Response to December 26, 2002 Request for Additional Information Regarding Severe Accident Mitigation Alternatives

ML030410599
Person / Time
Site:	Ginna
Issue date:	01/31/2003
From:	Mecredy R Rochester Gas & Electric Corp
To:	Robert Schaaf Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML030410599 (41)
v • d • e

Text

R j An Energy East Company wwwrge com ROCHESTER GAS AND ELECTRIC CORPORATION - 89 EASTAVENUE, ROCHESTER, N Y 14649-0001

• 585 546-2700 ROBERT C MECREDY VICE PRESIDENT NUCLEAR OPERATIONS January 31, 2003 U.S. Nuclear Regulatory Commission Document Control Desk Attn: Mr. Robert G. Schaaf (Mail Stop 0-12 D-3)

Office of Nuclear Reactor Regulation Washington, D.C. 20555-0001

Subject:

Response to December 26, 2002 "Request for Additional Information Regarding Severe Accident Mitigation Alternatives" R. E. Ginna Nuclear Power Plant Docket No. 50-244

Reference:

(1) Letter, Robert G. Schaaf (NRC) to Robert C. Mecredy (RG&E), December 26, 2002, "Request for Additional Information Regarding Severe Accident Mitigation Alternatives for the R. E. Ginna Nuclear Power Plant"

Dear Mr. Schaaf:

This letter is in response to your request as documented in Reference (1).

The Ginna Station Probabilistic Safety Assessment (PSA) was recently subject to an industry peer review. Although the results of the peer review were favorable, it was required that changes to PSA models be incorporated. Revision 4.2 of the Ginna PSA was completed in late December 2002. This revision is currently being used to evaluate the Severe Accident Mitigation Alternatives (SAMAs) generated for the License Renewal Application. Some dominant cut-sets and sequences have been affected by these changes. All current SAMAs are being reevaluated, and additional new SAMAs may be determined. Due to the short time frame available and extensive quantitative reanalysis required, certain responses to the December 16, 2002 request for additional information letter which require SAMA reevaluation are not able to be completed by January 31, 2003 as requested. In those cases, the information attached describes the methodology being employed to respond, as well as provides some meaningful insights. Other responses have been developed, and are attached. Our current schedule for completion of the responses requiring use of PSA Revision 4.2 and SAMA reevaluations is February 28, 2003.

Very truly yours, Robert C. Mecredy oood o o27_1.

Attachment xc: Regional Administrator, Region I U.S. Nuclear Regulatory Commission 475 Allendale Road King of Prussia, PA 19406 U.S. NRC Ginna Senior Resident Inspector Mr. Russ Arrighi, Project Manager Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike Rockville, MD 20852 Mr. Denis Wickham Sr. Vice President Transmission and Supply Energy East Management Corporation P.O. Box 5224 Binghamton, NY 13902

ATTACHMENT RESPONSE TO NRC'S REQUEST FOR ADDITIONAL INFORMATION REGARDING ISEVERE ACCIDENT MITIGATION ALTERNATIVES (SAMAS)

FOR THE R. E. GINNA NUCLEAR POWER PLANT (GINNA)

1. Although the process used by Rochester Gas and Electric Corporation (RG&E) to identify and screen potential SAMAs is described in general terms in the environmental report (ER), additional details are needed to understand how RG&E arrived at the final set of eight candidate SAMAs and to conclude that the full set of SAMAs evaluated by RG&E address the major risk contributors for Ginna. For example, RG&E states in the ER that it identified potential SAMAs from the Ginna Station Probabalistic Safety Assessment (PSA) and SAMA analyses submitted for other nuclear plant license renewals (Section 4.14.1), and that it focused on the dominant risk sequences identified by the model as well as the results of other risk-importance studies to further focus the evaluation (Section 4.14.3). However, few specifics are given. RG&E provides the Ginna risk profile and the importance analyses in Sections 1.2 and 1.3, but little information is provided on how the risk profile and importance analyses were used to identify or screen potential SAMAs.

Additionally, the NRC staff notes that shutdown and fuel handling/spent fuel pool (SFP) cooling events are important contributors to core damage frequency (CDF) and large early release frequency (LERF), yet none of the SAMAs mentioned in the ER appear to address these contributors. In this regard, please provide the following additional information:

a. A description of how the dominant risk contributors at Ginna, including dominant sequences and cut sets from the PSA, were used to identify potential plant-specific SAMAs;

b. A description of how many sequences and cut sets were considered in the SAMA identification process and what percentage of the total CDF they represent;

c. A listing (more detailed than in Section E.1.3) of equipment failures and human actions that have the greatest potential for reducing risk at Ginna based on importance analyses and cut set screening;

d. A description of how many SAMAs were considered before arriving at the final set of eight candidates, and the process used to eliminate candidate SAMAs from further review or consideration; and

e. Justification that SAMAs that address each of the major risk contributors, including shutdown and fuel handling/SFP cooling events, have been adequately addressed.

Response to RAI Ia Ginna focused the process of identifying SAMAs by concentrating on those events that are dominant contributors to CDF and to LERF. RG&E staff reviewed the top cutsets to identify those important to the overall risk. However, given that this type of review can be biased by the dominance of one event, RG&E relied on the review of the top cutsets by sequence to identify ATTACHMENT the key failures that characterize an event's contribution to risk.

In addition, RG&E considered the importance analyses results to further target potential areas of improvement. Two importance measures, Fussel-Vesely (F-V) and risk achievement worth (RAW), were generated for initiating events, systems, components, and human actions. For each of these areas, the importance measures were combined to identify systems and components with "high" risk significance. Using this method, ifthe F-V value is greater than 0.05 at the system level (greater than 0.005 at the component level) and a RAW greater than 10 at the system level (greater than 2 at the component level), the system or component was identified as being "high" risk significant. If the system or component exceeded these criteria for only one of these measures, it was considered being "medium" risk significant.

As a result of these reviews, potential areas for improvement were identified. SAMAs identified by other license renewal applicants were reviewed specifically for concepts relative to these areas.

As conceptual ideas were developed, their estimated cost were considered against the maximum attainable benefit. Those clearly exceeding this cost threshold were not considered further.

Response to RAI lb The cutset review is generally discussed in the response to RAI 1a. As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev.

4.2) with the completion of the RAI responses. Since additional cutsets will be reviewed in that process, RG&E will provide a response to this question in full relative to the revised analysis.

Response to RAI Ic The following table provides detailed results for the importance analysis. These results are generated by PSA Rev. 4.2. RG&E will clarify differences in the importance rankings from that discussed in the ER in the response to the remaining RAls.

I LEVEL 1IMPORTANCE ANALYSIS RESULTS NEW EIN DESCRIPTION PROB F-V RAW PROB Initiating Events FIOCR3-1 Fire in Zone CR-3 (Control 1.7E-03 1.58E-01 93.93 1.97E-03 Room Fire Scenario 1 or 2)

TXOOORHR Loss of RHR During 4.06E-04 1.51 E-01 374.32 4.73E-04 Shutdown FLOOOTB3 Steam Flooding Event in 6.32E-03 8.05E-02 13.65 8.29E-3 Turbine Building I LIOSGTRA Steam Generator Tube 2.44E-03 7.50E-02 31.65 3.26E-03 Rupture in SG A ACLOPSHTDN Loss of Offsite Power During 4.19E-04 7.49E-02 179.09 5.6E-4 24-hour Period when Shutdown LIOSGTRB Steam Generator Tube 2.44E-03 7.47E-02 31.51 3.26E-03 Rupture in SG B Human Errors ATTACHMENT LEVEL I IMPORTANCE ANALYSIS RESULTS NEW EIN DESCRIPTION PROB F-V RAW PROB FSHFDCR-3-X Fire brigade fail to manually 1.85E-02 1.90E-01 11.086 2.09E-02 suppress fire in Control Room XXHFGSGTRE Operators fail to respond to 2.OOE-03 8.55E-02 43.62 2.59E-03 signals indicating SGTR (Early)

RHHFDREC04 Operators fail to recover RHR 3.28E-01 8.05E-02 1.16 4.3E-01 system before onset of boiling (4-12 hours)

RCHFPCDTR2 Operator fails to cooldown 1.38E-01 7.84E-02 1.489 1.82E-01 RHR after SI fails - SGTR SWHFDSTART Operator fails to start SW 3.24E-01 7.80E-02 1.162 4.28E-01 pump IFHFDAFWSW Operators fail to locally align 6.56E-02 6.15E-02 1.876 9.24E-02 SW to TDAFW and SAFW suction following CR evacuation for floods or fires (ER-FIRE)

XXHFGNOAFW Operators fail to diagnose a 5.OOE-01 3.16E-02 1.03 8.98E-01 loss of all AFW IFHFDTBISL Failure to isolate large TB 9.66E-03 3.05E-02 4.13 1.76E-02 flood CVHFDPMPST Operators fail to manually 7.01E-01 2.56E-02 1.01 1.39E+0 load charging pump FSHFDTSCLT Operators fail to use the TSC 2.58E-02 2.45E-02 1.92 5.23E-02 Battery Charger for long-term loss of AC Train B I AXHFPSAFWX Operator fails to align and 1.OOE-02 2.22E-02 3.20 2.13E-02 start SAFW pumps C & D RRHFDRECRC- Operator fails to correctly 3.55E-04 2.19E-02 62.66 7.62E-04 M shift the RHR system to recirculation and isolate CS MBLOCA RCHFPCOOLD Operators fail to correctly 9.66E-03 1.98E-02 3.02 2.2E-02 shift the RHR after ARV sticks open or overfill occurs during SGTR RCHFPCDDPR Operators fail to cool down 8.21 E-02 1.97E-02 1.22 1.87E-01 and depressurize to prevent SG overfill during SGTR RHHFDREC24 Operators fail to recover RHR 6.44E-03 1.86E-02 3.86 1.52E-02 system before onset of boiling (12 - 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)

MSHFPISOLR Operators fail to isolate a 1.39E-02 1.82E-02 2.28 3.31 E-02 ruptured steam generator Test and Maintenance Activities CVTMCHPMPA Test or maintenance renders 7.04E-02 9.03E-02 2.192 9.OOE-02 charging pump A unavailable ATTACHMENT LEVEL I IMPORTANCE ANALYSIS RESULTS NEW EIN DESCRIPTION PROB F-V RAW PROB DGTM00001B Diesel Generator KDG01B 1.74E-02 3.86E-02 3.177 2.87E-02 unavailable due to testing or maintenance DGTM00001A Diesel Generator KOG01A 1.55E-02 3.OOE-02 2.903 2.85E-02 unavailable due to testing or maintenance AFTMOTDAFW TDAFW pump out-of - 1.43E-02 2.57E-02 2.889 2.65E-02 service for maintenance Systems DG 3.20E-01 1919.596 RCS 2.92E-01 8351851 Fire Protection 2.84E-01 25145.02 RHR 2.21E-01 647980.3 Offsite Power 1.82E-01 10344.21 CVCS 1.71E-01 25145.02 MS 1.40E-01 164.3292 CCW 1.09E-01 13090.92 AFW 9.71 E-02 941888.8 SW 7.94E-02 8364.804 Motor-Operated Valves 738A I MOV 738A fails to open 3.90E-03 I 1.30E-02 14.315 1.15E-02 738B MOV 738B fails to open 3.90E-03 1.28E-02 4.257 1.16E-02 Air-Operated Valves 430 PORV PCV-430 fail to reseat 5.OOE-03 6.57E-03 2.306 2.41 E-02 after steam relief Pump, Compressors, and Fans PAF03 Failure of TDAFW pump train 9.68E-03 1.72E-02 2.762 2.38E-02 components Major Electrical Component KDG01B/run Diesel Generator B fails to 4.22E-02 8.01E-02 2.815 5.55E-02 run KDG01A/run Diesel Generator A fails to 4.22E-02 7.47E-02 2.693 5.65E-02 run KDG01Blstart Diesel Generator B fails to 1.01E-02 4.1OE-02 5.013 1.63E-02 start KDG01Nstart Diesel Generator A fails to 1.01E-02 3.96E-02 4.880 1.65E-02 start I I I I IBPDPCBCB 120 VAC Instrument Bus C 2.09E-05 I 1.57E-02 745.85 5.43E-05 I____ _ (IBPDPCBCB) bus faults I I Response to RAI ld RG&E reviewed many SAMAs evaluated in recent license renewal applications, trying to determine their potential applicability to Ginna. Within that review, many SAMAs that were clearly not cost-beneficial or applicable were qualitatively screened out. Following that industry review, the process described in response to RAIla was followed, and Ginna-specific conceptual modifications were identified. These ideas were either refined into the 8 SAMAs evaluated or ATTACHMENT eliminated due to physical limitations (e.g., installing a check valve in an area that would not have adequate access for installation) or implementation would cause inceased vulnerabilities to other areas. RG&E feels that this process generated "realistic" SAMAs specific to Ginna rather than generating and submitting a lengthy list of potential SAMAs that had limited potential for benefit or were not applicable to the plant, for the sake of numbers.

