ML051380429
| ML051380429 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 05/06/2005 |
| From: | Jensen J Indiana Michigan Power Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| AEP:NRC:5811-02, TAC MC4525, TAC MC4526 | |
| Download: ML051380429 (107) | |
Text
INDIANA MICHIGAN POWER' A unit of American Electric Power Indiana Michigan Power Cook Nuclear Plant One Cook Place Bridgman,MI 49106 AEP.com May 6, 2005 Docket Nos:
AEP:NRC:5811-02 10 CFR 50.90 50-315 50-316 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Mail Stop O-P1-17 Washington, DC 20555-0001
Subject:
Donald C. Cook Nuclear Plant Units 1 and 2 Docket Nos. 50-315 and 50-316 Remainder of Response to Request For Additional Information Regarding License Amendment Request to Extend the Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water (TAC Nos. MC4525 and MC4526)
References:
- 1) Letter from J. N. Jensen, Indiana Michigan Power Company (1&M), to U. S. Nuclear Regulatory Commission (NRC)
Document Control Desk,
'Donald C. Cook Nuclear Plant Units 1 and 2 - Docket Nos. 50-315 and 50-316 -
Extension of Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water,"
AEP:NRC:481 1, dated September 21, 2004 (ML042780478).
- 2) Letter from C. F. Lyon, NRC, to M. K. Nazar, I&M, "Donald C. Cook Nuclear Plant, Units 1 and 2 - Request for Additional Information Regarding License Amendment Request to Extend Allowed Outage Times (TAC Nos. MC4525 and MC4526)," dated January 18, 2005 (ML043650279).
- 3) Letter from J. N. Jensen, I&M, to NRC Document Control Desk, "Partial Response to Request For Additional Information Regarding License Amendment Request to Extend the Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water (TAC Nos.
AEP:NRC:5811, dated March 18, 2005 (ML050890319).
U. S. Nuclear Regulatory Commission AEP:NRC:5811-02 Page 2
Dear Sir or Madam:
By Reference 1, Indiana Michigan Power Company (I&M) proposed to amend Facility Operating Licenses DPR-58 and DPR-74 for Donald C. Cook Nuclear Plant (CNP), Units 1 and 2. I&M proposed revising the Technical Specifications (TS) to permit extending allowed outage times (AOTs) from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days for an inoperable emergency diesel generator (EDG), an inoperable component cooling water (CCW) system loop, an inoperable essential service water (ESWV) system loop, or an inoperable alternate offsite power circuit (69 kilovolt circuit).
The proposed AOT extensions were supported by a plant modification to install supplemental diesel generators (SDGs) that will provide an additional source of electrical power.
Reference 2 transmitted a Nuclear Regulatory Commission (NRC) request for additional information (RAI) regarding the proposed amendment. A partial response to the Reference 2 RAI was transmitted by Reference 3. In that partial response, I&M informed the NRC that the proposed AOT extension for the CCW and ESW systems were withdrawn, and that the scope of the proposed 69 kilovolt circuit AOT extension was reduced from a permanent extension to a one-time extension.
This letter provides the remainder of the response to the NRC RAI transmitted by Reference 2. to this letter provides an affirmation pertaining to the statements made in this correspondence. Enclosure 2 provides the remainder of the response to the NRC RAI transmitted by Reference 2. to this letter provides updated design information for the SDGs. documents the resolution of significance level A and B facts and observations (F&Os) regarding the CNP probabilistic risk assessment as identified by a Westinghouse Owners Group peer review. Attachment 3 identifies the significance level C and D F&Os. Attachment 4 provides a summary of a contractor validation of the F&O resolutions and an assessment against requirements of Regulatory Guide 1.200, "An Approach For Determining The Technical Adequacy Of Probabilistic Risk Assessment Results For Risk-Informed Activities," dated February 1, 2004. defines the abbreviations used in the enclosures and attachments to this letter. identifies the documents referenced in the enclosures and attachments. Attachment 7 provides clarifications regarding the response to an NRC request for additional deterministic information. Attachment 8 identifies the regulatory commitments contained in this letter. to the original amendment request transmitted by Reference 1 included an evaluation of significant hazard considerations performed in accordance with 10 CFR 50.92 and an environmental assessment performed in accordance with 10 CFR 51.22. The information in this letter provides supporting information for the amendment request submitted by Reference 1. The information provided in this letter does not alter the validity of the original evaluation of significant hazard considerations for the remaining proposed changes.
The environmental assessment provided in to Reference 1 also remains valid.
U. S. Nuclear Regulatory Commission AEP:NRC:5811-02 Page 3 Should you have any questions, please contact Mr. John A. Zwolinski, Safety Assurance Director, at (269) 466-2428.
Sincerely Vice President JRW/jen
Enclosures:
- 1.
Affirmation.
- 2.
Remainder of Response to Request for Additional Information Regarding License Amendment Request to Extend Allowed Outage Times.
Attachments:
- 1.
Updated SDG Design Information
- 2.
Significance Level A and B F&Os and Resolutions
- 3.
Significance Level C and D F&Os
- 4.
Results of Contractor Validation of F&O Resolution and Assessment Against RG 1.200
- 5.
Abbreviations Used in Enclosures and Attachments
- 6.
References Used In Enclosures and Attachments
- 7.
Clarifications Regarding Request for Additional Deterministic Information
- 8.
J. L. Caldwell, NRC Region III K. D. Curry, AEP Ft. Wayne, w/o attachments J. T. King, MPSC C. F. Lyon, NRC Washington, DC MDEQ - WHMD/HWRPS NRC Resident Inspector to AEP:NRC:5811-02 AFFIRMATION I, Joseph N. Jensen, being duly sworn, state that I am Site Vice President of Indiana Michigan Power Company (I&M), that I am authorized to sign and file this request with the Nuclear Regulatory Commission on behalf of I&M, and that the statements made and the matters set forth herein pertaining to I&M are true and correct to the best of my knowledge, information, and belief.
Indiana Michigan Power Company Jensen Site Vice President SWORN TO AND SUBSCRIBED BEFORE ME THIS (__
DAY OF il(Ž U,,2005 My Cmiso Epe b.-'
Not ublilc My Commission Expires (G /O /l2207
/
I
ENCLOSURE 2 TO AEP:NRC:581 1-02 REMAINDER OF RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION REGARDING LICENSE AMENDMENT REQUEST TO EXTEND ALLOWED OUTAGE TIMES Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
By Reference 1, I&M proposed to amend Facility Operating Licenses DPR-58 and DPR-74 for CNP Units I and 2. I&M proposed revising the TS to permit extending AOTs from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days for an inoperable EDG, an inoperable CCW system loop, an inoperable ESW system loop, or an inoperable alternate offsite power circuit (69 kilovolt circuit).
Reference 2 transmitted an NRC RAI regarding the proposed amendment. A partial response (to Questions 1, 7, 9 - 14) was transmitted by Reference 3. Reference 3 also informed the NRC that I&M was withdrawing the proposed AOT extensions for the CCW and ESW systems, and that the scope of the proposed 69 kilovolt AOT extension would be reduced from a permanent extension to a one-time extension. This enclosure provides the remainder of the response (to Questions 2 - 6, and 8) to the NRC RAI transmitted by Reference 2.
The procedural direction for aligning the SDGs to the emergency buses and establishing RCP seal flow will be provided by a revision to the CNP procedure for loss of all AC power. The HRA analysis presented in the response to NRC Question 3 is based on an early draft of that procedure. That HRA determined a human error rate of 9.5E-3. A subsequent HRA, using a more recent draft version of the procedure and the same HRA methodology, but assuming all steps are critical, resulted in a human error rate of 4.2E-2. Since the procedure is not finalized, a human error rate of 5E-2 was used as an upper bound to estimate the risk profiles provided in the responses to NRC Questions 2, 4, and 5.
NRC Ouestion 2 Please provide the following infonnation: (If the results for Unit I and Unit 2 are similar, only the Unit 1 hnfonration need be provided.) (RG 1.174, Sections 2.2.2 and 2.2.4; RG 1.177 Sections 2.3 and 2.4)
assuming the fourAOTs are extended as requested?
- b. In Tables 1 and 2, for AB emergency diesel generator (EDG) out-of-service: Was this case analyzed with the supplemental diesel generators (SDGs) aligned to T11C and TJJD (721C and W21D) as implied by the first note in the table? If "yes, " please provide the results for AB EDG out-of-service with the SDGs aligned to the buses nornally supplied by the AB EDG.
- c. Provide results similar to Tables I and 2 for the East CCW and East ESW cases, assuming the SDGs are aligned to TI1A and Tu1B (721A and T21B).
to AEP:NRC:5811-02 Page 2 I&M Response to NRC Ouestion 2 Each part of NRC Question 2 is restated below followed by I&M's response.
- a. What is the delta CDF and delta LERF, contpared to both the current and new base risk, assuming thefourAOTs are extended as requested?
Response
I&M has recalculated the values for delta CDF and delta LERF using modeling which differs from that used in determining the values presented in the original amendment request (Reference 1).
Descriptions of the modeling changes and the recalculated values are provided below.
CCW Modeling Changes As noted in the partial response transmitted by Reference 3, I&M identified potential alternative modeling for the CCW system. This alternative modeling involved two issues concerning CCW pump maintenance that were addressed by making changes to the fault tree modeling. First, it was determined that if a CCW pump is out of service for maintenance, the heat exchanger in the same train also is declared inoperable. For the model to indicate this relationship, it was necessary to remove each pump's T&M event from its existing location and to insert it under the gate representing heat exchanger unavailability. Second, during a review of the fault trees, it was determined that there was no T&M term in the CCW fault tree for the ECCS recirculation phase. To address this issue, the CCW pump T&M basic events were included under the gate representing the recirculation phase in the CCW system fault trees.
It was determined that no similar changes were needed for the ESW system modeling.
SDG Modeling Changes A fault tree that represents the various ways that the SDGs could fail to provide power to the 4 kV safety buses was added to the 4kV system fault trees. This was done in a manner that accounts for the possibility that the SDGs may be aligned to different trains following an SBO initiator. In the previous model, a basic event representing the numerical quantification of the SDG fault tree had been added to the 4kV system fault tree.
A key assumption of the system configuration of the two SDGs is that both SDGs are required to start and run in order to power a single train at either unit, (i.e., a two-out-of-two logic for success). A common cause screening analysis was performed in accordance with NUREG/CR-5485and NUREG/CR-4780, Reference 4 and Reference 5, respectively. As a result, a CCF factor for the SDGs is not included as a basic event in the revised model.
to AEP:NRC:5811-02 Page 3 Event Tree Model Changes The model was changed to explicitly represent the SDGs in the event trees by adding top event EP to represent the operability of the SDGs. This top event was added to the event trees for the following initiating events:
Single unit LOSP Dual unit LOSP Transients with steam conversion systems available Transients without steam conversion systems available Loss of 250 VDC Train A Loss of 250 VDC Train B Loss of ESW to both units after a dual unit LOSP
- Loss of ESW to both units after a single unit LOSP The success criteria for top event EP is that both SDGs must start and be loaded onto the 4 kV safety -buses within 13 minutes. Success of the branch prevents an immediate seal LOCA and allows mitigation of the event in the same manner as if an EDG were operable.
Failure of the branch results in an SBO since no credit is taken for starting and loading the SDGs after the initial 13 minutes.
The ordering of the top event for loss of all four ESW pumps within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of the initiating event, and the top event for failure of all AC power at one unit was reversed to preclude generation of incorrect cutsets.
A change to several event trees was performed to address the condition that the placement of the top events Q1 (Q2) "SRV (PORV) Does Not Stick Open" in the previous single unit and dual unit LOSP event trees did not allow any SBO sequence with a stuck-open relief valve.
In the previous trees, Ql (Q2) are asked first, and their failures are transferred to a separate tree, where the functions are quantified without off-site power. As a result, EDG failures occur in cutsets of these sequences, without any chance of AC power restoration or credit for the SDGs. This condition was addressed by moving these top events after the EP top event.
In addition, the Q1 and Q2 top events were added to the single-unit SBO, dual-unit-LOSP-single-unit SBO, and dual-unit SBO event trees.
New event trees were created to account for the unique support state that exists'when a single-unit or dual-unit LOSP initiator occurs, both EDGs subsequently fail, and the SDGs are successfully loaded onto a safety bus.
Separate event trees address a stuck-open pressurizer relief valve, a stuck-open safety valve, and a loss of CCW for the unit specifically for this new support state.
Finally, it was determined that total failure of ESW at one unit following a single unit LOSP or dual unit LOSP is a very small CDF contributor. Accordingly, the top event for single unit loss of ESW was deleted from the single unit LOSP and dual unit LOSP event trees.
to AEP:NRC:581 1-02 Page 4 Basic Event Data Changes The probabilities for CCF of switchgear room cooling fans and CCF of emergency bus transformers were reduced because the current modeling of this CCF grouping was determined to be overly conservative.
However, to avoid significant additional modeling changes at this time, these CCF values were changed in a manner that preserves their CDF contributions.
The probabilities for CCF of the EDGs were changed as appropriate to each case to address the reduction in common cause component group number associated with voluntary outages.
Recalculated Delta CDF and Delta LERF Values Tables 2-1 and 2-2 below provide the new delta CDF and delta LERF values. There are three types of cases shown in these tables.
The "Current'" base cases for Unit 1 and 2 represent the base PRA model with the revisions described in the original amendment request (Reference 1) and the enhancements described above. The "Current" base cases correspond to the current base case identified in NRC Question 2.a. Although the SDGs are included in this model, they are treated as always unavailable. Each EDG is assumed to be unavailable approximately 1.35 days per year.
The 'Projected" base cases for Unit 1 and Unit 2 start with the "Current" base case, but allow the SDGs to be credited. The SDGs are estimated to be unavailable 3 days per year due to T&M, and the EDGs are estimated to be unavailable 8 days per year to represent the expected performance of EDG maintenance activities with the units on line rather than during an outage.
The "Interim" base cases for Unit 1 and Unit 2 also start with the "Current" base case, and also credit the SDGs as available all but 3 days per year. For these cases, the average unavailability of each EDG is the same as was assumed in the "new" base case identified in NRC Question 2.a, i.e., approximately 1.35 days per year.
The "Interim" base case, therefore, corresponds to the "New Base Cases" identified in Tables 1 and 2 of the original amendment request (Reference 1). Similar to the "New Base Cases," the "Interim" base cases were developed only with the SDGs aligned to the TI1 C/D or T21C/D buses.
Table 2-1 compares the CDF and LERF values for Unit 1 and Unit 2 with no credit for SDGs (the "Current" base cases) to CDF and LERF values for Unit 1 and Unit 2 with anticipated average SDG and EDG unavailabilities (the "Projected" base cases). Table 2-1 includes results for cases with the SDGs aligned to each safety train for a unit. Table 2-1 shows that the extension of the EDG AOTs combined with installation of the SDGs will lead to a significant decrease in risk for the plant relative to its current state.
Section 2.2.4 of RG 1.174 (Reference 6) states that, if it can clearly be shown that the proposed change will to AEP:NRC:5811-02 Page 5 result in a decrease in CDF or a decrease in LERF, the change will be considered to have satisfied the relevant principle of risk-informed regulation with respect to CDF or LERF.
Table 2-1, Comparison of Unit 1 and Unit 2 "Projected" Base Cases with "Current" Base Cases Case Definition CDF LERF Delta Delta CDF LERF Unit I Current Base Case:
- No credit for SDGs.
4.15E-5 7.23E-6
- All other components' T&M set to average yearly values.
Unit 1 Projected Base Case with SDGs aligned to TI 1AIB:
- Current Base Case but with credit allowed for SDGs.
- SDG function unavailable 3 days per year for T&M.
2.58E-5 4.53E-6
-1.57E-5
-2.70E-6
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
Unit 1 Projected Base Case with SDGs aligned to Ti IC/D:
- Current Base Case but with credit allowed for SDGs.
- SDG function unavailable 3 days per year for T&M.
2.57E-5 4.53E-6
-1.58E-5
-2.70E-6
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
Unit 2 Current Base Case:
- No credit for SDGs.
4.14E-5 7.20E-6
- All other components' T&M set to average yearly values.
s S
. * *s*.**s*.
Unit 2 Projected Base Case with SDGs aligned to T21AJB:
- Current Base Case but with credit allowed for SDGs.
- SDG function unavailable 3 days per year for T&M.
2.56E-5 4.53E-6
-1.58E-5
-2.67E-6
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
to AEP:NRC:5811-02 Page 6 Table 2-1, Comparison of Unit 1 and Unit 2 "Projected" Base Cases with "Current" Base Cases Case Definition CDF LERF Delta Delta
____CDF LERF Unit 2 Projected Base Case with SDGs aligned to T2MCOD:
- Current Base Case but with credit allowed for SDGs.
- SDG function unavailable 3 days per year for T&M.
2.57E-5 4.53E-6
-1.57E-5
-2.67E-6
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
Table 2-2 compares the CDF and LERF values for the Unit 1 and Unit 2 'Projected" base cases with cases representing a plant state designated as "Interim."
Table 2-2 shows that, with the SDGs installed and operational, the effect of changing the assumed EDG time in T&M from approximately 1.35 days per year to 8 days per year is small and does not affect the conclusion that the addition of the SDGs is a net risk benefit to the units.
Table 2-2, Comparison of Unit I and Unit 2 'Projected" Base Cases with "Interim" Base Cases Case Definition CDF LERF Delta Delta
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _C D F L E R F Unit 1 Interim Base Case with SDGs aligned to T1 ICID:
- SDG function unavailable 3 days per year for T&M.
2.471E-5 4.381E-6
- All other components' T&M set to average yearly values Unit 1 Projected Base Case with SDGs aligned to T1lA/B:
- SDG function unavailable 3 days per year for T&M.
- Each EDG unavailable 8 days per year for T&M.2.581-5 4.53E-6 1.1O1-6 1.501-7
- All other components' T&M set to average yearly values.
Unit 1 Projected Base Case with SDGs aligned to TlIC/D:
- SDG function unavailable 3 days per year for T&M.
2.57E-5 4.53E-6 1.OOE-6 1.SOE-7
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
to AEP:NRC:5811-02 Page 7 Table 2-2, Comparison of Unit 1 and Unit 2 'Projected" Base Cases with "Intexim" Base Cases Case Definition CDF LERF Delta Delta CDF LERF Unit 2 Interim Base Case with SDGs aligned to T2IC/D:
- SDG function unavailable 3 days per year for T&M.
2.4E 4.38E-6.
- All other components' T&M set to average yearly values.
Unit 2 Projected Base Case with SDGs aligned to TnA/B:
- SDG function unavailable 3 days per year for T&M.
2.56E-5 4.53E-6 1.OOE-6 1.50E-7
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
Unit 2 Projected Base Case with SDGs aligned to T2MC/D:
- SDG function unavailable 3 days per year for T&M.
2.57E-5.
4.53E-6 1.1 OE-6 1.50E-7
- Each EDG unavailable 8 days per year for T&M.
- All other components' T&M set to average yearly values.
- b. In Tables 1 and 2, for AB emergency diesel generator (EDG) out-of-service: Was this case analyzed with the supplemental diesel generators (SDGs) aligned to T1JC and TJJD (T21C and 721D) as implied by the first note in the table? If "yes, " please provide the results for AB EDG out-of-service with the SDGs aligned to the buses normally supplied by the AB EDG.
Response
The cases for the AB EDG out of service shown in Tables 1 and 2 of the original amendment request (Reference 1) were analyzed with the SDGs aligned to the Ti IC and TI ID buses.
Tables 2-3 and 2-4 below provide the requested information for all four EDG out-of-service cases for SDG alignments to the Ti lA/B, T11C/D, and T21C/D safety bus trains. The cases in Table 2-3 include four cases with the SDGs aligned to safety buses TiIA/B and each of the Unit 1 and 2 EDGs out of service, and four cases with the SDGs aligned to safety buses Ti 1C/D and each of the Unit 1 and 2 EDGs out-of-service. The four cases in Table 2-4 have the SDGs aligned to safety bus train T21C/D and each of the Unit 1 and 2 EDGs to AEP:NRC:5811-02 Page 8 out-of-service.
CDF and LERF values are provided for each case shown.
In addition, ICCDP and ICLERP values are provided. These values are based on the CDF and LERF values for each case compared to the '"rojected" base case with SDGs aligned to either T11A/B or TIIC/D (for Unit 1) or T21C/D (for Unit 2). Note that Tables 1 and 2 in Reference 1 were conservatively based on having an EDG in T&M for 17 days. The results shown in Tables 2-3 and 2-4 are consistent with the proposed TS changes, based on having an EDG in T&M for 14 days.
Table 2-3, Comparison of EDG Outages wvith SDGs Aligned to Unit 1 Buses for
'Projected" Base Case ICCDP Based ICLERP Based Case Definition CDF LERF on "Projected" on "Projected" Base Case &
Base Case &
- lAB EDG out of service;
- SDG aligned to TlIC/D; 5.01E-5 8.30E-6 9.36E-7 1.44-7
- SDG T&M unavailability set to 0.0;5.15 83E6 93E714E7
- Other EDG T&M unavailabilities set to 0.0
- SDG aligned to Tl IC/D; 4.89E-5 8.17E-6 8.91E-7 1.39E-7
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0
- 2AB EDG out of service;
- SDG aligned to Tl IC/D; 2.52E-5 4.35E-6
-1.96E-8
-7.06E-9
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0
- 2CD EDG out of service;
- SDG aligned to TIl soC/D; 2.52E-5 4.35E-6
-1.73E-8
-6.94E-9
- Other EDG T&M unavailabilities set to 0.0
- 1AB EDG out of service;
- SDG aligned to TlIA/B; 5.05E-5 8.29E-6 9.47E-7 1.44E-7
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0
- lCD EDG out of service;
- SDG aligned to TI1 A/B; 4.99E-5 8.17E-6 9.25E-7 1.40E-7
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0
- 2AB EDG out of service;
- SDG aligned to T1 IA/B, 2.54E-5 4.34E-6
-1.SOE-8
-6.94E-9
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0 to AEP:NRC:5811-02 Page 9 Table 2-3, Comparison of EDG Outages with SDGs Aligned to Unit 1 Buses for
'?roiected" Base Case ICCDP Based ICLERP Based Case Definition CDF LERF on "Projected" on "Projected" Base Case &
Base Case &
- 2CD EDG out of service;
- S DG aligned to T 1I1AIB,2535 43E6 15E86879
- SDG T&M unavailability set to 0.0; 2.53E-5 4.35E-6
-l.65E-8
-6.87E-9
- Other EDG T&M unavailabilities set to 0.0 Note: Negative values show Ul risk decrease due to full credit for SDG rather than splitting credit with U2.
Table 2-4, Comparison of EDG Outages with SDGs Aligned to Unit 2 Buses for "Projected" Base Case ICCDP Based ICLERP Based on "Projected" on "Projected" Scenario Definition*
Base Case &
- 2AB EDG out of service;
- SDG aligned to T2lC/D,
- SDG T&M unavailability set to 0.0; 4.99E-5 8.28E-6 9.32E-7 1.44E-7
- Other EDG T&M unavailabilities set to 0.0
- 2CD EDG out of service;
- SDG aligned to T2lC/D, 4.92E-5' 817E-6 9.04E-7 1.40.-7
- SDG T&M unavailability set to 0.0;
- Other EDG T&M unavailabilities set to 0.0
- lAB EDG out of service; SDG aligned to T21C/D, 2.50E-5 4.35E-6
-2.68E-8
-6.71E-9
- SDG T&M unavailability set to 0.0;
-Other EDG T&M unavailabilities set to 0.0
- 1CD EDG out of service;
- SDG aligned to T2IC/D,
- SDG T&M unavailability set to 0.0; 2.502-5 4.35E-6
-2.68E-8
-6.71 E-9
-Other EDG T&M unavailabilities set to 0.0 XT-XT
_A1-
_A-A-A I
rTCo L-
- I "TN A
A 1-:
Note:
INO results are provided ior aLJus aligned to I Ii A05 because, as snown m I abie Z-4, -ne results do not differ significantly between SDG train alignments for a given EDG out of service.
