Text

License Amendment Request Pursuant to 1O CFR 50.90: Request for Amendment to Extend Completion Time for Emergency Uninterruptible Power Supply Inverters
	ML051020400
Person / Time
Site:	Nine Mile Point
Issue date:	04/01/2005
From:	Spina J; Constellation Energy Group
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	NMP2L 2120
	Download: ML051020400 (84)
	v • d • e

Constellation Energy- P.O. Box 63 Lycoming, NY 13093 Nine Mile Point Nuclear Station April 1, 2005 NMP2L 2120 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001

SUBJECT:

Nine Mile Point Unit 2 Docket No. 50-410 Facility Operating License No. NPF-69 License Amendment Request Pursuant tolO CFR 50.90: Request for Amendment to Extend Completion Time for Emergency Uninterruptible Power Supply Inverters Gentlemen:

Pursuant to 10 CFR 50.90, Nine Mile Point Nuclear Station, LLC, (NMPNS) hereby requests an amendment to Nine Mile Point Unit 2 (NMP2) Operating License NPF-69. The proposed change to the Technical Specifications (TSs) contained herein would revise Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for one emergency uninterruptible power supply (UPS) inverter inoperable from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 7 days. The Bases for TS 3.8.7 will be revised to reflect the proposed changes to the TSs.

This change is being proposed to support on-line corrective maintenance of the emergency UPS inverters and will have a negligible impact on plant safety. The current 24-hour Completion Time is insufficient for restoration of an inoperable inverter as it is not adequate to support the required repair activities and associated post-maintenance testing, which often includes confidence and bum-in runs. Implementation of this proposed Completion Time extension would provide increased operational flexibility for on-line repair of an inoperable emergency UPS inverter and could avert unplanned plant shutdowns.

The justification for extending the Completion Time for an inoperable emergency UPS inverter is based on risk-informed and deterministic evaluations, which incorporate two principal elements: (1) the availability of a dedicated safety-related transformer for powering the inverter loads and (2) the application of the site Configuration Risk Management Program for planned maintenance. These elements provide assurance that the power requirements for the critical instrumentation and control equipment are met during the proposed extended Completion Time.

The risk impact of extending the Completion Time associated with TS 3.8.7 Required Action A.1 was evaluated using the updated NMP2 Level 2 Probabilistic Risk Assessment (PRA) model. The Incremental Conditional Core Damage Probability and Incremental Conditional Large Early Release Probability for each emergency UPS inverter division meet the guidelines of

<5.OE-07 and <5.OE-08, respectively, such that the impact on plant risk is considered small, HE) V

Page 2 NMP2L 2120 consistent with Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications." Furthermore, the evaluation of the changes in Core Damage Frequency and Large Early Release Frequency due to the expected increased inverter.

unavailability have been shown to meet the risk-acceptance guidelines of <1.OE-06 and <1.OE-07, respectively, provided in Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant Specific Changes to the Licensing Basis."

This evaluation supports the increase in the Division 1 and 2 emergency UPS inverter Completion Time from a quantitative, risk-informed perspective consistent with plant operational and maintenance practices.

This amendment request is subdivided as follows:

1. Attachment 1 provides the supporting information and safety analyses for the proposed change.

2. Attachment 2 includes the marked-up TS page for the proposed change.

3. Attachment 3 includes the associated marked-up TS Bases page for information only.

4. Attachments 4 through 8 provide the required PRA quality information and PRA study results.

5. Attachment 9 provides relevant figures from the NMP2 Updated Safety Analysis Report.

Section 5.3 of Attachment 1 provides a list of the regulatory commitments associated with this submittal.

The proposed amendment is similar to the amendment request submitted for the Clinton Power Station on April 26, 2004, and the approved amendments for the Braidwood and Byron Stations (Amendments 129 and 135, respectively) and the North Anna Power Station (Amendments 235 and 217 for Units 1 and 2, respectively).

NMPNS requests approval of this application and issuance of the TS amendment by December 31, 2005. Once approved, the amendment will be implemented within 60 days. Pursuant to 10 CFR 50.91(b)(1), NMPNS has provided a copy of this license amendment request and the associated analyses regarding no significant hazards considerations to the appropriate state representative.

Very truly yours, J es A. Spina

,ice President Nine Mile Point JAS/DEV/sac

Page 3 NMP2L 2120 STATE OF NEW YORK :

TO WIT:

COUNTY OF OSWEGO :

I, James A. Spina, being duly sworn, state that I am Vice President Nine Mile Point, and that I am duly authorized to execute and file this request on behalf of Nine Mile Point Nuclear Station, LLC. To the best of my knowledge and belief, the statements contained in this document are true and correct. To the extent that these statements are not based on my personal knowledge, they are based upon information provided by other Nine Mile Point employees and/or consultants. Such information has been reviewed in accordance with company practice and I believe it to be reliable.

ames A. Spina,

/ Vice President Nine Mile Point Subscribed and sworn before me, a Notary Public in and for the State of New York and County of Oswego, this I s day of B 2005.

WITNESS my Hand and Notarial Seal:

SANDRA A. OSWALD Notary Public. state of New York No. 010S6032276 Oual'ified inOswego CunflY.

Notary Public My Commission Expires: 1l° AsI5 O-f II loS Date

Page 4 NMP2L 2120 Attachments:

1. Evaluation of Proposed Technical Specification Changes

2. Proposed Technical Specification Changes (Mark-up)

3. Changes to Technical Specification Bases Pages

4. Nine Mile Point Unit 2 Probabilistic Risk Assessment Peer Review Certification Information

5. NRC Review Comments Summary

6. Updated PRA Results Summary

7. Tier 1: Probabilistic Risk Assessment (PRA) Study Results

8. Dominant CDF and LERF Sequences that Contain the Emergency UPS Inverters

9. NMP2 Updated Safety Analysis Report (USAR) Figures Relevant to the Emergency UPS Inverters cc: Mr. S. J. Collins, NRC Regional Administrator, Region I Mr. G. K. Hunegs, NRC Senior Resident Inspector Mr. P. S. Tam, Senior Project Manager, NRR (2 copies)

Mr. John P. Spath, NYSERDA

ATTACHMENT 1 EVALUATION OF PROPOSED TECHNICAL SPECIFICATION CHANGES

Subject:

License Amendment Request Pursuant to 10 CFR 50.90: Request for Amendment to Extend Completion Time for Emergency Uninterruptible Power Supply Inverters

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY SAFETY ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

Page 1 of 24

1.0 DESCRIPTION

This letter is a request to amend Operating License NPF-69 for Nine Mile Point Unit 2 (NMP2).

The proposed change to the Technical Specifications (TSs) contained herein would revise Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for one emergency uninterruptible power supply (UPS) inverter inoperable from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 7 days. The Bases for TS 3.8.7 will be revised to reflect the proposed changes to the TSs.

This change is being proposed to support on-line maintenance of the emergency UPS inverters.

The current 24-hour Completion Time is insufficient for restoration of an inoperable inverter as it is not adequate to support the required maintenance and associated post-maintenance testing, which often includes confidence and bum-in runs. Implementation of this proposed Completion Time extension will provide operational flexibility by allowing additional time to perform corrective emergency UPS inverter maintenance and post-maintenance testing on-line, thereby improving inverter reliability.

The proposed changes to the TSs and associated changes to the TS Bases are indicated in the marked-up pages provided in Attachments 2 and 3, respectively. The TS Bases changes are provided for information only and do not require NRC issuance as they will be controlled by the NMP2 TS Bases Control Program (TS 5.5.10).

2.0 PROPOSED CHANGE

The proposed change revises Required Action A.1 to extend the Completion Time of TS 3.8.7 for an inoperable emergency UPS inverter from the current 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 7 days.

In addition to the above, the TS Bases will be revised to document the basis for the proposed Completion Time.

3.0 BACKGROUND

The emergency UPS inverters are the preferred source of power for the Division 1 and 2 120 VAC uninterruptible electrical power distribution subsystems. There is one emergency UPS inverter per divisional 120 VAC uninterruptible electrical power distribution subsystem, making a total of two emergency UPS inverters. The purpose of the emergency UPS inverters is to provide a continuous source of filtered 120 VAC power to the safety-related loads supplied from the associated electrical power distribution subsystems. The onsite power system, including the emergency UPS inverters and associated power supplies and distribution subsystems, are described in Section 8.3 of the NMP2 Updated Safety Analysis Report (USAR). USAR figures relevant to the emergency UPS inverters are provided in Attachment 9.

Each of the two independent emergency UPS inverters is a 25 kVA, 120 VAC, 1-phase unit. As shown on USAR Figure 8.3-5 (see Attachment 9), the inverter can be powered from a safety-Page 2 of 24

related 600 VAC supply via an internal rectifier or from the divisional safety-related 125 VDC battery supply. The inverter is normally fed from the 600 VAC supply via the internal rectifier.

If the normal AC supply is lost, the inverter is automatically fed from its backup 125 VDC supply without interruption. If an inverter failure or a large overload is sensed, the static transfer switch will automatically bypass the inverter and transfer the inverter loads to the alternate maintenance supply with no interruption of power to the inverter loads. The maintenance supply is provided from a divisional safety-related 600 VAC emergency lighting panel. A dedicated safety-related transformer is used to convert the maintenance supply 600 VAC input to the required 120 VAC output for powering the inverter loads. Each UPS also includes a manual transfer switch to bypass the static transfer switch, which enables servicing of the static transfer switch or the rectifier and/or inverter without interrupting power to the inverter loads.

The emergency UPS inverters are required to be operable in Modes 1, 2, and 3 to ensure that:

Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of anticipated operational occurrences (AOOs) or abnormal transients; and

Adequate core cooling is provided, and containment operability and other vital functions are maintained in the event of a postulated design basis accident (DBA).

The emergency UPS inverters ensure the availability of AC electrical power for the instrumentation and controls of systems required to shutdown the reactor and maintain it in a safe condition after an AOO or a postulated DBA.

Maintaining the emergency UPS inverters operable ensures that the redundancy incorporated into the design of the Emergency Core Cooling System (ECCS) instrumentation and controls is maintained. The two battery powered emergency UPS inverters ensure an uninterruptible supply of 120 VAC electrical power to the associated power distribution subsystems, even if the 4.16 kV emergency buses are de-energized. Operable emergency UPS inverters are required to be aligned to the associated 120 VAC uninterruptible power distribution subsystems, with output voltage and frequency within tolerances, and power input to the emergency UPS inverters from a 125 VDC divisional battery via the associated Class IE DC bus. Alternatively, power supply may be from the normal 600 VAC source via the internal rectifier, as long as the divisional battery is available as the uninterruptible supply.

Required Action A.1 of TS 3.8.7 currently allows only 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to repair an inoperable Division 1 or 2 emergency UPS inverter and return it to service. As stated in the TS 3.8.7 Bases, the 24-hour limit was based on engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the plant is exposed because of the inverter inoperability.

The proposed change will extend the allowable Completion Time for the TS Required Action associated with restoration of an inoperable Division 1 or Division 2 inverter. Recent experience has shown that the current 24-hour Completion Time for restoration of an inoperable Division 1 or Division 2 inverter is insufficient in some cases to support on-line corrective maintenance and Page 3 of 24

post-maintenance testing while NMP2 is at power. Implementation of this proposed Completion Time extension will provide the following benefits:

Provide operational flexibility by allowing additional time to perform corrective maintenance and post-maintenance testing on-line, thereby improving inverter reliability.

Avert unplanned plant shutdowns.

4.0 TECHNICAL ANALYSIS

The emergency UPS inverters are the preferred source of power for the Division 1 and 2 120 VAC uninterruptible electrical power distribution subsystems because of the stability and reliability they achieve. There are two emergency UPS inverters, one for each 120 VAC uninterruptible electrical power distribution subsystem (see USAR Figure 8.3-4 provided in ). Each inverter can be powered from a safety-related 600 VAC supply via an internal rectifier or from the divisional safety-related 125 VDC battery supply (see Attachment 9, USAR Figure 8.3-5). The 600 VAC/rectifier or 125 VDC powered inverter provides an uninterruptible power source for the instrumentation and controls for the ECCS, as well as other critical plant loads. Additionally, each 120 VAC uninterruptible electrical power distribution subsystem can be powered from an alternate AC source (maintenance supply) via a dedicated safety-related transformer. The transformer is powered from a safety-related 600 VAC emergency lighting panel, thereby providing an interruptible source of power for the 120 VAC uninterruptible panels. The quality of the power provided by the maintenance supply is comparable to the inverters and has no adverse affect on operation or response of the loads powered by the associated 120 VAC power distribution subsystems.

4.1 Deterministic Evaluation 4.1.1 Defense-in-Depth Evaluation The impact of the proposed extension of the Completion Time for an inoperable emergency UPS inverter was evaluated and determined to be consistent with ihe defense-in-depth philosophy.

The limited unavailability of a single power source caused by entry into a TS action does not significantly change the balance among the defense-in-depth principles of prevention of core damage, prevention of containment failure, and consequence mitigation.

I The defense-in-depth philosophy requires multiple means or barriers to be in place to accomplish safety functions and prevent the release of radioactive material. NMP2 is designed and operated consistent with the defense-in-depth philosophy. The safety-related equipment required to mitigate the consequences of postulated accidents consists of three independent divisional load groups, Divisions 1,2, and 3. The Division 1 and 2 load groups can each be powered from either of two independent sources (one offsite source or the dedicated onsite diesel generator (DG)).

The Division 3 load group, consisting of high pressure core spray (HPCS) system equipment, can be powered from three independent sources (either of the two offsite sources or the dedicated onsite DG). Moreover, the loss of an entire load group (Division 1, 2, or 3) will not prevent the Page 4 of 24

safe shutdown of the plant in the event of a DBA. Accordingly, the unavailability of a single emergency UPS inverter by entry into a TS action statement for inverter maintenance does not reduce the amount of available equipment to a level below that necessary to mitigate a DBA.

The other two divisions of safety-related equipment and their associated offsite and onsite power sources will remain available and are designed with adequate independence, capacity, and capability to mitigate postulated accidents. Therefore, consistent with the defense-in-depth philosophy, the proposed change will continue to provide for multiple means to accomplish safety functions and prevent the release of radioactive material in the event of an accident.

The proposed extension of the emergency UPS inverter Completion Time does not introduce any new common cause failure modes, and protection against common cause failure modes previously considered in DBA analyses is not compromised.

Compensatory Measures Appropriate configuration risk management controls and compensatory measures will be established to assure that system redundancy, independence, and diversity are maintained commensurate with the risk associated with the extended emergency UPS inverter Completion Time. These include TS and Maintenance Rule (10 CFR 50.65) programmatic requirements, as well as administrative controls in accordance with the Configuration Risk Management Program (CRMP).

With an emergency UPS inverter out of service, the safety-related maintenance power supply (via the safety-related transformer) must be powering the loads aligned to the associated 120 VAC uninterruptible power distribution subsystems; otherwise, the Required Actions of TS 3.8.8, "Distribution Systems - Operating," would need to be entered. The maintenance supply is dependent on operation of the associated DG following a loss of offsite power (LOSP) event.

Entry into the extended inverter Completion Time concurrent with DG routine maintenance could have an impact on plant safety, since the LOSP event could leave the 120 VAC uninterruptible power distribution subsystem loads without power. Therefore, appropriate plant procedures will include provisions for implementing the restrictions and compensatory measures described in Section 4.2.5 of this Attachment when an emergency UPS inverter is removed from service for any extended Completion Time duration (greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and up to 7 days).

While in the proposed extended emergency UPS inverter Compl&tion Time, additional elective equipment maintenance or testing that requires the equipment to be removed from service will be evaluated and activities that yield unacceptable results will be avoided.

4.1.2 Safety Margin Evaluation The proposed extension of the emergency UPS inverter Completion Time remains consistent with the codes and standards applicable to the onsite AC sources and electrical distribution subsystems. With one of the required 120 VAC uninterruptible power distribution subsystems being powered from the alternate safety-related maintenance supply, which is backed by the divisional DG, there is no significant reduction in the margin of safety. Testing of the DGs and associated electrical distribution equipment provides confidence that the DGs will start and provide power to the critical loads in the unlikely event of a LOSP during the extended 7-day Page 5 of 24

Completion Time. In addition, as further discussed below, the proposed extended Completion Time will not erode the reduction in severe accident risk that was achieved with implementation of the Station Blackout (SBO) Rule (10 CFR 50.63) or affect any of the safety analyses assumptions or inputs as described in the NMP2 USAR.

Design Basis Requirements and Safety Analyses Impact The initial conditions of the DBA and transient analyses described in Chapters 6, "Engineered Safety Features," and 15, "Accident Analyses," of the NMP2 USAR assume the engineered safety feature (ESF) systems are operable. The emergency UPS inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the ESF ECCS instrumentation and controls and other safety-related critical plant loads so that the fuel, reactor coolant system, and containment design limits are not exceeded. The operability of the emergency UPS inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the plant. This includes maintaining the Division 1 and 2 120 VAC uninterruptible electrical power distribution subsystems operable during accident conditions in the event of an assumed loss of all offsite AC power and a worst-case single failure.