Response to RAI le Please see the responses to RAls 8b and 8d.

2. In Section 1.1 of Appendix E to the ER, RG&E states that Revision 4.1 of the Ginna PSA was used for the SAMA analysis, and a brief description of the major changes to the preceding models is given. To gain a better understanding of how the PSA model has evolved and the impacts of the changes made to the model, please provide the following:

a. A description of the major differences when comparing the Revision 4.1 PSA to the individual plant examination (IPE) model, which had an internal event CDF of 5.02E-05/y, including the plant and/or modeling changes that have resulted in the new CDF and LERF. According to Table E.1-2, the new internal-event CDF (not including shutdown and the "Fuel handling accidentlSpent Fuel Pool") is 23 percent of the total CDF or 9.15E-06/y.

Explain the principal reasons for this fivefold decrease in the full-power, internal events CDF, relative to the IPE results.

b. A list of plant improvements identified through the IPE and individual plant examination of externally initiated events (IPEEE), the status of each, and whether any improvements not implemented are among the SAMAs considered. (Note: plant modifications are provided in Section 1.4.2 of Appendix E to the ER, but it is not clear whether any of these were identified in the IPE or IPEEE as proposed modifications.) In particular, address the five "potential vulnerabilities" that were discussed in Section 11.1.3 of the Ginna revised IPE submittal.

c. A short description defining all the plant damage states (PDSs), and the accident sequences that dominate the PDSs (for the version of the model that was used for the SAMA analysis).

Response to RAI 2a:

As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAI responses. It is noted that Section E.1.1 of the License Renewal Environmental Report summarizes the PSA changes reflected in Revisions 1 through 4.0. In response to this RAI, RG&E will expand that summary to describe changes through Rev. 4.2 and provide the principal reasons for the decrease in the full-power, internal events CDF relative to the IPE results.

Response to RAI 2b:

RG&E completed the individual plant examination (IPE) in January 1997 and five items were identified as potential plant vulnerabilities. The status of each of these and their consideration in the SAMA analysis is discussed below.

Relays for SG Low-Low Actuation of AFW - this potential vulnerability dealt with the ATTACHMENT relays for an SG low-low level signal being powered by non-safeguards Instrument Bus D, which would unavailable upon loss of offsite power. RG&E determined to utilize a spare circuit from rack B2 to rack M2 to power the actuation logic. Since rack B2 is power from Instrument Bus C, a redundant electrical bus would now be provided for SG low-low level actuation. Since this modification has been implemented, it was not addressed in the SAMA analysis.

" Interfacing Systems LOCA (ISLOCA) through Penetration 111 - this potential vulnerability addressed the possibility for a LOCA outside containment through Penetration 111 to fail all RHR due to the low elevation of the RHR pump pits.

RG&E;s review through the IPE program indicated that adequate assurance of each check valve's reliability for seating is demonstrated through repeatedly good performance during leak testing and no further action was deemed necessary. This was evaluated further in the SAMA analysis by SAMA number 5.

"* SAFW System Out-of-Service Activities - this potential vulnerability was identified because both trains of SAFW can be removed from service simultaneously for as many as seven days. RG&E revised SPG-01, "Integrated Schedule Risk Assesment" to require that at least one SAFW train always by operable for elective maintenance.

Since this modification has been implement, it was not addressed in the SAMA analysis.

"* Charging Pump Suction - this potential vulnerability relected the possibility that charging pump suction from the VCT could be post upon loss of DC control power or instrument air. RG&E's review through the IPE program verified that sufficient time and guidance exists to permit manual realignment of charging pump suction to the RWST. This was evaluated further in the SAMA analysis by SAMA numbers 3 and 4.

"* Intermediate Building Ventilation - this potential vulnerability exists from ventilation concerns that during AFW operation due to the collocation of the preferred AFW pumps in the Intermediate Building basement. Upon further review, RG&E determined that the failure assumption in the IPE was overly conservative and reduce the vulnerability to no action and was not addressed in the SAMA analysis.

The individual plant examination for external events was completed in December of 2000. The review addressed seismic events, fires, high winds, external flooding, and other external events, as well as internal flooding. All vulnerabilities and items of concern were resolved except for seismically induced flooding resulting from the failure of the Reactor Makeup Water Tank and the Monitor Tank. This item is discussed further in response to RAI 4d. Given that RG&E is evaluating potential modifications to address this issue, it was not addressed further in the SAMA analysis.

Response to RAI 2c:

As noted in response to RAI 2a, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAl responses. RG&E will address this question in full specific to Rev. 4.2 in that submittal.

3. In Section 2.1.2 of Appendix E to the ER, RG&E states that the source terms (STs) were obtained from the latest Level 2 Ginna Station PSA model analysis. Please provide more detailed information (e.g., a tabular list) on the release categories used in the SAMA analyses, including the definition, fractional releases, timing of releases, frequency, containment matrix (relationship between PDSs and release categories), and the associated conditional consequences. Confirm whether the STs are the same as in the IPE and, if not, explain howlwhy they are different.

ATTACHMENT Response to RAI 3:

As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAI responses. RG&E will address this question in full relative to PSA Rev. 4.2 in that submittal. Source terms used in the SAMA analysis were derived from the IPE MAAP analysis and have not changed.

4. In Section 4.14.2 of the ER, RG&E states that the Ginna Station PSA model includes internal events, external events, and shutdown events, and that the model has been upgraded since the completion of the IPE and IPEEE. Please address the following in this regard:

a. Describe how fires and internal floods are addressed in the current PSA model, and the major changes made to the PSA model to accommodate these events since the issuance of the IPEEE.

b. Based on the information provided in the ER, it is not clear to what extent, if at all, seismic events were evaluated in the SAMA analysis. Please describe how seismic events were addressed in the SAMA analysis, including:

(1) consideration of potential plant improvements to address risk significant seismic events, and (2) consideration of the additional risk reduction that internal event SAMAs (i.e., SAMAs intended primarily to address specific internal events) might offer in seismic events. Justify why the consideration of seismic events in the SAMA assessment is adequate.

c. In Tables E.1-1 and E.1-2 of Appendix E to the ER, fires are shown to be significant contributors to the CDF. The staff recognizes that RG&E has implemented procedural changes that deal with fire scenarios, and that one of the SAMAs considered is due to fire or flooding. Please describe the treatment of fires in the current PSA model and any other SAMAs that were considered that could reduce the risk due to fire. If no other SAMAs were considered, please justify why the consideration of fire in the SAMA assessment is adequate.

d. In the NRC technical evaluation report on the Ginna IPEEE, RG&E states that:

... the licensee's response to the RAI on the selection of a second success path mentions an outlier which is still being investigated. As discussed in Section 2.4 of this TER, a second success path, for small LOCA, was evaluatedby the licensee for potential failure due to seismically induced damage from otherequipment, and it was found to be vulnerable to failures causedby seismically induced flooding. The Reactor Makeup Water Tank and the Monitor Tank, if failed, can cause the interruptionof one or more of the systems selected for the second success path. According to the licensee's response to the RAI, "these tanks will be consideredoutliers and will be examined to determine the correct course of action to reduce as needed the core damage risks associatedwith a seismic event."

ATTACHMENT Please discuss whether this matter was considered as part of the SAMA assessment and, if not, explain why.

Response to RAI 4a:

FIRE EVENTS The fire analysis was a series of qualitative and quantitative assessments. This is due to the fact that the presence of fire hazards in a location alone may not necessarily induce significant risk to plant operation. The hazards must have the potential to initiate a plant transient or damage plant equipment required to mitigate accidents. Thus, spatial interactions between fire and smoke hazards and plant safety components govern fire risk to the plant operation.

The fire analysis employed a top-down approach to evaluate all plant locations within the controlled area of Ginna Station. The analysis began with the examination of the general layout drawings and plant description to identify the building/structures within the controlled area. A preliminary screening was performed to eliminate the buildings/structures deemed unimportant to the analysis.

A plant location was considered to be potentially important in a fire risk analysis if it satisfied either of the following criteria:

1. The location contains fire-susceptible safety-related plant equipment (a component, or its associated power or control cables, whose damage can cause an initiating event or interfere with the ability to mitigate accidents); or

2. The location contains a significant amount of combustibles that, if ignited, could result in a fire that could potentially damage safety-related plant equipment in its immediate area or propagate to a plant location containing fire-susceptible, safety-related equipment.

The following bases and assumptions were established for evaluating potential fire initiators:

1. All plant locations were assessed for core damage potential from fire and smoke hazards.

2. Only mishaps initiated by electrical and mechanical faults, and operator activities, were addressed. Mishaps resulting from sabotage or arson were excluded.

3. As assumed in the Ginna Safe Shutdown Analysis, a fire area is defined as a location surrounded by a two- to three-hour-rated fire barrier (door, wall, or penetration seal).

4. A fire zone is used to describe a plant location subdivided from a fire area. Generally, no barrier rating is required for a fire zone. Most plant locations were evaluated at the fire zone level, since this is the level of detail available from the cable database. All locations examined in this analysis are referred to as fire zones, though some may actually be fire areas.

The combustible loadings, supplemented by plant walkdowns, provided a rough estimated of the in-situ and transient amounts in each fire area. Included among combustibles are lube oil, cable insulation, charcoal, and paper. The Appendix R report also provides an estimate of the fire severity, fire detection and suppression capabilities, and fire barrier rating for each area.

Fire and smoke risks can also be produced by component faults. The following categories of components and locations were treated as sources of fire and smoke hazards.

• Equipment:

- Reactor Coolant Pump ATTACHMENT

- Turbine/Generator

- HVAC Chiller

- HVAC Fans

- Motor-Generator Sets

- Battery Charger/Inverter

- Battery

- Transformer- High Voltage (> 4.16 kV)

- Transformer - Low Voltage (< 4.16 kV)

- Transformer - Instrument Power

- Switchgear> 480 V

- Switchgear< 480 V

- Motor Control Center

- Low Power Cabinet

- Cables Location:

- Containment - Other than RCPs

- Auxiliary Building - Radwaste

- Auxiliary Building - Other than Radwaste

- Turbine Building - Other than Turbine/Generator

- Screenhouse

- Diesel Generator Rooms

- Control Room After preliminary screening, plant locations retained for further analysis were subdivided into smaller areas of manageable size for the subsequent analysis. The fire areas and sub-areas (zones) defined in the Ginna Station Fire Hazards Analysis were used as the basis. Generally, plant locations are grouped into a fire zone when they share the following characteristics:

1. Fire can propagate freely between the locations

2. The locations contain equipment whose failure causes similar impacts to the plant

3. The locations are protected by similar fire protection capabilities

4. The fire hazard contents are similar in the locations

5. A physical barrier separated the combined locations from the rest of the plant areas, with a significant time delay expected before a fire can propagate from the combined location to other areas.