Negative values show U2 risk decrease due to full credit for SDG rather than splitting credit with UW.
to AEP:NRC:5811-02 Page 10 Table 2-5 below is a condensed version of the information provided in Tables 2-3 and 2-4, and can be used to facilitate comparison with NRC guidelines. As stated in Section 2.4 of RG 1.177 (Reference 7), an ICCDP of less than 5.0E-7, and an ICLERP of 5.0E-8 or less are considered small. As shown in Table 2-5, the largest ICCDP (9.47E-7) and largest ICLERP (1.44E-7) are slightly above the NRC guidelines. As also stated in Section 2.4 of RG 1.177:
In the context of the integrated decisionmaking, the acceptance guidelines should not be interpreted as being overly prescriptive.
They are intended to provide an indication, in numerical terms, of what is considered acceptable. As such, the numerical values above are approximate values that provide an indication of the changes that are generally acceptable.
Furthermore, the state of knowledge, or epistemic, uncertainties associated with PRA calculations preclude a definitive decision with respect to the acceptance of the proposed change based purely on the numerical results.
Accordingly, the conservatisms included in the risk evaluation should also be considered. These conservatisms include the following:
- No credit is taken for the SDGs if they are not started and loaded onto the 4 kV safety buses within 13 minutes. It is assumed that failure to start and load the SDGs within this time period results in an SBO. In actuality, if the SDGs and associated electrical distribution systems are available, they could be used to power safety loads subsequent to 13 minutes from the start of the event.
- No credit is taken for an HEP below the bounding value assumed in the risk evaluation. An HRA based on the final version of the Operations procedure for aligning the SDGs will likely result in an HEP below the assumed bounding value.
- No credit is taken for any compensatory actions associated with use of the extended AOT, including no credit for a reduced probability of an LOSP because of protecting the switchyard. Normal station risk management practices direct the switchyard to be protected when specific AOTs, including the EDG AOT, are entered.
- No credit is taken for extending the availability of DC power, beyond the current 4-hour station battery life, during SBO scenarios.
With the SDGs, the battery chargers will be powered, and reliance on the batteries during SBO conditions would be greatly reduced.
- No credit is taken for the availability of the SDGs in the convolution analysis associated with the recovery of offsite power. If one of the two SDGs were to fail to provide power, the remaining SDG would still be capable of providing sufficient power to restore injection capability to a single unit. This alignment may require additional operator actions associated with blocking non-essential loads, and manually aligning the required loads.
Therefore, given the decrease in risk shown by the negative values for CDF and LERF shown in Table 2-1, and the above identified conservatisms in the risk evaluation, I&M considers the proposed change to be acceptable, even though the ICCDP and ICLERP values are slightly above the guidelines.
to AEP:NRC:5811-02 Page 1 1 Table 2-5, Comparison of Unit 1 and Unit 2 EDG Outages wiith
'Projected" Base Cases SDGs EDG Out ICCDP Based on ICLERP Based on Aligned of Service CDF LERF Projected Base Case & 14 Projected Base Case & 14 to:
___Day AOT Day AOT 1AB 5.01E-5 8.30E-6 9.36E-7 1.44E-7 Tl lC/D 1CD 4.89E-5 8.17E-6 8.91E-7 1.39E-7 2AB 2.52E-5 4.35E-6
-1.96E-8
-7.06E-9 2CD 2.52E-5 4.35E-6
-1.73E-8
-6.94E-9 IAB 5.05E-5 8.29E-6 9.47E-7 1.44E-7 TlIA/B 1CD 4.99E-5 8.17E-6 9.25E-7 1.40E-7 2AB 2.54E-5 4.34E-6
-1.50E-8
-6.94E-9 2CD 2.53E-5 4.35E-6
-1.65E-8
-6.87E-9 2AB 4.99E-5 8.28E-6 9.32E-7 1.44E-7 TC/D 2CD 4.92E-5 8.17E-6 9.04E-7 1.40E-7 1AB 2.50E-5 4.35E-6
-2.68E-8
-6.71E-9 1CD 2.50E-5 4.35E-6
-2.68E-8
-6.71E-9 Note:
SDG T&M unavailability and other EDG T&M unavailabilities set to 0.0 for each case.
- c. Provide results similar to Tables 1 and 2 for the East CCW and East ESW cases assutming the SDGs are aligned to TlJA and TIB (T21A and 721BJ.
Response
Since the proposed CCW and ESW AOT extensions have been withdrawn, no response has been provided for the CCW and ESW cases. Revised configuration risk impacts for the 69 kV system outage are presented in the following table.
to AEP:NRC:5811-02 Page 12 Table 2-6, Configuration Risk Impact for 69 kV Outage When Compared to Unit 1 and Unit 2 "Current" Base Cases ICCDP Based ICLERP Based Scenario Definition CDF LERF on Current on Current Base Case &
Base Case &
- Unit 1 with 69 kV out of service;
- No credit for SDGs; 4.16E-5 7.23E-6 2.69E-9 1.15E-10
- All other T&M set to average yearly values
- Unit 2 with 69 kV out of service;
- No crdth r
SDs;t to4.15E-5 7.20E-6 2.30E-9 1.53E-10
- All other T&M set to average yearly values__
Notes: Reference CDF and LERF values for ICCDP and ICLERP are as follows:
From Table 2-1, Unit 1 CDFo =4.15E-5, LERFo = 7.23E-6 From Table 2-1, Unit 2 CDFo = 4.14E-5, LERFO = 7.20E-6 NRC Question 3 Section 4.2.1 of the submittal says that operator action is necessary to energize and load the necessary emergency bius. Please provide the following: (RG 1.174, Section 2.2.2; RG 1.177, Section 2.3)
- a. The hunman reliability analysisfor this operator action.
- b. The dependency analysis for this operator action with other operator actions that may be required in a given core damage scenario, including actions to recover offsite power.
- c. The importance (e. g., Fussell-Vesely and risk-achievement Tvorth) of this operator action for each of the following: (1) the new base case; (2) one EDG out-of-service; (3) one ESW out-of-service; and (4) one CCW out-of-service.
I&M Response to NRC Question 3 Each part of NRC Question 3 is restated below followed by I&M's response.
- a. [Please provide] The humlan reliability analysisfor this operator action.
Response
As discussed on the first page of this attachment, the procedural direction for aligning the SDGs to the emergency buses and establishing RCP seal flow will be provided by a revision to the CNP procedure for loss of all AC power. This procedure is not finalized. The HRA to AEP:NRC:5811-02 Page 13 presented below is based on an early draft of the procedure. However, the methodology shown is applicable to the HRA that will be performed to determine a final HEP once the procedure is finalized.
Operator action is required to close the SDG supply breaker (Ti 1A12 or Ti lDl for Unit 1, T21A12 or T21D1 for Unit 2), and to load the selected train of emergency 4160 volt buses onto the SDGs. This action is designated as SWYD-EP-BKR-HE.
The HRA for these actions is presented below. The HRA uses the EPRI (Reference 8) cause-based decision tree methodology and THERP (Reference 9) techniques to develop the HEP.
Table 3-1, HEP Summary - SWYD-EP-BKR-HE P.,
Pexe Total HEP Error Factor Without Recovery 3.OE-3 6.5E-3 With Recovery 3.OE-3 6.5E-3 9.5E-3 5
l Table 3-2, Scenario Description
- 1. Initial Conditions: Steady state, full power operation.
- 2. Initiating Event: Loss of offsite power.
- 3. Accident sequence (preceding functional failures and successes):
Turbine-driven auxiliary feedwater successful.
Both EDGs on the same unit fail to start.
SDGs start automatically.
- 4. Preceding operator error or success in sequence: Operators recognize that the Ti 1A and TI iD buses are de-energized and enter the CNP procedure for loss of all AC power.
- 5. Operator action success criterion: Close the SDG supply breaker to TI IA or Ti ID
- 6. Continued station blackout with possible RCP seal failure.
Table 3-3, Cues and Indications Cues I Both EDGs are not running Degree of Clarity Average to AEP:NRC:58 11-02 Page 14 Table 3-4, Procedures and Training Cognitive Procedure CNP procedure for loss of all AC power.
Cognitive Instruction Close the SDG supply breaker to bus TI IA Execution Procedure CNP procedure for loss of all AC power.
Other Procedure Job Performance Measure Classroom Training Frequency: 0.5 per year Simulator Training Frequency: 0.5 per year Notes: The procedural direction to align the SDG to the emergency buses will come from the CNP procedure for loss of all AC power. In the early draft of that procedure used for this evaluation, the direction is provided in a step where the "Response Not Obtained" column directs the operator to an attachment in the procedure to align the SDGs. It is assumed that in the final version of the procedure, the number/complexity of intervening steps from the first step to the step for breaker closure is small/simple enough to allow the operator to reach the step for breaker closure within 5 minutes from the time of the loss of offsite power.
Table 3-5, Timing Analysis T,,.
13 Minutes Tdclay 5 Minutes Tir2 0 Minutes TM 1 Minutes Time available for recovery 7 Minutes SPAR-H Available time (cognitive) 7 Minutes SPAR-H Available time (execution) 8 Minutes Minimum level of dependence for recovery high dependency Notes: The CNP procedure for loss of all AC power takes precedence over all other procedures.
The CNP procedure for loss of all AC power is entered directly as an immediate, memorized action.
The operators will not enter the CNP procedure for reactor trip or safety injection first and then transfer to the procedure for loss of all AC power. Therefore, there will be no significant delay in entering the CNP procedure for loss of all AC power.
The average validated time to locally close the RCP seal water return valve is 12.25 minutes. This is measured from the start of loss of all AC power to closure of the valve.
Assuming between 5 and 10 minutes to perform this local action, or 7.5 minutes on average, the operators get to step 5 in 4.75 minutes (12.25-7.5). Rounding 4.75 minutes to the nearest minute gives 5 minutes. Therefore, Tdday = 5 minutes.
to AEP:NRC:5811-02 Page 15 (Table 3-5 Notes continued)
The manipulation time to perform one step in the control room, with formal, three-way communication, is assumed to be 1 minute. Therefore, T,.c= 1 minute.
From the NRC SER (Reference 10) for WCAP 15603 Revision 1-A, in the event of loss of all AC power, the RCP seal cartridge will be exposed to RCS water via back leakage through the seals in 13 minutes. Beyond this time, the seals will be immersed in the hot RCS backflow. It is not possible to assure that the design leak rate will be maintained beyond this time (13 minutes) after a loss of seal cooling. There is a 0.21 probability that the seal leak rate will exceed 21 gallons per minute per pump.
It is conservatively assumed that Tsw is 13 minutes.
Table 3-6, Cognitive Analysis Pc Failure Mechanism Branch as defined in EPRI-TR-HEP 100529 (Reference 8)
P.a: Availability of Information A
Negligible P~b: Failure of Attention H
Negligible PCC: Misread/miscommunicate data A
Negligible PHd: Information misleading A
Negligible Pce: Skip a step in procedure A
L.OE-3 Pcf-Misinterpret Instructions A
Negligible P,,: Misinterpret decision logic E
2.0E-3 PcI,: Deliberate violation A
Negligible Initial P,(without recovery credited)
Not applicable 3.OE-3 Notes: None Cognitive Complexity: Simple Equipment Accessibility: Accessible (Main Control Room) to AEP:NRC:5811-02 Page 16 Table 3-7, Cognitive Recovery_
0 U
CZ 9
4 0
Ica2 S
3
+:
L
-6 U
)
=
W.
w U
0 Pc8 Negligible NC 1.0 Pcb Negligible NC 1.0 Pcc Negligible NC 1.0 Pcd Negligible NC 1.0 Pce 1.0E3-3 NC 1.0
.OE-3 Pcf Negligible NC 1.0 Pc 2.OE-3 NC 1.0 2.OE-3 Pc,,
Negligible NC 1.0 Final Pc (with recovery credited) 3.OE-3 Notes: No cognitive recovery is credited due to the restrictive time window.
Table 3-8, Execution Performance Shaping Factors Environment Lighting: Emergency Heat: Normnal Radiation: Background Atmosphere: Normal Equipment Accessibility: Accessible(Main Control Room)
Stress: High Notes: High stress applies to SBO scenarios. No recoveries are allowed due to the restrictive time window.
Execution Complexity: Simple Table 3-9, Execution Unrecovered Procedure: Loss of All Error THERP Stress Over Total AC Power Type Table Item HEP Factor Ride HEP Instruction: Close SDG EOM 20-7b 2
6.5E-3 Supply Breaker to 2
6.5E-3 Bus TI lA EOC 20-12 la negligible Comments: Assume the SDG controls will be very distinct.
to AEP:NRC:5811-02 Page 17
- b. [Please provide] The dependency analysis for this operator action with other operator actions that may be required in a given core damage scenario, including actions to recover offsite powver.
The dependency analysis was developed using the EPRI HRA Dependency Calculator software (Reference 11). The PRA model was first solved with all post initiator HEPs set to 1.0. The resulting cutsets were loaded into the EPRI HRA calculator and sorted based on number and occurrence of HEPs. The HRA calculator ranks the cutsets, based on RAW value, assuming all HEPs are 1.0.
All post-initiator HFEs that occur in loss of offsite power combinations with SWYD-EP-BKR-HE are listed below. The list is sorted by the cognitive procedure and step that the HFE is based on. This sort order is indicative of the chronological order in which the HFEs would occur for a given procedure.
Table 3-11, HFEs in Combinations with SWYD-EP-BKR-HE Basic Event Identifier Event Description SWYD-EP-BKR-HE Close the SDG supply breaker to load the selected train of emergency 4160 volt buses onto the SDGs AABS-MS-TI IDHE Failure to manually strip Bus TI ID AABS-MS-T21DHE Failure to manually strip Bus T21D ABBS-MS-Ti lAHE Failure to manually strip Bus Ti lA ABBS-MS-TI IBHE Failure to manually strip Bus TI lB ABBS-MS-T21AHE Failure to manually strip Bus T21A ABBS-MS-T21BHE Failure to manually strip Bus T21B ABBST1 1A69KVHE Failure to transfer the 69kV alternate power source to Bus Ti iA ABBSTi lD69KVHE Failure to transfer the 69kV alternate power source to Bus Ti iD RCC---EXE-EHHE Fail RCS cooldown after SBO and AFW success EPORVMANOPENHE Failure to manually open PORVs (Screening Value)
RRIA-CSI-PBBHE Failure to restore RCS inventory for SBO RRI---CCP-EHHE Restore RCS inventory for SBO (charging)
RRI---CCW-EHHE Restore RCS inventory for SBO (component cooling)
RRI----SI-EHHE Restore RCS inventory for SBO (safety injection)
CSIA----COG-HE Failure to start containment spray injection to AEP:NRC:5811-02 Page 1 8 Table 3-11, HFEs in Combinations with SWYD-EP-BKR-HE Basic Event Identifier Event Description HIl-FAILURE-HE Failure to energize hydrogen igniters given failure of RHR HI2-HIGHDEP-HE Failure to restart DIS after SBO Z-TK2SLOWCSTHE Long term failure to provide water supply to AFW pumps PBB----COG1-HE Failure to transfer to loss of heat sink procedure PBB----COG2-HE Primary bleed and feed without SI actuated or required AFW-CROSSTIEHE Failure to cross-tie to Unit 2 AFW PBB----20-EHHE Open PORVs for feed and bleed' AFW-OPENDOORHE Failure to open AFW pump room doors in one hour Note: The cognitive procedure and steps for SWYD-EP-BKR-HE and the AABS-MS events are based on steps in an early draft revision of the procedure for loss of all AC power.
The draft revision provides instructions for loading the selected train of emergency 4160 volt buses onto the SDGs. All other Basic Events are based on existing procedures. Although the structure of the early draft procedure is different from the expected final procedure, the chronological order of the events would not change.
SXVYD-EP-BKR-IHE is the first HFE credited in an SBO sequence, based on procedural instructions in the CNP procedure for loss of all AC power.
Therefore, this HFIE is completely dependent on the cognitive error for entering the procedure. If the operators fail to properly diagnose an SBO and fail to enter the procedure, this HFE is a guaranteed failure.
However, it is generally assumed that the cognitive error for diagnosing an SBO and entering the procedure for loss of all AC power is negligible. This is based on the obvious symptoms and the extensive training provided to the operators. Since operators understand that no other procedure can be executed if AC power is not available, it is reasonable to assume that entry into the procedure for loss of all AC power will be a high priority if the reactor trips and the emergency AC buses are de-energized.
Because the cognitive error for entering the procedure for loss of all AC power is considered negligible, it is not modeled in the fault trees. Therefore, there is no sequence for a failure to enter the procedure combined with a failure to close the SDG supply breaker. As this HFE is the first HFE in the SBO sequence, it will always appear as an independent HFE only.
Based on sequence of steps in the CNP procedure for loss of all AC power, the next HFEs in an SBO sequence are:
Table 3-12, HFEs in SBO Sequence AABS-MS-TI lDHE Failure to manually strip Bus Ti ID AABS-MS-T21DHE Failure to manually strip Bus T21D ABBS-MS-Ti IAHE Failure to manually strip Bus TiIA ABBS-MS-T21AHE Failure to manually strip Bus T21A ABBS-MS-TI 1BHE Failure to manually strip Bus Ti1 B to AEP:NRC:5811-02 Page 19 Table 3-12, HFEs in SBO Sequence ABBS-MS-T21BHE Failure to manually strip Bus T21B ABBST1 IA69KVHE Failure to transfer the 69kV alternate power source to Bus Ti lA jABBST1 ID69KVHE Failure to transfer the 69kV alternate power source to Bus Ti iD These HFEs would have a high dependence on SWYD-EP-BKR-HE, as they occur close in time (within 15 minutes) and are involved with the restoration of the same function, i.e., AC power. However, there are special circumstances which make these HFEs inconsequential.
HEPs for the AABS-MS type HFEs are set to 1.0 in the model, which implies they are screening values for future development. Removal of these events from the model would have no effect on the results.. The ABBST1 lA/D 69KVHE events represent failure to restore offsite power for a consequential loss of offsite power (LOSP) in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after a non-LOSP initiator. These events appear in the cutsets with the SWYD-EP-BKR-HE action because the consequential single unit LOSP SBO sequences are. combined with the single unit LOSP/dual unit LOSP SBO sequences. The PRA model treats all SBO sequences the same and assumes offsite power is not available, thus obviating the effect of the ABBST1 1AID69KVHE events.
Based on the steps in the CNP procedure for loss of all AC power, the next HFEs in an SBO sequence are for depressurizing the intact SGs to 190'psig. These HFEs are:
- Table 3-13, HFE~s in SBO Sequence for Depressurizing Intact SGs RCC---EXE-EHHE-ail RCS cooldown after SBO and AFW success EPORVMANOPENHE ailure to manually open PORVs (Screening Value)
SG depressurization is required if AC power is not restored. It is assumed that the operators need to depressurize the SGs while the TDAFWP is still available and supplying feedwater in order to affect the required RCS cooldown. It is assumed that, if the operators' delay the SG depressurization until after the TDAFWP fails, SG blowdown alone will not be sufficient to cool the RCS down to the point of accumulator injection.
If the TDAFWP is initially available, the system time window for SG depressurization is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. SG depressurization requires an RCS cooldown which would take a few hours. If AC power cannot be restored due to equipment failures, the operators'would proceed through the procedure for loss of all AC power without delay and reach the step for SG depressurization in about 20 minutes.
This would allow sufficient time to start the cooldown. The same timing would apply if the operators omit aligning the SDGs. -If the operators align the SDGs, the potential for additional EOMs and EOCs exist, 'which would be more time consuming. Failure of the operators to close the SDG supply breaker (SWYD-EP-BKR-HE) could therefore impact the SG depressurization actions due to decreasing the time available. Based on 15 to 30 minutes between actions, the SG depressurization actions would have a moderate dependence on SWYD-EP-BKR-HE. Based on the INEEL/EXT-02-10307 (Reference 12) dependency rules (same crew, same location, not close in time, different cues), the SG depressurization actions would also have a moderate dependence on SWYD-EP-BKR-HE.
to AEP:NRC:5811-02 Page 21
- c. [Please provide] The importance (e. g., Fiissell-Veselb and risk achievement worth) of this operator action for each of the following: (1) the new base case; (2) one EDG outt-of-service; (3) one ESW out-of-service; and (4) one CCW out-of-service.
Importance measures for this basic event are provided in the table below for the new base case with the SDGs aligned to the TI 1C/D buses and the same case but with the lAB EDG also assumed out of service. Values are provided for the early draft of the procedure and for the upper bound HEP of 5E-2 assumed in the responses to NRC Questions 2, 4, and 5.
Table 3-16, F-V and RAW for SWYD-EP-BKR-HE Early Draft Procedure Upe Case HEP Bound HEP F-V RAW F-V RAW Unit 1 New Base Case:
- All modeling changes included
- SDGs assumed aligned to TI1 C/D
- SDGs assumed unavailable due to T&M for three days per year 7.3E-3 1.8 4.7E-2 1.9
- Each EDG assumed unavailable due to T&M for eight days per year
- Full Boolean solution Unit I New Base Case:
- SDGs assumed aligned to TlIC/D
- EDG lAB assumed out-of-service
- SDGs and other EDGs assumed available 37E2 4.9 1.7E-1 4.2
- Cutset manipulation NRC Ouestion 4 Please provide a discussion on the effects of the proposed AOT extensions on dominant accident sequences (sequences that contribute more than 5 percent to risk, for example) to show that the proposed change does not create risk outliers or exacerbate existing risk outliers. Please provide core damage and LERF contributions by initiating event and by sequence type for the current base case, the 69 kV bus out of service, and for a selected EDG, ESW and CCW configuration. (Both units do not have to be provided if the results are similar between units, as is the case for the results presented in Tables I and 2 of the submittal.) (RG 1.174, Section 3.3.1)
I&M Response to NRC Ouestion 4 A comparison between the highest frequency sequence contributors for the "Current" Unit 1 base case and the "Projected" Unit 1 base case (as they are defined in the response to NRC to AEP:NRC:5811-02 Page 22 Question 2) shows that the proposed EDG AOT extension does not create new risk outliers or exacerbate existing risk outliers. The results for Unit 2 are similar to those for Unit 1.
Tables 4-1 and 4-2 below list accident sequences that provide the largest contributions to CDF and LERF, respectively, for the Unit 1 "Current" base case.
