radioactive material from containment per year.

ADM-0096 REV - 02 PAGE 5 OF 37

3.12 Large, Early Release Probability (LERP) - The incremental risk of large, early release from containment in a specified period of time. LERP = ALERF

Atime.

3.13 Maintenance Rule: 10CFR50.65, "Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" - The paragraph applicable to risk assessment is as follows: 10CFR50.65(a)(4): Before performing maintenance activities (including but not limited to surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities. The scope of the assessment may be limited to those structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety.

3.14 On-Line Maintenance - For the purpose of this procedure on-line maintenance is any plant maintenance activity performed during Operating Modes 1, 2 or 3.

3.15 Probabilistic Safety Assessment (PSA) - PSA is a quantitative assessment of the risk associated with plant operation and maintenance. The risk is measured in terms of the frequency of occurrence of different events, including severe core damage. The Level 1 PSA determines core damage frequency. The Level 2 PSA models releases due to containment failures, as well as containment failure mechanisms.

3.16 Power Operating Condition - Plant modes I or 2.

3.17 Qualitative Risk Management - An evaluation of the risk of maintenance based on judgement in which a broad spectrum of potential impacts on plant safety and operation are considered. These may include, but are not limited to: Technical Specifications, defense in depth (redundancy), impact on key safety functions, external events, Level 2 impacts, licensing commitments, scram sensitivity, radiological/ALARA, personnel safety, economics, industry operating experience, engineering judgement, and relative risk impacts of on-line vs. shutdown maintenance.

3.18 Quantitative Risk Management - A technique involving the use of PSA calculations to assess the risks of taking equipment out of service to perform maintenance. At RBS, the EOOS computer monitor is used to perform the PSA calculations in support of risk assessments for maintenance activities.

3.19 Risk - the probability of an undesired accident consequence, such as core damage or the large early release of fission products to the environment.

3.20 Risk Increase - the amount of increase in the overall risk if a set of components were assumed completely unavailable.

3.21 Severe Accident - an accident that results in catastrophic fuel rod failure, core degradation, and the release of fission products into the reactor vessel, the reactor containment building, or to the environment.

3.22 Unavailable - The fraction of time in which a structure, system, or component is not available.

ADM-0096 REV - 02 PAGE 6OF 37 ADM-0096 REV-02 PAGE6OF37

4 RESPONSIBILITIES 4.1 Safety Analysis 4.1.1. Provide and maintain a PSA model for developing an EOOS model 4.1.2. Provide, support, and maintain the EOOS model for performing quantitative configuration risk assessments 4.1.3. Provide support in the performance of quantitative and/or qualitative assessments of plant risk, when necessary 4.1.4. Provide guidance to EOOS users on its limitations, and how to qualitatively evaluate External Events, Level 2 impacts, and SSCs outside of the EOOS scope 4.1.5. Provide training for the use of the EOOS model 4.2 Central Probabilistic Safety Analysis 4.2.1. Provide routine PSA model updates for the EOI sites 4.2.2. Provide PSA software (including EOOS) upgrade, testing, qualification, and error reporting support for the EOI sites 4.2.3. Provide guidance in developing PSA related processes and in assuring reasonable standardization between the EOI sites 4.2.4. Provide guidance for transferring PSA best practices at all the EOI sites 4.3 Planning & Scheduling / Outage 4.3.1. Perform a risk assessment of scheduled on-line maintenance based on the final schedule issued prior to the workweek using EOOS and qualitative guidance.

The assessment will be performed prior to the beginning of the workweek.

4.3.2. Perform a risk assessment of on-line maintenance during the workweek on a daily basis during normally scheduled workdays using EOOS and qualitative guidance. This assessment will look 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in advance and will account for current emergent work items, emergent plant conditions, emergent external conditions, and changes in scheduled items.

4.3.3. Assist Operations with performance or review of emergent equipment out of service/unscheduled maintenance assessments when requested.

4.3.4. Ensure OSRC review and approval is obtained prior to a preplanned entry into an "Orange" risk level condition.

ADM-0096 REV - 02 PAGE 7 OF 37

4.3.5. Contact the department that is responsible for implementing a compensatory measure established as a risk management action to reduce the risk impact during a planned maintenance activity that is expected to be in place greater than 90 days or has been considered in the weekly risk assessment for greater than a two week time period. This is to ensure the department is aware of the requirement to perform a 50.59 review if the compensatory action is expected to be in effect during power operation for greater than 90 days.

4.4 Operations NOTE Risk assessments should normally be performedpriorto plant maintenanceincluding emergent work Risk assessmentsperformed due to emergent equipment out of service or unscheduled maintenanceshould not interfere with, or delay, the operatorand/or maintenancecrewfrom taking timely actions to restore the equipment to service or take compensatoryactions.

4.4.1. Perform/verify/review risk assessments of maintenance activities as they are actually performed including emergent equipment out of service/unscheduled maintenance conditions within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of occurrence using EOOS and qualitative considerations. IF the component has been returned to service before performance of the assessment, THEN no risk assessment is necessary.

4.4.2. Perform a risk assessment of on-line maintenance that looks 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in advance on a daily basis during the days that are not normally scheduled work days for Planning & Scheduling / Outage (Saturday, Sunday, off Fridays and holidays).

EOOS and qualitative guidance will be used. The assessment will account for current emergent work items, emergent plant conditions, emergent external conditions and changes in scheduled items. Updates to the existing assessment should be done on night shift throughout the week as necessary.

4.4.3. Ensure General Manager / Designee approval is obtained prior to voluntary entry into an "Orange" risk level condition or the General Manager / Designee is notified upon emergent entry into an "Orange" or "Red" risk level condition.

4.5 All Organizations and Personnel 4.5.1. Responsible for contributing qualitative risk insights in proportion to their knowledge and familiarity with affected plant systems and the specific maintenance activity under consideration. Anyone performing plant maintenance or tests, which makes equipment unavailable is responsible for informing the Work Management Center, during normal working hours, or the Control Room prior to starting a maintenance/testing activity. This will ensure all maintenance is considered in the risk assessment.

ADM-0096 REV - 02 PAGE 8 OF 37 ADM-0096 REY-02 PAGE8OF37

5 PROCEDURE 5.1 Requirements 5.1.1. Paragraph (a)(4) of the Maintenance Rule (10CFR50.65) requires a proceduralized risk-informed assessment process to manage the risk associated with maintenance activities.

I. To be included in the power operating condition risk assessment are SSCs modeled in the site's Level 1 PSA model and high safety significant (risk significant) SSCs per the Maintenance Rule that are not in the PSA model,

2. To be included in the shutdown risk assessment are those SSCs necessary to support the following key shutdown safety functions:

"* Decay Heat Removal

"* Inventory Control

"* Power Availability

"* Reactivity Control

"* Containment In addition to the five key safety functions, other areas to be monitored on a qualitative basis are:

Internal / External Flooding

Severe Weather

Snubber Seismic Concerns 5.1.2. The risk assessment program at River Bend includes provisions for:

1. the control and implementation of a Level-1 internal events, PSA informed methodology (EOOS) to assess the risk of equipment maintenance,

2. performing risk assessments prior to scheduled maintenance activities,

3. performing risk assessments for unscheduled maintenance activities,

4. assessing the need for additional actions after discovery of equipment out of service, ADM-0096 REV - 02 PAGE 9 OF 37

5. qualitatively considering risk significant issues, such as containment performance and external events risks (safety impact of activities such as removing or rerouting safety related cables and removing or reclassifying fire barriers is controlled as part of the Appendix R Fire Protection Program),

6. performing risk assessments for maintenance and testing activities during modes 4 and 5 in accordance with OSP-0037, "Shutdown Operations Protection Plan".

5.1.3. A compensatory measure that is established as a risk management action to reduce the risk impact during a planned maintenance activity and is expected to be in effect during power operation for greater than 90 days shall have a 50.59 review performed on the impact of the measure taken. When a compensatory action is expected to be considered in the weekly risk assessment for greater than a 90 day period during power operation Planning and Scheduling / Outage will contact the department that is responsible for the implementation of the compensatory measure to ensure they are aware of this requirement. The department that implements the compensatory action is responsible for tracking the time frame and performing the 50.59 evaluation.

For cases where the compensatory measure is not expected to be in place for greater than 90 days during power operations Planning and Scheduling will still contact the responsible department if the compensatory measure is considered in the weekly risk assessment for greater than a two week time period to ensure advanced notice is made in case the compensatory measure is extended.

5.2 Key Elements of risk assessment and how Paragraph (a)(4) of the Maintenance Rule is met.

5.2.1. Key Element 1: Implementation of Paragraph (a)(4) of the Maintenance Rule

1. Included in the risk assessment for modes 1, 2 and 3 are SSCs modeled in the site's Level 1 PSA model and high safety significant (risk significant)

SSCs per the Maintenance Rule that are not in the PRA model. A risk assessment is performed when any SSC in this scope is taken out of service for scheduled, unscheduled or emergent maintenance activities.

These SSCs are included in the EQOS Tool or the qualitative guidance provided by this procedure.

2. The PSA-informed quantitative assessment tool used at River Bend is the EOOS risk monitor.

ADM-0096 REV - 02 PAGE 10 OF 37 ADM-0096 REV-02 PAGE100F37

3. The risk assessment requirements of Maintenance Rule paragraph (a)(4) for the different plant modes will be invoked as follows:

Mode 1 Planning & Scheduling / Outage will perform a risk assessment of scheduled on-line maintenance based on the final schedule issued prior to the workweek. The assessment will be performed prior to start of the workweek. When entering mode 1 after a plant shutdown this step may not be performed until a weekly schedule has been established.

Planning & Scheduling / Outage will also perform a risk assessment of on-line maintenance during the workweek on a daily basis during normally scheduled workdays using EOOS and qualitative guidance.

This assessment will look 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in advance and will account for current emergent work items, emergent plant conditions, emergent external conditions and changes in scheduled items.

Operations will perform risk assessments of on-line maintenance as it is actually performed, including emergent equipment out of service/unscheduled maintenance conditions within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after occurrence. Plant conditions and all on-line maintenance that is being performed should be considered each time the risk assessment is performed. An assessment for emergent work is not required if the equipment has been returned to service prior to performing the assessment. Operations will also perform a risk assessment of on-line maintenance that looks 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in advance on the days that are not normally scheduled work days for Planning & Scheduling / Outage (Saturday, Sunday, off Fridays and holidays). EOOS and qualitative guidance will be used. The assessment will account for current emergent work items, emergent plant conditions, emergent external conditions and changes in scheduled items. Updates to the existing assessment should be done on night shift throughout the week as necessary.

If an additional SSC becomes unavailable/non-functional during a scheduled activity, Operations personnel will perform a risk assessment within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months with the same exception as above.

ADM-0096 REV - 02 PAGRF I11I OF 17 ADM-0096 REV-02 PACE 0F37

Mode 2 and 3 Operations will perform risk assessments of maintenance as it is actually performed including emergent equipment out of service/unscheduled maintenance conditions within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of occurrence. Plant conditions and all on-line maintenance that is being performed should be considered each time the risk assessment is performed. An assessment for emergent work is not required if the equipment has been returned to service prior to performing the assessment.

If an additional SSC becomes unavailable/non-functional during a scheduled maintenance activity, Operations personnel will perform a risk assessment within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months with the same exception as above.

Mode 4 and 5

The risk assessment will be performed in accordance with OSP-0037, "Shutdown Operations Protection Plan" and the qualitative guidance provided in attachment 4 tables 2, 3 and 4.

5.2.2. Key Element 2: Control and Use of the Risk Assessment Tool

1. Plant modifications will be monitored, assessed and dispositioned by the Safety Analysis Group through the ER Review Process (References 2.10, 2.11 and 2.12). Safety Analysis will also review changes to Operations' procedures, which may impact the PSA model.

2. Evaluations of changes in plant configuration or PSA model features can be implemented by PSA model changes or by a qualitative assessment of the impact of the changes on the assessment tool. Since changes to the PSA take time to implement, the qualitative assessment is an effective risk assessment alternative that also facilitates sound engineering judgment.

3. Limitations of the on-line maintenance assessment tool are identified in this procedure.

4. This procedure provides guidance on the use of the on-line maintenance risk assessment tools, including the process for when outside the scope of the quantitative assessment tool. This procedure also describes the requirements and precautions for different resultant risk levels from the assessment tool.

5. Written guidance on the update and control of the Level 1 PRA model (the input to the quantitative assessment tool) is documented in Safety Analysis departmental procedures and guidelines (references 2.13 and 2.14).

ADM-0096 RIEV - 02 PAGE 12 OF 37 PAGEI2OF37 AiDM-0096 REV-02

5.2.3. Key Element 3: Level I Risk-Informed Assessment

1. The quantitative assessment tool is based on a Level 1, internal events PSA model. Assessments may use any combination of quantitative and qualitative input, including EOOS, pre-existing calculations, and new PSA analyses.

2. Quantitative assessments are the preferred method for Level 1 assessments, and should be performed when the EOOS model is available, with applicable qualitative considerations included. A blended approach combining qualitative and quantitative perspectives should be applied when using EOOS.

3. When the quantitative assessment tool is not available or the assessment scope is outside the scope of the EOOS risk monitor, qualitative assessments shall be performed. Qualitative assessments should consider applicable, existing insights from quantitative assessments previously performed. Guidance for making qualitative assessments for on-line maintenance is provided in this procedure 5.2.4. Key Element 4: Level 2 Issues/External events

1. Excluded from the scope of EOOS are, external events such as seismic, external floods, and Level 2 impacts. These issues are treated qualitatively, with the guidance provided in this procedure for on-line maintenance.

5.3 Risk Assessment Overview 5.3.1. The Risk Assessment Program is a "Risk- Informed Program", not a "Risk Tool Based Program". This means that the quantitative results provided by the EOOS software must be blended with the qualitative guidance, in order to provide a complete risk picture of the situation. Decisions should never be made based on the EOOS results alone.