Of the 64 fire zones retained from the preliminary, qualitative screening, 48 survived and were later quantified in terms of fire ignition frequency.

Internal Fire Initiating Events Individual internal fire initiating events were identified in conjunction with information obtained from plant walkdowns. The following guidelines were used to identify the final listing of initiating events:

1. A fire zone can produce multiple fire scenarios. A scenario is used to describe the progress of a specific fire mishap in terms of: a specific location where the fire originates; the ignition source; combustible loadings, critical components, and location specific features that may foster or hinder a fire's growth or control; potential impact on the plant; and possible operator recovery actions to prevent core damage.

2. Fire propagation within (usually considered "local") and between fire zones was ATTACHMENT evaluated to ensure the risk impact was not underestimated.

In order to generate the appropriate ignition frequencies for the selected fire scenarios, it was important that the hazard occurrence frequencies consistently account for generic industry data and any plant-specific experience for the type of hazard that is being evaluated in the type of location that is being modeled. The industry event data are combined with actual plant-specific experience through a two-stage Bayesian analysis as described below.

The generic data have been collected from several sources, especially a proprietary database for fire events containing summaries of more than 750 fire events that have occurred at U.S.

nuclear power plants through the end of 1993. These event summaries have been extracted from NRC Licensee Event Reports (LERs), American Nuclear Insurers' data, and plant-specific data collected from selected other PSA studies. The generic fire event database for use in the Ginna study was limited to events occurring between January 1, 1980, and December 31, 1992.

The starting date accounts for substantial improvements in fire protection systems and personnel awareness different from those pre-1980. The end date accounts for possible incompleteness for reporting of post-1 992 events in the generic database.

Fire Event Categories Three general types of fire event categories were defined for the Ginna analysis. Two of these may be broadly characterized as "location type" and "equipment type." The third applies to control room fires. This classification scheme was applied to both generic and plant-specific fire events based on the type of location where the fire occurred or the type of equipment affected by the fire.

"* Location Fire Categories - Generally it is preferable to use location-type data for large areas that contain a variety of mechanical equipment. The composite fire event data account for the types of equipment (e.g., pump motors, valves, oil systems) that are typically found in such areas. The data also account for the types of operating, testing, and maintenance activities that occur around mechanical equipment, the possible presence of transient combustibles associated with these activities, and the general amount of personnel traffic in large open areas of the plant. The Ginna database specified the following five location-type categories: (1) Containment, other than RCP fires; (2) Auxiliary Building - Radwaste; (3) Auxiliary Building - other than Radwaste; (4) Turbine Building - other than turbine/generator fires; and (5)

Screenhouse.

" Equipment Fire Categories - Generally it is preferable to use equipment-type data for the following types of locations: (1) those containing only a single type of relatively unique mechanical component, such as diesel generators; (2) those containing equipment that represents a unique hazard source or possesses unique operational characteristics, such as RCPs; and (3) those containing electrical equipment, instrumentation, control cabinets, and cables. The following 16 equipment-type categories were employed for the Ginna database:

1. Reactor coolant pumps

2. Turbine/generator

3. Diesel generator sets

4. HVAC chiller

5. HVAC fan

6. Motor-generator sets

7. Battery charger/inverter ATTACHMENT

8. Battery

9. Transformer - high voltage

10. Transformer - low voltage

11. Transformer - instrument power

12. Switchgear > 480 V

13. Switchgear_< 480 V

14. Motor control center

15. Logic cabinet

16. Cable Control Room Fires - Due to its unique features, continuous occupancy, and strict administrative controls, a separate category is defined for fires that occur in main, auxiliary, or emergency control rooms. These include all fires that occur in plant control rooms, regardless of the cause or specific type of panel affected.

Not all events in the generic database were applicable to the design and operation of Ginna.

The information and defined boundaries for each fire event were carefully reviewed to determine applicability, resulting in a "reduced" generic database for Ginna Station, accounting for specific features of the plant. For example, Ginna Station's MFW pumps are motor-driven; therefore, all turbine-driven pump related fires were removed from the specialized database. Also, an event that can occur only during shutdown (certain maintenance and welding fires) was removed as non-applicable during power operation. The final database contains only events that can occur at Ginna Station during power operation.

A two-stage Bayesian analysis was performed to combine the industry data from the reduced Ginna generic database with the historic fires at Ginna. Stage one of the analysis developed a generic frequency distribution for each hazard that consistently accounts for the observed site to-site variability in the industry experience data. Stage two updates this generic frequency to account for the plant-specific fires. Plant-specific fire event data for Ginna were compiled from 18.5 years (1979 through mid-1997) of Ginna Internal Fire Brigade Reports. The events were screened to determine which events apply to the chosen fire event categories and plant locations. Initiating event frequencies for each fire category were then quantified through the two-stage Bayesian process.

To obtain a fire frequency for a Ginna fire zone, the total frequency of each component category is apportioned to the defined fire zones containing the component. The fire frequency reflects the variety and number of components, in-situ fuel sources, fuel loading, floor area, and personnel activities with the zone. The fire frequencies for each of the initiators were developed via these apportioning techniques.

Changes to the Internal Fire PSA Since the IPEEE The Ginna Station IPEEE was submitted to NRC on June 30, 1998 (Letter from R.C. Mecredy to G.S. Vissing, Ginna Station Fire IPEEE; Ginna Station Hydrogen Storage Facility; R.E. Ginna Nuclear Power Plant,Docket #50-224). In response to NRC questions related to their review of the submittal, a second letter was submitted to NRC on July 2, 1999 (Letter from R.C. Mecredy to G.S. Vissing, Response to Request for AdditionalInformation on IPEEE,R.E. Ginna Nuclear Power Plant,Docket #50-224). This submittal included a re-evaluation of the Fire IPEEE. Since the submittal of these two documents, the following major changes to the internal fire PSA have been incorporated.

1. The installed fire suppression systems have been explicitly modeled in the fault trees ATTACHMENT (versus previous use of a single failure value), with corresponding splitting of fire initiators in zones where suppression can succeed or fail into two initiators, one for each possibility.

2. Initiating events and scenarios for explosions of hydrogen and other combustible gases have been added.

3. Several human error events have been added, and a few deleted, to reflect more detailed modeling of specific fire scenarios, including ones associated with the new explosion scenarios (see item 2). Some previously assigned screening values for their probabilities have been subjected to detailed human error analysis to yield more accurate values for their probabilities. Periodic enhancements to the ER.FIRE procedure series, addressing Alternate Shutdown for Appendix R Fire Zones, have been reviewed and incorporated into the human error analysis as appropriate.

Internal Flooding Events The internal flooding initiating events analysis initially involved the qualitative screening of all Ginna Station plant buildings and areas. Qualitative screening criteria were implemented to eliminate buildings and areas that pose negligible risk due to internal flooding events on the basis that:

1. The building or area contained no equipment whose failure could cause a reactor trip;

2. The building or area contained no equipment modeled within the PSA that would be necessary to mitigate an accident or transient; and

3. There is no credible potential for floods spreading to other buildings or areas that could cause a reactor trip or affect accident mitigation related equipment.

A building or area had to meet all three criteria in order to be eliminated by the first qualitative screen. The following buildings were screened from further analysis:

1. Butler Building

2. Nitrogen Storage Area

3. Bob Smith Engineering Building

4. Project QC Storage

5. Receiving Dock

6. Radwaste Storage Building

7. Security Building

8. Steam Generator Building

9. Storage Building Southwest

10. Contaminated Storage Building After completing the qualitative screening, a database of historical internal flooding initiating events for U.S. nuclear power plants was reviewed, as well as the records for flooding events that have occurred at Ginna Station. This review allowed initiating event categories pertinent to Ginna Station to be identified, and enabled all relevant historical events to be matched with the appropriate category specific for Ginna Station. This categorization also allowed the initiating event frequency calculations to be performed.

The history of internal flooding throughout the nuclear industry was researched and organized by major building. Each historical flood event was categorized with respect to submerging or spraying equipment, along with whether or not the flood created a steam environment. Each flood was also sorted by size (i.e., very large, large, or small) and the potential for a reactor trip.

The next step was to better define internal flooding zones for the retained plant buildings and ATTACHMENT areas. The zone designation was performed by building, by building elevation, or by plant area on the basis that flooding events would have distinct consequences for each zone. Initially, flooding zones were categorized based on fire zones and areas since this provided a standardized approach for evaluation. Also, fire zones and areas are typically isolated from one another to prevent fire propagation. This could be expected to be sufficient to limit the flooding consequences between zones. Plant walkdowns were conducted to ensure that this assumption was valid with modifications to the fault tree models as necessary. Plant equipment contained in each flood zone was also assessed with respect to flooding and spray potential. The list of internal flooding zones was then combined to create a final listing of flooding initiators as described in the next paragraph.

Internal Flood Initiating Events Individual internal flood initiating events were identified in conjunction with information obtained from plant walkdowns to account for initiating events judged to be unique to Ginna Station and not adequately reflected by the data population. The following guidelines were used to identify the final listing of initiating events:

1. For some internal flooding zones, initiating event categories were combined into one event if no unique consequences were identified. For example, two initiating event categories apply to the diesel generator building - a spraying event and a submergence event. These two categories were combined into a single initiating event since the consequences for the events were postulated to be the same (i.e., loss of the diesel generator).

2. One initiating event was identified as part of plant walkdowns that was judged to not be adequately reflected by historical data: leakage or rupture of the RWST located in the auxiliary building since RWSTs are installed external to plant buildings at most U.S.

nuclear power plants. This initiator was retained for evaluation.

Ginna Station internal flooding initiating event frequencies are based on nuclear industry experience and actual Ginna experience and were quantified using a two-stage Bayesian data update technique. Historical event data used for the frequency calculations was compiled and binned as discussed above and was then used to generate initiating event frequencies using the following guidelines:

1. Historical flooding events were binned based on general plant locations as discussed above. The bins are: AB/IB/SAF - auxiliary building, intermediate building, and standby auxiliary feedwater pump room; CB - control building; DG - diesel generator building; RC

- reactor containment; SB - service building; SH - service water/circulating water screenhouse and pump area; TB - turbine building; OT-all other plant areas. Initiating event frequencies for each of these bins were calculated using a two-stage Bayesian data update technique.

2. The frequency bins were then further apportioned to apply the data to the actual internal flooding initiating events identified for Ginna Station. This apportioning was performed to further delineate flood locations, flood types and sizes, as well as damage likelihood where applicable.

3. In one instance, the historical flooding data was judged to not be representative of Ginna Station's specific equipment configuration. At Ginna the RWST is installed within the auxiliary building (these tanks are typically installed outside of plant buildings at U.S.

nuclear power plants). The initiating event frequency for floods involving this source was calculated based on the frequency of tank leakage/rupture.

ATTACHMENT Changes to the Internal Flooding PSA Since the IPEEE Revision 1 of the Ginna Station Internal Flooding Analysis was submitted to NRC on March 1, 1999 (Letter from R.C. Mecredy to G.S. Vissing, GenericLetter 88-20, InternalFloodingPSA, Rochester Gas & Electric Corp., R.E. Ginna NuclearPower Plant,Docket #50-244). In response to NRC questions related to their review of the submittal, a second letter was submitted to NRC on June 2, 2000 (Letter from R.C. Mecredy to G.S. Vissing, Generic Letter 88-20, Internal Flooding PSA FinalReport, Rochester Gas & Electric Corp., R.E. Ginna NuclearPower Plant, Docket #50-244). Since the submittal of these two documents, the following major changes to the internal flooding PSA have been incorporated.