The proposed extension of the emergency UPS inverter Completion Time will not affect any safety analyses inputs or assumptions as described in the NMP2 USAR. With an emergency UPS inverter inoperable, its associated 120 VAC uninterruptible distribution subsystem is inoperable if not energized. The maintenance supply provides an alternate (interruptible) source of power to the 120 VAC uninterruptible power distribution subsystems. A LOSP with an inoperable emergency UPS inverter (i.e., the maintenance supply powering the 120 VAC uninterruptible distribution subsystem) will result in an initial loss of power to the loads. Since the maintenance supply is from a safety-related 600 VAC emergency lighting panel, power would be restored to the affected 120 VAC uninterruptible panels once the associated DG re-energizes the 600 VAC emergency lighting panel. Following restoration of power to the 600 VAC emergency lighting panel, all loads supplied by the 120 VAC uninterruptible power distribution subsystem would be restored, with only a slight delay as compared to the response of the other division (i.e., the division with an operable emergency UPS inverter). There would be no adverse impact to the plant since the inverter in the other division would be available to power that division of ESF equipment, and Division 3 would also be available. In order for the 120 VAC uninterruptible power distribution subsystem to remain de-energized following the LOSP, the associated DG would have to fail or there would have to be a failure to re-energize the 600 VAC emergency lighting panel or the maintenance supply would have to fail (e.g., failure of the safety-related transformer).

In the unlikely event of a failure to energize the 120 VAC uninterruptible power distribution subsystem following a LOSP, the most significant impact on the plant is the failure of one division of ESF equipment (Division 1 or Division 2) to actuate. In this condition, the other two divisions of ESF equipment will automatically actuate to mitigate the accident, and the plant would remain within the bounds of the accident analyses. As previously evaluated in the NMP2 USAR, even with a loss of an entire division of safety-related electrical power, the remaining two electrical divisions are capable of supplying the emergency loads required for safe shutdown of the reactor in case of an accident. Because of the low probability of an accident requiring the Page 6 of 24

ESF equipment occurring simultaneous with a LOSP, a single failure, and inverter maintenance, there is minimal safety impact due to the proposed extension of the Completion Time for an inoperable inverter.

Station Blackout (SBO) Capability Assessment An SBO is defined as the complete loss of AC electric power to the essential and nonessential switchgear buses in a nuclear power plant. An SBO would result from a LOSP concurrent with a turbine trip and failure of the onsite emergency AC power system. To address the potentially significant risk of core damage associated with an SBO event, the NRC issued the SBO Rule, promulgated as 10 CFR 50.63, "Loss of All Alternating Current Power," and Regulatory Guide 1.155, "Station Blackout." The SBO Rule requires that a licensed nuclear power plant be able to withstand an SBO for a specified time and recover. The ability to cope with an SBO for a certain time period provides additional margin of safety to a potential severe accident should both offsite and onsite emergency AC power systems fail concurrently.

NMP2 is classified as a 4-hour duration coping plant with 0.975 target DG reliability (see USAR Section 8.3.1.5). The SBO coping analysis credits operation of the reactor core isolation cooling (RCIC) system in the manual flow control mode to assure that sufficient water inventory is maintained in the vessel for core cooling. The SBO coping analysis also credits operator action to control reactor pressure vessel (RPV) pressure by manually opening, from the control room, one of the main steam system safety relief valves (SRVs). The Division 1 emergency UPS inverter provides power to the instrumentation and controls required for automatic initiation and operation of the RCIC system and automatic initiation of the Division 1 automatic depressurization system (ADS) SRVs. In the event of an SBO with the Division 1 emergency UPS inverter out of service, automatic initiation of the RCIC system is defeated due to the loss of power to the governor and flow controller. To ensure the RCIC system remains capable of manual initiation and operation for the 4-hour SBO coping duration, a dedicated portable power supply will be connected to provide a continuous source of power to the RCIC system governor and flow controller. Operator actions associated with establishing this power supply will have been evaluated in accordance with the guidance of NUREG/CR-6689, "Proposed Approach for Reviewing Changes to Risk-Important Human Actions," to demonstrate that there is a high probability (> 0.9) of successfully performing these operator actions. Furthermore, the capability to manually open one of the seven ADS SRVs and eleven non-ADS SRVs for RPV pressure control would be unaffected, except that the number of times that one of the nine Division 1 SRVs could be opened would be limited. This is because the SRVs open on nitrogen pressure and the associated nitrogen make-up valves fail closed on loss of power, resulting in the inability to recharge the affected SRV nitrogen accumulators. In addition, in the event that the RCIC system is not functional during an SBO, the RPV can be depressurized by operation of SRVs and RPV makeup can be provided using the diesel fire pump (DFP) via the fire water to residual heat removal (RHR) system cross-tie.

Note that, because the RCIC system is only powered from Division 1, an SBO event with the Division 1 emergency UPS inverter out of service is more limiting than if the event occurred with the Division 2 emergency UPS inverter out of service. A postulated SBO event with the Page 7 of 24

Division 2 emergency UPS inverter out of service would have limited impact on the SBO event due to the loss of power to reactor vessel high water level (Level 8) instrumentation.

Therefore, the proposed extended Completion Time for an inoperable emergency UPS inverter is consistent with approved NRC staff positions regarding power source operability. Accordingly, the proposed change will have no adverse impact on the assumptions or conclusions of the SBO coping analysis or erode the reduction in severe accident risk that was achieved with implementation of the SBO Rule (10 CFR 50.63).

4.2 Probabilistic Risk Assessment (PRA)

To further assess the overall impact on plant safety of the proposed extended emergency UPS inverter Completion Time, a PRA was performed consistent with the guidance pertaining to risk-informed criteria specified in Regulatory Guide 1.177, "An Approach for Plant-Specific Risk-Informed Decisionmaking: Technical Specifications." The PRA provides a quantitative evaluation of the risk associated with the change in terms of average Core Damage Frequency (CDF) and average Large Early Release Frequency (LERF) produced by the extension of the Completion Time for an inoperable emergency UPS inverter. This evaluation included consideration of the Maintenance Rule program established pursuant to 10 CFR 50.65(a)(4) to control the performance of other potentially high risk tasks during an inverter outage, as well as consideration of specific compensatory measures to minimize risk. All of these elements were included in a risk evaluation using the three-tiered approach suggested in Regulatory Guide 1.177, as follows:

Tier 1 - PRA Capability and Insights Tier 2 - Avoidance of Risk-Significant Plant Configurations Tier 3 - Risk-Informed CRMP Evaluations addressing each of these tiers are provided below. The PRA model serves as the primary tool for these evaluations. Therefore, in order to establish the qualification of the PRA model, supplemental background information related to the development, certification, application, and quality of the PRA model in place at NMP2 is presented first.

4.2.1 PRA Model Development The NMP2 PRA is based on a detailed model of the plant that was developed from the NMP2 Individual Plant Examination (IPE) and NMP2 Individual Plant Examination for External Events (IPEEE) projects. The PRA model has undergone NRC review and Boiling Water Reactor Owner's Group (BWROG) certification. A summary of the NRC review comments are provided in Attachment 5 and the PRA peer review certification "A" and "B" Facts and Observations are provided in Attachment 4. The model was updated to incorporate review comments, current plant design, current procedures, recent plant operating data, current PRA techniques, and general improvements identified by the Nine Mile Point PRA team.

Page 8 of 24

Key milestones for the development of the NMP2 PRA model are as follows:

IPE submitted to the NRC in July 1992.

IPE Safety Evaluation Report (SER) received from the NRC in August 1994.

IPEEE submitted to the NRC in June 1995.

BWROG certification issued in May 1997.

IPEEE SER received from the NRC in August 1998.

NMP2 PRA model major update completed in August 1998 - Model U2L1497.

NMP2 PRA model limited update for proposed DG Completion Time extension completed in July 2002 - Model U2PRAO1A.

NMP2 PRA model limited update to correct ECCS room cooling dependencies related to service water- Model U2PRAOlB.

In addition to the above updates, the following enhancements have been incorporated into the NMP2 PRA model:

Additional initiating event contributions were included in basic event importance quantifications.

Multi-state conditional split fractions were replaced with multi-state boundary condition approaches.

Incorporation of exact system quantification using Binary Decision Diagram.

Key goals of the PRA model development process were to:

Understand the underlying plant risks and key sources of uncertainty.

Identify areas where cost-effective risk improvement opportunities exist.

Develop a tool to quantify nuclear safety and support a comprehensive risk management program.

Establish an in-house risk analysis capability to support plant decisionmaking.

An independent assessment of the NMP2 PRA, using the self-assessment process developed as part of the BWROG peer review certification program, was completed to assure that the NMP2 PRA was comparable to other PRA programs in use throughout the industry. The NMP2 PRA was certified by the BWROG in May 1997 following an inspection and review by a PRA peer review certification team. The certification review results were documented and evaluated for inclusion in the PRA model major update completed in 1998. The findings from the review primarily related to improvements in the areas of guidance, documentation, models, and the capturing of plant changes. Overall, the certification review provided high technical marks on the PRA, and there were no findings that significantly impacted the PRA results. The certification team assigned a Grade 3 to the NMP2 PRA, which is deemed suitable for applications such as single TS actions if supported by deterministic evaluations. Attachment 4 provides the key findings from the PRA certification inspection and review (significance level A and B findings and observations) and includes a summary of the qualifications and experience of the certification team members.

Page 9 of 24

4.2.2 PRA Model Maintenance The PRA model is applied and controlled as defined in administrative procedure NIP-REL-02, "Probabilistic Risk Assessment Program," and engineering department procedure NEP-REL-01, "Evaluations, Analysis, and Update of the Probabilistic Risk Assessment (PRA) Program."

Ongoing assessments of the PRA model and reports are part of the normal duties of the PRA engineers. When a change to plant procedures, plant design, or operational data is identified that impacts the PRA model, the PRA engineer uses the guidance in the following table to prioritize the change and assist in the development of an implementation schedule.

Grade Definition Action I Extremely important and necessary to address to Immediate update assure the technical adequacy of the PRA, the quality considered.

of the PRA, or the quality of the PRA update process.

2 Important and necessary to address, but may be Consider in next planned deferred to the next planned PRA update. . update.

3 Considered desirable to maintain maximum Consider in next 2-3 planned flexibility in PRA applications and consistency with updates.

the industry, but is not likely to significantly affect results or conclusions.

4 Editorial or minor technical item, low priority. Consider as update opportunity exists.

Planned updates to the PRA model are scheduled on a regular basis by the PRA team. Planned updates include an information gathering phase that is intended to capture plant changes that had not been previously identified by the PRA team. The normal scheduled (planned) update considers all aspects of the PRA.

An unplanned update is undertaken when a Grade 1 item is identified for immediate update. An unplanned update may also be undertaken to address a need for a specific application of the PRA. An unplanned update is considered a limited scope update and does not necessarily include a detailed plant information review or consideration of all aspects of the PRA. This type of update is intended to augment the PRA between normal planned updates as needed. A summary of the updated PRA model is provided in Attachment 6.

4.2.3 PRA Model Application The NMP2 Level 2 PRA model was used to determine the risk associated with removing an emergency UPS inverter from service for planned or corrective maintenance in accordance with the proposed 7-day Completion Time. The risk measures used are CDF and LERF. The base CDF is 3.5E-5/yr and the base LERF is 8.3E-7/yr. The PRA model is a consolidation of the NMP2 IPE and IPEEE, which explicitly includes fires and seismic events. A description of the CRMP is provided in Section 4.2.6 of this Attachment.

The PRA model is used by NMP2 work control and operations personnel throughout the online work planning and implementing processes. The PRA model is implemented through the use of Page 10 of 24

a Safety Monitor and color codes as described in administrative procedure GAP-PSH-03, "Control of On-Line Work Activities." The results obtained from the PRA model are used along with other inputs, such as TS requirements and operator system knowledge, in a blended approach to determine the final work schedule. The PRA model is currently not applicable to shutdown conditions; thus, the risk assessments for work activities during plant outages are performed consistent with the defense-in-depth philosophy as described in administrative procedure NIP-OUT-01, "Shutdown Safety."

The guidance contained in Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and 1.177 was utilized to assure that the results of the PRA model are acceptable to support the proposed extension of the emergency UPS inverter Completion Time, as described below.

4.2.4 Tier 1: PRA Capability and Insights As noted previously, risk-informed support for the proposed extension of the Completion Time for an inoperable emergency UPS inverter is based on PRA calculations performed to quantify the change in average CDF and average LERF. To determine the effect of the proposed change with respect to plant risk, the guidance provided in Regulatory Guides 1.174 and 1.177 was used.

PRA Results An evaluation was performed based on the assumption that the full extended Completion Time (i.e., 7 days) would be applied once per inverter per refueling cycle. The total fuel cycle time was calculated to be the number of operating days based on the current 24-month fuel cycle (allowing for planned and unplanned plant outages). The incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) were calculated as recommended in Regulatory Guide 1.177. The results of the risk evaluation are presented in Attachment 7. These results were compared against the risk significance criteria in Regulatory Guide 1.174 for changes in the annual average CDF and LERF and Regulatory Guide 1.177 for ICCDP and ICLERP. The ICCDP and ICLERP were calculated for both the Division 1 and Division 2 emergency UPS inverters, which indicate that an outage of the Division 1 inverter is more limiting. Based on the limiting calculated values for the ICCDP and ICLERP, the proposed extended Completion Time has only a small quantitative impact on plant risk. The following table summarizes the results of the risk evaluation:

Risk Metric Acceptance Criterion Evaluation Results ACDFAVC < .OE-6/yr 4.2E-7/yr ALERFAve < 1.OE-7/yr 4.9E-9/yr ICCDPDiV I < 5.OE-7 3.0E-7V' ICCDPDiV2 < 5.OE-7 4.9E-7(l ICLERPDiI < 5.0E-8 3.2E-9 ICLERPDiv2 < 5.OE-8 5.1E-9 Page 11 of 24

(1) The portable power supply compensatory measure credited in the PRA evaluation has more impact on the Division 1 inverter failure analysis than on the Division 2 inverter failure analysis. Thus, the Division 1 inverter ICCDP is lower than that for the Division 2 inverter.

(2) When entering the extended emergency UPS inverter Completion Time (greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and up to 7 days), the compensating measures and configuration risk management controls described in Section 4.2.5 below will apply. Many of the identified measures and controls were not credited in the PRA evaluation. Thus, there is inherent conservatism in the PRA results, such that the relatively small margin to the ICCDP acceptance criterion is acceptable.

Uncertainty and Sensitivity Analysis While no formal uncertainty quantification was performed, the PRA model inputs generally have a range factor (defined as the ratio of the 95h confidence to 5 th confidence levels) of approximately 10 or less. Thus, propagation of this uncertainty through the dominant sequences would lead to results with a range factor of 10 or less. More importantly, since the proposed extension of the emergency UPS inverter Completion Time involves a change in the risk calculation, the uncertainty distribution is less of an issue because the uncertainty parameters will act on the baseline model and the emergency UPS inverter out of service model uniformly. In addition, model uncertainty and completeness uncertainty have been minimized through the certification and update processes discussed above.

Several sensitivity analyses were performed:

1. Actual emergency UPS inverter maintenance completion time (decrease) - The actual completion time for an inverter is decreased to a most-likely duration of 4 days to estimate the sensitivity. This represents a risk reduction margin.

2. Actual emergency UPS inverter out-of-service time (increase) - The average CDF impact is assessed for two 7-day completion time extensions (14 days total). The risk increase is minimal.

3. Emergency UPS inverter failure rate (increase) - The inverter failure rate is doubled.

There is minimal impact on ACDFAVE and ICCDPI.

These sensitivity analyses are summarized in the following table.

Sensitivity Analysis Summary Case Case Impact After Change Before Change Difference Actual Set UPS inverter outage ACDFAvF=2.4E-7/yr ACDFAvE--4.2E-7/yr A = -1.8E-7/yr Completion time to 4 days. ICCDPI, =2.8E-7 ICCDP11 =4.9E-7 A = -2.1 E-7

_________ Time (decrease) _ _ _ _ _ _ _ _ _ _ _ _ _

Actual Out-of- Set total UPS inverter 2 Service Time outage time to 14 days. ACDFAvE=8.5E-7/yr ACDFAvE=4.2E-7/yr A = 4.3E-7/yr

_____ (increase) __ _ _ _ _ _ _ _ _ _ _ _ _

UPS Inverter Double UPS A and B ACDFAVE= 4.3E-7/yr ACDFAVE=4.2E-7/yr A = 1.OE-8/yr 3 Failure Rate inverter failure rate. ICCDPI 3.20E-7 ICCDPI = 3.OE-7 A = 2.0E.8

__ _ __ __ _ _ _ __ _ _ _ _ _ _ _ _ _ _ ICCDP 11= 5.0OE-7 ICCDP 11= 4.9E-7 A = 1.OE.-8 Page 12 of 24

Note that the LOSP frequency, non-recovery probability, and DG failure probability are important factors contributing to the CDF, due to the SBO-related sequences. Any variation in these parameters will have a directly proportional impact on the CDF. The compensating measures and configuration risk management controls described in Section 4.2.5 below will minimize the factors that could potentially adversely impact the LOSP frequency and DG failure probability. Since the LOSP frequency and non-recovery probabilities were developed from the latest data contained in NUREG/CR-INEEIJEXT-04-02525, "Station Blackout Risk Evaluation for Nuclear Power Plants (Draft)," January 2005, there is a high confidence in these values. The probability of a failure of all emergency AC power used in the NMP2 PRA model correlates well with this guidance.