5.3.2. EOOS is the software program used to calculate risk for a specific plant configuration. The output is color codes for key system functions and a value called the Plant Safety Index (PSI). EOOS, being a risk based tool, calculates Core Damage Frequency (CDF), based on specified equipment out of service, and converts CDF into the relative PSI scale. Qualitative factors (such as industry operating experience, personnel judgment, etc.) must also be used for fully assessing the effects of equipment out of service on plant risk.

ADM-0096 REV - 02 PAGE 13 OF -37 ADM-0096 REV -02 PAGE 13 OF 37

5.3.3. The Planning & Scheduling / Outage Department, with assistance from the other individuals involved in the work management process, normally performs qualitative and quantitative reviews on proposed maintenance schedules to verify that the scheduled activities represent an acceptable risk to both personnel and plant safety. The Operations Department plays a key role in evaluating the level at which the plant is at risk for Core Damage. Because risk is best calculated on existing plant conditions, on-shift personnel are in the best position to assess risk calculations for maintenance/testing as it is occurring and as emergent equipment out of service issues occur, so immediate actions to minimize plant risk can be taken when necessary.

5.4 Control of Cumulative Risk Cumulative risk is a measure of overall, continuous risk management. Cumulative risk data is developed from maintenance unavailabilities gathered by Reliability Systems personnel for the Maintenance Rule program. This information involves a set of significant systems and is incorporated into the River Bend PSA to estimate core damage frequencies for the time period in question. Safety Analysis tracks cumulative risk and periodically reports results to management, typically on a cyclical basis.

5.5 When to Use EOOS and/or Qualitative Methods 5.5.1. A risk assessment shall be performed for any mode of operation. The following provides guidance for each operational mode:

I. Mode 1 and 2: The on-line EOOS model and qualitative guidance in Attachment 4 should be used as the risk evaluation tools.

2. Modes 3: The on-line EOOS model and qualitative guidance in Attachment 4 should be used as the risk evaluation tools. In some cases the on-line EOOS model will be more conservative in mode 3 than in modes 1 and 2. Due to this conservatism the SA group may need to be contacted under certain conditions when using on-line EOOS in mode 3 (reference step 5.6.7).

3. Modes 4 or 5: Risk is assessed via the Shutdown EOOS model, the Outage Risk Assessment Team (ORAT), OSP-0037, Shutdown Operation Protection Plan and the qualitative guidance provided in attachment 4 tables 2, 3 and 4.

ADM-0096 AD-096 REV - 02 PAGE 14 OF 37

5.5.2. The scope of equipment included in the Risk Assessment Program for on-line maintenance is all SSCs modeled in the plant Level 1 PSA model and all high safety significant (risk significant) SSCs per the Maintenance Rule not in the PSA. Therefore, when one or more of these SSCs becomes unavailable an assessment which considers both the quantitative (EOOS tool) .dd qualitative (e.g., Level 2 and External Events) aspects of risk is performed. IF an assessment has been performed, AND an additional SSC within the specified scope becomes unavailable, THEN the assessment must be re-performed. iF the SSC in question is not in this scope, THEN no risk assessment is necessary.

5.5.3. In order to determine if an SSC is within the specified scope of the on-line maintenance program, EOOS, and Attachment 4, Qualitative External Events and Level 2 SSC Consideration should be referenced. IF the item is selectable in EOOS, THEN it is within the scope. Also, IF the item is discussed within Attachment 4, THEN it is within the scope.

5.5.4. IF the EOOS tool is not available for on-line maintenance assessments, THEN use attachment 5 along with qualitative assessment techniques. IF the SSC in question is not in EOOS AND is high risk significant per the Maintenance Rule, THEN perform a qualitative assessment. Guidance for the qualitative assessments for on-line maintenance is located in Section 5.8, How to Use Qualitative Methods. The degree of depth and rigor used in assessing and managing the risk of the SSC out of service should be commensurate with the complexity of the configuration under review.

5.5.5. Performance of the assessment should not interfere with or delay taking timely actions to restore equipment to service or taking compensatory actions. IF the component has been returned to service before performance of the assessment, THEN no risk assessment is necessary.

5.6 EOOS and PSA Limitations 5.6.1. The EOOS Monitor is based on the PSA analysis for River Bend Station. The PSA is only one element of risk management for a nuclear power plant. Other elements of risk management are addressed qualitatively.

5.6.2. The PSA attempts to realistically model the plant response to a number of plant transients. To do this realistic assumptions are made for system response, equipment failure rates, human reliability, etc.

5.6.3. The EOOS Monitor measures nuclear safety only with respect to core damage.

Intermediate measures such as need for ADS and risk beyond core damage such as containment failure and release of radiological dose to the public are not considered.

ADM-0096 REV - 02 PAGE ADM-0096 REV -02 PAGE 1515 OF OF 37 37

5.6.4. Core damage, as defined in the EOOS Monitor and other PSA-based applications, does not necessarily correspond to the fuel failure (i.e., clad damage) discussed in USAR Chapter 15 non-LOCA safety analysis events.

Core damage as measured by the EOOS Monitor and by PSA models refers to severe core damage due to long term loss of decay heat removal. Clad damage due to short term transients where fuel safety limits (e.g., MCPR) are exceeded can result in the release of fuel element gap activity without damaging the fuel pellets but is not considered as a CDF contribution.

5.6.5. No instrumentation necessary for plant monitoring and operation is modeled (i.e. - annunciators, etc.). Only instrumentation needed for automatic ESF actuation is modeled. It is the responsibility of the assessor to determine what effect the instrumentation will have on the safety function of a system, and take the system train OOS in EOOS if necessary.

5.6.6. In general, EOOS does not calculate the impact on risk due to accidents such as fire, seismic event, high winds, external flooding, and other external hazards. EOOS does have the capability to modify results based on weather severity and trip sensitivity. However, this does not include the full range or extent of possible external events. In most cases, the impact of external events is controlled by administrative procedures, such as the roving fire watch, the review of seismic qualification of scaffolding, design practices, etc. The safety impact of activities such as removing or re-routing safety related cables and removing or reclassifying fire barriers is controlled as part of the Appendix R Fire Protection program. A qualitative guide for assessing external events for on-line maintenance is found in Attachment 4.

5.6.7. The SA group may need to consider uncertainties for complex and unusual situations.

5.7 Operation of EOOS for On-line Maintenance Decision Making This guidance is appropriate for use by all plant organizations such as Operations, Planning & Scheduling / Outage Management and SA. Additional details about EOOS and its operation are available in Reference 2.6 (the EOOS User's Manual).

NOTE The PSA results alone are not adequateto control risk. Risk should be managed using a blended approach; accountingfor quantitativePSA based insights, engineeringjudgment, and operatingexperience (References 2.4 and 2.5).

ADM-0096 REV - 02 PAGE 16 OF 37 ADM-0096 REV-O2 PAGEI6OF37

5.7.1. Using EOOS to Determine Core Damage Frequency Risk

1. Use the Remove button to select systems, trains, or components to remove from service that will be unavailable.

2. Choose whether the activity is a system outage, a train outage, or component outage.

3. IF the activity is a system or train outage or a test, THEN select the item that most represents the activity. IF the activity is a component outage, THEN select the system designator and THEN the component.

4. Click on the item to highlight it. Then click on the Add button. The PSI value should change from a number to a question mark.

NOTE System alignments in EOOS need to be checked priorto runningcalculation to ensure that accurateresults will be generated.

5. Use the Alignment button on the BOOS Operator Screen to select the operating trains for the normally running systems in EOOS. The Alignment button gives alignments for such items as Control Building HVAC, Normal Service Water, Service Water Cooling, Reactor Plant and Turbine Plant Component Cooling Water, Instrument Air, and the suction sources for HPCS and RCIC (CST or Suppression Pool). System alignments can be important to the overall core damage risk to the plant.

The diesel generators and the ECCS pumps should not be checked unless they are actually running. However, the standby lineup of the CST or suppression pool for HPCS and RCIC should be indicated, i.e., click on either the CST or the suppression pool for HPCS and also for RCIC to show its suction source. There is also a provision to indicate which Division is connected to the Division III EDG. Under the menu item called DIV3LEADS, either the Div I or the Div II lead to the Div III EDG should be selected. This feature adds realism to the model and enables risk evaluations involving on-line performance of 24-hour EDG tests.

Another menu item, ENS-ALN, called alternate ENS alignments, allows aligning the ENS-SWGIB bus to transformer RTX-XSR1C instead of its normal alignment to RTX-XSR1D. Similarly, the ENS-SWGIA bus can be aligned to RTX-XSRlD instead of its normal alignment to RTX XSR1C. Selections under this menu (ENS-ALN) should only be made if evaluation of an alternate ENS alignment is needed. The normal lineups require no selections under this menu.

ADM-0096 REV - 02 PAGE 17 OF 37 ADM-0096 REV-O2 PAGEI7OF37

NOTE When calculatingCDF,SA determines the authorizedmethod of quantification at the network level. Altering quantificationmodes can cause inaccurateresults.

6. Calculate the PSI value by clicking on the Calculate button.

5.7.2. Instantaneous Risk Color Codes in EOOS One output from EOOS is a number called the Plant Safety Index (PSI), which represent River Bend's risk for core damage with the specified equipment out of service. This number ranges from I to 10, in 0.1 increments. A value of 10 represents the safest plant configuration with minimal risk for core damage, while 1 represents a very unsafe condition. This range has been divided into four areas of risk significance, each with its own color designation.

Attachment 1 provides a description of the color transition points in terms of operational significance. Color code transition values and changes to them are approved by the Manager - SA. Below are the four-color codes associated with on-line maintenance risk assessment and the actions that should be taken:

Green is considered a minimal risk. Normal work controls are sufficient.

Yellow is considered an acceptable risk. Measures should be taken to ensure that subsequent maintenance activities do not increase risk to a higher risk level color (orange or red condition).

Orange is considered high risk. It is anticipated that entry into an "Orange" region will be relatively infrequent. While infrequent entry into an "Orange" condition is acceptable, written guidance/contingency plans should be developed if this condition will be entered voluntarily. General Manager /

Designee approval for voluntary entry, or notification upon emergent entry is required. OSRC review and approval is required for a preplanned "Orange" condition. Maintenance causing an "Orange" condition should be considered for continuous coverage. IF this condition is a result of emergent work, THEN steps should be taken to restore any equipment out for testing that could improve the Plant Safety index.

ADM-0096 REV - 02 PAGE ADM-0096 REV-02 PAGE IS 18 OF 0F3737

Red is considered an unacceptably high risk and should not be entered voluntarily. Note that a "Red" risk condition typically overlaps conditions prohibited by Technical Specifications or conditions requiring entry into a Technical Specification Action. General Manager / Designee notification is required upon entering a "Red" condition from emergent activities. IF an entry into a "Red" condition occurs (e.g., due to equipment failures), THEN steps should be taken to restore any equipment out for testing that could improve the plant PSI index. Timely actions should be taken to reduce plant risk by either restoring inoperable or unavailable equipment or to put the plant in a safer condition (e.g., reduce power or shutdown), taking into account any risk associated with the transient required to achieve the safer state.

When risk color codes are obtained from EOOS and one or more of the tables in attachment 4 then the highest risk color should be used for the overall plant risk color.

5.7.3. Running "What if?" Scenarios in EOOS ("What-if' Mode Selection)

1. The default mode of EOOS is a real-time monitor that writes to the EOOS history file. Running "What if' cases enables the user to evaluate hypothetical situations without writing to the EOOS history file. The default mode of EOOS should be used when the user wants to make an official entry into EOOS preserved by the history file. The what-if mode should be used when evaluating hypothetical situations.

2. Clicking on the "What if' button causes entry into the "What if' dialog box. This dialog box has the appearance of a split screen with the parent scenario on the left and the "What if' scenario on the right.

3. Clicking on the appropriate features, such as the operator status panel buttons, equipment removal screens, and calculate button should be done to develop and evaluate the "What if"' case. These features are only available for the "What if' case on the right side of the screen and they function just as they do in the default mode. All of the normal EOOS functions are available in the "What if' mode.

5.7.4. Other Variables (Environment)

1. The Environment button on the EOOS Operator Screen allows the user to account for other aspects that affect plant safety.

2. The Severe Weather bar allows the user to increase or decrease the likelihood of a loss of off-site power based, on the weather conditions.

This bar is especially important when performing Diesel Generator or Standby Service Water maintenance. This bar allows for 2 positions, normal weather (low risk) and AOP-0029 entry conditions (high risk).

The Severe Weather bar should be changed when AOP-0029 is entered and the PSI should be recalculated in EOOS.

ADM-0096 REV - 02 PAGE ADM-0096 REV-02 PACE 19 OF 37 190F37

3. The Scram Frequency bar allows the user to increase the likelihood of a scram based on scram sensitive equipment out of service. This bar has two positions, low risk and high risk. The bar should normally be on low risk and should be moved to high risk when a half scram will be inserted.

Repeated short term scram signal insertion 'for testing may be evaluated once by leaving the bar at high risk throughout the time period the scram signals will be inserted rather than moving the bar from low risk to high risk repeatedly.

5.8 How to Use Qualitative Methods 5.8.1. Qualitative methods should be used:

1. To supplement the internal risk analysis performed by EOOS

2. When assessing the risk significance of external events or SSCs not modeled in EOOS

3. When the EOOS program is not available 5.8.2. Attachment 4, Qualitative External Events and Level 2 SSC Consideration, and Attachment 5, Level I Evaluation Table for use when EOOS is out of Service, are available as tools to assist in the necessary on-line maintenance evaluations. These attachments should be used as follows:

"* Attachment 4: This attachment should be used in conjunction with EOOS or Attachment 5, depending on EOOS availability.

"* Attachment 5: This attachment should be used in conjunction with Attachment 4 for components in the PSA model, when EOOS is unavailable.