Table 4-1, Contribution to CDF by Event Tree Sequence for Unit 1 "Current" Base Case Sequence Sequence Contribution Identifier CDF to Total CDFSequence Description SBO-S93 3.76E-6 9.0 %
SBO from single unit LOSP with failure to recover offsite p o w e r SBO-S61 2.85E-6 6.9 %
SBO from single unit LOSP with offsite power recovery but inventory control failure DSBOS93 2.27E-6 5.5 %
SBO from dual unit LOSP with failure to recover offsite I
power SBO-S79 2.06E-6 5.0 %
SBO from single unit LOSP with offsite power recovery but not before core damage, and failure of hydrogen igniters SLO-SOS 1.40E-6 3.4 %
Small break LOCA with recirculation failure Note: Total CDF = 4.15E-5 per year Table 4-2, Contribution to LERF by Event Tree Sequence for Unit 1 "Current" Base Case Sequence Sequence Contribution Identifier LERF to Total LERF Sequence Descrption SBO-S94 9.64E-7 13.3 %
SBO from single unit LOSP with failure to recover offsite power and LER from containment DSBOS94 5.82E-7 8.1 %
SBO from dual unit LOSP with failure to recover offsite power and LER from containment SBO from single unit LOSP with offsite power recovery but SBO-S80 5.27E-7 7.3 %
not before core damage, failure of hydrogen igniters, and LER from containment Transient with failure of auxiliary and main feedwater, TRA-S40 4.65E-7 6.4 %
operator failure to bleed and feed, failure of containment spray, failure of hydrogen igniters, and LER from containment 5L1508 3.87E-7 5.4 So Interfacing systems LOCA (failure in RHR cooldown suction IS__S__
3_______
5___4_line) occurs with failure of operators to isolate the break Note: Total LERF = 7.23E-6 per year Tables 4-3 and 4-4 below list accident sequences that provide the largest contributions to CDF and LERF, respectively, for the Unit 1 "Projected" base case with the SDGs aligned to buses TlICID in Table 2-1. In the Unit I "Projected" base case, it is assumed that the SDGs are to AEP:NRC:5811-02 Page 23 unavailable for 3 days per year, each EDG is unavailable for 8 days per year, and that the T&M terms for other components are set to their average yearly values.
Table 4-3, Contribution to CDF by Event Tree Sequence for Unit 1 'Projected" Base Case with SDGs Aligned to Buses T11C/D Sequence Sequence Contribution _
Description Identifier CDF to Total CDF Sequence Description SLO-SO8 1.40E-6 5.5 %
Small LOCA with recirculation failure SLO-S16 1.28E-6 5.0 %
Small LOCA with recirculation failure and containment spray recirculation failure Transient with failure of auxiliary and main feedwater, TRA-S39 1.17E-6 4.5 %
operator failure to bleed and feed, failure of containment spray, and failure of hydrogen igniters ESW4S39 1.03E-6 4.0 %
Loss of all ESW with failure to recover ESW Note: Total CDF = 2.57E-5 per year Table 4-4, Contribution to LERF by Event Tree Sequence for Unit 1 "Projected" Base Case w ith SDGs Aligned to Buses T11CM D
Sequence Sequence Contribution Identifier LERF to Total Sequence Description Ident fier L E R FL E R F Transient with failure of auxiliary and main feedwater, TRA-S40 4.65E-7 10.3 %
operator failure to bleed and feed, failure of containment spray, failure of hydrogen igniters, and LER from containment lSISM S
3.8713-7 8.5 %
Interfacing systems LOCA (failure in RHR cooldown suction line) occurs with failure of operators to isolate the break SG tube rupture in RCS loop 1, faulted SG overfills, one or SGRlS20 3.05E-7 6.7 %
more safety or relief valves sticks open, and failure of 100°Fir cooldown SG tube rupture in RCS loop 2, faulted SG overfills, one or SGR2S20 3.05E-7 6.7 %
more safety or relief valves sticks open, and failure of 1 00 0F/lr cooldown SG tube rupture in RCS loop 3, faulted SG overfills, one or SGR3S20 3.05E-7 6.7 %
more safety or relief valves sticks open, and failure of 100F/hr cooldown SG tube rupture in RCS loop 4, faulted SG overfills, one or SGR4S20 3.05E-7 6.7 %
more safety or relief valves sticks open, and failure of 100F/hr cooldown Note: Total LERF = 4.53E-6 per year Comparing the results for the two cases, it may be seen that the dominant CDF and LERF sequences for the "Current" base case are the result of SBO conditions. These same sequences do not appear in the list of dominant CDF and LERF sequences for the "Projected" base case.
Instead, the dominant CDF and LERF sequences for the "Projected" base case are lower to AEP:NRC:5811-02 Page 24 frequency sequences in the "Current" base case. This demonstrates that the addition of the SDGs lowers overall risk values in the "Projected" base case by improving the mitigation of the highest risk sequences in the "Current" base case. Accordingly, it may be concluded that the "Projected" base case does not exacerbate the existing risk outliers or create new risk outliers.
Tables 4-5 through 4-12 below document the percentage contributions to CDF and LERF by initiating events and sequence types for the "Current" base case and a case in which the Unit 1 CD EDG is out-of-service and the SDGs are aligned to safety buses T11C/D. Comparing the values shown in Tables 4-5 through 4-12, the primary conclusion that may be drawn is that the SDGs effectively replace the assumed out-of-service EDG. This conclusion is supported by the similarity in contributions to CDF and LERF between the two cases based on either internal initiating events or event type.
Note that similar tables showing the various contributions to risk when the 69 kV system is out-of-service are not provided.
This information is not provided due to the change in the requested 69 kV system AOT from a permanent license change to a one-time request and due to the very smali effects on risk that the 69 kV system outage was shown to have on plant risk in Table 2-6. Also, note that similar tables showing the various contributions to risk when one train of ESW or CCW is out-of-service are not provided. This information is not provided due to the removal of these systems from the license amendment request as documented in Reference 3.
Table 4-5, Contribution to CDF by Initiating Event for Unit 1 "Current" Base Case Initiating Contribution to Event Basic Initiating Event Description Total CDF Event IE-LSP Single unit LOSP 32.09%
IE-DLSP-1 Dual unit LOSP 22.03%
IE-SLO Small LOCA 10.67%
IE-TRA Transient with power conversion system available 8.60%
IE-CCW Loss of CCW 7.13%
IE-ESW4 Loss of ESW - both Units 3.53%
IE-ESW2 Loss of ESW - single Unit 2.62%
IE-SGTR-2 SG tube rupture - RCS loop 2 1.57%
IE-SGTR-3 SG tube rupture - RCS loop 3 1.57%
IE-SGTR-1 SG tube rupture - RCS loop 1 1.56%
IE-SGTR-4 SG tube rupture - RCS loop 4 1.56%
IE-ISL1 Interfacing systems LOCA (RHR cooldown suction line) 1.37%
IE-TRS Transient without power conversion system available 1.00%
IE-VEF Breaks beyond ECCS capability 0.72%
IE-SLB-2 Large steam line/feed line break - RCS loop 2 0.49%
to AEP:NRC:5811-02 Page 25 Table 4-5, Contribution to CDF by Initiating Event for Unit 1 "Current" Base Case Initiating Contribution to Event Basic Initiating Event Description Total CDF Event IE-SLB-3 Large steam line/feed line break - RCS loop 3 0.49%
IE-SLB-I Large steam line/feed line break - RCS loop 1 0.48%
IE-SLB-4 Large steam line/feed line break - RCS loop 4 0.48%
IE-SLB-5 Large steam line/feed line break - downstream of MSIVs 0.46%
IE-VDC-B Loss of 250 VDC Train B 0.27%
IE-VDC-A Loss of 250 VDC Train A 0.23%
IE-ISL2 Interfacing systems LOCA (low pressure injection line) 0.16%
IE-ISL4 Interfacing systems LOCA (high pressure injection line) 0.14%
IE-ISL3 Interfacing systems LOCA (shutdown cooling return line) 0.10%
IE-LLO-Large LOCA - RCS loop 1 0.08%
IE-LLO-2 Large LOCA - RCS loop 2 0.08%
IE-LLO-3 Large LOCA - RCS loop 3 0.08%
IE-LLO-4 Large LOCA - RCS loop 4 0.08%
IE-MLO-1 Medium LOCA - RCS loop 1 0.08%
IE-MLO-3 Medium LOCA - RCS loop 3 0.08%
IE-MLO-4 Medium LOCA - RCS loop 4 0.08%
IE-MLO-2 Medium LOCA - RCS loop 2 0.08%
IE-SLO-2 eimLC C
op200t PORV-FO Small LOCA (PORV sticks open) 0.05%
Note: Total CDF = 4.15E-5 I Table 4-6, Contribution to LERF by Initiating Event for Unit 1 "Current" Base Case Initiating Contribution to Event Basic Initiating Event Description TtlLR Event Total_____
IE-LSP Single unit LOSP 28.66%
IE-DLSP-1 Dual-Unit LOSP 22.36%
IE-TRA Transient with power conversion system available 8.33%
IE-ISL1 Interfacing systems LOCA (RHR cooldown suction line) 6.95%
IE-SGTR-2 SG tube rupture - RCS loop 2 5.19%
IE-SGTR-3 SG tube rupture - RCS loop 3 5.19%
IE-SGTR-1 SG tube rupture -RCS loop 1 5.16%
IE-SGTR-4 SG tube rupture - RCS loop 4 5.16%
to AEP:NRC:5811-02 Page 26 Table 4-6, Contribution to LERF by Initiating Event for Unit 1 "Current" Base Case Initiating C
Event Basic Initiating Event Description Contribution to Event TtlLR IE-SLO Small LOCA 3.26%
IE-ESW4 Loss of ESW - both units 1.74%
IE-CCW Loss of CCW 1.14%.
IE-ESWN2 Loss of ESNV-Single Unit 1.02%
IE-TRS Transient without power conversion system available 0.96%
IE-ISL2 Interfacing systems LOCA (low pressure injection line) 0.89%
IE-ISL4 Interfacing systems LOCA (high pressure injection line) 0.79%
IE-ISL3 Interfacing systems LOCA (shutdown cooling return line) 0.59%
IE-VEF Breaks beyond ECCS capability 0.44%
IE-SLB-2 Large steam line/feed line break - RCS loop 2 0.37%
IE-SLB-3 Large steam line/feed line break - RCS loop 3 0.37%
IE-SLB-1 Large steam line/feed line break - RCS loop 1 0.37%
IE-SLB-4 Large steam line/feed line break - RCS loop 4 0.37%
IE-SLB-5 Large steam line/feed line break - downstream of MSIVs 0.34%
IE-VDC-B Loss of 250 VDC train B 0.14%
IE-VDC-A Loss of 250 VDC train A 0.14%
IE-MLO-1 Medium LOCA - RCS loop 1 0.01%
IE-MLO-3 Medium LOCA - RCS loop 3 0.01%
IE-MLO-4 Medium LOCA - RCS loop 4 0.01%
IE-MLO-2 Medium LOCA - RCS loop 2 0.01%
IE-SLO-PORV-FO Small LOCA (PORV sticks open) 0.01%
IE-LLO-1 Large LOCA - RCS loop 1 0.01%
IE-LLO-2 Large LOCA - RCS loop 2 0.01%
IE-LLO-3 Large LOCA - RCS loop 3 0.01%
IE-LLO-4 Large LOCA - RCS loop 4 0.01%
Note: Total LERF = 7.23E-6 Table 4-7, Contribution to CDF by Event Type for Unit 1 "Current" Base Case Event Event Tree Description Contribution Type to Total CDF SBO Single unit LOSP leading to SBO 30.6%
DSBO Dual unit LOSP leading to SBO 21.0%
to AEP:NRC:5811-02 Page 27 Table 4-7, Contribution to CDF by Event Type for Unit 1 "Current" Base Case Event Event Tree Description Contribution Type Eto Total CDF SLO Small LOCA (all except RCP seals) 11.2%
ESW4 Loss of ESW - both units 6.7%
SGR SG Tube rupture (all RCS loops) 6.3%
TRA Transient with power conversion system available 4.3%
ESW2 Loss of ESW - single unit 2.6%
SLB Large steam line/feed line break (all locations) 2.4%
ISL Interfacing systems LOCA (all lines) 1.8%
ATW Anticipated transient without scram 1.6%
VEF Breaks beyond ECCS capability 0.7%
TRS Transient without power conversion system available 0.6%
MLO Medium LOCA (all RCS loops) 0.5%
LSP Single unit LOSP 0.4%
LLO Large LOCA (all RCS loops) 0.3%
DLSP Dual unit LOSP 0.2%
VDCB Loss of 250 VDC train B 0.1%
VDCA Loss of 250 VDC train A 0.1%
Note: Total CDF= 4.15E-5 Table 4-8, Contribution to LERF by Event Type for Unit 1 "Current" Base Case Event Contribution T
Event Tree Description to Total LERF SBO Single unit LOSP Leading to SBO 27.3%
DSBO Dual unit LOSP leading to SBO 21.8%
SGR SG tube rupture (all RCS loops) 20.6%
ISL Interfacing systems LOCA (all lines) 9.2%
TRA Transient with power conversion system available 6.6%
ESW4 Loss of ESW - both units 3.8%
SLO Small LOCA (all except RCP seals) 3.7%
SLB Large steam line/feed line break (all locations) 1.8%
ESW2 Loss of ESW - single unit 1.0%
TRS Transient without power conversion system available 0.8%
to AEP:NRC:5811-02 Page 28 Table 4-8, Contribution to LERF by Event Type for Unit 1 "Current" Base Case Contribution Eve Event Tree Description to Total Type LERF ATW Anticipated transient without scram 0.6%
VEF Breaks beyond ECCS capability 0.4%
LSP Single unit LOSP 0.3%
DLSP Dual unit LOSP 0.2%
MLO Medium LOCA (all RCS loops) 0.1%
VDCB Loss of 250 VDC Train B 0.1%
VDCA Loss of 250 VDC Train A 0.1%
LLO Large LOCA (all RCS loops) 0.0%
Note: Total LERF = 7.23E-6 Table 4-9, Contribution to CDF by Initiating Event for Unit 1 vith ICD EDG Out of Service and SDGs Aligned to T11C/D IInitiating Event nitiating Event Description Contribution Basic Event IntaigEetDsrpinto Total CDF IE-LSP Single unit LOSP 37.1%
IE-DLSP-1 Dual unit LOSP 24.8%
IE-SLO Small LOCA 8.9%
IE-TRA Transient with power conversion system available 7.1%
IE-CCW Loss of CCW 6.0%
IE-ESW4 Loss of ESW - both units 2.9%
IE-ESW2 Loss of ESW - single unit 2.2%
IE-SGTR-2 SG tube rupture - RCS loop 2 1.3%
IE-SGTR-3 SG tube rupture - RCS loop 3 1.3%
IE-SGTR-1 SG tube rupture - RCS loop 1 1.3%
IE-SGTR-4 SG tube rupture - RCS loop 4 1.3%
IE-ISL1 Interfacing systems LOCA (RHR cooldown suction line) 1.1%
IE-TRS Transient without power conversion system available 0.8%
IE-VEF Breaks beyond ECCS capability 0.6%
IE-SLB-2 Large steam line/feed line break - RCS loop 2 0.4%
IE-SLB-3 Large steam line/feed line break - RCS loop 3 0.4%
IE-SLB-1 Large steam line/feed line break - RCS loop 1 0.4%
IE-SLB-4 Large steam line/feed line break - RCS loop 4 0.4%
IE-SLB-5 Large steam line/feed line break - downstream of MSIVs 0.4%
to AEP:NRC:5811-02 Page 29 Table 4-9, Contribution to CDF by Initiating Event for Unit 1 with ICD EDG Out of Service and SDGs Aligned to T11C/D Initiating Event Contribution Basic Event Initiating Event Description to Total CDF IE-VDC-B Loss of 250 VDC Train B 0.2%
IE-VDC-A Loss of 250 VDC Train A 0.2%
IE-ISL2 Interfacing systems LOCA (low pressure injection line) 0.1 %
IE-ISL4 Interfacing systems LOCA (high pressure injection line) 0.1%
IE-ISL3 Interfacing systems LOCA (shutdown cooling return line) 0.1%
IE-LLO-1 Large LOCA - RCS loop 1 0.1%
IE-LLO-2 Large LOCA - RCS loop 2 0.1%
IE-LLO-3 Large LOCA - RCS loop 3 0.1%
IE-LLO-4 Large LOCA - RCS loop 4 0.1%
IE-MLO-1 Medium LOCA - RCS loop 1 0.1%
IE-MLO-3 Medium LOCA - RCS loop 3 0.1%
IE-MLO-4 Medium LOCA - RCS loop 4 0.1%
IE-MLO-2 Medium LOCA - RCS loop 2 0.1%
IE-SLO-PORV-FO Small LOCA (PORV sticks open) 0.0%
Note: Total CDF = 4.899E-5 Table 4-10, Contrbution to LERF by Initiating Event for Unit 1 with 1CD EDG Out of Service and SDGs Aligned to T11C1D Event Contribution Initiating Initiating Event Description to Total Basic EventLERF IE-LSP Single unit LOSP 33.3%
IE-DLSP-1 Dual unit LOSP 23.5%
IE-TRA Transient with power conversion system available 7.3%
IE-ISLI Interfacing systems LOCA (RHR cooldown suction line) 6.2%
IE-SGTR-3 SG tube rupture - RCS loop 3 4.6%
IE-SGTR-2 SG tube rupture - RCS loop 2 4.6%
IE-SGTR-4 SG tube rupture - RCS loop 4 4.6%
IE-SGTR-1 SG tube rupture -RCS loop 1 4.6%
IE-SLO Small LOCA 2.9%
IE-ESW4 Loss of ESW - both units 1.5%
IE-CCW Loss of CCW 1.0%
IE-ESW2 Loss of ESW - single unit 0.9%
to AEP:NRC:5811-02 Page 30 Table 4-10, Contribution to LERF by Initiating Event for Unit 1 with lCD EDG Out of Service and SDGs Aligned to T11C/D Initiating Event Contribution Basic Event Initiating Event Description to Total BasicEventLERF IE-TRS Transient without power conversion system available 0.8%
IE-ISL2 Interfacing systems LOCA (low pressure injection line) 0.8%
IE-ISIA Interfacing systems LOCA (high pressure injection line) 0.7%
IE-ISL3 Interfacing systems LOCA (shutdown cooling return line) 0.5%
IE-VEF Breaks beyond ECCS capability 0.4%'
IE-SLB-4 Large steam line/feed line break - RCS loop 4 0.3%
IE-SLB-3 Large steam line/feed line break - RCS loop 3 0.3%
IE-SLB-2 Large steam line/feed line break - RCS loop 2 0.3%
IE-SLB-1 Large steam line/feed line break - RCS loop 1 0.3%
IE-SLB-5 Large steam line/feed line break - downstream of MSIVs 0.3%
IE-VDC-A Loss of 250 VDC Train A 0.1%
IE-VDC-B Loss of 250 VDC Train B 0.1%
IE-MLO-4 Medium LOCA - RCS loop 4 0.0%
IE-MLO-3 Medium LOCA - RCS loop 3 0.0%
IE-MLO-1 Medium LOCA - RCS loop 1 0.0%
IE-MLO-2 Medium LOCA - RCS loop 2 0.0%
IE-SLO-PORV-FO Small LOCA (PORV sticks open) 0.0%
IE-LLO-4 Large LOCA - RCS loop 4 0.0%
IE-LLO-3 Large LOCA - RCS loop 3 0.0%
IE-LLO-2 Large LOCA - RCS loop 2 0.0%
IE-LLO-1 Large LOCA - RCS loop 1 0.0%
Note: Total LERF = 8.17E-6 Table 4-11, Contribution to CDF by Event Type for Unit 1 Case with ICD EDG Out of Service and SDGs Aligned to T11C/D Contribution Event Type Event Tree Description to Total CDF SBO Single unit LOSP leading to SBO 31.0%
DSBO Dual unit LOSP leading to SBO 20.9%
SLO Small LOCA (all except RCP seals) 12.5%
ESW4 Loss of ESW - Both Units 7.1%
--- to AEP:NRC:5811-02 Page 3 1 Table 4-11, Contibution to CDF by Event Type for Unit 1 Case with 1CD EDG Out of Service and SDGs Aligned to T11C/D Event Type Event Tree Description to Total CDF SGR SG Tube Rupture (all RCS loops) 5.2%
TRA Transient with power conversion system available 3.6%
ESW2 Loss of ESW - single unit 2.2%
SLB Large steam line / feed line break (all locations) 2.0%
ISL Interfacing systems LOCA (all lines) 1.5%
ATW Anticipated transient without scram 1.4%
LSP Single unit LOSP 1.2%
VEF Breaks beyond ECCS capability 0.6%
MLO Medium LOCA (all RCS loops) 0.5%
TRS Transient without power conversion system available 0.5%
DLSP Dual-Unit Loss of Offsite Power 0.4%
LLO Large LOCA (all RCS loops) 0.3%
VDCB Loss of 250 VDC Train B 0.1%
VDCA Loss of 250 VDC Train A 0.1%
Note: Total CDF = 4.891E-5 Table 4-12, Contribution to LERF by Event Type for Unit I Case w*ith ICD EDG Out of 1Service and SDGs Aligned to T11CID Contribution Event Type Event Tree Description to Total LERF SBO Single unit LOSP leading to SBO 27.3%
SGR SG Tube Rupture (all RCS loops) 21.6%
DSBO Dual unit LOSP leading to SBO 18.3%
ISL Interfacing systems LOCA (all Lines) 8.2%
SLO Small LOCA (all except RCP seals) 6.5%
TRA Transient with power conversion system available 5.9%
ESW4 Loss of ESW - both units 5.2%
SLB Large steam line/feed line break (all locations) 1.6%
ESW2 Loss of ESW - single unit 0.9%
LSP Single unit LOSP 0.8%
TRS Transient without power conversion system available 0.7%
ATW Anticipated transient without scram 0.5%
to AEP:NRC:5811-02 Page 32 Table 4-12, Contribution to LERF by Event Type for Unit 1 Case with ICD EDG Out of Service and SDGs Aligned to T11C/D Contribution Event Type Event Tree Description to Total LERF VEF Breaks beyond ECCS capability 0.4%
DLSP Dual unit LOSP 0.2%
MLO Medium LOCA (all RCS loops) 0.1%
VDCB Loss of 250 VDC Train B 0.0%
VDCA Loss of 250 VDC Train A 0.0%
LLO Large LOCA (all RCS loops) 0.0%
Note: Total LERF = 8. 17E-6 NRC Question 5 Please provide the results of an uncertainty analysis for the new base case (i.e., withi credit for the SDGs) probabilistic risk assessment (PRA) model. Alternately, provide a sensitivity analysis to key assumptions for this application. (RG 1.1 74, Section 2.2.2; RG 1. 177, Section 2.3.5)
I&M Response to NRC Question 5 The uncertainty analyses results for the Unit 1 new base case with the SDGs aligned to the TI lC/D safety buses are shown in the tables below.
Case 1.
Unit 1 uncertainty analysis based on an early draft procedure resulting in an HEP of 9.5E-3 for basic event SWYD EP BKR-HE. The results for Unit 2 are simnilar.
Case 2a.
Unit I uncertainty analysis based on a bounding HEP of 5.OE-2 for basic event SWYD-EP-BKR-HE.
Case 2b.
Unit 2 uncertainty analysis based on a bounding HEP of 5.OE-2 for basic event SWYD-EP-BKR-HE.