1. The dominant accident scenarios, arising from a large Service Water flood in the Battery Rooms, have been eliminated as a result of a permanent plant modification in December 2000. All Service Water piping in the Battery Rooms was removed and thus this logic was removed from the model.

2. Several human error events, previously assigned screening values for their probabilities, have been subjected to detailed human error analysis to yield more accurate values for their probabilities.

3. Several flooding initiator frequencies have been revised, as well as some new ones added, to model certain zone-specific floods in greater detail.

Response to RAI 4b:

Seismic events were not explicitly treated in the SAMA analysis, because of the recent, and extensive, evaluations and modifications developed to meet IPEEE and SQUG. In NUREG 1742, "Perspectives Gained from the Individual Plant Examinations of External Events (IPEEE)

Program", it is noted that 52 outliers existed from the IPEEE analysis. It is further noted that RG&E would commit to expend no additional effort to address these outliers. Although this was our regulatory commitment, RG&E nonetheless decided internally to evaluate all of these issues.

By a combination of reanalysis, procedure changes, and modifications, only one item remains open. This item regards the second success path for mitigating a small LOCA in the event of a failure of the Reactor Makeup Water Tank and the Monitor Tanks, and is discussed in more detail in response to RAI 4d. Examples of changes at Ginna Station made to resolve the IPEEE outliers are:

• seismic reanalysis of motor control centers, certain block walls, and valves/operators

• modifications to switchgear, cable tray supports, valve operator restraints, duct hangers, vibration isolators, and CCW and RHR equipment anchorages

• procedure changes regarding use of safe shutdown instrumentation

• replacement of the station batteries and certain relays Because of the fact that Ginna Station has not performed a seismic PSA (and thus explicitly incorporating seismic into the Ginna PSA is not feasible), and due to the extensive recent changes made because of IPEEE and SQUG, RG&E considers that adequate seismic insights have been included in the Ginna Station design, without further SAMA assessments.

Response to RAI 4c:

The treatment of fires within the current PSA model is addressed in Response to RAI 4a above.

With respect to consideration of SAMA's that could reduce the risk due to fire, six of the eight SAMAs presented in the ER have elements of internal fire, as discussed in the following paragraphs.

SAMA 1. The proposed SAMA to add a skid-mounted 480V DG would mitigate accidents ATTACHMENT not only induced by SBO, but also induced by fire. The contribution to the total internal fire CDF (1.143E-05/yr) from DG-related failures to start or run and test/maintenance unavailability, including not only the two emergency DGs, but also the Security DG, is 7.70% (obtained by setting the corresponding failure probabilities to zero and recalculating the CDF or, equivalently, summing the corresponding Fussell-Vesely importance values).

SAMA 2. The proposed SAMA to add a third fire water source independent of the existing two fire pumps would serve to mitigate accidents from internal fires. The contribution to the total internal fire CDF from fire-pump-related failures to start or run and test/maintenance unavailability is 0.444% (obtained in a manner analogous to above).

SAMA 3. The proposed SAMA to add a standby charging pump independent of the existing three cites an impact on accident mitigation in the event of a fire in the Charging Pump Room. However, beyond this, it is found that the contribution to the total internal fire CDF from Charging-Pump-related failures to start or run and test/maintenance unavailability is 30.8% (obtained as noted above), nearly all arising from test/maintenance unavailability of Charging Pump A. (Note - an earlier SAMA was proposed to increase the availability of Charging Pump A by enhanced maintenance. However, this was deemed to be subsumed by the proposed SAMA 3.)

SAMA 4. The proposed SAMA to modify procedures to allow Charging Pump B or C to be realigned manually cites an impact on accident mitigation through the plant procedure ER.FIRE-1 "Alternative Shutdown for Control Complex Fire." In a manner analogous to SAMA 3, the contribution to the total internal fire CDF from just these two Charging Pump basic events is 0.436%.

SAMA 6. The proposed SAMA to modify the motor-driven AFW pump cooling system to be independent of Service Water cites an impact on accident mitigation in the event of a fire in the Screenhouse. The contribution to the total fire internal CDF from Screenhouse fires is 0.952% (obtained as above).

SAMA 7. The proposed SAMA to modify AOV 11 2C to fail closed and AOV 11 2B to fail open upon loss of Instrument Air would serve to mitigate accidents from internal fires. The contribution to the total fire internal CDF from failure to open/close of these valves is 0.181% (obtained as noted above). The role of the Charging Pumps in mitigating accidents due to fires has already been discussed in SAMAs 3 and 4, so one would expect some corresponding impact from these Charging Pump suction valves.

It should be noted that RG&E is using the new Rev. 4.2 results to review these SAMAs, along with evaluating the potential for additional improvements. This review will include additional fire considerations as appropriate. In addition to the estimates of the contributions of the SAMAs to the total internal fire CDF, a discussion of the treatment of fires in the current PSA model is also provided in the response to RAI 4a.

Response to RAI 4d:

As noted in response to 4b, RG&E has resolved all SQUG and IPEEE outliers by a combination of analysis, modifications, and procedure changes, with the exception of this particular issue.

ATTACHMENT RG&E is still pursuing resolution of this scenario, evaluating a variety of hardware modifications.

This process has not been completed as of yet. Because we were already pursuing a modification to the plant to address this issue as part of IPEEE resolution, and no seismic PSA model exists for Ginna Station to easily quantify the risk reduction of this issue resolution, we concluded that a SAMA assessment of this scenario was not warranted.

5. The SAMA analysis did not include an assessment of the impact that PSA uncertainties would have on the conclusions of the study. Some license renewal applicants have opted to double the estimated benefits (for internal events) to accommodate any contributions for other initiators (e.g., seismic) when sound reasons exist to support such a numerical adjustment, and to incorporate additional margin in the SAMA screening criteria to address uncertainties in other parts of the analysis. Please provide the following information to address these concerns:

a. An estimate of the uncertainties associated with the calculated core damage frequency (e.g., the mean and median CDF estimates and the 5 th and 9 5 th percentile values of the uncertainty distribution), and

b. An assessment of the impact on the SAMA screening process if the risk reduction estimates are increased to account for uncertainties in the risk assessment and the additional benefits associated with seismic events.

Response to RAI 5A and 5b:

As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAI responses. RG&E will address this question in full relative to Rev. 4.2 in that submittal.

RG&E notes that uncertainty inputs have been developed for the following parameters in the Ginna Station PSA: (1) generic component failure rates, (2) plant-specific component failure rates, (3) fire-dependent component rates, (4) initiating events, (5) human errors, and (6) common-cause failures. RG&E assumed that all parametric uncertainties can be represented by the lognormal distribution, whether provided directly from the original sources or converted via transformation. Furthermore, where no information other than a mean value could be obtained from an original source, RG&E assumed a lognormal distribution with the mean value taken from the original source and an error factor of 10 for the uncertainty input. RG&E used the EPRI Reliability and Risk Work Station computer code UNCERT to perform the uncertainty analysis.

Both Monte Carlo and Latin Hypercube sampling methods were examined for 10,000 simulations, with essentially no difference indicated between the results. The results of this uncertainty analysis for Rev. 4.2 indicate an estimated mean total CDF of 4.OOE-5/yr, with two sided 90% confidence bounds of 2.05E-5Iyr and 9.OOE-5/yr and a median CDF of 3.52E-5Iyr.

The results for the estimated mean CDF are essentially the same as the expected mean (3.98E 5/yr). Expected mean CDF is that formed by the summation of the cutset point-estimate means.

6. In Section 1.1 of Appendix E to the ER, RG&E states that an industry peer review was performed in May 2002, and that the findings of the peer review will be incorporated into future revisions of the model. RG&E also states that, while the peer review findings could not be incorporated into the model in time to support the ER submittal, it did account for anticipated model impacts in the analysis of ATTACHMENT the candidate SAMAs. Please provide details regarding the major findings of the peer review and the potential impact of these findings on the identification and dispositioning of potential SAMAs. Also, describe how the peer review findings were considered or accounted for in the SAMA evaluation.

Response to RAI 6:

As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAI responses. RG&E will provide a summary of the outstanding Findings and Observations that are not addressed by Rev. 4.2 of the model and a discussion of how the revised SAMA analysis accounted for these items.

7. During the staff's review of the SAMA analysis, numerous inconsistencies and apparent errors were noted, as summarized below. Please reconcile these differences.

a. Table 4.14-2 of the ER, indicates that SAMA 1 reduces CDF by 14.8 percent and has an estimated benefit of $813K. SAMA 5 reduces CDF by 3.3 percent and has an estimated benefit of $844K. Both of these benefits are close to the maximum attainable benefit (MAB) of $992K, and appear to be too high given their relatively small impact on total CDF. Please explain this apparent inconsistency.

b. Table E.1-1 indicates that the interfacing-systems loss-of-coolant accident (ISLOCA) CDF is 8E-71y (two percent of the total CDF) whereas Table E.1-3 indicates its contribution to LERF is 6E-9/y (2.09E-06/y times 0.3 percent),

and Table E.2-4 shows the ISLOCA Release Category contribution to be 4E 9/y. This suggests that there is greater than a two order-of-magnitude difference between the ISLOCA CDF and the ISLOCA LERF and release to the public. Most ISLOCAs in other PSAs are unattenuated containment by pass events with a conditional large early release probability of 1.0. Please explain the attenuation and mitigation features of ISLOCA events that justify the apparent conditional large early release probability of <1 percent.

c. Table E.1-2 indicates the CDF for fuel handling accident/SFP cooling is 1.3E-6/y (3.37 percent of the CDF) for a fully off-loaded core, whereas Table E.1-3 indicates the LERF for SFP cooling is 4.7E-7/y. Thus, the probability of a large early release, given a spent fuel pool cooling accident, is about 36 percent. Please explain why all of these core damage events do not result in a large early release.

d. In Table E.2-4, the sum of all frequencies is 4.03E-5/y versus the stated CDF of 3.97E-5/y. Although the difference is only 6E-7/y, and may be due to rounding, this is larger than many of the frequency entries in the table.

Please explain the reasons for the difference in these values.

e. In Table E.2-4, the sum of all Release Categories that would appear to be LERF contributors is 1.67E-6/y, which is less than the stated LERF of 2.09E 61y. Please explain the reasons for the difference in these values. Also identify which Release Categories are considered to contribute to LERF.

ATTACHMENT

f. Table E.2-4 reports the frequency of steam generator tube rupture (SGTR)

(WET) as 1.02E-6/y, but Table E.1-3 indicates it is 7.5E-7/y. Please explain the reasons for the difference in these values. Also, explain why all SGTR events are assumed to be wet.

g. SAMA I - The reduction in CDF is said to be 5.88E-6/y, but from Table E.1-2, SBO is only 2.43 percent of the total CDF, or 9.6E-7/y. Also, SAMA 1 indicates a reduction in population dose by 4.39 person-rem per year, but according to the text and Table E.2-4, the total population dose for all events is 4.09 person-rem per year. Please address these inconsistencies.

h. SAMA 5 indicates a reduction in population dose by 17.6 person-rem per year, but according to the text and Table E.2-4, the total population dose for all events is 4.09 person-rem per year. Please address this inconsistency.

I. Please define "Accident Scenario" and "Accident Type" as used in Tables E.1-1 and E.1.2, respectively. The terminology is confusing. For example, "small loss-of-coolant accidents" contribute 4 percent to CDF while "small break loss-of-coolant accidents" contribute 11.79 percent. What accidents, in addition to the "small loss-of-coolant accidents" are included in the "small break loss-of-coolant accidents"?