5.9 EOOS Monitor Configuration Management NOTE Only SA personnel are authorizedto make changes to the administrative features ofEOOS. This includes selection of quantificationmethod, color code transitionpoints, and any other administrator-levelfeatures of EOOS. In addition,files internal to EOOS are not to be changedby anyone except SA personnel or by the code itself duringa calculation. Failureto adhere to this guidance can result in inaccuraciesor disable EOOS.

ADM-0096 REV - 02 PAGE 20 OF -37 ADM-0096 REV -02 PAGE 20 OF 37

5.9.1. The EOOS Feedback form in Attachment 2 is provided to allow the user to request SA evaluation of model-specific information in the EQOS Monitor and document potential deficiencies in the EOOS Monitor. Examples of the uses of the form include; Plant Safety Index too high or low, the need to add or delete systems, trains or components within EOOS, and modifications to the system status panel.

6 DOCUMENTATION 6.1 No requirements currently exist for the documentation of the risk assessment process; however, it has been emphasized that the assessments should be repeatable and comprehensible. This is accomplished though the proceduralized process described above.

ADM-0096 REV - 02 PAGE 21 OF 37

ATTACHMENT 1 PAGE 1 OF I RIVER BEND STATION COLOR DETERMINATION COLOR MEANING BREAK POINT SETTING FOR ON LINE MAINTENANCE GREEN Non-risk significant, no action Lower limit corresponds to two times zero necessary maintenance CDF.

YELLOW Acceptable risk increase, Lower limit corresponds to one train of increase awareness of standby service water (SWP) out of service maintenance advised. (train A).

ORANGE Potentially risk significant, Lower limit corresponds to SWP train A contingency plans needed. and the train B diesel generator out of service OR NEI 93-01 limit', whichever is lower.

RED Risk significant, do not enter Risk greater than SWP train A and diesel Ivoluntarily. generator train B out of service.

Note: For color break point values refer to GEN-00 (reference 2.16) or the EgOS monitor.

NEI 93-01 Section 11.3.7.2 explains that the EPRI PSA Applications Guide (EPRI TR-105396), section 4.2.3.

includes guidance for evaluation of temporary risk increases. The guidance is as follows: The configuration specific CDF should be considered in evaluating the risk impact of the planned maintenance configuration.

Maintenance configurations with a configuration-specific CDF in excess of 10' 3/year should be carefully considered before voluntarily entering such conditions. If such conditions are entered, it should be for very short periods of time and only with a clear detailed understanding of which events cause the risk level.

ADM-0096 REV - 02 PACE 22 OF 37

ATTACHMENT 2 PAGE I OF 1 EOOS FEEDBACK FORM (TYPICAL)

S~ EOOS FEEDBACK FORM ENTERGY o Plant Safety Index "o Much larger Core Damage Frequency than expected "o Much smaller Core Damage Frequency than expected Situation:

ol System, Train, Component Addition/Deletion EJ System 0 Train C1 Component ID Name System Impact:

o Containment Failure Impact PSI Value SSCs Out of Service:

O System Status Panel O Add System to Status Panel O Add ability to take system/train in or out of service from Status Panel O Other

==

Description:==

11 Problem

Description:

Resolution:

ADM-0096 REV - 02 PAGE 23 OF 37

ATTACHMENT 3 PAGE I OF2 EOOS AND NON EOOS SAFETY SIGNIFICANT SYSTEM LIST EOOS Systems Name System Description System No 120VAC 120 Volt AC Electrical Distribution 304 125V 125 Volt DC Electrical Distribution 305 230KV 230 KV Electrical Distribution 300 ADS Automatic Depressurization System 202 B21 Nuclear Boiler Instrumentation 051 ClI Control Rod Drive - Hydraulic 052 C71 Reactor Protection System 508 CCP Reactor Plant Component Cooling Water 115 CCS Turbine Plant Component Cooling Water 116 CES Containment Atmosphere & Leakage Monitoring 552 CNM Condensate System 104 CNS Condensate Makeup Storage and Transfer 106 DIV 3 Division III Electric Power - 4.16 KV and 480 VAC 203 E22-DG HPCS Diesel Generator 203,309 EGA Standby Diesel Generator Air Startup System 309 EGE Diesel Generator Exciter Cabinets 309 EGF Standby Diesel Generator Fuel Oil System 309 EGO Standby Diesel Generator Lube Oil System 309 EGS Standby Diesel Generator System 309 EGT Standby Diesel Generator Jacket Cooling Water System 309 EHS Emergency 480 VAC Motor Control Centers 303 EJS Emergency 480 VAC Load Centers 303 ENS Emergency 4.16 KV Electrical Distribution 302 FPW Fire Protection Water 251 FWL Feedwater Water Lube Oil System 107 FWR Feedwater Pump Recirculation 107 FWS Main Feedwater System 107,501 G33 Reactor Water Cleanup System 601 HPCS High Pressure Core Spray 203 HVC Control Building HVAC 402 HVK Control Building Chilled Water System 410 HVP Diesel Generator Building I-VAC 405 HVR Aux. Building and Containment HVAC 403,409 HVY Yard Structure Ventilation (HVY UC 1 only) 414 LAS Instrument Air System 122 ISC Nuclear Steam Shutoff System (Note 1) 058 LPCS Low Pressure Core Spray 205 LSV Penetration Valve Leakage Control System 255 MSS Main Steam System 109 NHS Normal 480 VAC Motor Control Centers 303 NNS Normal 4.16 KV Electrical Distribution 302 NPS Normal 13.8 KV Electrical Distribution 301 NSW Normal Service Water 118 ADM-0096 REV - 02 PAGE 24 OF 37 ADM-0096 REV -02 PAGE 24 OF 37

ATTACHMENT 3 PAGE 2 OF 2 EOOS AND NON EOOS SAFETY SIGNIFICANT SYSTEM LIST EOOS Systems Continued RCIC Reactor Core Isolation Cooling 209 RCS Reactor Recirculation and Flow Control 053 RHR Residual Heat Removal System 204 SAS Air - Service 121 SLC Standby Liquid Control System 201 SPC Suppression Pool Cleanup, Cooling, and Alt. Decay Heat 656 Removal SVV Safety Relief Valves 202 SWC Service Water Cooling System 130 SWP Standby Service Water System 256 Note 1: Although the Nuclear Steam Supply Shutoff System (NSSSS) is not explicitly modeled, functions of the NSSSS (automatic actuations) are included in the model.

Non EOOS Safety Significant Systems CPP Containment Purge 254 CPM Containment Hydrogen Mixing 254 HCS Hydrogen Recombiner System 254 RVS Reactor Pressure Vessel and Internals 050 Primary Containment - CIVs 000 ADM-0096 REV - 02 PAGE 2525 OF ADM-0096 REV -02 _ PACE OF 37 37

ATTACHMENT 4 PAGE 1 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Component:

Reason Out of Service:

Date/Time Out of Service:

Plant Mode (check one): 1 [-] 2F 3F STP/MAIICR number:

EVALUATION

1. Review Table 1 for all risk assessments.

2. For any applicable configurations, use additional tables referred to by Table 1.

3. Consider available contingency actions, as necessary:

Considerations Used and Reasoning (if applicable):

Contingencies (if applicable):

Performed by: /

(Signature) (Date/Time)

ADM-0096 REV - 02 PAGE 26 OF 37

-ATTACHMENT 4 PAGE 2 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Table 1: Review this checklist for all risk assessments. IF all boxes are "No", THEN no further evaluation is required.

TABLE I ALL RISK ASSESSMENTS APPLICABILITY PLANT CONFIGURATION REFER TO:

[] Yes E- No Maintenance that could increase the likelihood of an internal flood Table 2 (Note 1)

E- Yes '- No Flood barrier within plant OOS Table 2 DJ Yes [-- No Seismic snubber OOS (Note 2) Table 3

[] Yes [] No Severe weather warning, with tornado missile barrier OOS Table 4 E- Yes 0 No Exterior flood barrier or missile barrier OOS for extended time Table 4 E] Yes E] No Hydrogen Igniters or Analyzers (CMS) OOS Table 5

["] Yes [] No Drywell Structure Table 5 L" Yes L" No Containment Isolation System (1 of 2) or (2 of 3) valves in a CI Table 5 penetration failed open El Yes E3 No Containment Isolation System pathway open Table 5 Note 1: Internal floods are leak or rupture events located within plant buildings that lead to equipment failure by intrusion of water through submergence, spray, dripping, or splashing. Examples of maintenance activities that could increase the likelihood of an internal flood include freeze seal use and disabling an isolation valve.

Note 2: IF work package review has determined that snubber unavailability would not increase the likelihood of failure during a seismic event or IF RBNP-078 evaluation has determined the degraded snubber would not increase the likelihood of a seismic event, THEN no evaluation is required.

ADM-0096 REV - 02 PAGE 27 OF 37

ATTACHMENT 4 PAGE 3 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Table 2: Use this checklist for maintenance that could affect Internal Floods, TABLE 2 INTERNAL FLOODS PLANT CONFIGURATION RISKLEVELPOSSIBLE CONTINGENCY ACTIONS LEVEL Maintenance activities that Yellow

Establishing a flood watch could significantly increase the likelihood of an internal flood

Constructing temporary flood barriers that could disable safety significant equipment (Note 1)

Ensuring equipment capable of performing redundant functions are available and not subject to failure due Removal of key flood barriers Yellow to a common flood or repositioning of doors which increases the possibility of

Delaying or rescheduling the activity internal flooding disabling safety significant equipment

Minimize time in the condition (Note 1) ( Providing alternate barriers or closing doors to Maintenance that degrades or Yellow associated rooms removes flood equipment, such as opening floor plugs,

Increasing plant awareness to the vulnerability hindering floor drains, hindering flood-sensing devices 9 Ensuring flood monitors are functioning (Note 1) ( Suspending work with potential for initiating a flood event in associated area Note I: A more detailed PSA evaluation may determine a lower risk significance depending on the SSCs affected.

ADM-0096 REV - 02 PAGE 28 OF 37

ATTACHMENT 4 PAGE 4 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Table 3: Use this checklist for maintenance involving a Seismic Snubber OOS with a potential significant impact on safety important equipment in a seismic event.

TABLE 3 SEISMIC SNUBBER OOS PLANT CONFIGURATION RISKLEVELPOSSIBLE CONTINGENCY ACTIONS LEVEL Seismic-induced failure of Green N/A component supported by snubber could not cause an internal flood or failure of a safety function, either directly or via support system failures (Note 1)

Seismic-induced failure of Yellow e Minimize time in configuration component supported by snubber could cause an internal

Ensure redundant components and backup systems flood (Note 2) are operable Seismic-induced failure of Yellow component supported by snubber could result in failure of a safety function, either directly 2r via support system failures (Note 1) (Note 2)

Note 1: Safety functions are: (1) reactivity control, (2) RCS heat removal (feedwater), (3) RCS inventory control (safety injection, including recirculation), and (4) Containment integrity (both isolation and pressure/temperature control).

Note 2: A more detailed PSA evaluation may determine a lower risk significance depending on the SSCs affected.

ADM-0096 REV - 02 PAGE 29 OF 37

ATTACHMENT 4 PAGE 5 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Table 4: Use this checklist for Severe Weather or External Flooding, or maintenance that could affect plant response to these events.

TABLE 4 SEVERE WEATHER OR EXTERNAL FLOODING PLANT CONFIGURATION ... RISK LEVEL POSSIBLE CONTINGENCY ACTIONS Severe thunderstorm warning Yellow

Assume equipment protected by missile barriers is and tornado missile barrier is OOS and comply with Technical Specification OOS (Note 1) requirements Tornado warning and tornado Red

Restore missile barrier ASAP missile barrier is OOS (Note 1)

Exterior flood barrier or missile Yellow 0 Assume equipment protected by barriers is OOS and barrier OOS for an extended comply with Technical Specification requirements time (greater than 7 days) (Note

Install temporary barriers 1)

Exterior flood barrier or missile Orange

Restore barrier to service barrier OOS for an extended

Return any OOS redundant train equipment to service time (greater than 30 days)

(Note 1) _ _

Note 1: A more detailed PSA evaluation may determine a lower risk significance depending on the SSCs affected.

ADM-0096 REV - 02 PAGE 30 OF 37

ATTACHMENT 4 PAGE 6 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION Table 5: Use this checklist for PSA Level 2 Systems OOS.

TABLE 5 PSA LEVEL 2 SYSTEMS 00S PLANT CONFIGURATION RISK LEVEL LEVELPOSSIBLE CONTINGENCY ACTIONS Hydrogen Igniters or Analyzers Yellow

Comply with Technical Specification requirements

- 1 train OS Minimize duration of configuration Hydrogen Igniters or Analyzers Orange

- 2 trains OOS Drywell Structure Yellow

Comply with Technical Specification requirements I of 2 or 2 of 3 Containment Yellow

Comply with Technical Specification requirements isolation valve(s) in a penetration Failed Open (Note

Close or verify Closed other valves in flow path

1)

Minimize duration of configuration All Containment isolation Orange valves in a penetration Failed Open (< 6" diameter) (Note 1)

All Containment isolation Red valves in a penetration Failed Open (_>6 "diameter) (Note 1)

Note 1: A more detailed PSA evaluation may determine a lower risk significance depending on the SSCs affected.

ADM-0096 REV - 02 PAGE 31 OF 37

ATTACHMENT 4 PAGE 7 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION QUALITATIVE ASSESSMENT GUIDELINE BASES Table 2: The color codes selected for the internal flooding qualitative risk are intended to ensure a heightened awareness to these activities.

Table 3: Seismic snubbers only affect the plant risk during a seismic event. The likelihood of a seismic event at River Bend is on the order of 1 E-5/yr (Ref. NUREG-1488). From a risk standpoint, the seismic snubbers could result in an internal flood during a safe shutdown earthquake (SSE) or larger seismic event. Therefore, seismic snubbers have been included to ensure a heightened awareness to these activities Table 4: Increasing the LOOP frequency by a factor of 10 and taking one EDG OOS, the PSI is Yellow. Increasing the LOOP frequency by a factor of 100 and taking one EDGs OOS, the PSI is Red.