Table 5-1, CDF and LERF Results of Uncertainty Analyses Case 1 Case 1 Case 2a Case 2a Case 2b Case 2b CDF LERF CDF LERF CDF LERF Point Estimate 2.48E-5 4.38E-6 2.57E-5 4.53E-6 2.56E-5 4.53E-6 95t' Percentile 5.1 OE-5 1.18E-5 5.34E-5 1.21 E-5 5.28E-5 1.13E-5 Mean 2.48E-5 5.42E-6 2.58E-5 5.57E-6 2.62E-5 5.29E-6 Median 2.03E-5 3.26E-6 2.1IE-5 3.39E-6 2.1 OE-5 3.45E-6 5th Percentile 1.02E-5 1.55E-6 1.06E-5 1.60E-6 1.06E-5 1.63E-6 to AEP:NRC:5811-02 Page 33 NRC Ouestion 6 Please provide a copy of the facts and observations (F&Os) from the September 2001, PRA model certification, and describe how the significance level "A" and "B" F&Os were resolved.
Include the results of the contractor's validation of F&O resolution and assessment to RG 1.200 mentioned in the submittal. (RG 1.174, section 2.2.3.3; RG 1.177, section 2.3.1)
I&M Response to NRC Question 6 to this letter provides the significance level A and B F&Os identified by a Westinghouse Owners Group peer review, and the resolution of these F&Os.
provides the significance level C and D F&Os. provides the results of the contractor's validation of F&O resolution and assessment against RG 1.200 (Reference 13).
NRC Ouestion 8 Section 4.1 of the submittal discusses the SDGs. Do the SDGs require any support systems (e.g.,
electric power, cooling water, heating, ventilation, and air conditioning, instrumentation and control) in order to start and nin? What support (e.g., DC control power) is needed for the circuit breakers connecting the SDGs to biuses TIIA (T2IA), T11B (T21B), T11C (721C), and TJID (T21D)? How wvere these dependencies addressed in the model used to calculate the new base case and other plant configurations for the risk assessment? (RG 1.174, Section 2.2.2; RG 1.1 77 Section 2.3)
I&M Response to NRC Question 8 The SDG units will be self-contained, requiring no external support systems except for fuel replenishment. Power to SDG controllers in the control rooms will be provided by the Technical Support Center uninterruptible power supply. Due to the highly reliable nature of this power supply, its potential failure mode was neglected in the PRA modeling for the SDGs.
DC control power is needed for operation of the circuit breakers connecting the SDGs to buses TI lA/B (T21A/B) and TI lC/D (T21C/D) as shown in the following table.
Table 8-1, DC Control Power Sources for SDG Supply to 4kV Safety Buses 1
Safety Bus Feed Breaker DC Control Power Source TI IA T1IA12 Unit 1 Train B DC TI 1B T11B2 Unit 1 Train B DC T11C T1lC2 Unit I TrainADC TIID TDlDI Unit I Train A DC T21A T21A12 Unit 2 Train B DC T21B T21B2 Unit 2 Train B DC T21C T21C2 Unit 2 Train A DC to AEP:NRC:5811-02 Page 34 Table 8-1, DC Control Power Sources for SDG Supply to 4kV Safety Buses Safety Bus l Feed Breaker I
DC Control Power Source T21D I
T21D1 I
Unit 2 Train A DC These dependencies on DC control power were addressed in the model used to calculate the new base case and other plant configurations for the risk assessment by assuming that Unit 1 Train A 250 VDC will supply DC power for all breaker operations to connect the SDGs to the emergency buses.
This simplifying assumption was not observed to result in any significant impact on the model results.
For example, although there are some small differences between the importance measures for comparable Unit 1 250 VDC Train A and Train B basic events, there are no significant differences between their occurrences in the top 500 cutset sequences.
ATTACHMENT 1 TO AEP:NRC:5811-02 UPDATE OF SDG DESIGN This attachment provides updated information regarding the design of the SDGs. Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
- The figure at the end of Enclosure 2 to the letter from J. N. Jensen, I&M, to NRC Document Control Desk, AEP:NRC:4811, dated September 21, 2004 (ML042780478), provided a oneline electrical diagram of the SDGs.
An updated figure is provided at the end of this attachment.
- Page 12 of the September 21, 2004, letter stated that each SDG will be installed within its own metal enclosure, complete with fuel oil tank, closed loop radiator cooling system, engine and generator control panels, output circuit breaker and miscellaneous support systems and devices.
Due to limited space in the SDG enclosures, the output breakers and associated components will be located in a separate metal enclosure near, but not a part of, the SDG enclosures.
- Page 12 of the September 21, 2004, letter also stated that the output of each SDG will be connected via normally-closed, manually-operated, disconnecting switches to 4 kV Bus 1.
The updated design includes electrically-operated breakers (52G 1 and 52G2, see the attached updated figure) on the discharge of each SDG, and an electrically-operated tie breaker (52TI, see the attached updated figure) between the SDG output breakers and the 4 kV Bus 1.
Page 12 of the September 21, 2004, letter also stated that both SDGs will start automatically upon a sustained loss of power on 4.16-kV Bus 1. Upon attaining rated speed and voltage, they will automatically synchronize with each other, and remain available for connection to de-energized 4.16-kV Bus 1. The SDGs will then automatically open the power-operated disconnect switch on Bus 1 to isolate transformer TR12-EP-1, and automatically close the output breakers for both SDGs onto Bus 1. The two SDGs will be connected to the bus in parallel.
This description is revised to be as follows: Upon a sustained loss of power on 4 kV Bus 1, a new motor operated disconnect switch (within the dotted line on the updated figure) will automatically open to isolate the 69 kV system When the motor operated disconnect switch is confirmed open, the two SDGs will automatically start. When the first SDG reaches rated speed and voltage, its output breaker will close. When the second SDG reaches rated speed and voltage, the two SDGs will synchronize and the second SDG output breaker will close.
With both SDGs operating, the tiebreaker (52T1 on the updated figure) will close loading the SDGs onto 4 kV Bus 1.
- Page 20 of the September 21, 2004, letter stated that the SDGs are independent of external supports other than fuel oil.
Power to the controllers in the Unit 1 and Unit 2 control rooms will be provided by the Technical Support Center uninteruptable power supply.
10 MY SIII Stsm Cl A C2 mUml co (0
,2\\
E3 00 IV.
0 i'J 00 CD O1 %T & PAT LEGN ObWN !W5 tISO5 10 SA9VT SOC R7h - TO5l 4W MaS I Nt T aWVtO i"2-V-l Do IMM1M.
FIGURE SUPPLEMENTAL DIESEL GENERATORS ONE-UNE DIAGRAM
A3TACHMENT 2 TO AEP:NRC:5811-02 SIGNIFICANCE LEVEL A AND B F&Os AND RESOLUTIONS Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element A/
The event tree transfers do not necessarily retain the dependencies Thirty-four new event trees were developed to explicitly consider transfer AS-07/
of the initiating event. For example, LSP*CCW is transferred into from one event tree to another given failure of a support system as shown AS/
the IE-CCW tree, in which the sequences are modeled assuming below.
AS-I 1 offsite power has not been lost. Similarly, LSP*ESW is transferred back into the 1E-ESW tree, where offsite power has not been lost.
Support System Failures Initiating Event with New Transfer The same is true for Loss DC bus initiators. This is assigned a Event Trees for Support System Level A because it violates a primary rule of dependency Failures preservation. The effect of this practice may not have a significant effect on baseline CDF, but may have a large impact on certain Single unit loss of offsite power ATWS at reactor power greater than applications.
40%
Dual unit loss of offsite power ATWS at reactor power less than 40%
Loss of train A 250 VDC Medium LOCA caused by a stuck open pressurizer safety valve Loss of train B 250 VDC Small LOCA caused by a stuck open pressurizer relief valve Loss of ESW to both units' CCW Loss of ESW to a single unit's CCW Loss of CCW Loss of train A 250 VDC Failure to trip the RCPs following loss of ESW to both units' CCW Loss of train B 250 VDC Failure to trip the RCPs following loss of ESW to both units' CCW Failure to trip the RCPs following loss of CCW to AEP:NRC:5811-02 Page 2 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element A/
Flood barriers were not treated probabilistically. All flood barriers I&M is currently involved in implementing industry guidance via an EPRI ST-02/
were assumed to perform function. Back flow through drains was tailored collaboration effort utilizing contractor support. Plant walkdowns ST/
also not assumed to occur.
have been performed. Identification of flood sources and potentially ST-2 The flooding analysis screened away all rooms except the turbine affected SSCs for each flood zone has begun but is in the early stages of building basement. The screening criteria considered pipe spray development (less than half done).
mode only (i.e., no ruptures), which resulted in the screening out of all rooms.
This is level A significance, since the flooding CDF is very low (2E-7), based on screening away of all rooms using erroneous criteria.
A/
Passive failures are not well represented in the IE fault trees for Fault Tree Modeling Guidelines were developed that include passive SY-l 1/
ESW and CCXV. In particular, there was no apparent search for failure considerations. Passive failures have been addressed in accordance SY/
system locations where a single boundary failure (leak, rupture) with these Guidelines for all system models. Specific modeling SY-7 could disable the entire system, or severely compromise the ability assumptions are included in Section 5 of each system notebook for which to operate. Also, there were no passive failures for plugging and passive failures have been included.
blockage in the initiating event frequency fault trees. It is interesting to note that the top contributor for IE-ESW is CCF In addition, heat exchanger ruptures, system leaks, and heat exchanger strainer plugging within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of a TRA. The probability of plugging have been addressed for the CCW and ESW systems in both CCF strainer plugging is 5.7E-6 per 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This is equivalent to their initiating event models and plugging has been added to their system 2E-3 for an annual rate, which would be the largest contributor to response models. CCF of ESW system strainers is treated consistently for the IE-ESW frequency if the value is applicable. Also, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> all initiators.
mission time fault tree for CCW has a failure for FX rupture. Thie probability is 7.2E-5. Tllis is a small contributor to the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> fault tree, but would be a 0.026 per year contributor for loss of a train in the CCW-IE fault tree. Thlis was assigned level A, because it could have a potentially large effect on results, as Loss of ESW is a dominant contributor to CDF and LERF.
to AEP:NRC:5811-02 Page 3 Significance Level Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
AS-08/
AS/
AS-12 RCP Seal LOCA modeling for the Loss of CCW events is not the same as for the SBO sequences. The event tree headings (i.e.,
depressurization) necessary to employ the SBO seal LOCA model are not questioned in the IE-CCW and IE-ESW event trees. The following observations were made.
- 1) RCP seal cooling/seal LOCA modeling is asked only in the Loss of CCW, Loss of ESW and SBO event trees. This is not questioned in the transient event tree based on the assumption that seal cooling can only fail if CCW has failed. This assumption is generally valid (although it ignores the potential for local loss of cooling to individual RCPs, the impacts of which would generally be small).
- 2) The operator action to depressurize the RCS to reduce seal failure probability is not asked on the ESW and CCW event trees
- 3) It is not obvious how the split fractions for seal LOCA are incorporated into the ESW and CCW event tree.
- 4) For the sequences involving failure to trip the RCP on Loss of CCW, the sequence modeling appears optimistic. The seal LOCA size in this sequence is appropriately assumed to be 1920 gpm.
This will likely result in actuation of the containment sprays, which will drain the RWST in 30 minutes. These events will significantly complicate the execution of events OL2 and RR2. This is a level B significance because the seal LOCA risk profile changes significantly if functions OL2 and RR2 are not possible.
An assumption underlying this F&O is that RCP seal degradation and failure would progress similarly following an SBO and following failure to trip the RCPs after a loss of ESW or CCW. For the latter situations, if the operator fails to trip the RCPs, then they will continue to run until they overheat sufficiently that they can no longer function. Such a situation will cause higher RCP temperatures than the SBO situation in which they trip immediately due to the initiating event. As a result, there would be different boundary conditions for the seal cavity water volume than in the SBO event. Accordingly, application of the SBO models for RCP seal LOCAs to Loss of ESW and CCW initiated events appears to be unjustified (at this time).
Answers to the specific questions in the F&O are as follows.
- 1) Loss of RCP seal cooling is modeled from realistic initiators. In that CCW provides direct RCP seal cooling via the thermal barrier, or indirectly by supporting seal injection, only those events that directly cause a loss of CCW will cause a loss of RCP seal cooling.
- 2) The CNP plant model does include top events for cool down and depressurization in case of failed ESW or CCW, but this question is only asked as part of the mitigation strategy following recovery of these systems. This is unlike the cool down questioned following an SBO initiator for which the probability of core uncovery depends on the success or failure of RCS cool down.
- 3) The seal LOCA model is based on the seal behavior that is assumed following an SBO initiator. As described above, this behavior is different to AEP:NRC:5811-02 Page 4 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element than would be expected following loss of ESW or CCW initiators.
Accordingly, seal LOCA is not addressed in the CNP model by use of the SBO split fractions in the loss of CCW or loss of ESW event trees.
Instead, consideration is given to whether the seals should be considered failed if the RCPs are not stopped, or if cooling is otherwise interrupted.
This is a realistically conservative method of modeling these interactions, given that the existing seal LOCA models cannot differentiate between these initiators.
- 4) The timing requirements for OL2 and RR2 for loss of ESW and loss of CCW sequences were changed to include consideration of revised success criteria for small LOCAs.
B/
The event trees do not include a heading for containment isolation The F&O identifies the lack of CI failure top event in the various event AS-lO/
failure. This function is not necessary for delineation of core trees as inconsistent with the LERF modeling approach adopted by I&M AS/
damage, but is necessary for proper assignment of LERF. The (i.e., NUREG/CR-6595). Rather than changing all event trees to include AS-21 current LERF model neglects CIS failure because of low CT, the LERF fault tree was modified to include CI. Specifically, the probability. In accordance with NUREG/CR-6595, (Reference 14) containment isolation model was incorporated explicitly into the LERF containment isolation must be included as LERF for all core analysis by including failure to isolate under an OR-gate for each of the damage sequences. Some core damage sequences do not ask the LERF functional equations utilized in the event tree. Appropriate use of LERF question because they represent long term overpressure house events accounted for initiator dependencies.
failures. This is significance Level B, because although this issue has no significant effect on the base line LERF frequency, this may be important for future applications.
to AEP:NRC:581 1-02 Page 5 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/ISLOCA initiating event frequency is calculated external to the The ISLOCA initiating event and event trees have been revised to follow AS-il/
event/fault trees, and the initiating event frequency, taken as the the methodologies of NUREG/CR-5744 (Reference 15) and AS/
sum of frequencies for all scenarios evaluated, is input into the NUREG/CR-5102 (Reference 16). Four ISLOCA initiating events-and AS-7 event tree, which models the "limiting case" (the RHR pump event trees are now used to separate the effects of various initiators and suction scenario). The dependencies between the failures causing scenario specific dependencies, including an event initiated in the ST ISLOCA in the individual ISLOCA scenarios and the systems piping that precludes use of the SI pumps. The initiating events and their mitigating ISLOCA are not considered.
frequencies are documented in a new ISLOCA notebook. The event tree ISLOCA can occur in lines involving the SI pumps. The fault tree structure and the scenario specific dependencies are documented in the asks for makeup from HHSI and assumes all HHSI pumps are revised event tree notebook.
available. The ISLOCA, or the flooding effect of the ISLOCA, could fail one or more of the HHSI pumps and they would not be available for make-up, thus changing the success criteria for that scenario. This effect could be important to the ISLOCA core damage frequency and LERF, so a more scenario-specific assessment of ISLOCA would be desirable.
to AEP:NRC:5811-02 Page 6 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
AS-12/ AS/
AS-18 In the current ISLOCA event sequence model (which is unchanged from the IPE), the probability of RHR piping failure is very important to the outcome of the ISLOCA analysis, since if the piping does not fail, the event is treated as a mitigatable RHR pump seal failure. The probability assigned to failure of the RHR piping is 4E-9, which is based on an opinion provided by Fauske &
Associates for the IPE. This opinion states that the expected creep rupture frequency for similar piping under similar conditions would be on the order of E-6, so that a 24-bour exposure would be on the order E-9. While this may have been adequate for the IPE,-a more robust assessment of the probability of low pressure pipe rupture given overpressure should be performed for a PRA intended for use in risk-informed plant applications. NUREG/CR-5124 (Reference 17), NUREG/CR-5744, and related studies, performed since the time of the IPEs, provide appropriate methodologies for evaluating ISLOCA pathways and frequencies. Current probabilistic fracture mechanics approaches are also available for evaluation of low pressure pipe rupture probability. Since this probability is so important to the ISLOCA CDF and LERF, additional attention should be given to this item. This is level B significance. The ISLOCA analysis should provide a sound basis for assuming low pressure pipe integrity, given the potentially -
significant impact on the results.
As indicated in the resolution to F&O AS-I 1, the ISLOCA analysis has been redone using the methodologies of NUREG/CR-5744 and NUREG/CR-5102. In addition, the low-pressure piping failure probabilities have been reevaluated and appropriate values included in the model for each of the four separate initiating events.
to AEP:NRC:5811-02 Page 7 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
DA-05/
DA/
DA-9 MGL parameters from NUREG/CR-5497 (Reference 18) were used for the CNP CCF analysis. NUREG/CR-5497 is a reasonable generic data source, but it is not clear that the data can be directly used for plant-specific application.
Most of the CCF probabilities based on NUREG/CR 5497 may be considered realistic.
However, CCFs for some of the components may not be realistic even though they are from NUREG/CR-5497 because plant specific screening of the generic CCF data has not been done. One example is the service water pumps. The root causes of the CCFs of the service water pumps vary from plant to plant largely depending on the plant specific environments such as water source (river, lake, or sea) and design of the service water systems. INEEL CCF data base, on which NUREG/CR-5497 values are based, shows that a specific plant experienced a relatively large number of multiple failures of service water pumps because of its unique service water system design. Another plant had a repetitive problem caused by low lake level, which may not be applicable if a plant used sea water as a suction source.
Component boundaries defined for common cause modeling have not been checked against those defined in NUREG/CR-5497.
Without checking boundaries, there is a possibility that a CCF probability is either under-or over-estimated. For example, EDG component boundary in RMOI Guidebook for data collection does not include the load sequencer (or sequencing circuitry) and output breaker. However, the EDG boundary in NUREG/CR-5497 (Figure 5.1) includes those two.
Generally, CCFs are dominant contributors to PRA results for The F&O includes two general observations related to (1) the potentially generic nature of the CCF data source used and (2) potential discrepancies between CCF data component boundaries and the components included in the CCF groups in the model.
Response to Observation 1: Plant specificity was incorporated in the CCF parameters by identifying those common cause terms that had an F-V importance measure of greater than 1 % and developing plant specific MGL parameters for these components. In the quantification applicable at the time of the certification, seven different common cause terms had F-V importances greater than 1 %. For each of these seven components, the CCF Database was used to develop plant specific MGL parameters. To accomplish this, the following process was followed:
- 1. The CCF Database was first searched to identify the generically applicable set of failure events. These searches (applications) are defined by the systems, the components, and the failure modes for which the database was searched. Two of the component types resulted in insufficient data in the application for development of plant specific parameters.
- 2. The events produced from each application were then captured in a file and reviewed by the system analysts to identify those events that are not applicable to CNP, due either to system design or to component boundary definition.
- 3. The inapplicable events were deleted from each application and the resulting MGL parameters were obtained. Since NUREG/CR-5497 did to AEP:NRC:5811-02 Page 8 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element nuclear power plants and should be modeled and quantified not provide application descriptions, the generic applications may result in appropriately.
different MGL parameter values than those provided in NUREG/CR-5497. Therefore, the plant specific parameters may not be directly comparable to the values from NUREG/CR-5497.
Response to Observation 2: The data was collected consistent with the component boundaries identified in the original revision of the data notebook. The boundaries identified in NUREG/CR-5497 are consistent with these definitions with one exception, the diesel generators. The definition for the diesel generator component boundary provided in NUREG/CR-5497 includes the diesel generator output breaker. To account for this difference in definitions, those events in the CCF Database that are due to failures associated with the output breakers were removed from the database used to develop MGL parameters for CNP.
B/
The CCF grouping appears to be inconsistent with respect to CCF Guidelines have been developed and include grouping guidelines for DE-02/
whether running and standby components are grouped together. In running and standby components. These guidelines were then used to DE/
ESW, the running ESW pumps are not grouped with the standby review and revise, as necessary, the CCF groups for all systems. ESW DE-9 ESW pumps for CCF, even though there could be failure pump CCF groups were revised so that both standby and running pumps mechanisms that would prevent a standby pump from running for are included in CCF groups for fails-to-start and fails-to-run.
the mission time once started. Similarly, the operating strainers are not grouped with the standby strainers for CCF. Thle operating strainers have a CCF tern, while the standby strainers have no CCF. There are several cases of running and standby pumps which are in a CCF group -- CCW, CVCS, NESW. The explanation for the grouping is cursory.
This is a level B because the Loss of ESW is an important contributor to CDF, and the CCF grouping could be important to the Loss of ESW frequency.
to AEP:NRC:5811-02 Page 9 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
According to Rev H of HRA notebook, only the following Guidelines for the modeling of pre-initiator human errors, including HR-02/
pre-initiator human interactions were evaluated:
miscalibration errors, are included in the Fault Tree Modeling Guidelines.
HR/
- Failure to restore typical manual valves after T&M, These guidelines were implemented and the results specifically HR-7
- Failure to restore MOVs after T&M, documented in a new Section 5.2 of each system notebook. The
- Mispositioning of turbine driven AFW pump fan test switch, evaluation of miscalibration HEPs is included in the HRA notebook.
- Failure to assure containment drain operability, and
- Turbine driven AFW room door left closed inadvertently.
Miscalibration of instruments was not addressed, which may result in underestimation of actual risk. Miscalibration can affect multiple trains like a CCF.
CCF type of miscalibration error may have a significant impact on CDF or LERF.
to AEP:NRC:5811-02 Page 10 Significance Level/
Observation No./
PRA PeerReview F&O I&M Resolution Element/
(Editorial changes hlave been made for clarity.)
Sub-Element B/
HR-03/
HR/
HR-15/
In the HRA notebook Revision 2, HEP for a bounding case was used for LPR in all scenarios that require low pressure recirculation.
LPR is needed in scenarios such as Large LOCA, medium LOCA, Consequential Medium LOCA, Small LOCA, and RCP seal leakage after loss of CCW.
The bounding case for the HEP was the Large LOCA with containment spray running and the estimated available time was 9 minutes. The notebook describes that the available time may extend as much as 20 - 30 minutes for medium and small LOCA cases.
However, only one HEP was evaluated based on 9 minutes available time and it was used for all initiator scenarios, which seems not to be appropriate because not only the available time but also other PSFs may be significantly different among different scenarios.
Use of HEP based on Large LOCA scenario and PSFs for scenarios other than Large LOCA will produce unrealistic results.
Use of bounding HEPs may shadow actual dominant contributors to the risk.
New LPR HEPs were developed and documented in Section 3.1 of the HRA notebook for cases where LPR is needed following medium and small LOCAs and loss of ESW and CCW. The new cases consider the timing of when recirculation will be required for the scenarios. These new cases also consider PSFs that are needed to model the stress caused by high pressure injection failing as well as the work load added by the depressurization procedure. These new LPR cases have been added to the event trees and the event tree notebook updated.
.1.
.1.
to AEP:NRC:58 11-02 Page 1I1 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
IE-02/
IE/
IE-4/
In general, events can be considered similar, and therefore grouped, if they exhibit similar: - plant response, - success criteria, - timing,
- recovery probability, OR, events can be subsumed into a group and bounded by the worst case impacts within the "new" group.