Transition and Shutdown Risk The proposed change to extend the emergency UPS inverter Completion Time will reduce the probability of an unplanned manual shutdown initiated by online inverter unavailability. The risk associated with an unplanned manual shutdown has been included in the NMP2 PRA and can be considered here. Unplanned manual shutdowns are included in the scram initiators (i.e.,

SCRAM and BSCRAM). These initiators contribute to a manual shutdown related conditional core damage probability (CCDP) of 6.2E-7/yr in the revised baseline NMP2 PRA used in this analysis. The CCDP associated with a shutdown with an inoperable emergency UPS inverter would be somewhat higher. Thus, the incremental risk associated with extending the inverter online Completion Time would be at least partially offset by a reduction in risk associated with a shutdown with an inoperable UPS inverter.

4.2.5 Tier 2: Avoidance of Risk-Significant Plant Configurations As previously discussed, a CRMP is in place at NMP2 for compliance with the Maintenance Rule (10 CFR 50.65), and in particular, for compliance with paragraph (a)(4) of the rule. The CRMP provides assurance that risk-significant plant equipment configurations are precluded or minimized when plant equipment is removed from service. Accordingly, any increase in risk posed by the removal of an emergency UPS inverter from service and the potential combinations of other equipment out of service will be managed in accordance with the CRMP.

The following compensating measures and configuration risk management controls have been credited in the PRA evaluation, and will apply when entering the proposed extended emergency UPS inverter Completion Time (greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and up to 7 days):

1. The RCIC system is available and no planned maintenance or testing activities are scheduled.

2. A dedicated portable power supply is available to provide power to the RCIC system governor and flow controller in the event of an SBO with the Division 1 emergency UPS inverter out of service.

Page 13 of 24

3. Operating crew briefings are conducted on the following important operator actions required during an SBO:

Manual RCIC system initiation and operation, including RPV water level control, the use of local RPV level indication, and prevention of RPV overfill.

Set-up and connection of the portable power supply for the RCIC system governor and flow controller.

The following additional compensating measures and configuration risk management controls, though not credited in the PRA evaluation, will also apply to the extent possible (considering equipment that may already be out of service) when entering the proposed extended emergency UPS inverter Completion Time (greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and up to 7 days):

1. The other (opposite division) emergency UPS inverter is operable and no planned maintenance or testing activities are scheduled.

2. All three divisional DGs are available and no planned maintenance or testing activities are scheduled.

3. All three required divisional battery chargers are available and no planned maintenance or testing activities are scheduled.

4. Both offsite power circuits are available and no planned maintenance or testing activities are scheduled (115 kV transmission system and associated plant and switchyard equipment).

5. There are no planned maintenance or testing activities which could cause a plant scram, main turbine or generator trip, main steam isolation valve closure, or loss of the divisional batteries or the divisional AC or DC switchgear, except for required surveillances.

6. The NMP2 DFP is available as a makeup source to the reactor pressure vessel.

7. RHR system trains A and B are available and no planned maintenance or testing activities are scheduled.

8. All required service water pumps are available and no planned maintenance or testing activities are scheduled.

9. No hot work permits will be active for the control building and the normal switchgear rooms.

10. Operating crew briefings are conducted on the following important operator actions required during an SBO:

Alignment of the NMP2 DFP to the RPV, including use of the Nine Mile Point Unit 1 DFP and crosstie.

Page 14 of 24

AC power recovery (offsite power and DGs).

HPCS crossties to Division 1 or 2.

Emergency depressurize RPV.

While in the proposed extended emergency UPS Completion Time, additional elective equipment maintenance or testing that requires the equipment to be removed from service will be evaluated and activities that yield unacceptable results will be avoided.

The dominant sequences in the NMP2 PRA have been evaluated to assure that important equipment is identified and evaluated when an emergency UPS inverter is out of service. Tables 1 through 4 of Attachment 8 provide the initiating event frequency for the CDF sequences greater than 1E-07/yr and LERF sequences greater than 1E-08/yr that contain the emergency UPS inverter. Two types of evaluations are considered:

1. Important systems and equipment are assessed to determine whether their unreliability has increased since the last PRA update based on plant operational experience.

2. Important equipment and human actions are assessed to determine whether compensating measures can be credited to reduce risk while the emergency UPS inverter is out of service.

Based on Tables I through 4 (Attachment 8), the following are identified as major risk contributors when an emergency UPS inverter is out of service:

Loss of offsite power initiating event (BLOSP or LOSP)

Instrument air initiating events (ASX)

Emergency diesel generator (Al, A2, HPCS)

Loss of feedwater event (LOF)

RCIC (U1, IC)

Failed Operator actions:

- AlignDFPtoRPV(S1)

- AC power recovery (offsite power and DGs)

- Align Division 3 (HPCS) DG to Division 1 or 2

- Emergency depressurize RPV (OD)

Each of the above-identified risk contributors is further discussed below.

LOSP Initiating Event (BLOSP or LOSP)

The LOSP frequency for the NMP2 baseline model was updated based on the data contained in draft NUREG/CR-INEEL/EXT-04-02525, "Station Blackout Risk Evaluation for Nuclear Power Plants," January 2005. These data include the August 2003 LOSP event. The resulting total Page 15 of 24

LOSP frequency used in this analysis is 5.68E-2/yr. The NMP2 baseline model was also revised to utilize the higher non-recovery probabilities contained in the draft NUREG.

Instrument Air Initiating Events (ASX)

The loss of instrument air results in the loss of feedwater. Subsequent failures of RCIC and HPCS require operators to depressurize the RPV to provide low pressure makeup. There have been no recent reliability problems identified which relate to the instrument air system and the frequency for this initiating event remains unchanged.

Emergency Diesel Generator (Al. A2, HPCS)

When an emergency UPS inverter is taken out of service, all three DGs will be operable. The PRA calculations did not take credit for this compensatory measure. There are no recent DG reliability problems, so DG reliability remains unchanged. The DG failure rate in the NMP2 PRA is comparable with that in draft NUREG/CR-INEEL/EXT-04-02525.

Loss of Feedwater Event (LOF)

The loss of feedwater and the subsequent failure of RCIC and HPCS require operators to depressurize the RPV to provide low pressure makeup. There have been no recent reliability problems identified which relate to the feedwater system and the frequency for this initiating event remains unchanged.

RCIC (Ul. IC)

Successful RCIC (Ul) system operation during an SBO is very important because it provides time for the operators to align the DFP as a backup in case of a subsequent RCIC failure before AC power is recovered. When an emergency UPS inverter is taken out of service, RCIC will be operable and a compensatory measure (a portable power supply to power the RCIC governor and flow controller) will be implemented to ensure that the RCIC system remains capable of manual initiation and operation for the SBO coping period. The PRA calculations take credit for establishing this power supply within 30 minutes, with a 0.9 probability of success. Operator actions required to establish this power supply may include set-up of the portable power source, running extension cords, and manually operating 120 VAC panel disconnects. A human factors evaluation will have been performed to ensure that there is a high probability (> 0.9) of successfully performing these operator actions. Functionality of the portable power supply will be periodically verified, and all necessary materials will be appropriately staged.

In the baseline NMP2 PRA model, RCIC is assumed failed given a loss of the Division 1 emergency UPS inverter in an SBO scenario. This assumption is modified allowing credit to be taken to recover RCIC based on the compensatory measure to provide temporary power to the RCIC system governor and flow controller. Accordingly, Top Event UI was modified with a new split fraction. For conservatism, RCIC recovery credit was not taken for non-SBO scenarios, and Top Event IC was not changed.

Page 16 of 24

The Division 2 emergency UPS inverter supplies power to the RPV Level 8 instrumentation.

Loss of the Level 8 trip signal would require operator action to prevent RCIC overfill of the RPV. Current NMP2 emergency operating procedures and associated operator training provide direction for controlling RPV level using the RCIC system. As such, the operator action failure probability to prevent RPV overfill to Level 8 during an SBO is reduced from 0.8 to 0.2.

Operator Actions Several operator actions have been identified as potentially important. A prescribed operator briefing and special precautions to be observed when taking an emergency UPS inverter out of service can improve operator reliability as compensatory measures against failed actions. The following are some of the operator actions:

AlignDFPtoRPV(S1)

AC power recovery (offsite power and DGs)

Align Division 3 (HPCS) DG to Division 1 or 2

Emergency depressurize RPV (OD)

No credit was taken for the operator briefing and special precautions. The operator reliability data used in this analysis is conservative and contributes to extra margin in the analysis.

4.2.6 Tier 3: Risk-Informed CRMP Consistent with 10 CFR 50.65(a)(4), and as indicated above, Nine Mile Point Nuclear Station, LLC (NMPNS) has developed a CRMP which provides assurance that the risk impact of out of service equipment is properly evaluated prior to performing a work activity. The administrative procedures and instructions governing this process are GAP-PSH-03, "Control of On-line Work Activities," GAP-OPS-1 17, "Integrated Risk Management," NAI-PSH-02, "Use of the Safety Monitor," and NIP-OUT-01, "Shutdown Safety." The guidance provided in GAP-PSH-03 and GAP-OPS-1 17 provides assurance that the risk associated with planned online work activities is evaluated and that the work activities are scheduled appropriately. The CRMP includes an integrated review (i.e., both probabilistic and deterministic) to identify risk-significant equipment outage configurations in a timely manner during the online work management process for both planned and emergent work. Appropriate consideration is given to equipment unavailability, operational activities (e.g., testing, load dispatching), and weather conditions. The CRMP includes provisions for performing a configuration-dependent assessment of the overall impact on risk of proposed plant configurations prior to, and during, the performance of online work activities that remove equipment from service. Risk is re-assessed if an equipment failure or malfunction, or other emergent condition, produces a plant configuration that had not been previously assessed.

For online work activities, a quantitative risk assessment is performed to assure that the activity does not pose an unacceptable risk. This evaluation is performed using the Safety Monitor. The results of the risk assessment are classified by color code in order of the increased risk of the activity. These color code classifications are described in the following table:

Page 17 of 24

Color Code Level Criteria Action GREEN CDF < 2 X PRA Baseline Risk level is acceptable, no (maintenance included) further actions are necessary.

YELLOW CDF Ž 2 X PRA Baseline; Risk level is high, requires CDF < 10 X PRA Baseline supporting PRA analysis of (maintenance included) acceptable duration.

RED CDF 2 10 X PRA Baseline Significant risk level, work (maintenance included) may require plant outage to perform.

Online requires supporting PRA analysis, compensatory action recommendations, and plant management approval to perform.

Emergent work is reviewed by work management and operations to evaluate the impact on the risk assessment performed during the schedule development process. Prior to beginning any work, the work scope and schedule are reviewed to assure that nuclear safety and plant operations remain consistent with regulatory requirements, as well as management expectations.

4.3 Maintenance Rule Program Controls The 10 CFR 50.65 Maintenance Rule performance and monitoring criteria at NMP2 are controlled by Maintenance Rule Manual Procedure S-MRM-REL-0 105, "Maintenance Rule Performance Criteria." The reliability and availability of the NMP2 UPS are monitored under the Maintenance Rule program as described in administrative procedures NIP-REL-01, "Maintenance Rule," S-MRM-REL-0101, "Maintenance Rule," and S-MRM-REL-0105.

The NMP2 Maintenance Rule program establishes reliability criteria at the Functional Failure (FF) level rather than at the Maintenance Preventable Functional Failure level. This provides assurance that all emergency UPS inverter FFs are assessed for possible 10 CFR 50.65(a)(1) goal setting and monitoring under the Maintenance Rule program, regardless of maintenance preventability. Any failure which causes loss of power to loads or the inability to power the emergency UPS inverter from the DC electrical distribution system, even though the loads remain energized, would be classified as a FF. The emergency UPS inverter system is currently classified in 10 CFR 50.65(a)(1) status (i.e., system performance and condition is being monitored to assure capability of fulfilling intended functions) for exceeding the performance criterion of one FF for each Division during the past 24 months. There have not been any events that resulted in a loss of power to the inverter loads.

The Division 1 emergency UPS inverter has not incurred any unavailability in the past 24-month rolling period while NMP2 was on line.

The Division 2 emergency UPS inverter was taken out of service in August 2003 (2 times),

August 2004, September 2004, and January 2005 for unplanned maintenance during the past 24-month rolling window while NMP2 was on line. Three of these five unavailability periods were for durations greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and the average duration was 22.4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . In addition, the Page 18 of 24

Division 2 inverter was taken out of service for planned corrective maintenance for 5.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months in August 2003. The accumulated unavailability for the Division 2 inverter was 117.6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months during the past 24-month rolling window, resulting in the inverter being 0.72% unavailable.

A modification is in progress to install redundant emergency UPS inverters in each electrical division to improve overall system reliability and availability. The necessary tie-in points were installed during the last refueling outage to facilitate online installation of the inverters. The inverters are currently scheduled for installation in the summer of 2005.

Installation of the redundant emergency UPS inverters will allow NMPNS to perform planned maintenance on the inverters with minimal impact on unavailability. It is expected that this modification will reduce unplanned outage time and improve reliability and availability under the Maintenance Rule program.

4.4 Conclusion The proposed extension of the emergency UPS inverter Completion Time is based upon both a deterministic evaluation and a risk-informed assessment. The deterministic evaluation concluded that the proposed change is consistent with the defense-in-depth philosophy, in that (1) there continue to be multiple means available to accomplish the required safety functions and prevent the release of radioactive material in the event of an accident and (2) multiple barriers currently exist and additional barriers will be provided to minimize the risk associated with entering the extended emergency UPS inverter Completion Time so that protection of the public health and safety is assured. The deterministic evaluation also concluded that the proposed change will not erode the reduction in severe accident risk that was achieved with implementation of the SBO Rule or affect any of the safety analyses assumptions or inputs as described in the USAR. The risk-informed assessment concluded that the increase in plant risk is small and consistent with the NRC "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986, as further described in Regulatory Guides 1.174 and 1.177. When taken together, the results of the deterministic evaluation and risk-informed assessment provide high assurance that the equipment required to safely shutdown the plant and mitigate the effects of a DBA will remain capable of performing their safety functions when an emergency UPS inverter is out of service for maintenance or repairs in accordance with the proposed extended Completion Time.

The proposed extension of the emergency UPS inverter Completion Time is consistent with NRC policy and will continue to provide protection of the public health and safety. The proposed change advances the objectives of the NRC's PRA Policy Statement, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Volume 60, p. 42622 (60 FR 42622), August 16, 1995, for enhanced decisionmaking and results in more efficient use of resources and reduction of unnecessary burden. The capability of performing on-line corrective maintenance on the emergency UPS inverters is expected to avert unplanned plant shutdowns and improve inverter reliability.

Therefore, based on the above evaluations and conclusions, NMPNS believes that the proposed change is acceptable and operation in the proposed manner will not present undue risk to public health and safety or be inimical to the common defense and security.

Page 19 of 24

5.0 REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration Analysis Nine Mile Point Nuclear Station, LLC, (NMPNS), is requesting a revision to Facility Operating License No. NPF-69 for Nine Mile Point Unit 2 (NMP2). The proposed change would revise Required Action A.1 of Technical Specification 3.8.7, "Inverters - Operating," to extend the Completion Time for one emergency uninterruptible power supply (UPS) inverter inoperable from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 7 days.

NMPNS has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change does not affect the design of the emergency UPS inverters, the operational characteristics or function of the inverters, the interfaces between the inverters and other plant systems, or the reliability of the inverters. An inoperable emergency UPS inverter is not considered an initiator of an analyzed event. In addition, Required Actions and the associated Completion Times are not initiators of previously evaluated accidents. Extending the Completion Time for an inoperable emergency UPS inverter would not have a significant impact on the frequency of occurrence for an accident previously evaluated. The proposed change will not result in modifications to plant activities associated with inverter maintenance, but rather, provides operational flexibility by allowing additional time to perform inverter corrective maintenance and post-maintenance testing on-line and could avert unplanned plant shutdowns.

The proposed extension of the Completion Time for an inoperable emergency UPS inverter will not significantly affect the capability of inverters to perform their safety function, which is to ensure an uninterruptible supply of 120 VAC electrical power to the associated power distribution subsystems. A probabilistic risk assessment was performed which concluded that the increase in plant risk is small and consistent with the NRC "Safety Goals for the Operation of Nuclear Power Plants; Policy Statement," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986, as further described in NRC Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-Making: Technical Specifications." A deterministic evaluation concluded that plant defense-in-depth philosophy will be maintained with the proposed Completion Time extension.

Page 20 of 24

Therefore, operation in accordance with the proposed change would not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change does not alter the design, configuration, or method of operation of the emergency UPS inverters or their associated 120 VAC uninterruptible power distribution subsystems, nor does the change alter any safety analyses inputs and assumptions. The proposed extended emergency UPS inverter Completion Time does not reduce the number of emergency UPS inverters below the minimum required for safe shutdown or accident mitigation, and does not affect the parameters within which NMP2 is operated or the setpoints at which protective or mitigative actions are initiated. The use of the alternate safety-related maintenance supply to power the 120 VAC uninterruptible power distribution subsystem is consistent with the NMP2 design. If a Station Blackout (SBO) event occurred while an emergency UPS inverter is out of service, a dedicated portable power supply would be connected to provide a continuous source of power to the reactor core isolation cooling system governor and flow controller to ensure continued system operation. Minor plant modifications installed to facilitate this portable power supply connection will not introduce any new component failure modes or system interactions affecting the ability to safely shut down the plant or mitigate design basis accidents. Operator actions associated with establishing this power supply are of the same type already credited in the SBO coping analysis. These operator actions will have been evaluated in accordance with the guidance of NUREG/CR-6689, "Proposed Approach for Reviewing Changes to Risk-Important Human Actions," thereby assuring a high likelihood of success. Accordingly, no new failure modes, system interactions, or accident responses will be created that could result in a new or different kind of accident.