Table 5:

Large Early Release fraction is the figure of merit used in the Level 2 PSA analysis. A LERF is defined as a large release within the first 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of the event or within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months of core damage. Large releases are those releases that are unscrubbed and rapidly depressurize the containment structure.

Hydrogen Igniters or Analyzers - Analysis has shown that there are no events that will threaten containment within the first eight hours (the applicable LERF time frame) of an event with the exception of uncontrolled hydrogen bums. One division of hydrogen igniters is sufficient to maintain the hydrogen concentration such that an uncontrolled bum is prevented.

Additionally, the hydrogen igniter system is extremely reliable. This can be seen in the fact that approximately 98% of the LERF frequency is caused by an SBO or an SBO-like event. In these events the igniters are failed due to loss of offsite power, therefore, the number of trains operable is irrelevant. Since only one train of hydrogen igniters is required to prevent a LERF and that the igniter system is extremely reliable removal of one train from service is considered a yellow condition. Given the importance of the system operation in preventing a LERF both systems out of service is considered to be orange.

Drywell Structure - The LERF frequency was found to not be dependent on the drywell structure, since even with drywell bypass the containment is not threatened during the LERF time frame, with the exception of the hydrogen burn. The drywell bypass does however, cause any release due to containment failure to be unscrubbed. Due to this, the drywell being inoperable is considered a yellow condition.

ADM-0096 REV - 02 PAGE 32 OF 37

ATTACHMENT 4 PAGE 8 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION QUALITATIVE ASSESSMENT GUIDELINE BASES (cont.)

Containment Isolation Valves - Failure of containment isolation during an event will cause a release, therefore, if 1 out of 2 or 2 out of 3 containment isolation valves are inoperable on a containment penetration the probability of a release is increased since only one component has to fail. Although a failure of any particular valve to close during an event is unlikely, this condition is considered yellow due to the increased possibility of a release. If all of the containment isolation valves are inoperable then a release will occur given a core damage event. However, a minimum of a 6-inch line is required to prevent containment pressurization and to depressurize the containment structure. Therefore, if the penetration is less the 6 inches by definition the probability of a LERF is not increased but a release will occur given a core damage event. Therefore, this condition is considered orange. If all containment isolations on a 6-inch or greater containment penetration are inoperable, then given a core damage event a LERF will occur. Therefore this condition is considered red.

PSA Level 2 Systems Not Included The following systems were not included in the quantitative or qualitative evaluations since they have minimal impact on risk. The qualitative evaluation may be considered GREEN for these systems during maintenance.

Containment Heat Removal - Analysis shows that there are no events that will threaten containment within the first eight hours of an event with the exception of uncontrolled hydrogen burns. Operation of the hydrogen igniters is sufficient to control hydrogen concentration and prevent an uncontrolled hydrogen burn. Uncontrolled hydrogen burns can result in no containment failure, penetration failure, or gross failure. Of these outcomes only gross containment failure can produce a LERF. The probability of these containment failure modes is determined by the initial containment pressure and hydrogen concentration. The containment heat removal systems affect the containment atmosphere in three ways:

1. limit containment temperature,

2. limit containment pressure, and

3. limit containment steam concentration The presence of steam in the containment helps to limit the probability of a hydrogen burn.

For steam concentration above 55%, the containment is basically inert. Use of the containment heat removal system reduces the concentration of steam in the containment during an event. This reduction in steam concentration actually increases the probability of a hydrogen burn. However, analysis has shown that at RBS the steam concentration never gets above 35% with or without containment heat removal. At these low steam concentrations, variations in bum probability with respect to steam concentrations are not significant.

ADM-0096 REV - 02 PAGE 33 OF 37

ATTACHMENT 4 PAGE 9 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION QUALITATIVE ASSESSMENT GUIDELINE BASES (cont.)

The containment temperature is not important to the Level 2 PSA analysis since the containment fragility analysis encompassed bounding containment temperatures. Therefore, changes in accident temperatures due to the unavailability of the containment heat removal do not affect the probability of containment failure.

The operation of containment heat removal also limits the peak containment pressure during an accident. The Level 2 analysis has shown that at higher hydrogen concentration (above 20%) the operation of the containment unit coolers reduces the probability of a gross containment failure due to hydrogen burns. However, this has an insignificant affect on LERF, since the hydrogen concentration is controlled by hydrogen igniters. Since the hydrogen igniters are extremely reliable, the only time that igniters fail is during loss of all Div I and Div 11 power. During these scenarios containment heat removal would help limit LERF. However, under these conditions the containment heat removal systems would also not operate.

Therefore as long as hydrogen igniters are available, containment heat removal has no affect on LERF. Removal of both trains of hydrogen igniters would have a significant increase in LERF, the additional removal containment heat removal would further increase LERF.

However, when compared to the increase due to removal of igniters the change would be insignificant. Therefore, containment heat removal is not considered to have a significant affect on LERF.

Standby Gas Treatment System - The Standby Gas Treatment system maintains a negative pressure in the annulus and auxiliary building. The system processes the air it draws off of these areas prior to releasing this to the environment. However, this system would not filter any release due to a LERF. Any failure of containment structure which would cause a LERF would immediately over pressurize the annulus. The limited flow rate of the SGTS is not sufficient to prevent the pressurization and failure of the shield building. Additionally, since the containment structure has a median failure pressure of 100 psig, the SGTS itself will fail due to the increased pressure in the annulus almost instantaneously.

Containment Venting - The containment vent path at River Bend is a three-inch line. The River Bend pressurization analysis has shown that a six-inch line is required to prevent containment overpressurization. Therefore, the containment vent will not prevent containment failure due to a hydrogen bum. The vent will, however, control the hydrogen such that a hydrogen bum will not occur. However, as with the containment heat removal system, the impact of the availability of the containment vent is not significant due to the presence of the hydrogen igniters. Since failure of the hydrogen igniters is dominated by failure of AC Power, failure of the igniters will most likely be accompanied with failure of the containment vent.

Therefore, the containment vent does not have a significant affect on LERF.

ADM-0096 REV - 02 PAGE 34 OF 37

ATTACHMENT 4 PAGE 10 OF 10 QUALITATIVE EXTERNAL EVENTS AND LEVEL 2 SSC CONSIDERATION QUALITATIVE ASSESSMENT GUIDELINE BASES (cont.)

Containment Structure - The integrity of the containment structure is the main determining factor of a LERF. If a containment leakage path equal to or greater the area of a 6-inch pipe is present, then give a core damage event a large early release will occur. However, if the containment integrity is lost then a one hour LCO is entered. If the containment is not restored within one hour the plant is shutdown. Given that the plant would only be allowed to run for a maximum of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months under these conditions, the containment structure is not included in the RBS level 2 Guidance.

Hydrogen Mixing/Purge/Recombiners - Hydrogen Mixing is not credited in the RBS Level 2 PRA. Mixing is important if the containment is highly compartmentalized, and hydrogen concentration can build up in one area. The RBS containment does not have small airtight rooms so mixing is not a risk concern.

Hydrogen purge is limited to use with containment pressures less than 2 psi and offsite release limitations. Therefore, it will have limited use during severe accidents. The hydrogen purge system will control the hydrogen in the drywell such that a hydrogen bum will not occur.

However, as with the containment heat removal system, the impact of the availability of the hydrogen purge is not significant due to the presence of the hydrogen igniters. Since failure of the hydrogen igniters is dominated by failure of AC Power, failure of the igniters will most likely be accompanied with failure of the hydrogen purge. Therefore, the hydrogen purge does not have a significant affect on LERF.

Hydrogen recombiners are not credited in the Level 2 PSA since the amount of hydrogen assumed to be generated for a LERF event is greater than the capability of the hydrogen recombiners.

Reactor Pressure Vessel - Typical pressure vessel failure frequencies are below the threshold for quantitative or qualitative modeling.

ADM-0096 REV - 02 PAGE 35 OF 37

ATTACHMENT 5 PAGE 1 OF2 LEVEL 1 OUT OF SERVICE GUIDANCE TABLE FOR USE WHEN EOOS IS UNAVAILABLE Division I Stby Sys PSI Systems to Avoid Placing Out of Service Concurrently SWP A2 7.5 fY) SWPB EDGB FPW SBO DG HPCS RCIC SWPA&EDGB 5.0 (R) SWPB EDG C SWP C IPCS RCIC SWPA, EDGA& 7.5(0) SWPB EDGB EDGC SWPC HPCS RCIC RHRA SWP A & EDG A 7.5'(Y) SWPB EDGB EDG C HPCS RCIC EDGA&RHRA 8.4 (Y) EDG B EDG C SWPB HPCS RCIC Note 1 EDG A 8.4 (Y) EDG B EDG C SWPB HPCS RCIC Note 1 LPCS 9.9 (G) HPCS EDG C EDG B RCIC SWP B ADS RIIR A 9.8 (G) HPCS EDG C EDG B RCIC SWP B ADS Division II Stby Sys PSI Systems to Avoid Placing Out of Service Concurrently SWP B- 8.5 (Y) EDG C EDG A RCIC SWPA SWPC HPCS SWPB&EDGA 5.5R) EDC SW(RA SWP C HPCS RCIC Note I SWP B, EDG B & 8.4 (Y) EDG C EDG A SWPA HPCS RCIC Note 1 RHRB SWP B, EDG B 8.5 (Y) EDG C EDG A SWPA HPCS RCIC EDGB&RHRB 8.4(Y) EDGC EDGA .SWPA SWPC HPCS EDGB 8.8 (Y) EDGC EDGA SWPA SWPC HPCS RHR C 10.0 (GI EDG C EDG A RCIC SWPA SWPC HPCS RHRB 9.9 (G) EDG C EDG A RCIC SWPA SWPC HIPCS Division III Stby Ss PSI Systems to Avoid Placing Out of Service Concurrently HPCS&EDGC 9.1(Y) ADS RCIC EDGA EDGB SWPA SWPB HPCS 9.2 ADS RCIC EDG A EDG B SWP A SWP B SWP C Pump 9.7 (G) EDG A EDG B S WP A SWP B RCIC ADS Other Systems PSI Systems to Avoid Placing Out of Service Concurrently FPW 9.1 (Y) EDG C HPCS RCIC EDG A EDG B ADS SWP-AOV599 9.8 (G) EDG A EDG B EDG C RCIC 9.6(G) ADS HPCS EDG C EDG A EDG B SWP SBO Diesel4 9.4(G) EDG A EDG B EDG C SWP RCIC FPW CRD 10.0(GI ADS Feedwtr HPCS RCIC 2 SWP A is defined as the following out of service: SWP-V172 and SWP-MOVFO55A.

3 SWP B is defined as the following out of service: SWP-V173 and SWP-MOVF055B.

4 The SBO diesel is defined as 125VDC BYS-EGI out of service ADM-0096 REV - 02 PAGE 36 OF 37

ATTACHMENT 5 PAGE 2 OF 2 LEVEL 1 OUT OF SERVICE GUIDANCE TABLE FOR USE WHEN EOOS IS UNAVAILABLE Note 1: For this configuration, the Division I (NNS-SWGIA) lead is aligned to the Division III EDG, and gives a slightly lower PSI value than the typical lineup using the Division II (NNS-SWGIB) lead.

General Notes:

This table was developed using EOOS. For the PSI values, the configuration used is the Division I (NNS-SWG1A) lead aligned to the Division III EDG. In some cases, this gives a slightly lower PSI value than the typical lineup using the Division II (NNS-SWG1B) lead. The Systems to Avoid Placing OOS Concurrently portion of the table was developed by reviewing the EOOS dominant sequences (cutsets) for each system when taken OOS. The systems are listed in no particular order.

In the EOOS model, EDG A is considered unavailable when SW? A is taken out of service. Likewise, when SWP B is taken out of service, EDG B is considered unavailable.

Other configurations, such as SWP Pump 2A, MOV 40A, and MOV 55A taken out of service will indicate lower risk values. SWP Pump C is included in the Division III systems.

Color codes are indicated in parentheses following the PSI values above. G = Green, Y= Yellow, and o = Orange. Note that the equipment out of service combinations defining the Orange and Yellow color code transitions are indicated in boldface above.

The PSI values presented in the above table represent estimated values. These values should be considered as estimates since there could be changes to the model that impact the PSI values in the table.

However, the impact may be insignificant. The significance of the impact will be determined by engineering judgement within Safety Analysis.

ADM-0096 REV - 02 PAGE 37 OF 37

G12.1.28

- llm wam ENTERGY RIVER BEND STATION STATION OPERATING MANUAL

OPERATION SECTION PROCEDURE

SHUTDOWN OPERATIONS PROTECTION PLAN (SOPP)

PROCEDURE NUMBER: *OSP-0037 REVISION NUMBER: *12 Effective Date:

SEP 212001 NOTE: SIGNATURES ARE ON FILE.

TemRev 2 AddCounter 28 Art Enc DS MSet REGULAR KWN OFF

mNDEXING INFORMATION RECEIVED SEP 2 1 200i DOCUMENT CONTROL

TABLE OF CHANGES LETTER DESIGNATION DETAILED DESCRIPTION OF CHANGES TRACKING NUMBER i

i

+/-

J.

OSP-0037 REV - 12 PAGE1 OF 58

TABLE OF CONTENTS SECTION PAGE NO.

1 PURPOSE......................................................

2 REFERENCES.. ..... . ...................-..... ............... 3 3 DEFINITIONS ......... 5...............................