However, to avoid excess conservatism low-frequency events should not be subsumed if the subsumed initiating event consequences are inconsistent with those of more frequent group contributors (i.e., the "receiving group" should generally not be defined in terms of the consequences of an event that contributes only a very small portion of the group frequency, and an event with more severe consequences should generally not be subsumed into a group with less severe consequences). This is not the case for the groupings in Table 4 of the Internal Initiating Events Categories Notebook. For example the Turbine Trip category includes inadvertent closure of all MSIVs. A trip from this event results in the loss of the steam conversion system. This is also true for the loss of non-safety related cooling water. A loss of circulating water implies that the steam conversion system will be failed. Both of these initiators are more severe, but less frequent, than a Turbine Trip. Section 2.4 indicates that Loss of Control Air is included with (or subsumed by) Transients without Steam Conversion Available.
Loss of control air is a more severe transient than just a loss of steam conversion. Note that section 2.4 of notebook PRA-NB-INIT indicates that loss of condensate will be included as a loss of condensate pumps in Transients without Steam Conversion System Available. This is not consistent with Table 4, item 7.3.8.
Similarly, the Reactor Trip category includes loss of a vital DC Bus.
This conflicts with the modeling of the loss of 250 DC explicitly.
The initiating event categories have been reviewed and revised.
Inadvertent Closure of all MSIVs, Loss of Condenser Vacuum, Turbine Bypass Unavailable, Loss of all Condensate Flow, and Loss of Non-Safety-Related Cooling Water were removed from Turbine Trip (or Transients with Power Conversion System Available) and added to Transients with Steam Conversion System Not Available. Subsumed events meet appropriate criteria, and these initiators frequencies were revised. More discussion of effects of loss of control air was added to clarify the basis for the conclusion that this event is grouped appropriately with Transients with Steam Conversion System Not Available. Tables and text were made consistent which addressed the remaining issues.
to AEP:NRC:58 11-02 Page 12 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
T&M Resolution Sub-Element The loss of a safety-rated AC Bus does not cause a trip at CNP.
However, the corresponding NUREG/CR-5750 (Reference 19) category in Table 4 (Item 7.3.1) is included as part of the reactor trip. There are several cases where a category is subsumed by another category with more severe impact. This may have a significant affect on the calculated CDF.
B/
A single value is used for the probability of pressurizer PORV or The probability of a PORV challenge following an initiator has been IE-05/
safety valve challenge following all transients, without any other provided separate values for transient initiators and for LOSP or loss of IE/
considerations for how the probability might depend on the DC power initiators. These values were determined in accordance with IE-13/
transient. This practice does not account for possible the methodology used in NUREG/CR-4550 (Reference 20) for Sequoyah.
event-dependent primary heat removal and pressure control Basic events WBMV-NRVS-CHALNG, and WXRV-SV-CHALNGD requirements. It also does not account for the ability of AFW to probabilities are determined in the Internal Initiating Events Analysis remove sufficient heat to prevent challenging tie pressurizer Notebook.
PORVs on an event-specific basis. The safety valve challenge probability as modeled is also not dependent on the operation of the pressurizer PORV.
A Bayesian update was used to reflect plant experience for Qd but there should actually be multiple event-specific Qds. The use of a single value may prevent an accurate assessment of plant response' involving selected initiators. Additionally, inadvertent SI actuations may result in a PORV challenge without operator action, so use of an average value is not appropriate.
to AEP:NRC:5811-02 Page 13 Significance Level/
Observation No.
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
The Loss of DC initiating event was quantified by fault tree analysis The loss of DC IE fault tree model for each unit was revised to move the IE-07/
to have a frequency of 7.7E-6/yr. The frequency for Loss of DC IE general failure of the distribution cabinets up in the fault tree so that this IE/
in NUREG/CR-5750 is about 5E-4, which supposedly includes basic event by itself leads to a loss of DC initiating event.
IE-16/
actual events that may not be included in the fault tree analysis. For example, the CNP fault tree analysis does not include bus failure in In addition it was determined that the basic event for the manual switches the IE fault tree. This is level significance B because the Loss of should be deleted. Upon reviewing the original analysis and data source, DC CDF at CNP is less than lE-9. This is not comparable result to it was concluded that the value used is inappropriate and the transfer open other plants.
of this switch is properly included in the general failure event above.
The Loss of DC IE frequency from the revised model is 8.8E-4 per critical year. This compares favorably with 7E-4 per critical year from NUREG/CR-5750 (no applicable events).
B/
The LERF calculation omitted CI failure from the LERF equation.
The containment isolation notebook, fault tree model, and basic event L2-04/
This was based on the fact that CI was evaluated at 3E4, which is a probabilities have been updated, including pre-existing failures. The L2/
very small contributor compared to the LERF split fractions from failure probability of containment fluid penetrations considered as L2-22/
containment failure. There are 2 observations about this practice.
pre-existing leaks was updated to 5.0E-3 per the value in
- 1) There is an expected, but small, contribution due to "pre-existing NUREG/CR-4550, Volume 5, Revision 1, Part 1, "Analysis of Core failure conditions," which has been neglected. Failure rates for Damage Frequency: Sequoyah, Unit 1 Internal Events." The these modes are typically in the high E-3/demand range.
unavailability of the Cl system, assuming all support systems are
- 2) In the LERF evaluation, the probability of failure of isolation is available, is now calculated to be multiplied by the total CDF, so that the contribution to LERF is not 5.09E-3.
necessarily insignificant.
This is level B significance. If the CI failure is reevaluated at -lE-2 The containment isolation model was incorporated explicitly into the and multiplied by all CDF, the LERF from this mode is -5E-7, LERF analysis by including failure to isolate under an OR for each of the which is comparable to the current baseline of 5E-6 and should be LERF functional equations utilized in the event tree. Appropriate use of accounted for.
house events accounted for initiator dependencies.
to AEP:NRC:5811-02 Page 14 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
L2-05/
L2/
L2-I 0/
The generic split fractions from NUREG/CR-6595 simplified LERF model are adopted without explicit consideration of the most significant unique feature of the plant, the concrete containment.
The generic probabilities from the NUREG are assumed to apply without any specific evaluation to support the assumption. Most ice condenser containments are free standing steel rather than steel lined concrete. This unique feature draws into question the appropriateness of the generic containment failure probabilities adopted from the NUREG. The ultimate capacity of the concrete containment is slightly lower than the value that is typical for free standing steel containments, however, since some testing has indicated that concrete containments are less likely to fail catastrophically than the free standing steel, the adoption of the NUREG values may or may not be conservative with respect to the LERF estimation. The impact is probably small, but should be investigated.
In addition to the considerations identified in the F&O, it should be noted that the containment fragility curves are only one element in the determination of the containment failure probabilities cited in NUREG/CR-6595. Differences in other design features between CNP and Sequoyah could be significant factors related to the creation of the phenomenological challenge to the containment building. For example, CNP has instrument holes in the reactor cavity walls that allow sump water to flow to the reactor cavity compartment even at low sump water levels; this assures that there are no truly "dry cavity" sequences at CNP as there are at Sequoyah which does not have such holes. Since the method for determining the split fractions used in NUREG/CR-6595 has not been explicitly identified in the literature, the impacts and significance of any such differences are difficult to estimate.
In summary, development of plant-specific LERF values for CNP is judged to not be required. TIhis conclusion is based on the similarity between the CNP containment fragility curve and the aggregate Sequoyall curve, and the other significant uncertainties associated with determining LERF, both with characterizing the severe accident phenomena as well as inherent in the expert elicitation process. Accordingly, the decision was made to proceed using the LERF split fractions provided in NUREG/CR-6595.
Attaclunent 2 to AEP:NRC:5811-02 Page 15 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
There is not currently a formal procedure or process for the control The PRA model files are controlled by utilizing the site Calculation MU-02/
of the PRA models.
procedure. In particular, the model files are copied to a CD-R format MU/
The current PRA computer model is stored in a networked shared compact disk that is included in the Quantification evaluation.
MU-6/
drive. There is no access control to the shared drive. The files are not write-protected.
All notebooks and supporting documentation are also controlled in A person is designated to take care of the model in the shared drive.
accordance with site procedures, utilizing the Nuclear Document The revision of the model can be identified either by:
Management system for controlled documents. PRA processes (i.e.,
- 1) looking at the date of the file, or system notebook preparation and quantification evaluation) require
- 2) re-evaluating the model using the same cut-off in the existing independent review and approval.
quantification calculations and compare the results with those in the quantification calculations.
Software packages used for PRA purposes are controlled via the site There are no specific procedures for the control of PRA software.
software control procedure.
General software control procedures are currently used for control of PRA software.
The PRA model files maintained on the networked share drive. Access to The same person taking care of the PRA model is designated also this drive is limited to those individuals designated by the PRA group for PRA software control.
supervisor. The PRA model files stored on the PRA group shared drive Controls should be in place to prevent inadvertent changing of PRA are write-protected and authorization to change file permissions is limited.
model files. PRA models and software should be backed up in a secure storage area, consistent with the process used for other plant licensing-related software and applications.
to AEP:NRC:5811-02 Page 16 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element BT/
The CCW functions quantified for the Loss of DC bus initiators Fault tree logic was reviewed and, previously omitted house events were QU-02/
have remarkably similar cutsets and frequency to those quantified added to the CCW initiator logic such that CCW pump starts were QU/
for the transient (with all systems available) event tree.
guaranteed failure for the applicable Loss of 250 VDC event.
QU-1 1/
Examination of the cutsets, for example for CCW-A, showed cutsets for failure of CCW pump A to start, which should not appear without DC power availability. Similar improper cutsets were found in CCW-B. It appears a house event structure for Loss of DC has been incorrectly developed in the fault trees T1his problem appears to be restricted to CCW.
This is significance Level B, because the inclusion of the correct dependencies in the solution could have a significant effect on the results. The affected functions are CCW and possibly ESW. AFW is not affected.
to AEP:NRC:5811-02 Page 17 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/The Internal Initiating Events notebook documents the development The methodology from NUREG/CR-5744 was adopted to calculate the QU-03/
of the ISLOCA initiating event frequency. When calculating the ISLOCA initiating event frequencies taking into consideration the QUI probability of failure of valves in series (i.e., RHR discharge and correlated data contribution for valves in series with the same data QU-l 1/
suction), the failure probabilities for valves with the same data distributions.
distributions were not correlated. Thie correct failure probability is dependent on the variance of the valve failure distribution, which can be quite large for valve rupture probabilities. The necessity of correlating variables is discussed in NUREG/CR-5744, "Assessment of ISLOCA Risk-Methodology and Application to a Westinghouse Four-Loop Ice Condenser Plant."
That NUREG also provides an overall ISLOCA evaluation approach that is generally accepted as more realistic than the approach used for CNP, addressing in more detail such factors as alternate pathways resulting from failures of other equipment (e.g.,
heat exchangers, relief valves) in the interfacing systems.
Given that ISLOCA is a significant contributor to LERF, and since the proper correlation has been shown in other studies to potentially increase portions of the ISLOCA frequency by a factor of as much as 8 or so, then this suggests the potential that LERF is understated.
Consideration of the approach used in NUREG/CR-5744 and related studies has the potential to affect the ISLOCA frequency as well.
to AEP:NRC:5811-02 Page 18 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
I&M Resolution Sub-Element B/
Some sequences involving the loss of CCW and ESW initiators do The observations and possible resolutions included in this F&O cover QU-04/
not appear to be correct. The sequences in question involve tripping several issues. Each is discussed below.
QU/
the RCPs, depressurizing the RCS to allow low pressure injection, QU-1 1/
and restoring CCW or ESW. Observations regarding these
- 1. The time. allowed for the operators to trip RCPs, following loss of sequences include the following:
CCW or ESW, has been revised to two minutes in all notebooks and this The operator action to trip the RCPs is based on having 10 minutes timing is used. in the analysis.
The Event Tree Notebook and HRA to perform the action after the indication of a loss of CCW. The Notebook have been revised to reflect this change and to be consistent governing abnormal operating instruction instructs the operators to with one another.
perform the action within 2 minutes. Although there is -
documentation that states that 2 minutes is conservative, no analysis Failure of the RCP breakers to open has been added to the fault tree used is provided. Hence, the basis for the HEP for this action is unclear.
for the RCP top event.
Even if the action is successful, there is a potential the pumps may not trip if the RCP breakers fail to open. The failure of the breakers
- 2. The accident progression in the Event Tree Notebook was revised to is not modeled.
reflect the use of FR-C.2 to initiate RCS cooldown with FR-C. I as a The action of depressurizing the RCS is based on a MAAP run that backup. Thie timing of the cues that cause the operators to enter these indicates the RCS can be depressurized in about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by procedures was confirmed with MAAP runs and this timing was performing a maximum-rate cooldown of the secondary using all incorporated into the HEPs that model the cooldown. The HRA notebook four SG PORVs. The case of a "normal" cooldown (apparently was also revised to reflect this timing.
credited in the event tree success criteria notebook) is shown to be not successful. We note that FR-C. 1 is the procedure that calls for a The capability of two out of four steam generator PORVs to complete maximum cooldown and would not be entered until the loss of depressurization and allow accumulator and RHR injection was confirmed cooling was detected. This would occur after the failure to with MAAP runs. These MAAP runs also removed the requirement for depressurize. Note that the MAAP analysis is based on availability pressurizer PORVs on depressurization.
of all four steam generators, whereas the model is only crediting flow to two steam generators. Thus, the top event modeling the
- 3. Recovery of ESW and CCW is modeled with fault trees that consider probability of depressurizing the primary appears to be incorrect.
the failure involved and these fault trees have been incorporated into the We also note that, given the initiators and the failure to trip the quantification process. Also, the MAAP runs mentioned above allow up reactor coolant pumps, these sequences would be similar to small to two hours to recover cooling to RHR pumps before core damage. Since to AEP:NRC:5811-02 Page 19 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element LOCA (RCP seal LOCA) sequences. Yet the CCW and ESW the RHR pumps are limited to 90 minutes of operation without CCW sequences as modeled involve totally different human actions for cooling, the time available to recover cooling water was extended to depressurizing.
90 minutes.
(Note that F&O SY-19 comments on the use of NSAC-1 61 (Reference 21) to recover CCW and ESW. The timing considerations addressed above may also affect those recovery estimates, which may be optimistic.)
The sequences appear to be systemically optimistic and could have a significant effect on the results. Since small LOCA sequences are very important, the different HEPs could be significant.
to AEP:NRC:5811-02 Page 20 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Subl.Element B/
QU-07/
QU/
QU-10/
OLI dependency issue with CSI:
The #2 and #3 core damage cutsets in the quantification involve small LOCA, failure of high head injection, and failure to depressurize to allow low head injection. Failure of the operator action to perform the cooldown and depressurization procedure is top event OLI in the SLOCA event tree. The HEP for the action in these top cutsets (an execution error) is assigned a value of 0.5. The HRA notebook indicates that this value is assigned because, depending on the break size, there is a reasonable possibility that while the depressurization actions are being performed, the RWST will reach low level (as a result of containment spray actuation, which occurs quickly in an ice condenser plant). The assumption is that the operators would then be distracted by the need to manually realign the ECCS pumps for sump recirculation. Thus, the depressurization action is treated as having a very high dependency on the actions for ECCS realignment to the sump (top event CSR, containment spray recirculation, in the event tree), even though there is a chance that the actions would be separated in time and performed by different members of the operating crew. The cognitive portion of both actions are also treated as dependent in the model.
The reviewers were concerned with several aspects of this modeling, particularly since it results in the #2 and #3 cutsets.
Failure of OLI results in core damage in the model. Thus, there would normally not be an execution error dependency modeled with CSR actions, since CSR is not asked unless OLI succeeds.
However, given that the timing of OLI is dependent on operation of containment sprays, the cognitive error dependency is certainly New cases were developed to model the dependency between RCS depressurization following failure of high pressure injection and the switchover to recirculation for small and medium LOCAs as well as consequential LOCAs such as those due to loss of CCW or ESW. The HEPs for these new cases are documented in the HRA notebook and consider the workload of the operators, the need to depressurize to allow low pressure injection, the procedure cues for initiating the depressurization and the timing of the switchover to recirculation. MAAP runs were performed to verify the timing of actions and events. The results of these runs used in evaluating the HEPs and updating the event tree structures for small and medium LOCAs as well as loss of ESW and CCW event trees. The results of these MAAP runs resulted in relaxing the requirement for pressurizer PORVs on depressurization and confirmed that two of four steam generator PORVs provide adequate capacity to depressurize at 100 degrees per hour and prevent core damage.
The Event Tree Notebook has been updated to reflect the results of the new MAAP runs and the impact of the results on accident progression. In particular, the procedures that the operators use to conduct the cooldown are now modeled as FR-C.2 primarily with FR-C. I as a backup. The cues that the operators use to initiate the cooldown are identified in the Event Tree Notebook accident progression and top event descriptions. The accident progression has been updated for small and medium LOCAs and loss of ESW and CCW event trees. Also the top event descriptions for depressurization have been revised for each of the above event trees.
Also, the timing available to recover CCW and ESW has been extended to 90 minutes based on the MAAP results. T'his revision has been incorporated into the top event description for CH1 and EHM.
to AEP:NRC:58 11-02 Page 21 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element appropriate. But it is not clear that the high dependency value assignment to the OLI execution error is appropriate, since the actions may have occurred prior to the need for CSR, and may be performed by separate members of the operating crew.
It appears from information in the HRA notebook that the same human actions and timing assumptions are being used for both small and medium LOCA. If it is the case that MLOCA timing is being applied to SLOCA, then perhaps better estimate timing analyses would be justified.
The issue of containment spray resulting in human action timing conflicts for SLOCA would, if it is valid, also appear to apply to consequential SLOCA scenarios, such as RCP seal LOCA following loss of CCW or loss of ESW event sequences. In those scenarios, however, the current event tree and fault tree models assume switchover to recirculation prior to recovery of CCW and associated depressurization actions. It may be that the scenarios and timing are distinctly different and would be handled via different procedural paths, but it isn't clear that it would always be the case that this is true.
Although the total impact of the various items noted above is not known, the apparent inconsistencies should be reviewed and resolved.
to AEP:NRC:5811-02 Page 22 Significance Level Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
A blanket statement is made in Assumption 5.1.1.6 in the SI System Fault Tree Modeling Guidelines were developed and implemented that SY-05/
notebook PRA-NB-SI that diversion flow paths are not considered include flow diversion considerations. A review of flow diversion paths SY/
if the diversion flow area is less than 10% of the main flow area.
has been performed on those systems included in the PRA model based on SY-17/
This general assumption is also in the RHR notebook PRA-NB-these guidelines and this review is documented in the revised PRA system RHR 5.1.1.10. This assumption is reasonable if the downstream notebooks. The specifics regarding inclusion and exclusion of potential pressure for the diversion flow path is roughly equal to that of the system flow diversions are addressed in Section 5.1 of each of the system main flowpath, but may not be if the diversion flowpath is at a notebooks, "Assumptions and Boundary Conditions." The 10% of flow much lower pressure as it may be for mini-flow lines. Diversion area criteria (or 1/3 diameter) included previously, as a general assumption flowpaths that adversely affect success criteria or timing of events in some of the system notebooks is no longer used for any of the system may have been inadvertently eliminated without justification.
models.
to AEP:NRC:58 11-02 Page 23 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
In a couple of places in the SI and AFW system models, component The CST inventory required to remove decay heat for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been SY-09/
hardware failures are not modeled explicitly because they are determined and the fraction of time that a CST contains less than this SY/
dominated by operator action failures. This approach is generally inventory has been determined to be 2.26%. The AFW fault trees have SY-61 acceptable per the peer review subelement criteria, but one case in been modified so that makeup to the CSTs is not required except for when the AFW model does not appear to be appropriate. A single basic the CST inventory is less than that required to remove decay heat for 24 event is used to model failures of the human actions and hardware hours. A firmer basis has been added to the AFW notebook to justify not to provide a suction source to the AFW pumps after the CSTs have explicitly modeling the hardware needed to provide CST makeup and been pumped dry (see assumption 5.1.1.18 in notebook PRA-NB-using a single human action to model the total failure to provide makeup.
AFW, which indicates that there could be only 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> worth of The value quantified for the original HEP was developed using standard, AFW capacity with CST at tech spec minimum level). This action accepted HRA methodology and is considered acceptable for the AFW has been assigned a very low failure probability (1E-5) and is models.
ANDed with failure to provide flow from the opposite unit AFW pumps through the cross-tie, effectively making this function an almost guaranteed success. Initiator impacts on the capability to provide a long-term suction source are also not considered, possibly resulting in this point estimate being non-conservative to a significant degree. Significant hardware failure impacts on success of this function may be missed, especially when initiator impacts are considered. The risk impact of hardware being unavailable for maintenance could also be underestimated because of this simplification.
to AEP:NRC:58 11-02 Page 24 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made ror clarity.)
Sub-Element B/
The pressure relief success criteria for ATWS is not based on the The ATWS pressure relief models (Gates GPOR500 and GPOR800 of the SY-IO/
total relief capacity, but on combinations of valves. For example, PORV fault tree) have been redone to be based on total relief capacity SY/
for some conditions, the success criterion is 3/3 pressurizer safety required (in terms of equivalent PORVs). The original success criteria SY-17/
valves, with no mention of the availability of the PORVs to provide provided only the Unfavorable Exposure Time for all SRV available and capacity lost if a safety valve fails to open. In the event a safety various combinations of PORVs available. This has been expanded to valve fails to open, 2 or more PORVs could provide an equal allow I SRV to fail if 2 additional PORVs are available since the capacity amount of pressure relief. More importantly, the fault tree results of an SRV is twice that of a PORV. Section 5 of the PORV notebook do not match the criteria as written in the system notebook. Cutsets (item 2 of the revised Section 5.3.1) has been revised to include the for PPRI show a fraction of time when I PORV is required and a development of the combination of failures of SRV and PORV that lead to fraction of time when 2 PORVs are required. The system notebook failure of pressure relief for an ATWS.
states that the two cases are l PORV and 0 PORV. Cutsets for PPR2 indicate a UET of 0.164 during which no amount of available The second part of the observation compares the fault tree results in the pressure relief is adequate. The ET notebook states that success PORV notebook for Unit I with the statements in the Event Tree notebook criteria for failure of MRI is 2 of 3 valves 27% of the time, I PORV for Unit 2. The two units have different PORV requirements. The results 16% of the time and 0 PORV 56% of the time. This is a level B, and the statements are both correct and consistent for each unit. Table L-1 because there seems to be inconsistency between the success of the Event Tree notebook has been revised to include the success criteria criteria and the implementation in the model.
for both units.
to AEP:NRC:5811-02 Pagte 25 Significance Level!
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B/
The fault trees have limited modeling of passive failures, functional Fault Tree Modeling Guidelines addressing the issues raised in this F&O SY-l 8/
failures and "subtle interactions". Thlere is little (or no) discussion were developed and implemented for each system included in the F&O SY/
of how these failures were represented in each fault tree.
resolution update. The Guidelines are provided below:
SY-7/
Guidelines for these items were found from the 1991 WPE production, but the guidelines do not appear to have been followed Specifically for each of the examples cited in the F&O:
in the update. For example:
A) The plugging failure mode is only assigned to filters in the
- a. Plugging has been added as a failure mode to all systems containing essential and non-essential service water system. Omission from raw lake water where plugging was not considered previously.
The other systems is not explained.
plugging failure mode was added to an appropriate functional pipe B) The only passive HX failure mode is rupture. Disposition of segment in the containment spray, CCW, RHR and diesel generator leak, plugging is not explained.
systems and the AFW room cooler ESW lines.
The addition is in C) Restoration errors (e.g., mispositioning) are only assigned to air accordance with the Fault Tree Modeling Guidelines.
