ML053130036


Technical Specifications Change 426 - Response to Request for Additional Information Regarding Revision to Diesel Generators Allowed Outage Time
Site: Browns Ferry
Issue date: 10/28/2005
From: Crouch W, Tennessee Valley Authority
To: Document Control Desk, Office of Nuclear Reactor Regulation
References: TAC MC5254, TVA-BFN-TS-426


Text

Tennessee Valley Authority, Post Office Box 2000, Decatur, Alabama 35609-2000

October 28, 2005

TVA-BFN-TS-426
10 CFR 50.90

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Mail Stop: OWFN P1-35
Washington, D.C. 20555-0001

Gentlemen:

In the Matter of Tennessee Valley Authority
Docket No. 50-259

BROWNS FERRY NUCLEAR PLANT (BFN) UNIT 1 - TECHNICAL SPECIFICATIONS (TS) CHANGE 426 - RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION REGARDING REVISION TO DIESEL GENERATORS ALLOWED OUTAGE TIME (TAC NO. MC5254)

This letter provides TVA's responses to the NRC request for additional information (Reference 1) regarding proposed Technical Specification (TS) 426.

On December 6, 2004 (Reference 2), TVA requested a TS change (TS 426) to revise the current Unit 1 diesel generators (DGs) TS seven day allowed outage time (AOT) to 14 days.

The purpose of increasing the AOT is to provide additional flexibility for preventive or corrective maintenance and repair of the DGs.

NRC requested additional information to support the review of the submittal.

The NRC requests and TVA's responses are enclosed.

TVA has determined that the additional information provided does not affect the no significant hazards considerations associated with the proposed amendment and TS changes.

The proposed amendment and TS changes still qualify for a categorical exclusion from environmental review pursuant to the provisions of 10 CFR 51.22(c)(9).

If you have any questions about this submittal, please contact me at (256) 729-2636.

I declare under penalty of perjury that the foregoing is true and correct. Executed on October 28th, 2005.

Sincerely,

William D. Crouch
Manager of Licensing and Industry Affairs

References:

1. NRC letter to TVA, dated August 30, 2005, "Browns Ferry Nuclear Plant, Unit 1 - Request for Additional Information Regarding Extended Allowable Outage Time for Inoperable Diesel Generator (TAC No. MC5254) (TS-426)."

2. TVA letter to NRC, dated December 6, 2004, "Browns Ferry Nuclear Plant (BFN) Unit 1 - Technical Specification (TS) Change TS 426 - Revision to Diesel Generators Allowed Outage Time."

Enclosure

cc (Enclosure):

State Health Officer, Alabama Dept. of Public Health, RSA Tower - Administration, Suite 1552, P.O. Box 303017, Montgomery, AL 36130-3017

U.S. Nuclear Regulatory Commission, Region II, Sam Nunn Atlanta Federal Center, 61 Forsyth Street, SW, Suite 23T85, Atlanta, Georgia 30303-3415

Mr. Stephen J. Cahill, Branch Chief, U.S. Nuclear Regulatory Commission, Region II, Sam Nunn Atlanta Federal Center, 61 Forsyth Street, SW, Suite 23T85, Atlanta, Georgia 30303-8931

NRC Senior Resident Inspector, Browns Ferry Nuclear Plant, 10833 Shaw Road, Athens, AL 35611-6970

Margaret Chernoff, Project Manager, U.S. Nuclear Regulatory Commission (MS 08G9), One White Flint, North, 11555 Rockville Pike, Rockville, Maryland 20852-2739

Eva A. Brown, Project Manager, U.S. Nuclear Regulatory Commission (MS 08G9), One White Flint, North, 11555 Rockville Pike, Rockville, Maryland 20852-2739

TENNESSEE VALLEY AUTHORITY (TVA)

BROWNS FERRY NUCLEAR PLANT UNIT 1

RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION REGARDING PROPOSED TECHNICAL SPECIFICATION (TS) TS 426 EXTENSION OF DIESEL GENERATORS ALLOWED OUTAGE TIME

BACKGROUND

On December 6, 2004, TVA submitted(1) a proposed change to the BFN Unit 1 TS.

The proposed change revised the current Unit 1 diesel generators (DGs) TS seven day allowed outage time (AOT) to 14 days.

The purposes of increasing the AOT are to provide additional flexibility for preventive or corrective maintenance and repair of the DGs and to make the Unit 1 TS DG AOT identical to Units 2 and 3. On August 30, 2005, NRC requested(2) additional information to support their review of the proposed change.

In order to provide a supporting context for TVA's response to NRC's questions, a discussion of BFN and its electrical systems configuration is provided below.

This discussion is followed by a response to each specific NRC request.

Browns Ferry is a three unit plant, with each unit being a General Electric (GE) Boiling Water Reactor (BWR) 4 with a Mark I containment.

As shown in Figure 1, the standby AC supply and distribution system for Units 1/2 consists of four DGs, four 4.16-kV shutdown boards, two shutdown buses, four 480-v shutdown boards, and eight 480-v Reactor Motor Operated Valve (RMOV) boards.

The standby AC supply and distribution system for Unit 3 consists of four DGs, four 4.16-kV shutdown boards, two shutdown buses, two 480-v shutdown boards, and five 480-v RMOV boards.

Both of these standby AC supply and distribution systems supply power to unitized Units 1/2 and Unit 3 electrical loads.

In addition to the unitized electrical loads, shared (common) systems are an integral part of the BFN plant configuration.

The shared systems which constitute safety related and non-safety related systems, are designed, maintained, operated, and systemically disbursed between Units 1/2 and Unit 3 to satisfy applicable single failure criteria, electrical load requirements, and operational flexibility.

(1) TVA letter to NRC, dated December 6, 2004, "Browns Ferry Nuclear Plant (BFN) Unit 1 - Technical Specification (TS) Change TS 426 - Revision to Diesel Generators Allowed Outage Time."

(2) NRC letter to TVA, dated August 30, 2005, "Browns Ferry Nuclear Plant, Unit 1 - Request for Additional Information Regarding Extended Allowable Outage Time for Inoperable Diesel Generator (TAC No. MC5254) (TS-426)."

Detailed discussions of the shared systems are given in Appendix F of the Updated Final Safety Analysis Report (UFSAR).

The safety related shared systems which are pertinent to the DG AOT evaluation are Residual Heat Removal Service Water (RHRSW), Emergency Equipment Cooling Water (EECW), Standby Gas Treatment (SGT), and Control Room Emergency Ventilation (CREV).

These shared systems are a part of the power supply and loads below.

The eight DGs provide a standby power supply used on loss of the Normal Auxiliary Power System.

Each of the DGs is assigned to one 4.16-kV shutdown board.

It is possible, through breaker ties to the shutdown buses, to make any DG available to any 4.16-kV shutdown board. Another physical feature for flexibility of operation is the provision made for the interconnection of 4.16-kV shutdown board A (Units 1/2) with 4.16-kV shutdown board 3EA (Unit 3).

Similar interconnections have been provided between boards B and 3EB, C and 3EC, and D and 3ED.

All AC loads necessary for the safe shutdown of the plant under non-accident and accident conditions are fed from this distribution system.

The power supply and loads associated with selected major safety-related components of the standby AC supply and distribution system for Units 1, 2, and 3 are provided below.

This presentation is structured to provide the information in a progressive fashion from the DGs to selected safety-related end devices. Note the term 'symmetrical' means each board of that type supplies that electrical load.

The term 'shared system board loading' is used to denote situations where the listed loads are not supplied by each of the boards of that type (typically supply shared system equipment).

UNITS 1 AND 2

Units 1/2 DGs -

Each DG can supply power to:

  • One Unit 1/2 4.16-kV shutdown board

Units 1/2 4.16-kV shutdown boards -

Each board can receive power from:

  • One Units 1/2 DG
  • Off-site power (through either of two shutdown buses)
  • Associated Unit 3 4.16-kV shutdown board

Symmetrical loading for the Units 1/2 4.16-kV shutdown board is:

  • One Unit 2 RHR Pump*
  • Normal supply for a 480-v shutdown board
  • Alternate supply for 480-v shutdown board(s)

* Only one RHR and one Core spray pump at a time.

Units 1/2 4.16-kV shutdown board shared system loading consists of:

  • Two 480-v Diesel Aux boards

Units 1/2 480-v shutdown boards -

Each board receives power from:

  • Units 1/2 4.16-kV shutdown board

Each 1/2 480-v shutdown board supplies:

  • Units 1/2 480-v RMOV board

Units 1/2 480-v RMOV boards -

Each board receives normal power from:

  • Units 1/2 480-v shutdown board
  • An alternate power supply from another Units 1/2 480-v shutdown board

Units 1/2 480-v RMOV boards supply:

  • Units 1/2 Emergency Core Cooling System (ECCS) valves

Units 1/2 480-v RMOV board shared system loading consists of:

Units 1/2 480-v Diesel Aux board -

Each board receives power from:

  • Units 1/2 4.16-kV shutdown boards

Units 1/2 480-v Diesel Aux board shared system loading consists of:

  • SGT Trains A and B

UNIT 3

Unit 3 DGs -

Each DG can supply power to:

  • One Unit 3 4.16-kV shutdown board

Unit 3 4.16-kV shutdown boards -

Each board can receive power from:

  • One Unit 3 DG
  • Off-site power (through each shutdown bus)
  • Associated Units 1/2 4.16-kV shutdown board

Symmetrical loading for each Unit 3 4.16-kV shutdown board is:

  • One Unit 3 RHR Pump
  • Normal supply for 480-v shutdown board
  • Alternate for 480-v shutdown board(s)

Unit 3 4.16-kV shutdown board shared system loading consists of:

  • A shared RHRSW Pump
  • Unit 3 480-v SGT board

Unit 3 480-v shutdown boards -

Each board receives power from:

  • Unit 3 4.16-kV shutdown board

Each Unit 3 480-v shutdown board supplies:

  • Units 1/2 480-v RMOV board

Unit 3 480-v RMOV boards -

Each board receives normal power from:

  • One Unit 3 480-v shutdown board
  • An alternate power supply from another Unit 3 480-v shutdown board

Unit 3 480-v RMOV boards supply:

  • Unit 3 ECCS valves

Unit 3 480-v RMOV board shared system loading consists of:

Board receives power from:

  • Unit 3 4.16-kV shutdown board

Unit 3 480-v SGT board shared system loading consists of:

  • SGT Train C

The standby AC supply and distribution system for Units 1/2 and Unit 3 is divided into redundant divisions, so that loss of any one division does not prevent the minimum safety-related functions from being performed by the remaining division.

Following the postulated loss of off-site power to the plant with three units operating at Extended Power Uprate (EPU) operating conditions, a total of three DGs are required to meet the AC power supply needs to support the safe shutdown of three units.

This configuration effectively allows the use of one DG per unit.

This will assure that for each unit one RHR Pump (suppression pool cooling), high pressure steam driven turbines (reactor vessel make-up), and one RHRSW Pump (RHR heat removal) are available.

This DG configuration will also be capable of supplying AC power to support operation of two common EECW Pumps (DG cooling, primary containment and reactor building heat removal).

Note that this three DG configuration would also support the required battery chargers to maintain the DC system requirements available throughout the postulated event.

The DC system loads are relatively small and involve control power for operation of the high pressure steam driven turbines for reactor vessel water level control, Main Steam Relief Valves for reactor vessel pressure control and control power for a limited number of components.


The BFN standby AC supply and distribution system operational flexibility permits the requirement of three DGs being satisfied by any three DGs of the eight DGs installed at BFN.

This capability is provided by the operational flexibility of the AC system including the physical configuration that provides for the availability of both normal and alternate remote manual transfers of power supply feeds for many of the electrical boards.

The BFN design basis also requires that TVA postulate a Design Basis Accident (DBA) coincident with a loss of off-site power. A DBA Loss of Coolant Accident (LOCA) event is postulated to occur in one of the three BFN units.

A loss of offsite power to the site, in combination with one active single failure, is assumed to occur with the LOCA event.

With this initiating event and assumed associated conditions, the onsite DGs provide all of the AC power requirements for the three BFN units.

The AC power supply requirements for the accident unit include two Core Spray and two RHR low pressure ECCS pumps and associated Motor Operated Valves (MOVs).

The two Core spray pumps provide reactor vessel water level control.

The two RHR pumps provide reactor vessel water level control and primary containment cooling (containment spray and suppression pool cooling modes).

The non-accident units would experience a reactor SCRAM (control rod insertion) and reactor vessel isolation (main steam isolation valve closure) due to the loss of offsite power.

Given these plant conditions, with high pressure ECCS injection capabilities [High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC)] and main steam relief valves for reactor vessel pressure control available, there is no need for immediate depressurization of the non-accident units.

Therefore, the major AC power demand for each non-accident unit would be an RHR pump for primary containment (suppression pool) cooling and for shutdown cooling (for long-term temperature control).

In addition to the RHR pump, the drywell coolers for primary containment atmosphere temperature control would be required.

Therefore, for the two non-accident units, one DG per unit is required to supply the necessary loads for one RHR pump and drywell coolers.


In addition to the unit specific loads necessary for shutdown of the accident unit and two non-accident units, several shared system loads must be supplied by the standby AC supply and distribution system.

These include RHRSW (one for each RHR pump), EECW (two for the plant), SGT (two trains for the plant), CREV (one for the plant), and battery chargers (DC power requirements for the plant).

Thus, the total AC power requirements for all three units would be four RHR pumps, two Core Spray pumps, four RHRSW pumps, two EECW pumps, drywell blowers for each non-accident unit, two SGT trains, one CREV train and various miscellaneous loads which include MOVs and battery chargers.

Each DG can electrically supply a minimum of one RHR pump, one Core Spray pump, one RHRSW (EECW) pump, drywell blowers, and small transient loads such as MOVs.

Based on the DG loadings described above, for the situation where the postulated LOCA occurs in Units 1 or 2, three of the four Units 1/2 DGs, and one of the four Unit 3 DGs are required.

For the postulated LOCA in Unit 3, two of the four Units 1/2 DGs and three of the four Unit 3 DGs are required.

These requirements would be accomplished given the physical arrangement and procedural controls in place at BFN.

With regard to TS requirements for multiple DGs being out of service, if two or more Unit 1 and 2 DGs are inoperable, Units 1 and 2 TS require TVA to restore all but one Unit 1 and 2 DGs to operable status within two hours or be in Mode 3 within 12 hours on Units 1 and 2. If two or more required Unit 3 DGs are inoperable, TS require TVA to restore all but one Unit 3 DGs to operable status within two hours or be in Mode 3 within 12 hours on Unit 3. In addition, the Units 1 and 2 TS require TVA to declare the required feature(s) supported by the inoperable Unit 3 DG inoperable when the redundant required feature(s) are inoperable within four hours from discovery and declare the affected SGTS and the CREVS subsystem(s) inoperable within 30 days.

The remaining operable DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Units 1 and 2. The 30 day completion time is commensurate with the importance of the affected system considering the low probability of a design basis accident in these conditions and the availability of the remaining power sources.


Additionally, the TS requires that if one or more required Unit 3 DGs is inoperable, TVA must declare the required feature(s) supported by the inoperable Unit 3 diesel generator inoperable within four hours and declare the affected common (shared) SGT and CREVs subsystem(s) inoperable within 30 days.

In this condition, the remaining operable DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Unit 1. As discussed in the TS Bases, the 30 day completion time is commensurate with the importance of the affected system considering the low probability of a design basis accident in these conditions and the availability of the remaining power sources.

Each of the Units 1/2 and Unit 3 TS require that if one or more DGs are inoperable, the unit(s) must be placed in a Limited Condition of Operation (LCO).

These TS requirements assure the availability of three DGs for three unit operation to mitigate a postulated loss of off-site power.

In summary, the Browns Ferry standby AC supply and distribution system for Units 1/2 and Unit 3 provides a redundant, independent, diverse and reliable supply of required electrical power to mitigate postulated events.


NRC Question:

1. This submittal states, on page E1-1, that the proposed change to the emergency diesel generator (EDG) allowed outage time (AOT) for Browns Ferry Nuclear Plant (BFN) Unit 1 is based on the prior request and RAI [Request for Additional Information] responses for EDG AOT extension for Units 2 and 3. This submittal also states, on page E1-13, that the impact of returning Unit 1 to operational status would be discussed; however, no such discussion was provided.

The Units 2 and 3 EDG AOT extension was based, in part, on the nonoperational status of Unit 1, and the availability of its EDGs to support Units 2 and 3. Please provide the necessary information and additional analyses which demonstrate that the conclusions of the prior risk analyses for extending the EDG AOT from 7 days to 14 days for Units 2 and 3 remain valid given the return of Unit 1 to operation.

TVA Response:

Historically, in 1986 an internal Condition Adverse to Quality Report documented a concern that the electrical systems and ECCS initiation logic could not accommodate various combinations of spurious and valid accident signals if Units 1 and 2 were both in-service.

Therefore, the restart of Unit 1 requires modifications to eliminate the potential for overloading a Units 1/2 4KV shutdown board or diesel generator when both Units 1 and 2 are in-service.

These modifications will reduce the number of ECCS subsystems that are actually available in response to certain design basis LOCA scenarios.

The modifications necessary to ensure the proper functioning of the ECCS initiation logic to preclude overloading a Units 1/2 4KV shutdown board or diesel generator when both Units 1 and 2 are in-service were approved by NRC in their review of TS 424(3). The return of Unit 1 to operation will not jeopardize the capability of the standby AC supply and distribution system to support safe operation of Units 2 and 3. The AC electrical system at BFN will continue to support the operation and event mitigation capability of Units 2 and 3 following the return to operation of Unit 1 and no additional on-site AC electrical equipment is required to support Unit 1 restart.

(3) NRC letter to TVA, dated April 1, 2004, "Browns Ferry Nuclear Plant, Units 1, 2 and 3 - Issuance of Amendments Regarding the Emergency Core Cooling Systems (TAC Nos. MB8423, MB8424 and MB8425) (TS-424)."

The major design concepts which were evaluated to support this conclusion include defense-in-depth, redundancy, independence, diversity and a risk-informed assessment.

Each is discussed below:

Defense-in-depth

The primary barriers consist of the fuel cladding, reactor pressure vessel, primary containment, and secondary containment.

The standby AC supply and distribution system plays an important role regarding the successful accomplishment of the requirements associated with these barriers.

The standby AC supply and distribution system is designed, constructed, and maintained such that the AC requirements for the protection of these barriers are accomplished.

These requirements supported by the AC system include water makeup to the reactor vessel, primary containment heat removal, and secondary containment environmental control.

The return of Unit 1 to operation does not jeopardize the ability of the standby AC supply and distribution system to meet the defense-in-depth principles and requirements.

Redundancy (single failure criteria)

As required by regulatory requirements, the standby AC supply and distribution system continues to satisfy the single failure criteria.

The current shutdown condition of Unit 1 necessitates meeting the single failure criteria for equipment providing functions supporting Unit 1 existing condition and ensuring that Unit 1 does not interfere with the safe operation of Units 2 and 3 including meeting the single failure criteria.

The single failure criteria applies to the three units for the current configuration and returning Unit 1 to operation does not change the physical electrical arrangements to assure continued compliance of the single failure criteria.

Independence

The return of Unit 1 to operation does not change the inherent design and operational independence of the standby AC supply and distribution system.

Unit 1 operation does not affect or change the physical arrangement of the plant barriers consisting of the fuel cladding, reactor pressure vessel, primary containment, and secondary containment.

Diversity

The diversity of the standby AC supply and distribution system is maintained with the return to operation of Unit 1. For the electrical system, diversity consists of multiple off-site power inputs, DGs, and interconnects at the various levels of the electrical supply system.

Unit 1 restart does not change the number of off-site power sources or the reliability of each source.

DG capability and reliability are not impacted by the restart of Unit 1.

In addition, the Unit 1 operating status does not change the physical configuration of the standby AC supply and distribution systems interconnects at the various levels of the electrical supply system.

Risk-informed assessment

The following risk-informed assessment reviews the potential impact on the major Probabilistic Safety Assessment (PSA) attributes associated with Unit 1 restart.

This includes initiating event frequencies, component and system reliability, operator response, success criteria, and PSA results.

Each is discussed below:

  • Initiating Event (IE) Frequencies

The Unit 1 return to operation does not change any of the IE frequencies for BFN.

IEs can be placed into two groups.

The first group is unitized IEs.

At this IE level, the postulated IE will not impact (i.e., scram, trip, isolate) the other units.

Unit 1 restart will not change the IE frequency associated with the Units 2 and 3 unitized IE frequency.

The other group is plant IEs.

These are the IEs that have the capability to initiate the event on all three units.

For example, the IE associated with the loss of off-site power at BFN does not increase with the restart of Unit 1.

  • Component and System Reliability

No increase in component failure rates is anticipated following Unit 1 return to operation.

Equipment operating limits, conditions, and ratings are not changed.

Existing plant equipment monitoring programs detect degradation if it occurs and corrective action(s) are taken in a timely manner.

  • Operator Response

The operator actions associated with unitized actions can be directly applied to Unit 1 with few, if any, changes.

For shared systems, the systems are presently operating in a shared mode of operation to support the operation of Units 2 and 3. The return to operation of Unit 1 does not change the operating characteristics of the shared systems.

  • Success Criteria

The success criteria associated with some of the shared systems are impacted by the return to operation of Unit 1.

These PSA impacts are extremely small due to the fact that BFN was originally designed, maintained, and operated with three units operating.

Unit 1 operation has no impact on some systems. An example of this situation is the SGTS.

The secondary containment configuration and geometry is presently maintained as it will be following Unit 1 operation, therefore, this consistent configuration requirement allows the success criteria to remain the same for the SGTS following Unit 1 operation.

The success criteria associated with individual components (i.e., pumps, fans, etc.) is not changed.

  • PSA Results

The BFN PSA models were originally used to develop the Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) values for Units 2 and 3 using the present operating configuration (Unit 1 shutdown, Units 2 and 3 operating).

These values were evaluated and the associated results used to support the approved extension of the DG AOT from 7 to 14 days for Units 2 and 3. Specifically, the PSA results were used to determine the CDF and LERF values for the 14 day AOT, change in CDF, change in LERF, percent CDF increase, percent LERF increase, Incremental Conditional Core Damage Probability (ICCDP), and Incremental Conditional Large Early Release Probability (ICLERP).

These results demonstrated for the current operating condition that the change due to extension of the 7 day DG AOT to 14 days was risk insignificant and well below NRC acceptance criteria specified in Regulatory Guides (RG) 1.174 and 1.177.

Subsequently, the Units 2 and 3 models were updated to reflect the addition of Unit 1 operating and the incorporation of enhancements and updated with later plant information.

The results of this work are provided in the following table:

|             | Previous PSA Results without Unit 1 Operating | Previous PSA Results with Unit 1 Operating |
|-------------|-----------------------------------------------|--------------------------------------------|
| Unit 2 CDF  | 2.624E-6                                      | 1.55E-6                                    |
| Unit 3 CDF  | 3.361E-6                                      | 2.76E-6                                    |
| Unit 2 LERF | 3.927E-7                                      | 3.51E-7                                    |
| Unit 3 LERF | 4.532E-7                                      | 3.84E-7                                    |

The change in Unit 1 from a non-operational status to an operational status has minimal impact on the Units 2 and 3 CDF and LERF results.

In addition, BFN has produced the Unit 1 PSA model representing a configuration of all three units operating and resulting in a calculated CDF of 1.77E-6 and LERF of 4.40E-7.

These CDF and LERF results were used to calculate the changes associated with extending DG AOT from 7 to 14 days for Unit 1. Again, the PSA results were used to determine the CDF and LERF values for the 14 day AOT, change in CDF, change in LERF, percent CDF increase, percent LERF increase, ICCDP, and ICLERP.

The acceptance criteria specified in RG 1.174 and RG 1.177 were met.

This model supports extending the DG AOT from 7 to 14 days for Unit 1.

The progression of model development at BFN has produced the opportunity to evaluate PSA models representing both Units 2 and 3 operating at EPU conditions (without Unit 1 operating) and Unit 1 (with all three units operating at EPU conditions).

These PSA results for Units 1, 2, and 3 reflect an understanding of the impact on the PSA created by the implementation of extending the DG AOT from 7 to 14 days.

In all cases, the changes due to extension of the 7 day DG AOT to 14 days were risk insignificant and well below NRC acceptance criteria specified in RGs 1.174 and 1.177.

Therefore, TVA concludes that the prior risk analyses for extending the EDG AOT from 7 days to 14 days for Units 2 and 3 remain valid given the return of Unit 1 to operation.

TVA has concluded that safe operation and shutdown continues to be assured and the extension of the DG AOT from 7 days to 14 days for Units 2 and 3 remains valid given the restart of Unit 1. This conclusion is based both upon a deterministic and probabilistic evaluation.

The deterministic evaluation approach addresses major design concepts that need to be considered with Unit 1 restart.

The discussion for each design concept concludes that Unit 1 restart with a 14 day DG AOT does not jeopardize safe operation and shutdown of BFN.

From a probabilistic perspective, each of the PSA primary attributes was assessed and the evaluation for each attribute demonstrated continued acceptable PSA results.

BFN has had the opportunity to evaluate the impact of extending the DG AOT from 7 to 14 days for a number of distinct situations.

Each time the PSA evaluations have demonstrated that the changes in CDF and LERF are insignificant and well below the applicable criteria.


NRC Question:

2. This submittal identifies, on page E1-16, a loss of offsite power (LOOP) frequency of 6.43E-3 per year for BFN, Unit 1, and that the value is based on generic industry data with a plant-specific Bayesian update.

Given that Unit 1 has been nonoperational for a significant period, it is not clear how plant-specific data could be applicable.

Please provide the following information:

a. Provide the details of the calculations of LOOP power frequencies applicable to the BFN probabilistic risk assessment (PRA) models, and for calculation of nonrecovery of offsite power, including the generic data source(s) and the plant-specific data, screening criteria applied to generic industry events, the time periods covered by the data, unit-specific differences or assumptions (if any), and how the non-operational status of Unit 1 was accounted in these calculations.

TVA Response:

Loss of Offsite Power Frequencies

The data from Units 2 and 3 was used as plant-specific data for Unit 1. Note that during the time period used for data collection (January 1996 to March 2003) there were no loss of offsite power or loss of station power (LOOP or LOSP) events at BFN.

BFN Units 1, 2 and 3 are a common facility with a common switchyard.

Even though Unit 1 has been in a non-power production mode, several Unit 1 systems and components have remained operational both to support fuel pool cooling and Units 2 and 3 operation.

At the time of restart, Unit 1 will be the same functionally as Units 2 and 3. All three units will have the same UFSAR and operators will be licensed on all three units.

Therefore, it is appropriate to use Unit 2 and 3 LOOP data for Unit 1.

To ensure there is a common understanding of terms, a LOOP (or LOSP) is defined in the PSA as the concurrent loss of the 500kV systems and the 161kV systems.

In this situation, AC power is supplied by the onsite DGs.

For BFN, the Station Blackout (SBO) is defined as the complete loss of AC power to one unit and limited AC power provided onsite by DGs to the other two units.

The calculation of LOOP frequencies is based on the BFN design in which there are no dependencies between the 500kV system and the 161kV system with respect to plant-centered and switchyard events.

Complete dependencies are modeled for grid and severe weather events.

The BFN PSA partitions loss of offsite power events (sustained loss of offsite power for more than 2 minutes) into four categories of IEs:

  • Loss of the 500kV supply to a single unit (L500U),
  • Loss of the 500kV supply to the plant (L500PA),
  • Grid related LOSP events (LOSPG), and
  • Severe weather related LOSP (LOSPW).

Note that LOSPG and LOSPW events are combined to form the initiator LOSP.

For completeness, a fifth initiating event category is also used, momentary loss of offsite power (MLOSP).

Momentary loss of offsite power events are those events that are recovered either manually or automatically in less than two minutes, as defined in NUREG/CR-5496(4). Momentary loss of offsite power events do not require the modeling of the emergency diesel generators, but require modeling of the restart demand for any operating equipment powered from the emergency buses.

For all other initiating events, top events representing the 500kV system (OG5) and the 161kV system (OG16) are questioned.

The approach used to evaluate these top events is consistent with the discussion in the previous paragraph.

There have been a number of publications prepared by or for the NRC related to LOSP frequency and recovery times.

They are summarized as follows:

It documents the findings of technical studies performed as part of the program to resolve the "Station Blackout," Unresolved Safety Issue A-44.

Important factors analyzed include: LOSP frequency, reliability of emergency AC power supplies, capability and reliability of decay heat removal systems independent of AC power, and the likelihood of restoring offsite power before core damage could be initiated.

4 U.S. Nuclear Regulatory Commission, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996," NUREG/CR-5496, November 1998.

5 NUREG-1032, "Evaluation of Station Blackout Accidents At Nuclear Power Plants," June 1988.

The effects of different switchyard designs, plant locations, and operational features on the estimated station blackout events are also addressed.

NUREG-1032 can be seen as definitive in addressing station blackout, and subsequent studies were based on the format and structure developed in NUREG-1032.

  • INEEL/EXT-97-00887 was published in November 1997.

Its primary objective is to update the NUREG-1032 LOSP frequency and recovery time, using plant event data from 1980 to 1996.

It also extends the scope by considering LOSP events at shutdown.

  • NUREG/CR-5496 was published in November 1998 as the final version of INEEL/EXT-97-00887.

Generic Data

The BFN PSA models use the data and information from NUREG/CR-5496 to develop prior distributions.

NUREG/CR-5496 continued the practice from NUREG-1032 of classifying LOSP events into one of the following categories:

Plant-centered LOSP events are those in which the design and operational characteristics of the plant itself play a role in the likelihood of LOSP.

Plant-centered failures typically involve hardware failures, design deficiencies, human errors (maintenance and switching), and localized weather-induced faults (lightning and ice), or combinations of these types of failures.

Switching or repairing faulted equipment at the site can recover plant-centered failures.

Grid-related LOSP events are those attributed to the intrinsic grid unreliability.

Grid unreliability has traditionally been the most prominent factor associated with a loss of offsite power at nuclear power plants.

Factors affecting recovery include the existence and implementation of appropriate procedures and the capability and availability of power sources that can supply power during grid blackout.


Severe weather LOSP events occur due to local or area-wide storms.

Severe weather only includes weather events that cause severe or extensive damage at or near the site.

In such cases, the recovery time is relatively long due to the extensive repair work required.

Severe weather does not include weather events that do not cause extensive damage and therefore does not affect the recovery time.

Such events may be classified as either grid-related or plant-centered LOSP events.

The following paragraphs describe the development of frequencies for LOSP, MLOSP, L500U, and L500PA events based on the data in NUREG/CR-5496.

The sustained plant-centered frequency is partitioned into L500U and L500PA frequencies.

Sustained grid-related and severe weather events are mapped into LOSP events.

The momentary frequencies from grid-related, severe weather and plant-centered events are combined into the MLOSP frequency.

Table 2A-1 provides the results of the analysis.

Plant-Centered L500U (single unit) and L500PA (entire plant, multi-unit) Frequency

The plant-centered events are further partitioned into sustained and momentary events.

The momentary events are included in the MLOSP initiating event and only the sustained plant-centered events (i.e. L500U and L500PA) are considered here.

Table B-4 in NUREG/CR-5496 lists the industry distribution that was developed for sustained plant-centered LOSP events.

This reference constitutes the generic data used.

The process for developing the sustained plant-centered event distributions is as follows:

In step 1, calculate a generic industry beta factor for L500PA events by assuming the occurrence of L500PA events can be modeled as the fraction of sustained plant-centered LOSP events that result in loss of power to more than one unit, at multi-unit sites.

This is analogous to the event by event reviews performed to derive common cause hardware failures.

For step 2, develop the generic industry (sustained plant-centered) distributions for L500U and L500PA by using the beta factor calculated in step 1 and the sustained plant-centered LOSP distribution in step 1. In step 3, perform Bayesian updates on the generic distribution to develop plant specific distributions for L500U and L500PA.

The generic industry frequency distribution for sustained plant-centered events in Table B-4 of NUREG/CR-5496 is a gamma distribution with α = 1.844 and β = 46.12 and a mean of 4.00E-2 per year.

The next step is to calculate a common cause beta factor for plant-centered LOSP events.

Only the statistics for multi-unit sites are used in the development of the beta factor.

The common cause beta factor is then estimated as 2N2/(N1+2N2), where N1 is the number of events affecting only one unit and N2 is the number of events affecting two or more units.

As shown in Table 2A-2, N1 is 26 and N2 is five.

Thus the point estimate for the LOSP beta factor is approximately 0.278.

The resulting generic prior distributions are presented in Table 2A-3.

Plant-Specific Data

Between late 1984 and mid 1985, all three units were shut down and have undergone substantial changes to design, equipment, maintenance, procedures, and operating policies.

It was judged that the old data (prior to this shutdown period) are not applicable to the BFN units, so only data from the period following the shutdowns are used in the development of initiating event frequencies.

Due to the fact that the NUREG/CR-5750 is used as the source document and since that document includes all LERs through 1995, the initiating event collection starts in 1996.

All three units are similar in design (with respect to initiating events) and Unit 1 will be operated with similar procedures and management philosophy as the other units.

Unit 1 has been shut down during the entire period since mid 1985.

Hence, there is no Unit 1 initiating event data available.

Unit 2 and Unit 3 data through March 2003 are pooled to form a pseudo plant specific database for Unit 1. There are a total of 13.78 calendar years of data for Unit 2 and Unit 3 combined between January 1996 and March 2003.


Since the frequencies in NUREG/CR-5750 are given in terms of critical hours, the calendar years for BFN must be converted to equivalent units.

Browns Ferry total critical hours is estimated from two sources(6)(7).

A criticality factor of 0.944 is the average of Units 2 and 3 during the years 1996 through 2002.

Historical losses of offsite power events are recorded in the database regardless of plant power level.

In the actual event sequence quantification, the initiating event categories related to losses of offsite power [i.e. loss of offsite power (LOSP), loss of 500-kV line to a single unit (L500U), loss of 500-kV line to the plant (L500PA), and momentary losses of offsite power (MLOSP)] are modified by a scalar factor of 0.944 to account for the average plant availability factor over the data collection period.

The resulting, updated distributions for losses of offsite power are indicated in Table 2A-4.
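The beta-factor split of the generic plant-centered prior and the zero-event update of the priors, as an added example that is not part of TVA's submittal. It assumes the standard conjugate gamma-Poisson update (posterior alpha = prior alpha + events, posterior beta = prior beta + exposure), which is consistent with the Beta column of Table 2A-4; the class and function names are illustrative, and all results are per critical year, before the availability scaling described above.

```python
import math
from dataclasses import dataclass


def reg_lower_gamma(a, x):
    """Regularized lower incomplete gamma P(a, x), summed as a power series."""
    if x <= 0.0:
        return 0.0
    term = total = 1.0
    n = 0
    while term > 1e-16 * total:
        n += 1
        term *= x / (a + n)
        total += term
    log_front = a * math.log(x) - x - math.lgamma(a + 1.0)
    return min(1.0, total * math.exp(log_front))


@dataclass(frozen=True)
class Gamma:
    alpha: float  # shape, dimensionless
    beta: float   # rate parameter, in years of exposure

    @property
    def mean(self):
        return self.alpha / self.beta

    def scaled(self, k):
        # If X ~ Gamma(alpha, beta), then k*X ~ Gamma(alpha, beta / k).
        return Gamma(self.alpha, self.beta / k)

    def updated(self, events, exposure_years):
        # Poisson likelihood with a gamma prior stays gamma.
        return Gamma(self.alpha + events, self.beta + exposure_years)

    def cdf(self, rate):
        return reg_lower_gamma(self.alpha, self.beta * rate)

    def quantile(self, p):
        # Bisection on the event rate; the cdf is monotone in the rate.
        lo, hi = 0.0, self.mean
        while self.cdf(hi) < p:
            hi *= 2.0
        for _ in range(200):
            mid = 0.5 * (lo + hi)
            if self.cdf(mid) < p:
                lo = mid
            else:
                hi = mid
        return 0.5 * (lo + hi)


def ccf_beta_factor(n_single, n_multi):
    """2*N2 / (N1 + 2*N2), the point estimate quoted in the text."""
    return 2 * n_multi / (n_single + 2 * n_multi)


def split_plant_centered(generic, beta_factor):
    """Return (L500PA, L500U): multi-unit fraction and single-unit remainder."""
    return generic.scaled(beta_factor), generic.scaled(1 - beta_factor)


# Prior (alpha, beta) pairs as listed in Table 2A-3.
PRIORS = {
    "LOSPG": Gamma(3.14, 1048.3),
    "LOSPW": Gamma(0.197, 37.93),
    "L500PA": Gamma(1.84, 165.9),
    "L500U": Gamma(1.84, 63.9),
    "MLOSP": Gamma(8.24, 1078.7),
}
EVENTS = 0        # no LOOP/LOSP events in the data window
EXPOSURE = 13.78  # pooled Unit 2 and Unit 3 years, January 1996 to March 2003


def posteriors():
    return {name: g.updated(EVENTS, EXPOSURE) for name, g in PRIORS.items()}


if __name__ == "__main__":
    bf = round(ccf_beta_factor(26, 5), 3)
    pa, u = split_plant_centered(Gamma(1.844, 46.12), bf)
    print(f"beta factor {bf}, L500PA beta {pa.beta:.1f}, L500U beta {u.beta:.2f}")
    for name, g in posteriors().items():
        print(f"{name:7s} alpha={g.alpha:<6} beta={g.beta:8.2f} "
              f"mean={g.mean:.2e} 5%={g.quantile(0.05):.2e} "
              f"95%={g.quantile(0.95):.2e}")
```

With zero observed events the shape parameter is unchanged and only the rate parameter grows, so the update can only pull each mean downward.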

Non-Recovery of Offsite Power

The non-recovery of offsite power is accounted for in the sequence models via top events [EPR30] and [EPR6].

These top events account for the time-dependent failure of the DGs.

Of interest here is the portion of the recovery model related to recovery of power from offsite sources.

No credit is given for recovery of the failed DGs.

Generic, industry data representing the time to recovery from a LOSP at nuclear power plants for actual incidents that occurred from 1980-1996 caused by plant-centered losses, grid losses, or severe weather losses have been documented in NUREG/CR-5496.

Earlier analyses(6) of the nuclear plant incidents through 1985 categorized plant-centered causes of offsite power failure into three plant groups, depending on the plant design factors regarding independence of the offsite power sources, and automatic and manual transfer schemes for class 1E buses.

The later analysis of plant incidents through 1996 in NUREG/CR-5496 indicates no statistically significant unit-to-unit variability for the plant-centered initiating events and recovery times, and hence, this trend was not modeled.

6 Web address: www.nrc.gov/NRR/OVERSIGHT/ASSESS, June 6, 2003.

7 Tennessee Valley Authority, "Browns Ferry Nuclear Plant Scram Database," updated as of March 31, 2003.

U.S. Nuclear Regulatory Commission, "Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-Site Power Incidents at Nuclear Power Plants," NUREG/CR-5032, January 1988.

Therefore, as shown in NUREG/CR-5032, the frequency of offsite power non-recovery is obtained or interpolated from the values used to represent the figures and data for the recovery of offsite power due to plant-centered, weather, and grid-related causes.

Plant specific data was not used to adjust the generic industry curves for offsite non-recovery.

The values used in the analysis for these three curves are reported in Table 2A-5.

For intermediate times, linear interpolation is used to obtain the non-recovery probability.

Times Available for Offsite Power Recovery

The Modular Accident Analysis Program (MAAP) code was used to determine reactor vessel water level as a function of time, given successful scram and main steam isolation valves close but no high-pressure reactor vessel injection.

Specifically, following the loss of offsite power, DGs fail to start and reactor vessel makeup was considered not to be available from Reactor Feedwater, HPCI, RCIC, or the Control Rod Drive Hydraulic Systems.

That calculation indicated that a reactor vessel level equivalent to one-third core height is reached in approximately 55 minutes.

The 30-minute recovery window was defined to allow sufficient time (approximately 25 minutes) to permit manual realignment of power supplies after offsite power is recovered.

The LOSP event is an integral part of the BFN operating procedures (Abnormal Operating Instructions [AOIs]) and associated operator training program.

The second recovery time is for the likelihood of offsite power recovery within six hours.

The ability of HPCI or RCIC to maintain vessel level is limited to the four hour life of their respective batteries. A MAAP analysis was performed to determine reactor vessel level as a function of time.

In that analysis, vessel injection was terminated at four hours.

The calculation indicated that a vessel level equivalent to one-third core height is reached in an additional time of approximately two and a half hours.

The six hour recovery window was defined to allow sufficient time (approximately 30 minutes) to permit manual realignment of power supplies after offsite power is recovered.

Again, these actions associated with the LOSP event are an integral part of the BFN operating procedures (Abnormal Operating Instruction) and associated operator training program.

For these two time intervals, non-recovery of offsite power is of interest for the recovery of offsite power from plant-centered causes, grid-related causes, and from losses caused by severe weather.

The non-recovery of offsite power from plant-centered causes is used to represent the non-recovery of 500kV power to one unit and that from severe weather is used to represent the non-recovery of 500kV power to Units 1, 2 and 3. The non-recovery from grid-related causes is used to represent the total loss of the grid (500kV and 161kV) to multiple units.

In the electric power recovery model, the total time available for recovery following a loss of offsite power is the sum of the time to failure of onsite electric power (when the DGs are lost) plus the time available after HPCI and RCIC are lost.

Units 1, 2 and 3 will be functionally identical upon Unit 1 recovery.

There are minor differences between the units.

These differences do not affect the IE categories or their frequencies.

The success criteria are also identical.

There is a difference between the units with respect to the RHR cross-ties between the units.

While Unit 2 can be cross-tied to either Unit 1 or Unit 3, Units 1 and 3 can only be cross-tied to Unit 2. Apart from those differences, design and operational features do not affect recovery actions, human actions, or human action probabilities.

The PSA models for each of the three units are structured to completely reflect the design, maintenance, and operation associated with the loss of offsite power.

Both industry data and plant-specific data have been used to accurately reflect the anticipated failure rates that BFN will experience.

In addition, the approach used in the PSA models is consistent with procedures and operator training.

TABLE 2A-1 BROWNS FERRY GENERIC PRIOR LOSS OF STATION POWER (LOSP) FREQUENCY DISTRIBUTIONS (PER CALENDAR YEAR)

| Category | Mean | Distribution |
|---|---|---|
| Sustained LOSP | | |
| Severe-Weather LOSP | 5.20E-3 | Gamma (0.197, 37.93) |
| Grid-Related LOSP | 3.00E-3 | Gamma (3.14, 1048.3) |
| Sustained L500PA | | |
| Total Sustained L500PA | 1.11E-2 | Gamma (1.844, 165.9)(1) |
| Sustained L500U | | |
| Total Sustained L500U | 2.89E-2 | Gamma (1.844, 63.88)(2) |
| Momentary MLOSP | | |
| Plant-Centered MLOSP | 3.82E-3 | Gamma (4.50, 1178.6) |
| Severe-Weather MLOSP | 2.39E-3 | Gamma (2.50, 1048.2) |
| Grid-Related MLOSP | 1.43E-3 | Gamma (1.50, 1048.2) |
| Total Momentary MLOSP | 7.64E-3 | Gamma (8.24, 1078.7)(3) |
| Total LOSP | 5.58E-2 | |

(1) Gamma(1.844, 46.12) scaled by 0.722 (1 - beta factor).

(2) Gamma(1.844, 46.12) scaled by 0.278 (beta factor).

(3) Best fit distribution for the sum of the three types of MLOSP.

TABLE 2A-2 MULTI-UNIT STATION LOSS OF STATION POWER (LOSP) EVENTS

| Multi Unit Station | Single Unit LOSP Events | Multi-Unit LOSP Events |
|---|---|---|
| Arkansas | 0 | 1 |
| Beaver Valley | 1 | 1 |
| Braidwood | 1 | |
| Browns Ferry | 0 | |
| Browns Ferry | 0 | |
| Brunswick | 2 | |
| Byron | 0 | |
| Calvert Cliffs | 0 | 1 |
| Catawba | 1 | |
| Comanche Peak | 0 | |
| Cook | 1 | |
| Diablo Canyon | 1 | |
| Dresden | 2 | |
| Farley | 0 | |
| Hatch | 0 | |
| Indian Point | 1 | |
| Lasalle | 1 | |
| Limerick | 0 | |
| McGuire | 3 | |
| Millstone | 1 | |
| Nine Mile Point | 0 | |
| North Anna | 0 | |
| Oconee | 1 | |
| Palo Verde | 2 | |
| Peach Bottom | 0 | |
| Point Beach | 1 | |
| Prairie Island | 0 | 1 |
| Quad City | 1 | |
| Salem | 0 | |
| San Onofre | 1 | |
| Sequoyah | 0 | 1 |
| South Texas | 0 | |
| St. Lucie | 1 | |
| Surry | 0 | |
| Susquehanna | 1 | |
| Turkey Point | 2 | |
| Vogtle | 0 | |
| Zion | 1 | |
| Totals | 26.00 | 5.00 |
| LOSP Beta Factor | 0.278 | |

Note: Events in this table were extracted from Table C-1 of Reference 1 (events with '" in the "Initiator" column at multi-unit sites).

TABLE 2A-3 GENERIC PRIOR DISTRIBUTIONS

| BFN IE | Description | Prior Mean (per calendar year) | Gamma Alpha (no unit) | Gamma Beta (critical years) |
|---|---|---|---|---|
| LOSPG | Loss of Offsite Power Grid Related | 2.85E-03 | 3.14 | 1048.3 |
| LOSPW | Loss of Offsite Power-Weather Related | 4.93E-03 | 0.197 | 37.93 |
| L500PA | Loss of 500kV to Plant | 1.1E-02 | 1.84 | 165.9 |
| L500U | Loss of 500kV to One Unit | 2.7E-02 | 1.84 | 63.9 |
| MLOSP | Momentary Loss of Offsite Power | 7.26E-03 | 8.24 | 1078.7 |

TABLE 2A-4 BFN INITIATING EVENT PLANT-SPECIFIC UPDATES AND POSTERIOR DISTRIBUTIONS FOR LOSSES OF OFFSITE POWER

| BFN IE | Description | Prior Mean (per calendar year) | BFN Data: No. of Events | BFN Data: Exposure Time (critical years) | Posterior Mean (per calendar year) | Posterior Alpha | Posterior Beta (critical years) | Posterior 5th %ile (per calendar year) | Posterior 95th %ile (per calendar year) |
|---|---|---|---|---|---|---|---|---|---|
| LOSPG | Loss of Offsite Power - Grid Related | 2.85E-03 | 0 | 13.78 | 2.81E-03 | 3.14 | 1062.08 | 7.96E-4 | 5.82E-3 |
| LOSPW | Loss of Offsite Power-Weather Related | 4.93E-03 | 0 | 13.78 | 3.62E-03 | 0.197 | 51.71 | 2.98E-9 | 1.9E-2 |
| L500PA | Loss of 500kV to Plant | 1.1E-02 | 0 | 13.78 | 9.73E-03 | 1.84 | 179.68 | 1.55E-3 | 2.4E-2 |
| L500U | Loss of 500kV to One Unit | 2.7E-02 | 0 | 13.78 | 2.3E-02 | 1.84 | 77.68 | 3.59E-3 | 5.5E-2 |
| MLOSP | Momentary Loss of Offsite Power | 7.26E-03 | 0 | 13.78 | 7.17E-03 | 8.24 | 1092.48 | 3.61E-3 | 1.2E-2 |

TABLE 2A NON-RECOVERY PROBABILITIES DERIVED FROM DATA PRESENTED IN NUREG/CR-5496

| Hours After Offsite Power is Lost | Plant-Centered Events | Weather Related Events | Grid Related Events |
|---|---|---|---|
| 0 | 1 | 1 | 1 |
| 0.8333 | 0.3999 | | |
| 1.667 | 0.23351 | 0.783 | 0.99617 |
| 2.5 | 0.15758 | | 0.52875 |
| 3.333 | 0.11487 | 0.59622 | 0.34578 |
| 5 | 0.069683 | | 0.19429 |
| 6.667 | 0.04699 | 0.38391 | 0.12848 |
| 10 | | 0.2708 | 0.07010 |
| 13.333 | | 0.20214 | |
| 16.667 | 0.010696 | 0.15685 | 0.03091 |
| 21.667 | | 0.11287 | |
| 35 | 0.004368 | 0.08491 | 0.01361 |

NRC Question:

b.

Typically, the PRA for multi-unit sites will distinguish between a site LOOP and a single unit LOOP, which impacts the required number of diesel generators (DGs) that must function, and provides different options to recover offsite power using operating units.

Provide details regarding how the BFN PRA models address this issue, including the frequency of these initiating events, differences (if any) between the units with regards to unit LOOP frequency, differences in offsite power nonrecovery probabilities used for unit and site LOOP, and differences in success criteria for DGs.

TVA Response:

Additional information is provided above, in response to Question 2a.

In summary, each of the individual Units 1, 2 and 3 PSA models distinguish between a site loss of offsite power and a single unit loss of offsite power.

The PSA is scenario-based; that is to say, the PSA traces the possible sequences of events starting with an initiator, articulates possible responses of plant systems and appropriate operator actions, and ends in either success or a LERF / Non-LERF plant state.

The characterization of the endstate of a sequence is specified in terms of successful operation of frontline systems that question required mitigating actions including human action(s), reactor vessel level and pressure control as well as heat removal.

The number of DGs available for a unit is therefore dependent on the individual scenario, including whether the scenario is of a multiple unit nature.

The consideration of the likelihood of recovery of offsite power (at 30 minutes and at 6 hours) distinguishes between plant-centered events and non-plant-centered events.

Initiating event frequencies are also given in the response to question 2a.


NRC Question:

c.

Discuss how the LOOP initiating event frequency and recovery probabilities reflect the Northeast blackout of August 2003.

TVA Response:

The freeze date for the Unit 1 PSA effort was prior to the August 2003 event.

The August 2003 event is therefore not explicitly reflected in the analysis.

However, the non-recovery likelihood for offsite power used in the analysis reflects the possibility that the grid will not be recovered during the 24-hour mission time.


NRC Question:

d.

Describe how the potential for LOOP given a non-LOOP initiating event (e.g., "consequential LOOP") is addressed in the BFN PRA models.

TVA Response:

Top Event OG5 models the 500-kV offsite grid, the equipment between the 500-kV switchyard, and the Unit Station Service Transformers (USSTs).

This equipment includes switchyard breakers, motor-operated disconnect switches, and the 500-kV buses.

Top Event OG16 models the 161-kV offsite grid, the equipment between the 161-kV switchyard, and the Common Station Service Transformers (CSSTs).

This equipment includes switchyard breakers, motor-operated disconnect switches, and the 161-kV buses.

During the total loss of offsite power event, both of these top events are guaranteed to fail.

The loss of a single grid event, 500-kV or 161-kV, will not constitute total loss of power, and offsite power is available from the non-failed grid.

During non-loss of offsite power transients, these top events again describe the availability of offsite power.

The potential for failure of power from offsite is considered in every sequence.

For initiators involving the trip of just one unit, the consequential loss of each of the two grids is considered independent of each other.

For top event OG5, the consequential failure is assigned a small chance of failing at the time of plant trip (2.66E-4) plus the chance that the 500kV grid fails over the next 24 hours; i.e. split fraction OG51 represents a likelihood of failure of 3.34E-4.

For top event OG16, the consequential failure likelihood is determined to be 4.94E-4.

For initiators involving plant trip of multiple units (i.e. loss of plant air, loss of raw cooling water, or floods in the turbine building), the consequential loss of power to the 500kV grid is assigned a probability of 0.1, plus the small chance that connections to the grid fail (i.e. this is represented by split fraction OG52 with a failure likelihood of 0.1002).

For the 161kv grid, the trip of multiple units does not affect the consequential failure of the grid so that split fraction OG161 is used.

The approach for PSA modeling used at BFN is consistent with the industry and regulatory approaches.

For example, the determination of numerical values is consistent with the ASME guidance(9) and Regulatory Guide 1.200(10).

The generic data sources used include the PLG generic data base and the series of NUREG/CR reports regarding LOOP frequencies and recoveries.

BFN has used a realistic approach based on industry and BFN operating history.

9 American Society of Mechanical Engineers, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Application," ASME RA-S-2002, April 5, 2002.

10 Regulatory Guide 1.200 For Trial Use, "An Approach For Determining The Technical Adequacy Of Probabilistic Risk Assessment Results For Risk-Informed Activities," February 2004.


NRC Question:

3.

This submittal identifies, on page E1-24, that three of eight DGs are sufficient to achieve safe shutdown for an extended duration of LOOP.

It is not clear if any three DGs are sufficient, or if asymmetries in support systems' power supplies or other plant features would result in requiring specific combinations of DGs to successfully achieve safe shutdown for a particular unit.

Further, the technical specifications only require operability of the four Unit 1 and 2 DGs, while the requirements for the Unit 3 DGs are only relevant to the standby gas treatment and control room emergency ventilation systems.

Please provide information regarding the modeling of the DGs in the BFN PRAs (Regulatory Guide (RG) 1.177 - 2.3.3.1):

a.

Identify the success criteria with regards to the specific DGs that can be credited for safe shutdown of each unit for a LOOP, and discuss any asymmetries in DG capabilities with regards to the ability to provide adequate power to safely shut down each unit.

TVA Response:

The response to this question is addressed in the Background section.


NRC Question:

b.

If Unit 3 is shut down, one or more of its DGs may be removed from service for more than 14 days.

Please discuss the administrative controls that assure availability of the Unit 3 DGs to support Units 1 and 2 during the extended AOT, and describe how the risk analyses account for multiple extended outages of the Unit 3 DGs when Unit 3 is out of service.

TVA Response:

Due to the highly specialized nature of DG maintenance, the same personnel at BFN perform maintenance on each diesel generator in series.

Thus, multiple diesel generators are not voluntarily removed from service simultaneously.

Moreover, a situation where such a need would be required is extremely unlikely.

BFN historical evidence justifies a very low frequency for unplanned maintenance in general.

Due largely to the low frequency of unplanned maintenance, it is not necessary in the PSA to account for more than one Unit 3 DG being in maintenance while Unit 3 is out of service.

The Background section provides the response to the requested discussion of the administrative controls which assure availability of the Unit 3 DGs to support Units 1 and 2 during the extended AOT.

In summary, the TS requirements state that if one or more required Unit 3 DGs are inoperable, TVA must declare the required feature(s) supported by the inoperable Unit 3 diesel generator inoperable when the redundant required feature(s) are inoperable within four hours and declare the affected common (shared) SGT and CREVs subsystem(s) inoperable within 30 days.

In this condition, the remaining operable DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System to support operation of Unit 1.


NRC Question:

c.

A 'B' level fact/observation DA-14 is identified in Reference 13 of the submittal, which deals with common cause failure modeling for the DGs.

The resolution of this item did not address a technical basis for separating the Unit 3 DGs into a different population.

Please discuss common cause failure modeling for the DGs, including the populations used across the eight DGs, probabilities of events modeled, and discuss how the potential for common cause failure modes is accounted in the risk calculations if the DG is removed from service under the proposed extended AOT for corrective maintenance.

TVA Response:

The BFN model has been revised since fact/observation DA-14 was posed.

Currently, and for the analysis of the proposed extended DG AOT, the eight diesel generators for the three Browns Ferry units are considered within three general common cause failure (CCF) groupings.

The first common cause grouping is of the Unit 1 and 2 DGs; i.e. A, B, C, and D. The second common cause grouping is for the four Unit 3 DGs; i.e. 3A, 3B, 3C, and 3D.

The third common cause grouping considers a global event that could fail all eight DGs on all three units.

The evaluation to determine the modeling approach for the BFN eight DGs was extensive and thorough.

The eight DGs used at BFN could have been placed in a single common cause group.

However, this group size was beyond the capability of the PSA software.

The DG modeling approach was then established following an in-depth evaluation. An appropriate mixture of single and multiple common cause groupings were utilized based on the physical separation attributes, design, procedures, maintenance practices, and operational approaches regarding the DGs utilized at BFN.

In summary, if all four DGs on Units 1 and 2 are failed, for any reason, then top event DGC in the event tree model considers the conditional probability that the cause of those failures would also affect the Unit 3 diesels.

If the Unit 1 and 2 diesels fail, and top event DGC is failed, then all four diesels on Unit 3 are also conservatively assumed to have failed.

Otherwise, the common cause failures involving DGs in Units 1 and 2 versus Unit 3 are considered separately.

For scenarios in which at least one of the Units 1 and 2 DGs is successful, Top Event DGC is not questioned, that is, bypassed.

This is because the success of one of the Units 1 and 2 DGs implies that the common cause failures that impact both Units 1 and 2, and Unit 3 DGs do not contribute in these scenarios.

Partial common cause coupling between the unit 3 DGs and those on Units 1 and 2 (e.g. common cause between only 1A and 3B) are not considered.

They are not significant compared to those that are modeled.

Evaluation of the conditional likelihood or "coupling factor" was determined during the TVA Unit 2 Individual Plant Examination analysis.

This model has retained this data for the current Unit 1 analysis.

The conditional likelihood was determined by evaluating applicable DG common cause events. A scale of 0 through 5 was used to estimate this conditional likelihood.

Based on the comments of the BFN personnel who participated in the evaluation process and the system analyst, weighting factors were assigned to each common cause event to reflect the likelihood of the common cause event occurring in BFN DGs.

The weighting scale of 1 through 3 was used to estimate the likelihood value:

High = 3

Medium = 2

Low = 1

Using the weighting factors assigned, the mean conditional likelihood was calculated and has a value of 0.238, as shown.

We note that the use of this value is just a factor of four lower than conservatively assuming that when the first four DGs fail, that all eight fail.

To reflect the uncertainty associated with this conditional likelihood, a Beta function (values range from 0 to 1.0) is used to describe this distribution.

The parameters selected for this distribution are A = 1.5 and B = 4.8. The characteristics of the distribution are given below:

Mean = 2.38 x 10^-1

5th Percentile = 3.49 x 10^-2

50th Percentile = 2.09 x 10^-2

95th Percentile = 5.38 x 10^-1

Note that in addition to common cause failure modes of the DGs, the fault tree models for the first two general common cause failure groupings (i.e. for Units 1 and 2 [top event DIES1] and then Unit 3 DGs [top event DIES2]) also include common cause models for fans and dampers that must function to support the DG operation.

For purposes of displaying event probabilities, we focus on the specific common cause grouping between diesels A, B, C, and D in top event [DIES1].

The event probabilities for the specific common cause grouping between diesels in top event [DIES2] 3A, 3B, 3C, and 3D are identical.

To simplify the fault tree model while maintaining valid modeling techniques, unreliability values for six failure modes associated with the Unit 1 and 2 diesels are combined together.

These failure modes are:

  • DG fails to start
  • DG fails to run first hour
  • DG fails to run after first hour
  • DG circuit breaker fails to close
  • Fuel oil pump fails to start
  • Fuel oil pumps fail to run
  • Fuel oil day tank switches fail on demand

The failure parameters used for failure modes associated with common cause failures of the DGs in the first general common cause grouping (i.e. for the diesels in Units 1 and 2, top event [DIES1]) are listed in Table 3C-1.

These failure parameters combine to give the following basic event failure probabilities for common cause failure of the diesels.

The same failure probabilities result for the common cause failure events for top event [DIES2] representing the diesel generators for Unit 3.

  • Independent failure of one DG = 3.43E-2
  • Common cause failure of one specific pair of 2 DG = 2.47E-4
  • Common cause failure of one combination of exactly 3 DG = 1.19E-4
  • Common cause failure of all four DGs in Units 1 and 2 = 1.384E-4
  • Common cause failure of all 8 DGs = 1.384E-4 x 0.238 = 3.29E-5

The above common cause failure events are included for each DG modeled in the fault tree for top event [DIES1].

The minimal cutsets for top event [DIES1], including these common cause events, are first solved.

They are then evaluated algebraically for each alignment (e.g. normal configuration with all diesels in service, diesel A only in maintenance, diesel D only in maintenance, etc.) postulated in the system model.

An alignment is evaluated for each system configuration in which a single DG at a time is out of service for maintenance.

For each such alignment, an event corresponding to the maintenance action is set to logically failed (e.g. the independent failure of the diesel to start) and the cutsets resolved before algebraic quantification.

The contribution of the fault tree failure probability for each alignment is then weighted by the fraction of time in each alignment and summed to give the total top event failure probability.

In this way, the basic event probabilities of the fault tree, including the common cause event probabilities, need not change.

Instead, the impacts of maintenance are accounted for by the Boolean reduction step.

Note that the maintenance frequencies and alignment configurations were derived from BFN operating data.

For common cause events that involved the DG being maintained and at least one other DG, such events are retained in the fault tree and accounted for in the alignment totals.

No adjustment to the event probabilities is required.
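The solve-once, re-reduce-per-alignment procedure described above can be illustrated as follows. This is an added example, not TVA's RISKMAN model: it uses the basic event probabilities quoted above, but the top event logic (loss of all four Unit 1 and 2 DGs), the rare-event quantification, and the alignment time fractions are assumptions made for illustration.

```python
from itertools import combinations, product
from math import prod

DGS = "ABCD"  # Unit 1 and 2 diesels in top event [DIES1]

# Basic event probabilities quoted on the page; they stay fixed in every alignment.
P_IND, P_PAIR, P_TRIPLE, P_QUAD, P_ALL8 = 3.43e-2, 2.47e-4, 1.19e-4, 1.384e-4, 3.29e-5

# Constructed alignment time fractions (assumption; the real ones come from plant data).
ALIGNMENTS = {"NORMAL": 0.96, "A": 0.01, "B": 0.01, "C": 0.01, "D": 0.01}


def basic_events():
    """Return {event name: (DGs failed by the event, probability)}."""
    events = {f"IND_{d}": (frozenset(d), P_IND) for d in DGS}
    for size, p in ((2, P_PAIR), (3, P_TRIPLE), (4, P_QUAD)):
        for group in combinations(DGS, size):
            events["CCF_" + "".join(group)] = (frozenset(group), p)
    events["CCF_ALL8"] = (frozenset(DGS), P_ALL8)
    return events


def minimize(cutsets):
    """Boolean absorption: drop every cutset that contains a smaller kept cutset."""
    kept = []
    for cs in sorted(set(cutsets), key=len):
        if not any(k <= cs for k in kept):
            kept.append(cs)
    return kept


def solve_cutsets(events):
    """Assumed top event: all four DGs fail. A DG fails if any event covering it occurs."""
    per_dg = [[name for name, (fails, _) in events.items() if d in fails] for d in DGS]
    return minimize(frozenset(choice) for choice in product(*per_dg))


def apply_alignment(cutsets, alignment):
    """Set the maintained DG's independent failure to TRUE, then re-reduce the cutsets."""
    if alignment == "NORMAL":
        return list(cutsets)
    failed = f"IND_{alignment}"
    return minimize(cs - {failed} for cs in cutsets)


def quantify(cutsets, events):
    """Rare-event approximation: sum of the cutset probability products."""
    return sum(prod(events[name][1] for name in cs) for cs in cutsets)


def weighted_top_event(alignments=ALIGNMENTS):
    """Return ({alignment: top event probability}, time-weighted total)."""
    events = basic_events()
    base = solve_cutsets(events)  # minimal cutsets are solved only once
    per_alignment = {a: quantify(apply_alignment(base, a), events) for a in alignments}
    total = sum(alignments[a] * per_alignment[a] for a in alignments)
    return per_alignment, total


if __name__ == "__main__":
    per_alignment, total = weighted_top_event()
    for name, p in per_alignment.items():
        print(f"{name:>6}: {p:.3e}")
    print(f" total: {total:.3e}")
```

Common cause events that include the maintained DG (for example `CCF_AB` with DG A out of service) stay in the reduced cutsets with their original probabilities; only the Boolean structure changes.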


TABLE 3C-1 COMMON CAUSE FAILURE MODES CONSIDERED FOR DIESEL GENERATORS IN TOP EVENT [DIES1]

| Failure Modes | Total failure rate | Beta Factor | Gamma Factor | Delta Factor | Notes |
|---|---|---|---|---|---|
| Diesel generator fails to start | BTDGSS = 5.05E-3 | BBDGDS = 2.22E-2 | BGDGDS = 0.364 | BDDGDS = 0.262 | |
| Diesel generator fails to run first hour | BTDGSI = 2.21E-3 | BBDGDR = 3.40E-2 | BGDGDR = 0.415 | BDDGDR = 0.282 | 1 hour mission time |
| Diesel generator fails to run after first hour | BTDGS2 = 9.41E-4 | BBDGDR = 3.40E-2 | BGDGDR = 0.415 | BDDGDR = 0.282 | 23 hour mission time |
| Diesel generator circuit breaker fails to close | ZTCB1C = 1.61E-3 | BBEP4C = 1.25E-1 | BGEP4C = 3.77E-1 | BDEP4C = 0.292 | |
| Fuel oil pumps fail to start | ZTPMSS = 3.29E-3 | ZBPXRS = 7.0E-2 | NA | NA | 20 starts assumed, redundant fuel oil pumps for each DG |
| Fuel oil pumps fail to run | ZTPMSR = 3.42E-5 | ZBPXRR = 1.00E-2 | NA | NA | Pumps run 1/4 of time, two pumps for each DG |
| Fuel oil day tank switches fail on demand | ZTSWPD = 2.69E-4 | ZBSWBD = 7.0E-02 | NA | NA | 20 demands assumed, redundant switches for each DG |

NRC Question:

d. Provide information regarding credit taken (if any) in the risk calculations for recovery of failed DGs, and how such recovery credit was adjusted for a DG assumed out of service under the extended AOT.

TVA Response:

Two top events are developed to analyze the likelihood of recovering offsite power.

Top Event EPR30 evaluates the likelihood of recovering offsite power within 30 minutes, and Top Event EPR6 assesses the likelihood of recovering offsite power within six hours, given that power was not recovered in 30 minutes.

No credit is given for repair of the failed DGs.

Only restoration of offsite power is credited.

In each of the calculations for recovery of offsite power, the time available for recovery (i.e. 30 minutes or six hours) is measured from the time that both offsite and onsite power is lost (i.e. the time the DGs fail).

The probability of losing four DGs is considered as a function of time after offsite power is lost and the probability of non-recovery of offsite power is then measured for that time plus 30 minutes or plus six hours.

The non-recovery factor for each time increment is then weighted by the probability that the diesels are lost during that time increment and the products are then summed to give an effective non-recovery probability.

The model for the time-dependent failure probability of the DGs credits only four of the eight DGs.

The model is the same as split fraction DG4 (i.e. failure of power from four diesels) for top event DIES1.

This model includes consideration that the diesels may fail to start or fail to run after starting and that they may be unavailable at the time offsite power is lost due to maintenance.

Note that the maintenance frequencies and alignment configurations were derived from BFN operating data.

The fraction of time assumed for preventative maintenance considers the yearly corrective maintenance but omits the contribution from the proposed 12 year overhaul.

This contribution to corrective maintenance would contribute negligibly to the non-recovery factor because it affects only one DG at a time.

Therefore, the model was not adjusted for this effect.


NRC Question:

e. A 'B' level fact/observation HR-17 is identified in Reference 13 of the submittal, which deals with a recovery action for aligning a swing residual heat removal service water (RHRSW) pump for cooling water for a "distressed" DG.

The resolution of this item identified a change to the human error probability (HEP) from 5E-4 to 1.6E-2, and identified procedures applicable to this action. Please provide additional details regarding this recovery action:

i. A qualitative description of this recovery action, including the specific failure modes and sequences for which the recovery is credited, and the operating conditions of the affected DG during the time period between cooling water failure(s) and restoration of cooling using the swing RHRSW pump.

TVA Response:

The recovery action is required during LOSP scenarios, which require that the emergency DGs start and assume safety related AC loads in a programmed sequence shortly thereafter, which results in rapid heatup of the DG lubrication. After 13 seconds, the DGs reenergize the 4160V shutdown boards, which should enable all available EECW pumps to start and provide the cooling needed to prevent overheating and failure.

Should the EECW system fail to provide adequate cooling water flow, the operators can align a swing RHRSW pump(s) to accomplish this function.

This action has been evaluated for the Unit 1 PSA using the EPRI Human Reliability Calculator.

The calculator provides the structure for documenting pertinent information regarding the time available and performance shaping factors to provide a basis for its quantification.

The actions and their Human Error Probability (HEP) are:

  • HREEC1, respond to no EECW flow to DG following LOSP.

This action accounts for operator response when all four EECW pumps fail to start automatically following startup of DGs during a LOSP event.

It was evaluated to have an HEP=1.4E-1 per demand.


  • HREEC2, respond to inadequate EECW flow to DG following LOSP.

This action was employed when three of four EECW pumps fail to start, resulting in what is assumed inadequate cooling to the DGs.

It was evaluated to have an HEP=2.3E-2/demand.

For both of these actions, the operators must first recognize that the DGs are heating up due to lack of cooling water.

The differences between the two are the cues and time available to diagnose the problem, which are discussed in the response to part ii of this question.

To execute either action, operators must manually align the RHRSW swing pumps to the EECW headers using MOVs, which can be operated from the Control Room.

It is assumed that there is not enough time to manipulate local valves.

Failure to establish cooling to the DGs is assumed to result in loss of all AC power.

(It should be noted that discussions with the operators indicate that, if they recognize that the DGs are heating up, but are unable to realign the RHRSW swing pumps within the time allotted, they have the option to shut down the DGs until they can reestablish cooling locally.

However, because the contribution of failure that would prevent them from doing the action from the control room was found to be a small contributor to risk, this action was not added to the PSA model.)


NRC Question:

ii. The cues and time available for recovery, including the analyses which identify the time the DG can operate "distressed" due to cooling water prior to equipment failure.

TVA Response:

The manual start requirement is supported by the DG design and test results.

The DG is assumed inoperable if the jacket water reaches 208°F.

The initial temperature for the jacket water is normally at 125°F.

Two special tests were performed to determine the heatup rate of the jacket water without EECW available.

The first test was performed with the DG unloaded.

For this condition, the jacket water will not reach the design limit of 208°F within 16 minutes.

The second test was performed with the DG loaded to 2200kW.

The duration for the jacket water to reach the design limit is approximately five minutes for the loaded condition.

Given no EECW flow, the total time available for human action HREEC1 is five minutes.

For Top Event OEEC2, the time will depend on the amount of partial flow.

A reasonable extension of the time available for human action HREEC2 is judged to be ten minutes.

For human action HREEC1, the operators have indications of the failure of the four EECW pumps to start and run, no EECW flow, and high DG temperature alarms.

For human action HREEC2 the operators have indications of the failure of the three EECW pumps to start and run, low EECW flow, and high DG temperature alarms.


NRC Question:

iii. Plant-specific training and simulator experience that support the human reliability analysis calculations.

TVA Response:

Operators train in the capacity to perform the crosstie operation on the swing EECW pumps in the classroom and on the simulator.

In addition, they train to monitor the condition of the DGs and respond to cues of abnormal heating.

The operators train on LOSP scenarios several times a year, but not those scenarios that contain the specific condition that all DGs start without EECW cooling.

However, the combination of generic DG training, crosstie training, and ample indications of lack of EECW flow and DG heatup are judged to provide ample support for the assessments of the human reliability analysis calculations.


NRC Question:

iv. Sensitivity analyses of this operator recovery action on the baseline PRA model and the specific risk analyses supporting this amendment request.

TVA Response:

For the Unit 1 PSA, the split fraction OREEM had a Fussell-Vesely importance of 0.3%.

The importance for split fraction OREE2 was less than 0.1%.

In addition, when the HEPs for these Top Events were increased to values of 0.2/demand for a dependency sensitivity study, as discussed in the answer to question 9c, they did not appear in the sequences that contributed to 99.3% of the core damage frequency obtained by the sensitivity calculation.

Refer to the answer to question 9c for more discussion of the sensitivity study.


NRC Question:

4. With regards to the success criteria used in the PRA for maintaining core cooling under station blackout conditions (i.e., failed DGs), please provide the following information (RG 1.177 2.3.1):

a. A 'B' level fact/observation TH-8 is identified in Reference 13 of the submittal, which deals with the plant response to station blackout.

The resolution of this item is somewhat vague, in that it is not clear that the plant response is based on actual analyses or judgment, or what mission time is applicable (4, 6, and 8 hours are all identified).

Please discuss the plant systems assumed to be capable of maintaining primary inventory and decay heat removal without any ac power available, their success criteria, including required mission times, and availability of monitoring and control instrumentation, their reliance upon site dc power sources, including the time available until battery depletion, and their functioning after battery depletion (if applicable).

TVA Response:

BFN has been categorized by NRC as an Emergency Alternating Current (EAC) Category "C" plant.

This "C" category translates to a SBO coping duration of four hours and a Diesel Generator target reliability of 0.95.

The NRC SBO Safety Evaluation Report (SER) for Units 1, 2, and 3 (1) stated:

"... the staff agrees with the licensee's end result that there would be sufficient EDG excess capacity and connectability following an SBO on any of the three units to provide AC assistance to the blacked-out unit and to power the normal LOOP loads on the non-blacked-out units.

However the staff concludes that only three EDGs should be credited as being available following an SBO on one unit and the single failure criteria on the units.

The staff characterizes these three remaining EDGs as an excess capacity AAC power source.

This AAC power source is not normally connected to the off-site or on-site emergency AC power systems and is connectable within 1 hour to the bus(es) of the SBO unit.

The AAC power source meets the criteria in Appendix B of NUMARC 87-00.

Therefore, the staff agrees with the licensee to rely on limited use of AC power for SBO coping purposes."

1 NRC letter to TVA, dated September 16, 1992, "Station Blackout - Browns Ferry Units 1, 2, and 3 (MPA-A022) (TAC Nos. M68517, M68518, and M68519)."

TVA has performed analyses and procedures are in place to control and direct the operation of equipment from six systems (Main Steam, Condensate, Feedwater, HPCI, RCIC and 250 VDC) to control reactor vessel pressure, maintain reactor vessel coolant inventory, and provide decay heat removal during the required coping duration of the postulated station blackout.

Additionally, there are also support systems which will function to allow operators to cope with a station blackout.

The following is a discussion of each system and its required components.

Main Steam

Main Steam safety relief valves will control reactor vessel pressure during the initial stages of the station blackout event (until HPCI is manually operated in the Condensate Storage Tank [CST] to CST recirculation mode).

Condensate

The Condensate system is the source of water for both HPCI and RCIC during station blackout.

All three condensate tanks will be available.

The required condensate supply and discharge isolation valves are normally open (or locked open) and must remain open.

Feedwater

The Feedwater system will provide water level control and pressure indications as well as the injection path for both HPCI and RCIC. All level and pressure components are powered from the 250 VDC Reactor MOV Board A and can be operated during station blackout.

All valves required to provide an injection path are either check valves or normally open valves which will remain open during station blackout.


250 VDC Power

The 250 VDC Power system will provide power to all equipment necessary for coping with a station blackout. All equipment associated with this system (except for the chargers) is needed and will be available, including the batteries, battery boards and Reactor MOV Boards and associated distribution.

RCIC

During station blackout, the RCIC system will provide sufficient reactor coolant high pressure makeup to maintain the reactor vessel water level in a safe condition.

Equipment is powered by the 250 VDC system except for the inboard isolation valve (powered from the 480 VAC Reactor MOV Board B) and the flow controller and associated equipment (powered from the 120 VAC unit preferred bus).

The inboard isolation valve is normally open, fails as is on loss of AC power and will remain open during station blackout since no single failure need be assumed.

Equipment is provided to ensure RCIC could be initiated from the flow test position, if desired.

HPCI

The HPCI system will provide coolant injection into the reactor vessel at high pressure until it can be manually run in the CST to CST recirculation mode for pressure relief and decay heat removal.

All equipment is 250 VDC powered except for the inboard supply isolation valve, which can be excluded in the same way as in the case of RCIC.

Any additional equipment required to be operated in the HPCI CST to CST recirculation mode will be available.

Security including door and interlock alarms

The security system will be available to allow ingress/egress from the control room to any required location during station blackout.


Emergency Lighting

Battery powered emergency lighting will be provided in areas which will be occupied (especially in the Main Control Room) during a station blackout including ingress/egress routes to those areas.

In summary, the approved SBO scenario for BFN is a loss of all AC power on one unit and limited on-site AC power for the other two units.

BFN has performed detailed analyses to determine each unit's response to this postulated SBO.

Using the analyses results and a thorough knowledge and understanding of the DC powered systems capability, a procedure was established to safely mitigate the postulated SBO.

The major attributes considered were reactor vessel pressure control, reactor vessel water level control, reactor vessel decay heat removal, sources of water makeup, instrumentation to monitor system performance and control, security requirements, and lighting needs.

In addition, system testing and training are performed to verify the validity of these processes established at BFN to successfully mitigate a postulated SBO.

The PSA approach for SBO inventory control and decay heat removal includes a success criterion that HPCI or RCIC can provide sufficient inventory control until battery depletion if AC power is not recovered.

The SBO coping study demonstrated that there is at least four hours until battery depletion.

The plant design provides for adequate instrumentation and DC control availability for four hours given at least one battery is available. At four hours, HPCI and RCIC are assumed to fail with no flow provided to the vessel.

Decay heat and vessel inventory are such that one-third core height is reached in another two and one-half hours, or six and one half hours after the start of the SBO.

The PSA allows thirty minutes for the restoration of power to the necessary buses, which implies an offsite recovery time of six hours.

During the time that AC power is not available, decay heat removal is provided by a combination of main steam relief valve operation to the suppression pool and HPCI in the recirculation mode, depending on equipment availability.


NRC Question:

b. A 'B' level fact/observation QU-11 is identified in Reference 13 of the submittal, which deals with the assumed availability of the main condenser for accident sequences that would make the condenser unavailable (i.e., LOOP).

The resolution of this item simply states that main condenser availability is accounted for.

Please confirm that for LOOP sequences, no credit is taken for the condenser as a heat sink.

TVA Response:

The main condenser is guaranteed to be unavailable (unavailability of 1.0) for any sequence in which the 500-kV grid is failed (such as would be the case for loss of offsite power).

The main condenser is guaranteed to be unavailable for initiators "loss of condenser vacuum," "inadvertent MSIV closure," and "turbine trip with bypass unavailable."

The condenser is also guaranteed to be unavailable if the raw cooling water system or condenser circulating water system is unavailable.


NRC Question:

c. Identify operator actions required to respond to station blackout conditions (excluding offsite power recovery or recovery of onsite power), including the procedural basis for those actions, the probability of those actions in the PRA, and dependencies that are evaluated of those actions with power recovery actions.

TVA Response:

The manual actions credited during an SBO involve level control of HPCI and RCIC.

The cues and actions required are not differentiated with respect to SBO conditions.

There are two such actions.

The first action is the failure to control level with HPCI/RCIC.

A failure of this action results in a Level 8 trip.

The second action models the failure to subsequently restart HPCI and RCIC and control level.

| Operator Action | Description | RISKMAN Point Estimate Mean Probability |
|---|---|---|
| HPHPE1 | Operator fails to control level with HPCI/RCIC | 3.14E-3 |
| HPHPR1 | Operator fails to control level with HPCI/RCIC following a Level 8 trip. | 3.90E-3 |

These actions are not dependent.

The guidance for these actions is contained in the BFN site-specific Abnormal Operating Instruction for LOOP / SBO.


NRC Question:

d. Three 'B' level fact/observations HR-9, HR-9.1, and HR-12 are identified in Reference 13 of the submittal, which deal with a recovery action for venting containment during loss of all ac power scenarios.

The resolution of these items identify (1) that 6.1E-3 is a screening value for the local actions needed to vent containment during blackout, and/or (2) that a new HEP of 1.43E-1 has been assigned.

Please identify credit taken (if any) and the performance shaping factors considered for local actions for containment venting to maintain a reactor heat sink for long term station blackout sequences.

Please also provide the results of any sensitivity analyses conducted on this operator recovery action.

TVA Response:

At all three Browns Ferry units, the instrumentation and controls needed to accomplish the alignment for containment venting to maintain a reactor heat sink for long term station blackout sequences are located in the control room.

The Emergency Operating Instructions delineate the steps required to complete the alignment.

The suppression pool heatup is gradual, so there is a considerable amount of time available to accomplish the action.

The Unit 1 HRA addresses the action with human failure event HRWWV1, "Align hardened wetwell vent for SP cooling," implemented in the event tree by Top Event OWWV.

The diagnosis and execution of the action is straightforward, so it will not be difficult.

The only negative performance shaping factor is the complexity of the overall situation, resulting in stress and leading to a relatively high HEP of 4.2E-02/demand for this control room action being calculated by the diagnosis and execution HEP algorithms of the EPRI HRA calculator.

The vent hardware, as modeled in Top Event VNT, is designed to be aligned by opening two air-operated valves actuated by DC powered solenoids, neither of which requires AC power.

Should a solenoid fail or the air pressure decay to a point where it cannot operate the valve, there are no provisions in EOIs for opening the vent locally.

Therefore, a local action was not included in the PSA.

Sequences that involve the failure of the wetwell vent valve hardware or support systems were found to have a low Fussell-Vesely importance when the PSA results were evaluated, and failure of Top Event OWWV had a negligible impact in the HRA dependency sensitivity study discussed in answer to Question 9. Furthermore, the PSA model assumes that failure to recover off-site power within six hours results in core damage; consequently, long term blackout sequences greater than six hours also lead to core damage.


NRC Question:

5. Provide the results of any uncertainty and sensitivity studies on the DG assumed unavailability, LOOP frequency, offsite power recovery probabilities, station blackout mitigation success criteria, and any other key assumptions or sources of uncertainty relevant to the risk results supporting this amendment request. (RG 1.177 - 2.3.5).

TVA Response:

BFN recognizes that sensitivity analyses may be necessary to address the important assumptions in a submittal made with respect to TS changes analyses.

The examples given in Regulatory Guide 1.177, Section 2.3.5, relate to the effects of the TS change itself.

TVA's initial reason for not performing uncertainty or sensitivity studies was that Unit 1 is in a unique situation.

The BFN DGs have been governed by a fourteen-day AOT for a substantial period of time.

A review of the historical DG out of service durations (downtime) data indicates that the average DG unavailability (frequency times downtime) has decreased in the time period after the increased AOT implementation as compared to the time period before.

This is attributed to improved plant DG maintenance practices over this time period.

Therefore, the fourteen-day AOT for Unit 1 is primarily needed as a contingency for corrective maintenance or an unexpected delay during preventive maintenance.

In response to this request for additional information, a sensitivity evaluation was performed in which the common cause beta MGL parameter was doubled for both groups of DGs.

The quantification resulted in a CDF of 1.82E-6 and a LERF of 4.4E-7.

For this study, the accompanying ICCDP value is 8.27E-8 with an acceptance criteria of 5.0E-7.

The ICLERP remains unchanged based on no change to the LERF value.

These results provide an adequate degree of confidence that additional sensitivity evaluations are not necessary.


NRC Question:

6. The submittal does not identify the relationship between the configuration of BFN Unit 1 used as the basis for the risk calculations and the configuration of BFN Unit 1 that will exist when the plant is placed into service.

Please provide identification and disposition of any plant changes (i.e., modifications or procedure changes) that are planned to be in place at startup, but which are not reflected in the PRA model used to support this amendment request. (RG 1.177-2.3.1).

TVA Response:

The anticipated configuration at Unit 1 restart for each system is described by a combination of the existing plant documentation and Design Change Notification (DCN) packages.

The existing plant documentation, along with each issued Unit 1 DCN through the design freeze date of February 6, 2003, was reviewed by the staff performing the PSA for Unit 1 to ensure that the Unit 1 system models represented the anticipated configuration.

Other available Unit 1 DCNs in preliminary stages of development were also reviewed during the initial preparation of the Unit 1 PSA system notebooks to evaluate their effects on the Unit 1 system models.

If the Unit 1 DCN was not available at the time of this review, the Unit 2 system configuration was assumed applicable.

This is acceptable due to the design of the two units being essentially identical.

These assumptions are noted in the individual system analysis notebooks.

Following completion of the Unit 1 DCN closure process, which ensures the DCN packages reflect the Unit 1 as-built configuration, closed DCN packages will be reviewed to assure consistency with the Unit 1 PSA model.

Any differences will be reviewed and required revisions to the Unit 1 PSA will be made.

Applicable Unit 1 operating and test procedures had not been finalized, so the PSA model assumed the Unit 2 procedures were applicable. Again, this is acceptable due to the design of the two units being essentially identical and their operating procedures also being functionally duplicative.


NRC Question:

7. Provide information regarding the scope and quality of the PRA used for the risk calculations with regards to internal fires and external events, since these items were not reviewed as part of the industry peer review.

If internal flooding was not within the scope of the peer review conducted for BFN PRA models, please also discuss the scope and quality of that portion of the PRA as well.

Please also discuss the integration of the internal and external events risk models. (RG 1.177 - 2.3.2)

TVA Response:

Generic Letter 88-20, Supplement 4 requested that examinations include the following five areas (the methodology for evaluation accomplished at BFN is designated by the information within parenthesis):

  • Internal fires (EPRI Fire Induced Vulnerabilities Evaluation [FIVE]),
  • Seismic (EPRI Seismic Margins),
  • External Floods (screening approach), and
  • Transportation and nearby facility accidents (screening approach).

The Unit 1 internal fires evaluation following the EPRI FIVE method uses the latest Unit 1 BFN PSA as an input.

None of the other Supplement 4 evaluations use the PSA as input.

These evaluations were accomplished using industry sanctioned and acceptable methods of evaluation that are progressive screening processes.

With regards to internal flooding, this evaluation was within the scope of the BFN PSA model reviewed by the Peer Team.

The internal flooding evaluations in the BFN PSA were developed and are maintained by the same processes and controls as the other portions of the PSA.

With regards to integration of these five areas, there is currently no industry accepted methodology which permits integration of these results.

It should also be noted that the internal event (fire) and external events (seismic, high winds, external floods, and transportation and nearby facility accidents) were accomplished using industry sanctioned and acceptable methods of evaluation, which are progressive screening processes.

Absolute numerical values are not assigned nor required to be assigned.


NRC Question:

8. A 'B' level fact/observation QU-7 is identified in Reference 13 of the submittal which deals with the use of the "saved sequence" model for applications and its impact on risk importance measures, with symptoms of truncation effects identified.

The resolution of this item identifies that an analysis of truncation effects was completed and documented.

However, the specific concerns identified on the truncation effects impact on importance measures in the base model were not dispositioned.

The risk analyses supporting this amendment request appear to be based on the importance measures of the "saved sequence" model.

Please provide additional information regarding how this item was corrected to eliminate truncation effects on the base model importance measures.

Discuss the adequacy of the truncation level used to quantify the PRA model for this amendment request, specifically to address the use of the DG risk achievement worth for calculating the incremental conditional core damage probability instead of providing a quantification of the model with the DG out of service.

Item QU-7 also identified model asymmetry as a limitation; please discuss model asymmetry as it impacts this amendment request. (RG 1.177 - 2.3.4, A.1.3.1.1)

TVA Response:

The saved sequence database is no longer used to support the determination of importance measures.

In RISKMAN® for Windows 7.1, the analysis code used in the Unit 1 PSA and in the analyses supporting the DG AOT submittal, importance calculations are performed during scenario quantification, thereby eliminating the need to use the saved sequence database for such calculations.

The truncation effects, if any, introduced by using the saved sequence database for importance calculations have therefore been eliminated.

In the Unit 1 PSA, an overall scenario quantification truncation value of 1 x 10^-12 was used for all initiators.

That is to say, all individual sequences with frequency 1 x 10^-12 or greater are retained in the analysis and are included in the determination of importance measures.


NRC Question:

9. An 'A' level fact/observation HR-26, and a similar 'B' level fact/observation HR-27, are identified in Reference 13 of the submittal which deal with dependencies of multiple HEPs.

The resolution of this item identifies (1) that the dependencies were evaluated using a systematic approach, (2) revised HEPs were developed, and (3) the results were documented.

Please provide additional information regarding the disposition of these items (RG 1.177-2.3.1):

a. Discuss the systematic process used to identify dependent combinations.

TVA Response:

The BFN PSA assesses the degree of dependence between human actions in the same accident sequence in accordance with ASME Standard RA-S-2002, Para HR-G7 (2).

The evaluation considers two general categories of influences:

  • The time to complete all actions in relation to the time available to perform the action, and
  • Factors within the scenario that could lead to dependence.

The scenario dependency relates to the context of an operator action in response to a cue (i.e., control room alarm or instrument indication).

That is, the representation and evaluation of an operator action is performed based on type of initiating event, safety system availability, and the time available dictated by thermal hydraulics analysis.

The BFN Unit 1 HRA follows the approach for evaluation of Human Failure Event (HFE) dependence in Section 10 of NUREG/CR-1278 (3) and EPRI TR-100259 (4). Depending on the precise scenario, the dependency could range from zero to complete.

2 American Society of Mechanical Engineers, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Application," ASME RA-S-2002, April 5, 2002.

3 Swain, A.D. and H.E. Guttmann, 1983. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington (DC).

4 Parry, G.W., et al., 1992. An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment, EPRI TR-100259, Electric Power Research Institute, Palo Alto, CA.


Most actions appearing in the same accident sequences become apparent during the construction of the event trees.

The human action analyst works with the event tree analyst to define the boundary conditions for the actions, such as initial conditions, known previous equipment and HRA successes and failures, cues, and time available before transition to the next plant state.

When previous actions are identified, the two analysts evaluate the dependence of the current action on that previous failure using the criteria presented in answer to Question 9b below.

Once the analysts agree upon a degree of dependency, it is quantified in accordance with the guidance contained in Table 10-2 of NUREG/CR-1278 and explicitly included in the model for an appropriate split fraction of the Top Event associated with the action in the event tree.

For reviewing convenience, the bases for assigning potential dependencies between human actions are consolidated into one table.

The response to Question 9d is an example of such an evaluation.

Finally, the completeness of the evaluation is checked using the sensitivity study discussed in answer to question 9c below, which would reveal potential dependent combinations not already addressed.

This evaluation approach results in a systematic process to identify and quantify dependent combinations.
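The quantification step described above can be illustrated with the dependence equations of NUREG/CR-1278, Table 10-2. The following is an added example, not part of the TVA submittal or the BFN PSA model; the function names and the nominal HEP values in the sample sequences are constructed for illustration. It shows how an agreed dependence level sets a floor on the conditional HEP of the later action, and how far a simple product of independent HEPs would understate the sequence value.

```python
"""Conditional HEPs under the THERP dependence model (NUREG/CR-1278, Table 10-2).

Added illustration only: function names and sample HEP values are constructed
and do not come from the BFN Unit 1 PSA.
"""
import math

# Conditional probability of failing action N, given failure of action N-1,
# as a function of p, the nominal (independent) HEP of action N.
_DEPENDENCE_EQUATIONS = {
    "ZD": lambda p: p,                  # zero dependence
    "LD": lambda p: (1 + 19 * p) / 20,  # low dependence
    "MD": lambda p: (1 + 6 * p) / 7,    # moderate dependence
    "HD": lambda p: (1 + p) / 2,        # high dependence
    "CD": lambda p: 1.0,                # complete dependence
}


def conditional_hep(nominal_hep, level):
    """Return the HEP of an action given that the preceding action failed."""
    if not 0.0 <= nominal_hep <= 1.0:
        raise ValueError(f"HEP must be a probability, got {nominal_hep!r}")
    try:
        equation = _DEPENDENCE_EQUATIONS[level.upper()]
    except KeyError:
        raise ValueError(f"unknown dependence level {level!r}") from None
    return equation(nominal_hep)


def sequence_hep(actions):
    """Joint probability that every action in the sequence fails.

    actions: ordered list of (name, nominal_hep, dependence_level), where the
    level describes dependence on the failure of the preceding action. The
    first action has no predecessor, so its level is treated as zero dependence.
    """
    if not actions:
        raise ValueError("sequence must contain at least one action")
    joint = 1.0
    for index, (_name, nominal, level) in enumerate(actions):
        joint *= conditional_hep(nominal, "ZD" if index == 0 else level)
    return joint


def independent_product(actions):
    """Joint failure probability if the actions were wrongly treated as independent."""
    return math.prod(nominal for _name, nominal, _level in actions)


def underestimation_factor(actions):
    """How many times larger the dependent result is than the independent product."""
    return sequence_hep(actions) / independent_product(actions)


# Constructed sample: two actions with moderate dependence between them.
SAMPLE_MODERATE = [
    ("control RPV level with HPI", 1e-2, "ZD"),
    ("emergency depressurize", 1e-3, "MD"),
]

# Constructed sample: complete dependence, so the second action is a guaranteed failure.
SAMPLE_COMPLETE = [
    ("establish suppression pool cooling", 1e-3, "ZD"),
    ("initiate wetwell venting", 5e-2, "CD"),
]

if __name__ == "__main__":
    for label, seq in (("moderate", SAMPLE_MODERATE), ("complete", SAMPLE_COMPLETE)):
        print(f"{label}: dependent={sequence_hep(seq):.3e} "
              f"independent={independent_product(seq):.3e} "
              f"factor={underestimation_factor(seq):.1f}")
    # Floors imposed by each level when the nominal HEP is vanishingly small.
    for level in ("LD", "MD", "HD", "CD"):
        print(level, "floor:", round(conditional_hep(0.0, level), 4))
```

Because each non-zero dependence level has a floor (0.05, about 0.143, 0.5 and 1.0), the combined HEP for a sequence cannot fall below the first action's HEP times that floor, however small the later action's nominal HEP is.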


NRC Question:

b. Identify the criteria applied to identify multiple actions as independent.

TVA Response:

Upon identification of multiple HFEs in an accident sequence, the BFN Unit 1 HRA dependency evaluation addressed the factors listed below:

  • Time Between Actions - HFEs committed over a short period by the same operators are generally highly dependent. However, for longer-term operator actions (e.g., actions taken beyond the first 30 minutes), decoupling effects could arise through additional personnel entering the control room, alarms/annunciators, etc. Ultimately, the analyses of dependencies are supported by simulator observations in combination with talk / walk-throughs.
  • Cognitive Dependence - Error forcing contexts that increase dependencies result from similar spatial relationship, support and safety system status, and requirements for use of instruments and controls between actions in the given event tree sequence.
  • Cue-dependence - Multiple cues within a sequence could have the effect of de-coupling multiple operator actions. For example, an early failure by the control room crew to implement a procedure step could result in another apparent cue at a later stage. If the system time-window is sufficiently long, there could be a high likelihood of successful recovery late in the event sequence.
  • Procedure Dependence - Emergency Operating Instructions (EOI) require the operating crew to revisit safety parameters for other functions. This process can reduce dependencies.

These criteria address both the timing and performance shaping factors that influence the human error probability of multiple actions while providing sufficient leeway to account for the scenario-specific circumstances of each action.


NRC Question:

c. Identify the lower limit (if any) to the overall HEP applied for a given sequence.

TVA Response:

As some of the scenarios addressed in the PSA can extend over hours, no strict limit has been established for the overall HEP applied to a given sequence of events.

The large event tree structure provided by the RISKMAN® software allows the HRA Analyst to track the progression of a group of accident scenarios with the event sequence analyst.

Together they then assign a degree of dependency to actions that can occur in the same scenarios.

These dependencies are then incorporated directly into the event tree rules in accordance with Table 10-2 of NUREG/CR-1278.

In lieu of a rigid lower limit, the evaluation of the potential for dependence between HFEs within the same accident sequence was assessed by a sensitivity study in which the PSA is quantified with the HEPs of post-initiating event HFEs set to a screening value of 0.2/demand.

Quantifying the accident sequence model with this high value significantly increases the frequency of those sequences containing human actions so that instances of multiple HFEs can be more easily identified and examined for dependencies.

This sensitivity analysis served as a check on the methods outlined above for identifying dependencies between human actions.

The table below ranks the relative importance of the high HFEs used by the sensitivity study based on fraction of the CDF in the event sequences containing a given category of HFEs.

It should be noted that each sequence has at least one HFE.

This table shows clearly that when all HEPs are set to the artificially high screening value, failure to control the RPV level with high pressure injection (HPI) systems has the highest fractional importance, appearing in sequences that contribute 94% of the dependency evaluation baseline CDF.

In addition, over 50% involves only the failure to control HPI.

Those sequences that contain other independent HFEs are divided equally among failure to control low pressure injection, failure to initiate suppression pool cooling, and failure to initiate drywell spray.

Except for unusual cases, such as Anticipated Transient Without Scram (ATWS) events, the latter two actions could be performed hours into the accident sequence to mitigate against the undesired event.

Failure to initiate drywell spray relates to actions needed to protect the containment after a core damage event.

Except for ATWS events, the suppression pool has the heat absorption capacity for hours of decay heat.

Therefore, the presence of these actions in sequences where operators failed to control HPI is separated in time sufficiently to be independent.

The failure to control low pressure injection requires that the Reactor Pressure Vessel (RPV) be depressurized.

This would follow a successful emergency depressurization, which will key the operators to initiate and control low pressure injection. A high failure rate has been postulated for failure to emergency depressurize following the failure to control HPI, corresponding to explicit inclusion of moderate dependence with the failure of the operators to control RPV level at high pressure in the Top Event split fraction model.

However, as the scenario progresses, the operators still have an opportunity to fail to continue to control low pressure injection, as shown by the contribution of failure to control Low Pressure Injection (LPI).

| CATEGORY OF HUMAN FAILURE EVENT | % OF CDF | % CONTRIBUTION |
|---|---|---|
| Failure to control HPI | 94.1% | |
| Sequences with only failure to control HPI | | 52.1% |
| containing failure to recover HPI | | 100.0% |
| Sequences with one additional failure | | 38.1% |
| which is failure to control LPI | | 33.4% |
| which is failure to initiate Suppression Pool (SP) cooling | | 33.3% |
| which is failure to initiate DWS | | 33.3% |
| Sequences with two additional failures | | 9.2% |
| Including failure to control LPI | | 66.7% |
| Including failure to initiate SP cooling | | 66.6% |
| Including failure to initiate drywell spray (DWS) | | 66.7% |
| Sequences with three additional failures | | 0.7% |
| combinations of LPI, SP, DWS | | 100.0% |
| Not failure to control HPI | 5.9% | |
| Failure to Emergency Depressurize | | 96.2% |
| Involving failures during ATWS Events | | 3.1% |
| Other assorted | | 0.7% |


NRC Question:

d. Provide the disposition of the specific example cited in HR-26.

TVA Response:

Based on the guidance outlined in 9b above and reasoning below, extracted from the HRA dependency evaluation discussed in response to question 9a, the HRA for the Unit 1 PSA assessed complete dependence between failure to establish suppression pool cooling and failure to initiate wetwell venting.

The basis for this assignment was documented as follows in the human failure event dependency table:

Both actions are directed towards the same goal and would be accomplished over the same time frame.

If the operators fail to recognize that the available suppression pool cooling has not been used to maintain temperature and pressure within acceptable limits, it is judged that they will also fail to take the extraordinary action to establish wetwell vent to accomplish a function that can be done by more direct means.

Therefore, the event tree rules assume the operator action to open the wetwell vent is guaranteed to fail, e.g. Qd = 1.0.


NRC Question:

e. Provide dependencies evaluated relevant to station blackout sequences, including the individual basic event probabilities and the final combined HEPs.

TVA Response:

The loss of offsite power will result in the closure of the MSIVs and a requirement that HPCI or RCIC start and maintain RPV level and pressure within acceptable levels.

A control room operator is assigned the sole function of monitoring and controlling RPV level using these systems and remains at the appropriate panel for controlling these systems.

The performance shaping factors for this individual do not change when AC power is not available, as HPCI and RCIC are designed to operate without AC power, and the control functions require no physical effort.

The operator will not become involved in efforts to recover AC power.

Should the suppression pool pressure and temperature rise high enough to fail the HPCI/RCIC, the operator can align the wetwell vent from the control room, as the appropriate valves are designed to operate without AC power.

The specifics of this action are discussed in the answer to question 4d.

The recovery of offsite power is a statistical evaluation, which is consistent with industry practice for analyzing recovery from LOSP.

The human actions to accomplish this are not explicitly considered.


NRC Question:

10. Section 4.2.1.3 of the submittal describes administrative controls applicable for scheduling maintenance, which is referenced as satisfying tier 3 requirements of RG 1.177.

Please clarify the following aspects of these administrative controls as they apply to on-line maintenance (RG 1.177 - 2.3.1):

a. No limits are identified for configuration-specific instantaneous risk, only limits based on incremental core damage probability.

TVA Response:

A thorough review of the core damage and large early release metrics contained in RGs 1.174 and 1.177 indicates instantaneous CDF and incremental core damage probability are the acceptance metrics.

The BFN calculation justifying the 14-day AOT satisfies the criteria given in RG 1.177, part 2.4 by determining the incremental core damage probability and indicating acceptable results.

The numerical aspect in 1.177 itself concerns only ICCDP and ICLERP.

The numerical criteria in 1.174 concern only yearly average CDF and LERF.

Hence, BFN has satisfied the criteria in RG 1.177.

Determining the incremental core damage probability with acceptable results provides the required measure of acceptability within TVA's work control process.

The determination of the instantaneous CDF for this situation does not provide any added assurance.


NRC Question:

b. No evaluation of maintenance risk in terms of large early release frequency is identified.

TVA Response:

TVA has revised TVAN Standard Processes and Programs, Standard Programs and Processes (SPP) 7.1, Work Control Process, to include the following risk threshold:

For those activities modeled in the site PSA that could impact the probability of radiological releases, the LERF should be considered (see NUMARC 93-01).

The following thresholds are established:

  • RED Incremental Large Early Release probability (ILERP) greater than 1E-06 should not be entered voluntarily. If such conditions are entered, it should be for very short periods of time and only with a clear detailed understanding of events that cause the risk level.
  • ORANGE ILERP greater than 5E-07 but less than 1E-06, assess non-quantifiable factors, establish risk management actions.
  • YELLOW ILERP greater than 1E-07 but less than 5E-07, assess non-quantifiable factors, and establish risk management actions.
  • GREEN ILERP less than 1E-07, no separate risk management plans or approval are required.


NRC Question:

c. No criteria are identified for the risk threshold at which the various risk management actions would be taken.

TVA Response:

As discussed in Section 4.2.1.3 of our December 6, 2004 letter, the following risk thresholds are established with approval/actions described below:

  • Incremental core damage probability (ICDP) greater than 1E-05 should not be entered voluntarily (RED);
  • ICDP greater than 5E-06 but less than 1E-05, assess non-quantifiable factors, establish risk management actions per 3.5.2.1 (ORANGE);
  • ICDP greater than 1E-06 but less than 5E-06, assess non-quantifiable factors, establish risk management actions per 3.5.2.1 (YELLOW); and
  • ICDP less than 1E-06, no separate risk management plans or approval are required (GREEN).

Activities requiring risk management actions include, as appropriate, actions to provide risk awareness and control, actions to reduce duration, and actions to reduce magnitude of risk increase.

These actions might include:

  • Discussion of activity with operating shift approval of planned evolution;
  • Pre-job briefing of maintenance personnel emphasizing the risk aspects of the evolution;
  • Presence of appropriate technical personnel for appropriate portions of the activity;
  • Pre-staging of parts and materials;
  • Walk down tagout and activity prior to conducting maintenance;
  • Conduct of training and mock ups to familiarize personnel with the activity;
  • Perform activity around the clock;
  • Establish contingency plans to restore the out of service equipment rapidly, if needed;
  • Minimize work in areas that could affect other redundant systems such that there is continued likelihood of the availability of the safety functions served by the SSCs in those areas;
  • Establishment of alternate success paths for performance of the safety function of the out of service SSC (note: this equipment does not necessarily have to be in the scope of the Maintenance Rule per SPP-6.6); and
  • Risk management plans are required to be approved by senior plant management.

While some activities present an increased ICDP, other activities can, by the nature of the maintenance work, present challenges to chemistry, environmental, industrial safety, radiological, and generation risk.

These types of activities shall be presented to a senior management forum for identification and discussion as a "Critical Evolution".

The criteria for selection and follow up discussion for presenting this type work to the management forum includes any work activity that represents one of the following:

  • Work/testing projected to accumulate 25 mrem dose,
  • Component outages (e.g., major pumps, electrical board outages, and Condensate Demineralizer),
  • Board transfers that could affect plant operation,
  • Work including the Post-maintenance testing (PMT) that will use 60% of the AOT,
  • Medium (Orange) PSA Risk activities,
  • Potential Threat to generation activities,
  • Reduced margin activities (for example, chiller work),
  • Modifications affecting plant operating equipment,
  • Activities with significant ALARA implications (e.g., fuel canal),
  • Activities with unusual personnel safety exposure (e.g., divers),
  • First of a kind (revisions) or first time online test performances,
  • Switchyard activities that could affect TS required off-site lines,
  • Specific troubleshooting,
  • Significant potential environmental threats identified, and
  • Significant industrial safety threats identified.

The Critical Evolution's Meeting agenda is prepared by the Work Week Managers each week. An overview of the Critical Evolutions scheduled in the next five weeks is presented, which designates the implementing craft section, work document, component affected, and a brief description of the activity. At the meeting, the Work Week Manager presents an overview of the scheduled activity and the implementing group representative addresses any outstanding problems or concerns associated with the work.

The activities scheduled for completion within the next three weeks are discussed in the level of detail appropriate to identify any issues that may challenge their successful completion.

Contingency plans or a plan of action should be discussed for any potential problem identified. At these meetings, there may be direction given to have an activity brought back for clarification and further discussion in subsequent weeks until the issue is resolved.


NRC Question:

d. No management involvement, except for senior management approval of risk management plans, is identified.

TVA Response:

There is extensive management involvement in the long-term planning and day-to-day work process in addition to the Critical Evolution's Meeting discussed in response to the previous question.

For example, in accordance with SPP-9.0, Engineering, Equipment Reliability Programs and Policies, a component long range improvement strategy and cycle plan which implements equipment reliability improvement plans is incorporated into the on-line and outage scheduling plans.

A Cycle Manager works with the Equipment Reliability Manager to identify those work orders, Preventative Maintenances, and surveillances, needing advance (prior to the current cycle) planning, resource, and engineering preparations in order to support timely readiness for efficient component outages.

Some work orders must be planned at least 26 weeks in advance in order to procure parts for component outages.

These outages are grouped per the plant's predetermined system or functional equipment group work windows for on-line maintenance and outage periods. Required planned down power for periodic tests, planned down power for seasonal maintenance, and planned component and "mid-cycle" outages, are presented to plant management and concurred with via annual and quarterly cycle letters. Responsible task leads or sponsors are assigned as needed to oversee progress. A long-range plan and schedule is maintained at least three years in advance based on site improvement plans. Advance cycle planning is necessary to meet the readiness milestones for incorporation into the scope for a given work week.

For the day-to-day activities, a Work Order Review Group (WORG):

  • Reviews all new work orders and returns to the originating organization any that do not contain sufficient detail to adequately define the problem.
  • Reviews and categorizes all work orders generated since the last Review Group meeting based upon the expertise and experience of the team members as well as approved plant procedures.
  • Assigns priorities based upon generation risk, PSA risk, impact upon defense-in-depth (taking into account current plant and associated equipment status), procedural requirements, impact upon Operations' ability to control the plant, impact to current and near term scheduled activities, and the judgment of the team.
  • Reviews new work orders for functional impact on Structures, Systems and Components (SSCs) in Part 50 FSAR and Part 72 Independent Spent Fuel Storage Installation (ISFSI) licensing basis.
  • Provides a forum in which plant personnel may present requests and justifications for raising the priority for work orders which have previously been categorized or new work orders which require special processing.
  • Determines and sets in motion any compensatory actions needed to ensure that plant equipment can safely operate until repaired if it is to remain available or in service.
  • Determines and documents any plant conditions which must be established to perform the work requested.

Team meetings are facilitated by the Daily Scheduling Manager, Work Week Manager, or Cycle Manager; and are normally held every Monday through Friday.

Team members include:

  • Operations (current Senior Reactor Operator (SRO) license and preferably the Unit Manager),
  • System Engineering,
  • Maintenance,
  • Outage Management,
  • Daily Scheduling,
  • Chemistry,
  • Radcon,
  • Planning, and
  • Materials (if required).


NRC Question:

11. The submittal states (on page E1-29) that for the EDG AOT, no compensatory measures are required to avoid potential risk significant configurations.

The submittal further states (on page E1-24) that certain pumps cannot be deliberately disabled for maintenance if certain EDGs are concurrently disabled.

It is expected that EDG outages would be carefully planned and carried out to minimize the total outage duration and to take actions to minimize the risk impacts.

Please clarify how the administrative controls for on-line maintenance would specifically be implemented for the EDG AOT, including management approvals, risk management plans, specific restrictions on maintenance of other components, and compensatory measures to reduce risk. (RG 1.177 - 2.3.1)

TVA Response:

The procedure that establishes administrative controls for on-line work, including DGs, is SPP-7.1, On Line Work Management.

The On Line Work Management process provides the following methods to minimize risk:

  • Perform risk assessment of scheduled and emergent maintenance activities.
  • Control the equipment combinations that can be removed from service at the same time.
  • Prioritize maintenance and repair activities.
  • Determine the risk significance (using the site PSA) of scheduled maintenance and surveillance activities, then implement actions to: control risk, increase risk awareness, and reduce risk duration and magnitude.
  • Require senior plant management approval prior to entering increased risk conditions (ICDP greater than 1E-06 or LERFP greater than 1E-07), including approval of risk management plans.
  • Categorize as Critical Evolutions those activities which result in a challenge to reactor safety, industrial safety, or generation.

Critical Evolutions are reviewed and approved by a Senior Management Forum prior to implementation.

The 12 week schedule process includes a preliminary defense-in-depth assessment, which documents allowable combinations of system and Functional Equipment Groups (FEGs) that may be simultaneously worked on-line or during shutdown conditions.

FEGs are evaluated combinations of equipment that can be out of service concurrently to promote efficiency and minimize risk.

The surveillance testing schedule provides the "backbone" for the long-term maintenance plan. Other periodic activities (preventive maintenance items) are scheduled with related surveillance tests to maximize component availability.

System FEGs are used to ensure work on related components is evaluated for inclusion in the work window.

The inclusion of FEGs in the work window maximizes component availability and operability.

A risk assessment methodology is used for both on-line maintenance and outage activities.

For on-line maintenance a risk assessment is performed before implementation and any emergent work is evaluated against the assessed scope.

Risk assessment guidelines are documented in site-specific Technical Instructions (TIs) and utilize the results of the site PSA.

Other safety considerations, such as Technical Specifications and the scope of risk significant components not modeled in the PSA are also used to determine which system, component and FEG combinations may be worked on line.


NRC Question:

12. Since three out of eight DGs are sufficient to achieve safe shutdown following a LOOP, please clarify how many DGs can be considered as spare that can be substituted for an inoperable DG assuming LOOP in all units and one DG under maintenance in each unit.

TVA Response:

The response to this question is addressed in the Background section.


NRC Question:

13. Are there any restrictions as to how many DGs can be taken out for preplanned maintenance simultaneously at BFN site?

TVA Response:

This information is provided in response to NRC Question 3b.


NRC Question:

14. On page E1-7 of Enclosure 1 of the submittal, it is stated that the DGs are arranged such that four DGs provide standby power to Units 1 and 2, and four DGs are in standby service for Unit 3. Also, through use of 4-KV Shutdown Buses 1 and 2, and the 4-KV Bus Tie Board, any DG can be cross connected with any 4-KV Shutdown Board.

In addition, these alignment actions can be performed from the control room for the Shutdown Buses or from an electrical board room for Bus Tie Board transfers.

Please describe how long it takes to accomplish this cross connection (a) from control room for Shutdown Buses, and (b) from an electrical board room for Bus Tie Board transfers?

TVA Response:

The cross connections can be accomplished as follows:

Supply a Unit 1/2 4KV Shutdown Board (SD BD) via Emergency Feeder to Unit 3 DG:

  • 4KV SD BD A from Unit 3 DG A, or
  • 4KV SD BD B from Unit 3 DG B, or
  • 4KV SD BD C from Unit 3 DG C, or
  • 4KV SD BD D from Unit 3 DG D

This evolution is addressed in 0-AOI-57-1A, Attachment 7. The six steps necessary to perform this evolution are accomplished from the Main Control Rooms.

The procedure utilizes two Operators; however, the evolution could be performed by one Operator moving between control rooms.

The evolution can be performed in less than one hour (most likely accomplished in less than 15 minutes).

Supply any Unit 1/2 4KV SD BD from any other Unit 1/2 DG:

  • 4KV SD BD A from Unit 1/2 DG (B, C or D)
  • 4KV SD BD B from Unit 1/2 DG (A, C or D)
  • 4KV SD BD C from Unit 1/2 DG (A, B or D)
  • 4KV SD BD D from Unit 1/2 DG (A, B or C)

This evolution is addressed in 0-AOI-57-1A, Attachment 8.

The five steps necessary to perform this evolution are accomplished from the Main Control Room.

The procedure utilizes one Operator and can be performed in less than one hour (most likely accomplished in less than 15 minutes).

Supply any Unit 1/2 4KV SD BD from any Unit 3 DG via the 4KV Bus Tie BD:

  • 4KV SD BD A from Unit 3 DG 3A, 3B, 3C, or 3D
  • 4KV SD BD B from Unit 3 DG 3A, 3B, 3C, or 3D
  • 4KV SD BD C from Unit 3 DG 3A, 3B, 3C, or 3D
  • 4KV SD BD D from Unit 3 DG 3A, 3B, 3C, or 3D

This evolution is addressed in 0-AOI-57-1A, Attachment 1, Section 5.0.

The nine steps of this evolution are performed in the main control rooms and the shutdown board room.

One person could perform all actions in less than one hour, moving between the control rooms and shutdown board rooms.

If three operators were utilized the activity could be completed in less time (most likely less than 15 minutes).

Supply any Unit 3 4KV SD BD from any Unit 1/2 DG via the 4KV Bus Tie BD:

  • 4KV SD BD 3A from Unit 1 DG A, B, C, or D
  • 4KV SD BD 3B from Unit 1 DG A, B, C, or D
  • 4KV SD BD 3C from Unit 1 DG A, B, C, or D
  • 4KV SD BD 3D from Unit 1 DG A, B, C, or D

It is possible to supply any 4KV SD BD on Unit 3 from any Unit 1 DG by utilizing the 4KV Bus Tie Board; however, this alignment is not anticipated and is not covered by an existing operating procedure.

This alignment is not anticipated as each Unit 3 division already has 100% redundancy (e.g., two 100% Unit 3 DGs for each division).

In an emergency situation, it would be possible to supply any Unit 3 SD board from any Unit 1 DG via the 4KV Bus Tie BD.

The steps necessary to perform this activity would be essentially the same nine steps contained in 0-AOI-57-1A, Section 5.0.

It is reasonable to expect that 0-AOI-57-1A, Section 5.0 could be revised (emergency revision process) to supply a Unit 3 SD BD from a Unit 1 DG and the activity performed in approximately one hour.


NRC Question:

15. On page E1-12 of Enclosure 1 of the submittal, it is stated that each DG is required to maintain an unavailability factor of less than or equal to 0.0342, as monitored over a 24-month rolling interval.

Please provide the basis for the required unavailability factor of 0.0342.

TVA Response:

Maintenance Rule performance criteria, such as requiring each diesel generator to maintain an unavailability factor of less than or equal to 0.0342 as monitored over a 24 month rolling interval, were developed by the responsible system engineer and approved by an expert panel.

In developing this criterion, the system engineer considered such factors as historical performance, industry operating experience, PSA results, and expectations for future performance.

The 0.0342 unavailability factor is not bounded by the PSA model, which uses a value of 0.0189.

In accordance with SPP 6.6, "Maintenance Rule Performance Indicator Monitoring, Trending and Reporting - 10 CFR 50.65," if the performance criteria exceed PSA assumptions, a sensitivity analysis is performed to determine the effect on core damage frequency and the acceptability of the criteria.

The sensitivity analysis showed no change in LERF and an eight percent change in CDF.

Therefore, the difference between the Maintenance Rule performance criterion and the value used in the PSA was classified as non-risk significant and the maintenance rule diesel generator unavailability criterion was considered acceptable.


NRC Question:

16. What type of formal agreements have been established between the control room operators and the transmission system operator (TSO)?

Is the TSO notified in advance that a DG is going to be out for an extended period of time?

Does the TSO notify the operator when the conditions of the grid are such that degraded voltage (i.e., below the Technical Specification requirements) could occur following a trip of the reactor unit?

TVA Response:

TVA Policy And Organization Manual, Intergroup Agreement IGA-6 defines the interfaces and working relationships between TVA Nuclear (TVAN) and the Transmission/Power Supply Group (TPS).

The agreement applies to:

  • The joint business partnership agreements between TPS and TVAN for the design, modification, operation, and maintenance of Browns Ferry switchyards, transformer yards, and associated transmission equipment.
  • The development, maintenance, and control of transmission system studies to support TPS Operating Guides and TVAN Auxiliary Power Studies such as load flows, fault analysis, and transient stability studies to determine the adequacy of the off-site power supply to TVA's nuclear plants.

As a result of the Northeast grid blackout in August, 2003, "off-normal" activities are coordinated between the plant and TVA Transmission Planning to minimize challenges or vulnerabilities to the grid.

"Off-normal" activities are categorized as:

1. Planned or Emergent work on safety related components that place the plant in a short (less than or equal to seven days) LCO,
2. High Risk or Trip risk significant activities, or
3. Down power or reduced power activities.


These activities are coordinated during daily communication between the Plant Operation Staff and the Load Dispatcher and/or Site TPS Representative.

"Off-normal" conditions resulting from grid abnormalities are coordinated via telephone call, initiated by the TDCC or Load Dispatcher, when abnormal grid conditions occur.

TPS routinely communicates with the site Operation Managers on transmission matters affecting the plant (system configuration, work at other sites, switching utilizing site personnel, etc.).

TPS notifies site operations personnel when the grid cannot support the established voltage limits.

Generally, this communication is handled by telephone initiated by the Transmission Dispatch Control Center (TDCC).

IGA-6 Attachment A requires that the transmission operator be promptly notified by the nuclear plant control room if offsite power cannot support a unit trip with design basis accident loading.

The notification must be made within 15 minutes of identification of the condition.

This will allow for automatic and/or manual actions to restore the availability of adequate offsite power.

If the condition can be resolved within 15 minutes, notification to the nuclear plant is not required.


NRC Question:

17. With respect to compensatory measures, please describe your policy regarding discretionary maintenance on the switchyard, main and station service transformers.

TVA Response:

Discretionary maintenance on the main and station service transformers is controlled by either SPP-7.1, On Line Work Management, or SPP-7.2, Outage Management, depending on whether the work is performed on-line or in a unit outage.

Both processes require that maintenance activities have a risk assessment performed to determine the risk category, and that compensatory measures and senior management oversight then be implemented as appropriate to the risk category.

Additionally, the activities would be assessed to determine whether the "critical evolution" criteria apply; if an activity is determined to be a critical evolution, it would receive additional assessment, oversight and management approval prior to implementation.

Procedure NOM-SDP-6, Switchyard Risk, requires all maintenance on TPS controlled switchyard equipment that represents a "Switchyard Risk" be conducted in accordance with SPP-7.1, On Line Work Management, or SPP-7.2, Outage Management.

This ensures that the SPP-7.1 or SPP-7.2 risk assessment, control, and mitigation processes, including implementation of compensatory measures and senior management oversight, are applied to TPS controlled switchyard activities that constitute a risk to nuclear safety or power generation.


NRC Question:

18. Is any equipment that supports the station's physical security plan powered from the EDGs or otherwise affected by this requested Technical Specification change?

TVA Response:

Equipment that supports the physical security plan is not powered from the emergency diesel generators or otherwise affected by this requested Technical Specification change.