Response to RAI 7a - 7h:

As noted in the cover letter, RG&E will submit a revised SAMA analysis utilizing the current version of the PSA model (Rev. 4.2) with the remaining RAI responses. RG&E will address this question in full relative to Rev. 4.2. RG&E recognizes and understands the inconsistencies noted in these questions, and attributes many of them to the inconsistent treatment of ISLOCA scrubbing in the SAMA analysis. The revised SAMA analysis to be submitted with the remaining RAI responses will address ISLOCA in a consistent manner eliminating the subject inconsistencies.

Response to RAI 7i:

For clarity, the subject tables have been combined into one table below. This table provides a breakdown of the accident's contribution to CDF by scenarios within that accident type. Data presented in this table is generated from PSA Rev. 4.2.

CDF CONTRIBUTIONS BY ACCIDENT TYPE Accident Percent Accident Accident Type Scenario CDF (1/yr) Type Total of CDF Type Total ATWS ATWS 2.03E-07 2.03E-07 0.51% 0.51%

Fire Fire - Aux Bldg 4.32E-07 1.09%

Fire - Battery Room 7.95E-07 2.00%

Fire - Control Room 7.56E-06 19 01%

Fire - DG 5.76E-07 1.45%

Fire - Turb Bldg 1.06E-06 2.67%

Fire - Other 1.01E-06 1.14E-05 2.53% 28.74%

Flood Flood - Aux Bldg 1.06E-06 2.67%

ATTACHMENT Flood - Relay Room 1.05E-06 2.64%

Flood - Turb Bldg 6.16E-06 15.49%

Flood - Other 5.06E-07 8.78E-06 1.27% 22.07%

LOCA < 2 inch SGTR 5.95E-06 14.95%

Small LOCA 2.55E-06 8.49E-06 6.40% 21.35%

LOCA > 2 inch ISLOCA 2.50E-07 0.63%

Med/Large LOCA 7.OOE-07 9.50E-07 1.76% 2.39%

SBO SBO 2.10E-06 2.1OE-06 5.28% 5.28%

Shutdown Shutdown - RHR 6.23E-06 15.67%

Shutdown - Other 5.75E-07 6.81 E-06 1.45% 17.11%

Transient HELB 5 81E-07 1.46%

Transient- Other 4.33E-07 1.01E-06 1.09% 2.55%

TOTAL I 3.95E-05 100.00%

Additional information relative to small-break LOCAs is provided in the following paragraphs.

RCP Seal LOCA Westinghouse has extensively studied seal LOCAs during station blackout sequences in which all support systems are lost and the RCPs are not running. The net result of these studies was that a seal LOCA with a Westinghouse designed pump can result in at most, 480 gpm per pump, or a total flow rate of 960 gpm. This represents the catastrophic failure of all three stages in both RCPs. Using standard conversions, this flow is equivalent to a fixed orifice diameter break of 1.08 inches. The calculation of 1.08 inches is further justified by the fact that a complete severance of a SG tube (0.664-inch inner diameter) results in approximately a 430 gpm leak per the UFSAR which, if ratioed to the tube break area, corresponds closely to that for the 960 gpm seal LOCA and 1.08 inches.

ATTACHMENT Pipe Breaks The SGTR event is analyzed separately from the small LOCAs in the UFSAR. RG&E made multiple MAAP runs by varying LOCA size and the available equipment. As a result of these runs, the LOCA break sizes for the Ginna Station PSA partition into four general categories as described below:

"* Small-Small LOCA (SSLOCA) (<1") - Cannot depressurize to SI setpoint on break size alone; therefore, need AFW. Require high-pressure recirculation if cannot depressurize RCS to reach RHR conditions before depletion of RWST. RCS inventory loss is small enough to allow rapid RCS depressurization to the RHR setpoint using AFW and SGs if one accumulator is available.

"* Small LOCA (SLOCA) (1" to 2") - Slowly depressurizes to SI setpoint on break size alone. Require high-pressure recirculation if cannot depressurize RCS to reach RHR conditions before depletion of RWST. RCS inventory loss is small enough to allow rapid RCS depressurization to the RHR setpoint using AFW and SGs if one accumulator is available.

"* Medium LOCA (MLOCA) (2" to 5") - Slowly depressurizes to RHR setpoint on break size alone, but SI is needed initially to avoid core melt.

"* Large LOCA (LLOCA) (greater than or equal to 5") - Depressurizes to RHR setpoint essentially immediately.

"* SGTR (0.664") - Same as SSLOCA except for numerous operator actions.

8. In Section 1.1 of Appendix E to the ER, RG&E states that the original PSA model has been expanded to include, among other things, shutdown operation. In Section 1.2 of Appendix E to the ER, RG&E provides the Ginna Station risk profile.

As part of the profile, RG&E indicates that LERF is dominated by loss of spent fuel pool cooling under full-core offload conditions and loss of containment heat removal. However, the ER does not provide sufficient details on these two particular areas to provide the staff with an understanding of how they were considered by SAMA analysis. Please address the following:

a. Provide details on how spent fuel pool cooling is modeled in the PSA, the dominant accident sequences related to the loss of spent fuel pool cooling, and their contributions to CDF and dose consequences. Describe how spent fuel cooling accidents that contribute to CDF are treated in the Level 2 analysis.

b. Identify and describe those SAMAs considered for preventing or mitigating the consequences of a loss of SFP cooling event. If none were considered, explain why.

c. Provide details on how shutdown operation is modeled in the PSA, the dominant accident sequences during shutdown, and their contributions to CDF and dose consequences. Describe how shutdown operation accidents that contribute to CDF are treated in the Level 2 analysis.

d. Identify and describe those SAMAs considered for preventing or mitigating the consequences of an accident during shutdown. If none were considered, explain why.

ATTACHMENT Response to RAI 8a:

Spent Fuel Pool Cooling System Description The SFP cooling system functions to remove decay heat from irradiated fuel assemblies stored within the SFP. The amount of cooling required is dependent on the time since the fuel assembly was last irradiated and its burnup rate.

The SFP cooling system consists of three cooling loops. The primary loop (Loop 2) is made up of SFP pump B, SFP heat exchangers B, and piping. The backup loops include installed Loop 1 (SFP pump A, SFP heat exchanger A and piping) and skid-mounted Loop 3 (skid-mounted SFP pump, SFP standby heat exchanger, and hoses). These two backup loops also have the capability to cross-connect with the primary loop's heat exchanger.

Loop 2 is designed to maintain the SFP water below 150°F with a safety basis heat lead (i.e.,

storing spent fuel plus a full, core discharge). It is also designed to maintain the SFP water below 120°F with a normal basis heat load (i.e., storing spent fuel plus a normal one-third core removal). These heat loads assume service water (SW) is 85 0 F.

Loop 1 and Loop 3 are each designed to remove the normal basis heat load with a pool temperature of 150'F and SW at 85°F. They are each capable of removing the normal basis heat load and when operated in parallel are capable of removing the safety basis heat load.

This is also true if they both use the Loop 2 heat exchanger.

Each of the three loops consists of a horizontal centrifugal stainless steel pump and a shell and U-tube type heat exchanger. Service water is circulated through the shell while SFP water is circulated through the tubes. Loop 2 is supplied with SW from SW loop B. Loops 1 and 3 are supplied with SW from SW loop A. Motor-operated valves provide automatic and remote manual isolation of the SW supply to the heat exchangers associated with SFP cooling Loops I and 2 and the component cooling water heat exchangers. These valves close automatically upon coincidence of safety injection and loss of offsite power. Handwheels are provided for manual operation. The SFP Cooling System is shown in the following figure.

ATTACHMENT SFP Cooling Modeling Description There is one top gate for the SFP cooling fault tree model. This gate is divided into two parts:

(1) Loss of SFP cooling with fuel still in the vessel, and (2) Loss of SFP cooling following with a full core offload. The two parts reflect the different success criteria for full core offloads versus the normal pool heat load. As describe above, the cooling loop with SFP Heat Exchanger B can handle the SFP heat loads under all conditions. The cooling loop with SFP Heat Exchanger A and the skid mounted heat exchanger can handle the SFP head loads under worst case conditions only ifoperated in parallel. However, under most conditions, either loop can provide adequate cooling.

The fault tree model for each of the 3 SFP cooling loops include failure of the pumps, heat exchangers, and suction and return paths. The SW system normally provides cooling water to the three heat exchangers; however, the model provides for necessary connections to the fire water system, and human failure events are included in the fault tree to address reliability of making this connection. In the fault tree, RG&E assumes success for suction paths through manual valves 781 or 782 for SFP Pump A and the skid-mounted pump. Both paths are required for SFP Pump B.

Because a loss of SFP cooling could have radiological consequences, this type of event has been evaluated in the Ginna Station PSA. Similar to the RHR system, the SFP cooling system can be in many different configurations depending primarily on the system heat load requirements. Since it is too difficult to assign one frequency that adequately addresses the loss of SFP cooling, initiator TXLOSSSF will be ANDed with the failure of all three SFP cooling trains (gate @ SFP). The number of SFP trains in service is dependent upon the system heat loads and requirements contained within the Technical Requirements Manual. The total CDF for loss of SFP cooling is 5.77E-06/yr.

For power operations, loss of SFP cooling events contribute 4.93E-06yr, and the dominant contributors are:

• floods, especially those in the Auxiliary Building which flood the basement and disable the SFP pumps (contributing 51.9% of at-power losses of SFP);

• failures within the SFP system itself, excluding flood and fire scenarios (18.0%); and

• fires (15.3%).

During shutdown, loss of SFP cooling events contribute 8.37E-07/yr, and the dominant contributor is the loss of SFP cooling initiator itself, due to combinations of failures of the SFP recirculation pumps to start and/or run, valves in the SFP recirculation system transferring closed, and valves in the service water lines to the SFP heat exchangers failing closed. This is followed by a failure of operators to restore SFP cooling prior to boil-off. These scenarios represent 71.3% of the shutdown loss of SFP cooling.

Although the complete spectrum of possible late releases has not been evaluated, two scenarios that do lead to releases which are not included in the LERF have been addressed. The first is a loss of SFP cooling (at power or during shutdown) which is not recovered prior to boiling in the pool. For the SFP, the recovery probabilities for the RCS level above 23 feet are based on the data from RG&E Design Analysis, DA-ME-98-115, Rev.1, Time to Boil Following Loss of RHR During Shutdown - 18 Month Cycle, November 1998, since the quantity of water and heat loads between the cavity and SFP are roughly equal. However, to compensate for any non conservatism, the data for 5.00 days after shutdown are assumed since fuel off-loading cannot begin until at least 4.2 days after shutdown. This implies more than 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br /> to core uncovery to ATTACHMENT occur following a loss of SFP cooling. Therefore, this scenario is considered a late release, with a frequency of 4.42E-07/yr.

RG&E will address the close consequences resulting from loss of SFP cooling in the submittal for the remaining RAls.

Response to RAI 8b:

No SAMAs were considered for preventing or mitigating the consequences of a loss of SFP cooling event. As noted above, the spent fuel pool has such a significant volume, more than 230,000 gallons, that a worst case loss of cooling would not lead to damage for more than 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br />. Because of the simple steps needed to recover, such as adding water (even unborated) into the spent fuel pool, using a variety of pumps (including portable pumps and hoses), RG&E concluded that no additional cost-effective means would be discovered in a SAMA assessment.

Response to RAI 8c:

Note that only those shutdown events that can lead to CDF are discussed in this response; see response to RAI 8a for discussion on those leading only to a late release.

Shutdown Event Evaluation Considerations The at-power Level 1 analysis defined an initiating event as an "upset condition which results in either a manual or automatic reactor trip." Since the reactor is already tripped when the plant is shutdown, this definition is not applicable for the purposes of an evaluation with respect to shutdown events. Therefore, a new definition must be developed with respect to shutdown event initiators.