Therefore, operation in accordance with the proposed change would not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

Margins of safety are established in the design of components, the configuration of components to meet certain performance parameters, and in the establishment of setpoints to initiate alarms or actions. The proposed change does not alter the design or configuration of the emergency UPS inverters or their associated 120 VAC uninterruptible power distribution subsystems, and does not alter the setpoints at which alarms and associated actions are initiated. With one of the required 120 VAC uninterruptible power distribution subsystems being powered from the alternate safety-related maintenance supply, which is backed by the divisional diesel generator (DG),

Page 21 of 24

there is no significant reduction in the margin of safety. Testing of the DGs and associated electrical distribution equipment provides confidence that the DGs will start and provide power to the associated equipment in the unlikely event of a loss of offsite power during the extended 7-day Completion Time.

Applicable regulatory requirements will continue to be met, adequate defense-in-depth will be maintained, sufficient safety margins will be maintained, and any increases in risk are small and consistent with the NRC Safety Goal Policy Statement. Furthermore, during the proposed extended Completion Time for the emergency UPS inverter, any increases in risk posed by potential combinations of equipment out of service will be managed in accordance with the NMPNS site Configuration Risk Management Program, consistent with 10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," paragraph (a)(4).

Therefore, operation in accordance with the proposed change would not involve a significant reduction in a margin of safety.

5.2 Applicable Regulatorv Requirements/Criteria The proposed change has been evaluated to determine whether applicable regulations and requirements continue to be met. To fully evaluate the effect of the proposed emergency UPS inverter Completion Time extension, PRA methods and a deterministic analysis were utilized.

NMPNS has determined that the proposed change does not require any exemptions or relief from regulatory requirements, other than the Technical Specifications, and does not affect conformance with any General Design Criteria differently than described in the NMP2 USAR.

Applicable regulatory requirements will continue to be met, adequate defense-in-depth will be maintained, sufficient safety margins will be maintained, and any increase in risk is small and consistent with the NRC "Safety Goals for the Operation of Nuclear Power Plants; Policy Statement," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986, as further described in NRC Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-Making: Technical Specifications." The ICCDP and ICLERP for each inverter division meet the regulatory guidelines such that the impact on plant risk is considered small. Hence, the guidelines of Regulatory Guide 1.177 for the increased inverter Completion Time have been met.

Furthermore, the evaluation of changes in CDF and LERF due to the expected increased inverter unavailability, as mitigated by the compensating measures assumed in the analysis, have been shown to meet the risk significance criteria of Regulatory Guide 1.174.

NMPNS utilizes a CRMP consistent with 10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," paragraph (a)(4). The goals of this program are to ensure that risk-significant plant configurations will not be entered for planned maintenance activities, and appropriate actions will be taken should unforeseen events place the plant in a risk-significant configuration during the proposed extended emergency UPS inverter Completion Time. To ensure the Completion Time does not degrade operational safety over time, the Maintenance Rule program will be used, as discussed above, to identify and correct Page 22 of 24

adverse trends. Compliance with the Maintenance Rule not only optimizes reliability and availability of important equipment, it also results in management of the risk when equipment is taken out of service for maintenance or testing per 10 CFR 50.65(a)(4).

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

The proposed amendment is similar to the amendment request submitted for the Clinton Power Station on April 26, 2004, and the approved amendments for the Braidwood and Byron Stations (Amendments 129 and 135, respectively) and the North Anna Power Station (Amendments 235 and 217 for Units 1 and 2, respectively).

5.3 Commitments The following table identifies those actions committed to by NMPNS in this submittal. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments.

REGULATORY COMMITMENT DUE DATE Revise appropriate plant procedures to include provisions for Prior to implementing compensatory measures and configuration risk implementation of management controls when an emergency UPS inverter is the license removed from service for any extended Completion Time amendment.

duration (greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and up to 7 days).

Install plant modifications to allow connection of a dedicated Prior to portable power supply to provide a continuous source of power implementation of to the RCIC governor and flow controller following a Station the license Blackout event. This power supply must be capable of being amendment.

established within 30 minutes with a probability of success greater than 0.9, as confirmed by a human factors evaluation in accordance with the guidance of NUREG/CR-6689.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Page 23 of 24

Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

Page 24 of 24

ATTACHMENT 2 PROPOSED TECHNICAL SPECIFICATION CHANGES (MARK-UP)

The current version of Technical Specification page 3.8.7-1 has been marked-up by hand to reflect the proposed change.

I.

Inverters-Operating 3.8.7 3.8 ELECTRICAL POWER SYSTEMS 3.8.7 Inverters-Operating LCO 3.8.7 The Division 1 and Division 2 emergency uninterruptible power supply (UPS) inverters shall be OPERABLE.

APPLICABILITY: MODES 1, 2, and 3.

ACTIONS' CONDITION REQUIRED ACTION COMPLETION TIME A. One emergency UPS A.1 ---------NOTE--------

inverter inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.8, "Distribution Systems-Operating" with any 120 VAC uninterruptible panel de-energized.

Restore emergency UPS I inverters to OPERABLE status.

'B. Required Action and B.I Be in MODE 3. 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months associated Completion Time not met. AND B.2 Be in MODE 4. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months NMP2 3.8.7-1 Amendment 4.

ATTACHMENT 3 CHANGES TO TECHNICAL SPECIFICATION BASES PAGES The current version of Technical Specification Bases page B 3.8.7-3 has been marked-up by hand to reflect the proposed changes. This Bases page is provided for information only and does not require NRC issuance.

Inverters-Operating B 3.8.7 BASES APPLICABILITY In MODES 4 and.5, the emergency UPS inverters are not (continued) required to be OPERABLE since, 'during these MODES, if a loss-of offsite power occurred (which could result in loss of power to the uninterruptible panels until the DG starts and energizes the associated emergency buses) coincident with an accident requiring the ECCS instrumentation to perform their function, the response time of the ECCS subsystems (which will be delayed due to the loss of power to the uninterruptible panels) is not as critical.

ACTIONS A.I With an emergency UPS inverter inoperable, its associated 120 VAC uninterruptible panels become inoperable until they are re-energized from their Class 1E regulating transformer (maintenance transformer) or emergency UPS inverter using the internal AC source. LCO-3.8.8 addresses this action; however, pursuant to LCO 3.0.6, these actions would not be entered even if the 120 VAC uninterruptible panels were de-energized. Therefore, the ACTIONS are modified by a Note stating that ACTIONS for LCO 3.8.8 must be entered immediately. This ensures the uninterruptible panels are re-energized within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

Required Action A.1 allows o fix the inoperable emergency UPS inverter and return it to service. The

'EEi3limit is based upon ii zu41,t , taking ino consi eration t e ime required to .repair an inverter I

. risk and the additional risk to which the plant is exposed Iue.-hon because of the inverter inoperability. This risk has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems that such a shutdown might entail. When the 120 VAC uninterruptible panels are powered from their constant voltage maintenance source (or the internal AC source/rectifier with the DC source inoperable),'they are relying upon interruptible AC electrical power sources (offsite and onsite.). The uninterruptible inverter source to the 120 VAC uninterruptible panels is the preferred source for powering instrumentation trip setpoint devices.

(continued)

,NMP2 B 3.8.7-3 Revision ATTACHMENT 4 NINE MILE POINT UNIT 2 PROBABILISTIC RISK ASSESSMENT PEER REVIEW CERTIFICATION INFORMATION The PRA peer review certification team identified the Facts and Observations (F&Os) with a significance level of "B." There were no F&Os with a significance level of "A." The significance levels for the F&Os are defined as follows:

A - Extremely important and necessary to address for ensuring the technical adequacy of the PRA, the quality of the PRA, or the quality of the PRA update process.

B - Important and necessary to address, but may be deferred until the next PRA update.

Table 1 below provides a summary of the qualifications and experience of the PRA peer review certification team members. Table 2 provides a listing of the individual F&O review items and the PRA team's initial response/resolution to each item assigned a significance level of"B". In each case, the PRA was either updated to resolve the comment or, based on the response/resolution, the item would have little or no impact on the important event sequences and equipment relative to the proposed emergency UPS inverter Completion Time. Note that some of these initial responses have subsequently been updated to reflect the availability of newer information.

Page 1 of 25

TABLE 1: PRA PEER REVIEW CERTIFICATION TEAM EXPERIENCE

___________ EXPERIENCE

SUMMARY

Years of Team Member Years PRAIPSA Degree Experience Experience Selected PRA/PSA Projects Lichung Pong BS, Nuclear 16 18

Responsible for Level 1 and 2 Engineering - Tsing PSA models for WNP-2 Hua University

On-Line Maintenance assessment for WNP-2 MS, Nuclear

Risk Ranking for WNP-2 Engineering - Univ.

Wisconsin Ph.D. - Nuclear Engineering - Univ.

Wisconsin Earl Page BS, Physics 40 9

Fermi 2 PE Project Manager

Fermi 2 IPEEE Project MS, Nuclear Manager Engineering

On-Line Maintenance Risk Evaluation Support for Fermi 2 E. T. Burns BS, Engineering 26 21

Technical reviewer of Level 1 Science - RPI IPEs for fifteen BWR plants

Manager, technical advisor, MS, Nuclear Science - or lead engineer on many RPI IPEs/PRAs for BWR plants

Lead engineer on several Ph.D., Nuclear containment safety studies Engineering - RPI Gary Smith BS, Mechanical Not Not

Project Manager for Grand Engineering - Available Available Gulf Nuclear Station (GGNS)

Louisiana State IPE University

Lead analyst for GGNS Fire PRA Rick Hill MS, Industrial 27 19

Reviewer of Reactor Safety Engineering Study

Developed human reliability BA, Biochemistry simulator data collection program

Project Manager for BWROG projects relative to PR E. E. Vezey BS, Mechanical 45+ 30+

17 years of BWR experience Engineering - Texas with GE NE A&M

Manager of Alto Lazio PSA

SBWR Project Team Page 2 of 25

TABLE 2: SIGNIFICANT PRA CERTIFICATION FINDINGS AND OBSERVATIONS (F&O)

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element: MU These are subelements which will not be B NEG-CA-001 Rev. 4 is currently being used to prioritize Subelements: 4, complete until the first and subsequent update PRA update/open items.

9,13,14 cycles are complete. Grades assigned are contingent upon follow-through by the PSA and associated groups.

Element: MU In addressing plant specific failure events during B As part of the PRA update, all initiating events at NMP2, Subelement: 5 the PS update, the UPS event which occurred at including the UPS event were evaluated and included in the NMP should be included in the basic events. PRA (Section 5.3.1). The impact of the UPS event of 8/13/91 was basically a loss of feedwater subsequent to a plant trip. Based on this event alone, the unavailability of feedwater is presently judged to be optimistic because it does not account for this event. However, the loss of feedwater initiating event increased from 0.05 (IPE) to 0.14 in the PRA update, which is judged to reasonably capture this event. The unavailability of feedwater, given it was not the initiator, was not increased because of the initiator frequency and the fact that measures have been taken to preclude the UPS event from recurring.

Element: MU There is in place a good system of archiving the B Tier I and 2 documentation for the PRA update are available Subelement: 6 PSA model and other related documents. This both in hard copy with signatures and electronically. The system should be well documented to insure that documentation also summarizes changes from the original this information is assessable in the event of 1PE. Background documentation (EPE and IPEEE and discontinuity in program management or other supporting information) is archived in files and on CD upset. ROM.

Page 3 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element IE 1. Should probably examine possible inclusion B 1. PRA update Section 5.3.3 was improved to explain why Subelement 7 of BOC (Break Outside Containment) as an the frequency of Core Damage and LERF are low.

initiator in light of its potential contribution 2. The frequency of multiple SRVs opening is on the same to early-high release, notjust CDF. order of magnitude as Large LOCA with less severe challenges to the containment. PRA update Section

2. Also might consider multiple stuck open 5.3.3 addresses this subject.

relief valves, as an initiator. 3. Manual shutdown events are now explicitly modeled in the PRA update (see PRA Section 5.3.1).

3. Should also examine the assumption of not analyzing sequences subsequent to a manual shutdown or manual scram. While these are usually "controlled" shutdowns, systems and operators are still challenged. In some cases, a manual scram would not be "completely controlled" depending on the need for the scram.

Element IE The scope of LERs and shutdown history is B The UPS event occurred after the IPE cutoff date. However, Subelement 8 described; events are shown in Tables A-3 and the event is explicitly included in the PRA update (see A-4 (Tier 2). However, it is not clear why the Section 5.3.1).

transformer/UPS event of 8/13/91 was not included in the initiator data base.

Page 4 of 25

Element / Sub- Level of Element I PRA Certification F&O Significance I Risk Impact - Response/Resolution Element 1E System 26 (P. 3.2.1.26-1 of IPE) B Based on the PRA update, LOSP frequency increased from Subelement 13 0.04 to 0.11 based on plant specific data. Then, NUREG-The LOSP frequency and the recovery are 1032 is used for recovery and includes weather events. The intimately tied together. The NUREG-1032 writeup was also improved during the PRA update (PRA recovery curves can be applied each on its Section 4.2.26 and 3.1) specific frequencies. However, it appears that the NUREG-1032 weighted recovery curve was used and applied to the LOSP frequency which was based solely on grid and plant centered data.

This appears to be optimistic relative to the NUREG-1032 assertions relative to severe weather because the magnitude and sample size of the plant specific data does not preclude a non-negligible weather component estimated after the guidance stipulated in NUREG-1032. It is advocated by the Certification team that the data only supports updating the plant centered data from 0.087/yr to 0.04/yr. Therefore, the weighted average of recovery should be recalculated coupling the new IE frequency which should include a 0.01 frequency for severe weather with the corresponding NUREG-1032 recovery curves.

Element LE LOSP frequency development should not LOSP recovery and use of NUREG-1032 has always Subelement 16 preclude non-negligible severe weather properly accounted for severe weather. This was rectified component. Its I in 100 year value can't be during the PRA update and write-up was improved.

precluded based on a short generating history. It should be added and included more appropriately in the recovery value.

Page 5 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS The evaluation of accident sequence response B SBO procedure N2-SOP-01 Rev. 4 Cautions the Operators Subelement 5 using RCIC can be strongly influenced by the that "operating with RPV pressure less than 200 psig can plant specific feature at NMP-2 of the Dikkers jeopardize RCIC availability." Also, most recent EOPs SRVs. The Dikkers SRVs have characteristics (1/l/99) provide new direction (EOP-6, Attachment 29) so associated with them that result in RPV that depressurization does not necessarily make RCIC depressurization to very low pressures when the unavailable. Also, MAAP calculations indicate that it takes EOP direction is followed to open all ADS at least 4-6 hours without containment heat removal (per SRVs. Following the emergency EOPs and operator training, RPV pressure is maintained depressurization directions results in the RPV below HCTL and other containment limits) before eventual pressure reduced to well below the pressure emergency depressurization may occur. Since the SBO required for RCIC operation whether or not the analysis ends at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months this is not an important issue.

low pressure trip is bypassed. This effect is to make RCIC unavailable whenever emergency depressurization is directed by the EOPs.

Element AS Based on Calculation EC-129, the Division I B The SBO model has been revised as part of the PRA update.

Subelement 5 battery 2BYS*BAT2A Type NCN-35 is able to Recovery is now only allowed out to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months given supply loads during SBO for six hours. In this successful DC load shedding (based on latest analysis). This calculation, the loads not required during SBO has a minor impact because there was very little credit in the event are assumed to be shed within two hours. original analysis beyond 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months anyway (See Section The current assumption is that the station battery 3.2.1.3).

could last for 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months . Therefore, it is recommended that the event tree analyses for the SBO scenario be revised.

Element AS SBO B The latest GE analysis and procedures were reviewed and Subelement 6 considered in the PRA update and the SBO model was There is a revised SBO evaluation for NMP2 revised extensively (see previous observation). The SBO from GE which indicates that there are a number risk was reduced due to modeling changes (mostly due to of new constraints on the ability to cope with an changes in procedures to use HPCS to supply Div I or II SBO. These include reduced battery life, AC). The latest procedures and training incorporated requirements to depressurize within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , and insights from the IPE. Since LOSP frequency has increased higher RCIC room temperatures. These based on plant specific data, the overall effect of the update considerations are judged to adversely impact the was not a reduction in risk.

SBO accident sequence evaluation in the PSA.

Page 6 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS ROOM COOLING B Both the confusing documentation and the modeling of Subelement 11 room cooling have been corrected in the PRA update.