Plugging was conditioning units in the AFW system and CCW and ESW.
adequately modeled for other systems per the guidelines.
Disposition of these failures in other systems is not explained.
D) Spurious actuation of systems and their effect is not discussed
- b. Failure modes for leak and rupture have been addressed for the CCW for many systems and ESW systems. This resulted in leak events being added to the models E) Need for mini-flow recirculation to preserve pump integrity for each of the systems. Rupture of heat exchangers has been added for during operation at shutoff heads is not discussed and often not the diesel-generator coolers and was previously included where necessary modeled - an example of this is the RHR model and notebook.
in accordance with the Fault Tree Modeling Guidelines F) Miscalibration errors are not modeled and not discussed.
Thnis is level B because it represents a possible deficiency over
- c. Failure to restore components after maintenance events is now multiple fault trees.
summarized in a Pre-Initiator section (new section 5.2) of each system notebook.
- d. Spurious operation was considered per the Fault Tree Modeling Guidelines and addressed in Section 5.1 of each system notebook.
- e. Changes were made in the HPR, 2HPR, LPI, and 2LPI fault trees to to AEP:NRC:5811-02 Page 26 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element I
I model the failures of the RHR pump recirculation valves (IMO-312 and
-322) to open when the RCS pressure is above the RHR pump discharge pressure. Failures of the valves include independent and CCF. House events were added to the model such that these valve failures would be applicable only during high-pressure scenarios.
- f. Miscalibration potential errors are evaluated in the Pre-Initiator section of each system notebook.
Those errors with the potential to impact system operation are evaluated in the HRA notebook and included in the ECCS, containment spray, containment isolation, and CCW system models.
The Guidelines The systems analysis (fault trees) should make every effort to include passive failures, functional failures, subtle failures and interactive failures.
While these failure modes will not have any significant effect on the random independent failure probabilities of the train (or maybe even the system), there are two reasons why the lesser failures should be included.
I") The lesser failures should be included because they may have common cause characteristics, which when taken altogether could be a significant source of system unreliability.
2nd) The lesser failure modes may relate to future reliability issues of the plant.
3rd) They may provide insight for generic failure issues 4th) they may actually improve insight into the operation of the system Tlhe following guidelines are provided for use in system modeling for the revision of the 2001 update of the CNP fault tree models.
I I
to AEP:NRC:5811-02 Page 27 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
I&M Resolution Sub-Element I.
- 1. Spurious actuation or false signals do not need to be modeled unless:
a) They have occurred in the past and have been shown to interfere with system operation.
b) They fail the function of the system in a time that allows no chance for recovery.
c) Spurious actuation would cause a non-recoverable failure.
- 2. Plugging of systems within the 24-hour mission time must be considered for raw water systems or contaminated systems. Also, plugging must be considered for any system involved in a system initiating event fault tree. If plugging is modeled, only one event per functional pipe segment should be included. The event can be attached to the pipe segment, valve, heat exchanger, or filter in the train.
- 3. Plugging of valves or piping is not modeled for a 24-hour mission time unless one of the following is true:
a) The valve or pipe is never flow tested.
b) The interval between flow tests is several years or more.
c) The valve or pipe is in a seawater, raw water or highly borated water system (borated to the extent that heat tracing is required to prevent precipitation and flow blockage).
- 4. Include passive failures that are likely to be important, e.g.,
common suction strainer blockage.
to AEP:NRC:5811-02 Page 28 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element
- 5. In general, piping and valve ruptures are not modeled for 24-hour mission times. Piping and valve ruptures should be included for mission times of one year or longer. If rupture is included, only one event per functional pipe segment should be included and can be attached to the pipe segment, valve, or heat exchanger, or filter in the train. Consideration should be given to human actions to isolate the rupture prior to significant system impact. Rupture events that would be included as internal flooding initiators should not be included.
- 6. Heat exchangers should postulate rupture, leak, and plugging.
The difference between leak and rupture is the following. Leak is a higher probability event and will not cause immediate loss of the system, but for leak rate on the order of 100 gpm, will cause loss of the train due to inventory problems or flooding problems.
Rupture is a much lower probability event, but will cause instant system loss.
- 7.
Modeling of diversion paths cannot rely strictly on the 1/3 diameter rule from WASH-1400 (Reference 22). Flow diversion which fails the function of the system must be considered for effect on flow, effect on inventory, and effect on flooding. The amount of flow diversion rather than the diameter of the diversion pipe must be considered. The effect on inventory for the mission time and whether the system is once-through or closed-loop must be considered.
- 8. Consider failures caused by insufficient NPSH in the pump suctions. Also consider failures cause by insufficient min-flow to AEP:NRC:5811-02 Page 29 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element during times of operation above the pump shutoff head.
- 9. Consider conditions of pump trip on pump run out caused by failure to control downstream pressure.
- 10. Component failure to restore (mispositioning) events need not be modeled if any of the following are true:
a) Auto-realignment of the component occurs when the system is
- demanded, b) Testing following maintenance would indicate a failure to restore, c) The component is not aligned away from its normal position during maintenance, d) Mispositioning is annunciated in the control room or is checked each shift or daily.
- 11. Include hydraulic backflow models where necessary.
- 12. Balance the model such that any loop can experience a LOCA and any SG can experience a tube rupture.
- 13. Ensure the models contain as a minimum:
a) CCF contributors, b) Test and maintenance unavailability, c) Operator errors that influence system operability (where appropriate),
d) False instrument signals that can cause failures of the system.
to AEP:NRC:58 11-02 Page 30 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element I
I
- 14. Ensure that dependencies for power and cooling are modeled in the fault tree.
- 15. Ensure potential degraded environments due to loss of room cooling, or steam line break is considered.
- 16. In modeling cross-tie from other unit, the unavailability of the other unit's equipment should be modeled in precise terms, inlcuding the functional inoperbility in shutdown modes. This includes T&M time in shutdown modes if the Tech Specs for shutdown are not the same as for power. Also, must consider dual unit success criteria for times when both units will require the system in question.
- 17. Human interactions can occur before an initiating event, when plant personnel affect availability and safety of the plant either by inadvertently disabling equipment during testing, maintenance, and calibration. These types of human interactions include testing, calibration, and maintenance errors that degrade system reliability. A review of each system should be performed to identify areas where the potential exists for human errors to occur prior to an initiating event and have a significant impact on system performance. As part of the review, all system actuation signals and sensors should be identified and evaluated to determine if an error prior to an initiating event could disable or degrade a mitigating function.
Performing this evaluation, HFEs, including dependencies and interfaces between HFEs and the capability of the operator to affect more than one to AEP:NRC:5811-02 Page 3 1 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element component, train or system, can be screened from further consideration when plant-specific evaluations show one of the following criteria are met:
- l.
No Impact on PRA 1A Not in PRA model.
lB No impact on (not relevant to) PRA top event (CDF or LERF).
lC No impact on component success criteria.
- 2.
Design Methods of Detection or Correction of Fault 2A Compelling indication such as an annunciator or monitor recognizable by operator before or during restoration back to service.
2B Component can be actuated or repositioned successfully upon an actuation signal.
- 3.
Multiple Administrative Methods of Detection and Correction of Fault 3A Operability test after maintenance or calibration AND verified on a periodic checklist (daily or more frequent).
3B Operability test after maintenance or calibration AND independent verification.
3C Independent verification AND the component is sealed.
3D System or component is re-aligned with a startup procedure.
J.
to AEP:NRC:5811-02 Page 32 Significance Level/
Observation No./
PRA Peer Review F&O I&M Resolution Element/
(Editorial changes have been madIe for clarity.)
Sub-Element
- 4.
No or Insignificant Impact on PRA Results 4A Insignificant contributor to PRA results.
- 5.
Hardware Failures (Used to Screen Historical Events)
.5A Manufacturing defect.
SB Error caused by instrument drift.
SC Resulted from equipment damage due to material defect.
The above criteria were developed from NUREG/CR-4772 (Reference 23). The criteria are presented in order of priority with those criteria presented first being the first criteria checked in the screening process in order to make the process more manageable and defendable.
to AEP:NRC:58 11-02 Page 33 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
I&M Resolution Sub-Element B\\
Recovery for ESW and CCW does not consider the cause of failure.
Both the ESW and CCW fault trees were modified to specifically address SY-19\\
The recovery factors are derived from NSAC-161 and applied to all the differing recovery probabilities for valve and pump failures, while the SY\\
system failures evenly. Different types of system failure modes ESW fault tree was modified to also consider recovery for strainer SY-24 would have different recovery probabilities. For example, plugging. Recovery of pump or valve failure requires operator actions mechanical pump failure is much more difficult to recover than that would be performed outside the control room. As a result, recovery valve Disposition. If passive failures such as plugging and pipe credit is limited to correction of only one of the potentially several rupture are included in response to other F&Os in this review, this recoverable valve or pump faults that may have resulted in failure of the problembecomes more acute. Since the recovery factors assigned system Recovery of plugged strainers can be accomplished by automatic to ESW and CCW are 0.58 and 0.06, respectively, they may action to shift the on-line strainer to the standby strainer. Since recovery significantly affect the CDF and should be carefully applied only of a plugged strainer is an automatic action, it is credited in all applicable where appropriate.
cutsets. System level recovery failures are no longer applied.
to AEP:NRC:5811-02 Page 34 Significance Level/
Observation No./
PRA Peer Review F&O T&M Resolution Element/
(Editorial changes have been made for clarity.)
Sub-Element B\\
TH-06\\
TH TH-5 The basic success criteria based on MAAP analyses were developed in the 1991/1992 time frame using the MAAP3 Code, Revision 17, mainly to support containment integrity determinations.
New success criteria have not been evaluated for later PRA updates, which retain the conservative bias of the IPE.
There are a number of known improvements in the modeling of accident sequences, from the MAAP3 Rev. 17 code version to the present MAAP 4.0.x code version. The most important model improvements from the perspective of developing system and operator action success criteria are those involving the steam generators and the pressurizer. The accident sequence features that rely on these models are the RCS cooldown and depressurization and the SG tube rupture recovery. While it appears that the success criteria used in the most recent PRA analyses are reasonable based on experience, some of the operator action times may change if based on a current analysis, and could impact the human reliability assessment results.
Further, a PRA used for risk-informed decisions regarding configuration and operation of the plant should reflect more realistic conditions than may be captured by Updated Final Safety Analysis Report-based success criteria. Consideration should be given to reviewing the total set of PRA success criteria to ensure that they reflect the current plant and are not overly conservative. Revisions to the success criteria and operator action times can directly impact the CDF and LERF quantification.
I&M did not perform a comprehensive re-analysis or re-validation of the success criteria. However, as the F&O specifically identifies RCS cooldown and depressurization as the most important success criteria, new analyses were performed to establish the timing for these success criteria based on a more modern version of MAAP (i.e., MAAP 4.0.5).
J.
J.
ATTACHMENT 3 TO AEP:NRC:58 11-02 SIGNIFICANCE LEVEL C AND D F&Os Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
Significance Level/
Observation No./
Obserint/
PRA Peer Review F&O Sub-Element (Editorial changes have been made for clarity.)
The documentation or separate specific guidance should be sufficient to provide a means to obtain equivalent results. However, that is not the C/
case for reproducing the lognormal distributions that describe the generic single and dual unit loss of offsite power frequency. The mean values IE/
derived are in the range of other generic estimates when the single and dual unit frequencies are added. The variance appears lower than other IE-3 generic estimates.
C/
A cross reference demonstrating how initiator categories from an acceptable source are applied to the initiator categories as quantified for the CE3 PRA was not located. We note that unanticipated transients are addressed, as is mapping of quantified categories to NUREG/CR-5750. Based IE on experience, it appears that all categories are accounted for, but such a cross reference would ensure completeness.
IE-7 A review of some systems for initiating event potential was performed to assess and document the possibility of an initiating event resulting from IE-4C support system failures. However, there is no discussion to indicate that a structured process was followed. The basis for excluding initiators is IE/
documented and reasonable. The systems retained seem reasonable.
IE-10 Large LOCA ET description describes "If gross containment failure occurs, it is assumed that steam released from the break in the RCS will be C/
lost from containment, all recirculation capability will be lost, and severe core damage can be expected to occur." This seems to imply that the AS-II ECCS failure is a long-term loss of sump inventory. The current modeling assumption is that the displacement of the containment structure fails AS/
the injection lines. Treatment as a loss of injection versus a loss of recirculation in this instance probably does not change the conclusion that AS-18 core damage occurs so late as to not qualify as part of LERF.
to AEP:NRC:58 11-02 Page 2 Significance Level/
Observation No./
PRA Peer Review F&O Sub-Element (Editorial changes have been made for clarity.)
C/
The medium LOCA event tree discussion on long term cooling states, "Success in this event to prevent core damage requires heat removal from one of the two RHR heat exchangers as well as one of the two CTS heat exchangers as this is the plant design basis." This statement seems to AS-2/
indicate that heat removal from two heat exchangers is required when in fact only one is required. This seems to be a documentation issue.
AS/
AS-18 There is an initiating event frequency for SLBO. There is not a corresponding SLBO event tree. The SLBI event tree discussion states that the ASC3/
SLBO is covered by the SLBI tree. The mitigation requirements of these events are different with respect to isolation and containment systems, AS-/
indicating that different event trees should be used. This is probably not a significant factor in the CDF/LERF calculations. However, some AS4 specific applications (e.g., precursor evaluation) may be impacted by the failure to capture the correct nature of the transient.
In the event tree for SBO, two AFW functions are asked successively - the first is AFT and then AFC. In AFT, the success criterion is flow to C/
2/4 steam generators. In AFC, the failure modeling for SG flow is that 2/4 valves remain open. But since only two valves may have opened for AS-4/
AFT success, it is necessary that the same valves be addressed in AFC. The existing logic does not require this correlation. For example, the A AS/
and C SG could succeed in AFC, and the B and D SG could succeed in AFT, thereby having "event tree success", when in fact the sequence should be failure in the combined view. This is level C, because, although there is a logic error, it will not have a significant affect on results.
There is no discussion of functional failure criteria for the event trees. Although all system success criteria are discussed and listed, the way the C/
system success criteria combine to provide the necessary safety functions is not discussed in the system notebooks. However, no inconsistencies AS/
in modeling of systems to meet the safety functions were identified. This is level C because no inconsistencies were identified.
AS-6 to AEP:NRC:5811-02 Page 3 Significance LeveV Observation No./
Element/
Sub-Element PRA Peer Review F&O (Editorial changes have been made for clarity.)
- 6.
C/
AS-6/
AS/
AS-18 The success criterion for feed and bleed is I CHP + I SIP + 2 PORV. This is conservative compared to the criterion used for some other 4-loop Westinghouse plants (typical is I CHP and I PORV, OR 1 SIP and 2 PORV). No explanation of the basis for the success criteria or sensitivity on results is available. Some other examples of potentially conservative success criteria:
Rather than success for small LOCA given injection/recirculation of one SI and one CC pump, any one of the four high and intermediate head pumps is likely adequate, though the number of loops receiving flow is likely impacted.
With one SI and one CC pump available, one PORV may be sufficient. With two PORVs open, any one of four high and intermediate head pumps may be adequate.
This is assigned a level C. It appears to be conservative as it stands; there may be a justifiable basis for the criteria, but it appears that they could be made more realistic by investigating some other success criteria combinations. The base case results may not be significantly impacted, but some other specific applications may become biased by the conservatisms.
After recovery of AC power, after SBO, the PRA asks for RRI. The requirement for RRI appears conservative without an obvious basis to support it. RRI is required after recovery from SBO, when the core is covered and AFW is operating. AFW is available at the time of recovery.
The fault tree for RRI1 has several individual HEPs for alignment of systems whose purpose is not obvious within the context of the sequence.
C/
There are individual HEPs for alignment of SI, CVCS, CSI, and AFW. In the scenario, AFW is operating, and AC power has been restored (with AS-9/
consideration of another potential operator error). If the RCS requires make-up, there will be an SI signal present, so the need for operator action AS/
for CVCS and SI is questioned. The same is true for CSI. There is no established need for CSI at this time in the sequence. Requiring operation AS-9 of these systems with the attendant greater action is conservative. The systems may not be needed or may be initiated automatically. The failure to restore RCS conditions after SBO may be much lower than modeled here. This is a level C because it is a conservatism that likely does not significantly affect the results.
to AEP:NRC:5811-02 Page 4 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Elem'ent The medium LOCA event tree analysis assumes that upon failure of AFW, feed and bleed is required. Additionally, two of three PORVs are assumed to be required. The medium LOCA break size range is typically defined such that included breaks are large enough such that decay C/
heat is removed via the blowdown through the break. Thus, success of AFW should not be required and feed and bleed should be unnecessary TH-/
for medium LOCA. There is no basis supplied in the notebook for the assumption that AFW/feed and bleed may be needed for medium LOCAs.
TH/
The stuck open SRV event tree is also treated as a medium LOCA but no requirement for AFW is included in this tree. The basis for the TH-4 requirement for cold leg accumulators is similarly not documented, and some PRAs have performed additional analyses to reduce/eliminate this requirement for medium LOCA. The observation notes a lack of traceability in the analyses supporting the success criteria. The assumptions appear to be somewhat pessimistic but are not likely to have a large impact on the baseline CDF/LERF estimates.
Documentation of the success criteria used is split between the event tree notebook and the success criteria notebook. These documents provide a good picture of the success criteria used and where to find the supporting bases. However, some of the supporting information (e.g., analysis results and plots) is missing, and this prevented a thorough review of the supporting documentation. In particular, the MAAP runs supporting the C/
containment overpressure evaluation for the large LOCA resulted in containment failure times that were evaluated as counterintuitive. The TH-2/
unavailability of plots and results for plant parameters other than the containment pressure prevented resolution of this concern. The success TH/
criteria documentation would be improved by providing hard copies of some additional output (e.g., plots) of plant specific analyses (MAAP TH-2 runs, etc.). This would improve the ability to evaluate not only the correctness of the conclusion, but also the reasonableness of the overall results by a review of the notebook. The hard copies of MAAP input files are available such that the runs should be reproducible, but the retention of the actual output generated is preferable to demonstrate that the conclusions reached are reasonable based on the analysis results.
There appears to be an inconsistency between the current event trees and the success criteria notebook text. Some sections reference particular endpoints of the event trees. The referenced endpoints do match up with the successes that are being verified. For example: Sections 3.0 and D/
3.1 of the success criteria notebook. References to event tree sequences 1 and 8 should be I and 5. References to sequences 21 and 28 should be TH-3/
20 and 27. Section 4.1 references endpoints 12 and 19 of the small LOCA tree, 27 and 29 would seem more appropriate. The DIS notebook TH/
references the event tree notebook for establishing that the success criteria for the system is one of two trains. This reference seems backwards in TH-9 that the system notebook should specify what is required for the system to work and should be referenced by the event tree analysis. Editorial changes.
to AEP:NRC:5811-02 Page 5 Significance Level/
Observation No.1 PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element Calculations and evaluations performed to determine the need for room cooling for the various equipment rooms containing equipment modeled in the PRA are generally available and referenced in assumptions in the IPE system analysis notebooks. In some cases, copies of the pertinent C/
memos are included in the notebooks. The information supporting the HVAC modeling decisions was generally available. But the current TH-04/
documentation process is such that the current notebooks refer to the IPE notebooks, which contain references to supporting memos, which TH/
reference supporting calcs. This makes it somewhat difficult to clearly trace the basis for the HVAC modeling. It might be helpful to create an TH-8 HVAC dependency notebook that displays all modeled HVAC requirements, and their bases, across systems modeled in the PRA. This would also allow a clear determination of the vintage and applicability of all such supporting calculations. This is a suggestion for making the bases for HVAC dependency modeling decisions clearer and more traceable.
The CEQ fans are not included in the hydrogen control evaluation for LERF estimation. A MAAP run was performed to verify that the containment pressure would not be excessive for hydrogen burns occurring in the absence of the fans. The pressure results are acceptable; C/
however, MAAP does not model the potential for detonation. Without the fans, hydrogen may collect to high concentrations in the ice condenser TH-5/compartment. With a burn initiated in the ICUP, propagation of the burn back into the ice condenser would occur. A white paper developed by TH/
FAI provides some discussion related to the difficulty of direct detonation or DDT in the ICUP. However, no specific discussion of a burn in the TH-4 ICUP propagating back into a hydrogen laden ice condenser is provided. Since, in the reviewer's experience, most ice condenser hydrogen analyses to demonstrate the effectiveness of igniters are performed with the fans operating, the CNP position may be unique. However, the LERF estimate would probably not change much if the success criteria were revised to include a requirement for a train of CEQ fans.
Unable to establish basis for the time available to actuate bleed and feed for transients without steam conversion. Table in Section 3.17.3 of C.
revision H to the HRA notebook gives the timing analysis for bleed and feed top events. No reference is provided for these times. No TH-8/
information on timing is available from the original HRA analysis. The times themselves do not appear unreasonable. However the times should TH/
be traceable back to a documented analysis.
There is a reference in notebook PRA-NB-ET to NUREG-1335 (Reference 24) as a source for sequence cutoff frequency guidance. This is not a C/
current reference, and consideration should be given to changing this to a more current reference such as RG 1.174 (Reference 6). This is TH-9/
primarily a documentation issue.
THI TH-5 to AEP:NRC:58 11-02 Page 6 Significance Level/
Observation No./
Element/
PRA; Peer Review F&O Sub-Element (Editorial changes have been made for clarity.)
The calculation for UET for ATWS pressure relief is documented in notebook PRA-NB-MISC, Rev. 1, Section 2.7. The calculation generally C/
follows the approach defined in WCAP-11992 (Reference 25). However, the calculated UETs are expressed as "fraction of cycle" without SY-01/
adjustment for use in annual CDF calculations, as specified in the WCAP. Since the fuel cycle length is greater than 12-months, use of values SY/
that are fractions of an 18-month cycle introduces an error into the annual CDF calculation. While it is important that the calculation be SY-13 consistent with an annual CDF quantification, and while the individual non-zero UET values could be affected significantly, ATWS is not a large contributor to CDF or LERF, so the error introduced into the overall PRA results is not likely to be large.
Notebook PRA-NB-PORV, Rev. I documents the various fault tree models for PORVs. Section 5.1 of this notebook describes assumptions and boundary conditions for the system logic models. (a) Assumption II defines the assumed probability that each of the PORV block valves is closed. The reference for the assigned values is a telephone conversation between the PRA group supervisor and a Scientech consultant, but no information is provided as to how the assigned probability was determined. (b) The probability assigned (0.1) is apportioned equally among each of the 3 PORV block valves, implying block valve closure for roughly 300 hours0.00347 days <br />0.0833 hours <br />4.960317e-4 weeks <br />1.1415e-4 months <br /> per year per valve. This probability appears to be high, given C/
the requirements in TS 3.4.11, which indicate that an individual block valve would not be closed for longer than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> without requiring plant SY-02/
shutdown. (c) The fault tree assumptions do not access the possibility that the PORV block valves could be closed and de-energized. This SY/
condition is allowed by TS 3.4.11, but requires that PORVs be in manual control. Per discussions with I&M PRA personnel, the block valve SY-22 closure probablilites referred to in item (b) are modeled as failing operation of the PORVs, effectively modeling the valves as being de-energized. (d) Assumption 9 (and the system description) indicates that each of two of the three PORVs has a backup air bottle that allows those PORVs to be operated in the event of loss of the normal air supply. There is no information provided to indicate that the bottled air supply is sufficient to allow PORV operation for the required mission time (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for bleed and feed). Based on discussions with I&M PRA group personnel, the above items appear to be inadequately documented assumptions rather than significant errors.
to AEP:NRC:5811-02 Page 7 Significance Level/
Observation No./
Element/
Sub-Element PRA Peer Rcviewv F&O (Editorial changes have been made for clarity.)