4 PROCEDURE....................................................8 5 CONTINGENCY PLANS .............................................................................................. 15 6 R E C O RDS .............................................................................................................................. 17 ATTACHMENT 1 - SHUTDOWN COOLING FUNCTION COLOR STATES ................... 18 ATTACHMENT 2 - INVENTORY CONTROL FUNCTION COLOR STATES ................. 19 ATTACHMENT 3 - AC POWER CONTROL FUNCTION COLOR STATES .................... 20 ATTACHMENT 4 - FUEL POOL COOLING FUNCTION COLOR STATES .................... 21 ATTACHMENT 5 - CONTAINMENT CONTROL FUNCTION COLOR STATES ........... 22 ATTACHMENT 6 - FUEL BUILDING VENTILATION FUNCTION COLOR STATES ........ 23 ATTACHMENT 7 - REACTIVITY CONTROL FUNCTION COLOR STATES ................ 24 ATTACHMENT 8 - FIRE FUNCTION COLOR STATES ................................................... 25 ATTACHMENT 9 - THERMAL HYDRAULIC CURVES ................................................... 26 ATTACHMENT 10 - EOI CORPORATE OUTAGE MANAGEMENT NUCLEAR SAFETY PHILOSOPHY ....................................................................................... 53 ATTACHMENT 11 - APPROVAL FOR DEPARTURE FROM THE REQUIREMENTS OF THE SHUTDOWN OPERATIONS PROTECTION PLAN ........................... 56 ATTACHMENT 12 - GUIDANCE FOR PROTECTED DIVISION IDENTIFICATION .......... 57 OSP-0037 REV - 12 PAGE 2 OF 58

PURPOSE to This procedure provides guidelines for Operations and Outage Management personnel the EOI Corporate Outage evaluate the availability of plant equipment required to meet Management Nuclear Safety Philosophy (Attachment 10).

5 during scheduled, This procedure is intended for use when the plant is in Mode 4 or Mode forced (unscheduled), and refueling outages.

2 REFERENCES 2.1 ADM-0096, Risk Management Program Implementation and On-Line Maintenance Risk Assessment 2.2 AOP-0004, Loss of Offsite Power 2.3 AOP-0027, Fuel Handling Mishaps 2.4 AOP-0050, Station Blackout 2.5 AOP-0051, Loss of Decay Heat Removal 2.6 GOP-0002, Power Decrease/Plant Shutdown 2.7 OSP-0034, Control of Obstructions for Primary Containment/Fuel Building Operability 2.8 OSP-0041, Alternate Decay Heat Removal 2.9 SOP-0003, Reactor Recirculation System 2.10 SOP-003 1, Residual Heat Removal System operating procedure.

2.11 SOP-0091, Fuel Pool Cooling and Cleanup system operating procedure 2.12 SOP-0140, Suppression Pool Cleanup And Alternate Decay Heat Removal 2.13 Corporate, Entergy Outage Management Nuclear Safety Philosophy 2.14 NE-AM-94-0314, Fuel pool heat-up curves during RF-5 for use in shutdown protection plan OSP-0037 REV - 12 PAGE 3 OF 58

2.15 NE-AM-94-0316, Spent fuel pool (SFP) heat-up plots during RF-5 for use in AOP-5 1.

2.16 G13.14.0*159-0, Calculate-Reactor Vessel and upper pool time to boil and time to top of active fuel curves during RF-5.

2.17 G13 .18.14.0*61-0A, Calculation-Lower pool heat-up during RF-5.

2.18 ERIN memo, Shutdown condition tables for equipment requirements dated 1/27/1994-Dagan to Klco 2.19 Grand Gulf, Safety assessment of the RF06 outage schedule GIN 93-03837 2.20 Grand Gulf, Shutdown Protection Plan-Rev 1-October 4, 1993 2.21 ANO, Arkansas Nuclear One-Unit One-Shutdown Operations Protection Plan-Revision 1-dated 9/8/93 2.22 SA 90-004, "NRB Request to Evaluate the Vogtle Event as it Relates to River Bend Station."

2.23 SA 91-012, "Risk Assessment of Refueling Outage #4 (NSAG)."

2.24 NUMARC 91-06, "Guidelines for Industry Actions to Assess Shutdown Management."

2.25 INPO, INPO Outage Management Guidelines.

2.26 NSAC-175L, "Safety Assessment of BWR Risk During Operations (Grand Gulf)."

2.27 EPRI Draft Report, "BWR Generic Risk Management Guidelines."

2.28 A-15693, There will be a Standing Team for Outage Risk Oversight during future refueling outages.

2.29 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants.

2.30 DEAM SA-G-002-00 Configuration Risk Management Program Guidance.

2.31 G13.18.14.0*189, Time to Boil, Heat Up Rate, and Time to Top of Active Fuel Curves Accounting for Power Uprate 2.32 G13.18.12.3*171, Shutdown Safety Function Defense in Depth Color Codes OSP-0037 REV - 12 PAGE 4 OF 58

3 DEFINITIONS 3.1 Available - The status of a system, structure or component that is in service or can be placed in service in a functional state by immediate manual or automatic actuation. Credit for immediate manual or automatic action may be taken provided:

"* The response is rendered by a dedicated plant operator as described in ADM-0096.

"* The prescribed action is appropriately controlled by established procedures.

"* The action is expected to produce an automatic initiation (if required) of the out-of-service SSC in the event of an actual demand.

3.2 Color Codes - Color codes are used to represent the relative risk associated with outage activities.

"* GREEN - High level of safety and defense in depth exist.

"* YELLOW - Adequate level of safety and defense in depth exist.

Acceptable Risk.

"* ORANGE - Failure to meet adequate level of safety and defense in depth without specific contingency plans predermed and in place

"* RED - Failure to meet both an adequate level of safety and defense in depth.

3.3 Containment Closure - A containment condition integral barrier to the release of radioactive where at least one material is provided, within the specified limits using STP-057-3804.

3.4 Decay Heat Level - The heat generated as a result of fission product decay is designated as High, Medium and Low.

The break points between these designations are determined by the ability of specified equipment to remove the heat generated. For this procedure the break point between High and Medium Decay Heat Levels occurs when SFC and RWCU together can remove the expected Decay Heat generation.

The break point between Medium and Low is when RWCU alone can remove the expected Decay Heat. The ability of this equipment to remove the decay heat is based on the maximum temperature of the Reactor Water Closed Cooling System and the Maximum Reactor Coolant Temperature. These values are set prior to the outage to establish a time frame for removing equipment from service.

OSP-0037 REV - 12 PAGE 5 OF 58

3.5 Decay Heat Removal Capability - The ability to maintain reactor coolant system temperature/pressure and spent fuel pool temperature below specified limits following:

3.5.1. Shutdown Cooling - decay heat removal within the RCS 3.5.2. Fuel Pool Cooling - decay heat removal within the upper and lower fuel pools 3.6 Defense in Depth - For the purpose of managing risk during shutdown, defense in depth is the concept of:

3.6.1. Providing systems, structures and components to ensure backup of key safety functions using redundant, alternate or diverse methods; 3.6.2. Planning and scheduling outage activities in a manner that optimizes safety system availability; 3.6.3. Providing administrative controls that support and/or supplement the above elements 3.7 Defueled - All fuel assemblies have been removed from the reactor vessel and placed in the spent fuel pool.

3.8 High Risk Evolution - Outage activities, plant configurations or conditions where the plant is more susceptible to an event causing the loss of a key safety functions.

3.9 Inventory Control - Measures established to ensure that irradiated fuel assemblies remain covered with coolant to maintain heat transfer and shielding requirements.

3.10 Key Shutdown Function Areas - (1) Shutdown Cooling (2) Inventory Control (3) AC Power (4) Fuel Pool Cooling (5) Containment Control (6) Fuel Building Ventilation and (7) Reactivity Control, (8) Fire.

3.11 Operable - The ability of a system to perform its specified function with all applicable technical specification requirements satisfied.

3.12 Overall Risk - The most conservative color-code assignment found in the Shutdown Safety Level and Shutdown EOOS Safety Index.

approach insures that both defense-in-depth and core damage This risk are evaluated and the most conservative value is chosen.

3.13 Protected EquipmentlSystems - Equipment that is being relied upon to ensure a Key Shutdown Function is maintained available.

OSP-0037 REV - 12 PAGE 6 OF 58

3.14 Reactivity Control - Measures established both to preclude inadvertent criticalities, power excursions, or losses of shutdown margin, and to predict and monitor core behavior.

3.15 Requirement or Required - as used in this procedure are intended to mean available as defined in 3.1 above.

3.16 Safety Significant Change - Any change to the outage schedule that has a meaningful or notable impact on the required equipment, systems, or flowpaths.

3.16.1. A change in the outage schedule logic that alters the previously approved start or finish dates of a work activity associated with shutdown cooling, fuel pool cooling, electrical power distribution, RCS inventory control, containment control, fuel building ventilation, or reactivity control that the activity now enters another key safety functionsuch system outage window.

3.16.2. A change in the outage schedule logic caused by emergent work that affects the planned defense-in-depth associated with shutdown cooling, fuel pool cooling, electrical power distribution, RCS inventory control, containment control, fuel building ventilation, or reactivity control, fire, or an actual reduction in the planned defense-in-depth for these functions.

3.16.3. A change in the outage schedule logic that alters the previously approved start or finish dates or identified method of filling or draining the RCS.

3:16.4. A change in the outage schedule logic that alters the previously approved start or finish dates or identified method to perform work activities that could significantly change dose rates in a work area.

3.16.5. Any change in the outage schedule logic that causes a color change for a key shutdown function area.

Shutdown EOOS Safety Index - A measure of the core damage risk based on Probabilistic Risk Assessment (PAR) due to equipment out of service (EOOS). A computer code provides this assessment which is represented by a color code and number. Only the color code is used for this procedure.

Shutdown EOOS considers the Available (Definition 3.1) status of the equipment, rather then the Technical Specification Operability status.

OSP-0037 REV - 12 PAGE 7 OF 58

3.17 Shutdown Safety Level - The relative degree to which risk is increased and defense-in-depth is maintained. This is represented by a color code.

Defense-in-depth is measured by the degree of conformance with Technical Specifications in eight key shutdown function areas: (I)

Shutdown Cooling (2) Inventory Control (3) AC Power (4) Fuel Pool Cooling (5) Containment Control (6) Fuel Building Ventilation and (7)

Reactivity Control, (8) Fire, 3.18 Time to Roil/Time to Mode Change (2000) - For the Safety Assessment of this procedure, the term Time to Boil and Time to Mode Change are synonymous. The tables and curves have been based on reaching a temperature of 200°F. At 2000 F, a mode change occurs from Mode 4 to Mode 3, when all reactor vessel head bolts are fully tensioned.

If this mode change occurs the assumptions of this procedure are no longer valid. When one or more reactor vessel head closure bolts are less than fully tensioned, the times from the curves will be conservative by 121F, to account for local vs. bulk boiling potential.

Information given out to the site should be expressed as "Time to 200'F."

4 PROCEDURE 4.1 IMPLEMENTATION 4.1.1. When assuming the shift, or for unscheduled outage conditions, the Operating Crew will perform and/or review the following:

"* Operability of Shutdown Safety Equipment

"* Availability of Shutdown EOOS Equipment

"* Attachments I through 8, determine if any change has occurred.

"* The scheduled work for that shift.

"* Current plant and outage status.

"* Run the Shutdown EOOS computer program for the current alignment and unavailable equipment.

"* Determine the Overall Risk

"* Communicate this information to the Site.

OSP-0037 REV - 12 PAGE 8 OF 58

4.1.2. For Mid-Cycle Outages, the tables and curves are applicable when the Before Shuffle curves and values are used. This is conservative, since the Before Shuffle tables and curves are based on decay heat produced as a result of a full cycle of fission product production. If mid-Cycle Outage tables and curves become available, they may be used provided Attachment 11, Approval for Departure from the Requirements of the Shutdown Operations Protection Plan is completed and a cover letter indicating limitations for the use of the tables and curves is attached.

4.1.3. Protected Division is a condition where credit is being taken for certain equipment to be available and/or operable to fulfill the requirement of this procedure. This condition may exist during most of the outage due to safety function equipment being taken out of service or testing. An Overall Risk colors of Yellow or Orange may be an indication that a Protected Division condition is warranted. When this occurs and at the direction of the On-Shift Operations Superintendent, or Control Room Supervisor the areas around these protected systems should be controlled with physical barriers and signs.

Locations of the areas and equipment should take into consideration are power supply MCC's, transformers motors/pumps, instrumentation, HVAC, battery/inverter rooms, remote shutdown division rooms. Sign locations should be prominently displayed on the door entering the room or cubical. If it is not practical to display on a door, use of barrier tape/flagging s"hould be used to prevent approach to the equipment. In some cases protected division equipment may be in an area where restrictions on travel can not be implemented (i.e. Diesel Generator Control Rooms, HVK Chiller Rooms) because this area is an access route to other equipment. In these cases, a sign indicating no work is allowed in this area can be. displayed. Special precautions should be taken and pre-job briefings should be conducted for activities taking place within these controlled areas.

Attachment 12, Guidance for Protected Division Identification, is used by the OSM/CRS to aid in determination of locations for and in the documentation of Protected Division sign placement.

OSP-0037 REV - 12 PAGE 9 OF 58

4.1.4. Communications of the Overall Risk to the site should be done on a regular basis, and when a change of risk occurs.

The information should include: Overall Risk, when divisions are protected, which shutdown cooling trains are available, time to mode change/boil, and the Color State the various Safety Functions. This communication can be through a combination of posters, television displays, Daily Outage Reports, and meeting plant status. Additional information may be appropriate during high-risk evolutions and when contingency plans are entered.

4.1.5. Key shutdown function equipment that has been removed from service, should be returned to service as soon as maintenance and/or testing is complete. WHEN the equipment is returned to service, THEN the availability and operability of the equipment should be restored as soon as practicable to restore defense in depth and reduce the impact on the rest of the outage.

4.1.6. The Outage Manager has the responsibility to monitor scheduled activities with respect to changes to the original scheduled sequence, and to approve any significant variations.