The first term that must be defined is "shutdown." The obvious answer is based on the status of the reactor core whereby shutdown refers to being subcritical. However, the Ginna Station Improved Technical Specifications (ITS) further define shutdown based on Reactor Coolant System (RCS) temperature and the status of the reactor vessel head closure bolts. This is due to the fact that there are different plant requirements based primarily on whether or not the RCS is pressurized. For example, with RCS temperatures above 200 0 F, there is a larger likelihood of a primary system pipe rupture (with different consequences) than with the reactor head closure bolts removed and the system open to containment atmosphere. Consequently, some form of emergency core cooling system (ECCS) and containment closure are required until the RCS temperature is less than or equal to 200 0 F.

For the purposes of this evaluation, shutdown will be defined with respect to the point at which the plant transfers from auxiliary feedwater and steam generator cooling of the primary system to the residual heat removal system. This typically occurs between 330°F and 350°F (or Mode 4 per the ITS). As such, this evaluation will consider shutdown as when the RCS is less than or equal to 350*F (i.e., Modes 4, 5, and 6). Since continued cooling of spent reactor fuel is also an important consideration, defueled conditions (i.e., all fuel in the spent fuel pool) will be evaluated.

Now that shutdown has been defined, the term "event initiators" must be considered. Once the plant is brought to subcritical conditions following either a reactor trip or manual shutdown, many systems are isolated or realigned due to changing plant needs. The primary needs during shutdown are to provide a means of continuously removing the reactor residual heat and to maintain subcritical conditions. If either one of these requirements is affected, core damage and/or radiological releases could occur. Therefore, the development of potential shutdown event initiators will be based on a review of events which inhibit the ability to remove fuel residual heat or maintain the reactor subcritical with the RCS temperature less than or equal to ATTACHMENT 350°F or under defueled conditions.

Shutdown Event Initiators RG&E identified potential shutdown event initiators from various industry and Ginna Station specific sources including the UFSAR, at-power Level 1 analysis, and various industry documents related to shutdown risk. Many of those identified were similar enough to be considered the same event. Those determined to be applicable to Ginna Station are discussed in the following paragraphs. Also, using a naming convention similar to that for the at-power Level 1 analysis, transient initiators are identified with the prefix X" and LOCA initiators are identified with the prefix "LX".

Loss of Residual Heat Removal (RHR) - The definition of a shutdown event initiator is one which occurs when RCS temperature is less than or equal to 350°F and results in either the loss of decay heat removal capability or a criticality event. Since RHR will be assumed to be in service when RCS temperature is less than or equal to 350°F in order to provide decay heat removal capability, its loss must be considered as a shutdown event initiator.

There are many potential configurations of the RHR System when shutdown, including operation of one, two, or no trains (i.e., defueled conditions). Consequently, the failure of support systems will have various effects on the ability of RHR to remove decay heat. The failure of Service Water, Component Cooling Water, Instrument Air, and electrical power must therefore be considered with respect to the status of the RHR System and cannot be considered as their own separate initiators. As such, support systems are not considered as their own shutdown event initiators, but will be addressed in the development of other initiator frequencies (e.g., loss of RHR, loss of SFP cooling). The loss of RHR initiator class is identified by TXOOORHR.

Boron Dilution Event- Immediately following a plant trip or shutdown, the reactor is maintained subcritical by insertion of the control rods. However, reactor poisons that have built in over the course of power operation begin to decay, adding positive reactivity. This is compensated for by the use of chemical poisons (boron) to ensure that the reactor remains subcritical. The loss of this added boron has the potential to result in a criticality event depending on the fuel geometry within the reactor vessel and water level (the mass of water within the SFP is considered sufficiently large to prevent a boron dilution event). This initiator class is identified as TXOBORON.

Loss of CoolantAccident (LOCA) - Depending on its break location, a LOCA has the potential to directly result in a loss of the RHR System (e.g., RHR suction line from RCS Loop A). For other break locations, a LOCA has the potential to sufficiently drain down the RCS to uncover the core and cause fuel damage. Therefore, LOCAs must be considered as potential shutdown event initiators. However, unlike the at-power Level 1 analysis, only one LOCA size will be considered. This is due to the fact that the at-power evaluation had to consider the need for the AFW System, accumulators, and the number of ECCS pumps based on RCS pressure. During shutdown conditions, the worst case LOCA requires either one SI pump through two injection lines, or one RHR pump per ITS. Since the AFW System is primarily considered in the at-power Level 1 analysis to help depressurize the RCS and to rapidly reach RHR conditions, it can be ignored under shutdown conditions since the plant is already on RHR. Also, the accumulators have been isolated at this point and are most likely out-of-service due to cold overpressurization concerns. Consequently, there is no need to consider RCS break sizes except for timing considerations with respect to human actions. This will be addressed as needed during the human error data calculations. Therefore, only one break size will be considered as initiator class LXOOLOCA. Two other LOCAs are considered in MODE 6: (1) a loss of the cavity boot

-24 -

ATTACHMENT seal during MODE 6, which would result in draining the reactor cavity (LXBTLOCA); and (2) a failure of nozzle dams within the steam generators, which could result in a loss of inventory ifthe steam generator primary side manways are opened (LXNDLOCA).

In addition to a pipe break, transient induced LOCAs are also be considered. Specifically, challenges to the RCS overpressurization protection system (discussed in the following paragraph) with subsequent failure to isolate are considered and identified as part of initiator class TXOOORHR.

RCS Overpressurization- During Modes 4 and 5 when the reactor head is bolted to the vessel and the RCS is water-solid (or nearly water-solid), there exists the potential for an overpressure event to rapidly overpressurize the RCS and cause a failure. Ginna Station has specifically addressed this concern by the addition of the Low Temperature Overpressure Protection (LTOP)

System and administrative controls. The failure of this system or administrative controls could directly lead to a LOCA or reactor vessel failure. The four overpressurization events considered are:

• Inadvertent safety injection;

• Charginglletdown mismatch;

• Loss of RHR in Mode 4; and

• RCP start with steam generator temperature at least 50°F warmer than RCS.

While the UFSAR and ITS also list the inadvertent actuation of the pressurizer heaters as a potential consideration, the time available to the operators to identify the event is sufficiently long to warrant its exclusion. This class of initiators is identified as LXOLTOP1 (Inadvertent SI actuation), LXOLTOP2 (Charging/Letdown Mismatch), LXOLTOP3 (Loss of RHR in Mode 4), and LXOLTOP4 (RCP start).

Initiating event trees are provided in Figures 1 through 4.

Shutdown Events - Success Criteria The determination of the success criteria for shutdown events was based on the approach used for the at-power Level 1 analysis. That is, each of the initiating events identified above was evaluated against the four functions: reactivity control, RCS pressure control, RCS inventory control, and decay heat removal. This evaluation determined the minimal set of equipment and operator actions which were necessary to mitigate the event.

Reactivity Control- For shutdown events, there are two possible scenarios with respect to maintaining reactivity control. First are those events which directly challenge reactivity control (e.g., boron dilution event). Second are those events which indirectly challenge reactivity control as the result of the failure of a system or function.

Following a plant trip or shutdown, the reactor is maintained subcritical by the insertion of the control rods. In order to compensate for the decay of reactor poisons which have built up during power operation, chemical poison (i.e., boron) is added to the RCS to ensure the reactor remains subcritical. Any imbalance in the boron concentration or core configuration has the potential to cause a loss of reactivity control. This in turn can create a condition where the heat generation rate exceeds the heat removal capability, causing loss of cooling water inventory due to boiling, further accelerating the heat generation/removal rate mismatch. This is then followed by fuel damage and release of radionuclides to the atmosphere. Consequently, each of the shutdown events must be evaluated for either the direct or indirect loss of reactivity control.

-25 -

ATTACHMENT

1. Loss of RHR - The sustained loss of the RHR System's capability to remove the heat generated within the primary system creates the potential for boiling within the primary system and release of radionuclides to the atmosphere. However, this boiling actually causes an increase in boron concentration as only the water is boiled off and not the boron. Consequently, the loss of RHR does not fail reactivity control or require mitigating actions.

2. Boron Dilution Event - The loss of boron concentration while shutdown directly challenges reactivity control functions. This event is evaluated in the Ginna Station UFSAR [Section 15.4.4.2] assuming that two reactor makeup pumps are operating and taking suction from an unborated water source (i.e., reactor makeup water storage tank) along with three charging pumps. Times are provided to reach critical conditions during Mode 6 (30 minutes) and Mode 5 (15 minutes) operations. The analysis assumes that, with the audible control room source range counters, the operators could successfully terminate the event. However, the UFSAR does not discuss the necessary actions to restore the primary system boron concentrations. For the purpose of this evaluation, one safety injection (SI) or one charging pump from a borated water source is considered successful to restore required subcritical margins.

3. RCS Overpressurization - An RCS overpressurization event is only of concern with respect to reactivity control if there is an uncontrolled loss of RCS inventory (i.e., a LOCA). In this instance, the RCS inventory control mitigating equipment provides the necessary boron addition requirements.

4. LOCAs - Similar to an RCS overpressurization event, the RCS inventory control mitigating equipment provides the necessary boron addition requirements.

RCS PressureControl Success Criteria- RCS pressure control is an important consideration since overpressurization of the RCS can lead to a LOCA. However, during shutdown conditions, there are many instances where the RCS is depressurized and open to the containment atmosphere such that no pressure control is required. Consequently, the only shutdown conditions that must be evaluated occur in Modes 4 and 5 since Mode 6 assumes that the reactor vessel head bolts are disengaged. In addition, events which directly cause a LOCA do not need to be considered since RCS overpressure protection is no longer required.

Of the shutdown events, only the loss of RHR and RCS overpressurization events need to be evaluated with respect to RCS pressure control. For the loss of RHR, depending on the initial plant condition (e.g., Mode 4 immediately after initiating RHR following a long at-power run),

RCS pressure can rapidly increase to the setpoint of the LTOP System due to decay heat levels unless operators quickly reduce system pressure. If the LTOP System is required, then the event becomes a transient induced RCS overpressurization event. In this instance, the accident analysis requires either one of two PORVs or a RCS vent path >1.1 square inches [ITS LCO 3.4.11]. The shutdown risk model will assume the same mitigating requirements.

RCS Inventory Control Success Criteria- Based on a review of the shutdown events, loss of RHR, RCS Overpressurization, and LOCAs need to be considered with respect to RCS inventory control. A loss of RHR can occur during normal shutdown operations or during special evolutions (e.g., reduced inventory). In either case, the loss of RHR will cause a heatup of the primary system and potential for boiling and loss of cooling water inventory. The time to boil is primarily based on initial decay heat levels and water levels; hence, at reduced inventory operations, the consequences of a loss of RHR are much more severe. Based on these consequences, and the fact that the loss of RHR could be due to inadequate NPSH, station emergency procedures require refilling the primary systems if RHR is lost under reduced

-26 -

ATTACHMENT inventory operations prior to performing any RHR recovery actions. Nonetheless, for any loss of RHR, if it is for a long enough period, RCS inventory control must be provided. To simplify matters, the inventory requirements for a long-term loss of RHR under normal shutdown conditions will be treated the same as the restoration requirements per Ginna Station Procedure AP-RHR.2, Loss of RHR While Operating at RCS Reduced Inventory Condition, under reduced inventory conditions. Consequently, all loss of RHR events require one of the following: (1) restoration of RHR cooling (except for reduced inventory conditions), (2) 1 of 3 charging pumps to 1 of 2 cold legs, (3) 1 of 3 SI pumps to 1 of 4 RCS legs, or (4) gravity feed from the RWST (reduced inventory only).