A.
D/
SY-03/
SY/
SY-13 Editorial Comments of AFW Notebook Assumptions: (1) The nominal mission time for AFW following transients (fault tree AFI) is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
General AFW fault tree assumption 18 (section 5.1.1 of notebook PRA-NB-AFW) states that the TS spec minimum allowable CST water level is sufficient only for a 9-hour supply. That assumption also notes that there are numerous options for operators to align alternative sources of water to the AFW pumps if necessary, that explicit modeling of all options is not warranted, and that therefore it is sufficient to model a single failure event (presumably failure to align alternative sources sufficient for the mission time). There is then a discussion about failure being modeled as an initial rupture of the CST early in the scenario, followed by an operator failure to provide any alternative supply. There appears to be a mixing of issues here. The AFI fault tree model includes both the logic as stated (i.e., CST failure AND failure to align alternate source quickly, if the opposite unit cross-tie also fails), and the logic as expected (i.e., failure to align alternate sources in the longer term). Hence, the modeling is correct, but the wording of the assumption could be improved. (2) In section 5.1.4, assumption 4 (and section 5.1.5, assumption 5), it appears that there is a typo in the last reference to "AFC", which should probably be "AFT." Editorial comments.
In the SI system notebook PRA-NB-SI, the success criteria by numbers of pumps ANDed and OR'd together for several different accident SC-04l scenarios listed as four bulleted paragraphs in Section 4.0 subsection a). There is, however, no tie that leads a reviewer to which accidents or SY/
scenarios the various combinations of success criteria apply. Simply listing the different combinations of pumps for required success without SY-25 specifying the scenarios to which they apply does not provide sufficient detail for reviewing or reproducing the evaluation.
C/
Although the high pressure injection fault tree includes individual failure of valves QMO-200 and QMO-201 to close to prevent flow diversion, SY-06 the CCF is not included. Closure of either of these series valves will result in preventing flow diversion for high pressure injection via the CC SY/
pumps, but a small portion of the failure of this action is missed if the common cause factor is neglected.
SY-8 DI The CNP PRA staff explained that systems with a normally running pump on one train are quantified for the average PRA model as if both SY-07/
pumps are in standby, then cutsets with both pumps failing to start are eliminated by "MEX"ing for appropriate initiators. The method is SY/
reasonable, but it is not explained in the SI Notebook where it is used for CC pumps. The MEXed event is also not listed in Table 12 with other SY-25 MEX events. This is only a documentation issue to help explain the quantification process for systems with a normally running pump.
to AEP:NRC:5811-02 Page 8 Significance Level/
Observation No./
PRA Peer Review F&O Element!
(Editorial changes have been ma(le for clarity.)
Sub-Element The notebook for containment spray states in assumptions 5.1.1.4 and.5 that plugging or fouling of the heat exchangers is not modeled, but D/
provides no basis. The reason is that on the ESW side (tubes), the ESW strainer failure probability already includes excessive fouling as a SY 08/
contributor. Strainer failure will cause loss of ESW cooling to the CTS heat exchangers and other systems. On the spray (shell) side, the water is SY/
either clean (from the RWST) or is strained through the containment sump strainers (during recirculation). The CCW notebook and EDG SYI25 notebooks do not discuss heat exchanger fouling in the assumptions at all. The model correctly accounts for potential ESW and CTS fouling but the documentation could be improved.
C/
CCF modeling for 250 VDC battery chargers was not included in the model. Assumption 5.1.19 in the 250 VDC notebook discusses common SY-12/
cause but offers no explanation as to why common cause was not modeled for the chargers. This is a modeling completeness item, but is not SY/
expected to affect the DC unavailability significantly.
SY-8 The documentation provides a reasonable basis for performing the system analysis and, in general, maintains consistency with proven C/
approaches. Other PRAs often include, in the system analysis documentation, a discussion of the potential for initiating events due to system SY-13/
faults, a discussion of spatial dependencies, and a table for components showing both support systems and the effect on the component of the loss SY/
of the support system This is a suggestion for documentation improvement, but there is no evidence that deviating from the above items has SY-2 manifested itself in errors in the systems analyses.
The only guidance available for systems analyses is the guidance from the IPE. The current system notebooks provide documentation of the C/
current analyses, but it is not clear that equivalent results could be obtained using the IPE guidance and the current PRA methodology and SY/
software. Current guidance should be available for each PRA element.
SY-3 to AEP:NRC:5811-02 Page 9 Significance Level/
Observation No./
Observao NPRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element The system notebook for the EDGs states that the capacity of the EDG day tanks will supply the EDGs for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Beyond this time the FOT system will be required to refill the tank so that the EDGs will run out to their 24-hour mission time. The implication in the notebook is that fuel D/
oil is included in the fail-to-run probability, but this is not stated explicitly where the other subsystems are listed. Lumping the FOT system into SY-15/
the EDG fail-to-run probability is appropriate as long as this is consistent with test data collection and with the generic data used for Bayesian SY/
updating. I&M PRA personnel provided information that EDG testing is always performed for a period well in excess of the fuel oil day tank SY-13 capacity, such that the FOT system is tested whenever the EDGs are tested, and it was further confirmed that the stated boundary assumptions for the available generic data (from INEEL report NUREG/CR-5497) are consistent with the modeling assumption. Although the statement that FOT is included in the EDG failure boundary for the generic data, it was determined on this basis that this is an editorial comment.
In the PORV fault tree for automatic operation (used in response to ATWS overpressure events), the hardware required for pressure sensing and C/
signal generation is not modeled. The appropriate sensors, transmitters, etc., should be included in the model. The model should be complete, SY/
but this is not likely to have a significant effect on results.
SY-12 Cross-tie for AFW from Unit 2 does not consider the need for AFW at Unit 2. The fault trees presume both motor driven pumps at Unit 2 are C/
available for supply to Unit I in the event the three pumps at Unit I fail. Thie TDAFWP at Unit 2 is presumed to be operable and supplying C 1/
Unit 2. Under some conditions, the Unit 2 TDAFWP may be out of service, may fail, or may not have the steam to operate. In such cases, it is SY-17/
likely that only I (or neither) opposite unit pumps would be available for Unit 1. ThIis is assigned level C because it will not likely change the SY/
results significantly. The AFW redundancy is high at CNP. However, some applications may find there is an effect if the dual unit success criteria are modeled.
D/
RHR notebook assumption 5.1.3.2 states that plugging of the containment sump screen does not need to be considered. However, tree LPR on page 8 has a sump screen plugging basic event: I-CMNT-SUMP-PL. Thie model correctly includes sump strainer plugging, the documentation is SY-20/
incorrect.
SY/
SY-25 to AEP:NRC:5811-02 Page 10 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element The data collection notebook provides a description of the criteria, in terms of evidence, for performing a Bayesian update. That guidance is as follows: "In addition, the analysis results for these items having zero failures were further examined. If the mean of a Bayesian update using a non-informative prior is greater than the mean of the generic prior, then it is concluded that there is not sufficient data to cause the reduction in the mean seen in Table II and the generic prior should be used." There is no justification provided for this conclusion. It is not consistent with NUREG-2300 (Reference 26) and NUREG/CR-4350 (Reference 27), Volume 6. From NUREG/CR-2300, "Noninformative priors are useful C/
when little or no generic prior information is available; they should not be used when there is no such information because they deliberately DA-01/
downgrade its role in the estimation process." RMOI Guidebook 2 provides guidance for CCF analysis and failure data collection & analysis DA/
methodology. In the guideline there is a set of rules related to the use of plant specific or generic data for the quantification. The basis for these DA-I should be better explained. There is another similar rule used in Rev 2 of notebook PRA-NB-DATA which is different from those in RMOI rule.
The guidelines for CCF data analysis in RMOI Guidebook 2 seems to not be used in Rev 2 of notebook PRA-NB-DATA. Level C is assigned for the comments for component failure data update, because the reviewers judged that the impact on CDF and LERF results due to the Bayesian updating criteria would not likely be significant in this case. The C significance is also assigned relative to the comments for CCF because, although the common cause guidelines do not seem to have been followed, the CCF groupings are reasonable and consistent with industry practice.
The method used to perform Bayesian updates is often described as moment matching. In this method, a lognormal distribution is mapped into a Beta function (for demand failures) or a Gamma function (for operating failures). The Beta and Gamma functions have a property that, when updated, produce a Beta or Gamma function whose parameters are completely described by the prior and the evidence (they are natural conjugates priors). Once the posterior Beta or Gamma functions are described, they are mapped back into a lognormal distribution. This process C/
is capable of producing erroneous results. NUREG/CR-4350, Volume 6, is the data development part of a PRA Course Documentation prepared DA-02/
for the NRC. Page 6-17 states: "The disadvantages of natural conjugate priors include the fact that they cannot be used if the form of the prior is DA/
specified in the generic data source. If a prior is specified, using natural conjugates is prohibited. Another disadvantage involves the sensitivity DA-2 to the choice of the prior, which may be important. In such cases, choosing a natural conjugate prior for convenience may lead to answers that are a little misleading." The NUREG goes on to point out that, for lognormal distributions, descretization or numerical integration must be used.
As indicated in NUREGICR-4350, the results in some cases may be misleading. However, the reviewers judged that the effect on the results of the process used is not likely to be significant in this case.
to AEP:NRC:5811-02 Page I11 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element General guidelines for test and maintenance data collection are provided.
However, the components and subsystems to be included in C/
maintenance basic event were not defined in the data collection sheets or in the data notebooks. Depending on the modeling, the component DA-03/
boundaries for test and maintenance data collection may be different from those for component failure data boundary. Without clear definition of DA/
the component boundary, there is a possibility of either double counting or missing maintenance events. However, it was judged that the impact DA-7 of this would not be significant because it appeared that major items that should be included in the boundary had been counted.
MGL parameters from Table 5-11 of NUREG/CR-5485 (Reference 4) were used to obtain CCFs for some components in the CNP PRA. In NUREG/CR-5485, a data set is provided (in Table 5-1 1) for use as prior distributions for Bayesian analysis when there is no data available for CCF analysis. The data presented in Table 5-11 was produced by combining CCF events of all different types of components and failure modes.
There are limitations on using such data. Such limitations are described in section 3.3.4.8 of NUREG/CR-4780 (Reference 5), which further recommends that such data should be used for screening purposes only. In the CNP PRA, generic values from Table 5-11 of NUREG/CR 5485 were used to determine the CCF probabilities of some check valves, without explanation of the basis. (CCF values for other check valves were C/
derived using parameters from another source, NUREG/CR 5497.) Table 9 of notebook PRA-NB-DATA Rev 2, indicates that non-staggered DA-04/
testing was assumed for some components, again without explanation of the basis. For the other components, there is no indication of which DA/
testing scheme was assumed. (An assumption of non-staggered testing generally results in larger MGL parameters than does a staggered testing DA-8 assumption.) CCFs are typically important contributors to the PRA results for nuclear power plants, so it is important to apply and provide the basis for selection of appropriate priors, and for assumptions regarding staggered vs. non-staggered testing. At least one of the reviewers felt that the significance of this observation should be "B," given the rationale above. I&M PRA personnel indicated that: they understood the individual issues identified; that the issues regarding assumptions were primarily documentation rather than results impacts; and that the issue of which generic data source is appropriate is generic and, to some extent, a matter of preference, and that they are comfortable with the approach they have used. The significance "C" has been assigned on the basis of this understanding, but I&M is encouraged to consider the suggested resolutions noted below.
to AEP:NRC:5811-02 Page 12 Significance LeveV Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element MGL parameters from Table 5-11 of NUREG/CR-5485 were used to obtain CCFs for some components in the CNP PRA. In NUREG/CR-5485, a data set is provided (in Table 5-1 1) for use as prior distributions for Bayesian analysis when there is no data available for CCF analysis. The data presented in Table 5-11 was produced by combining CCF events of all different types of components and failure modes. There are D/
limitations on using such data. Such limitations are described in section 3.3.4.8 of NUREG/CR-4780, which further recommends that such data DA-04/
should be used for screening purposes only. In the CNP PRA, generic values from Table 5-11 of NUREG/CR-5485 were used to determine the DA/
CCF probabilities of some check valves, without explanation of the basis. (CCF values for other check valves were derived using parameters DA-8 from another source, NUREG/CR-5497.) Table 9 of notebook PRA-NB-DATA Rev 2, indicates that non-staggered testing was assumed for some components, again without explanation of the basis. For the other components, there is no indication of which testing scheme was assumed. (An assumption of non-staggered testing generally results in larger MGL parameters than does a staggered testing assumption.) This is a documentation issue only.
C/
Rev 2 of notebook PRA-NB-DATA does not indicate that.a systematic approach was used to identify plant specific CCF groups. RMOI DA7 Guidebook includes a step describing CCF grouping, which looks reasonable but not as systematic as NUREG/CR-4780 suggests. A systematic DA/
procedure should be used to identify specific CCF groups. Incorrect grouping of CCFs can result in either under or over estimation of the actual DA-12 risk.
This subelement addresses the degree of conservatism in the unique unavailabilites discussed in Item 15. A grade of 4 for this subelement requires that the availabilities be developed to the state of the technology. That is not the case here, as a number of items are based on generic C/
values as compared to plant specific values. A grade of 3 indicates that the values should be conservative only for those contributors on DA-08/
non-dominant sequences. With some exceptions, that is the case here. The generic core uncovery times have been shown to be conservative at DA/
several plants that have performed plant specific analyses. There is also a specific case in this PRA (treatment of PORV challenges) where the DA-16 unique unavailability is not best estimate and the degree of conservatism is unknown. The unique unavailabilites, in the context of the current model, are judged not to have a significant effect on the results. This might not remain the case, however, if other parts of the model are changed.
to AEP:NRC:5811-02 Page 13 Significance Level/
Observation No./
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element Document was not signed by the reviewer indicated on the cover of notebook PRA-NB-DATA Rev 2. Somebody signed for the reviewer. Thus DA-09/
it is not clear the document has actually been reviewed by the reviewer. Also, the document has not been approved.
DA/
DA-18 CBDTM was used for quantification of the post accident cognitive errors. The decision trees and their values in EPRI TR-100529 (Reference 8) section 4 (and attachment A) were used for the quantification. However, CBDTM was originally proposed as a supplementary approach that should be used to check the validity of the extrapolation of a simulator based approach, HCR/ORE (section 4.1 of EPRI TR-100259). Section 6.2.2 of EPRI TR-100259 states that: "The preferred approach to estimate Pc, is to use simulator observations.... If all crews respond correctly HR-01/
in a timely manner, this data can be used in the HCR/ORE correlation approach... However, use of the method described in section 4 (CBDTM:
HR/
reviewer note) is recommended as a sanity check." Furthermore, a Note of Caution on page AT4-13 of EPRI-100259 states that: "The initial HR-1 numerical HEPs given in the decision trees are adapted from values given in NUREG/CR-1278 (Reference 9). The values given here are primarily for illustrative purposes. It is intended, and indeed recommended, that the analyst using this approach provide his own probability estimates based on his assessment of the importance of the different factors." Thus use of CBDTM alone may result in conservative and non plant specific HEP values. Use of conservative HEPs may shadow actual important risk contributors.
Table I in the Rev 2 HRA notebook is confusing for the following reason. It was described that cognitive error and execution error were C/
modeled as separate events (General assumption R in section 1.3), but Table I shows only a single value for each operator action.. The HRA HR-04/
notebook also does not have a summary of HRA methodologies used. For example, the decision trees used for CBDT methodology have not HR/
been presented; instead just the reference was quoted. There should be some additional explanation provided about what the Table is presenting, HR-28 to aid in understanding how the information is tied to the PRA model and results. Generally, a summary of the methodology, including key inputs and decision logic information, is an important part of the documentation to be included in the analysis notebook.
C/
A procedure which is less systematic than NUREG/CR-4780 was used to develop the component groups for common cause. No evidence could DE-Cl/
be found that plant specific operating experience was reviewed to ensure the grouping is applicable to the plant. This would be significance B DE-/
according to the sub-element DE-9 Subtier criteria. However, the groupings are reasonable (see sub-element DE-8), so it was assigned a C level DE-9 significance.
to AEP:NRC:5811-02
- Page 14 Significance Level/
Observation No./
PRA Peer Review F&O Sub-Element (Editorial changes have been made for clarity.)
C/
Multiple frequency truncation limits are used in the quantification for different events (to capture cutsets for each event without exceeding the maximum cutset limit), and their effects are documented. However, the demonstration of results convergence could be enhanced (i.e., using a QU-5 lower truncation cutoff). There is evidence that the model results tend to converge as the truncation is lowered.
QU-24 A formal search performed for unique or unusual sources of uncertainty not present in the typical or generic plant analysis is not sufficiently C/
documented for an effective review by the Peer Review Team. However, each event tree section provides a discussion of at least potential QU-6/
conservatisms. No sensitivity runs were made to gauge the effect of unusual sources of uncertainty. Although it is expected that the effect of QU/
these uncertainties will not significantly alter results or insights from the baseline model (except as noted in other F&Os addressing various QU/
7modeling and data observations), knowledge of these sources and their effect on the results may be important in performing risk-informed plant QU-27 applications.
D/
Editorial Comment: Section 3.0 reference to DG-1061 should be changed to RG-1.174. Editorial change.
L2-1/
L2/
L2-26 to AEP:NRC:58 11-02 Page 15 Significance Level/
ub-ervatont N l./
PRA Peer Review F&O Element/
(Editorial change's have been made for clarity.)
Sub-Element The plant has a unique containment failure mode which results in core damage after the containment fails. This failure mode can occur following loss of cooling of the containment sump. Thie impact of this containment failure mode has been evaluated with respect to the LERF. The conclusion that offsite protective actions would have directed evacuation of the surrounding population prior to core damage appears to be reasonable for most sequences. However, this conclusion may not be appropriate for large LOCA initiated sequences. The current success criteria require both RHR and CTS heat exchanger cooling for success. For a large LOCA sequence with only one RHR heat exchanger in C/
service and no CTS heat exchanger, the containment pressure is expected to rise and ultimately fail containment. For such a scenario, core L2-2/
cooling remains effective while the containment fails. The Emergency Classification Procedure (PMP-2080.EPP.101) Attachment 1, Fission L2/
Product Barrier Matrix, requires a loss of 2 fission product barriers and potential loss of the third for classification of a general emergency. For L2-8 the conditions described, there is no loss of the fuel clad barrier. The emergency classification should remain below the General Emergency classification. Therefore, no evacuation of the surrounding population is required to be recommended. While not explicitly required per the procedure, the EP training is to treat the high containment pressure as a loss of the containment barrier and the large LOCA as a potential loss of the fuel clad barrier. This would satisfy the general emergency conditions. The large LOCA initiating event is of such low frequency that no meaningful rise in the LERF would be expected. The current success criteria for the large LOCA may be conservative and more realistic modeling may reveal that only one heat exchanger is required.
At CNP, actions to depressurize the RCS (e.g., open PORVs) at the onset of core damage have been moved from the EOPs to the SAMGs. This C/
is different than the procedural guidance in effect at most plants. This change may impact the generic containment failure probabilities in the L2-3/
simplified LERF model, which implicitly include the likelihood of such action. This could be a potential reason for the generic probabilities not L2/
to apply on a plant specific basis. The potential impact of this difference should be evaluated. The impact is probably small, but should be L2-9 investigated.
to AEP:NRC:5811-02 Page 16 Significance Level/
Observation No.
PRA Peer Review F&O Element/
(Editorial changes have been made for clarity.)
Sub-Element Draft PRA Maintenance and Update Procedure 12-EHP-000-PRA-000 includes sections 4.5 through 4.14, which correspond to the PRA peer review technical elements. These sections specify that the various analyses must be performed according to the methodology defined in the associated analysis notebook (or in a desktop guide for the particular element, should such guides be developed). They also provide a list of C/
criteria for analysts to observe while performing the update. Each of these lists is the wording of the PRA peer review sub-elements for the MU-l/
particular element, per the Industry PRA Peer Review Process Guidance, NEI-00-02 (Reference 28). While there are important criteria in these MU/
lists, simply including the entire set of criteria may not be particularly useful to an analyst charged with performing the update. Some criteria are MU-3 specific, while others are general and subject to interpretation. This is by design in the peer review process, in which the review team is given some latitude in applying their knowledge and experience to various criteria, but may not be helpful as a procedure for maintaining a PRA. The procedure could be improved by focusing the list of criteria on key items with specific actions or directions for analysts.
J.
ATTACHMENT 4 TO AEP:NRC:5811-02 RESULTS OF CONTRACTOR VALIDATION OF F&O RESOLUTION AND ASSESSMENT AGAINST RG 1.200 Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
Provided below are excerpts from a June 1994 report, prepared by Framatome ANP, documenting their review of the CNP PRA. The excerpts document the Framatome review of the F&O resolutions and a gap assessment of the updated model compared to RG 1.200.
Summary of Gap Assessment Framatome ANP reviewed F&O resolutions for compliance with Regulatory Guide 1.200
[Reference 13] and ASME RA-Sa 2003 [Reference 29]. A detailed peer review was not performed. F&Os related to internal flooding (IF) were not reviewed because these will be addressed by AEP in a future update to the flooding model. A decision was made to delay disposition of the IF-related F&Os until the EPRI/industry internal flooding guidance document is available. There are 264 Supporting Requirements (SR) in the RG-1.200 (which essentially endorses the ASME PRA Standard with some minor clarifications provided).
Approximately 96 of the SRs (36%) were identified in the AEP F&Os. [not provided with this letter] documents the PRA gap assessment performed based on a check of the F&Os, PRA documentation and RG-1.200. Based on the assessment, the reviewers judge that in general, the PRA is sufficiently documented to warrant an overall Capability Category of II. However, the comments below should be considered by AEP for improvement of specific elements of the PRA model and to enhance overall compliance with RG-1.200.
Note:
The ASME Standard is currently undergoing revision to address use difficulties identified in a recent pilot application of the standard. An attempt was made at indicating (within Attachment 1) where the revisions to the standard are being proposed.
Gap Assessment Comments:
- 1. Basic Events - In many cases there is no description for the basic events or the description lacks sufficient detail to understand what the basic event is modeling. Example: there is no description for basic event R-BC-ABCDEFGHFR, a single event that leads to core damage.
Other examples include BFLSTRNPL and BUSBKR-ABCDEFGHFO, HIl-FAILURE-HE where an improved description is needed to gain an understanding of the model. Provide a complete and meaningful description for all basic events. Basic event descriptions should be included in the applicable systems analysis.
An example basic event description could include the following attributes:
to AEP:NRC:5811-02 Page 2
- Component ID
- Basic Event ID
- Component Description
. Failure Mode Basic Event Modeling Parameters Basic Event Value Source/Reference
- 2. Basic Events - Provide a clear description of the boundaries that make up each basic event. Such a description is provided only for the EDGs and is not provided consistently for other basic events.
The boundary description could be included within the basic event description.
- 3. Basic Events - There is inconsistency in describing dominant basic events in the systems analyses. For example, the CCW system notebook describes one of the most important contributors to system unavailability is "rupture" of the heat exchanger. However, the basic event modeled is "tube plugging" (section 7.3 - top gate GCCW300 and section 7.5 - top gate GCCWV500). The systems analyses should be reviewed to ensure that basic event terms are used consistently.