The treatment of room cooling for RHR and Gothic calculations (SAS-PRA2-S-RHS-CALC, June 1998)

LPCS operability is described in a confusing and show that the limiting room (RHR B room) is marginal and conflicting manner in the IPE documentation. realistically does not require room cooling. Still, the PRA For example, the room cooling requirement for model conservatively fails RHR rooms A and B if room RHR is not clearly delineated in the dependency cooling fails. The LPCS and LPCI C rooms clearly do not matrix and the method of room cooling treatment require room cooling and this dependency is no longer for loss of service water cases is highly included. The RHR A & B failures although conservative do dependent in the model on the operating action not impact the PRA results.

to open doors. This is not currently proceduralized and therefore should not be credited. There may also be calculations with GOTHIC that could justify not requiring an active room cooling system. These issues need to be clarified to ensure that system importances for applications are accurately reflected.

Page 7 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS DFP B The present model only allows a 0.5 probability of success Subelement 7 (0.2 operator action failure). The most recent EOPs ensure The diesel fire pump alignment under SBO when that the DFP will be aligned early (level below scram set essential lighting has been shed appears to be a point and stops in the EOPs have been removed); the difficult process. There is questionable evidence operators will not wait. SBO model only allows DFP that the alignment can be performed and the success if RCIC was successful for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The operators LPCI valve opened under SBO conditions. practice the physical alignment and the LPCI MOVs are accessible. This has not been practiced in a SBO condition where the operators have to use flashlights. However, given that this would be done by sending operations personnel out in pairs, the above EOP changes, and timing in the SBO model, a 0.2 probability of failure is judged reasonable if not conservative. We may pursue taking more credit for the operator in the future. A separate open item was whether the DFP can protect the core 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after event initiation (0.3 failure probability). Preliminary MAAP calculations indicate that a diesel fire pump with 1 of 2 injection paths is marginal. Therefore, the 0.5 SI failure probability may not be conservative, but is still considered reasonable given our present state of knowledge. This will be considered further relative to risk management and future updates.

Page 8 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS TRACEABILITY B The PRA update improves the documentation. Section 5.2 Subelement 10 identifies HRA event ZECOI and basic event The traceability of individual elements of the ISCZECMISCALIBOI as included in top event ECV which model are difficult in some cases. models common cause failure of all ECCS low pressure injection paths. When ECV fails, all low pressure injection The miscalibration of the low pressure paths fail in the PRA model.

permissives on the LPCI AND LPCS lines are identified as possible pre-initiator HEPs, but their basic event is:

not identified in the IPE discussion of the HEP

does not have a calculation to support the quantification of the HEP referenced in the IPE

is not included in the fault tree for the low pressure injection systems

is not included in the cutsets for the respective top events

is included in the ECCS initiation logic Page 9 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS S50 B The PRA update includes a major revision to the SBO Subelement 5 model. As discussed in response to other observations, the The accident sequence evaluation for SBO needs model only goes to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (e.g., no credit is given to to be re-evaluated based on the revised SBO recovery beyond 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ) and is based on latest analysis and report which substantially shortened the procedures. There was very little credit in the original model available time for coping from 19 hours2.199074e-4 days 0.00528 hours 3.141534e-5 weeks 7.2295e-6 months used in beyond 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Refer to PRA Section 3.2.1.1.

the Rev I of the SBO calculation and in turn used as a basis for the WE to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months in Rev 2 of the SBO report. This is believed to have a major impact on the quantification of dominant core damage sequences. Because a realistic assessment of the Rev I results was used in the original IPE model, the quantified impact of Rev 2 is expected to be not large. This shows good judgment in the use of the original optimistic Rev I SBO report results.

Element AS The impact of load shedding assumptions on the B The PRA update includes a major revision to the SBO Subelement 13 PSA should be re-evaluated and their results model based on latest procedures and analysis. Although the documented. HRA has not been redone, the procedures are consistent and in some instances exceed the IPE assumptions. The model conservatively assumes core damage occurs early at 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months if load shedding fails.

Element AS DEPENDENCIES AND LOW PRESSURE B In the PRA update, miscalibration is included in top event Subelement 10 PERMISSIVE ECV. Failure of ECV fails LPCS and LPCI injection paths.

Success criteria will not allow low pressure makeup through The HRA discussion identifies the injection these paths from any source. See PRA Sections 4.2.4 and valve low pressure permissive as a potential CCF 3.2.1 event tree rules for SUP4, TRI, etc.

probability due to miscalibration.

No detailed calculation has been developed for this However, in the low pressure injection systems miscalibration HRA; the evaluation is described in PRA there is no identification of this CCF failure Section 5.2. See also the response to Element HR, mode. Subelement 6.

Page 10 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution This failure mode does not appear to be discussed in any other IPE section.

The basic event appears to have been put in the El, E2, E3 ECCS initiation logic which is assumed to be able to be backed up by manual actuation if auto initiation fails. IA and LB and LS are not affected by this failure if ME is successful. There may also be some additional HEP that could be included to address the question of locally opening the injection valve and bypassing the low pressure permissive by turning the valve hand wheel. No HRA is performed to support this action. There does not appear to have been a clear definition of what the HEP was, where it was calculated, or what logic model it applies to.

The impact is judged to be small but it cannot be readily confirmed because the dependencies associated with the failure of this permissive could adversely impact LPCI, LPCS, SW X-TIE, AND THE DIESEL FIRE PUMP.

Ensure the HEP for the low RPV pressure permissive is:

described in the LP injection systems

quantified in a calculation

treated among "tops" so that the dependency is accurately reflected Page 11 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element AS CONTAINMENT VENT B Major improvements have occurred since the IPE. Latest Subelement 5 improved EOPs have removed stops such that operators will The EOPs and the EOP-6 specific attachment for not wait for the high pressure condition that requires venting taken together represent the written basis venting. This was confirmed with Operations. In other for operator response to challenges to high words, with the knowledge of venting alignment difficulties containment pressure. and the improved EOPs, there is a high likelihood of success. Containment venting has been addressed in drills However, the vent that is allowed by these is and training and as part of the SAM process. Present EOPs assessed in the HRA to have a 1.0 failure and supporting procedures were found to provide adequate probability. Despite this, the model appears to flexibility and to address support states. The SAM process use a more optimistic HEP that was developed and TSC guidance will also help. The present analysis (same including assumptions regarding procedural as IPE) is judged reasonable to conservative.

modifications.

Recent emergency drill experience indicates that the operating staff in conjunction with the TSC could decide under certain conditions to vent the containment without requiring the extensive alignment of the "hard piped" system.

Element DA If there is a sufficient experience base, B Current plant specific maintenance unavailability is being Subelement 7 recommend replacement of maintenance used in the PRA update (Section 5.1).

unavailability data with plant specific data.

Element DA Numerical results for common cause failure of B NRC/INEL common cause data parameters are used in the Subelement 8 SRVs to depressurize appear to be quite low. PRA update and judged to be reasonable if not conservative (see Section 5.1.3).

Page 12 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element DA SRV/SOLENOID CCF 1 NRC/INEL common cause data parameters are used in the Subelement 9 PRA update for SRVs, SOVs, check valves, and are judged The SRV data and the associated solenoids can to be reasonable, if not conservative (see Section 5.1.3). The be expected to have a CCF term or terms. The simplistic model and values suggested above do not apply at NMP2 model has an extensive degree of CCF NMP2; detailed common cause modeling is utilized. Global terms. The IPE currently uses - 1E-6 as the CCF common cause (easiest comparison to simplistic approach) for all valves and 1E-5 for the sum of all in the NMP model is -2E-5 for all SRVs and -2E-5 for all multiple hardware failures of a CCF nature. This SOVs. Thus, the simplistic approach appears to be may be optimistic. However, a simplistic CCF conservative by an order of magnitude.

approach using generic SRV data results in estimating the CCF probability at 4E-4. This estimate should be checked against the design and possibility of a common cause failure.

Element DA The probability of a SORV conditional on its B The IORV initiator was recalculated based on plant specific Subelement 15 need to open for various transient initiators is not data (see Sections 5.3.1 and 5.3.3).

modeled. Transients with SORV are terminated and believed to be accounted for in the IORV/Small LOCA tree. This is adequate if the initiating event frequency for IORV adequately includes the SORV conditional probability which may change for sensitivity studies, applications, and updated transient data.

Element DA The value of and the rationale for the diesel B Systems analysis Tier I (Section 4.2.6) and Tier 2 identify Subelement 15 mission time is not documented. The only the fact that diesel mission time is 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The basis is that source of the value was a RISKMAN file. This the SBO model only goes to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and recovery time is a fairly highly visibility and controversial PSA depends on when the diesel fails (e.g., time to core uncovery issue. after 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of EDG success is much longer). Since these conservatisms are not accounted for in the SBO model, 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months was chosen as a reasonable, but conservative time.

Page 13 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element DA RPS (duplicate of SY-19) B INEEL/EXT-98-00670, October 1998, "General Electric Subelement 15 Reactor Protection System Unavailability, 1998 - 1995 The scram system description and the basis for (draft 2)" suggests an unavailability estimate of 3.8E-6/year.

the point estimate calculation for mechanical and The present NMP2 analysis is judged to be conservative.

electrical common cause failure are incomplete.

NUREG-0460 is referenced for the estimated failure probabilities, but this document does not justify the 4.3E-6 mechanical common cause failure probability. The basis for the cited value requires that the scram air header have a low pressure scram signal as input to the RPS. The system description does not define this and therefore the cited conditional probabilities do not apply._

Element hR The IPE does not provide any real insight into a B Pre-initiators were assessed for each system during the IPE Subelement 5 systematic process being followed to conclude and PRA update. They were not assumed to be subsumed that pre-initiator HIs could be assumed to be into maintenance unavailabilities. The revised evaluation is subsumed into maintenance unavailabilities. documented in the Systems Analysis and included in the PRA model summarized in Table 5.2-1.

Element RR The source and analysis behind the selection of B The likelihood of miscalibration is low as documented in Subelement 6 1.OE-5 for common cause mis-calibration of Section 5.2 of the PRA update. The -IE-5 value is similar to instrumentation is not adequate. A more NUREG results.

complete explanation and /or analysis should be provided in the update of the IPE.

Page 14 of 25

Element I Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element HR The tier 2 HRA document appears to be missing B This action is no longer included in the model because Subelement 10 the following: depressurization is not expected to occur during the SBO time window of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Also, the procedure (N2-SOP-01)

HHU21-Stop RPV depressurization before cautions operators with regard to depressurizing too low and RCIC stalls. the latest EOPs contain guidance relative to not having to depressurize with RCIC running (EOP-6 Attachment 29).

This HEP is not evaluated in the HRA document See also the response to Element AS, Subelement 5.

even though it references another HEP. It uses a value of IE-2 as the failure probability even though there is no procedure to deal with the Dikkers SRV effect of allowing depressurization to below the RCIC operability point of 50 to 60 psig.

Element HR SBO B The operators are in the EOPs, which address the DFP, as Subelement 10 well as SOPs during SBO. The latest EOPs ensure that DFP HEPs for SBO may need to be re-evaluated will be aligned early without hesitation. This has been

-usingthe directions in SOP-01 and SOP-02. confirmed with Operations. In addition, DFP alignments are These directions may alter the assessed HEPs. likely to be accomplished before reducing essential lighting Neither SOP-01 nor SOP-02 specify pre- loads (DC load shed). The original HRA analysis is alignment of the DFP for injection prior to considered conservative. (See also the response to the reducing the essential lighting. This is judged to Element AS, Subelement 7).

result in a substantial degradation in DFP successful alignment probability.

Page 15 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element HR DFP B Power is not assumed available during SBO. An operator Subelement 11 must open MOV 24A locally. All valves can be turned by The HRA appears to be performed assuming that the crew. Confirmed with Operations that if the valve fails the power to MOV 24A is available to support to open or can not be opened due to no AC power, it is opening it during the assumed alignment for understood that it will be opened locally. See also the RPV injection. EOP-6 Attachment 6 does not responses to Element AS, Subelement 7, and Element HR, identify how the valves are to be opened or the Subelement 10.

difficulty involved in opening the valves under different conditions such as SBO or loss of service water. The HRA apparently assumes the following optimistic assumptions regarding DFP alignment under SBO conditions:

no load shed of essential lighting which is specified in SOP 01

all valves are accessible, but no information provided to justify this

- all valves can be turned by the crew, but no information provided

sufficient crew is on-site to carry out the actions

power is available to MOV 24A These are all judged to be optimistic, and the assumption that power is available to MOV 24A is clearly incorrect in the way the DFP is used in the PSA model.

Element HR FW FLOW CONTROL DURING ATWS B Re-establishing feedwater does not have to occur in the time Subelement 12 frame suggested and it was judged that there was some Re-establishing feedwater between 25 sec after chance. NMP does not believe in using 1.0 when there is an feedwater runback ("lockout" time) and 83 sec opportunity for success (based on HRA and interviews).

when Level 1 is passed isolating the condenser We judge that the 0.5 value is appropriate.

hotwell due to MSIV closure appears to be given too much credit at 0.5.

Page 16 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element HR The HRA analyst used a "cause based" analysis B There are several hours to perform this local action. The Subelement 16 procedure (EPRI-TR-100259) for developing TSC could also perform the action. NMP considers the HHAI. This is a stress related event and the value to be conservative.

EPRI procedure is judged not to be effective in differentiating between stress and non-stress sequences. Therefore this HEP may be lower than the sequence can justify.

Element HR LPCI/LPCS FLOW CONTROL UNDER ATWS B This action is performed after emergency depressurization Subelement 16 and the EOPs utilize LPCI A and B as the preferred ECCS EOP-6 Throttle ECCS Attachment 3 trains. Throttling is available in the control room from these trains, which makes the task much easier than having to This appears difficult to implement and is not the apply EOP-6 Attachment 3. Even if EOP-6 Attachment 3 is procedure evaluated as part of the HRA for this needed, it is straight forward and is performed in the control action. building. A re-evaluated HEP is judged unnecessary at this time.

Element HR HHMAI: MA & MB (Loss of SW) B Operator action has been removed from the model. Loss of Subelement 23 room cooling fails RHR A & B with no credit for operators.

This action is to open LPCI room doors to assure This is conservative based on a Gothic calculation.

room cooling. The HRA assumes a procedure is in place. However, a procedure could not be identified-neither EOP-6 nor SOP-01 specify opening LPCI doors or MCC doors for room cooling.

The HRA assumes a procedure exists and uses a value of 0.1 conditional failure probability (90%

success).

Element HR The HEP, HHU-2 1, is an action identified in B This has been removed from the model because the updated Subelement 28 Table 3.3.3-1 as "Stop depressurization before model stops at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months before containment conditions RCIC stalls." There is no EOP for this action: becomes an issue. Also, see response to Element AS, therefore, the analysis (per the Table "see Subelement 5, and Element HR, Subelement 10.

HHOAI") is not a valid analysis since the timing, stress and steps to perform are not identified.

Page 17 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element DE It appears that the dependency matrix was B The dependency matrix was intended to address all Subelement 4 constructed with plant design basis in mind, dependencies that the engineers could identify during the rather than the realistic (as modeled) basis for the PRA development without requiring consideration as to PRA. This may be somewhat confusing for whether they were needed in the model. Note that seal future users. cooling during shutdown cooling is a dependency but shutdown cooling has not yet been added to the PRA. The Example: Noted dependency of RHR on normal Systems Analysis (PRA Section 4.2) identifies the AC, TBCLC and Service Water for pump seal dependencies that are modeled and why some may not be cooling. System discussion notes assumption modeled.

that seal cooling is not needed.

Component block Description tables (in system portion of the report) are good in that they define failure mode, initial state, actuated state, support system and state on loss of support. The matrix should relate to this better.

Element DE It is not apparent that pre-accident human actions B This was considered again during the systems analysis task Subelement 5 are incorporated in the modeling (common cause during the PRA update. It is better documented in the miscalibration or failure to restore from systems analysis (Section 4.2). Several misalignment pre-maintenance). initiator events were added to the model (Table 5.2-1).

Nothing significant was found or added to the model.

Element DE The evaluations are simplistic, e.g., room heat-up B This was considered during the PRA update with minor Subelement 9 evaluations, zebra muscles, etc. Each evaluation changes made (failure over a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time with the should be supported by quantitative analysis design and programs is not judged likely). No cost-benefit where appropriate rather than being a qualitative justification for further quantitative analysis could be made evaluation. given the present modeling, including common, etc. Loss of lake intake to service water was added to the PRA as an initiating event (LKX) to provide additional completeness.

Element DE The flooding screening criteria that states floods B Section 3.1.6 was clarified during the PRA update to say Subelement 9 which do not cause initiating events and impact that generally these types of failures are required in order to an important system should be eliminated. Such be important, which NMP still believes. The original write-criteria are very difficult to justify. A broader set up implied that this was a basis for modeling. Note that of floods should be considered. there are still some floods that were screened out that could be modeled in the future; this will be considered as a future update.

Page 18 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element QU The following assumptions are made in the B

The charger is credited in the PRA update as suggested.

Subelement 8 analysis:

The 0.1 probability event has been removed in the PRA update as not likely during the first 4 to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

In a loss of Div. I Emergency

EOP and SOP procedure changes improve the AC power event, it is assumed depressurization concern. See responses to Element AS, that the Div. II charger would Subelement 5, and Element HR, Subelement 10.

not be able to maintain the load.