Any changes which deviate from the guidelines in Sections 4.2 through 4.8, require the completion of Attachment 11, Approval for Departure from the Requirements of the Shutdown Operations Protection Plan. Where a change impacts a note in the Function Color State tables, Attachment 11 will be used to document the calculations and data needed for approval, For any Contingency Plans put effect during an Orange Condition, Attachment 11 will into be used to document and retain the contingency plan. This Attachment may not be used to allow deviation from Technical Specifications.

4.1.7. A multi-discipline team (Outage Risk Assessment Team ORAT) will be formed prior to any refueling outage to review outage safety. This team remains intact through the end of the outage for the review of changes to the schedule logic.

The team will use a blended approach, which employs EOOS, transition flow, and major evolutions during the outage.

(Commitment A- 15893).

OSP-0037 REV - 12 PAGE 10 OF 58

4.2 SHUTDOWN COOLING GUIDELINES 4.2.1. The Emergency Diesel Generator associated with the operable Residual Heat Removal System shall remain operable.

4.2.2. WHEN credit is taken for an alternate means of decay heat removal (e.g., RWCU or SFC), THEN one Residual Heat Removal System should normally be available as a backup.

4.2.3. Activities on the Decay Heat Removal equipment should be scheduled in detail.

4.2.4. Residual Heat Removal system outage durations should be minimized.

C 4.2.5. During shutdown operations with time to 200°F less than two hours per this procedure, or any updated curves if provided by Safety and Engineering Analysis, one or more of the following methods of core circulation is REQUIRED:

"* one operating reactor recirc pump,

", one operating RHR shutdown cooling loop, or

"* the SPC system operating in the ADHR mode C 4.2.6. STP-050-0700, RCS Pressure/ Temperature Limits Verification, is required to be performed when changing decay heat removal modes or systems, and when there is an inadvertent or intentional loss of decay heat removal.

4.2.7. During periods of medium or high decay heat and greater than 23 ft. of water above the RPV flange with only one RHR Shutdown Cooling loop in operation, an alternate decay heat removal system is maintained available to be placed in within one hour. (Reference Tech Spec. 3.9.8 Action service A) 4.2.8. Flooded up condition requires greater than 23 ft in the Reactor Cavity and the Cavity Gate open.

4.3 INVENTORY CONTROL GUIDELINES 4.3.1. The Emergency Diesel Generator associated with one operable Emergency Core Cooling system shall remain operable.

4.3.2. Emergency Core Cooling system outage should be minimized.

4.3.3. Activities on the Emergency Core Cooling systems should be scheduled in detail.

OSP-0037 REV- 12 PAGE 11 OF 58

4.3.4. Work activities shall not be allowed on the operable Emergency Core Cooling Systems.

4.4 ELECTRICAL POWER DISTRIBUTION 4.4.1. Two offsite sources of power shall be maintained available during high risk evolutions (i.e. RPV pressure test).

4.4.2. Work shall not be allowed at the Fancy Point Switchyard until a contingency plan has been established for electrical power distribution during periods of orange conditions.

4.4.3. At least one Diesel Generator shall be maintained operable and associated with one available Emergency Core Cooling System, the available shutdown Cooling System and the Fuel Pool Cooling system.

4.4.4. Offsite power sources should be clearly identified on the refueling outage schedule.

4.4.5. Refueling outages should be divisional, This means the major work of an outage will be concentrated on one division only, while the other division remains operable.

4.4.6. A coordinator should be assigned to specifically plan the divisional bus outages and help identify temporary power requirements.

4.5 REACTIVITY CONTROL 4.5.1. Standby Liquid Control System outages should be minimized.

4.5.2. To ensure adequate neutron instrument response (e.g.

coupling) at least two fuel bundles should be maintained around each required operable detector string.

For the purpose of criticality monitoring only the Source Range Monitors are required to be coupled.

4.5.3. Detailed shutdown margin assessments should be obtained to ensure adequate shutdown margins exists, assuming control rod withdrawal errors, fuel load errors and mis-orientation errors.

4.5.4. Rod movement should not be allowed in a cell loaded with fuel once core loading has commenced, until after core verification.

OSP-0037 REV - 12 PAGE 12 OF 58

4.5.5. Fuel loading shall only be allowed into fuel cells where the control rod is fully inserted.

4.6 CONTAINMENT CLOSURE 4.6.1. Operations maintains a list of breaches to Primary Containment per OSP-0034, Control of Obstructions for Primary Containment/Fuel Building Operability.

4.6.2. Specific individuals are assigned responsibility for closure of the containment equipment hatch, the 113' airlock and the 171' airlock, per OSP-0034, should the action be initiated by the Shift Superintendent or Outage Manager.

4.7 FUEL POOL COOLING 4.7.1. Work in the Fuel Pool Cooling System should be done non outage if possible. IF work is required on the Fuel Pool Cooling System during the outage, THEN it should be done as early as possible in the outage and not after fuel offload (when the heat load is the highest). IF wo-rk'is required after fuel offload, THEN a contingency plan shall be in place prior to removing the system from service.

OSP-0037 REV - 12 PAGE 13 OF 58

4.8 FIRE 4.8.1. The Fire Protection System is operable per Tech Specs.

4.8.2. Fire Brigade requirements of ADM-0022, Conduct of Operations are satisfied.

4.8.3. All personnel, including contractors, are trained in the proper fire notification procedures.

4.8.4. A fire is a higher risk when Division I equipment is out of service. This is due to Division I being the protected for a fire in the main control room. The high risk division condition applies only to a fire in the Main Control Room.

4.8.5. With Division I in an outage, a fire in the Division 2

equipment could remove the plant's ability to operate a single division from the remote Shutdown Panel.

OSP-0037 REV - 12 PAGE 14 OF 58

5 CONTINGENCY PLANS Contingency Plans should be developed for situations where the systems availability drops below the planned defense-in-depth (i.e. Condition Orange) and should be available when entering the higher risk evolution for which they were developed.

The personnel required to implement the contingency plan should be identified and familiar with the plan.

5.1 DECAY HEAT REMOVAL 5.1.1. Reactor Coolant System Decay Heat Removal Reactor Coolant System Decay Heat Removal contingencies are covered in AOP-005 1, Loss of Decay Heat Removal.

This procedure references SOP-003 1, Residual Heat Removal System operating procedure which contains guidance for shutdown cooling operations and OSP-0041, Alternate Decay Heat Removal if the required cooling is not available.

The operators are aware at all times which systems are available provide Reactor Coolant System Decay Heat Removal to to meet Technical Specification Requirements.

5.1.2. Containment Pool Cooling Containment Pool Cooling contingencies are covered in AOP-005 1, Loss of Decay Heat Removal. This procedure references SOP-009 I, Fuel Pool Cooling and Cleanup System as the primary method for cooling. SOP-003 1, Residual Heat Removal System operating procedure is also referenced as a backup method when operated in the Fuel Pool Cooling assist mode.

5.1.3. Spent Fuel Pool Cooling Spent Fuel Pool Cooling contingencies are covered in AOP-005 1, Loss of Decay Heat Removal. This procedure also contains procedural guidance for providing backup cooling to SFC heat exchangers in the event of a loss of service water/standby service water.

OSP-0037 REV - 12 PAGE 15 OF 58

5.2 Reactor Coolant System Inventory Makeup 5.2.1. Reactor coolant system inventory control contingencies are covered in different locations. The order in which procedures are implemented depends on plant activities. Initial guidance is provided by AOP-0027, Fuel Handling Mishaps.

Emergency makeup sources are identified in this procedure.

Routine level control for the upper pool or reactor controlled using SOP-0091, Fuel Pool Cooling andare Cleanup, SOP-0031, Residual Heat Removal, or FHP-0001, Control of Fuel Handling and Refueling Operations.

5.3 Electrical Power Distribution 5.3.1. Electrical Power contingencies are provided in AOP-0004, Loss of Offsite Power (including the procedure for backfeeding to the Normal Station Service transformers) and AOP-0050, Station Blackout. Specific guidance for loss of electrical power to Spent Fuel Pool cooling pump is contained in AOP-0051, Loss of Decay Heat Removal.

5.3.2. Operations Policy #009 provides controls to assure the availability of offsite power. This policy defines sensitive equipment and established controls for switchyard activities.

5.4 Reactivity Control 5.4.1. AOP-0027, Fuel Handling Mishaps directs the operators to scram the reactor if an inadvertent criticality should occur during fuel handling operations. In addition, reactor coolant temperature is monitored by STP-000-0005, Daily Refueling Logs and ARP-P680-3A-E08, Reactor Water Low Temperature. Reactor Engineering is notified if temperature falls below 70WF (above the minimum analyzed temperatures).

5.5 Containment Closure 5.5.1. Containment closure contingencies are covered in OSP-0034, Control of Obstructions for Primary Containment/Fuel Building Operability. This procedure provides controls for containment penetrations and guidance for rapid closure should the need to set containment integrity occur.

OSP-0037 REV - 12 PAGE 16 OF 58

5.6 Fire 5.6.1. Communicate high risk evolution at the daily meeting. Do not allow potential fire hazards to occur in or around Division II equipment. Hang "PROTECTED DIVISION" signs as necessary.

6 RECORDS 6.1 WHEN Attachment 11, Approval for Departure from the Requirements of the Shutdown Operations Protection Plan, is completed, should be kept in the Control Room for seven days. The THEN it completed forms for the duration of the outage are kept in the Ops area for two years for possible retrieval for various agency inspections.

OSP-0037 REV - 12 PAGE 17 OF 58

ATTACHMENT 1 PAGE I OF I SHUTDOWN COOLING FUNCTION COLOR STATES Plant Conditions Hi Med Low Hi Med Low Med Low Decay Decay Decay Decay Decay Decay Decay Decay Heat/ Heat/ Heat/ Heat/ Heat/

Shutdown Not Heat/ Heat/ Heat Not Not Flooded Flooded Cooling Systems Flooded Flooded RPV RPV Flooded Flooded Up Up Up Available UP Up Pressure Pressure Up Note 5 Note 5 Note 5 RHR A Red. Test Test R9 Rtd;.: Yellow Yellov

_(TS) ~' Green ADHR J"k "w: :0

! i Rid: 'ed "" `R F. . 'Yellow Oa Yellow rne Gr n,.'..z'e Oag e 1 RWCU/SFC RWCU Orange Note 1 NSFC Note 2 RHR A&B Yellow Yellow Green ireen Green (TS) (TS) (TS) areen

-RHR+ADHR Oae Orne Yellow "' e Gre -G

_RH-R+RWCU/SFýC Green RHR+RWCU ellow * *Green NRHR+SFC

-ADHR+RWCU/SFC Note 3 Green Yellow i +RWCU ma calne i Green ADHR+SFC Note 4 TRWCU+SFC 2RHR+ADHR o Gaee Green Green !Green Green IGreen Green-M Note RWCU 1 cannot remove all of the decay heat produced at the medium decay heat level. A contingency plan to use another source to provide shutdown cooling (such as Condensate or MSL flooding) must be credited to be considered Orange in this condition.

Note 2 This may be Orange if calculations show that SFCialone is capable of removing all the decay heat.

Note 3 This may be Green if calculations show that SFC alone is capable of removing all the decay heat.

Note 4 This may be Yellow if calculations show that SFC alone is capable of removing all the decay heat.

Note 5 Flooded up condition requires that the cavity gate to be open

[l At least one of the indicated systems is incapable of removing that level of decay heat.

Therefore this combination of systems cannot fill the Shutdown Cooling requirements.

OSP-0037 REV -_12 PAGE 18 OF 58

ATTACHMENT 2 PAGE I OF I INVENTORY CONTROL FUNCTION COLOR STATES Plant Conditions RPV level < RPV level > RPV level < RPV level >

- 23' above 23' above 23' and 23' and Number of Inventory RPV Flange RPV Flange OPDRV OPDRC Control Systems Available 0 ECCS Trains RdIe * ",,....' .::* .

..." i '-* :!** c i~*; *:::::: 64 1 ECCS Train .. :... ..

.. Yellow Orange 2 ECCS Trains Yellow (TS) Green Orange (TS) Green 3 or more ECGS Trains Green Green Green Green OSP-0037 REV - 12 PAGE 19 OF 58

ATTACHMENT 3 PAGE I OF I AC POWER CONTROL FUNCTION COLOR STATES AC Power Control 0 Offsite 1 Offsite 2 Offsite Available power circuits power circuit power circuits No Diesels Red,. .

Div. I Diesel R.. :.R*>,*,...:.*,:**::. ** ::*.,*,,,,.. .. :**Yellow Yell"w (TS)

(TS)

(Div III req'd)

Div. I DieselRd Yellow (TS) Green (Div III not req'd)

Div. II Diesel Red : ' Yellow (TS)

(Div III req'd)

Div. II Diesel ;R Yellow (TS)

(Div III not req'd)

Div. III Diesel Ri:*7' {. ` .

Div. I and II Diesels Red . . . s.i Green Green Div. I and III DGs Reedlo " ,' :' .:*:. Yellow'(TS) S:*" Green Gree.n

"(DivIII req'd) ________________

Div. I and III DGs Green Green (Div III not req'd)

Div. II and III DGs Red.Yellow (TS) Green (Div III req'd) ....

Div. II and III DGs Red Green Green (Div III not req'd) .... ___..... .....

A l I " T ,: ^ I.. .a,*:'¥ i':.:..,.. ;' :]*;.

sels : "..:,'

" : , :i ;* . . ii;2G-reen Green OSP-0037 REV - 12 PAGE 20 OF 58

ATTACHMENT 4 PAGE I OF I FUEL POOL COOLING FUNCTION COLOR STATES Fuel Pool Cooling 0 SFC Heat 1 SFC Heat 2 SFC Heat Available Exchangers Exchangers Exchangers No SFC Pumps . - R.... .R.. .