- 4. Systems Analysis AFW NP - Enhance the AFW system description and fault tree related to CST refill by adding a discussion about CST refill system boundaries, capacities and dependencies, and any potential CCF modes among the refill systems.
Model the HEP separate from the hardware. These changes should be considered for the Safety Monitor.
- 5. General Comment: Systems Analysis - F&O #SY-9 stated that in part, "In a couple of places in the SI and AFW system models, hardware failures are not explicitly modeled because they are dominated by operator action failures...." The thrust of this F&O was on the AFW system as related to the modeling of CST refill. However, there was no apparent disposition of the SI model for combining a human action with hardware failures into a single basic event. These single HEP basic events can sometimes mask importance/success of the related hardware.
- 6. Success Criteria - MAAP - Consider a review and update of MAAP analyses for success criteria pertaining to accident sequence development associated with SBO and RCP Seal LOCA. These types of sequences include the EDGs and will be important to the EDG-AOT application.
- 7.
Success Criteria - MAAP - Should explain the potential impact on the model and associated success criteria with regard to the conservative nature of MAAP analyses which assume a core damage temperature threshold of 1400F. The ASME standard refers to a core peak temperature of >2200F using a detailed core model.
This explanation would supplement the model conservatism discussions in the event tree notebook.
Attachnient 4 to AEP:NRC:5811-02 Page 3
- 8.
General Comment: Containment Isolation Model/LERF - Address if there are any phenomenological interactions that should be considered as potential failure modes of containment isolation. In the containment isolation model, AEP should consider accounting for the possibility of up to 200 hrs per year (2.3E-2) containment purge operation when purge valves could be open and could randomly fail to close on demand.
- 9. LERF Model - Containment Performance - Use of NUREG/CR 6595 for containment modeling is considered "conservative" and is considered by RG-1.200 to be Capability Category I. AEP should consider documenting/discussing realistic attributes of the model as a basis to argue for a Capability Category II.
- 10.
ISLOCA Systems Modeling - ISLOCA modeling should: (1) separate the human reliability (OIB) and hardware (valve) reliability when modeling potential isolation of the appropriate breaks, (2) address valve shutoff delta-P capability for valves credited for isolation, (3) valve failure rates indicative of functional degradation due to harsh environment for RHR pump seal failure events, (4) operations procedures should address remote manual isolation of ISLOCA events.
- 11. Computer Model Results - AEP should consider documenting the process used for independent review of computer code results as part of the PRA general guidance document.
- 12. Dependencies - The split fraction dependencies and corresponding values (basis) are not well documented or described in the report.
For example, top event CSR has 21 split fractions (each with a different value) identified in the CCW event trees. However, the only way to follow what the dependencies are and how the different fraction values are calculated, is to go to the WINNUPRA calculation files. Even using the WINNUPRA files, not all boundary conditions could be determined. We would recommend that all "split fractions,"
for example CSRO, CSR1, CRS2...CSRO-D, etc, are defined in a table in the corresponding event trees notebook, together with basis, boundary conditions and the values.
- 13. Initiating Events - A good justification is lacking for why earlier years of operational experience are excluded (207 trips) in the plant trip initiation frequency. Note, however, that these trips are accounted for when evaluating the PORV challenge frequency. This should be clarified.
- 14.
Event Tree Transfers - The number of considered transfers is too large; even very unlikely transfer events are modeled (<.lE-8/yr).
For example, the IE frequency for MLOCA, transferred from a loss of VDC is 8E-9/yr.
Even at this low frequency, this combined event is still modeled and there is an event tree associated with it. As a potential improvement, AEP should consider a reduction/elimination of low frequency transfers to simplify the model.
ATTACHMENT 5 TO AEP:NRC:5811-02 ABBREVIATIONS USED IN ENCLOSURES AND ATTACHMENTS AC AEP AFC AFT AFW AOT ATWS BE ID BFLSTRNPL BUSBKR-ABCDEFGHFO CBDTM CCF CC CCW CDF CEQ CHI CHP CI CNP Cond.
CSI CSR CST CTS CVCS Crit DC DDT Dep DIS ECCS EDG Eli EOC EOM EOP a "wild card" in an event tree alternating current American Electric Power (parent company of IMM) top event-SBO with failure of AFW to continue top event-SBO with failure of TDAFWP auxiliary feedwater allowed outage time anticipated transient without scram basic event identifier basic event-ESW pump discharge strainer plugging basic event-failure of all eight 4 kV nonsafety normal feeder circuit breakers cause based decision tree methodology common cause failure coolant charging component cooling water core damage frequency containment air recirculation/hydrogen skimmer top event-restore CCW coolant charging pump containment isolation Donald C. Cook Nuclear Plant conditional containment spray injection containment spray recirculation condensate storage tank containment spray charging and volume control system critical direct current deflagration to detonation transition dependency distributed hydrogen ignition system emergency core cooling system emergency diesel generator top event-failure to recover ESW system for loss to single unit CCW errors of commission errors of omission emergency operating procedure to AEP:NRC:5811-02 Page 2 EP EPRI ERF ESW OF F&O FOT FR-C.2 FR-C.1 F-V HCR HEP HFE HHSI HI 1-FAILURE-HE HRA HVAC HX I&M IE ICCDP ICLERP
]CUP INEEL IPE ISLOCA kV LER LERF LOCA LOCA ET LOSP LPR LSP/DLSP MAAP MEX MGL MLOCA MOV MRI MSIV NC NESW NPSH top event-SDG start and load within 13 minutes Electric Power Research Institute Emergency Response Facility essential service water degree Fahrenheit -
Facts and Observation fuel oil transfer CNP emergency procedure for response to degraded core cooling CNP emergency procedure for response to inadequate core cooling Fussell-Vesely human cognitive reliability human error probability human failure event high head safety injection basic event-failure to energize hydrogen igniters human reliability analysis heating, ventilation, and air conditioning heat exchanger Indiana Michigan Power Company initiating event incremental conditional core damage probability incremental conditional large early release probability ice condenser upper plenum Idaho National Engineering and Environmental Laboratory Individual Plant Examination interfacing system loss of coolant accident kilovolt large early release large early release frequency loss of coolant accident LOCA event tree loss of offsite power low pressure recirculation single unit LOSP/dual unit LOSP modular accident analysis program designated as mutually exclusive Multiple Greek Letter medium LOCA motor operated valve manual rod insertion main steam isolation valve no credit allowed non-essential service water net positive suction head to AEP:NRC:5811-02 Page 3 NRC ORE OLI OL2 Pc Pca Pcb Pcc Pcd Pce Pcf PC8 PCI' Pexe Pcog PORV PRA PSF Qd RAI RAW R-BC-ABCDEFGHFR Rec RCP RCS RG RHR RMOI RRI RR2 RWST SAMG SBO SDG SG SI SIP SLBO SLBI SLOCA SPAR-H SRV Nuclear Regulatory Commission Operator Reliability Experiment operator action to depressurize the RCS and initiate LPI RCS cooldown following loss of ESW/CCW probability of failure to initiate timely correct response cognitive failure mechanism a, data not available cognitive failure mechanism b, data not attended to cognitive failure mechanism c, data misread or miscommunicated cognitive failure mechanism d, information misleading cognitive failure mechanism e, relevant step in procedure missed cognitive failure mechanism f, misinterpret instruction cognitive failure mechanism g, error in interpreting logic cognitive failure mechanism li, deliberate violation execution portion of human error probability cognitive portion of human error probability percent power operated relief valve probabilistic risk assessment performance shaping factor probability of a challenge request for additional information.
risk achievement worth basic event-failure of all eight battery chargers recovered reactor coolant pump reactor coolant system Regulatory Guide residual heat removal Risk Management and Operations Improvement, Westinghouse Electric Corporation LLC Restore RCS Inventory Restore reactor inventory refueling water storage tank severe accident management guideline station blackout supplemental diesel generators steam generator safety injection SI pump.
secondary line breaks outside of containment secondary line breaks inside containment small LOCA Standardized Plant Analysis Risk Human Reliability Analysis safety relief valve to AEP:NRC:581 i-02 Page 4 SSC STA Tin2 T l1A, B, C, D T21A, B, C, D TI lA12, B2, C2, DI T21A12, B2, C2, DI TDAFWP Tdeiay THERP TM T&M TRA TS TMW UET VAC VDC WBMV-NRVS-CHALNG WXRV-SV-CHALNGD structure, system. or component Shift Technical Advisor operator crew median response time 4 kilovolt Unit 1 safety buses shown on Attachment 2 to this letter 4 kilovolt Unit 2 safety buses (similar to those shown for Unit 1 on to this letter) 4 kilovolt Unit 1 safety bus supply breakers shown on to this letter.
4 kilovolt Unit 2 safety bus supply breakers (similar to those shown for Unit 1 on Attachment 2 to this letter) turbine driven auxiliary feedwater pump delay time, i.e., the time elapsed before an operator reaches a required step in a procedure Techniques for Human Error Rate Prediction manipulation time, i.e., the time required to complete a required action once it has been identified test and maintenance transient with power conversion system available Technical Specifications thermal-hydraulic system time window unfavorable exposure time alternating current volts direct current volts basic event-pressurizer PORVs challenged after transient basic event-pressurizer safety valves are challenged
ATTACHMENT 6 TO AEP:NRC:5811-02 REFERENCES USED IN ENCLOSURES AND ATTACHMENTS
- 1. Letter from J. N. Jensen, I&M, to NRC Document Control Desk, 'Donald C. Cook Nuclear Plant Units I and 2 - Docket Nos. 50-315 and 50-316 - Extension of Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water," AEP:NRC:481 1, dated September 21, 2004 (ML042780478).
- 2. Letter from C. F. Lyon, NRC, to M. K Nazar, I&M, 'Donald C. Cook Nuclear Plant, Units 1 and 2 - Request for Additional Information Regarding License Amendment Request to Extend Allowed Outage Times (TAC Nos. MC4525 and MC4526)," dated January 18, 2005 (ML043650279).
- 3. Letter from J. N. Jensen, I&M, to NRC Document Control Desk, "Partial Response to Request For Additional Information Regarding License Amendment Request to Extend the Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water (TAC Nos. MC4525 and MC4526)," AEP:NRC:5811, dated March 18, 2005 (ML050890319).
- 4. NUREG/CR-5485, "Guidelines on Modeling Common-Cause Failures in Probabilistic Rislk Assessment," dated November 1, 1998.
- 5. NUREG/CR-4780, "Procedures for Treating Common Cause Failures in Safety and Reliability Studies," dated January 1, 1988.
- 6. RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis," Revision 1, dated November 2002.
- 7. RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," dated August 1998.
- 8. EPRI document EPRI-TR-100529, "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," by G. W. Parry, et. al., dated June 1992.
- 9. NUREG/CR 1278, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Final Report," dated: August 1,1983.
- 10. Letter from H. N. Berkow, NRC, to R. H. Bryan, Westinghouse Owners Group, "Safety Evaluation of Topical Report WCAP-15603, Revision 1, 'WOG 2000 Reactor Coolant Pump Seal Leakage Model for Westinghouse PWRs,' (TAC No. MB 1714)," dated May 20, 2003.
to AEP:NRC:5811-02 Page 2
- 12. Idaho National Engineering and Environmental Laboratory document INEEL/EXT 10307, "SPAR-H Method," dated November 2002.
- 13. RG 1.200, "An Approach For Determining The Technical Adequacy Of Probabilistic Risk Assessment Results For Risk-Informed Activities," dated February 1, 2004.
- 14. NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," Revision 0, dated January 1999.
- 15. NUREG/CR-5744, "Assessment of ISLOCA Risk-Methodology and Application to a Westinghouse Four-Loop Ice Condenser Plant," dated April 1, 1992.
- 16. NUREG/CR-5102, "Interfacing Systems LOCA: Pressurized Water Reactors," dated February 1, 1989.
- 17. NUREG/CR-5124, "Interfacing Systems LOCA:
Boiling Water Reactors,"
dated February 1, 1989.
- 18. NUREG/CR-5497, "Common-Cause Failure Parameter Estimations," dated October 1, 1998.
- 19. NUREG/CR-5750, "Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995,"
dated February 1, 1999.
- 20. NUREG/CR-4550, "Analysis of Core Damage Frequency: Sequoyah, Unit 1 Internal Events," dated February 2, 1987 through April 1, 1990.
- 21. NSAC-161, "Faulted Systems Recovery Experience," May, 1992.
- 22. WASH-1400, (NUREG-75/014), "Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," dated October 1975.
- 23. NUREG/CR-4772, "Accidents Sequence Evaluation Program Human Reliability Analysis,"
dated February 1 1987.
- 24. NUREG-1335, "Individual Plant Examination: Submittal Guidance, Final Report," dated August 1, 1989.
- 25. WCAP-1 1992, "Joint Westinghouse Owners Group/Westinghouse Programn Anticipated Transient Without Scram (ATWS) Rule Administration Process," May 1995.
- 26. NUREG/CR-2300, "PRA Procedures Guide, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," Volumes 1 & 2, dated January 1983.
to AEP:NRC:5811-02 Page 3
- 27. NUREG/CR-4350, "Probabilistic Risk Assessment Course Documentation,"
dated August 1, 1985.
- 28. NEI-00-02, "Probabilistic Risk Assessment (PRA) Peer Review Process Guidance,"
Revision A3, dated March 20, 2000.
- 29. ASME RA-Sa 2003, "Addenda to ASME Ra-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications," dated December 5, 2003.
- 30. Letter from C. F. Lyon, NRC, to M. K. Nazar, I&M, "Donald C. Cook Nuclear Plant, Units 1 and 2 - Request for Additional Information Regarding License Amendment Request to Extend Allowed Outage Times (TAC Nos. MC4525 and MC4526)," dated February 25, 2005 (ML050490440).
- 31. Letter from D. P. Fadel, I&M, to NRC Document Control Desk, "Response to Request For Additional Information Regarding License Amendment Request to Extend the Allowed Outage Times for Emergency Diesel Generators, 69 kV Offsite Power Circuit, Component Cooling Water, and Essential Service Water (TAC Nos. MC4525 and MC4526),"
AEP:NRC:581 1-01, dated April 7, 2005 (ML051020239)
- 32. Nuclear Management and Resources Council document NUMARC 93-01, "Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 2, dated April 1996.
- 33. NRC RG 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,"
- Revision 2, dated March 1, 1997.
ATTACHMENT 7 TO AEP:NRC:5811-02 CLARIFICATIONS REGARDING REQUEST FOR ADDITIONAL DETERMINISTIC INFORMATION Abbreviations and references are identified in Attachments 5 and 6 to this letter, respectively.
By Reference 30, the NRC requested additional information pertaining to deterministic aspects of the proposed amendment. I&M's response was provided by Reference 31. In a telephone discussion on April 28, 2005, members of the NRC staff requested clarification of certain information provided in that response.
The associated NRC question numbers from Reference 30 are identified below followed by the clarifying information.
Additionally, this attachment provides a new Unit 2 Current Technical Specification page to correct a typographical error in paragraph numbering.
Clarification of Response to NRC Ouestion 1 In Reference 31, I&M provided a commitment regarding communication with the system load dispatcher prior to an extended AOT. This commitment has been modified to be as follows:
Prior to entering an extended EDG or extended 69 kV circuit AOT, CNP personnel will hold discussions with the system load dispatcher to 1) ensure no significant grid perturbations are expected during the extended AOT, and 2) ensure that the system load dispatcher informs CNP, in accordance with established interface agreements, if conditions change during extended AOT such that significant grid perturbations do occur or become expected.
This revised commitment has been included in the list of commitments provided as Attachment 8 to this letter.
Clarification of Response to NRC Ouestion 2.F In Reference 31, I&M provided a commitment to designate the TDAFWP as guarded equipment during an extended EDG or extended 69 kV circuit AOT. Designation as guarded equipment will preclude rendering the TDAFWP inoperable for voluntary maintenance or testing.
Clarification of Response to NRC Ouestion 4 In Reference 31, I&M referenced a previous commitment to include the SDGs in the CNP Maintenance Rule program, which is based on NUMARC 93-01 (Reference 32) as endorsed by RG 1.160 (Reference 33). Additionally, the SDGs will be designated as High Safety Significant components in the CNP Maintenance Rule program. That program requires that performance criteria for High Safety Significant components correspond to a 95% success rate.
to AEP:NRC:5811-02 Page 2 Clarification of Response to NRC Ouestion 7 In Reference 31, I&M described plans for SDG quarterly load testing and testing of SDG automatic features every 18 months. In addition, I&M intends to routinely exercise the SDGs, on a nominal twice-per-month basis, by running the engine unloaded for several minutes. These exercises are intended to inhibit rust accumulation in the cylinder bores and bearing surfaces, thereby enhancing the reliability of the engines.
Replacement Technical Specification Pages This attachment provides a new Unit 2 Current Technical Specification page 3/4 8-1, with the proposed changes incorporated. This new page corrects an out-of-sequence paragraph number and replaces the corresponding page in Reference 31. This attachment also provides Unit 1 and Unit 2 Improved Technical Specification page 3.8.1-2 marked to show the proposed changes, and with the proposed changes incorporated.
These pages were inadvertently omitted from Reference 31.
3/4 LIMITING CONDITIONS FOR OPERATION AND SURVEILLANCE REQUIREMENTS 3/4.8 ELECTRICAL POWER SYSTEMS 3/4.8.1 A.C. SOURCES OPERATING LTMITING CONDITION FOR OPERATION 3.8.1.i As a minimum, the following A.C electrical power sources shall be OPERABLE:
- a.
Two physically independent circuits between the offsite transmission network and the onsite Class 1E distribution system, and
- b.
Two separate and independent diesel generators, each with:
- 1.
A separate day fuel tank containing a minimum of 70 gallons of fuel,
- 2.
A separate fuel storage system containing a minimum indicated volume of 46,000 gallons of fuel, and
- 3.
A separate fuel transfer pump.
APPLICABILITY:
MODES 1, 2,3 and 4.
ACTION:
- a.
With an offsite circuit of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the remaining A.C. offsite source by performing Surveillance Requirement 4.8.1.1.1.a within I hour and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter, restore at least two offsite circuits and two diesel generators to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
- b.
With a diesel generator of the above required A.C. electrical power sources inoperable, demonstrate the OPERABILITY of the A.C. offsite sources by performing Surveillance Requirement 4.8.1.1.1.a within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and at least once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter; and if the diesel generator became inoperable due to any cause other than an inoperable support system, an independently testable component, or preplanned preventive maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE diesel generator by performing Surveillance Requirement 4.8.1.1.2.a.4 within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, unless the absence of any potential common mode failure for the remaining diesel generator is demonstrated; restore diesel generators to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />, unless the following condition exists:
- 1.
The requirement to restore the diesel generators to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> may be extended to 14 days if both SDGs are verified available, and
- 2.
If at any time during the above identified 14-day period, one or both SDGs become unavailable, either restore both SDGs to available status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (not to exceed 14 days from the time the required diesel generator of LCO 3.8.1.1.b originally became inoperable), or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.
At the number of failures for the inoperable diesel indicated in Table 4.8-1 perform the Additional Reliability Actions prescribed in Table 4.8-1.
- Tanks are separate between diesels but shared between Units I and 2.
COOK~~~~~~~
~
~
~
~
_ULA PLN-UI 2_ae3481AEDMN 4,448 COOK NUCLEAR PLANT-UNIT 2 Page 314 8-1 AMENDMENT442,4-N,448,
AC Sources - Operating 3.8.1 ACTIONS
__K__If'%
v'd jI l t LCO 3.0.4.b is not applicable to DGs.
CONDITION REQUIRED ACTION.
COMPLETION TIME A. One required offsite circuit inoperable.
A.1
NOTE--------------
Not applicable if a required Unit 2 offsite circuit is inoperable.
Perform SR 3.8.1.1 for required OPERABLE offsite circuit.
AND A.2 Declare required feature(s) with no offsite power available inoperable when its redundant required feature(s) is inoperable.
AND A.3 Restore required offsite circuit to OPERABLE status.
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery of no offsite power to one train concurrent with inoperability of redundant required feature(s) 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND
- 6. days from discovery of failure to meet LCO 3.8.1.a orb J.
Cook Nuclear Plant Unit 1 3.8.1 -2 Amendment No.
AC Sources - Operating 3.8.1 ACTIONS N,OTE.
LCO 3.0.4.b is not applicable to DGs.
CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite circuit inoperable.
A.1
NOTE--------------
Not applicable if a required Unit 1 offsite circuit is inoperable.
Perform SR 3.8.1.1 for required OPERABLE offsite circuit.
AND A.2 Declare required feature(s) with no offsite power available inoperable when Its redundant required feature(s) is inoperable.
AND 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery of no offsite power to one train concurrent with inoperability of redundant required feature(s) 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND
&W days from discovery of failure to meet LCO 3.8.1.a orb A.3 Restore required offsite circuit to OPERABLE status.
Cook Nuclear Plant Unit 2 3.8.1-2 Amendment No.
AC Sources - Operating 3.8.1 ACTIONS NOTE-LCO 3.0.4.b is not applicable to DGs.
CONDITION REQUIRED ACTION
.COMPLETION-TIME A. One required offsite circuit inoperable.
A.1
NOTE--------------
Not applicable if a required Unit 2 offsite circuit is inoperable.
Perform SR 3.8.1.1 for required OPERABLE offsite circuit.
AND A.2 Declare required feature(s) with no offsite power available inoperable when its redundant required feature(s) is inoperable.
AND A.3 Restore required offsite circuit to OPERABLE status.
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery of no offsite power to one train concurrent with inoperability of redundant required feature(s) 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND 17 days from discovery of failure to meet LCO 3.8.1.a orb I
Cook Nuclear Plant Unit 1 3.8.1 -2 Amendment No.
AC Sources - Operating 3.8.1 ACTIONS KIfPrr-I-I JI
=___________________________________________________________-
LCO 3.0.4.b is not applicable to DGs.
CONDITION REQUIRED ACTION COMPLETION TIME A. One required offsite circuit inoperable.
A.1
NOTE--------------
Not applicable if a required Unit 1 offsite circuit is inoperable.
Perform SR 3.8.1.1 for required OPERABLE offsite circuit.
AND A.2 Declare required feature(s) with no offsite power available inoperable when its redundant required feature(s) is inoperable.
AND 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> from discovery of no offsite power to one train concurrent with inoperability of redundant required feature(s) 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND 17 days from discovery of failure to meet LCO 3.8.1.a orb A.3 Restore required offsite circuit to OPERABLE status.
I J.
Cook Nuclear Plant Unit 2 3.8.1 -2 Amendment No.
N ATTACHMENT 8 TO AEP:NRC:5811-02 REGULATORY COMMITMENTS The following table identifies those actions committed to by I&M in this document.
actions discussed in this submittal represent intended or planned actions by I&M.
described to the NRC for the NRC's information and are not regulatory commitments.
Any other They are Commitment Date CNP personnel will hold discussions with the system load Prior to entering an extended dispatcher to 1) ensure no significant grid perturbations are EDG or extended 69 kY circuit expected during the extended AOT, and 2) ensure that the AOT.
system load dispatcher informs CNP in accordance with established interface agreements if conditions change during extended AOT such that significant grid perturbations do occur or become expected.
The SDGs will be designated as High Safety Significant Prior to crediting the SDGs as components in the CNP Maintenance Rule program.