During an SBO event, if RCIC is successful for the first 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , there is a probability (0.1, assumption) that the operator would improperly depressurize the vessel and cause the unavailability of RCIC.

Although the procedure (SBO-6) reminds the operating staff to use caution, no guidance is provided.

Discussion with a shift supervisor during the certification peer review indicated that if directed to emergency depressurize by the EOPs, RCIC availability would not be a reason to stop the depressurization.

Page 19 of 25

Element / Sub- Level ofT Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element QU There are several operator actions that are B The room heat-up calculation has been completed and model Subelement 18 credited in the analysis but the procedure revised accordingly.

guidance is either not in place or not clear. For example: The updated model is based on procedures, training, and operator interviews. Note that there are some actions that are

venting the containment not explicit in the procedures, but are obvious and

.n o confirmed by interviews with Operations and Training. For

opening the doors to provide room example, if an MOV does not open or close, the operators cooling would send someone locally (e.g., HA01).

depressurization of the vessel when makeup is provided by RCIC during SBO.

Element SY Injection system piping "keep filled" systems are B The systems analysis documentation (e.g., PRA Section Subelement 7 not modeled because they are not considered to 4.2.1.11) was improved to explain why explicit modeling of cause failure if not functional. the keep fill system is not required.

The treatment of the keep fill system is a strong potential variable identified among different plants regarding its treatment in the PSA. The treatment varies from:

Not included in the model to

Included in the model and if unavailable causes the system to be unavailable (i.e., operators would not use the system if injection pipe known not to be full)

This variation is extremely different. There can be some plant specific design or procedural differences that affect this treatment.

Page 20 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element SY LOSP load shedding diesel start sequence and B This was considered during the PRA update. Failure of Subelement 7 reloading not modeled. diesel generator load sequencing is assumed to be included in the basic events for EDG start, MOV supply operation, and circuit breaker demand. The failure of the load sequencing is considered a small contributor in comparison

. to the other failure modes (PRA Section 4.2.6.11).

Element SY IPE documentation indicates that mis-calibration B This has always been in the IPE and the PRA update as Subelement 8 of ECCS pressure permissive is modeled. Such basic event ISCZECMISCALIBOI (see PRA Sections 4.2.4 an event could not be identified in the fault trees and 5.2).

for El, E2, Al or lB.

Element SY IPE indicates that there is potential for human B The documentation and fault tree has been revised in the Subelement 8 induced common cause failure for SLCB (failure PRA update. A single event is used to represent to restore). It is assessed to be 3E-3 (or 3E-4 unavailability of SLCS due to misalignment.

after some procedure changes). However, fault tree SL includes events "Valves Misaligned after Testing-Operator Error" and "Isolation Valve Misaligned After Quarterly Testing." Only the first shows up in the SL cutsets and then with a probability of 1E-5.

Element SY There is no common cause event for ECCS B Top event ST has been added to the PRA which models Subelement 10 suction (suppression pool) strainer plugging. common cause ECCS Suppression Pool suction strainer plugging (Section 4.2.1 and event tree SUP4 in Section 3.2.1.1).

Page 21 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element SY Support system requirements appear to be B Documentation has been clarified and the modeling Subelements 10 & accounted for in the model but the supporting revisions were made as part of PRA update (Section 4.2.11).

12 documentation is confusing and not clear in some cases. Example: HVAC requirements for RHR pumps. Indicates that pumps would fail with loss of cooling (- 5 hrs.) but do not model because loss of HVAC to MCC area is more restrictive because it fails two injection paths.

Discussion for MCC area coolers said that cooling would not be a problem until 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months (and then only if RHR and LPCS had not started by then). Therefore, it was not important. This implies that HVAC for MCC areas is not modeled when it actually is.

Element SY RCIC may have temperature trips on high Main B High area temperature trips (RHR A and B rooms and Subelement 17 Steam Tunnel and RHR room temperature. RCIC) have been added to the RCIC model in the PRA These trips do not appear to be modeled in the update (Section 4.2.1.2).

RCIC system analysis. These trips need to be included in the RCIC model to account for common failures causing both MSIV closure and RCIC failure. A plant-specific room heatup calculation should be performed to insure that this is not a special initiator.

Page 22 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element SY SRV DESCRIPTION B The original IPE and the PRA correctly account for the Subelement 26 Dikkers SRVs. In fact, the potential for depressurizing all The description of the SRV capability and its the way to -0 psi was a concern identified in the original characteristics are not provided. The Dikkers IPE as part of the SBO analysis. The EOPs now address this characteristics of importance to include in the potential cause for making RCIC unnecessarily unavailable.

description are the following: PRA Section 4.2.1.13 discusses the model, timing of nitrogen supply, etc. It was not deemed necessary to have a

nitrogen pressure required to open "Dikkers SRV" discussion, but this may be considered if SRVs under different containment necessary for specific applications. Relief valves on conditions pneumatic lines have been neglected as insignificant

Lowest RPV pressure that contributors.

emergency depressurization will bring the RPV to

leakage characteristics of the nitrogen supply

duration of the nitrogen supply

operator actions necessary to provide SRV capability

accident response

qualification temperatures and pressures of the SRV and solenoids

treatment of relief valves on the pneumatic lines Element SY DIESEL FIRE PUMP B Preliminary calculations and MAAP analysis have been Subelement 26 conducted which indicate that DFP is marginal in protecting The flow rate and the pressure capability of the the core. The 0.5 probability of success once thought to be DFP for RPV injection would be useful. conservative is considered reasonable until further analyses Specifically, a calculation that identifies whether are conducted.

the DFP can provide adequate core cooling and under what containment and RPV conditions.

Page 23 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element SY Identify the low pressure permissive logic and its B Non-SBO Model Subelement 26 configuration for all low pressure injection Common cause miscalibration is now in top event ECV in valves. Also define how this low pressure the PRA update. Failure of ECV guarantees failure of all permissive is included in the evaluation of the ECCS injection paths including top events IA and lB (RHR service water cross tie injection and the DFP A and B injection paths). If IA and IB fail (e.g., due to injection evaluation. Specifically, is the low ECV), then fire water and service water crosstie are also pressure permissive miscalibration failure mode failed in the model since they depend on IA and IB. This is included in all injection modes using SW and the all documented in the RISKMAN PRA model.

DFP.

SBO-Model ECV is neglected as an insignificant contributor to DFP failure (ECV failure << DFP).

Element TH Success Criteria related items that could use B

Room cooling treatment has been clarified and model Subselement 4 better documentation or model changes in the changed (Section 4.2.11).

update include the following:

DFP credit has not been changed. Preliminary analysis indicates that the model is reasonable.

room cooling treatment for

SBO analysis and model have been updated per the RHR and MCC rooms latest GE report (Section 3.2.1.3).

DFP alignment success

Emergency depressurization does not occur with RCIC probability when performed success in SBO for at least 4-6 hours (Sections 3.2.1.3 under SBO conditions and 3.3).

involving load shedding of

Model revised such that MLOCA and RCIC success all essential lighting lead to emergency depressurization success (Sections

RCIC and DFP success 3.2.1.5 and 3.3).

given revised GE SBO report

RCIC success following Emergency Depressurization

Depressurization requirement for Medium LOCA with RCIC initially available (conservative assumption)

Page 24 of 25

Element / Sub- Level of Element PRA Certification F&O Significance Risk Impact - Response/Resolution Element TH ROOM HEAT-UP B Documentation, calculations and models, including PRA Subelement 10 Section 4.2.11 and the event tree models in Section 3.2.1, There is an effective discussion of the room have been updated. See response to Element IE, heatup calculations that addresses various rooms Subelement 3.

in the plant relative to room cooling requirements. The dependency matrices and the documented discussion relative to system capability under loss of room cooling may not always be consistent. In addition, there may be more recent information to support more realistic modeling of the system capability under loss of room cooling.

Element TH There is very little discussion of the thermal B MAAP models have been updated as well as the Tier I and Subelement 12 hydraulic calculations that are used in the 2 documentation in Sections 3.3 and 3.4.

various aspects of the model.

Page 25 of 25

ATTACHMENT 5 NRC REVIEW COMMENTS

SUMMARY

The NRC SERs for the NMP2 IPE and IPEEE were reviewed and specific comments were identified and assigned as individual items for the NMP2 PRA update in 1998. Provided in the table below is a listing of each comment, along with the NMPNS PRA team response/resolution.

NRC Comments on IPE and IPEEE Item' Comments Response/Disposition IPE-Letter Description of IPE Description is reasonably accurate for the IPE. A description of Pages 2 & 3 results and unique the present PRA results will be different. For example, the features. statement "No credit is taken for recovery..... over 20 to 30 hour3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months containment failure" is no longer true in the PRA; improvements in recovery have been incorporated.

IPE-Letter NMPC developing This has not been incorporated into procedures, but is an Page 2 procedures to prevent obvious action (required within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months in SBO procedure SOP-RCIC trip under loss of 1) and TSC guidance (monitoring area temperatures, etc.) is service water. expected to identify this obvious action. Per the NMP2 Station Blackout Bases Document, RCIC room heatup calculations assume the door is closed, but it is open to allow lower room temperatures.

IPE Section To install valves in Subsequent to the IPE, this valve installation modification was 6.2 identifies SGTS to increase cancelled as not being cost-beneficial. As a result, training and NMPC plans reliability of procedure changes were pursued to assure that human reliability credited in containment venting. credited in IPE is reasonable. Several drills and training sessions IPE. If not addressed this aspect of the EOPs, including the last resort implemented option of SGTS Bldg blowout. The latest EOPs have removed NMPC stops in the procedure; now the operators continue in the PC-P should revise leg of procedure N2-EOP-PC and anticipate containment IPE to reflect venting alignment. In addition, TSC guidance and resources will as-built, as- improve the obvious need to anticipate this alignment and operated. provide resources. Although all these improvements in Need not procedures, training, resources, and etc. are judged to support or submit to improve the HRA value, the IWE values are still being used until NRC, but a re-evaluation of this HRA is performed.

retain Develop procedures to No procedure was developed and credit for operator actions has records for enhance Aux Bay room been removed from the IPE model. Gothic calculation (SAS-future. cooling during loss of PRA2-S-RHS-CALC, June 1998) shows that the limiting room service water. (RHR B room) is marginal and realistically does not require room cooling. Still, the PRA model conservatively fails RHR rooms A and B if room cooling fails. The LPCS and LPCI C rooms clearly do not require room cooling and this dependency is no longer included. The RHR A and B failures although conservative do not impact the PRA results.

Enhance SBO SBO procedures were not available at the time of the IPE.

procedures. Subsequent to the IPE, SBO procedures (SOP-1, 2 and 3) were developed and support the IPE assumptions.

Page 1 of 4

NRC Comments on IPE and IPEEE Item' Comments Response/Disposition Provide additional Additional guidance includes opening doors from outside that internal flood guidance. will remove water from the building. Guidance to isolate the flood is also included (see Alarm Response Procedure N2-ARP-01, Rev. 00 pages 1305-1307).

Improve test & Procedure change has not been made nor is it judged necessary.

maintenance procedures The PRA (Section 5.3.3) now incorporates the low probability of to reduce the likelihood a MOV being opened during testing & maintenance without of ISLOCA. procedure improvements; this contributor is an insignificant risk contributor. On-line risk monitoring ensures that the unlikely coincident activities needed to initiate this event are identified in advance (e.g., PRA model should be conservative).

IPEEE-SE 0.5g HCLPF for 24 hrs Clarification: The 0.5g HCLPF is for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (see comments on Page 2 does not meet EPRI TE below).

SMA guidance.

IPEEE-SE Vulnerability definition The fact that no vulnerability definition is provided does not Page 6 not provided. provide a problem for NRC since the risk is obviously acceptable based on the NMP evaluation. See PRA Section 10 relative to risk management.

IPEEE-SE Plant improvements Seismic mounting of rack, cabinet and hoist assembly Page 6 needed. The plant modifications for the seismic mounting described have been made (IPEEE page 7-2).

CR Fire EOP-RPV is now retained at the remote shutdown panels. The control room fire risk in the PRA is judged to be conservative and is not dominating. There are no plans to add explicit TSC guidance or additional training.

IPEEE-TE No freeze date. This comment refers to a data freeze date beyond which Page vii additional data would not be considered. A date for data analysis for this PRA was implemented; however, other aspects of the PRA were allowed to change as appropriate to final sign-off.

IPEEE-TE Tornado screening No action to be taken. NRC's analysis also shows that risk from Page ix incomplete. high winds is low and can be screened.

Page 30 IPEEE-TE External flood bounding TE agrees that external flooding can be screened based on SRP Page ix, xii analyses appear flawed compliance, but disagrees with NMP simplistic bounding Pages 31-34, and incomplete. argument. It is very difficult to estimate the risk from floods and 44 there are numerous combinations of events that must be considered. It is NMP's position that a detailed analysis, considering plant procedures and timing, would lead to a low risk on the order of IE-6/yr. Since there is very little that can be done cost effectively to reduce this risk further, no additional analyses are planned.

Page 2 of 4

NRC Comments on IPE and IPEEE Item' Comments Response/Disposition IPEEE-TE 0.5g HCLPF for 24 hrs Clarification: The 0.5g HCLPF is for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Only when using Pages x, xii and not meeting EPRI success path reliability guidelines of EPRI SMA does a 0.23 Pages 7, 9, SMA guideline for HCLPF result unless we credit equipment not in analysis scope.

10, 11,41, success reliability. EPRI SMA is only guidance and justification for deviating is 43 provided by the PRA analysis. This was shown to be non-risk significant by NMP and TE seems to agree. Also, note that the NMP PRA success criteria are for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months not 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , including external events.

IPEEE-TE Additional equipment NMP does not know of any analyses to address this issue. If Page x, xii failures due to smoke new analyses become available NMP will consider this further.

Page 2, 24, and combustibles not 28, 44 adequately addressed.

IPEEE-TE No fire barrier failure Because of limited combustibles, limited active barriers, reliable Page x rates in analysis, cross detection and suppression, the screening and analysis is judged Pages 24, 28, zone fire analysis. conservative. Scenarios where fire barriers failed were judged to 44 be very low risk contributors. NMPC agrees that documentation of these judgments could be improved. The risk ranking of fire barriers will likely require this analysis improvement.

IPEEE-TE GI-103: No details of The FSAR re-evaluation was not repeated in submittal and there Page x re-evaluation in is no plan to do this as it adds no value.

Page 31 submittal.

IPEEE-TE Plant improvements The storage rack near the RCIC motor-operated valves has been Page xi identified during walk secured (IPEEE page 7-2).

Page 45 down.

IPEEE-TE Operator error rates for The most reliable operator action is used for only those fire Page xii control room fires are scenarios where the control room remains habitable and Pages 2, 26, highly optimistic, etc. equipment needed for immediate plant control is operating 43 successfully. Also see response to IPEEE RAI 11.1.

IPEEE-TE Heat release rate for No action to be taken as it does not appear to impact the analysis Page xii cabinet fire not conclusions.

Pages 2, 19, representative.

43 IPEEE-TE Seismic fires due to There are no known weakly anchored electrical cabinets at Pages 2, 27 weakly anchored NMP2.

cabinets not addressed.

IPEEE-TE Stuck open SRV and A stuck open SRV with RCIC success guarantees successful Page 7 Large LOCA not RPV isolation (nitrogen is not needed) and allows low pressure addressed. injection success. Therefore, the stuck open SRV event improves the number and reliability of success paths and is an insignificant risk contributor. Also, medium and large LOCAs due to pipe breaks are incorporated in the 0.5g HCLPF fragility in the PRA model.

Page 3 of 4

NRC Comments on IPE and IPEEE Item' Comments Response/Disposition IPEEE-TE SLC seismic capacity. The RPS system is very reliable with significant redundancy Page 8 built into the function. Because of this, RRCS and SLC need not be "safety related" nor "seismic Category I" under the Regulations. The 0.5g HCLPF fragility in the PRA model incorporates RPS seismic failure. The frequency of seismic initiator and failure of RPS (non-seismic) during seismic initiating event is low in the PRA. Given this low risk and dependency on the operators in the ATWS model, no RRCS or SLC seismic evaluations are needed.

IPEEE-TE HEP of 0.01 for Depressurization is redundant to RCIC and HPCS for the 0.23 Page 9 depressurization equates HCLPF success paths. This is included in the PRA.

to unreliability of all low pressure injection.

IPEEE-TE SBO procedure EOPs address how to conserve nitrogen, specifically, EOP-RPV Page 9 modification needed and EOP-C3. SOP-I and SOP-2 have specific actions on how to relative to conserve battery power. Separate criteria are given for blackout depressurization and in lieu of the normal HCTL limits in EOP-6 Section 29.

minimizing depletion of nitrogen.

IPEEE-TE Consideration of human Compliance with SMA is believed to be in the IPEEE. The TE Page 11 actions in the SMA not states that seismic PRA fully considered human actions and entirely in keeping with suggests safety significance is low.

SMA guidance.

IPEEE-TE Consideration of piping The 0.5g HCLPF fragility in the PRA incorporates this risk. The Page 13 degradation (e.g., wear) probability of degradation below this seismic capacity is and impact on seismic negligible.

flooding risk not included.

IPEEE-TE No dependency matrix NMP response to NRC questions provided IPE dependency Page 27 was provided and plant matrix. No other important or unique dependencies or unique phenomena were phenomena were identified.

not addressed.