1 SFC Pumps P Orange Yellow 2 SFC Pumps ]Red Yellow Green OSP-0037 REV - 12 PAGE 21 OF 58

ATTACHMENT 5 PAGE I OF I CONTAINMENT CONTROL FUNCTION COLOR STATES Plant Status Normal OPDRV Fuel Handling Fuel Handling OPDRV and OPDRV and

>11 Days <11 Days Fuel Handling Fuel Handling

>11 Days <11 Days Containment Status Containment Yellow (TS) :i. . .......

Open ___________________

Containment Green Yellow (TS) Green Yellow (TS) ...

C lo sed _, ":_.: -

OSP-0037 REV - 12 PAGE 22 OF 58

ATTACHMENT 6 PAGE 1 OF 1 FUEL BUILDING VENTILATION FUNCTION COLOR STATES Plant Status FB Fuel No Movement of Recently Irradiated Handling* Fuel in the Fuel Building Number of Fuel Building Ventilation Trains Available 0 HVF Trains AN, 0..

1 HVF Train Orange Yellow 2 HVF Trains Yellow (TS) Green

These color codes pertain only to the movement of recently irradiated fuel in the Fuel Building. The color codes are meant to represent TS 3.6.4.7 where "recently irradiated fuel" is defined as "fuel that occupied part of a critical reactor core within the previous 11 days." If the fuel being moved in the Fuel Building is not recently irradiated fuel or no fuel is being handled in the Fuel Building, the color codes are relaxed as indicated in the 3 rd column.

OSP-0037 REV - 12 PAGE 23 OF 58

ATTACHMENT 7 PAGE 1 OF I REACTIVITY CONTROL FUNCTION COLOR STATES Plant Status Mode 4 and 5 (Note 1)

Reactivity Control Available All Rods In Green One Rod Withdrawn Yellow (TS)

More than one Rod Red Withdrawn Note 1 For Mode 5, the number of rods withdrawn does not count those rods with all the fuel assemblies removed.

OSP-0037 REV - 12 PAGE 24 OF 58

ATTACHMENT 8 FIRE FUNCTION COLOR STATES PAGE I OF I rmmln -Conditions Hoiit in

-Work Main Control Hot Work in Hot Work in Room Division I Division II 3 Fire Pumps Operable- Y__ellow Equipment Areas Equipment Areas Green Green 2Fire Pumps Operable Yellow (TS Yellow (TS) Yellow (TS) 1 Fire Pump Operable ' Orange (TS) Orange (TS) Orange (Ts) 0 Fire Pumps Operable Division 17E-quipment Orange (ECCS) Out-of Service Orange Green Division 11 Equipment (ECCS) Out-of Service Yellow Orange I Green OSP-0037 REV - 12 PAGE 25 OF 58

ATTACHMENT 10 PAGE 10F3 EOI CORPORATE OUTAGE MANAGEMENT NUCLEAR SAFETY PHILOSOPHY Entergy Operations' safety philosophy for the conduct of shutdown operations is to integrate nuclear safety into the planning, scheduling and implementation of outage activities. The key attribute of this process is the concept of Defense in Depth which includes: identification of shutdown risk as an element of the planning of outage activities, minimization of shutdown risk through the scheduling of activities, and providing systems, structures and components to provides a backup for key safety functions through redundant, alternate or diverse methods. Successful safe and efficient implementation of outage activities depend on the dedication and teamwork among the outage team including contractors, and meticulous performance of outage activities. The following principles are used to assure the successful management of outages at Entergy Operations:

Outage Management Strategy

"* Planned outages are conducted to perform corrective maintenance, preventative maintenance, required surveillances, and plant modifications to allow the plant to operate safely until it's next planned outage, and for the remainder of its forty year operating license. Outage activities are selected consistent with this purpose to: reduce radiation exposure, improve personnel safety, improve plant operation, and meet regulatory requirements. Lists of approved activities are developed in advance to allow adequate time for design, procurement, and pre-installation activities. The Entergy Operations goal for outage duration is to conduct the shortest possible outage, while accomplishing the outage scope with the highest level of both personnel and plant safety.

" NUMARC 91-06, "Guidelines for Industry Actions Assess Shutdown Management" is used to assess and improve outage safety by minimizing shutdown risk. The key element of this approach is the concept of Defense in Depth.

" Defense in Depth is the concept of ensuring that the systems and alternates that perform key safety functions are available when needed, particularly during high risk evolutions. The use of the Protected Train methodology, coupled with an understanding of plant conditions and risk conditions, is a key element in minimizing shutdown risk.

" The recommendations contained in SOER 9 1-01 will be used to assure the safe conduct of Infrequently Performed Tests and Evolutions. These recommendations include the use of pre-test briefings, clear and concise test procedures, and the establishment of criteria for terminating the test.

OSP-0037 REV - 12 PAGE 53 OF 58 OSP-0037 RE-1 PAE5OF8

ATTACHMENT 9 PAGE 1 OF 27 THERMAL HYDRAULIC CURVES TIME TO 200 F BEFORE FUEL SHUFFLE WITH RX WATER LEVEL AT 85 INCHES AND RX WATER TEMPERATURE AT 110 DEGREES 70 60 so-S, o4 I.-

20 10 0

0 10 15 20 25 30 TIME AFTER SHUTDOWN (HOURS)

I OSP-0037 REV - 12 PAGE 26 OF 58

ATTACHMENT 9 PAGE 2 OF 27 THERMAL HYDRAULIC CURVES OSP-0037 REV - 12 PAGE 27 OF 58

ATTACHMENT 9 PAGE 3 OF 27 THERMAL HYDRAULIC CURVES I

HEAT UP RATE BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT 85 INCHES 12

!0 1100 L~ I 1 - - -- F 100 0 900 80 w

IU ILl

'U, 70

\ I 60 a 50 Before Fuel Shuffle I

1,

,,< 40 30 LIi 20 10 0

0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 28 OF 58

ATTACHMENT 9 PAGE 4 OF 27 THERMAL HYDRAULIC CURVES TIME TO TOP OF ACTIVE FUEL BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT 85 INCHES AND RX WATER TEMPERATURE AT 110 DEGREES 20 19 I-k-V -r--r--r-r -r-- -r-. -mmr- -,1--r-I

-u - T-I 18 17 16 15 = ;Top 14 I 13 Beor FulSufl 12 11 10 I A U.

9 I F I I 8 I- T t A 7

6 - + i C-7f - -i -

5 * - ulitliplier ITemp 4 S-ull.87 170 3 0.92 150 4I 2 1 1 -1 f 1 - 141- 1-4I-4I-m m 0.96 130 I 1.00 110 1 17 i i r-ir- iI

-- T--

1.04 90 0 1 1 1 1r 1j. 1i 1T 1 I i IT*-.1 I i I i I Sm*JI -- -I -F

- I -

I - I .- AI I I---i 1-H 0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 29 OF 58

ATTACHMENT 9 PAGE 5 OF 27 THERMAL HYDRAULIC CURVES TIME TO MODE CHANGE (200 deg. F) BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT MAIN STEAM LINES AND RX WATER TEMPERATURE AT 110 DEGREES 4

3 0

C0 2

I 0

0 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 30 OF 58

ATTACHMENT 9 THERMAL HYDRAULIC CURVES PAGE 6 OF 27 OSP-0037 REV - 12 PAGE 31 OF 58

ATTACHMENT 9 PAGE 7 OF 27 THERMAL HYDRAULIC CURVES I

TIME TO TOP OF ACTIVE FUEL BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT THE MAIN STEAM LINES AND RX WATER TEMPERATURE AT 110 DEGREES 25 1 1 1 1 1 1-1 1 1 1 1 1 1 1 1 1 1 l i l l 1 1 1 1 20

0. 1 15 a

IIWi Before Fuel Shuffle -- ILW L-10

- - -.. [" Befre ue Sh ff1 , . 04 9

-Multiplier Tamp

-- 0.87 170 5

0 0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 32 OF 58

ATTACHMENT 9 PAGE 8 OF 27 THERMAL HYDRAULIC CURVES LEVEL AT TIME TO MODE CHANGE (200 deg. F) BEFORE FUEL SHUFFLE FOR RX WATER THE FLANGE AND RX WATER TEMPERATURE AT 110 DEGREES 5

4 U.

0 0

0 Before Fuel Shuffle U

F

_Multiplier Temp 0.33 170 1 0.66 150

_ 0.78 130

_ 1.00 110 1.22 so 0 I An in I 10 15 20 25 30 35 40U 0 5 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 33 OF 58

ATTACHMENT 9 PAGE 9 OF 27 THERMAL HYDRAULIC CURVES HEAT UPRATE BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT FLANGE 100 90 80 70 60 0.

LI wU 50 SBefore Fuel Shuffle 40 30 20 10 0

0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 34 OF 58

ATTACHMENT 9 PAGE 10 OF 27 THERMAL HYDRAULIC CURVES TIME TO TOP OF ACTIVE FUEL BEFORE FUEL SHUFFLE FOR RX WATER LEVEL AT FLANGE AND RX WATER TEMPERATURE AT 110 DEGREES Cl)i 35 20- - - 1 1

..* ,vBefore fuel Shuffle I ..

1 - --- Multiplier Temp

/ 0.90 1703 0.93 160 i 5 ~0.97 130 _. _

SI1.00 110 ,

I1.04 90 in 1R 9*n "25 30 35 40 0 0U lb . Z TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 35 OF 58 OSP-0037 REV -12 PAGE 35 OF 58

ATTACHMENT PAGE 11 OF 279 THERMAL HYDRAULIC CURVES OSP-0037 REV - 12 PAGE 36 OF 58

ATTACHMENT 9 PAGE 12 OF 27 THERMAL HYDRAULIC CURVES HEAT UP RATE BEFORE FUEL SHUFFLE FOR FLOODED CONDITIONS 17

' I -' - - - - - - - - - - - - - - - - - - - - - - - - - -

16 15 14 13 I II, I I 12 IZ 11

'U

'U 10 a

Iul 9

3

'4 8 -- -- - -- -- - Before Fuel Shuffle 7 ....

I- 6 5

4 2

10 15 20 25 30 35 40 a 5 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 37 OF 58 OSP-0037 REV-12 PAGE 37 OF 58

ATTACHMENT 9 PAGE 13 OF 27 THERMAL HYDRAULIC CURVES OSP-0037 REV - 12 PAGE 38 OF 58

ATTACHMENT 9 PAGE 14OF 27 THERMAL HYDRAULIC CURVES TIME TO MODE CHANGE (200 deg. F) AFTER FUEL SHUFFLE WITH RX WATER LEVEL AT 85 INCHES AND RX WATER TEMPERATURE AT 110 DEGREES 6

5 After Fuel Shuffle -"- -" -

4 uJ 2

- --- -- Multiplier Temp 2 00

-- 0.33 170 0.56 150 0.78 130

--- 1.00 110 1 122

.--- s90

-- -- --- -- ---- t--1 1-- - --- --

0 0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 39 OF 58

ATTACHMENT 9 PAGE 15 OF 27 THERMAL HYDRAULIC CURVES HEAT UP RATE AFTER FUEL SHUFFLE WITH RX WATER LEVEL AT 85 INCHES 60 50 40 F--r -T 30 After FueliShufflo 20 10 0

0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS) i OSP-0037 REV - 12 PAGE 40 OF 58

ATTACHMENT 9 PAGE 16 OF 27 THERMAL HYDRAULIC CURVES TIME TO TOP OF ACTIVE FUEL AFTER FUEL SHUFFLE FOR RX WATER LEVEL AT 85 INCHES AND RX WATER TEMPERATURE AT 110 DEGREES 30 25 20

~15 00,After Fuel Shuffle 10 fill

--- ----- --- --- - - - - - - - - Mulitiplier Temp 5

1.00 110 0

0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 41 OF 58

ATTACHMENT 9 PAGE 17 OF 27 THERMAL HYDRAULIC CURVES TIME TO MODE CHANGE (200 deg. F) AFTER FUEL SHUFFLE FOR RX WATER LEVEL AT THE MAIN STEAM LINES AND RX WATER TEMPERATURE AT 110 DEGREES 6

5 I

4 oe U.

a 0

I UJ SAfter Fuel Shuffle

- - - -- -- - - - - - - - - -i i - -

Loo 2

Multiplier Temp 0.33 170 0.56 150 1 0.78.. 130 1.00 110 S 1.22 go 0

0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP--0037 REV - 12 PAGE 42 OF 58 OSP-0037 REV- 12 PAGE 42 OF 58

ATTACHMENT 279 PAGE 18 OF THERMAL HYDRAULIC CURVES MAIN STEAM LINES AFTER FUEL SHUFFLE HEAT UP RATE FOR RX WATER AT THE 60

= ---

50 40 LIL

= _

After Fuel Shuffle

'a w 30 I-.

IL 20 10 40 3U rA 20 25 35 40 1 45-n is 30 ou -- I 0 1Z)

TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 43 OF 58

ATTACHMENT 9 PAGE 19 OF 27 THERMAL HYDRAULIC CURVES TIME TO TOP OF ACTIVE FUEL AFTER FUEL SHUFFLE FOR WATER LEVEL AT THE MAIN STEAM LINES AND RX WATER TEMPERATURE AT 110 DEGREES 30 25 20 I 0 After Fuel Shuffle 151 U.