For LOCAs and RCS Overpressurization events in which there is an uncontrolled loss of RCS inventory (e.g., PORVs fail to reclose), inventory makeup is required in order to prevent the core from becoming uncovered, causing fuel damage and leading to a release of radioactive materials. Based on the discussion in the ITS bases [ITS LCO 3.5.3], for the largest potential LOCA in Mode 4, both the SI and RHR Systems are required. However, due to concerns with respect to inadequate NPSH for the RHR pumps in Mode 4 (i.e., switching suction to "cold" RWST from the RCS hot leg), analyses have been performed to show that RHR is only required for the recirculation mode and not necessarily for the injection mode. If RHR is not available for the injection phase, then one SI pump through 2 injection legs (versus the normal 1 leg) is necessary to meet flow requirements. In either case, SI is only required for the injection phase.

As such, 1 of 3 SI pumps during the injection phase and 1 of 2 RHR pumps during the recirculation phase will always be required. Depending on the availability of the RHR pumps during the injection phase, SI through 1 or 2 of 4 injection lines is also required.

Decay Heat Removal Success Criteria- As discussed previously, the purpose of this analysis is to evaluate shutdown events which are defined as conditions where the ability to remove reactor residual heat or maintain the reactor subcritical is interrupted. Normally during shutdown conditions, one train of RHR is in service providing the necessary decay heat removal.

Consequently, it can be assumed that one train of RHR is always successful. In addition, during Modes 4 and 5, one steam generator with an adequate source of feedwater is adequate for heat removal, provided that the RCS is pressurized and capable of supporting circulation [ITS LCO 3.4.7]. Therefore, adequate decay heat removal is defined as 1 of 2 RHR pumps (with I of 2 RHR heat exchangers) or during MODE 4 and 5 under non-LOCA conditions, 1 of 2 steam generators with a source of feedwater. The latter will use the same requirements as the at-power model (i.e., one AFW, MFW, or SAFW train).

Containment Isolation Success Criteria - The status of containment isolation is not normally evaluated under Level 1 PSAs since this is a Level 2 consideration. However, most shutdown conditions consider the status of containment since there is the opportunity for a rapid radiological release. Therefore, the status of containment isolation will be evaluated for events that occur within containment that have the potential for a release of radioactive material. This includes the events where one or more of the four success criteria are not met for loss of RHR cooling, boron dilution, and RCS overpressurization; and LOCAs.

The success criteria for these accidents will be based on ITS LCO 3.9.3, which essentially requires one boundary between containment and the environment for all penetrations. This boundary does not need to be pressure retaining except when at least 1 of 4 fan coolers is not available. For LOCAs, at least one fan cooler must be available to support containment cooling and sump recirculation. This success criterion is the same as for the at-power model for large LOCAs.

-27 -

ATTACHMENT Shutdown Event Initiators - Quantification The development of initiating event frequencies for shutdown events is more difficult than that for the at-power model due to the large number of potential plant configurations and changing success criteria requirements. In addition, data for several types of events is not typically available while in other instances, fault tree models must be used to generate the data. The calculation of each shutdown initiator frequency is described below.

Many of the shutdown initiator calculations rely on determining the time spent in various shutdown modes. This determination was made based on reviewing plant historical data spanning January 1999 through September 2001. Using data prior to January 1999 becomes non-representative of current practices as outage lengths continue to get shorter. However, the fault tree models are developed to rapidly incorporate these types of changes through flags as listed below:

"* MODES 1, 2, or 3 - During the data window used, Ginna Station operated in MODES 1, 2, or 3 92.3% of the time. The remaining 7.7% of the time (0.077

• 8760 hr = 675 hr on an annual basis) was spent in lower modes (SDAZPROB29).

"* MODE4 - 5.21% of the 675 hours0.00781 days <br />0.188 hours <br />0.00112 weeks <br />2.568375e-4 months <br /> were spent in MODE 4. Of these 35 hours4.050926e-4 days <br />0.00972 hours <br />5.787037e-5 weeks <br />1.33175e-5 months <br />, 32.82% occurred during the initial shutdown with high decay heat levels (SDAZHETHI4) while 67.18% occurred during startup with lower decay heat levels (SDAZHETLO4).

"* MODE5 - 33.56% of the 675 hours0.00781 days <br />0.188 hours <br />0.00112 weeks <br />2.568375e-4 months <br /> were spent in MODE 5. Of these 227 hours0.00263 days <br />0.0631 hours <br />3.753307e-4 weeks <br />8.63735e-5 months <br />, 49.76% were spent with RCS loops filled (MODE5_FILLED) and the remaining 50.24% with the RCS loops not filled (MODE5_FILLEDX). Also, of these 227 hours0.00263 days <br />0.0631 hours <br />3.753307e-4 weeks <br />8.63735e-5 months <br />, 37.81% occurred during the initial shutdown with high decay heat levels (SDAZHETH15) while 62.19% occurred during startup with lower decay heat levels (SDAZHETLO5).

"* MODE6 - 30.80% of the 675 hours0.00781 days <br />0.188 hours <br />0.00112 weeks <br />2.568375e-4 months <br /> were spent in MODE6. Of these 208 hours0.00241 days <br />0.0578 hours <br />3.439153e-4 weeks <br />7.9144e-5 months <br />, 50%

were assumed to be at high decay heat levels (SDAZHEATHI) and 50% at lower decay heat levels (SDAZHEATLO).

"* MODE7 - 30.42% of the 675 hours0.00781 days <br />0.188 hours <br />0.00112 weeks <br />2.568375e-4 months <br /> were spent in an off-loaded condition.

TXOOORHR - Loss of Residual Heat Removal-Based on differing operational needs during shutdown operations, the RHR system can be in various configurations (e.g., two trains operating, one train operating with second in standby). Also, support system configurations can be very diverse. Consequently, it is very difficult to identify one frequency that adequately addresses the loss of RHR under all conditions. As such, the fault tree models will be used to generate this initiator's frequency that can change as plant conditions change to better reflect shutdown operations. The fault tree models will be ANDed with the initiating event designator (TXOOORHR) as described below. The resulting initiator frequency is 4.06E-04/yr.

The following were assumptions made with respect to RHR under shutdown configurations:

"* MODE4 - both trains of RHR are in service. If RHR is lost during initial shutdown (SDAZHETHI4), there is only a limited amount of time for recovery (RHHFDREC01).

If RHR is lost during startup (SDAZHETLO4), there is more time for recovery (RHHFDREC24). Recovery options would include AFW and the steam generators.

"* MODE5 - Only one train is assumed operating (thus the second train must start). If RHR is lost during initial shutdown (SDAZHETHI5), there is only a limited amount of time for recovery (RHHFDREC04). If RHR is lost during startup (SDAZHETLO4),

there is more time for recovery (RHHFDREC24). Recovery operations would include ATTACHMENT AFW and the steam generators ifthe RCS loops are filled (MODE5_FILLED).

MODE6 - Only one train is assumed operating (thus the second train must start).

Recovery options and time available are based on initial heat loads (SDAZHEATHI and SDAZHEATLO) and inventory conditions (MODE6 >23, MODE6 <23, midloop).

RG&E compared the calculated frequencies and recovery probabilities with the values in EPRI TR-1 003113, An Analysis of Loss of Decay Heat Removal Trends and Initiating Event Frequencies(1989-2000), November, 2001, and found relative consistency.

TXOBORON- Boron Dilution Event-A boron dilution event as analyzed within the UFSAR is the result of both reactor makeup water pumps operating and taking suction from the unborated reactor makeup water storage tank and injecting into the RCS via the three charging pumps.

This could lead to critical conditions within 15 minutes in Mode 5 and 30 minutes in Mode 6.

ANSI Standard ANS-51.1 (Table 3-3) lists the frequency of an "inadvertent chemical shim dilution" as 1E-01/yr. However, this number is based on at-power conditions and does not reflect the different plant conditions when shutdown. Therefore, a base value of 1 E-01/yr with the following adjustments was used:

" To reflect shutdown conditions, the base frequency will be adjusted by a ratio of the time spent in Modes 1, 2, and 3 versus Modes 4, 5, 6, and 7 (i.e., the Modes being considered). This equates to 0.0834.

" Under refueling conditions, the charging system is typically removed from service (or most pumps isolated), and the RHR System is pumped through the CVCS demineralizers and used for RCS cleanup. Therefore, there is only a very small window in which plant conditions would support the necessary configuration to allow a boron dilution event. As such, a factor of 10 will be used to account for this configuration.

Therefore, the final frequency for initiating event TXOBORON is 8.34E-04/yr (or 1E-01/yr

• 0.0834

• 0.1).

LXOOLOCA - Shutdown LOCA - WCAP-1 2476, Evaluation of LOCA During Mode 3 and Mode 4 Operation for Westinghouse NSSS, November, 1991, was published by Westinghouse as an attempt to evaluate the frequency of a shutdown LOCA and to identify the necessary mitigating system requirements using thermal hydraulic models. The later portion is the basis for ITS LCO 3.5.3 and the associated success criteria. The shutdown LOCA frequencies were based on a structural reliability and risk assessment. This evaluation resulted in the calculation of shutdown LOCA frequency ratios with respect to Mode 1 and 2 LOCA frequencies. In Mode 4, Section 3.6 of the WCAP lists a ratio of 1/28.7. Using the Ginna Station medium LOCA frequency of 6.1OE 05/yr (2" to 6" break), the frequency of a Mode 4 LOCA at Ginna Station would be 2.13E-06/yr.

This value appears appropriate in that only 35 hours4.050926e-4 days <br />0.00972 hours <br />5.787037e-5 weeks <br />1.33175e-5 months <br /> per year are spent in Mode 4.

Two other LOCAs are considered in MODE 6 beyond those presented in WCAP-12476, a Westinghouse survey of percentage of times plants operate in different modes. Specifically, a loss of the cavity boot seal during MODE 6 would result in draining the reactor cavity (LXBTLOCA). Also, a failure of nozzle dams within the steam generators could result in a loss of inventory if the steam generator primary side manways are opened (LXNDLOCA).

Frequencies for these two events were calculated as follows:

• LXBTLOCA - the cavity boot seal is a gasket material that uses instrument air to ATTACHMENT minimize leakage. However, failure of instrument air should only result in increased leakage from the seal and not catastrophic failure. Therefore, two possible events were considered. The first involves a failure of gasket material itself. The second involves a loss of instrument air with failure of the gasket to reseat correctly (SDAZBOOTSL). Solving the internal fault tree yields a frequency of 1.69E-05/yr.

LXNDLOCA - nozzle dams are used during outages to support inspection of the steam generators by allowing the reactor cavity to remain filled since the steam generator manways are at a lower elevation that the RCS loop piping. Failure of the nozzle dams through the steam generator primary side manways could result in a significant loss of primary system inventory. The frequency of this failure was based on the generic value of pipe break frequency (5.65E-07/hr) times 8760 hr/yr, or 4.95E-03/yr. Since the nozzle dams are not used every outage, and are not used for the entire window of MODE 6 operation, this frequency is adjusted by a flag representing the fraction of time during Modes 6 that the nozzle dams are used (SDAANOZZLE).

The calculated frequencies for shutdown LOCAs compare favorably with the values in EPRI TR 1003113.

LXOLTOP* - RCS OverpressurizationEvent- As discussed previously, there are four potential scenarios. The frequency of each scenario is calculated below.

Inadvertent safety injection -- Based on a review of Ginna LERs, a total of 5 spurious SI events have occurred at Ginna Station from 1980 through 2001 while at shutdown conditions (LERs 84-06, 85-04, 89-03, 95-04, and 97-05). Assuming a criticality factor of 0.871 for these years [RG&E Design Analysis, DA-MS-99-001, Revision 2, Determination of Loss of Offsite Power Values, Ginna Station, PSA Project, November 2002.], this equates to a frequency of 5/[22 yr * (1 - 0.871)] = 1.76/yr.