IPEEE-TE Approach to identifying NMP did consider other external hazards listed in the PRA Page 35,36 other external events procedures guide. This was not documented because it was not was not comprehensive. requested by the IPEEE scope.

IPEEE-TE Little detail provided on NMP believes that the present effort is reasonable.

Page 36 systems interactions.

IPEEE-TE No specific information Smoke can affect fire fighting effectiveness and this is Page 36 was provided considered in training, etc.

concerning smoke impact on fire fighting effectiveness.

IPEEE-TE Seismic hazard This will not impact the results, but will be considered in a Page 43 assessment was future update.

truncated at 1.02g.

' SE = Staff Evaluation (Enclosure I to NRC letter); TE = Technical Evaluation (Enclosure 2 to NRC letter)

Page 4 of 4

ATTACHMENT 6 UPDATED PRA RESULTS

SUMMARY

Summary of Baseline Model U2BASER1 Internal and External Events CDF 3.5E-5/yr Internal and External Events LERF 8.3E-7/yr Shutdown CDF Not Evaluated Configuration Risk Management Tool Safety Monitor Accident Sequence Contribution to CDF Initiator ID Initiator Description %CDF Contribution BLOSP Loss of Offsite Power and Diesel Failure (SBO) 28.6 ASX Loss of Instrument Air 2.7 LOF Loss of Main Feedwater System 2.7 BFLCB Flood in the Control Building - Blackout 2.4 LOSP Loss of Offsite Power 1.7 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 1.4 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 1.2 MLOCA Medium LOCA 1.2 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 1.2 ATT Turbine Trip - ATWS 0.9 Top 10 Dominant Baseline Core Damage Sequences Core Damage Sequence Description Freq (/yr)

A Station Blackout given an LOSP where the Operators fail to: align the Diesel Fire Pump; crosstie the 1.01E-5 HPCS Diesel; and recover the Offsite Grid or an Emergency Diesel Generator (Div. 1 or 2) in the first 30 minutes, with High Pressure Injection unavailable due to RCIC equipment and support failures.

Total Loss of Instrument Air where the Operators fail to depressurize the Reactor Pressure Vessel 9.6E-7 (RPV), with RCIC and HPCS unavailable due to equipment and support failures.

A Loss of Feedwater event where the Operators fail to depressurize the RPV, and RCIC and HPCS are 9.6E-7 unavailable due to equipment and support failures. l A Control Building Flood occurs during a Station Blackout event given a LOSP and Operators fail to 8.6E-7 isolate the water source, which leads to multiple vital equipment failures.

An LOSP occurs where the Offsite Grid is not recovered in the first 30 minutes and the Operators fail to 5.9E-7 depressurize the RPV, with RCIC and HPCS unavailable due to equipment and support failures.

A Station Blackout given an LOSP where the Operators fail to: align the Diesel Fire Pump; crosstie the 4.9E-7 HPCS Diesel; and recover the Offsite Grid or an Emergency Diesel within the first 30 minutes, with RCIC failed due loss of UPS support.

A Station Blackout given a LOSP where: the Offsite Grid or an EDG (Div. 1 or 2) is not recovered and 4.4E-7 Fire Water is not aligned within the first 30 minutes, with RCIC unavailable due to equipment failures.

In addition, the HPCS EDG crosstie to Div. I fails with the Div. 2 unrecoverable due to loss of DC power.

A Medium LOCA event where Operators fail to depressurize, with HPCS unavailable due to equipment 4.2E-7 and support system failures.

A Station Blackout given a LOSP where RCIC is successful; however, long-term (8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ) Offsite Grid 3.7E-7 and EDG (Div. I or 2) recovery fails, and operators fail to crosstie the HPCS Diesel or align the Diesel Fire Pump.

An Anticipated Transient Without Scram Turbine Trip event where a mechanical scram failure occurs 3.2E-7 and Liquid Poison injection fails. I Page 1 of 3

Summary of Model U2UPSAR1 with the Division I Emergency UPS Inverter Failed and Compensating Measures in Place Internal and Extemal Events CDF 5.1E-5 Internal and External Events LERF L.OE-6 Shutdown CDF Not Evaluated Configuration Risk Management Safety Monitor Accident Sequence Contribution to CDF Initiator ID Initiator Description %CDF Contribution BLOSP Loss of Offsite Power and Diesel Failure (SBO) 41.2 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 4.1 ASX Loss of Instrument Air 1.8 LOF Loss of Main Feedwater System 1.8 BFLCB Flood in the Control Building - Blackout 1.7 LOSP Loss of Offsite Power 1.1 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 1.0 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 1.0 BSCRAM SCRAM - Blackout 0.9 MLOCA Medium LOCA 0.8 Top 10 Dominant Core Damage Sequences for the Division 1 Inverter Failed Core Damage Sequence Description Freg (lyr)

A Station Blackout given an LOSP where in the first 30 minutes recovery of the Offsite Grid or an 2.1E-5 Emergency Diesel Generator (Div. 1 or 2), alignment of the Diesel Fire Pump, and crosstie of the HPCS EDG fails. RCIC fails with the Div. 1 inverter unavailable.

A Station Blackout given an LOSP where in the first 30 minutes recovery of the Offsite Grid or an 2.1E-6 Emergency Diesel Generator (Div. 1 or 2), alignment of the Diesel Fire Pump, and crosstie of the HPCS EDG fails. Manual initiation of RCIC fails with the Div. I inverter unavailable.

Total Loss of Instrument Air where the Operators fail to depressurize the RPV, with RCIC and HPCS 9.2E-7 unavailable due to failures. '

Total Loss of Feedwater occurs where operators fail to depressurize the RPV, and RCIC and HPCS are 9.1E-7 unavailable in the first 30 minutes due to equipment and support failures.

A Control Building Flood occurs during a Station Blackout LOSP event and Operators fail to isolate the 8.6E-7 water source, which leads to multiple vital equipment failures.

A Loss of Offsite Power Event where Operators fail to depressurize the RPV, and RCIC and HPCS are 5.6E-7 unavailable due to failures and Grid Recovery fails during the first 30 minutes.

A Station Blackout given an LOSP where the Div. 1 inverter also fails and the Offsite Grid or one EDG 5.4E-7 is not recovered, and RCIC is failed during the first 30 minute. In addition, the HPCS EDG crosstie fails and the operators were unable to align the Diesel Fire Pump.

A Station Blackout given an LOSP where the Offsite Grid or one EDG is not recovered during the first 4.9E-7 30 minutes, and RCIC is unavailable due to ECCS auto initiation failure. In addition, the HPCS EDG crosstie fails and operators were unable to align the Diesel Fire Pump.

A Blackout Scram Event where operators are unable to recover the Offsite Grid, recover one EDG, or 4.8E-7 align the Diesel Fire Pump, and RCIC fails when the Div. I inverter is unavailable.

A Medium LOCA event where Operators fail to depressurize, with HPCS unavailable due to equipment 4.2E-7 and support system failures.

Page 2 of 3

Summary of Model U2UPSBR1 with the Division 2 Emergency UPS Inverter Failed and Compensating Measures in Place Internal and External Events CDF 6.IE-5 Internal and External Events LERF l.lE-6 Shutdown CDF Not Evaluated Configuration Risk Management Safety Monitor Accident Seauence Contribution to CDF Initiator ID Initiator Description %CDF Contribution BLOSP Loss of Offsite Power and Diesel Failure (SBO) 47.5 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 2.1 ASX Loss of Instrument Air 1.5 LOF Loss of Main Feedwater System 1.5 BFLCB Flood in the Control Building - Blackout 1.4 A2X Loss of Division II AC Power 1.1 BSCRAM SCRAM - Blackout 1.0 LOSP Loss of Offsite Power 0.9 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 0.8 BLOSP Loss of Offsite Power and Diesel Failure (SBO) 0.7 Top 10 Dominant Core Damage Sequences for the Division 2 Inverter Failed Core Damage Sequence Description Freq (lyr)

A Station Blackout given an LOSP where during the first 30 minutes operators are unable to recover the 2.9E-5 Offsite Grid, recover one EDG, align the Diesel Fire Pump or crosstie the HPCS EDG, and RCIC is unavailable due to equipment and support failures.

A Station Blackout given an LOSP where during the first 30 minutes operators are unable to recover the 1.3E-6 Offsite Grid, recover one EDG, align the Diesel Fire Pump or crosstie the HPCS EDG, and RCIC fails due to no initiation signal.

Total Loss of Instrument Air where the Operators fail to depressurize the Reactor Pressure Vessel 9.1E-7 (RPV), with RCIC and HPCS unavailable due to equipment and support failures.

A Loss of Feedwater event where the Operators fail to depressurize the RPV, and RCIC and HPCS are 9.1E-7 unavailable due to equipment and support failures.

A Control Building Flood occurs during a Station Blackout LOSP event and Operators fail to isolate the 8.6E-7 water source, which leads to multiple vital equipment failures.

Loss of Division 2 Emergency AC power and Low Pressure Core Spray (LPCS) Fails. 6.7E-7 A Blackout Scram Event where operators within the first 30 minutes are unable to recover the Offsite 6.5E-7 Grid, recover one EDG, crosstie the HPCS EDG, or align the Diesel Fire Pump, and RCIC fails when the Div. 2 inverter is unavailable.

An LOSP Event where the operators fail to depressurize and recover the Offsite Grid within the first 30 5.6E-7 minutes, when HPCS and RCIC are unavailable due to equipment and support failures.

A Station Blackout given an LOSP where operators are unable to recover the Offsite Grid within the first 4.9E-7 30 minutes, recover one EDG, crosstie the HPCS EDG or align the Diesel Fire Pump, and RCIC fails due to loss of the Div. I inverter when the Div. 2 inverter is unavailable for maintenance.

A Station Blackout given an LOSP where operators are unable to recover the Offsite Grid within the first 4.3E-7 30 minutes, recover one EDG, crosstie the HPCS EDG to Division 2 or align the Diesel Fire Pump, with RCIC unavailable due to equipment and support failures.

Page 3 of 3

ATTACHMENT 7 TIER 1: PROBABILISTIC RISK ASSESSMENT (PRA) STUDY RESULTS Methodology and Acceptance Criteria Regulatory Guides (RG) 1.174 and 1.177 describe the requirements for making risk-informed changes to the Technical Specifications (TS). This evaluation provides the risk quantification inputs to these requirements. The following risk metrics were used to evaluate the risk impact of extending the Nine Mile Point Unit 2 (NMP2) emergency UPS inverter Completion Time from 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to 7 days.

ACDFave = Change in the annual average Core Damage Frequency due to any increased online maintenance unavailability of an emergency UPS inverter due to the TS change. This risk metric is used to compare against the criteria in RG 1.174.

ALERFave = Change in the annual average Large Early Release Frequency due to any increased online maintenance unavailability of an emergency UPS inverter due to the TS change. This risk metric is used to compare against the criteria in RG 1.174.

ICCDP = Incremental Conditional Core Damage Probability with an emergency UPS inverter out of service for the new proposed TS duration of 7 days. This risk metric is used as recommended in RG 1.177 to determine whether the proposed TS change has an acceptable risk.

ICLERP = Incremental Conditional Large Early Release Probability with an emergency UPS inverter out of service for the new proposed TS duration of 7 days. This risk metric is used as recommended in RG 1.177 to determine whether the proposed TS change has an acceptable risk.

The change in annual average CDF due to the proposed change in emergency UPS inverter Completion Time, ACDFAve, is estimated as follows:

ACDFAVC = (TI/T)*CDFIout+ (Til/T)*CDFIioat+ [1-(Ti+Tll)/T]*CDFBaSe- CDFBase (1)

Where:

CDF10 ,t = CDF estimated with the Division 1 emergency UPS inverter out of service and compensating measures implemented.

CDFIIOt = CDF estimated with the Division 2 emergency UPS inverter out of service and compensating measures implemented.

CDFBase = Baseline annual average CDF prior to the proposed TS change.

T = Total fuel cycle time. The NMP2 fuel cycle is 2 years, and it is assumed that the plant is in planned and forced outages for a total of 40 days during the 2-year period.

Thus, T= 690 days (2*365 - 40 = 690 days).

Page 1 of 3

T, = Total time per fuel cycle that the Division 1 emergency UPS inverter is out of service for the extended TS Completion Time. The proposed TS value of 7 days is used.

TI, = Total time per fuel cycle that the Division 2 emergency UPS inverter is out of service for the extended TS Completion Time. The proposed TS value of 7 days is used.

The change in annual average LERF due to the proposed change in emergency UPS inverter Completion Time, ALERFAVC, is estimated as follows:

ALERFAVC=(Ti/T)*LERFIout+ (Tli/T)*LERFIiout+ [b{TI + Tl,)/T]*LERFBase- LERFBase (2)

Where:

LERFIOut = LERF estimated with the Division 1 emergency UPS inverter out of service and compensating measures implemented.

LERFIIoUt = LERF estimated with the Division 2 emergency UPS inverter out of service and compensating measures implemented.

LERFBase = Baseline annual average LERF prior to the proposed TS change.

The acceptance criterion for change in CDF and LERF in RG 1.174 is as follows:

< 1E-6 change in CDF is non-risk significant

< 1E-7 change in LERF is non-risk significant ICCDP and ICLERP are calculated using the definitions in RG 1.177 as follows:

ICCDP= (CDFI,,t - CDFBase)*(7 days) (3)

ICCDPI, = (CDFIio0 t - CDFBaSC)*(7 days) (4)

ICLERP, = (LERFIjut - LERFBasc)*(7 days) (5)

ICLERP 1 = (LERFIlout - LERFBase)*(7 days) (6)

The acceptance criteria for changes in RG 1.177 are as follows:

ICCDP < 5E-7 ILERP < 5E-8 RG 1.177 also discusses component importance measures, risk achievement worth (RAW) and Fussel-Vesely (FV) importance. This is provided for the baseline PRA without consideration of any compensating measures that may be taken to minimize risk impact.

Page 2 of 3

Assumptions The following are the key assumptions used in the analysis to support extension of the emergency UPS inverter Completion Time:

Assumptions contained in the NMP2 PRA apply to this evaluation.

The important configuration risk management controls and compensating measures assumed in this analysis are described in Section 4.2.5 of Attachment 1.

Data from draft NUREG/CR-INEELIEXT-04-02525, "Station Blackout Risk Evaluation for Nuclear Power Plants," January 2005, is used for the NMP2 LOSP frequency and non-restoration probabilities.

A 7-day emergency UPS inverter outage is assumed to occur once per fuel cycle.

A total of 40 days of planned and forced outage time per 2-year fuel cycle.

Compensating measures summarized in Section 4.2.5 of Attachment 1 and associated failure probabilities are assumed.

Calculations The following CDF and LERF values for an emergency UPS inverter out of service were calculated with the NMP2 PRA (see Attachment 6) to perform the risk metric calculations required by RGs 1.174 and 1.177, using a IE-12/yr truncation. Note that the calculations include the compensating measures included in the PRA model as described in Section 4.2.5 of .