4 I-10 Mulitiplier Temp 0.87 170 5 0.92 150 0.96 130 1.00 110 1.04 90 I 0

J.....I 0 S 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 44 OF 58

ATTACHMENT 9 PAGE 20 OF 27 CURVES THERMAL HYDRAULIC OSP-0037 - 12 REV PAGE 45 OF 58

ATTACHMENT PAGE 21 OF 279 THERMAL HYDRAULIC CURVES OSP-0037 REV - 12 PAGE 46 OF 58

ATTACHMENT 9 PAGE 22 OF 27 THERMAL HYDRAULIC CURVES OSP-0037 REV - 12 PAGE 47 OF 58

ATTACHMENT 9 PAGE 23 OF 27 THERMAL HYDRAULIC CURVES TIME TO MODE CHANGE (200 deg. F) AFTER FUEL SHUFFLE FOR FLOODED CONDITIONS AND RX WATER TEMPERATURE AT 110 DEGREES 40 I I¶ I¶ I 1- - - - -

II I I I I I I I II I I I I I I I I 1 1-L I I

---f7ý I

I i

35 44..44444. -ii H-1-J.

i i 30 i i 1 1 1 - -

i i i i i i i

~25 i i a v i m i i f LL i i i i I I (0 20 0 a-t-t -t After Fuel Shuffle -

w ff i i p15 -i-'

i i i i i 10 i p i Multiplier Temp 0.33 170 m-i-0.56 150 5 0.78 130]

v!--1 1.00 110 It-l 1.22 I

0 1-2 I90I--

I f 1 I I I 0 5 10 15 20 25 30 35 40 TIME AFTER SHUTDOWN (DAYS) 25 30 35 40 OSP-0037 REV - 12 PAGE 48 OF 58

ATTACHMENT 9 PAGE 24 OF 27 THERMAL HYDRAULIC CURVES HEAT UP RATE FOR FLOODED CONDITIONS AFTER FUEL SHUFFLE 8

7 w After Fuel Shuffle -

0. SHE:

U1 x 3ue5Sh40l

- A Afte 21 0 I I' -,..-

4 0T5U1 AFTER SHUTDOWN(

TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 49 OF 58

ATTACHMENT PAGE 25 OF 27 9 THERMAL HYDRAULIC CURVES F I SHUFFLE FOR FLOODED CONDITIONS AND RX TIME TO TOP OF ACTIVE FUEL AFTER FUEL WATER TEMPERATURE AT 110 DEGREES 400 oad-*

350 I L

-IL 300 250 S 200 -- --- --

- - 20

- -5 U

I 150 Mtlier Tm 100 50 30 40 0 30 35 5 10 15 20 25 0

TIME AFTER SHUTDOWN (DAYS)

OSP-0037 REV - 12 PAGE 50 OF 58

ATTACHMENT 9 PAGE 26 OF 27 THERMAL HYDRAULIC CURVES BEFORE FUEL SHUFFLE Decay Heat Up Heat Up Heat Up Heat Up Time To Time To Time To Time To Time To Time Time Time Heat Rate Rate Rate Rate Mode Mode Mode Mode Top Of To Top To Top To Top Flooded Flange MSL 85 in. Change Change Change Change Active Of Of Of Flooded Flange MSL 85 in. Fuel Active ActivelActive Flooded Fuel Fuel Fuel Flange MSL 85 in.

(MBtu/hr) (F/Hr) (FIHr) (FIHr) (F/Hr) (hrs) (hrs) (hrs) (hrs) (hrs) (hrs) (hrs) (hrs) 66.8 16.05 86.81 108.56 109.63= 5.61 1.04 0.83 0.82 61.32 6.85 4.37 4.28 54.1 13.00 70.31 87.92 88.79 6.93 1.28 1.02 1.01 75.72 8.46 5.40 5.28 47 11.28 61.08 76.38 77.14 7.97 1.47 1.17 1.17 87.16 9.73 6.21 6.08 42 10.09 54.58 68.26 68.93 8.92 1.65 1.32 1.31 97.53 10.89 6.96 6.80 38.3 9.20 49.77 62.24 62.86 9.78 1.81 1.45 1.43 106.96 11.95 7.63 7.46 35.9 8.62 46.62 58.29 58.92 10.44 1.93 1.54 1.53 114.20 12.76 8.15 7.96 33.4 8.02 43.41 54.28 54.82 11.22 2.07 1.66 1.64 122.65 13.70 8.75 8.56 31 7.45 40.29 50.38 50.88 12.09 2.23 1.79 1.77 132.14 14.76 9.43 9.22 28.2 6.77 36.65 45.83 46.28 13.29 2.46 1.96 1.94 145.26, 16.22 10.36 10.13 20.8 5.00 27.03 33.80 34.14 18.01 3.33 2.66 2.64 196.95 22.00 14.05 13.741 15.2 3.65 19.751 24.70 24.951 24.651 4.56 3.64 3.61, 269.50 30.10 19.23 18.80 OSP-0037 REV - 12 PAGE 51 OF 58

ATTACHMENT 9 PAGE 27 OF 27 THERMAL HYDRAULIC CURVES AFTER FUEL SHUFFLE

___________ 2 Time To Time . -Time . -Time -To 1:Time Time To Time To To Time To Time Days After Decay Heat Heat Up IHeat I.

Up T-1

-ý-I Heat -F Heat!

Time To HeatL i Time Mode To Time T-1 Mode To I Time To I Time To I Time Top To Of I'Top Of rl To ime To F Top Of Rate Rate Up Up Active Active Top Of Active Active Shutdown Change Change Mode Mode Flange Rate Rate Fuel Fuel Fuel Flooded Flooded Flange Change Change Fuel MSL 85 in. MSL 85 In. Flooded Flange MSL 85 in.

(hrs) (hrs) (hrs) (hrs) (hrs) (hrs)

(hrs) (hrs)

(Days) (MBtu/hr) (Fihr) (Fihr) (F/hr) I (Flhr) 2 3 1.84 137.10 15.31 9.78 9.56 12.54 2.32 1.85 4 29.88 7.18 38.83 48.56 49.04 2.01 150.33 16.79 10.72 10.49 44.72 13.75 2.54 2.03 11.21 5 27.25 6.55 35.41 44.29 2.15 160.52 17.93 11.45 33.17 41.47 41.85 14.69 2.72 2.17 12.03 6 25.5 6.13 2.33 2.31 172.37 19.25 12.30 38.62 39.00 15.77 2.91 12.96 7 23.77 5.71 30.88 2.51! 2.49 185.71 20.74 13.25 35.85 36.20 16.99 3.14 14.24 8 22.06 5.30 28.67 2.76 2.73 204.16 22.80 14.56 32.61 32.93 18.67 3.45 19.31 20.07 4.82 26.08 3.74 3.71 276.79 30-91 19.75 10 24.05 24.29 25.32 4.68 26.43 20 14.8 3.56 19.23 5.07 378.78 42.31 27.02 14.06 17.58 17.75 34.64 6.40 15.12 40 )l 10.82&I 2.60 ilI il ji J1I

ýj -- ,!ýL J. - I- - - ' - ____________- _____________

I- a - - -

OSP-0037 REV - 12 PAGE 52 OF 58

ATTACHMENT 10 PAGE 2 OF 3 EOI CORPORATE OUTAGE MANAGEMENT NUCLEAR SAFETY PHILOSOPHY Conservative decision making should be used to guide the day to day management of the Entergy units, including outage. Conservative decision making applies to outage planning functions such as selection of corrective maintenance and design changes as well as to the operational decisions to support outage activities. A high priority should be placed on equipment problems that require operator compensatory actions (workarounds).

Equipment deficiencies should be periodically reviewed to assess the cumulative or aggregate effects of degraded equipment on operator ability to respond effectively to plant transients. Priorities for resolution should be adjusted if needed. Compensatory measures for special outage conditions should be clearly communicated to the Operating shift. The procedure and conditions requiring closure of the containment hatch are one example of a compensatory measure.

Outage Planning Outage planning is the process of selecting and reviewing outage activities to establish scheduling requirements based on Technical Specification, operational, and implementation requirements, and shutdown risk considerations.

Outage planning must include a review of Infrequently Performed Tests and evolutions to ensure adequate precautions are taken. Management oversight during test review and performance, pre-shift briefings, and the establishment of test termination criteria are some of the measure employed to ensure proper test conduct.

Outage Scheduling

"* Outage scheduling is the process of integrating outage activities into a coordinated schedule which efficiently and safely accomplishes the outage scope within the restraints identified through outage planning.

" Key milestones are established to identify pre-outage activities, such as the scope freeze date, Design Change Package issue date, and work package.

issue date. These milestones will be established in advance to allow time for shutdown risk assessment, work implementation planning, and parts procurement.

Input for the detailed outage schedule is provided by past outage successes and a review of outage projects and scope, and the resources available. The schedule must take into account an assumed reserve of resources to deal with emergent issues. The reserve is based on past outage performance and management judgment of potential for emergent work based on the planned outage activities. The detailed outage resource loading must consider the need for personnel to have a reasonable amount of time off.

OSP-0037 REV - 12 PAGE 54 OF 58

ATTACHMENT 10 PAGE 3 OF 3 EOI CORPORATE OUTAGE MANAGEMENT NUCLEAR SAFETY PHILOSOPHY The detailed outage schedule is developed to meet the Technical Specification, operational and implementation requirements in a manner that provides for Defense in Depth under all shutdown conditions. The minimum combination of safety equipment required to maintain critical safety functions is established for each phase of the outage. Projects representing special risk conditions will be scheduled during periods when the risk is minimized due to a combination of plant condition and equipment availability. Special emphasis will be given to the scheduling of work with the potential to adversely affect Shutdown Cooling, the availability of AC power sources, and periods-when the combination of reactor inventory and decay heat load could result in a short time to boiling. An independent review of shutdown risk conditions and the equipment providing critical safety functions is performed as part of the final schedule approval.

Outage Implementation

"* The outage organization will be structured to provide clear project responsibility and a clear reporting relationship for both pre-outage and outage activities. This organization and the project responsibilities will be communicated to all outage personnel. Outage management shift coverage will be structured to provide outage oversight and decision making capability available on site when necessary. Clear communications through the use of scheduled outage meetings and management tours of outage work areas are used to keep the outage team informed, and to emphasize the importance of safe and efficient outage conduct.

" While the completion of outage activities generally reduces the shutdown risk, as the plant is returned to a normal operational alignment, the period just before plant restart presents a time of high activity with a heightened potential for personnel errors. Continued management shift coverage, equivalent to that employed during the major portion of the outage, should be considered during this period and the startup testing period. This enhanced coverage may be beneficial until the unit reaches a stable point in the post outage power ascension.

Outage Critique

A comprehensive critique is used following each major planned outage to provide a mechanism for continued improvement. The input for these critiques is structured to facilitate input from all levels of plant personnel.

The critique items are tracked between outages and reviewed as part of the planning process for the next outage to ensure that corrective actions are taken. Critiques are shared between the plant sites to allow each plant to benefit from the lessons learned.

OSP-0037 REV - 12 PAGE 55 OF 58

ATTACHMENT 11 PAGE I OF I APPROVAL FOR DEPARTURE FROM THE REQUIREMENTS OF THE SHUTDOWN OPERATIONS PROTECTION PLAN The Shutdown Operations Protection Plan is a set of specific guidelines and minimum equipment requirements established to maintain nuclear safety during shutdown operations. Approval for departure from guidelines contained in the Shutdown Operations Procedures Plan is obtained by filling out this Attachment and obtaining the appropriate signatures. Deviations from guidelines containing a "should" require approval from the Manager Operations. Deviations from guidelines containing a "shall" require approval from the General Manager Plant Operations. This approval does not allow the deviation from Technical Specifications.

1. Description of departure - what specific requirement will not be satisfied?

2. Why is this departure necessary?

3. Estimated duration departure will be in effect?

4. Will contingency/compensatory actions be taken or in place? (Attach Contingency Plans)

5. Will this departure result in a major scheduling change requiring a "Level 2 Schedule Change Request" and Outage Risk Assessment Team review? (If so attach a copy of ORAT request)

/ /

Originator Date SRO Review Date

/

Approved By:* Date

per above guidelines OSP-0037 REV - 12 PAGE 56 OF 58

ATTACHMENT 12 PAGE 10F2 GUIDANCE FOR PROTECTED DIVISION IDENTIFICATION This attachment provides guidance for determination of locations for placement of Protected Division signs. Additionally, this attachment provides for documentation of placement to ensure that appropriate signs are removed when a change in the Protected Division occurs. The guidance contained in this attachment is designed to aid the OSM/CRS in determining locations for postings and is not all encompassing. The final control and decision for posting is at the discretion of the OSM/CRS. For protection of SPC/ADHR, sign placement is performed per the written protection/contingency plan.

Below are some areas to be evaluated for posting if protecting Division I:

Division I Standby Diesel Generator, Division I Switchgear Room, Division I Battery and Inverter Rooms, Division I RPS, Low Pressure Core Spray Room, RHR A Room, Division I Standby Cooling Tower Switchgear Rooms, SWP-P2A Pump Room, Applicable Main Control Room Panels Below are some areas to be evaluated for posting if protecting Division II:

Division II Standby Diesel Generator, Division II Switchgear Room, Division II Battery and Inverter Rooms, Division II RPS, RHR B and RHR C Rooms, Division II Standby Cooling Tower Switchgear Rooms, SWP-P2B and SWP-P2D Pump Rooms, Applicable Main Control Room Panels Below are some areas to be evaluated for posting if protecting Division III:

Division III Diesel Generator, Division III Switchgear Room, Division III Battery and Inverter Rooms, SWP-P2C Pump Room, Applicable Main Control Room Panels OSP-0037 REV - 12 PAGE 57 OF 58

ATTACHMENT 12 PAGE 2 OF 2 GUIDANCE FOR PROTECTED DIVISION IDENTIFICATION PROTECTED DIVISION (circle one)

Division I Division II Division III Location Posted Init/Date Removed Init/Date Location L

____ i

-t

-t t I-

_____________________________________________ J OSM/CRS Review of Placement:

Signature/KCNJDate OSM/CRS Review of Removal Signature/KCN/Date OSP-0037 REV - 12 PAGE 58 OF 58

ML021190672

Contents

Text

SUBJECT:

REFERENCES:

Dear Sir or Madam:

Enclosures:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Description:

Navigation menu

ML021190672

Text

SUBJECT:

REFERENCES:

Dear Sir or Madam:

Enclosures:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Description:

Navigation menu

Search