However, this value must then be adjusted by the probability that the SI System is capable of injecting into the RCS. By ITS requirements [LCO 3.4.12], the LTOP System must be available with the SI System rendered incapable of injecting into the RCS whenever the RHR System is in service and a vent <1.1 square inches is not available. During a normal refueling outage, while the plant is shutting down, the LTOP System is placed into service prior to dropping to 330°F or less with the SI System being rendered incapable of injecting into the RCS by two independent means (e.g., pump in pull stop with discharge valve closed). As the plant descends through lower modes, an adequate RCS vent is established; however, SI remains isolated until the plant is brought back above 330°F.

This is verified periodically by Procedure 0-6.13. Procedure 0-2.2 directs the isolation of SI. Based on steps 5.3.9.6 through 5.3.9.11, there are three possible ways the operators could fail to isolate SI. The first is by failing to close SI pump A discharge valve 878B and failing to place SI pump A in pull stop (i.e., successfully performing either of these steps will isolate SI). The second is by failing to close SI pump B discharge valve 878D and failing to place SI pump B in pull stop. The last is by failing to place SI pump C in pull stop from Bus 14 or Bus 16, and failing to close valve 878B or 878D. Using the value of 0.02 from Item (3) of Table 8-5 of NUREG/CR-4772, Accident Sequence EvaluationProgram, February 1987, for failure of the operators to perform each of these critical actions (which is somewhat conservative given that these actions are not occurring post-accident and stress ATTACHMENT levels are expected to be low), the resulting probability of failing to isolate SI becomes:

0.02

• 0.02 + 0.02

• 0.02 + (2

• 0.02

• 2

• 0.02) = 0.0024, EF = 5 Assuming a single recovery event with a probability of 0.2 [Item (6) of Table 8-5 of NUREG/CR-4772], and applying a multiplier of 1.61 for an error factor of 5, results in a final value of:

0.0024

• 0.2

• 1.61 = 7.73E-04 for failure to isolate SI. Thus, the final frequency for this event is 1.76/yr

• 7.73 E-04

= 1.36E-03. This event is represented by initiator LXOLTOPI.

Charging/letdown mismatch -- This event is caused by isolation of letdown while charging continues. As the plant begins to shut down, it transfers from normal letdown via AOV 427 to RHR letdown via HCV-1 33. In this manner, a portion of RHR is sent through the demineralizers to continue cleanup of the RCS. Since the shutdown model assumes that the plant is on RHR, it is this letdown path that will be addressed. Upon reviewing the plant drawings, this letdown path contains several AOVs and many single failure points. However, common cause failures of these AOVs also affect charging (i.e., cause discharge valves to close and the pumps to ramp due to minimum speed settings). Therefore, the frequency will be based on: (1) the failure rate of a CVCS AOV transferring closed over the refueling outage window multiplied by ten to address many single failure points, and (2) the operators failing to rapidly identify and terminate the event (assumed to be 0.1). As such, a frequency of 4.71E-4/yr results ([6.99E-07/hr] * [8760 hrs/1 yr]*[0.077 outage yr/yr]*[10 valves]*[0.1 op error]). This event is represented by initiator LXOLTOP2.

Loss of RHR in Mode 4 - This frequency will be determined by solving the loss of RHR fault tree. This is then ANDed with the probability that operators fail to reduce RHR pressure in MODE 4. The resulting frequency is 2.02E-07/yr. This event is represented by initiator LXOLTOP3.

RCP start with steam generator temperature at least 50°F warmer than RCS - This event can only occur during startup operations with the first start of the RCPs in Mode 5 during RCS fill and vent activities, since at all other times the RCS is in forced or natural circulation. This is an extremely rare condition, believed to have never occurred in the U.S. Nuclear industry. To approximate this probability, we cite 1832.1 calendar years of nuclear power plant operation based on EPRI TR-1 002987, Losses of Off-site Power at U. S. NuclearPower Plants - Through 2001, April 2002.

An estimate of the average industry criticality factor can also be obtained from that EPRI report, yielding a value of 0.747 [RG&E Design Analysis, DA-MS-99-001, Revision 2, Determinationof Loss of Offsite Power Values, Ginna Station, PSA Project, November 2002.]. An estimate of the shutdown-years over this period becomes (1 - 0.747)

• 1832.1 = 464 shutdown-years.

Green and Bourne [Green, A. E., and Bourne, A. J. Reliability Technology. Wiley Interscience, London, 1972] provide a means of estimating an upper bound on the failure rate when no failures have been observed, based on a Poisson distribution of ATTACHMENT failures. To approximate the mean for the occurrence of the 50°F temperature mismatch between the SG and RCS, we choose the 50th percentile value, yielding a failure rate of 0.7/(464 shutdown-years) = 1.51 E-03/shutdown-year (Figure A.29

[Reliability Technology]). As mentioned previously, the Ginna Station is shutdown 7.7% of the year. Thus, an estimate of the frequency for this initiating event at Ginna Station becomes (1.51 E-03fshutdown-yr) * (0.077 shutdown-yr/yr) = 1.16E-04/yr, on an equivalent annual basis. This event is represented by initiator LXOLTOP4.

Shutdown Events - Contribution to CDF The total CDF due to shutdown events is 6.81 E-06Iyr (18.4% of total CDF). This is dominated by a loss of RHR (6.23E-06/yr or 88.5% of shutdown CDF), followed by RCS overpressurization events (3.54E-07/yr or 5.2%) and boron dilution events (1.70E-07/yr or 2.5%).

The top component failures include failures of the EDGs (independent, common cause, and test and maintenance unavailability) following a loss of offsite power, loss of instrument bus C (loss of flow control during reduced inventory conditions), and the common cause failure of CCW and RHR pumps. Significant human actions include the recovery of RHR cooling, which is dependent on decay heat levels and refueling cavity levels.

Importance Analysis Results for Shutdown Initiators The initiating events of highest importance included the following shutdown initiators:

1. TXOOORHR, Loss of RHR During Shutdown;

2. ACLOPSHTDN, Loss of Offsite Power During 24 Hour Period When Shutdown.

These initiators were of high importance since they substantially contributed to the final results (i.e., had a Fussel-Vesely [F-V] value > 5.OE-02) and, if the initiator were assumed to occur with a frequency of 1/yr, would have a significant impact on CDF (i.e., had a RAW value > 10). The loss-of-RHR-during-shutdown initiator itself (i.e., failures within the RHR system itself) is important due to the limited options available for RCS heat removal once RHR is lost. A loss of offsite power when shutdown is not an initiator by itself, but is a large contributor for loss of RHR cooling. That is, a loss of RHR cooling requires failure of all cooling sources. A loss of power will not directly fail these cooling sources, but leads to a challenge to the diesel generators, which must successfully operate.

Simplified Level 2 Analysis Considerations During Shutdown NUREGICR-6595, An Approach for Estimating the Frequenciesof Various Containment Failure Modes and Bypass Events, January 1999, describes an approach for performing a simplified Level 2 analysis once the Level 1 analysis has been completed. Implementation of the simplified approach for Ginna Station during shutdown is discussed below for each of the branches on the containment event tree (see Figure 5).

ContainmentStatus DuringShutdown - The evaluation of containment failures when shutdown includes fault tree models for components addressed in Ginna Station Improved Technical Specifications during shutdown, and assumptions with respect to the status of containment during periods when fuel is not being moved and containment isolation is not required.

RCS DepressurizedBranch During Shutdown - The shutdown evaluation of RCS pressure assumes that the RCS is depressurized following a LOCA or whenever the plant is in Mode 6, Mode 5 with loops not filled, and with fuel offloaded.

ATTACHMENT Core DamageArrested Without Vessel Breach Branch During Shutdown - The only recoverable core damage scenarios relate to restoring offsite power or SW after core damage occurs, but prior to vessel breach. The decay heat level for accidents during shutdown is significantly lower than for accidents initiated during power operation. Consequently, more time is available for restoring offsite power for accidents initiated during shutdown. During shutdown these are modeled similar to power operation events.

No Potentialfor Early FatalitiesBranch During Shutdown - These are evaluated similarly to at power events. However, they use a probability of 0.1 given the isotope decay (CTAZLAT1FT).

Simplified Level 2 Results -- Shutdown The simplified Level 2 analysis consisted of solving the merged Level 1 and containment fault tree models. The frequency of core damage with a large early release (i.e., large early release frequency or LERF) using the simplified Level 2 analysis is 3.788E-06/yr. The frequency of core damage was calculated to be 3.977E-05/yr. Consequently, the potential for a large early release is a factor of 10 less than core damage indicating that there is sufficient prevention against bypassing or failing containment.

The LERF is dominated by SGTRs (60.2%), loss of containment heat removal functions (17.3%)

during fire and flood events, containment isolation failures (11.0%) caused by control room or battery room fires and relay room floods, and containment failures at vessel breach with high RCS pressure (10.9%). All remaining scenarios, including shutdown events, contribute < 2% to LERF.

ATTACHMENT Figure 1 Loss of RHR Cooling Event Tree ATTAC HM ENT Figure 2 Boron Dilution Event Tree a

A ci cc 0t L1l1 U,

t.

a I . ILU L-tz U

ATTACHMENT Figure 3 RCS Overpressurization Event Tree ATTACHMENT Figure 4 Shutdown LOCA Event Tree Ll U

U, It:

I:

0 U

wU 8*

i U

V ATTACHMENT Figure 5 Containment Event Tree ATTACHMENT Response to RAI 8d:

As shown in 8c above, shutdown risk for Ginna Station is significantly lower than power generation risk in terms of CDF and LERF. Therefore, only a limited SAMA assessment was performed. Failure of RHR support systems, such as the diesel generators, component cooling water pumps, and service water pumps were the largest contributors to shutdown risk, since their failure could cause common-mode failure of RHR (also possible through failure of the RHR pumps themselves). SAMA #1 addresses increasing the reliability/availability of emergency power. Other changes considered, such as adding CCW, SW, or RHR pumps, were quickly screened as not cost-effective. No other shutdown-related SAMAs were considered using Rev 4.1 of the Ginna PSA.

As we perform a revision to the SAMA analysis using PSA Rev 4.2, we will consider additional evaluations to determine if any shutdown-related SAMAs are cost-effective.

9. The Ginna IPE indicated that a management tracking tool has been implemented to ensure that all vulnerabilities are appropriately evaluated and which provides a mechanism to initiate plant changes, as required. As indicated in the ER, RG&E will continue to refine the risk evaluation and consider implementation of these potentially cost-beneficial modifications through the current plant change process.

Please provide a brief description of the management tracking tool, the current plant change process, and how a cost-beneficial modification is expected to be processed.

Response to RAI 9:

At Ginna Station, Regulatory Commitments are incorporated into our Commitment and Action Tracking System (CATS) or our Corrective Action System (ACTION reports). As an example, the potential plant change described in item 4d is CATS 10602. CATS items are assigned to a responsible individual and prioritized. In the CATS process, resolution choices are evaluated as to whether the problem can be resolved by analysis, procedure changes, or plant modifications.

If it is determined that a modification is warranted, various design options are evaluated in the Plant Change Request (PCR) process. These options are evaluated for effectiveness, interfaces/interferences, safety implications, and cost and schedule. A cost-benefit analysis is performed of the options being studied, and the cost-benefit analysis is factored into the decision regarding proposed changes.

The RG&E cost-benefit analysis is performed if proposed expenditure costs are greater than

$50,000, or the proposed solution corrects significant safety deficiencies or increases reliability.

Then a review is performed to ascertain ifthe project is economically justified. This review includes comparing net capital costs associated with the project to all real or perceived benefits related to the expenditure. Perceived benefits include risk avoidance both from a regulatory and a safety perspective.

When it has been decided to pursue a particular modification, a determination of its priority is made, and a budget evaluation is pursued in order to best determine when the modification should be implemented.

Based on all of the above, the change is then incorporated into the plant design.