CDFIut= 5.1E-5/year (Div. 1 inverter unavailable with compensating measures)

CDFiiout = 6.1E-5/year (Div. 2 inverter unavailable with compensating measures)

LERFIOut = l .OE-6/year (Div. 1 inverter unavailable with compensating measures)

LERF11 owt = 1.1 E-6/year (Div. 2 inverter unavailable with compensating measures)

The following CDF and LERF baseline values (see Attachment 6) are also required inputs to the risk metric calculations:

CDFBase = 3.5E-5/year (baseline average maintenance PRA model)

LERFBase = 8.3E-7/year (baseline average maintenance PRA model)

Using the above inputs and Equations (1) through (6), the following risk metric values are calculated:

ACDFAve = 4.2E-7/yr (acceptance criteria is <1E-6)

ALERFAve = 4.4E-9/yr (acceptance criteria is <1E-7)

ICCDP1 = 3.OE-7 (acceptance criteria is <5E-7)

ICCDPI, = 4.9E-7 (acceptance criteria is <5E-7)

ICLERPI = 3.2E-9 (acceptance criteria is <5E-8)

ICLERP11 = 5.1E-9 (acceptance criteria is <5E-8)

Page 3 of 3

ATTACHMENT 8 DOMINANT CDF AND LERF SEQUENCES THAT CONTAIN THE EMERGENCY UPS INVERTERS TABLES

,Page 1ofl7

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank IS/SF Value Sequence Description Bin Frequency Percent of Group I BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 1.8848E-005 36.46 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7. 10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - E1 and E2 U17 2.OOE-001 - RCIC - Station Blackout (0-2 HRS)

Sl1 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDO Crossitie to Div I or II - SBO 2 BLOSP 5.68E-002 BLACROUT LOSP CLASSIB 2.0944E-006 4.05 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FPJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - El and E2 ME1 1.00E-001 - Manual ECCS Actuation U17 2.OOE-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.lOE-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO 3 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 1.1493E-006 2.22 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and US Page 2 of 17

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank lE/SF Value Sequence Description Bin Frequency Percent of Group E3FFB 1.20E-002 System - El and E2 Sil 8.40E-001 Diesel Fire Pump - SO t2-8 HRS)

EDG3OM 9.10E-001 EDG Recovery HPCS1 8.60E-001 HPCS EDG Crossitie to Div I or II - SBO ASX 1.40E-001 LOSS OF INSTRUMENT AIR CLASSIA 9.1626E-007 1.77 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 A3SSM 1.00E+000 - System - Al and A2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger DC3SSA 1.OOE+000 - System - Div I (DC1) and Div II (DC2) Battery Chargers UCSSA 1.00E+000 - System - UA and UB E3SSA 9.75E-001 - System - El and E2 MABSSA 9.93E-001 - System - MA and MB ICl 1.76E-001 - RCIC - TRAN & SLOCA Response HS1 4.86E-002 - High Pressure Core Spray OD1 1.OOE-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSA 9.88E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB 5 LOF 1.40E-001 LOSS OF FEEDWATER CLASSIA 9.1463E-007 1.77 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KAl and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 A3SSM 1.00E+000 - System - Al and A2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger Page 3 of 17

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank ZE/SF Value Sequence Description Bin Frequency Percent of Group DC3SSA l.OOE+000 - System - Div I (DCl) and Div II (DC2) Battery Chargers UCSSA 1.OOE+000 - System - UA and UB E3SSA 9.75E-001 - System - El and E2 MABSSA 9. 93E-001 - System - MA and MB IC1 1 .76E-001 - RCIC - TRAN & SLOCA Response HS1 4. 86E-002 - High Pressure Core Spray OD1 1.OOE-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSA 9.88E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB 6 BFLCB 9.30E-004 Flood in the Control Bldg CLASSIB 8.5740E-007 1.66 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS IER1 1.00E-003 - Initiating Event Recovery DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - RBI and KB2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger 7 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 7.8532E-007 1.52 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - El and E2 U17 2.00E-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCSl 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO LOSP 5.68E-002 LOSS OF OFFSITE AC CLASSIA 5.6521E-007 1.09 Page 4 of 17

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDP Rank IE/SF Value Sequence Description Bin Frequency Percent of Group POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3SSJ 9.07E-001 - System - Al and A2 PCH1 9.60E-001 - Portable Charger DC3SSA 1.OOE+000 - System - Div I (DCl) and Div II (DC2) Battery Chargers UCSSA 1.OOE+000 - System - UA and UB E3SSA 9.75E-001 - System - El and E2 SxxSSC 1.OOE+000 - System - Service Water (SWS, SWA)

MABSSA 9.93E-001 - System - MA and MB ICl 1.76E-001 - RCIC - TRAN & SLOCA Response HS2 1.14E-001 - High Pressure Core Spray ODI 1.00E-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSA 9.88E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB 9 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 5.4099E-007 1.05 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSFA 4.22E-004 - System - DA and DB OGR1 7. 1OE-001 - Offsite power recovery w/in 30 minutes A3FFH 5.09E-002 - System - Al and A2 PCH1 9.60E-001 - Portable Charger Sl1 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG30 9.30E-001 - EDG Recovery HPCSS 8.62E-001 - HPCS EDG Crossitie to Div I or II - SBO 10 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 4.8648E-007 0.94 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABFSA 4.22E-004 - System - DA and DB OGRI 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFE 4.63E-002 - System - Al and A2 Page 5 of 17

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank 1Z/SF Value Sequence Description Bin Frequency Percent of Group PCHl 9.60E-001 Portable Charger UCFSAZ 1.00E+000 System - UA and UB E3FSB 9.88E-001 System - El and E2 Sil 8.40E-001 Diesel Fire Pump - SBO (2-8 HRS)

EDG30 9.30E-001 EDG Recovery HPCS3 8.62E-001 HPCS EDG Crossitie to Div I or II - SBO 11 BSCRAM 4.80E+000 BLACKOUT SHUTDOWN OR SCRAM CLASSIB 4.8001E-007 0.93 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS OG1 3.01E-004 - Offsite Grid DABSSA 9.99E-001 - System - DA and DB OGRI 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - E1 and E2 U17 2.00E-001 - RCIC - Station Blackout (0-2 HRS)

Sl1 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO 12 MLOCA 3.OOE-003 MEDIUM LOCA CLASSIIIB 4.1759E-007 0.81 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 A3SSM 1.OOE+000 - System - Al and A2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger DC3SSA 1.00E+000 - System - Div I (DC1) and Div II (DC2) Battery Chargers UCSSA 1.00E+000 - System - UA and UR E3SSD 9.95E-001 - System - El and E2 MABSSA 9.93E-001 - System - MA and MB HS7 5.93E-002 - High Pressure Core Spray Page 6 of 17

Table 1 Division 1 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank IB/SF Value Sequence Description Bin Frequency Percent of Group OD2 3.00E-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IS)

HCSSD 9.91E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB Total Quantified Frequency of Sequence Group a 5.1694E-005 Page 7 of 17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank IE/SF Value Sequence Description Bin Frequency Percent of Group I BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 2.5345E-005 41.48 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7. 10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.00E+000 - System - UA and US E3SFC 9.87E-001 - System - El and E2 U16 2.69E-001 - Rcrc - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG30M 9.lOE-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO 2 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 2.8164E-006 4.61 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.OOE+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 ME1 1.OOE-001 - Manual ECCS Actuation U16 2.69E-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG30M 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO 3 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 1.2671E-006 2.07 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7. 10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.00E+000 - System - UA and UB Page 8 of17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank Iz/SF Value Sequence Description Bin Frequency Percent of Group E3FFC 1.33E-002 System - El and E2 Si1 8.40E-001 Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 EDG Recovery HPCSl 8 .60E-001 HPCS EDG Crossitie to Div I or II - SBO 4 BLOSP 5.68E-002 BLACKOUT LOSP CLASSMB 1.0560E-006 1.73 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 UCSFAM 1.00E+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 U16 2.69E-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO 5 ASX 1.40E-001 LOSS OF INSTRUMENT AIR CLASSIA 9.1455E-007 1.50 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KAI and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 A3SSM 1.00E+000 - System - Al and A2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger DC3SSA 1.00E+000 - System - Div I (DC1) and Div II (DC2) Battery Chargers UCSSA 1.00E+000 - System - UA and UB E3SSA 9.75E-001 - System - El and E2 MABSSA 9.93E-001 - System - MA and MB ICl 1.76E-001 - RCIC - TRAN & SLOCA Response HS1 4.86E-002 - High Pressure Core Spray OD1 1.00E-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

Page 9 of 17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank XE/SF Value Sequence Description Bin Frequency Percent of Group HCSSA 9.88E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB 6 LOF 1.40E-001 LOSS OF FEEDWATER CLASSIA 9.1292E-007 1.49 POSA 9.90E-00l - Top Event for Setting Plant Mode/POS DABSSA 9. 99E-00l - System - DA and DB KASSC 9.9GE-00l - System - KA1 and KA2 KBSSC 9.96E-00l - System - KB1 and KB2 A3SSM 1. OOE+000 - System - Al and A2 NABSSA 9.89E-002. - System - NA and NB PCHI 9.60E-00l - Portable Charger DC3SSA l.00E+000 - System - Div I (DCl) and Div II (DC2) Battery Chargers UCSSA l.OOE+000 - System - UA and UB E3SSA 9 .75E-001 - System - El and E2 MABSSA 9. 93E-001 - System - MA and MB

'Cl 1.76E-001 - RCIC - TRAN & SLOCA Response HS1 4. 86E-002 - High Pressure Core Spray OD1 1.OOE-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.*53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSA 9. BBE-00l - System - HA and HB P3SSA 9. 95E-001 - System - PA and PB CCSSA 9. 82E-001 - Containment Spray System - CA and CB 7 BFLCB 9. 30E-004 Flood in the Control Bldg CLASSIB 8.5740E-007 1.40 POSA 9.90E-00l - Top Event for Setting Plant Mode/POS IERl 1.*OOE-003 - Initiating Event Recovery DABSSA 9.99E-00l - System - DA and DB KASSC 9.*96E-001 - System - KA1 and KA2 KBSSC 9. 96E-001 - System - KB1 and KB2 NABSSA 9.89E-001 - System - NA and NB PCH1 9. 60E-001 - Portable Charger 8 A2X 6.01E-003 Loss of Emergency AC Div II CLASSID 6.7311E-007 1.10 Page 10 of 17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank IR/SF Value Sequence Description Bin Frequency Percent of Group POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 A3SFI 1.00E+000 - System - Al and A2 NABSSA 9.898-001 - System - NA and NB PCHl 9.60E-001 - Portable Charger DC3SFP 1.OOE+000 - System - Div I (DC1) and Div II (DC2) Battery Chargers UCSFU 1.OOE+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 SWS14A 4.26E-003 - Service Water Div I & II Pump Trains - Crosstie Open LS1 3.26E-002 - Low Pressure Core Spray IABSFC 9.86E-001 - System - LPCI Injection Pathes A and B (IA, IB) 9 BSCRAM 4.80E+000 BLACKOUT SHUTDOWN OR SCRAM CLASSIB 6.4548E-007 1.06 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS OG1 3.01E-004 - Offaite Grid DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.00E+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 Ul6 2.69E-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9. lOE-001 - EDM Recovery HPCS1 8.60E-001 - HPCS EDM Crossitie to Div I or II - SBO 10 LOSP 5.68E-002 LOSS OF OFFSITE AC CLASSIA 5.6415E-007 0.92 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3SSJ 9.07E-001 - System - Al and A2 PCH1 9.60E-001 - Portable Charger Page 11 of 17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank lZ/SF Value Sequence Description Bin Frequency Percent of Group DC3SSA 1.OOE+000 - System - Div I (DCl) and Div II (DC2) Battery Chargers UCSSA 1.OOE+000 - System - UA and UB E3SSA 9.75E-001 - System - El and E2 SxxSSC 1.00E+000 - System - Service Water (SWS, SWA)

MABSSA 9.93E-001 - System - MA and MB IC1 1.76E-001 - RCIC - TRAN & SLOCA Response HS2 1.14E-001 - High Pressure Core Spray OD1 1.00E-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSA 9.88E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB 11 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 4.9252E-007 0.81 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABFSA 4.22E-004 - System - DA and DB OGR1 7.10E-001 - Offaite power recovery w/in 30 minutes A3FFE 4.63E-002 - System - Al and A2 PCH1 9.60E-001 - Portable Charger Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG30 9.30E-001 - EDG Recovery HPCS3 8.62E-001 - HPCS EDG Crossitie to Div I or II - SBO 12 BLOSP 5.68E-002 BLACKOUT LOSP CLASSIB 4.2639E-007 0.70 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3SFJ 4.20E-002 - System - Al and A2 PCH1 9.60E-001 - Portable Charger DC3SFP 1.OOE+000 - System - Div I (DC1) and Div II (DC2) Battery Chargers UCSFU 1.OOE+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 XTC3 1.69E-003 - Service Water Cross-tie Fails to Close on Demand Page 12 of 17

Table 2 Division 2 Emergency UPS Inverter Core Damage Frequency (CDF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): CDF Rank IE/SF Value Sequence Description Bin Frequency Percent of Group U1 6 2.69E-001 RCIC - Station Blackout (0-2 HRS)

Sil 8 .40E-001 Diesel Fire Pump - SBO (2-8 HRS)

EDG3 0 9.30E-001 EDG Recovery HPCS3 8.62E-001 HPCS EDG Crossitie to Div I or II - SBO 13 MLOCA 3.00E-003 MEDIUM LOCA CLASSIIIB 4.1759E-007 0.68 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB KASSC 9.965-00i - System - KA1 and KA2 KRSSC 9.96E-001 - System - RB1 and KB2 A3SSM 1.00E+000 - System - Al and A2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger DC3SSA 1.00E+000 - System - Div I (DCl) and Div II (DC2) Battery Chargers UCSSA 1.00E+000 - System - UA and UB E3SSD 9.95E-001 - System - El and E2 MABSSA 9.93E-001 - System - MA and MB HS7 5.93E-002 - High Pressure Core Spray OD2 3.00E-003 - Operator Depressurzes for LPI - TRAN & SLOCA LABSSA 9.53E-001 - System - LA, LB IABSSA 9.73E-001 - System - LPCI Injection Pathes A and B (IA, IB)

HCSSD 9.91E-001 - System - HA and HB P3SSA 9.95E-001 - System - PA and PB CCSSA 9.82E-001 - Containment Spray System - CA and CB Total Quantified Frequency of Sequence Group a 6.1108E-005 Page 13 of 17

Table 3 Division 1 Emergency UPS Inverter Large Early Release Frequency (LERF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): LERF Rank SZ/SF Value Sequence Description Siin Frequency Percent of Group 1 BLOSP 5.68E-002 BLACKOUT LOSP EHI 5.4836E-008 5.46 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - El and E2 U17 2.OOE-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO GV2 9.90E-001 - CETI - Combustible Gas Venting CZB 5.50E-003 - CETi - Containment Isolated and Intact 2 BFLCB 9.30E-004 Flood in the Control Bldg EHI 4.8068E-008 4.78 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS IER1 1.00E-003 - Initiating Event Recovery DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 NABSSA 9.89E-001 - System - NA and NS PCH1 9.60E-001 - Portable Charger IS3 1.05E-001 - CET1 & 3 - Containment Isolation RB7 9.90E-001 - CET2 - Reactor Bldg Effectiveness 3 BLOSP 5.68E-002 BLACKOUT LOSP EHI 4.3641E-008 4.34 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCFSAM 1.00E+000 - System - UA and UB E3FSB 9.88E-001 - System - El and E2 Page 14 of 17

Table 3 Division 1 Emergency UPS Inverter Large Early Release Frequency (LERF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): LERF Rank IE/SF Value Sequence Description Bin Frequency Percent of Group U17 2.OOE-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO IRE 4.00E-001 - CETi - Invessel Recovery CZD 6.50E-003 - CETI - Containment Isolated and Intact 4 BFLCB 9.30E-004 Flood in the Control Bldg EHI 4.0006E-008 3.98 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS IER1 1.00E-003 - Initiating Event Recovery DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger IS3 1.05E-001 - CETI & 3 - Containment Isolation OP1 4.55E-001 - CET2 - Operator RPV Depressurization RB7 9.90E-001 - CET2 - Reactor Bldg Effectiveness Total Quantified Frequency of Sequence Group = 1.0050E-006 Page 15 of 17

Table 4 Division 2 Emergency UPS Inverter Large Early Release Frequency (LERF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): LERF Rank IE/SF Value Sequence Description Bin Frequency Percent of Group 1 BLOSP 5.68E-002 BLACKOUT LOSP EHI 7.3739E-008 6.76 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.OOE+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 U16 2.69E-001 - RCIC - Station Blackout (0-2 HRS)

Sil 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG30M 9.10E-001 - EDW Recovery HPCS1 8.60E-001 - HPCS EDW Crossitie to Div I or II - SBO GV2 9.90E-001 - CETI - Combustible Gas Venting CZB 5.50E-003 - CETi - Containment Isolated and Intact 2 BLOSP 5.68E-002 BLACKOUT LOSP EHI 5.8684E-008 5.38 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS DABSSA 9.99E-001 - System - DA and DB OGR1 7.10E-001 - Offsite power recovery w/in 30 minutes A3FFJ 4.32E-003 - System - Al and A2 PCH1 9.60E-001 - Portable Charger UCSFAM 1.00E+000 - System - UA and UB E3SFC 9.87E-001 - System - El and E2 U16 2.69E-001 - RCIC - Station Blackout (0-2 HRS)

Sll 8.40E-001 - Diesel Fire Pump - SBO (2-8 HRS)

EDG3OM 9.10E-001 - EDG Recovery HPCS1 8.60E-001 - HPCS EDG Crossitie to Div I or II - SBO IRE 4.00E-001 - CETI - Invessel Recovery CZD 6.50E-003 - CET1 - Containment Isolated and Intact 3 BFLCB 9.30E-004 Flood in the Control Bldg EHI 4.8068E-008 4.40 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS IER1 1.00E-003 - Initiating Event Recovery DABSSA 9.99E-001 - System - DA and DB Page 16 of17

Table 4 Division 2 Emergency UPS Inverter Large Early Release Frequency (LERF) Sequences Top-Ranked Sequences Contributing to Group (Sorted by Frequency): LERF Rank IE/SF Value Sequence Description Bin Frequency Percent of Group KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KB1 and KB2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger IS3 1.05E-001 - CET1 & 3 - Containment Isolation RB7 9.90E-001 - CET2 - Reactor Bldg Effectiveness 4 BFLCB 9.30E-004 Flood in the Control Bldg EHI 4.0006E-008 3.67 POSA 9.90E-001 - Top Event for Setting Plant Mode/POS IERI 1.00E-003 - Initiating Event Recovery DABSSA 9.99E-001 - System - DA and DB KASSC 9.96E-001 - System - KA1 and KA2 KBSSC 9.96E-001 - System - KBI and KB2 NABSSA 9.89E-001 - System - NA and NB PCH1 9.60E-001 - Portable Charger IS3 1.05E-001 - CET1 & 3 - Containment Isolation OP1 4.55E-001 - CET2 - Operator RPV Depressurization RB7 9.90E-001 - CET2 - Reactor Bldg Effectiveness Total Quantified Frequency of Sequence Group . 1.0914E-006 Page 17 of 17

ML051020400

Contents

Text

SUBJECT:

Subject:

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML051020400

Text

SUBJECT:

Subject:

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search