ML092810227


Request to Amend Technical Specification (TS) 3.8.7, Inverters - Operating, to Extend Completion Time for Restoration of an Inoperable Inverter
Site: Palo Verde, Arizona Public Service
Issue date: 09/28/2009
From: Mims D, Arizona Public Service Co
To: Document Control Desk, Office of Nuclear Reactor Regulation
References: 102-06069-DCM/SAB/CJS


Text

10 CFR 50.90

A subsidiary of Pinnacle West Capital Corporation

Palo Verde Nuclear Generating Station
Dwight C. Mims, Vice President, Regulatory Affairs and Plant Improvement
Mail Station 7605, P.O. Box 52034, Phoenix, Arizona 85072-2034
Tel. 623-393-5403, Fax 623-393-6077

102-06069-DCM/SAB/CJS
September 28, 2009

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Dear Sirs:

Subject: Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3, Docket Nos. STN 50-528, 50-529, and 50-530, Request to Amend Technical Specification (TS) 3.8.7, "Inverters - Operating," to Extend Completion Time for Restoration of an Inoperable Inverter

As permitted by 10 CFR 50.90, Arizona Public Service Company (APS) hereby requests to amend Operating License Nos. NPF-41, NPF-51, and NPF-74, by amending the Technical Specifications (TS) that are incorporated as Appendix A to the Operating Licenses for PVNGS Units 1, 2, and 3. As detailed further in Enclosure 1 to this letter, the proposed amendment would revise Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for restoration of an inoperable vital alternating current (AC) inverter from 24 hours to 7 days. The proposed amendment is based on risk-informed and deterministic evaluations, and is requested to support on-line corrective maintenance of the vital AC inverters. to this letter provides a detailed description of, and basis for, the proposed TS amendment, as well as technical and regulatory evaluations of the amendment.

This enclosure includes the basis for a determination that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c). Proposed TS page markups and retyped TS pages are included as Attachments 1 and 2, respectively, to Enclosure 1 to this letter. A markup of the affected TS Bases pages is also provided for information as Attachment 3 to .

Enclosure 2 to this letter describes the PVNGS Probabilistic Risk Assessment (PRA) Quality and History, and Enclosure 3 provides an Internal Events Model Self Assessment Evaluation for the proposed amendment to TS 3.8.7, to extend the Completion Time for inoperable vital AC inverters.

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance: Callaway, Comanche Peak, Diablo Canyon, Palo Verde, San Onofre

As discussed further in Enclosure 1 to this letter, the amendment proposed herein is similar to those previously approved by the Nuclear Regulatory Commission (NRC) for the Clinton, North Anna, Braidwood and Byron Stations. The NRC reviews preceding these approvals involved the original licensee application as well as licensee responses to NRC requests for additional information (RAIs). Accordingly, APS has reviewed the applicable licensee amendment requests, RAI responses, and the associated regulatory approvals, and has incorporated them as appropriate herein.

Enclosures 4, 5, and 6 contain the APS response to each RAI question area and, as appropriate, reference to the sections of the license amendment request that incorporate the issues raised in the question.

Approval of the proposed amendment is requested by July 30, 2010. Once approved, the amendment shall be implemented within 60 days.

In accordance with the PVNGS Quality Assurance Program, the Plant Review Board and the Offsite Safety Review Committee have reviewed and concurred with this proposed amendment. By copy of this letter, this submittal is being forwarded to the Arizona Radiation Regulatory Agency (ARRA) pursuant to 10 CFR 50.91(b)(1).

No commitments are being made by this letter. Should you need further information regarding this amendment request, please contact Russell A. Stroud, Licensing Section Leader, at (623) 393-5111.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on ____ (Date)

Sincerely, DCM/RAS/CJS/gat


Enclosures:

1. Evaluation of the Proposed Change (with 3 Attachments)
2. PVNGS Probabilistic Risk Assessment Quality and History
3. Internal Events Model Self Assessment Evaluation for Tech Spec 3.8.7, Vital AC Inverters, Allowed Outage Time Extension Submittal
4. Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding Clinton Power Station Request for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter
5. Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding North Anna Power Station Request for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter
6. Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding Byron Station and Braidwood Station Requests for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter

cc:
E. E. Collins Jr., NRC Region IV Regional Administrator
J. R. Hall, NRC NRR Project Manager
R. I. Treadway, NRC Senior Resident Inspector for PVNGS
A. V. Godwin, Arizona Radiation Regulatory Agency
T. Morales, Arizona Radiation Regulatory Agency

ENCLOSURE 1 Evaluation of the Proposed Change

Subject: Request for Amendment to Technical Specification (TS) 3.8.7, "Inverters - Operating," to Extend Completion Time for Restoration of an Inoperable Inverter

1. SUMMARY DESCRIPTION
2. DETAILED DESCRIPTION
   2.1 Description of the Proposed Changes
   2.2 Basis for Requesting the Proposed Changes
3. TECHNICAL EVALUATION
   3.1 Introduction
   3.2 System Description
   3.3 Deterministic Evaluation
   3.4 Probabilistic Risk Assessment (PRA)
   3.5 Maintenance Rule Program Controls
   3.6 Conclusion
4. REGULATORY EVALUATION
   4.1 Applicable Regulatory Requirements/Criteria
   4.2 Precedent
   4.3 No Significant Hazards Consideration Determination
   4.4 Commitments
5. ENVIRONMENTAL CONSIDERATION
6. REFERENCES

ATTACHMENTS:
1. Technical Specification Markup
2. Retyped Technical Specification
3. Technical Specification Bases Markups

Enclosure 1 Evaluation of the Proposed Change Amendment to TS 3.8.7

1. SUMMARY DESCRIPTION

This evaluation supports an Arizona Public Service Company (APS) request to amend Operating License Nos. NPF-41, NPF-51, and NPF-74 for Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3, respectively. The license amendment is requested specifically to amend the Technical Specifications (TS) that are incorporated as Appendix A to the Operating Licenses for PVNGS Units 1, 2, and 3. The proposed amendment would revise Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for restoration of an inoperable vital alternating current (AC) inverter from 24 hours to 7 days. The amendment detailed herein is proposed to support on-line corrective maintenance of the vital AC inverters and will have no significant impact on public health and safety.

2. DETAILED DESCRIPTION

2.1 Description of the Proposed Changes

The proposed amendment would revise Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for restoration of an inoperable vital AC inverter from 24 hours to 7 days. The specific changes to the PVNGS TS for Units 1, 2, and 3 are indicated in the proposed TS page markups and retyped TS pages that are included as Attachments 1 and 2, respectively, to this enclosure. A copy of the affected TS Bases page markups is also provided as Attachment 3 to this enclosure.

2.2 Basis for Requesting the Proposed Changes

Consistent with the objectives of the Nuclear Regulatory Commission's (NRC's) policy entitled "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," (Probabilistic Risk Assessment [PRA] Policy Statement; Reference 6.1), the amendment proposed herein provides (1) safety decision-making enhanced by the use of PRA insights, (2) more efficient use of resources, and (3) a reduction in unnecessary burden. As discussed further below, the proposed inverter Completion Time extension would provide these benefits by supporting the ability to complete on-line corrective maintenance of an inoperable vital AC inverter.

Required Action A.1 of TS 3.8.7 currently allows only 24 hours to troubleshoot and repair an inoperable vital AC inverter, perform post-maintenance testing, and return it to service. As stated in the TS 3.8.7 Bases, the 24-hour Completion Time is based on engineering judgment, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability.

Recent experience both at PVNGS and at other nuclear power plants has shown that the current 24-hour Completion Time for restoration of an inoperable vital AC inverter is insufficient in certain instances to support on-line troubleshooting, corrective maintenance, and post-maintenance testing while the unit is at power. Specifically, since May 2005, PVNGS has experienced six (6) instances involving an unexpected inoperability of a vital AC inverter. In four (4) of these instances, the ability to complete repairs and restore the affected inverter within the 24-hour Completion Time became uncertain, to the extent that site management considered a request for Notice of Enforcement Discretion (NOED). In two of these four instances, the time required to complete the repair exceeded the 24-hour Completion Time; accordingly, the unit entered Condition B of TS 3.8.7, which requires the unit transition to Mode 3 in 6 hours and Mode 5 in 36 hours (Reference 6.33). With preparations being made for unit shutdown, the shutdowns were narrowly avoided when the necessary corrective repairs were completed and the inverter restored to operable status shortly before initiating power reductions.

Other nuclear power plants have had similar instances of inverter failures prompting requests for NOEDs. On December 5, 2005, FPL Energy Seabrook, LLC received NRC approval of enforcement discretion for an 18-hour extension to the Seabrook Station Allowed Outage Time (AOT) for an inoperable (i.e., failed) vital instrument bus inverter (Reference 6.2). The basis for the NOED was that the 24-hour AOT did not provide adequate time to troubleshoot the problem, complete the repair activities, and perform post-maintenance testing to return the inverter to operable status.

In addition to the NOED approved for FPL Energy Seabrook, LLC, the Nine Mile Point and Watts Bar nuclear stations received enforcement discretion in 2003 and 2001, respectively, to extend the Completion Time for an inoperable instrument bus inverter (References 6.3 and 6.4). These examples, combined with inverter TS Completion Time extensions from 24 hours to 7 days previously approved by the NRC for the Clinton, North Anna, Braidwood, and Byron Stations (as detailed in Section 4.2 of this evaluation), demonstrate that the current 24-hour Completion Time for restoration of an inoperable vital AC inverter can, in some cases, be insufficient to support on-line troubleshooting, corrective maintenance, and post-maintenance testing.

The PVNGS vital AC inverters have experienced sporadic maintenance and operational issues since installation. Repair actions have included replacement of capacitors, metal oxide varistors (MOVs), silicon controlled rectifiers (SCRs), and voltage regulators that have been susceptible to age-related degradation, along with instances of solder problems. These problems have all been managed through corrective maintenance actions and the inverters are in Maintenance Rule category (a)(2), based on historical data that the Class 1E Instrument Power System (PN) inverters are meeting established performance criteria. Although a shutdown has not been completed due to an inoperable inverter at PVNGS, shutdown actions were initiated at least two times in the past year because an inverter could not be restored to operable status within the 24 hours provided by TS 3.8.7, Action A.1. In addition, APS prepared submittals to request an NOED on four occasions in the past two years, for inverter outages that were at risk of exceeding the 24 hour Completion Time.

Based on the above discussion, extending the Completion Time to 7 days for an inoperable vital AC inverter is anticipated to result in a number of benefits that meet the NRC's PRA Policy Statement objectives. These benefits are described in the following table:

Table: Anticipated Benefits of Proposed Inverter Completion Time Extension, marked (X) against the NRC PRA Policy Statement Objectives. The objective column headings are not legible in the source; the marks are shown after each benefit as they appear.

1. Provide additional time to complete repairs following an inverter malfunction; (X X)
2. Avert unplanned unit shutdowns and minimize the potential need for requests for NOED; (X X X)
3. Increase the time to perform troubleshooting, repair, and testing following inverter equipment problems, which will enhance the safety and reliability of equipment and personnel. (X X)
4. Allow time to perform routine maintenance activities on the vital inverters in Modes 1 through 4, enhancing the ability to focus quality resources on the activity and the availability of the inverters during refueling outage periods. (X X X)

3. TECHNICAL EVALUATION

3.1 Introduction

APS has determined that the proposed vital AC inverter Completion Time extension from 24 hours to 7 days is necessary to support on-line troubleshooting, corrective maintenance, and post-maintenance testing of an inoperable inverter while the unit is at power (MODES 1-4). As detailed in this section and in Section 4 of this evaluation, implementation of the proposed inverter Completion Time extension would comply with current NRC regulations and guidance, and would have no significant impact on public health and safety.

3.2 System Description

The function of the vital AC inverters is to provide AC electrical power to the vital AC instrumentation and control buses. The vital AC inverters are the preferred source of power for the 120-volt vital AC instrumentation buses because of the stability and reliability they achieve by being powered from the 125-volt direct current (DC) battery source. Alternatively, the vital AC instrumentation buses can be powered from an AC source via a Class 1E constant voltage regulator through a transfer switch. This configuration provides an uninterruptible power source for the instrumentation and controls for the Reactor Protective System (RPS) and the Engineered Safety Features Actuation System (ESFAS). There are two vital AC inverters per independent train (A and B), for a total of four vital AC inverters per PVNGS unit. Specific details on the vital AC inverters and their operating characteristics are found in the PVNGS Updated Final Safety Analysis Report (UFSAR), Section 8.3.1.1.6.

Each 25 kVA, 120-volt AC, single-phase vital AC inverter is part of an independent vital AC instrumentation power supply that also consists of a transfer switch, a backup voltage regulator, and one distribution panel. In each PVNGS unit, four power sources supply the four channels of the RPS and ESFAS in a design configuration that ensures that each of the four channels is electrically and physically isolated. The transfer switches installed in the vital AC instrumentation power supplies in PVNGS Units 2 and 3 are automatic static transfer switches, while the Unit 1 transfer switches are manually operated. As indicated previously, if an inverter is inoperable or is to be removed from service for maintenance or testing, the associated vital AC instrumentation bus is powered from a separate Class 1E regulated power supply through the transfer switch.

The initial conditions of Design Basis Accident (DBA) and transient analyses in the PVNGS UFSAR, Chapter 6, "Engineered Safety Features," and Chapter 15, "Accident Analyses," assume Engineered Safety Feature (ESF) systems are operable. The vital AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary power to the RPS and ESFAS instrumentation and controls so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. Accordingly, the vital AC inverters are required to be operable in Modes 1, 2, 3, and 4 to ensure that:

  • Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of anticipated operational occurrences or abnormal transients; and
  • Adequate core cooling is provided, and containment operability and other vital functions are maintained in the event of a postulated DBA.

The vital AC inverters ensure the availability of AC electrical power for the instrumentation and controls of systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated design basis accident. Maintaining the required vital AC inverters operable ensures that the redundancy incorporated into the design of the RPS and ESFAS instrumentation and controls is maintained. The four inverters (two per train) ensure an uninterruptible supply of AC electrical power to the vital AC instrument buses even if the 4160-volt safety buses are de-energized.

Operable vital AC inverters require the associated vital AC instrumentation bus to be powered by the inverter with output voltage and frequency within tolerances, and power input to the inverters from a 125-volt DC station battery. With a vital AC inverter inoperable, its associated vital AC instrument bus becomes inoperable until it is re-energized from its Class 1E constant voltage source regulator. With a vital AC inverter inoperable and the associated vital AC instrumentation bus supplied from the alternate (interruptible) regulated AC electrical power source, a loss of offsite power will result in loss of power to the associated vital AC instrumentation bus. Power would be restored once the associated diesel generator (DG) re-energized the bus. Following restoration of vital AC instrumentation bus power, bus loads would be restored with no adverse impact to PVNGS since the unaffected instrument channels would be expected to be operable (with the exception of any undergoing routine surveillances) and powered from their respective inverters.

3.3 Deterministic Evaluation

The vital AC inverters provide a stable and reliable source of AC power to the vital AC instrumentation buses. There are four inverters, two per train, each of which can be supplied from a separate 125-volt DC battery source or from an AC source via a Class 1E constant voltage regulator through a transfer switch.

In order for a vital AC instrumentation bus to remain de-energized following a loss of offsite power, while powered from its alternate AC source, the associated DG would have to fail or the alternate regulated power source would have to fail. In the unlikely event of such a failure, the most significant impact on the unit would be the failure of one train of vital AC powered equipment to operate (e.g., an ADV positioner on each steam generator for either Channel A or B, see Section 3.4.4). In this condition, the redundant train of vital AC powered equipment would be available to mitigate the accident, and the unit would remain within the bounds of the accident analyses. In addition, there would be no adverse impact to the unit because no other instrument channels in the opposite train would be expected to be inoperable or in a tripped condition during this time, with the exception of routine surveillances. Since the probability of these events occurring simultaneously during a planned maintenance window is low, there is minimal safety impact due to the requested extended Completion Time.

Should a vital instrument bus lose power, the RPS and ESFAS actuation logic for the affected channel would be completed due to the fail safe nature of the design. As described in Section 3.3.1, the logic requires a two-out-of-three logic, with a fourth channel capable of being bypassed. The safety functions associated with the vital instrumentation buses are, therefore, met with the power supplied by the alternate AC regulated electrical power source.

The combination of defense-in-depth and safety margin inherent in the electrical distribution system ensures an uninterruptible supply of power and supports extension of the Completion Time from 24 hours to 7 days, as discussed further below.

3.3.1 Defense-in-Depth Evaluation

As described above, each PVNGS unit has two vital AC inverters per independent train (A and B), for a total of four vital AC inverters (Channels A and C for A Train, Channels B and D for B Train). The system design configuration ensures that each of the four channels is electrically and physically isolated. If an inverter is inoperable or is to be removed from service for maintenance or testing, the associated vital AC instrumentation bus is powered from a separate Class 1E regulated power supply through the transfer switch.

As described in the UFSAR, the four vital AC channels provide independent power to the four RPS measurement channels that generate trip signals, with the exception of control element assembly (CEA) position. The RPS requires coincidence of two like trip signals to generate a reactor trip signal. The fourth channel is provided as a spare and allows bypassing of one channel while maintaining a two-out-of-three system.

The defense-in-depth philosophy requires multiple means or barriers to be in place to accomplish safety functions and prevent the release of radioactive material. During operation with an inoperable, out-of-service vital instrument bus inverter, the associated vital AC instrument bus is energized from its back-up source, a dedicated voltage regulating transformer. The source of power for the back-up supply is a safety-related motor control center (MCC), which relies on the DG as the back-up power supply. In the event of a failure of a vital AC inverter, the static transfer switch (in Unit 2 or 3) will shift the instrument bus to its back-up source with no interruption of power to the instrument bus. In Unit 1, the vital AC bus is re-energized by operator action from the back-up source. Should a loss of off-site power (LOOP) occur while an instrument bus is aligned to its back-up source, the instrument bus will remain de-energized for approximately ten seconds until the DG starts and energizes the back-up power supply.

In order for the instrument bus to remain de-energized, the DG would have to fail or the MCC that provides the back-up power source would have to fail. A failure to energize a vital AC instrument bus following a LOOP has no impact on the ability of the RPS or ESFAS to actuate. The remaining three vital 120-volt AC instrument buses will be unaffected by the loss of offsite power because they will be supplied from their associated inverter batteries.

The impact of a ten second loss of power to the single affected vital 120-volt AC instrument bus on plant operations will be minimal. The plant will shut down due to the loss of offsite power, and the remaining three instrument buses will still provide the required two-out-of-three channel actuation logic to the RPS and ESFAS. TS permit no more than one vital instrument bus inverter to be inoperable, so that when one vital instrument bus is aligned to its back-up source, the redundant instrument bus inverters will be operable and aligned to a DC power supply.
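The coincidence argument in Sections 3.3 and 3.3.1 can be checked mechanically. The Python model below is an added example and is not part of the APS submittal; the channel letters follow the text, while the `Channel` fields, the "stuck" failure mode and all function names are assumptions made for illustration of a simplified four-channel system.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Channel:
    """One RPS/ESFAS measurement channel and its vital AC bus (simplified)."""
    source: str = "inverter"   # "inverter" (battery-backed) or "backup" (regulator fed from the MCC)
    bypassed: bool = False     # the one channel the design allows to be bypassed
    stuck: bool = False        # assumed failure mode: energized channel never trips on demand


def bus_energized(ch, offsite_power, dg_running):
    """An inverter-fed bus rides on the 125 V DC battery; a bus on its
    back-up source needs offsite power or the diesel generator."""
    if ch.source == "inverter":
        return True
    return offsite_power or dg_running


def trip_signal(ch, demand, offsite_power, dg_running):
    """Trip signal contributed by one channel."""
    if ch.bypassed:
        return False                      # a bypassed channel is out of the vote
    if not bus_energized(ch, offsite_power, dg_running):
        return True                       # fail-safe: loss of bus power completes the channel logic
    return demand and not ch.stuck


def actuates(channels, demand, offsite_power=True, dg_running=False):
    """Actuation requires coincidence of two like trip signals."""
    signals = [trip_signal(c, demand, offsite_power, dg_running)
               for c in channels.values()]
    return sum(signals) >= 2


def tolerates_single_failure(channels, offsite_power=True, dg_running=False):
    """True if a real demand still actuates with any one channel stuck."""
    for name, ch in channels.items():
        degraded = dict(channels)
        degraded[name] = replace(ch, stuck=True)
        if not actuates(degraded, True, offsite_power, dg_running):
            return False
    return True


def lineup(**overrides):
    """Four channels A-D on their inverters, with optional per-channel overrides."""
    channels = {name: Channel() for name in "ABCD"}
    channels.update(overrides)
    return channels


if __name__ == "__main__":
    # Constructed scenarios, not plant data.
    on_backup = lineup(A=Channel(source="backup"))
    bypass_a = lineup(A=Channel(bypassed=True))

    print("all inverters, single failure tolerated:",
          tolerates_single_failure(lineup()))
    # LOOP before the DG has energized the back-up supply (the ~10 s window).
    print("A on back-up, LOOP, no demand -> actuation:",
          actuates(on_backup, demand=False, offsite_power=False, dg_running=False))
    print("A on back-up, LOOP, single failure tolerated:",
          tolerates_single_failure(on_backup, offsite_power=False, dg_running=False))
    print("A bypassed (two-out-of-three), single failure tolerated:",
          tolerates_single_failure(bypass_a))
```
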

The unavailability of a single vital AC inverter by entry into a TS Action Statement for inverter maintenance does not reduce the amount of available equipment to a level below that necessary to mitigate a design basis accident. The two protective trains, with adequate independence and backup power supplies, ensure proper mitigation of postulated accidents. The proposed change will continue to provide multiple means to accomplish safety functions and prevent the release of radioactive material, consistent with the defense-in-depth philosophy.

The proposed extension of the vital AC inverter TS Completion Time does not introduce any new common cause failure modes, and protection against failure modes previously considered in the UFSAR analyses is not compromised.

3.3.2 Safety Margin Evaluation

The proposed extension of the vital AC inverter TS Completion Time remains consistent with the codes and standards applicable to the PVNGS onsite AC sources and electrical distribution system. With one of the required 120-volt AC uninterruptible power distribution systems being powered from the 1E constant voltage regulator and backed up by a DG, there is no significant reduction in the margin of safety.

The instrument bus inverters are the preferred source of power for the AC instrument buses because of the stability and reliability that they provide. The inverters can be powered from an AC source or from an associated 125-volt DC battery. The battery provides an uninterruptible power source. On Units 2 and 3 each instrument bus inverter is equipped with a safety-related static transfer switch that connects the vital inverter output to its associated instrument bus. The static transfer switch will transfer the instrument bus power source to its maintenance supply in the absence of an output from the inverter, in the event of an overload condition, or with a degraded AC power source to the inverter. The static transfer switch is an electronic, solid state device that will automatically or manually transfer instrument bus power from the inverter to the back-up source without interruption of power. Unit 1 relies on operator action to shift the vital AC bus power supply to the back-up voltage regulator.

In the event of a LOOP with a vital instrument bus aligned to its back-up source, the instrument bus will remain de-energized for approximately ten seconds until the DG starts and energizes the back-up supply. In order for the instrument bus to remain de-energized, the DG would have to fail or the MCC that provides the back-up power source would have to fail. The simultaneous failure of an inverter and its back-up supply coincident with a LOOP is unlikely. Nonetheless, a failure to energize a vital AC instrument bus following a LOOP has no impact on the ability of the RPS or ESFAS to actuate.

3.4 Probabilistic Risk Assessment (PRA)

The impact of the proposed extension of the vital AC Inverter Completion Time on plant safety was evaluated using PRA calculations. These calculations provide a quantitative evaluation of risk in terms of average Core Damage Frequency (CDF) and Large Early Release Frequency (LERF). This evaluation included consideration of the Maintenance Rule program based on 10 CFR 50.65(a)(4) to control the performance of other potentially high risk tasks during an inverter outage, as well as consideration of specific compensatory measures to minimize risk. The risk evaluation was based on the three-tiered approach suggested in RG 1.177, "An Approach for Plant-Specific Risk-Informed Decisionmaking: Technical Specifications" (Reference 6.8), as follows:

Tier 1 - PRA Capability and Insights
Tier 2 - Avoidance of Risk-Significant Plant Configurations
Tier 3 - Risk-Informed Configuration Risk Management Program

Evaluations addressing each of these tiers are provided below. The PRA model serves as the primary tool for these evaluations. Therefore, in order to establish the qualification of the PRA model, supplemental background information related to the development, application, and quality of the PRA model for PVNGS is provided below.

Palo Verde maintains a "living" PRA to evaluate the impacts of maintenance activities and planned equipment outages on plant risk levels. The impacts of these activities on calculated CDF and LERF are identified for management review on a weekly and sometimes daily basis, prior to initiating these activities. This risk-informed approach to work planning provides assurance that plant risks will be controlled during the proposed 7-day Completion Time for restoring an inoperable vital AC inverter to operable status.

Enclosure 2 to this submittal describes the Palo Verde PRA Quality and History, including discussions of the PRA procedures, reviews, updates, and quality control provisions.

Enclosure 3 to this submittal describes a Self Assessment of the Palo Verde PRA, including specific impacts on the proposed Inverter Completion Time extension request.

3.4.1 PRA Model Development

The PRA model is described in Enclosure 2, "Palo Verde PRA Quality and History."

PVNGS uses the large fault tree/small event tree, also known as the linked fault tree, methodology, and basic failure events are modeled down to the component level.

3.4.2 PRA Model Maintenance

The PVNGS program for maintaining the PRA model is described in Enclosure 2, "PVNGS Probabilistic Risk Assessment Quality and History." Maintenance provisions include periodic monitoring of plant changes and periodic updates to the PRA model.

3.4.3 PRA Model Application

Application of the PVNGS PRA model to the proposed amendment is discussed in , "Internal Events Model Self Assessment Evaluation for Tech Spec 3.8.7, Vital AC Inverters, Allowed Outage Time Extension Submittal."

3.4.4 Tier 1: PRA Capability and Insights

Risk-informed support for the proposed change is based on PRA calculations performed to quantify the change in CDF and LERF resulting from the increased Completion Time for the vital inverters.

The PVNGS PRA model and documentation have been maintained current and are routinely updated to reflect the current plant configuration and to reflect the accumulation of additional plant operating history and component failure data.

The Level 1 and Level 2 PVNGS PRA analyses were originally developed and submitted to the NRC in APS letter 161-04750 (Reference 6.32), as the Palo Verde Nuclear Generating Station Individual Plant Examination (IPE) Submittal. The PVNGS PRA has been updated several times since the original IPE. The PRA update used for this application includes the incorporation of all the "A" PRA Peer Review Fact and Observations (F&Os) and all but one of the risk significant "B" F&Os (lack of an internal flood analysis). The PRA Peer Review is discussed in Enclosure 2.

The model used in this analysis is documented in Engineering Study 13-NS-C029, Revision 15, Interim PRA Change Documentation. The baseline CDF and LERF values, including random maintenance events, are 5.07E-6/yr and 3.03E-7/yr, respectively. Truncation levels for internal events CDF and LERF are 1E-12/yr and 1E-13/yr, respectively. For fire the truncation levels are 2E-12/yr and 1E-13/yr, respectively. The seismic analysis used the internal events truncation values.

Calculations for this submittal included random maintenance events. No equipment recoveries are credited in the PRA model.

To determine the effect of the proposed 7-day Completion Time for an inverter, the guidance suggested in RG 1.174 and RG 1.177 was used. Thus, the following risk metrics were used to evaluate the risk impacts of extending the inverter Completion Time from 24 hours to 7 days:

Delta CDF_AVE = change in the annual average CDF due to any increased on-line maintenance unavailability of inverters that could result from the increased Completion Time. This risk metric is used to compare against the criterion of RG 1.174 to determine whether a change in CDF is regarded as risk significant. This criterion is a function of the baseline annual average core damage frequency, CDF_BASE.

Delta LERF_AVE = change in the annual average LERF due to any increased on-line maintenance unavailability of inverters that could result from the increased Completion Time. RG 1.174 criteria were also applied to judge the significance of changes in this risk metric.

ICCDP = incremental conditional core damage probability with inverter out-of-service for an interval of time equal to the proposed new Completion Time (i.e., 7 days). This risk metric is used as suggested in RG 1.177 to determine whether a proposed increase in Completion Time has an acceptable risk impact.

ICLERP = incremental conditional large early release probability with an inverter out-of-service for an interval of time equal to the proposed new Completion Time (i.e., 7 days). RG 1.177 criterion was also applied to determine the significance of changes in this risk metric.

The vital AC buses are normally supplied by a dedicated inverter powered from the associated DC bus with a dedicated voltage regulator as a backup power supply.

The equipment supplied by the vital AC buses modeled in the PRA is:

  • Cooling fans in the Balance Of Plant (BOP) Engineering Safety Features Actuation System (ESFAS) cabinets, which each have an auctioneered DC power supply (also Channels A and B only),

Virtually all of the Class 1E instrumentation used by the operators to monitor and control the plant, as well as Plant Protection System power supplies, are also supplied by vital AC, but the redundant nature of the vital AC and Plant Protection systems results in extremely high reliability, and these functions are not explicitly modeled.

Examination of baseline model importance results shows that Channel A inverter has the highest Risk Achievement Worth, so the analysis uses it as the affected channel.

This will bound the results for the other three channels. The small asymmetry between Channels A and B arises from the different effects on Auxiliary Feedwater (AFW) by the sequencers in the BOP ESFAS cabinets. Train B AFW pump receives a start signal, whereas the Train N (non-essential) AFW pump (powered from Train A) does not, so it must be started manually. Also, the battery chargers and voltage regulators are reloaded by sequencers, which supports the Train A steam-driven AFW pump; Train B AFW does not require long-term DC power. Vital AC Channels C and D are far less risk-important than Channels A and B, because they have fewer and even lower risk-significant loads on them.

Certain modeling changes were necessary to perform the risk evaluation. One of the few differences among the Palo Verde units is use of a static transfer switch to provide a "bumpless" transfer from the inverter to the voltage regulator in the event of inverter failure. Unit 1 does not currently have this feature and depends on operator action to restore instrument bus power from the back-up voltage regulator. The PRA baseline model has the static transfer switch. To provide a bounding analysis (operator action is less reliable than the automatic transfer switch) a Human Reliability Analysis (HRA) was developed for this purpose. It was substituted for the static transfer switch failure in the fault trees. It was only used for the long-term average impact to CDF and LERF. For ICCDP and ICLERP calculations, it was set TRUE. This is due to the initial conditions where one channel is already failed (hence the plant is in Condition A of TS 3.8.7), and the restoration of power to the vital bus from the back-up voltage regulator was successful. A second failure would result in the plant being in TS 3.0.3 with only one hour to respond. The HRA is not valid under this time constraint.

In addition, because neither ADVs nor Shutdown Cooling is a risk-significant system as determined via Maintenance Rule risk ranking, and the BOP ESFAS cabinet cooling fans have auctioneered power supplies, the vital AC system is also of low risk-significance. The low risk-significance of the inverters led to their being screened out of the need to model common-cause failure using the methodology of NUREG/CR-5485 (Reference 6.9). In fact, the common-cause database in NUREG/CR-6268 (Reference 6.10) does not include data on inverters. However, to capture potential uncertainty in the historical data for common-cause inverter failures for this specific application, common-cause modeling for the inverters was added. An initial screening value for beta of 0.1 was assigned with a subsequent sensitivity study performed. Thus, the common-cause event has a value of 10 percent of the random inverter failure.

Palo Verde does not have a seismic PRA. The seismic contribution was estimated by assuming all equipment and off-site power remain functional below the Operating Basis Earthquake (OBE = 0.1g); off-site power is lost and no equipment remains functional above the Review Level Earthquake (RLE = 0.3g); and only seismically qualified equipment remains functional between those values and off-site power is assumed to have been lost. By using the LOOP event tree with the difference between the RLE and OBE frequencies as the initiating event frequency (2.6E-4/yr from Seismic Hazard Evaluation for PVNGS, Rev. 2; Prepared by Risk Engineering, Inc.; April 1993) and not crediting off-site power recovery, the Station Blackout Generators or the non-class AFW Pump (located in the non-seismic turbine building), the seismic contribution can be conservatively estimated.

The PVNGS Individual Plant Examination for External Events (IPEEE) analysis of high winds, tornadoes, external floods, transportation accidents, nearby facility accidents, and other external hazards was accomplished by reviewing the plant environs against regulatory requirements regarding these hazards. Based upon this review, it was concluded that PVNGS meets the applicable Standard Review Plan requirements and, therefore, has an acceptably low risk with respect to these hazards. The inverter Completion Time extension does not impact the conclusions of the assessment for these external hazards. It should be noted that the effect of high winds and tornadoes on off-site power is included in the determination of Palo Verde's LOOP frequency, which used NUREG/CR-INEEL/EXT-04-02326 (October 2004). Regarding the lack of internal flood modeling, the inverters and their power supplies are not located in areas of the plant subject to potential for significant flooding.

RESULTS

Table 1 shows the results for ICCDP and ICLERP separately for internal events, fire and seismic events. Note that there was no measurable change in seismic risk even with the conservative assumptions made. ICCDP and ICLERP were calculated using the following equation:

ICCDP or ICLERP = (R1 - R0) × (7 days / 365 days/yr)

where

R1 = CDF/LERF with Channel A inverter out of service and the voltage regulator aligned to supply power to the Channel A vital AC bus

R0 = CDF/LERF with all four inverter failures set FALSE (this maximizes the delta to be calculated)

The resulting values are well within the guideline values in RG 1.177 of 5E-7 for ICCDP and 5E-8 for ICLERP.

Table 1: PRA Model Results for ICCDP and ICLERP

| Risk Measure | Internal Events | Fire | Seismic | Total |
|---|---|---|---|---|
| ICCDP | 4.8E-8 | 9.6E-11 | 0.0 | 4.8E-8 |
| ICLERP | 2.0E-9 | 3.8E-12 | 0.0 | 2.0E-9 |

For purposes of determining the impact on CDF and LERF long term, an assumption of two entries per year using 72 hours per entry was made. This is applied to the inverters in all four channels, so it is many times the level of unavailability experienced even with the recent inverter failures. One-hundred forty-four (144) hours per reactor critical year (90 percent capacity factor) gives an unavailability of 1.83E-2. The resulting CDF and LERF are shown in Table 2. Given the much smaller effects in the fire and seismic results, only internal events results are calculated. The results show a negligible increase in average internal events CDF and LERF. Changes in fire and seismic CDF and LERF would not be measurable. Table 2 also shows that even if the entire 7-day Completion Time is used twice per year on each of the four channels, the delta CDF and LERF values are still well within the RG 1.174 guideline values of 1E-6/yr and 1E-7/yr, respectively.

Table 2: PRA Model Results for CDF and LERF - Increase in CDF and LERF Due to Extended Completion Time

| Risk Measure | Six days/yr-channel Unavailability | Two weeks/yr-channel Unavailability |
|---|---|---|
| Delta CDF | 3E-9/yr | 7E-9/yr |
| Delta LERF | 2E-10/yr | 5E-10/yr |

Uncertainty and Sensitivity Analysis

Sensitivity analyses were run on those initiators and basic event parameters that would have the most impact on the results given an unavailable inverter. Given the extremely low impact on fire and seismic results, only the effect on internal events was calculated.

Sensitivity cases were considered on the following parameters:

  • LOOP frequency - Since the inverters maintain power to the vital AC buses, a loss of off-site power challenges the back-up power supply. Loss of Off-site Power frequency is increased to its 95th percentile value of 5.11E-2/yr from 2.13E-2/yr.
  • Inverter failure rate - This affects the remaining three inverters, since one is already assumed to be out of service. The inverter failure rate parameter was increased to its 95th percentile value of 1.70E-4/hr from 5.50E-5/hr. This also results in an increase in the common-cause failure rate parameter to 1.70E-5/hr from 5.50E-6/hr.
  • Common-cause beta factor - The beta factor would have to be increased to more than 0.31 to have a greater effect than that associated with the inverter random failure rate. Therefore, a value of 0.5 is used, giving a value of 2.75E-5/hr.
  • Voltage regulator failure rate - This failure only applies to Channel A, because the voltage regulator for a second failed inverter is never placed in service (failure of the operator action is set TRUE). The failure rate is increased to its 95th percentile value of 1.99E-5/hr from 7.11E-6/hr.
  • DG unavailability - DG unavailability was found to have increased from 6.74E-3 to 2.7E-2 over the last three years. The test will use the 95th percentile of the updated value, which is 8.36E-2.
  • Operator action for aligning the back-up voltage regulator - The failure of the action is assumed TRUE, thus no sensitivity analysis is necessary.

Table 3 shows the sensitivity to changes in the parameters tested. Although inverter failure rate and DG unavailability show more than a 10 percent increase in ICCDP and ICLERP, both metrics remain well below the RG 1.177 (Reference 6.8) guideline values.
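The parameter arithmetic behind the sensitivity cases and the ICCDP/ICLERP screening can be cross-checked directly from the figures quoted above. The following is an added example, not part of the APS submittal; the function names, the 8,760-hour year, and the reading of the 0.31 break-even beta (the beta that, at the nominal failure rate, matches the common-cause rate obtained at the 95th percentile failure rate) are assumptions made for illustration.

```python
"""Cross-check of figures quoted in the sensitivity discussion (added example)."""

HOURS_PER_YEAR = 8760.0  # assumption: 365-day year, matching the ICCDP equation
DAYS_PER_YEAR = 365.0

# RG 1.177 guideline values as quoted on the page.
ICCDP_GUIDELINE = 5e-7
ICLERP_GUIDELINE = 5e-8

# Table 3 sensitivity results as quoted on the page: case -> (ICCDP, ICLERP).
TABLE_3 = {
    "LOOP frequency": (4.7e-8, 2.0e-9),
    "Inverter failure rate": (6.4e-8, 2.8e-9),
    "Beta factor": (5.0e-8, 2.1e-9),
    "Voltage regulator failure rate": (4.8e-8, 2.0e-9),
    "DG unavailability": (5.8e-8, 2.5e-9),
}


def unavailability(out_of_service_hours, capacity_factor):
    """Fraction of reactor-critical time that a component is out of service."""
    if not 0.0 < capacity_factor <= 1.0:
        raise ValueError("capacity factor must be in (0, 1]")
    return out_of_service_hours / (HOURS_PER_YEAR * capacity_factor)


def common_cause_rate(beta, random_failure_rate):
    """Beta-factor screening: common-cause rate = beta * random failure rate."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    return beta * random_failure_rate


def breakeven_beta(nominal_rate, p95_rate, screening_beta):
    """Beta that, at the nominal rate, gives the same common-cause rate as the
    screening beta does at the 95th percentile rate (assumed interpretation)."""
    return common_cause_rate(screening_beta, p95_rate) / nominal_rate


def incremental_probability(r1, r0, completion_time_days=7.0):
    """ICCDP or ICLERP = (R1 - R0) * completion time / 365 days per year."""
    return (r1 - r0) * completion_time_days / DAYS_PER_YEAR


def implied_delta_frequency(probability, completion_time_days=7.0):
    """Invert the equation: the (R1 - R0) in /yr implied by a reported value."""
    return probability * DAYS_PER_YEAR / completion_time_days


def screen(cases, iccdp_limit=ICCDP_GUIDELINE, iclerp_limit=ICLERP_GUIDELINE):
    """Compare each case with the guideline values and report the margin used."""
    results = {}
    for name, (iccdp, iclerp) in cases.items():
        results[name] = {
            "iccdp_fraction": iccdp / iccdp_limit,
            "iclerp_fraction": iclerp / iclerp_limit,
            "within_guideline": iccdp < iccdp_limit and iclerp < iclerp_limit,
        }
    return results


if __name__ == "__main__":
    # Two 72-hour entries per year at a 90 percent capacity factor.
    print(f"unavailability        = {unavailability(2 * 72, 0.9):.2E}")
    # Common-cause rates for the screening, 95th percentile and beta = 0.5 cases.
    for beta, rate in ((0.1, 5.50e-5), (0.1, 1.70e-4), (0.5, 5.50e-5)):
        print(f"beta={beta}, lambda={rate:.2E}/hr -> "
              f"{common_cause_rate(beta, rate):.2E}/hr")
    print(f"break-even beta       = {breakeven_beta(5.50e-5, 1.70e-4, 0.1):.3f}")
    # Derived here, not stated on the page: delta CDF implied by ICCDP = 4.8E-8.
    print(f"implied R1 - R0 (CDF) = {implied_delta_frequency(4.8e-8):.2E}/yr")
    for name, row in screen(TABLE_3).items():
        print(f"{name:32s} ICCDP {row['iccdp_fraction']:.1%} of guideline, "
              f"ICLERP {row['iclerp_fraction']:.1%}, "
              f"within={row['within_guideline']}")
```

The largest case, the inverter failure rate sensitivity, uses about 13 percent of the ICCDP guideline value and about 6 percent of the ICLERP guideline value.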

Table 3: Sensitivity Analysis Results

| Risk Measure | LOOP | Inverter Failure Rate | Beta Factor | Volt Reg. Failure Rate | DG Unavailable |
|---|---|---|---|---|---|
| ICCDP | 4.7E-8 | 6.4E-8 | 5.0E-8 | 4.8E-8 | 5.8E-8 |
| ICLERP | 2.0E-9 | 2.8E-9 | 2.1E-9 | 2.0E-9 | 2.5E-9 |

The cumulative effect of previously granted Completion Time extensions was also evaluated. Palo Verde has three previous Completion Time extensions:

  • Safety Injection Tank Completion Time extended from one hour to 24 hours or seven days, depending on the parameter
  • Low Pressure Safety Injection system from 72 hours to seven days
  • DGs from 72 hours to ten days

Table 4 shows the estimated change in CDF and LERF (where available) for these three previous changes and the current application. It is important to note that the PRA model used was different for each of these analyses. Both CDF and LERF have decreased significantly over the years as the model was refined and conservatisms removed. Even with that, the total changes in CDF and LERF are still below the RG 1.174 (Reference 6.7) guideline values. The inverter Completion Time extension adds an insignificant amount to both CDF and LERF.

Table 4: Cumulative Impact of Completion Time Extensions

| Completion Time Change | CDF | LERF |
|---|---|---|
| SITs | 0.0 | Not Available |
| LPSI | +1.3E-7/yr | Not Available |
| DG | +5.0E-7/yr | +2.6E-8/yr |
| Inverters | +3.0E-9/yr | +2.0E-10/yr |
| TOTAL | +6.3E-7/yr | +2.6E-8/yr |

Transition and Shutdown Risk

Transition and shutdown risk are not quantified. Palo Verde does not have a model for these states. Previous estimates of forced shutdown (transition) risk, exclusive of risk in a steady-state shutdown mode, have yielded conditional core damage probability far higher than that estimated for continued operation with one inverter out of service.

However, this change should be evaluated on risk increase that is acceptable under the Maintenance Rule. No attempt to balance any increased operational risk against transition and shutdown risk is made in this submittal.

3.4.5 Tier 2: Avoidance of Risk-Significant Plant Configurations

A comparison of the cutsets with and without the Channel A inverter out of service was performed. Loss of Vital AC is modeled as an initiating event for Channels A and B, since failure to address the condition leads to a forced shutdown and has some impact on mitigation. In the baseline model, these two initiators together only contribute 0.1 percent to CDF and <0.1 percent to LERF. When the Channel A inverter is removed from service a substantial increase in the contribution of the Loss of Channel A Vital AC initiating event is seen due to the unavailability of a redundant power supply for that channel. A substantial increase in the Loss of Channel B Vital AC initiating event is also seen due to the assumption of operator failure to align the voltage regulator (or automatic transfer) should the Channel B inverter fail while the Channel A inverter is out of service. Crediting the operator action for Unit 1 (or the automatic transfer in Units 2 or 3) would greatly reduce the contribution from the loss of Channel B initiator. Those Loss of Channel A cutsets that rise in importance include power supply faults that are common to both the Channel A voltage regulator, which is now the sole power source for the vital AC bus, and another important component, such as one suction valve for the non-class 1E AFW Pump, or two Train A HPSI injection valves along with a random failure on Train B that fails the Train B HPSI pump (sequences involving induced LOCA through a Pressurizer Safety Valve).

The fire and seismic results do not show any significant change in component importance.

There is reasonable assurance that risk-significant plant equipment configurations will not occur when a vital AC inverter is out-of-service consistent with the proposed Technical Specification. This conclusion is based on implementation of specific compensatory measures prior to planned activities that will render a vital AC inverter inoperable. These compensatory measures are included in the proposed TS Bases for TS 3.8.7 as follows:

"Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Maintenance on the associated train Diesel Generator (DG); or
b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event."

It is recognized that TS LCO 3.0.3 must be entered if one or more additional inverters are inoperable. In addition, increases in risk posed by potential combinations of equipment out-of-service will be managed under the Configuration Risk Management Program (CRMP).

3.4.6 Tier 3: Risk Management and Assessment Program for Planned Maintenance

PVNGS follows procedure 70DP-ORA05, "Assessment of Risk Due to Maintenance When in Modes 1 and 2," to ensure that the risk impact of equipment out of service is appropriately evaluated prior to performing any maintenance activity. This process uses a probabilistic review to identify risk-significant plant equipment outage configurations in a timely manner both during the work management process and for emergent conditions during normal plant operation. Appropriate consideration is given to equipment unavailability, operational activities like testing, and weather conditions. This process includes provisions for performing a configuration dependent assessment of the overall impact of risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service. Risk is re-evaluated if equipment failure/malfunction or emergent conditions produce a plant configuration that has not been previously assessed.

For planned maintenance activities, an assessment of the overall risk of the activity on plant safety, including benefits to reliability and performance, is currently performed prior to scheduled work. The assessment includes the following considerations:

  • Maintenance activities that affect redundant and diverse structures, systems, or components (SSCs) that provide backup for the same function are minimized.
  • The potential for planned activities to cause a plant transient are reviewed and work on SSCs that would be required to mitigate the transient are avoided.
  • Work is not scheduled that has a potential to exceed a TS Completion Time requiring a plant shutdown. Planning for on-line equipment outages typically provides for a 100 percent contingency time within the TS Completion time.
  • As a final check, a quantitative risk assessment is performed to ensure that the activity does not pose an unacceptable risk. This evaluation is performed using the Level 1 and 2 PRA model. The results of the risk assessment are classified in Table 5 by a color code based on the increased risk of the activity as follows:

Table 5: Risk Management Action Levels

| Risk Management Action Level | Level of Risk | Plant Impact and Required Action |
|---|---|---|
| Green | Minimal Risk | Little or no impact on Plant Risk. Normal work control practices apply. |
| Yellow | Acceptable Risk | More than minimal impact on Plant Risk. Requires increased awareness of affected safety function by plant personnel. Plant Manager permission is required and Risk Management Action Guidelines are implemented if CDP (LERP) exceeds 1E-06 (1E-07) (not a normal occurrence) |
| Orange | High-Risk | Significant impact on Plant Risk. Requires written contingency planning and Plant Manager's approval prior to entry. Risk Management Action Guidelines are implemented. |
| Red | Unacceptable Risk | No planned evolutions are normally scheduled that result in this risk level. Entry requires Vice President - Operations notification/approval. Risk Management Action Guidelines are implemented. |

Emergent work is reviewed by Operations to evaluate the impact of the emergent work on the scheduled risk profile. Prior to starting any work, the work scope and schedule are reviewed to assure that nuclear safety and plant operations are consistent with the expectations of management. Individual work activities that potentially have an impact to plant risk shall be evaluated to effectively determine the overall impact to plant risk levels.

As part of the risk management program the following types of items may be considered in work planning to minimize an incremental risk.

  • Evaluate simultaneous switchyard maintenance and reliability.
  • Evaluate simultaneous maintenance or inoperable status of any of the remaining three instrument bus inverters for the unit.
  • Evaluate simultaneous emergency diesel generator or station blackout generator maintenance.

In accordance with NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (Reference 6.11), the inverters are considered risk significant and therefore the reliability and unavailability of the inverters are monitored to demonstrate that their performance is adequate.

The reliability and availability of the affected vital AC inverters are monitored under the PVNGS Maintenance Rule program. If the pre-established reliability or availability performance criteria are exceeded for the vital AC inverters, consideration must be given for 10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," paragraph (a)(1) actions, including increased management attention and goal setting in order to restore their performance (i.e., reliability and availability) to an acceptable level. The performance criteria are risk based and, therefore, are a means to manage the overall risk profile of the plant. An accumulation of large core damage probabilities over time is precluded by the performance criteria.

The vital AC inverters are all currently in the 10 CFR 50.65(a)(2) Maintenance Rule category (i.e., the vital AC inverters are meeting established performance criteria).

Performance of planned vital AC inverter on-line maintenance is not anticipated to result in exceeding the current established Maintenance Rule criteria for the vital AC inverters.

The actual vital AC inverter reliability and availability will be monitored and periodically evaluated, per Procedure 70DP-OMR01, "Maintenance Rule," to assess the effect of the proposed extended Completion Time upon plant performance in relation to Maintenance Rule goals.

To ensure the TS Completion Time does not degrade operational safety over time, the Maintenance Rule Program will be used, as discussed above, to identify and correct adverse trends. Compliance with the Maintenance Rule not only optimizes reliability and availability of important equipment, it also results in management of the risk when equipment is taken out of service for testing or maintenance per 10 CFR 50.65(a)(4).

As stated previously, PVNGS has developed a CRMP consistent with 10 CFR 50.65(a)(4). The goals of this program are to ensure that risk-significant plant configurations will not be entered for planned maintenance activities, and appropriate actions will be taken should unforeseen events place the plant in a risk-significant configuration during the proposed extended vital AC inverter Completion Time.

3.5 Maintenance Rule Program Controls

The vital AC inverters are scoped into the Maintenance Rule via the PN system. PN is a high risk Maintenance Rule system. The vital AC inverters currently have performance criteria to address reliability and unavailability. Performance criteria (a)(2) monitoring is performed at the train level. The PN system is currently being maintained in accordance with Maintenance Rule (a)(2) monitoring.

The reliability performance criterion for the PN inverters is no more than 3 failures in an 18-month period. The unavailability performance criterion for the PN inverters is < 0.3 percent for a rolling 18-month period.

Table 6 shows the current PN inverter reliability/availability for the three Palo Verde units.

Table 6: PVNGS Current PN Inverter Reliability/Availability

| Unit | Train | # Failures/18 mo. | Unavailability |
|---|---|---|---|
| 1 | A | 0 | 0.00 |
| 1 | B | 0 | 0.00 |
| 1 | C | 1 | 0.18 |
| 1 | D | 0 | 0.00 |
| 2 | A | 1 | 0.17 |
| 2 | B | 1 | 0.19 |
| 2 | C | 1 | 0.21 |
| 2 | D | 0 | 0.04 |
| 3 | A | 0 | 0.00 |
| 3 | B | 0 | 0.00 |
| 3 | C | 0 | 0.00 |
| 3 | D | 0 | 0.00 |

The reliability/unavailability performance criteria are based on operating/historical information and are set below the limit that would have a noticeable impact (>1.0E-06) on the PRA model.

Should the reliability or unavailability performance criteria be exceeded, the associated unit/train PN inverter would receive a Maintenance Rule (a)(1) review. Should the unit/train be placed in (a)(1) monitoring status, a cause determination would be performed that generally results in: 1) corrective actions to return system/train to (a)(2); 2) establishment of goals to monitor the system/train while in (a)(1); and 3) an effective monitoring period would be established to ensure that corrective actions are effective at restoring system/train performance. Procedure 70DP-0MR01, "Maintenance Rule" contains the process for (a)(1) activities.

3.6 Conclusion

The results of the deterministic evaluation and risk-informed assessment described above provide high assurance that the equipment required to safely shut down the plant and mitigate the effects of a DBA will remain capable of performing their safety functions when a vital AC inverter is out of service for maintenance or repairs in accordance with the proposed extended Completion Time. The deterministic evaluation concluded that the proposed change is consistent with the defense-in-depth philosophy, in that: 1) there continue to be multiple means available to accomplish the required safety functions and prevent the release of radioactive material in the event of an accident; and 2) multiple barriers currently exist and additional barriers will be provided to minimize the risk associated with entering the extended vital AC inverter Completion Time so that protection of public health and safety is assured. The deterministic evaluation also concluded that the proposed change will not adversely affect the reduction in severe accident risk that was achieved with implementation of the station blackout rule (10 CFR 50.63) or affect any of the safety analyses assumptions or inputs as described in the UFSAR. The risk-informed assessment concluded that the increase in plant risk is small and consistent with the NRC's Safety Goal Policy Statement (Reference 6.5), as implemented via the NRC Standard Review Plan (SRP), (NUREG-0800; Reference 6.6), RG 1.174 (Reference 6.7), and RG 1.177 (Reference 6.8).

The proposed extension of the vital AC inverter Completion Time is consistent with NRC policy and will continue to provide protection of the public health and safety. As detailed in Section 2.2 of this evaluation, the proposed change advances the objectives of the NRC's PRA Policy Statement (Reference 6.1), including safety decision-making enhanced by the use of PRA insights, more efficient use of resources, and reduction of unnecessary burden.

Therefore, based on the above evaluations and conclusions, APS believes that the proposed change is acceptable and operation in the proposed manner will not present undue risk to public health and safety or be inimical to the common defense and security.

4. REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements/Criteria

The proposed inverter Completion Time extension has been evaluated to determine whether applicable regulations and requirements continue to be met. To fully evaluate the effect of the proposed change, PRA methods and a deterministic analysis were used. APS has determined that the proposed Completion Time extension does not require any exemptions or relief from regulatory requirements, other than the Technical Specifications, and does not affect conformance with the General Design Criteria differently than described in the PVNGS UFSAR.

4.1.1 Regulations

10 CFR 50.36, "Technical specifications," requires that operating licenses for nuclear reactors must include TS that specify Limiting Conditions for Operation (LCOs) for equipment required for safe operation. Based on the risk-informed assessments presented herein, the proposed change in the vital AC inverter Completion Time has no significant impact on the continued conformance with the requirements of 10 CFR 50.36.

10 CFR 50, Appendix A, General Design Criterion (GDC) 17, "Electric power systems," requires, in part, that nuclear power plants have onsite and offsite electric power systems to permit the functioning of structures, systems, and components (SSCs) that are important to safety. The onsite system must have sufficient independence, redundancy, and testability to perform its safety function, assuming a single failure. The offsite power system must be supplied by two physically independent circuits that are designed and located so as to minimize, to the extent practical, the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. In addition, this criterion requires provisions to minimize the probability of losing electric power from the remaining electric power supplies as a result of a loss of power from the unit, the offsite transmission network, or the onsite power supplies. The proposed change continues to provide sufficient independence, redundancy, and testability, and ensures that the probability of losing power as a result of a loss of power from the unit, the offsite transmission network, or the onsite power supplies is minimized. Therefore, implementation of the proposed Completion Time extension will have no significant effect on the continued conformance with GDC 17.

10 CFR 50, Appendix A, GDC 18, "Inspection and testing of electric power systems," requires that electric power systems that are important to safety must be designed to permit appropriate periodic inspection and testing. The proposed change does not make changes to inverter inspections or testing. Therefore, implementation of the proposed Completion Time extension will have no significant effect on the continued conformance with GDC 18.

10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," requires that preventive maintenance activities must be sufficient to provide reasonable assurance that SSCs are capable of fulfilling their intended functions. As it relates to the proposed inverter Completion Time extension, 10 CFR 50.65(a)(4) requires the assessment and management of the increase in risk that may result from proposed maintenance activities. As discussed previously, the PVNGS Maintenance Rule program monitors the reliability and availability of the vital AC inverters and ensures that appropriate management attention and goal setting are applied based on pre-established performance criteria. The vital AC inverters are all currently in the 10 CFR 50.65 (a)(2) Maintenance Rule category (i.e., the vital AC inverters are meeting established performance criteria). The PVNGS CRMP is consistent with 10 CFR 50.65 (a)(4), and is managed to ensure that risk-significant plant configurations will not be entered for planned maintenance activities, and that appropriate actions will be taken should unforeseen events place the plant in a risk-significant configuration during the proposed extended vital AC inverter Completion Time. Therefore, the proposed extension of the vital AC inverter Completion Time from 24 hours to 7 days, and the planned vital AC inverter on-line maintenance that this extension will permit, are not anticipated to result in exceeding the current established Maintenance Rule criteria for the vital AC inverters.

10 CFR 50.63, "Loss of all alternating current power," requires that nuclear power plants must be able to withstand a loss of all AC power for an established period of time and recover from a station blackout (see RG 1.155, "Station Blackout," dated August 1988; Reference 6.12). The proposed extension of the vital AC inverter Completion Time from 24 hours to 7 days has no significant effect on the ability to withstand a loss of all AC power and recover from a station blackout.

10 CFR 50.90, "Application for amendment of license or construction permit," addresses the requirements for a licensee desiring to amend its license and the TS incorporated therein. This request for amendment to PVNGS TS 3.8.7 has been prepared to meet the requirements of 10 CFR 50.90.

4.1.2 Applicable Regulatory Criteria/Guidance

Regulatory criteria and guidance related to risk-informed activities implement and are consistent with the NRC's "Safety Goal Policy Statement" (Reference 6.5) and the NRC's PRA Policy Statement (Reference 6.1). General criteria for evaluating the technical basis for proposed risk-informed changes are provided in Section 19.2, "Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance," of the NRC SRP, NUREG-0800 (Reference 6.6). More specific guidance related to risk-informed TS changes is provided in SRP Section 16.1, "Risk-Informed Decision Making: Technical Specifications" (Reference 6.13), which includes Completion Time changes as part of risk-informed decision-making.

Section 19.2 of the SRP states that a risk-informed application should be evaluated to ensure that the proposed change meets the following key principles:

  • The proposed change meets the current regulations, unless it explicitly relates to a requested exemption or rule change;
  • The proposed change is consistent with the defense-in-depth philosophy;
  • The proposed change maintains sufficient safety margins;
  • When proposed changes increase CDF or risk, the increase(s) should be small and consistent with the intent of the NRC's Safety Goal Policy Statement; and
  • The impact of the proposed change should be monitored using performance measurement strategies.

The NRC's Safety Goal Policy Statement and PRA Policy Statement are implemented in part via RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" (Reference 6.7), and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications" (Reference 6.8). RG 1.174 describes a risk-informed approach, acceptable to the NRC, for assessing the nature and impact of proposed licensing basis changes by considering engineering issues and applying risk insights.

RG 1.177 identifies an acceptable risk-informed approach, including additional guidance geared toward the assessment of proposed TS Completion Time changes. Specifically, RG 1.177 identifies a three-tiered approach for the evaluation of the risk associated with a proposed TS Completion Time change as shown below.

  • Tier 1 assesses the risk impact of a proposed change in accordance with acceptance guidelines consistent with the NRC's Safety Goal Policy Statement, as documented in RG 1.174 and RG 1.177. The first tier assesses the impact on operational plant risk based on the change in CDF and change in LERF. It also evaluates plant risk while equipment covered by the proposed Completion Time is out of service, as represented by ICCDP and ICLERP. Tier 1 also addresses PRA quality, including the technical adequacy of the licensee's plant-specific PRA for the subject application. Cumulative risk of a proposed TS change in light of past applications, or additional applications under review, is also considered, along with uncertainty/sensitivity analysis with respect to the assumptions related to the proposed TS change.

  • Tier 2 identifies and evaluates any potential risk-significant plant equipment outage configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk-significant operational factors, such as concurrent system or equipment testing, are also involved. The purpose of this evaluation is to ensure that there are appropriate restrictions in place, such that risk-significant plant equipment outage configurations will not occur when maintenance associated with the proposed Completion Time is implemented.

  • Tier 3 addresses the licensee's overall CRMP to ensure that adequate programs and procedures are in place for identifying risk-significant plant configurations resulting from maintenance or other operational activities, and that appropriate compensatory measures are taken to avoid such configurations that may not have been considered when the Tier 2 guidance was developed. Compared with Tier 2, Tier 3 provides additional coverage to ensure that risk-significant plant equipment outage configurations are identified in a timely manner and that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity over extended periods of plant operation.

Tier 3 guidance can be satisfied by 10 CFR 50.65(a)(4) (Maintenance Rule), which requires a licensee to assess and manage the increase in risk that may result from activities such as surveillance testing and corrective and preventive maintenance, subject to the guidance provided in RG 1.177, Part C, "Regulatory Position," Section 2.3.7.1, and the adequacy of the licensee's program and supporting PRA model. The CRMP is established to ensure that equipment removed from service prior to or during the proposed extended Completion Time will be appropriately assessed from a risk perspective.

More specific methods and guidelines acceptable to the staff are also outlined in RG 1.177 for assessing risk-informed TS changes. Specifically, RG 1.177 provides recommendations for utilizing risk information to evaluate changes to TS Completion Times and surveillance test intervals with respect to the impact of the proposed change on the risk associated with plant operation. RG 1.177 also describes acceptable implementation strategies and performance monitoring plans to help ensure that the assumptions and analysis used to support the proposed TS changes will remain valid.

An implementation and monitoring program should include means to adequately track the performance of equipment that, when degraded, can affect the conclusions of the licensee's evaluation for the proposed licensing basis change. RG 1.174 states that monitoring performed in accordance with the Maintenance Rule can be used when the monitoring performed under the Maintenance Rule is sufficient for the SSCs affected by the risk-informed application.

SRP Section 19.1, "Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities" (Reference 6.14), and RG 1.200, "An Approach For Determining The Technical Adequacy Of Probabilistic Risk Assessment Results For Risk-Informed Activities," Revision 1 (Reference 6.15), provide guidance to licensees for use in determining the technical adequacy of the base PRA used in a risk-informed regulatory activity. RG 1.200 endorses standards and industry guidance that address risk-informed activities, and is a supporting document to other NRC regulatory guides that address risk-informed activities, including RG 1.174 and RG 1.177 described above.

The APS assessment of potential risk impacts associated with the vital AC inverter Completion Time extension proposed herein was performed in a manner consistent with the guidance and criteria described above. This assessment confirms that applicable regulatory requirements will continue to be met, adequate defense-in-depth will be maintained, sufficient safety margins will be maintained, and any increase in risk is small and consistent with the NRC's Safety Goal Policy Statement, as implemented via the NRC's SRP, RG 1.174, RG 1.177, and RG 1.200. The ICCDP and ICLERP for each vital AC inverter meet the regulatory guidelines such that the impact on plant risk is considered small. Thus, the criteria of RG 1.177 for the proposed increased inverter Completion Time are satisfied. Furthermore, the evaluation of changes in CDF and LERF due to the potential for increased inverter unavailability, as mitigated by the compensating measures assumed in the analysis, has been shown to meet the risk significance criteria of RG 1.174.

As discussed previously, APS implements a CRMP consistent with 10 CFR 50.65(a)(4).

The goals of this program are to ensure that risk-significant plant configurations will not be entered for planned maintenance activities. These goals ensure that appropriate actions will be taken should unforeseen events place the plant in a risk-significant configuration during the proposed extended vital AC inverter Completion Time. To ensure the Completion Time does not degrade operational safety over time, the Maintenance Rule Program will be used, as discussed previously, to identify and correct adverse trends. In addition to optimizing reliability and availability of important equipment, compliance with the Maintenance Rule also results in management of risk when equipment is taken out of service for maintenance or testing per 10 CFR 50.65(a)(4).

Based on the considerations discussed above, the proposed extension of the vital AC inverter Completion Time from 24 hours to 7 days has been evaluated to verify that:

(1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with NRC regulations; and (3) issuance of the amendment will not be inimical to the common defense and security.

4.2 Precedent

The changes proposed herein to the Completion Time for restoration of an inoperable vital AC inverter are similar to those previously approved by the NRC for the Clinton Power Station, North Anna Power Station, and the Byron and Braidwood Stations. These previous approvals are discussed below.

Clinton Power Station

By AmerGen Energy Company, LLC (AmerGen) letter dated April 26, 2004 (Reference 6.16), as supplemented by AmerGen letters dated April 18, 2005 (Reference 6.17), October 11, 2005 (Reference 6.18), and May 19, 2006 (Reference 6.19), AmerGen requested NRC approval of a Clinton Power Station TS change to extend the Completion Time for Nuclear System Protection System Inverters. The NRC approved the change in License Amendment No. 174 for the Clinton Power Station, Unit 1, issued May 26, 2006 (Reference 6.20). The amendment issued for the Clinton Power Station was substantively equivalent to the amendment requested herein for the PVNGS, in that it revised TS 3.8.7, "Inverters - Operating," to change the Completion Time for restoration of an inoperable inverter from 24 hours to 7 days.

North Anna Power Station

By Virginia Electric and Power Company (VEPC) letter dated December 13, 2002 (Reference 6.21), as supplemented by VEPC letters dated May 8, 2003 (Reference 6.22), December 17, 2003 (Reference 6.23), February 12, 2004 (Reference 6.24), and March 9, 2004 (Reference 6.25), VEPC requested NRC approval of a North Anna Power Station TS change to extend the inverter Allowed Outage Time. The NRC approved the change in License Amendment Nos. 235 and 217 for the North Anna Power Station, Units 1 and 2, respectively, issued May 12, 2004 (Reference 6.26). The amendment issued for the North Anna Power Station was substantively equivalent to the amendment requested herein for the PVNGS, in that it revised TS 3.8.7, "Inverters - Operating," to change the Allowed Outage Time for restoration of an inoperable inverter from 24 hours to 7 days.

Byron and Braidwood Stations

By Exelon Generation Co., LLC (Exelon) letter dated October 16, 2002 (Reference 6.27), as supplemented by Exelon letters dated June 20, 2003 (Reference 6.28), October 14, 2003 (Reference 6.29), and November 7, 2003 (Reference 6.30), Exelon requested NRC approval of TS changes to extend the inverter Completion Time for the Byron and Braidwood Stations. The NRC approved the changes in License Amendment Nos. 135 for the Byron Station, Units 1 and 2, and Amendment Nos. 129 for the Braidwood Station, Units 1 and 2, issued November 19, 2003 (Reference 6.31). The amendments issued for the Byron and Braidwood Stations were substantively equivalent to the amendment requested herein for the PVNGS, in that they revised TS 3.8.7, "Inverters - Operating," to change the Completion Time for restoration of an inoperable inverter from 24 hours to 7 days.

4.3 No Significant Hazards Consideration Determination

As detailed above, the proposed amendment would modify Required Action A.1 of TS 3.8.7, "Inverters - Operating," to extend the Completion Time for restoration of an inoperable vital AC inverter from 24 hours to 7 days. APS has determined that the proposed TS amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c). This determination is based on evaluation with respect to the specific criteria of 10 CFR 50.92(c) as follows:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed TS amendment does not affect the design of the vital AC inverters, the operational characteristics or function of the inverters, the interfaces between the inverters and other plant systems, or the reliability of the inverters. An inoperable vital AC inverter is not considered an initiator of an analyzed event. In addition, Required Actions and the associated Completion Times are not initiators of previously evaluated accidents. Extending the Completion Time for an inoperable vital AC inverter would not have a significant impact on the frequency of occurrence of an accident previously evaluated. The proposed amendment will not result in modifications to plant activities associated with inverter maintenance, but rather, provides operational flexibility by allowing additional time to perform inverter troubleshooting, corrective maintenance, and post-maintenance testing on-line.

The proposed extension of the Completion Time for an inoperable vital AC inverter will not significantly affect the capability of the inverters to perform their safety function, which is to ensure an uninterruptible supply of 120-volt AC electrical power to the associated power distribution subsystems. An evaluation, using PRA methods, confirmed that the increase in plant risk associated with implementation of the proposed Completion Time extension is consistent with the NRC's Safety Goal Policy Statement, as further described in RG 1.174 and RG 1.177. In addition, a deterministic evaluation concluded that plant defense-in-depth philosophy will be maintained with the proposed Completion Time extension.

Based on the above, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed amendment does not involve physical alteration of the PVNGS. No new equipment is being introduced, and installed equipment is not being operated in a new or different manner. There is no change being made to the parameters within which the PVNGS is operated. There are no setpoints at which protective or mitigating actions are initiated that are affected by this proposed action. The use of the alternate Class 1E power source for the vital AC instrument bus is consistent with the PVNGS plant design. The change does not alter assumptions made in the safety analysis. This proposed action will not alter the manner in which equipment operation is initiated, nor will the functional demands on credited equipment be changed. No alteration is proposed to the procedures that ensure the PVNGS remains within analyzed limits, and no change is being made to procedures relied upon to respond to an off-normal event. As such, no new failure modes are being introduced.

Based on the above, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

Margins of safety are established in the design of components, the configuration of components to meet certain performance parameters, and in the establishment of setpoints to initiate alarms or actions. The proposed amendment does not alter the design or configuration of the vital AC inverters or their associated 120-volt AC subsystems, and does not alter the setpoints at which alarms and associated actions are initiated. With one of the required 120-volt AC vital instrumentation buses being powered from the alternate safety-related Class 1E power supply, which is backed by the divisional diesel generator (DG), there is no significant reduction in the margin of safety. Testing of the DGs and associated electrical distribution equipment provides confidence that the DGs will start and provide power to the associated equipment in the unlikely event of a loss of offsite power during the extended 7-day Completion Time.

Applicable regulatory requirements will continue to be met, adequate defense-in-depth will be maintained, sufficient safety margins will be maintained, and any increases in risk are consistent with the NRC Safety Goal Policy Statement. Furthermore, during the proposed extended inverter Completion Time, any increases in risk posed by potential combinations of equipment out of service will be managed in accordance with the PVNGS site Configuration Risk Management Program, consistent with Paragraph (a)(4) of 10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants."

Therefore, the proposed amendment does not involve a significant reduction in a margin of safety.

Based on the above, APS concludes that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

4.4 Commitments

There are no commitments being made by this license amendment request. The license amendment statements provide information to support NRC action and are not considered to be regulatory commitments. Once the license amendment is approved, APS plans to implement the amendment within 60 days, including the related TS Bases changes, as shown in Enclosure 1, Attachment 3.


5. ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, as established above, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

6. REFERENCES

6.1 NRC Policy Statement, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622 (60 FR 42622), August 16, 1995.

6.2 NRC Letter to FPL Energy Seabrook, LLC, "Notice of Enforcement Discretion for FPL Energy Seabrook, LLC, Regarding Seabrook Station [TAC No. MC 9007, NOED No. 2005-01-01]," dated December 5, 2005 (ADAMS Accession No. ML053400372).

6.3 NRC Letter to Nine Mile Point Nuclear Station, LLC, "Notice of Enforcement Discretion Regarding Nine Mile Point Unit 2 [TAC No. MC0294, NOED No. 2003-03-01-002]," dated August 18, 2003 (ADAMS Accession No. ML032310080).

6.4 NRC Letter to Tennessee Valley Authority, "Notice of Enforcement Discretion for Tennessee Valley Authority Regarding Watts Bar Nuclear Plant Unit 1, NOED No. 2001-2-001," dated March 8, 2001 (ADAMS Accession No. ML010680211).

6.5 NRC Policy Statement, "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement; Republication," Federal Register, Vol. 51, p. 30028 (51 FR 30028), August 4, 1986.

6.6 NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Chapter 19.2, "Review Of Risk Information Used To Support Permanent Plant-Specific Changes To The Licensing Basis: General Guidance," dated June 2007.

6.7 NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 1, dated November 2002.

6.8 NRC Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," dated August 1998.

6.9 NUREG/CR-5485, "Guidelines on Modeling Common-Cause Failures in Probabilistic Risk Assessment," dated November 1998.

6.10 NUREG/CR-6268, Revision 1, "Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding," dated September 2007.

6.11 NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," dated July 2000.

6.12 NRC Regulatory Guide 1.155, "Station Blackout," dated August 1988.

6.13 NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Chapter 16.1, "Risk-Informed Decision Making; Technical Specifications," Revision 1, dated March 2007.

6.14 NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Chapter 19.1, "Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 2, dated June 2007.

6.15 NRC Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-informed Activities," Revision 1, dated January 2007.

6.16 AmerGen Energy Company, LLC Letter No. RS-04-044 to NRC, "Request for Technical Specification Change to Extend Completion Time for Nuclear System Protection System Inverters," dated April 26, 2004 (ADAMS Accession No. ML041210913).

6.17 AmerGen Energy Company, LLC Letter No. RS-05-038 to NRC, "Additional Information Supporting the Request for License Amendment Related to Extending the Completion Time for Nuclear System Protection System Inverters," dated April 18, 2005 (ADAMS Accession No. ML051080395).

6.18 AmerGen Energy Company, LLC Letter No. RS-05-135 to NRC, "Additional Information Supporting the Request for License Amendment Related to Extending the Completion Time for Nuclear System Protection System Inverters," dated October 11, 2005 (ADAMS Accession No. ML052910184).

6.19 AmerGen Energy Company, LLC Letter No. RS-06-077 to NRC, "Clarification of Commitments Supporting the Request for License Amendment Related to Extending the Completion Time for Nuclear System Protection System Inverters," dated May 19, 2006 (ADAMS Accession No. ML061500124).

6.20 NRC Letter to AmerGen Energy Company, LLC, "Clinton Power Station, Unit 1 - Issuance of Amendment - Re: Technical Specification Change to Extend Completion Time for Nuclear System Protection System Inverters (TAC No. MC3035)," dated May 26, 2006 (ADAMS Accession No. ML061160181).

6.21 Virginia Electric and Power Company Letter No. 02-758 to NRC, "Virginia Electric and Power Company, North Anna Power Station Units 1 and 2, Proposed Risk-Informed Technical Specifications Change, Extended Inverter Allowed Outage Time," dated December 13, 2002 (ADAMS Accession No. ML023600217).

6.22 Virginia Electric and Power Company Letter No. 02-758A to NRC, "Virginia Electric and Power Company, North Anna Power Station Units 1 and 2, Request for Additional Information, Proposed Risk-Informed Technical Specifications Change, Extended Inverter Allowed Outage Time," dated May 8, 2003 (ADAMS Accession No. ML031400019).

6.23 Virginia Electric and Power Company Letter No. 03-494 to NRC, "Virginia Electric and Power Company (Dominion), North Anna Power Station Units 1 and 2, Revised Required Action Completion Time for Proposed Risk-Informed Technical Specifications Change, Extended Inverter Allowed Outage Time," dated December 17, 2003 (ADAMS Accession No. ML033580639).

6.24 Virginia Electric and Power Company Letter No. 03-494A to NRC, "Virginia Electric and Power Company (Dominion), North Anna Power Station Units 1 and 2, Revised Compensatory Measures, Extended Inverter Allowed Outage Time, Proposed Risk-Informed Technical Specifications Change," dated February 12, 2004 (ADAMS Accession No. ML040550548).

6.25 Virginia Electric and Power Company Letter No. 03-494B to NRC, "Virginia Electric and Power Company (Dominion), North Anna Power Station Units 1 and 2, Extended Inverter Allowed Outage Time, Revised Required Action Completion Time for Proposed Risk-Informed Technical Specifications Change," dated March 9, 2004 (ADAMS Accession No. ML040700512).

6.26 NRC Letter to Virginia Electric and Power Company, "North Anna Power Station, Units 1 and 2 - Issuance of Amendments re: Extended Inverter Allowed Outage Time (TAC Nos. MB6957 and MB6958)," dated May 12, 2004 (ADAMS Accession No. ML041380438).

6.27 Exelon Generation Co., LLC Letter No. RS-02-179 to NRC, "Request for Technical Specification Change, Extension of Completion Time for Instrument Bus Inverters," dated October 16, 2002 (ADAMS Accession No. ML023020061).

6.28 Exelon Generation Co., LLC Letter No. RS-03-119 to NRC, "Response to a Request for Additional Information Regarding a Technical Specification Change Request - Extension of Completion Time for Instrument Bus Inverters," dated June 20, 2003 (Not Found in ADAMS).

6.29 Exelon Generation Co., LLC Letter No. RS-03-195 to NRC, "Corrected Information Supporting a Technical Specification Change Request - Extension of Completion Time for Instrument Bus Inverters," dated October 14, 2003 (ADAMS Accession No. ML032900989).

6.30 Exelon Generation Co., LLC Letter No. RS-03-215 to NRC, "Revision to Technical Specification Change Request - Extension of Completion Time for Instrument Bus Inverters," dated November 7, 2003 (ADAMS Accession No. ML033160196).

6.31 NRC Letter to Exelon Generation Co., LLC, "Issuance of Amendments (TAC Nos. MB6569, MB6570, MB6571, and MB6572)," dated November 19, 2003 (ADAMS Accession No. ML032830455).

6.32 APS Letter 161-04750-WFC/GAM to NRC, "Submittal of PVNGS Individual Plant Examination for Severe Accident Vulnerabilities (Response to Generic Letter 88-20)," File No. 92-056-026, dated April 28, 1992.

6.33 APS Letter 102-05927-DCM/REB/DCE to NRC, "Licensee Event Report 2008-003-00," dated November 17, 2008.

ENCLOSURE 1, ATTACHMENT 1

Technical Specification Markup Page:

3.8.7-1

Inverters - Operating
3.8.7

3.8 ELECTRICAL POWER SYSTEMS

3.8.7 Inverters - Operating

LCO 3.8.7 The required Train A and Train B inverters shall be OPERABLE.

--------------------- NOTE ---------------------

One inverter may be disconnected from its associated DC bus for ≤ 24 hours to perform an equalizing charge on its associated battery, provided:

a. The associated AC vital instrument bus is energized from its Class 1E constant voltage source regulator; and
b. All other AC vital instrument buses are energized from their associated OPERABLE inverters.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTIONS

CONDITION: A. One required inverter inoperable.

REQUIRED ACTION: A.1

--------- NOTE ---------

Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating" with any vital instrument bus de-energized.

Restore inverter to OPERABLE status.

COMPLETION TIME: [struck: 24 hours] 7 days

(continued)

PALO VERDE UNITS 1,2,3 3.8.7-1 AMENDMENT NO. 4-1-ý

ENCLOSURE 1, ATTACHMENT 2

Retyped Technical Specification Page:

3.8.7-1

Inverters - Operating
3.8.7

3.8 ELECTRICAL POWER SYSTEMS

3.8.7 Inverters - Operating

LCO 3.8.7 The required Train A and Train B inverters shall be OPERABLE.

--------------------- NOTE ---------------------

One inverter may be disconnected from its associated DC bus for ≤ 24 hours to perform an equalizing charge on its associated battery, provided:

a. The associated AC vital instrument bus is energized from its Class 1E constant voltage source regulator; and
b. All other AC vital instrument buses are energized from their associated OPERABLE inverters.

APPLICABILITY: MODES 1, 2, 3, and 4.

ACTIONS

CONDITION: A. One required inverter inoperable.

REQUIRED ACTION: A.1

--------- NOTE ---------

Enter applicable Conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating" with any vital instrument bus de-energized.

Restore inverter to OPERABLE status.

COMPLETION TIME: 7 days

(continued)

PALO VERDE UNITS 1,2,3 3.8.7-1 AMENDMENT NO. 4-ý;

ENCLOSURE 1, ATTACHMENT 3

Technical Specification Bases Markups Pages:

B 3.8.7-3
B 3.8.7-4
B 3.8.7-5

Inverters - Operating B 3.8.7 BASES (continued)

LCO (continued) disconnected. All other inverters must be connected to their associated batteries and aligned to their associated AC vital instrument buses.

APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and
b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.

Inverter requirements for MODES 5 and 6, and during movement of irradiated fuel assemblies are covered in the Bases for LCO 3.8.8, "Inverters - Shutdown."

ACTIONS A.1 With a required inverter inoperable, its associated AC vital instrument bus becomes inoperable until it is re-energized from its Class 1E constant voltage source regulator.

Required Action A.1 is modified by a Note, which states to enter the applicable conditions and Required Actions of LCO 3.8.9, "Distribution Systems - Operating," when Condition A is entered with one AC vital instrument bus de-energized. This ensures the AC vital instrument bus is re-energized within 2 hours via the Class 1E constant voltage regulator.

Required Action A.1 allows [deleted: 24 hours] 7 days to fix the inoperable inverter and return it to service. The [deleted: 24 hour] 7-day limit is [deleted: based upon engineering judgment] a risk-informed Completion Time based on a plant-specific risk analysis, taking into consideration the time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability. This has to be balanced against the risk of an immediate shutdown, along with the potential challenges to safety systems such a shutdown might entail.

PALO VERDE UNITS 1,2,3 B 3.8.7-3 REVISION 41

ACTIONS A.1 (continued)

When the AC vital instrument bus is powered from its constant voltage source, it is relying upon interruptible AC electrical power sources (offsite and onsite). The uninterruptible inverter source to the AC vital instrument buses is the preferred source for powering instrumentation trip setpoint devices.

Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Maintenance on the associated train Diesel Generator (DG); or
b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event.

B.1 and B.2 If the inoperable devices or components cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 6 hours and to MODE 5 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.


SURVEILLANCE REQUIREMENTS

SR 3.8.7.1 This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital instrument buses energized from the inverter. The verification of proper voltage and frequency output ensures that the required power is readily available for the instrumentation of the RPS and ESFAS connected to the AC vital instrument buses. The 7 day Frequency takes into account the redundant capability of the inverters and other indications available in the control room that alert the operator to inverter malfunctions.

REFERENCES

1. UFSAR, Chapter 8.
2. UFSAR, Chapter 6.
3. UFSAR, Chapter 15.


ENCLOSURE 2

PVNGS Probabilistic Risk Assessment Quality and History

In Support of License Amendment Request for Technical Specification 3.8.7, Vital AC Inverters Extended Completion Time

Table of Contents

1. PALO VERDE PRA MODEL OVERVIEW
2. PALO VERDE PRA QUALITY OVERVIEW
   2.1. QUALIFICATION OF PRA STAFF
   2.2. PRA PROCEDURES
   2.3. INDEPENDENT REVIEWS
   2.4. PRA CONFIGURATION CONTROL PROGRAM
   2.5. PRA OPEN ITEMS (IMPACTS)
   2.6. MONITORING PLANT CHANGES
   2.7. PRA UPDATES
   2.8. SOFTWARE QUALITY CONTROL
   2.9. PEER REVIEWS
   2.10. CEOG CROSS-COMPARISON PROCESS
   2.11. CEOG PSA TECHNICAL POSITIONS
   2.12. CONTINUOUS QUALITY IMPROVEMENT PROCESS
3. PALO VERDE PRA DEVELOPMENT HISTORY
4. SIGNIFICANT OPEN ITEMS
5. COMBUSTION ENGINEERING OWNERS GROUP TECHNICAL POSITIONS
   5.1. CEOG PSA STANDARD: EVALUATION OF THE INITIATING EVENT FREQUENCY FOR THE LOSS OF COOLANT ACCIDENT
   5.2. CEOG PSA STANDARD: EVALUATION OF THE INITIATING EVENT FREQUENCY FOR MAIN STEAM LINE BREAK EVENTS
   5.3. CEOG PSA STANDARD: EVALUATION OF THE INITIATING EVENT FREQUENCY FOR STEAM GENERATOR TUBE RUPTURE
   5.4. CEOG PSA STANDARD: SUCCESS CRITERIA FOR THE MINIMUM NUMBER OF SAFETY INJECTION PATHWAYS FOLLOWING LARGE AND SMALL BREAK LOCAS FOR CE PWRS
   5.5. CEOG PSA STANDARD: BEST ESTIMATE ATWS SCENARIOS AND SUCCESS CRITERIA
   5.6. CEOG PSA STANDARD: EVALUATION OF THE MECHANICAL SCRAM FAILURE FOR ATWS OCCURRENCE FREQUENCY
   5.7. CEOG PSA STANDARD: REACTOR COOLANT PUMP SEAL FAILURE PROBABILITY GIVEN A LOSS OF SEAL INJECTION
   5.8. CEOG PSA STANDARD: EVALUATION OF THE INITIATING EVENT FREQUENCY FOR REACTOR VESSEL RUPTURE
6. INDEPENDENT EXTERNAL REVIEWS
7. CONCLUSION
8. REFERENCES

1 Palo Verde PRA Model Overview

Palo Verde uses the large fault tree/small event tree, also known as the linked fault tree, methodology. Basic failure events are modeled down to the component level. Level 1 (Core Damage Frequency, or CDF) and Level 2 (Large Early Release Frequency only, or LERF) are fully developed. A Level 3 (Dose Consequence) analysis was done to support the Individual Plant Examination (IPE), but has not been maintained.

The Internal Events model consists of twenty-eight (28) initiating events, which proceed through their respective event trees. Failure branches are assigned a plant damage state (PDS) CM (Core Melt) or ATWS (Anticipated Transient Without Scram) and an appropriate Level 2 damage state. ATWS is modeled in separate event trees. Failure branches there are also assigned CM and the appropriate Level 2 PDS. Core Melt is defined as initiation of sustained uncovery of the top of the active fuel.

Internal flooding was analyzed using a screening process for the IPE. That analysis is still considered to be valid. Internal flooding is not currently modeled using event and fault trees. A task is currently underway using EPRI methodology to perform an internal flood PRA.

External Events were examined as required by Generic Letter 88-20 Supplement 4, the IPE for External Events (IPEEE). None was analyzed by a fully developed PRA. A full fire PRA has since been developed and incorporated into the PVNGS PRA model. Only buildings and external areas where a fire could not credibly interfere with normal plant operations were screened from consideration. No compartments within buildings housing plant equipment used for normal power production or emergency operations were screened. There are approximately 135 fire initiating events. These proceed first through fire event trees, which determine potential fire damage states (FDS). Each FDS is then carried through an event tree mimicking the internal events event trees. CM, ATWS and Level 2 plant damage states are assigned as in the internal events event trees.

2 Palo Verde PRA Quality Overview:

  • Formal qualification program for the PRA staff
  • Use of procedures to control PRA processes
  • Independent reviews (checks) of PRA documents
  • Comprehensive PRA Configuration Control Program
      - Quarterly plant change monitoring program
      - Process to control PRA quantification software
      - Active open items list (Impact Review database)
      - Interface with the site's corrective action program
      - Process to maintain configuration of previous risk-informed decisions
  • Peer reviews
  • Participation in the Combustion Engineering Owners Group (CEOG) cross comparison process
  • Incorporation, where applicable, of CEOG PRA Technical Positions
  • Commitment of continuous quality improvement

These elements are used to achieve a quality PRA and are described in the remainder of Section 2.

Section 3 provides an overview of the development history of the PRA since the IPE submittal in April of 1992. Section 4 describes the significant PRA open items. Section 5 lists the CEOG Technical Positions and describes the PVNGS position on each of these documents. Section 6 discusses the independent (external) reviews that have been performed on PRA. A summary of the significant issues and their status is provided.

2.1 Qualification of PRA Staff

Risk analysts are qualified in accordance with the PVNGS Engineering Training Program, which meets the INPO requirements for a Systematic Approach to Training and 10CFR50.120.

2.2 PRA Procedures

The PRA model is controlled by station procedure 70DP-ORA03, PRA Model Control, Ref. 1.

The PRA model is documented by way of Engineering Studies, which are controlled by station procedure 81DP-4CC03, Engineering Studies, Ref. 2.

PRA model documentation is maintained by the Nuclear Information Records Management Department in accordance with administrative controls meeting the requirements of Reg. Guide 1.33, Ref. 3.

2.3 Independent Reviews

The Engineering Studies, which document the PRA, receive independent technical review, as required by station procedure 81DP-OCCO5, Design and Technical Document Control, Ref. 4.

2.4 PRA Configuration Control Program

The three Palo Verde units are nearly identical. Differences among the units are primarily due to the fact that plant modifications cannot be introduced simultaneously in all three units; typically they are introduced in succeeding outages. Any one of the units could be the lead unit. The model is intended to represent Unit 1. Unit One's drawings, calculations and procedures (where unitized) are the ones referenced within the model. The one exception to this is the static transfer switches for the Vital AC. Unit 1 was originally scheduled to receive this change, but did not; Units 2 and 3 did. Referenced drawing changes are reviewed by PRA Group personnel. Differences in unit applicability can be ascertained in the review. Noteworthy connections between the 3 units are as follows:

In normal line-up, the three Start-up Transformers each supply one source of off-site power to two units through separate secondary windings. Thus, loss of one Start-up Transformer would cause a single train of ESF equipment on two units to lose off-site power. Although loss of off-site power to one ESF bus is not by itself an initiating event, it can be a precursor and is captured by initiating events IELOP-TRAIN-A and IELOP-TRAIN-B.

The units are also connected via the Auxiliary Steam System, which supplies process steam for water processing and turbine gland seals during start-up. The normal line-up of this system is one unit supplying auxiliary steam for all three units. This sharing is done primarily to keep the lines warm and the water within them in good condition. Malfunctions of the system are not significant enough perturbators to cause a trip or shutdown. Nor is the system credited in the PRA for mitigating any transients or accidents. Procedures do exist, however, to transfer condensate from one unit to another, if needed.

Another common electrical connection is to the Station Blackout Gas Turbine Generators. It is not postulated that more than one unit would ever be lined up to receive power concurrently from the GTGs, although procedures exist to provide limited power to two units or to route power to the switchyard to maintain station restart capabilities (not modeled in the PRA). The likelihood of two units experiencing a simultaneous station blackout is remote and is not part of the station blackout licensing and design bases.

The Tower Make-up and Blowdown system supplies condenser cooling water to all three units to make up for evaporation and blowdown. Its failure would lead to shutdown of all three units. It has multiple pumps, powered from multiple power supplies, making it highly reliable. Should it ever fail, it would most likely be manifest as a normal shutdown for all three units. At worst, it could lead to loss of condenser vacuum and loss of Plant Cooling Water. It is not required for safe shutdown.

2.5 PRA Open Items (Impacts)

To evaluate and track items that may lead to a change to the model or its documentation, an "impact review database" is maintained. Dispositions and change records are sent to Nuclear Information Records Management and maintained per the above-mentioned requirements. Each impact is assigned a category, which corresponds to those used in the ASME PRA Standard.

2.6 Monitoring Plant Changes

Documents used in the development of the PRA are periodically (monthly) compared to the station document database to identify revisions to referenced documents. Documents that have been revised are then reviewed to determine if there is any impact to the model. Changes are identified and evaluated using the impact database and process described above.

2.7 PRA Updates

Updates to the PRA model to incorporate changes required due to plant changes are typically made annually to biennially.

2.8 Software Quality Control

Software, including Risk Spectrum™, MAAP, etc., is verified and controlled in accordance with the PVNGS Non-process Software QA Program, station procedure 80DP-OCCO1, along with implementing procedures 80DP-OCCO2, Non-process Qualified Software Development, Process and Upgrades, Ref. 6; and 80DP-OCCO6, Control and Use of Qualified Non-process Software and Data, Ref. 7.

Electronic data and databases are controlled in accordance with station procedure 80DP-OCC06, Control and Use of Qualified Non-process Software and Data. The databases are stored in a controlled, limited access location. Copies for use are required to be verified against the controlled version.

2.9 Peer Reviews

Section 5 describes the external independent reviews and their findings.

The nuclear industry has adopted a PSA Peer Review Process originally developed by the Boiling Water Reactor Owners Group (BWROG). This original BWROG Process was provided to the other owners groups. In a cooperative undertaking, this process was modified by the WOG, the B&WOG and the CEOG to be applicable to both BWRs and PWRs. The result is a common, consistent PRA peer review process that is applicable to any commercial nuclear power plant in the U.S. At the same time, it is flexible enough to incorporate individual owners group programs to enhance the technical quality and adequacy of the plant PRAs.

Combustion Engineering Owners Group performed a review of the Palo Verde PRA as part of the industry-wide PRA quality initiative in November 1999.

2.10 CEOG Cross-Comparison Process

In 1995, the CEOG PSA Working Group funded the first in a series of five cross-comparison review tasks to identify similarities and differences among CEOG member PRAs and, where the results are perceived to be different, to investigate the potential causes for differences. In general, differences in PRA results were attributed to one of the following:

  • Plant specific design or operational differences.
  • Data selection.
  • Selection of success criteria.
  • PRA modeling assumptions and modeling philosophy.

The primary interest of this effort was to highlight areas where additional attention may be desirable as the PRA evolves. Besides the knowledge and insights gained through participation in this activity, the primary product was the identification of areas where additional guidance is required.

Since that time, the PWR Owners Group has expanded the original Westinghouse database to provide model information on all PWRs to facilitate members' ability to query other facilities' results and modeling methods.

2.11 CEOG PSA Technical Positions

CEOG PSA Technical Positions (Standards) and Guidelines were developed to either address a specific application need or were an outgrowth of the results of quality-related tasks, such as the CEOG plant cross-comparison, CEOG risk-informed joint applications, and resolution of PRA issues raised by individual member utilities. Section 5 lists the CEOG Technical Positions and describes the Palo Verde position on each of these documents. The PWR Owners Group is continually addressing model quality issues.

2.12 Continuous Quality Improvement Process

The Palo Verde PRA has undergone considerable evolution since the original Individual Plant Examination (IPE) submittal. The history of the PRA model updates is described in Section 3. A strong level of commitment is demonstrated by this development history.

The Palo Verde PRA staff has been maintained at a level such that nearly all technical work is performed in-house by qualified staff with strong plant-specific knowledge. The PRA Group consists of a supervisor, or Group Leader, one consulting engineer, two senior engineers and five lower level engineers. Two of these engineers held Senior Reactor Operator Licenses or SRO certification on Palo Verde or other stations. The Maintenance Rule Group collects failure, success, unavailability and plant operating data for various plant needs, including the Maintenance Rule and the PRA.

The Palo Verde PRA Group has also actively participated in the industry peer review process. One engineer has participated in every CEOG peer review. This participation is an effective means of understanding the plant design differences, and an excellent means of seeing the different modeling techniques.

3 Palo Verde PRA Development History

Numerous revisions to the PVNGS PRA model have been implemented since the Individual Plant Examination was performed. These revisions include thousands of changes to event sequence and fault tree modeling, as well as data changes. Changes to the model and data are made in response to:

  • Physical changes to the facility
  • Changes to operating and maintenance procedures, as well as administrative controls
  • Errors found in reviews of the model, or during its use
  • Enhancements where experience has indicated that greater accuracy is needed to remove unnecessarily conservative assumptions

Coincident with conversion of the PRA model from Unix-based software and platform to a Windows-based platform using Relcon's Risk Spectrum™ software in 1996, the model was completely rebuilt to enhance documentation and control of the model and associated software. This effort led to the following improvements:

  • Equipment failure rates were updated with referenceable sources;
  • Control circuit failure analyses were completely re-performed and documented;
  • Initiating Event methodology was documented and the initiating events were recalculated and Bayesian-updated;
  • Common-cause failure methodology was re-performed and documented;
  • Human Recovery Analysis was completely re-performed and documented based on current operating, maintenance, emergency and administrative control procedures;
  • System modeling was reviewed and numerous updates made to such systems as Engineered Safety System Actuation, Auxiliary Feedwater, Low and High Pressure Safety Injection, Essential Spray Ponds (ultimate heat sink) and Chemical Volume and Control. Modeling of the non-class 1E electrical distribution systems was expanded to better capture power loss impact on non-class equipment credited in the model.
  • Since Risk Spectrum™ has extensive documentation capability, all references to station and external documents are included within the PRA database. This allows periodic comparison to the station's document database to identify revision changes.

The following changes represent corrections and enhancements to the model that improve its fidelity and accuracy, but did not necessarily have a significant impact on CDF or LERF:

  • Refined modeling of power distribution failures as initiating events to ensure completeness. Definite system boundaries were defined. The two initiators, Loss of Channel A Vital AC and Loss of Channel B Vital AC, were changed to capture all losses of power due to station equipment failure from the Start-up Transformers, the 13.8KV, 4.16KV and 480VAC distribution systems to the battery chargers and the back-up voltage regulators for the Vital AC system. A more recent change split this initiator into several pieces to better capture where in the distribution systems problems originate that lead to plant trips or shutdowns.
  • Updated Human Recovery Analysis, both to capture procedure changes and to ensure consistent and defensible modeling methodology. The EPRI HRA Calculator is used for new and updated HEPs.
  • Added Reactor Coolant Pump High Pressure Seal Cooler Rupture as an initiating event. This was identified as a potential containment bypass event.
  • Improved Steam Generator Tube Rupture modeling as the industry and NRC have addressed this issue. The model now includes multiple tube rupture sequences and pressure-induced tube rupture.
  • Data update was performed in 1998 and again in 2006. As more plant-specific data has become available through failure data trending and Maintenance Rule requirements, failure rates for risk-important equipment have been Bayesian-updated. For most equipment included in the scope of the Maintenance Rule, plant-specific unavailability values are used.
  • Added more detail to the switchyard modeling to better assess maintenance activities.
  • Removed Reactor Coolant Pump seal leakage modeling following Westinghouse evaluation of CE seal designs and acknowledgement of Palo Verde's unique design.
  • Added thermally-induced SG tube rupture following steam line break. This had no impact on results, but conforms to the industry standard.

Changes that had a significant impact on the Core Damage Frequency (CDF) or Large Early Release Frequency (LERF) are summarized below:

  • Added modeling of the Station Blackout Gas Turbine Generators (SBOGs or GTGs), which were installed to address the Station Blackout Rule, 10CFR50.63. While the modeling of the GTGs was not credited in the IPE directly, it was used to address and close out USI A-45, which was included as part of the GL 88-20 submittal.
  • Refined the GTG modeling to allow success with one GTG rather than requiring both for certain sequences. The GTGs have an output less than that of the Diesel Generators. One GTG is not capable of powering both an electric Auxiliary Feedwater Pump and a HPSI pump, along with support equipment. Since most sequences only require AF, and not HPSI, one GTG is adequate for those sequences.
  • Change of the test interval for ESFAS relay testing from 62-day to 9-month staggered as a result of a Tech Spec change; resulting common-cause failure value changes were also incorporated. This resulted in a significant increase in both CDF and LERF. At the urging of the PRA group, these test intervals were later shortened to quarterly for the relays associated with Auxiliary Feedwater injection valves. This reduced CDF and LERF by about 10 percent.
  • Credited an additional check valve in the charging line to remove conservatism in the containment penetration model. This change significantly reduced LERF.
  • Removed Loss of Control Room HVAC as an initiating event. This event had been modeled in a highly conservative and unrealistic manner. Since the Control Room is continuously manned, and since at least twelve hours are available before equipment failure temperatures would be reached, it would be virtually certain that either equipment could be repaired or temporary cooling could be established.
  • Updated Initiating Event Frequencies in 2001 resulting in significant decreases to Uncomplicated Reactor Trip and Turbine Trip frequencies. The definition of Uncomplicated Reactor Trip (called Miscellaneous Trip in the model) was narrowed to be consistent with the rest of the industry. Previously, all manual shutdowns, including for planned outages, were counted as initiators. This in turn resulted in much lower CDF and LERF, and significantly affected importance measures.
  • Addition of the alternate off-site-power supply to each ESF bus. This plant feature had not been procedurally allowed due to Technical Specification interpretation.
  • Physical plant change adding a redundant power supply to the BOP ESFAS cabinet cooling fans. This change makes spurious load shed actuation much less likely.
  • Added alignment of the Gas Turbine Generators to the initiating event trees for loss of off-site power to Train A or B ESF Bus. This provides a more realistic treatment of these initiators.
  • Changed the treatment of the Loss of Instrument Air initiating event to allow use of low-pressure condensate (Alternate Feedwater) in its mitigation. This was possible due to removal of an incorrect dependence of the Condensate system on Instrument Air.
  • Corrected modeling of spurious load shed. Certain failures had been incorrectly modeled as preventing closure of the Diesel Generator output breaker.
  • Adopted "Alpha factor" common-cause methodology and used NRC Common-Cause database to update common-cause failure probabilities in 2006.
  • Updated failure data in 2006.
  • Upon a SGTR event, credited the feed to either steam generator until the affected SG is identified.
  • Credited the removal of ESF pump room dependency on HVAC.
  • Credited the continued flow of Main Feedwater for up to 7 hours after reactor trip. Those credits lowered the LERF and CDF values. The dominant LERF contributor remained the SGTR events. No impact on containment performance.

Internal Events CDF and LERF have varied significantly as the above changes were implemented. Compared to the IPE, CDF has decreased significantly. Similarly, LERF cannot be compared to the overall Level 2 value presented in the IPE, but compared to when it was first determined in 1998, it has decreased significantly. LERF decreased from 8.65E-7/yr to 3.03E-7/yr, or 65 percent, due primarily to allowing feed to both SGs until the ruptured SG is identified, removal of the pump HVAC dependence noted above and longer availability of MFW after reactor trip. Containment failure/bypass distribution shows high pressure containment failure dominates at 44 percent followed by pressure-induced SGTR at 23 percent. SGTR itself as an initiator is a 22 percent contribution to Containment bypass. Interfacing System LOCA (RCP HP seal cooler) contributes 5 percent to Containment bypass. When internal events and fire are quantified to the same truncation level, fire contributes about 35 percent to total CDF and 30 percent to total LERF.

4 Significant Open Items

There are no Category A and only one Category B peer review items open following issue of 13-NS-C029 Rev 15. The only remaining one is lack of an internal flooding analysis. No other significant open items exist.

5 Combustion Engineering Owners Group Technical Positions:

5.1 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for the Loss of Coolant Accident

This CEOG PSA Standard is no longer used; LOCA frequencies are based on NUREG/CR-5750, Ref. 8. The NUREG values were used in lieu of the CEOG standard because the NUREG is a more recent document and more publicly available.

5.2 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Main Steam Line Break Events

The CEOG standard is used as the basis for developing large steam and feedwater line break IE frequencies.

5.3 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Steam Generator Tube Rupture

The CEOG standard is used as the basis for calculating the PVNGS SGTR frequency.

5.4 CEOG PSA Standard: Success Criteria for the Minimum Number of Safety Injection Pathways Following Large and Small Break LOCAs for CE PWRs

The CEOG standard is used.

5.5 CEOG PSA Standard: Best Estimate ATWS Scenarios and Success Criteria

The CEOG standard is used.

5.6 CEOG PSA Standard: Evaluation of the Mechanical Scram Failure for ATWS Occurrence Frequency

The CEOG standard is used.

5.7 CEOG PSA Standard: Reactor Coolant Pump Seal Failure Probability Given a Loss of Seal Injection

The CEOG standard was used in the development of RCP seal failure probability. Modeling showed that RCP seal failure is not a significant contributor to CDF or LERF under any circumstances. It was subsequently removed from the model.

5.8 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Reactor Vessel Rupture

Reactor vessel rupture is not explicitly modeled in the PVNGS PRA. Its frequency is less than 1E-7/yr, allowing it to be screened. It is not possible to mitigate the event, so modeling it provides no insight. Palo Verde's reactor vessel is less susceptible to brittle fracture due to a lower than typical copper content in the steel alloy used for the vessel.

6 Independent External Reviews

By this date/model revision, there has been no external review of the PRA model to assess the extent it meets the ASME standard and/or Regulatory Guide 1.200. A self-assessment was performed against the ASME standard as modified by RG 1.200 Rev. 1. The results and evaluation of supporting requirements not in compliance was performed. As the various PRA sections and documents are revised, the new revisions have been compared with the reg guide and ASME requirements. For example, revised HRAs are based on the latest revision of the EPRI HRA-Calculator.

  • Combustion Engineering Owners Group performed a review of the overall PRA modeling as part of the industry-wide PRA quality initiative in November 1999. All F&Os are addressed in PRA's Impact Database, as well as by the station's Corrective Action Program (CRDR 113787).

In early 2001 Erin Engineering reviewed all Category A and B Facts and Observations (F&Os) from the CEOG peer review. The results are as follows:

  • Category A - 8 F&Os. 4 were closed and the responses deemed satisfactory. The remaining 4 were later closed.

  • Category B - 26 F&Os. The one remaining open item is lack of flooding analysis.

Figure J: Internal Events LERF Distribution by CTMT Failure / CTMT Bypass / SGTR Failures. [Pie chart] CTMT FAIL - LO PRES / CTMT ISOL FAIL 3.5% / 1.9%; ISLOCA 5.0%; CTMT FAIL - HI PRES 44.0%; SGTR INITIATING EVENT 22.2%; PRES INDUCED SGTR 23.4%.

7 Conclusion

The PVNGS PRA model is currently suitable for risk-informed applications that can support power uprate, license renewal, on-line risk assessments, and other regulatory risk-informed applications.

8 References

1. Station Procedure 70DP-0RA03, PRA Model Control
2. Station Procedure 81DP-4CC03, Engineering Studies
3. Reg. Guide 1.33, Quality Assurance Program Requirements
4. Station Procedure 81DP-0CC05, Design and Technical Document Control
5. Station Procedure 80DP-0CC01, PVNGS Non-process Software QA Program
6. Station Procedure 80DP-0CC02, Non-process Qualified Software Development, Process and Upgrades
7. Station Procedure 80DP-0CC06, Control and Use of Qualified Non-process Software and Data
8. NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995
9. Engineering Study 13-NS-C029, Interim PRA Change Documentation, Rev 15.

Enclosure 3 Internal Events Model Self Assessment Evaluation ENCLOSURE 3 Internal Events Model Self Assessment Evaluation for Tech Spec 3.8.7, Vital AC Inverters Allowed Outage Time Extension Submittal

Internal Events Model Self Assessment Evaluation for Tech Spec 3.8.7 Allowed Outage Time Extension Submittal (Vital AC Inverters)

1 Introduction

A self-assessment was performed on the Palo Verde internal events Probabilistic Risk Assessment (PRA) to evaluate the level of compliance with Reg. Guide 1.200 "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities." This application is determined to be a Category II application, because numerical results for Core Damage Frequency and Large Early Release Frequency are necessary to determine the risk impact of the requested change, and the change is risk-informed, not risk-based. Each of the supporting requirements (SR) that did not meet Category II criteria is listed along with the Assessment of Noncompliance and evaluation that the shortcoming has no material impact on the License Amendment Request for Completion Time extension for one inoperable vital AC inverter.

2 Initiating Events

2.1 Completeness (IE-A)

SR IE-A2: INCLUDE in the spectrum of internal-event challenges considered at least the following general categories:

(a) Transients. INCLUDE among the transients both equipment and human-induced events that disrupt the plant and leave the primary system pressure boundary intact.

(b) LOCAs. INCLUDE in the LOCA category both equipment and human-induced events that disrupt the plant by causing a breach in the core coolant system with a resulting loss of core coolant inventory.

DIFFERENTIATE the LOCA initiators, using a defined rationale for the differentiation. Examples of LOCA types include: (1) Small LOCAs. Examples: reactor coolant pump seal LOCAs, small pipe breaks; (2) Medium LOCAs. Examples: stuck open safety or relief valves; (3) Large LOCAs. Examples: inadvertent ADS, component ruptures; (4) Excessive LOCAs. (LOCAs that cannot be mitigated by any combination of engineered systems). Example: reactor pressure vessel rupture; (5) LOCAs Outside Containment. Example: primary system pipe breaks outside containment (BWRs)

(c) SGTRs. INCLUDE spontaneous rupture of a steam generator tube (PWRs)

(d) ISLOCAs. INCLUDE postulated events in systems interfacing with the reactor coolant system that could fail or be operated in such a manner as to result in an uncontrolled loss of core coolant outside the containment [e.g., interfacing systems LOCAs (ISLOCAs)].

(e) Special initiators (e.g., support systems failures, instrument line breaks).

(f) Internal flooding initiators (see IF-D1).

IE-A2: There is no internal flood model. All compartments screened out in the Individual Plant Evaluation (IPE).

Evaluation: See section on Internal Floods.

SR IE-A5: In the identification of the initiating events, INCORPORATE

(a) events that have occurred at conditions other than at-power operation (i.e., during low-power or shutdown conditions), and for which it is determined that the event could also occur during at-power operation.

(b) events resulting in a controlled shutdown that includes a scram prior to reaching low-power conditions, unless it is determined that an event is not applicable to at-power operation.

IE-A5: Only at-power conditions were considered for initiators.

Evaluation: PRA model cross-comparisons were performed by CEOG. No shutdown IEs were identified as lacking in the PVNGS model. Also, there were no peer review F&Os on this issue. Any missed IEs are extremely unlikely to have a significant impact on the results.

SR IE-A6: INTERVIEW plant personnel (e.g., operations, maintenance, engineering, safety analysis) to determine if potential initiating events have been overlooked.

IE-A6: There is no evidence that interviews were conducted in searching for initiators.

Evaluation: CE System-80 specific initiating events were identified in 13-NS-B060. These PVNGS-specific initiators were identified through extensive input from System Engineering and Operations personnel. The documentation of that input may be insufficient. As noted in IE-A3 above, this issue was not identified in the peer review, nor would missing IEs be of such magnitude as to affect importance of either the inverters or backup voltage regulators.

2.2 Frequency Estimation (IE-C)

SR IE-C4: USE as screening criteria no higher than the following characteristics (or more stringent characteristics as devised by the analyst) to eliminate initiating events or groups from further evaluation:

(a) the frequency of the event is less than 1E-7 per reactor-year (/ry) and the event does not involve an ISLOCA, containment bypass, or reactor pressure vessel rupture

(b) the frequency of the event is less than 1E-6/ry and core damage could not occur unless at least two trains of mitigating systems are failed independent of the initiator, or

(c) the resulting reactor shutdown is not an immediate occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions, with a high degree of certainty (based on supporting calculations), are detected and corrected before normal plant operation is curtailed (either administratively or automatically).

If either criterion (a) or (b) above is used, then CONFIRM that the value specified in the criterion meets the applicable requirements in the Data Analysis section (para. 4.5.6) and the Level 1 Quantification section (para. 4.5.8).

IE-C4: Reactor vessel rupture is not modeled, and some Interfacing System Loss of Coolant Accidents (ISLOCAs) are not screened using the proper criterion (although they would screen out).

Evaluation: Reactor vessel rupture was analyzed. It was concluded that it contributes less than 1E-7/yr to CDF, representing less than 1 percent of total CDF. Modeling it does not provide any risk insights, since this event cannot be mitigated. For Large Early Release Frequency (LERF) determination, reactor vessel rupture would be binned in PDS3 "NON-SBO, RCS @ HIGH PRESSURE". Per NUREG/CR-6595 "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events", the conditional LERF would be 0.1 or less, thus reducing the LERF contribution to less than 1E-8/yr. Therefore, there is no impact on the vital AC inverter LAR submittal.

2.3 Documentation (IE-D)

SR IE-D2: DOCUMENT the processes used to select, group, and screen the initiating events and to model and quantify the initiating event frequencies, including the inputs, methods, and results. For example, this documentation typically includes:

(a) the functional categories considered and the specific initiating events included in each
(b) the systematic search for plant-unique and plant-specific support system initiators
(c) the systematic search for RCS pressure boundary failures and interfacing system LOCAs
(d) the approach for assessing completeness and consistency of initiating events with plant-specific experience, industry experience, other comparable PRAs and FSAR initiating events
(e) the basis for screening out initiating events
(f) the basis for grouping and subsuming initiating events
(g) the dismissal of any observed initiating events, including any credit for recovery
(h) the derivation of the initiating event frequencies and the recoveries used
(i) the approach to quantification of each initiating event frequency
(j) the justification for exclusion of any data

IE-D2: Documentation of a process for systematic searches of ISLOCAs and for assessing the completeness and consistency of IEs is lacking.

Evaluation: ISLOCAs were evaluated, so some process was evidently used, but not specifically documented. Internal reviews, peer reviews and other PRA applications have not identified any oversights in consideration of ISLOCAs.

SR IE-D3: DOCUMENT the key assumptions and key sources of uncertainty with the initiating event analysis.

IE-D3: Documentation of assumptions and uncertainties is lacking.

Evaluation: Many assumptions are documented in the Risk Spectrum database [the PVNGS PRA Model software], as well as the individual system studies, although their completeness is not assured.

Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. Regarding uncertainties, each initiator was reported as Mean Value and Error Factor (consistent with NUREG/CR-5750 "Rates of Initiating Events at U.S. Nuclear Power Plants").

The Error Factor value for some initiators was used to support PVNGS applications to the NRC.

3 Accident Sequences

3.1 Documentation (AS-C)

SR AS-C1: DOCUMENT the accident sequence analysis in a manner that facilitates PRA applications, upgrades, and peer review.

AS-C1: There is no current engineering study to provide the information in a format that facilitates review. The information in memos inside the Risk Spectrum database contains the necessary information.

Evaluation: The existing memos in the database provide the needed information for an analyst familiar with it to judge its acceptability. No impact on the vital AC application.

SR AS-C2: DOCUMENT the processes used to develop accident sequences and treat dependencies in accident sequences, including the inputs, methods, and results. For example, this documentation typically includes:

(a) the linkage between the modeled initiating event in the Initiating Event Analysis section and the accident sequence model;
(b) the success criteria established for each modeled initiating event including the bases for the criteria (i.e., the system capacities required to mitigate the accident and the necessary components required to achieve these capacities);
(c) a description of the accident progression for each sequence or group of similar sequences (i.e., descriptions of the sequence timing, applicable procedural guidance, expected environmental or phenomenological impacts, dependencies between systems and operator actions, end states, and other pertinent information required to fully establish the sequence of events);
(d) the operator actions reflected in the event trees, and the sequence-specific timing and dependencies that are traceable to the HRA for these actions;
(e) the interface of the accident sequence models with plant damage states;
(f) [when sequences are modeled using a single top event fault tree] the manner in which the requirements for accident sequence analysis have been satisfied.

AS-C2: No process is documented for linking initiating events with the accident sequence development, or for ascribing success criteria.

Evaluation: Development of the accident sequences along with success criteria application indicates that a process was followed; however, it was not spelled out. No inappropriate sequence development or success criteria have been identified in internal reviews, peer reviews or in the course of pursuing other PRA applications.

SR AS-C3: DOCUMENT the key assumptions and key sources of uncertainty associated with the accident sequence analysis.

AS-C3: Same deficiency noted in AS-C1 for assumptions. Sources of uncertainty are not documented.

Evaluation: Many assumptions, which may lead to sources of uncertainty, are documented in the Risk Spectrum database, as well as the individual system studies, although their completeness is not assured.

Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

4 Success Criteria

4.1 Documentation (SC-C)

SR SC-C2: DOCUMENT the processes used to develop overall PRA success criteria and the supporting engineering bases, including the inputs, methods, and results. For example, this documentation typically includes:

(a) the definition of core damage used in the PRA including the bases for any selected parameter value used in the definition (e.g., peak cladding temperature or reactor vessel level)
(b) calculations (generic and plant-specific) or other references used to establish success criteria, and identification of cases for which they are used
(c) identification of computer codes or other methods used to establish plant-specific success criteria
(d) a description of the limitations (e.g., potential conservatisms or limitations that could challenge the applicability of computer models in certain cases) of the calculations or codes
(e) the uses of expert judgment within the PRA, and rationale for such uses
(f) a summary of success criteria for the available mitigating systems and human actions for each accident initiating group modeled in the PRA
(g) the basis for establishing the time available for human actions
(h) descriptions of processes used to define success criteria for grouped initiating events or accident sequences

SC-C2: No basis for the definition of core damage used is provided. Also, no process is defined for success criteria applied to grouped initiators.

Evaluation: Although PVNGS uses the generalized definition of Core Damage as "Sustained uncovery of any portion of the active fuel", onset of core damage is specifically defined in 13-NS-B065 "At-Power PRA MAAP 4.0.4 Analysis" as MAAP variable TCRHOT "Hottest Core Node Temperature" greater than 2200F, when the cladding begins to relocate. Success criteria are seldom linked to actual core damage (which begins about 0.5 hour after beginning of core uncovery). This provides a conservative time estimate to support mitigating system recovery or HRA timing analyses.

MAAP simulations have consistently indicated core damage initiating after TCRHOT > 2200F. From SC-A1, for core damage, PVNGS uses "Sustained uncovery of any portion of the active fuel." However, where MAAP is used, it has become a common standard for MAAP users to link the beginning of core damage to variable TCRHOT "Hottest Core Node Temperature" greater than 2200F, when the cladding begins to relocate. Success criteria are seldom linked to actual core damage (which begins about 0.5 hour after beginning of core uncovery). From the time that TCRHOT approaches 2200 F, the operators would feel the threat of losing control and become highly stressed. Their error rate should then be multiplied by 5. Hence, if we set the success criteria up to core damage, we would be invalidating many of the HRAs in the model. MAAP runs shown on the screen would always show core damage coming after TCRHOT > 2200F. In other words, there is no compelling need to define core damage, since it is not really used.

Regarding a process not defined for success criteria applied to grouped initiators, it is clear a process was used, but not written down. The major basis for grouping IEs is that plant behavior is similar, which directly implies similar success criteria.

SR SC-C3: DOCUMENT the key assumptions and key sources of uncertainty associated with the development of success criteria.

SC-C3: Sources of uncertainty are not addressed.

Evaluation: Many assumptions, which may lead to sources of uncertainty, are documented in the Risk Spectrum database, as well as the individual system studies, although their completeness is not assured.

Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

5 Systems Analysis

5.1 Completeness (SY-A)

SR SY-A4: PERFORM plant walkdowns and interviews with system engineers and plant operators to confirm that the systems analysis correctly reflects the as-built, as-operated plant.

SY-A4: Walkdowns and interviews either were not conducted or not documented.

Evaluation: Although not documented, system engineers reviewed the fault tree modeling for their systems and provided comments and input to the PRA analysts. The PRA analysts were also knowledgeable in plant layout and operations, both normal and emergency.

5.2 Documentation (SY-C)

SR SY-C1: DOCUMENT the systems analysis in a manner that facilitates PRA applications, upgrades, and peer review.

SY-C1: System studies have not been updated for several revisions of the model. Although the memos in Risk Spectrum are maintained current and are linked to the appropriate parameter, this cannot be said to facilitate applications, upgrades and reviews.

Evaluation: Changes are captured in impacts contained in 13-NS-C029. While this makes review difficult, it is still possible. Furthermore, system boundaries, functions and success criteria have been further defined for Maintenance Rule documentation and compliance. No actual shortcomings that would impact this application have been discovered internally or through peer reviews.

SR SY-C2: DOCUMENT the system functions and boundary, the associated success criteria, the modeled components and failure modes including human actions, and a description of modeled dependencies including support system and common cause failures, including the inputs, methods, and results. For example, this documentation typically includes:

(a) system function and operation under normal and emergency operations
(b) system model boundary
(c) system schematic illustrating all equipment and components necessary for system operation
(d) information and calculations to support equipment operability considerations and assumptions
(e) actual operational history indicating any past problems in the system operation
(f) system success criteria and relationship to accident sequence models
(g) human actions necessary for operation of system
(h) reference to system-related test and maintenance procedures
(i) system dependencies and shared component interface
(j) component spatial information
(k) assumptions or simplifications made in development of the system models
(l) the components and failure modes included in the model and justification for any exclusion of components and failure modes
(m) a description of the modularization process (if used)
(n) records of resolution of logic loops developed during fault tree linking (if used)
(o) results of the system model evaluations
(p) results of sensitivity studies (if used)
(q) the sources of the above information (e.g., completed checklist from walkdowns, notes from discussions with plant personnel)
(r) basic events in the system fault trees so that they are traceable to modules and to cutsets.
(s) the nomenclature used in the system models.

SY-C2: Several of the required elements of this SR are missing or incomplete, even in memos in the Risk Spectrum database.

Evaluation: Elements of this SR are addressed in various locations. What is missing is a single concise document that captures all of the elements.

SR SY-C3: DOCUMENT the key assumptions and key sources of uncertainty associated with the systems analysis.

SY-C3: Documentation of assumptions is in the form of memos within Risk Spectrum, which does not afford ease of review. Assumptions are incomplete. Sources of uncertainty are not addressed.

Evaluation: Many assumptions, which may lead to sources of uncertainty, are documented in the Risk Spectrum database, as well as the individual system studies, although their completeness is not assured.

Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

6 Internal Flooding

All SRs: There is no internal flood model; no supporting requirements are met.

Evaluation: A screening process was used to comply with GL88-20, "Individual Plant Examination of External Events for Severe Accident Vulnerabilities". All compartments screened out. The highly compartmentalized design of the plant reduces the likelihood of flooding affecting more than one train of mitigating equipment. Work is currently underway to perform a flood PRA. To date, no information that contradicts the IPE has been identified. PVNGS design is post-1975 when flooding issues were generically identified and incorporated into design. CDF contribution of internal flooding is expected to be minimal. The equipment of importance for the vital AC application is not located in areas of the plant where a significant flood initiator could occur.

7 Quantification

7.1 Core Damage Frequency Quantification (QU-A)

SR QU-A2b: ESTIMATE the mean CDF from internal events, accounting for the "state-of-knowledge" correlation between event probabilities when significant.

QU-A2b: State of knowledge correlation is neither discussed nor accounted for.

Evaluation: The theory behind state-of-knowledge correlation was established in a research paper in 1981. The main principle is that the product of two failure probabilities for some basic events in the same cutset may be smaller than the combined probability that would be estimated by means of Monte Carlo trials. The component and human error failure data reported in the early 1980s, such as the NUREG/CR-1278 "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications" human failure data, were characterized as "best estimates". The PVNGS PRA model treated these older failure data as median values from a log-normal distribution and converted the data into mean values for CDF and LERF quantifications. The conversion into mean values adequately compensates for any shortcoming in the state-of-knowledge correlation.
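The following added illustration (not part of the submittal and not PVNGS model code) works through the two effects named in this evaluation for a two-event cutset: the median-to-mean conversion of a log-normal parameter, and the state-of-knowledge correlation that arises when both basic events draw on the same uncertain parameter. It assumes the common PRA convention that the error factor is the ratio of the 95th percentile to the median; the median of 1E-3 and error factor of 3 are constructed values.

```python
"""State-of-knowledge correlation for a two-event cutset (constructed values)."""
import math
import random

Z95 = 1.6449  # 95th percentile of the standard normal distribution


def sigma_from_error_factor(ef):
    """Log-normal sigma for an error factor EF = 95th percentile / median."""
    return math.log(ef) / Z95


def mean_from_median(median, ef):
    """Convert a log-normal median ('best estimate') into its mean value."""
    s = sigma_from_error_factor(ef)
    return median * math.exp(s * s / 2.0)


def cutset_mean_independent(median, ef):
    """Mean of A*B when A and B are uncertain independently: E[A] * E[B]."""
    return mean_from_median(median, ef) ** 2


def cutset_mean_correlated(median, ef):
    """Mean of A*B when both events share one uncertain parameter (A == B).

    For a log-normal X, E[X^2] = median^2 * exp(2*sigma^2), which exceeds
    E[X]^2 by the factor exp(sigma^2).
    """
    s = sigma_from_error_factor(ef)
    return median ** 2 * math.exp(2.0 * s * s)


def monte_carlo_cutset_mean(median, ef, correlated, trials=200_000, seed=1):
    """Estimate E[A*B] by sampling; one shared draw per trial if correlated."""
    rng = random.Random(seed)
    mu, s = math.log(median), sigma_from_error_factor(ef)
    total = 0.0
    for _ in range(trials):
        a = rng.lognormvariate(mu, s)
        b = a if correlated else rng.lognormvariate(mu, s)
        total += a * b
    return total / trials


def summarize(median=1.0e-3, ef=3.0):
    """Compare the cutset estimates for one constructed parameter."""
    return {
        "median_product": median * median,
        "mean_product_independent": cutset_mean_independent(median, ef),
        "mean_product_correlated": cutset_mean_correlated(median, ef),
        "mc_independent": monte_carlo_cutset_mean(median, ef, False),
        "mc_correlated": monte_carlo_cutset_mean(median, ef, True),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:28s} {value:.3e}")
```

The ratio between the correlated and independent results is exp(sigma^2), so it grows with the error factor assigned to the shared parameter.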

7.2 Results Analyses (QU-D)

SR QU-D3: COMPARE results to those from similar plants and IDENTIFY causes for significant differences. For example: Why is LOCA a large contributor for one plant and not another?

QU-D3: No recent comparison to similar plants' results is documented, although the owners group did perform this comparison several years ago. Resources to compare current plants' results are not available.

Evaluation: Significant changes to the PRA model that impacted CDF and LERF have been introduced by means of common industry initiatives (such as Westinghouse's LERF guidance, and EPRI HRA Calculator applications) with input from a variety of plants. Other changes (such as Common Cause Failures) were introduced as a result of NRC and/or EPRI initiatives. This type of PRA model evolution improves and preserves consistency between PRA models.

7.3 Uncertainty Characterization (QU-E)

SR QU-E1: IDENTIFY key sources of model uncertainty.

QU-E1: Sources of uncertainty are not provided.

Evaluation: All failure data used in the PRA model includes the upper bound values (95th percentiles).

Risk-informed applications to the NRC, including the vital AC inverter completion time extension, include sensitivity analyses with the most relevant failure data used at their upper bound values.

SR QU-E2: IDENTIFY key assumptions made in the development of the PRA model.

QU-E2: There is no systematic approach to ensure completeness of the assumptions used in development of the model.

Evaluation: The model assumptions were peer reviewed and validated internally. The documentation of completeness may be improved. Assumptions not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

SR QU-E3: ESTIMATE the uncertainty interval of the overall CDF results. ESTIMATE the uncertainty intervals associated with parameter uncertainties (DA-D3, HR-D6, HR-G9, IE-C13), taking into account the "state-of-knowledge" correlation.

QU-E3: Uncertainty is not quantified.

Evaluation: All failure data used in the PRA model includes the upper bound values (95th percentiles).

Applications to the NRC that contain risk support, including that for the vital AC inverter Completion Time extension, include risk assessments with the most relevant failure data used at their upper bound values.

SR QU-E4: EVALUATE the sensitivity of the results to key model uncertainties and key assumptions using sensitivity analyses.

QU-E4: No sensitivity on assumptions and uncertainties has been done.

Evaluation: Several sensitivity analyses were done to support the vital AC inverter completion time extension application.

7.4 Documentation (QU-F)

SR QU-F1: DOCUMENT the model quantification in a manner that facilitates PRA applications, upgrades, and peer review.

QU-F1: Shortcomings identified in assumptions and uncertainties do not allow proper documentation of them.

Evaluation: Many assumptions, which may lead to sources of uncertainty, are documented in the Risk Spectrum database, as well as the individual system studies, although their completeness is not assured.

Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

SR QU-F2: DOCUMENT the model integration process, including any recovery analysis, and the results of the quantification including uncertainty and sensitivity analyses. For example, documentation typically includes

(a) records of the process/results when adding non-recovery terms as part of the final quantification
(b) records of the cutset review process
(c) a general description of the quantification process including accounting for systems successes, the truncation values used, how recovery and post-initiator HFEs are applied
(d) the process and results for establishing the truncation screening values for final quantification demonstrating that convergence towards a stable result was achieved
(e) the total plant CDF and contributions from the different initiating events and accident classes
(f) the accident sequences and their contributing cutsets
(g) equipment or human actions that are the key factors in causing the accidents to be non-dominant
(h) the results of all sensitivity studies
(i) the uncertainty distribution for the total CDF
(j) importance measure results
(k) a list of mutually exclusive events eliminated from the resulting cutsets and their bases for elimination
(l) asymmetries in quantitative modeling to provide application users the necessary understanding regarding why such asymmetries are present in the model
(m) the process used to illustrate the computer code(s) used to perform the quantification will yield correct results process

QU-F2: The review process is not documented; factors in causing accidents to be non-dominant are not discussed; sensitivity and uncertainty analyses are not performed; a list of mutually exclusive events eliminated from the resulting cutsets and their bases for elimination is not provided.

Evaluation: While there is no procedural guidance regarding review, reviews are conducted for each model update. Several of these requirements are discussed in other areas, such as sequence analysis and initiating events. Lack of sensitivity and uncertainty analyses are addressed elsewhere in this document.

Lack of this documentation is not expected to have any significant impact on the results of the PRA in general, nor specifically to the vital AC inverter LAR.

SR QU-F4: DOCUMENT key assumptions and key sources of uncertainty, such as: possible optimistic or conservative success criteria, suitability of the reliability data, possible modeling uncertainties (modeling limitations due to the method selected), degree of completeness in the selection of initiating events, possible spatial dependencies, etc.

QU-F4: The impact of assumptions and uncertainties on the results is not documented.

Evaluation: See QU-F2 above.

SR QU-F5: DOCUMENT limitations in the quantification process that would impact applications.

QU-F5: Limitations in the quantification process are not discussed.

Evaluation: No limitations in the quantification process are known.

SR QU-F6: DOCUMENT the quantitative definition used for significant basic event, significant cutset, significant accident sequence. If other than the definition used in Section 2, JUSTIFY the alternative.

QU-F6: No quantitative definition of "significant" is provided.

Evaluation: Importance analysis is performed on basic events, where the typical Risk Achievement Worth (RAW) and Fussell-Vesely cut-off values of 2.0 and 5E-3, respectively, are applied. Those results, along with top cutsets, are provided and discussed in the quantification results study, 13-NS-C029.

8 LERF Analysis

8.1 Accident Progression Analysis Sequence Delineation (LE-C)

SR LE-C2a: INCLUDE realistic treatment of feasible operator actions following the onset of core damage consistent with applicable procedures, e.g., EOPs/SAMGs, proceduralized actions, or Technical Support Center guidance.

LE-C2a: The lack of operator action credit may have resulted in unnecessary conservatism.

Evaluation: Feasible operator actions up to the time of beginning of core uncovery were introduced in the PRA Level I analysis. The time between beginning of core uncovery and onset of core damage (Tcorehot>2200 F) is approximately 0.5 hours. This added time provides the operators with opportunities to reflood the core. However, no reflood credit was taken. It is likely to be a small credit with relatively high uncertainty. Once the core begins to uncover, the Main Control Room operators' stress level would be increased to "extreme" status. This, in turn, would lead to a much higher error rate. Thus, the expected benefit of a lowered LERF value is considered too small and does not significantly impact this Inverter AOT application.

SR LE-C2b: REVIEW significant accident progression sequences resulting in a large early release to determine if repair of equipment can be credited. JUSTIFY credit given for repair [i.e., ensure that plant conditions do not preclude repair and actuarial data exists from which to estimate the repair failure probability (see SY-A22, DA-C14, and DA-D8)]. AC power recovery based on generic data applicable to the plant is acceptable.

LE-C2b: This Cat II SR was not part of PVNGS LERF described in 13-NS-C040 Rev. 5. PRA engineering operated with the understanding that HRAs cannot be used to credit equipment repairs.

Evaluation: PVNGS design of RCP seal and strong containment structure resulted in relatively low LERF estimate. Additional credits from potential equipment repair after core damage are not expected to significantly lower the estimated LERF value.

SR LE-C8b: REVIEW significant accident progression sequences resulting in a large early release to determine if engineering analyses can support continued equipment operation or operator actions during accident progression that could reduce LERF. USE conservative or a combination of conservative and realistic treatment for non-significant accident progression sequences.

LE-C8b: No equipment review was done.

Evaluation: PVNGS design of RCP seal and strong containment structure resulted in relatively low LERF estimate. Additional credits from engineering justifications of equipment operability during accident progression are not expected to significantly lower the estimated LERF value.

SR LE-C9b: REVIEW significant accident progression sequences resulting in a large early release to determine if engineering analyses can support continued equipment operation or operator actions after containment failure that could reduce LERF. USE conservative or a combination of conservative and realistic treatment for non-significant accident progression sequences.

LE-C9b: No such LERF review was done.

Evaluation: PVNGS design of RCP seal and strong containment structure resulted in relatively low LERF estimate. Additional credits from engineering justifications of equipment operability after containment failure are not expected to significantly lower the estimated LERF value.

SR LE-C10: PERFORM a containment bypass analysis in a realistic manner. JUSTIFY any credit taken for scrubbing (i.e., provide an engineering basis for the decontamination factor used).

LE-C10b: The engineering basis for decontamination factor was not provided.

Evaluation: Upon a SGTR event, reactor operators are required to flood the SGs in order to achieve release scrubbing. Addition of an engineering basis for decontamination will not impact the LERF value from bypass events. No impact on this inverter AOT application.

8.2 Containment Structural Capacity And Bypass Analysis (LE-D)

SR LE-D4: PERFORM a realistic secondary side isolation capability analysis for the significant accident progression sequences caused by SG tube release. USE a conservative or a combination of conservative and realistic evaluation of secondary side isolation capability for non-significant accident progression sequences resulting in a large early release. JUSTIFY applicability to the plant being evaluated.

Analyses may consider realistic comparison with similar isolation capability in similar containment designs.

LE-D4: Should a SGTR event lead to core damage (i.e. remain unisolated in level 1), LERF analysis continues to assume "unisolated" without adding any human actions to isolate.

Evaluation: The PVNGS LERF analysis did not credit operator actions to isolate the broken steam generator after core damage has occurred. The LERF value for PVNGS is relatively low and warrants no further credits (that have high uncertainties). No negative impact on this vital AC inverter application.

SR LE-D5: PERFORM an analysis of thermally-induced SG tube rupture that includes plant-specific procedures and design features and conditions that could impact tube failure. An acceptable approach is one that arrives at a plant-specific split fraction by selecting the SG tube conditional failure probabilities based on NUREG-1570 [Note (3)] or similar evaluation for induced SG failure of similarly designed SGs and loop piping. SELECT failure probabilities based on (a) RCS and SG post-accident conditions sufficient to describe the important risk outcomes; (b) secondary side conditions including plant-specific treatment of MSSV and ADV failures. JUSTIFY key assumptions and selection of key inputs. An acceptable justification can be obtained by the extrapolation of the information in NUREG-1570 to obtain plant-specific models, use of reasonably bounding assumptions, or performance of sensitivity studies indicating low sensitivity to changes in the range in question.

LE-D5: SGTR data was used from NUREG-1150 for split fraction for Induced-SGTR.

Evaluation: The split fractions used for Induced SGTR are conservative. This conservatism was later validated by Westinghouse analysis in WCAP 16431. No negative impact on the vital AC inverter application.

8.3 Results Review And Characterization (LE-F)

SR LE-F2: PROVIDE uncertainty analysis that identifies the key sources of uncertainty and includes sensitivity studies for the significant contributors to LERF.

LE-F2: No documentation that shows sensitivity analyses done on significant LERF contributors.

Evaluation: Application-specific uncertainty analyses are provided with each licensing application submittal, as appropriate (section 3.4 of the vital AC inverter submittal). There is no negative impact on containment performance regarding the vital AC inverter Completion Time extension submittal.

SR LE-F3: IDENTIFY contributors to LERF and characterize LERF uncertainties consistent with the applicable requirements of Tables 4.5.8-2(d) and 4.5.8-2(e).

NOTE: The supporting requirements in these tables are written in CDF language. Under this requirement, the applicable requirements of Table 4.5.8 should be interpreted based on LERF, including characterizing key modeling uncertainties associated with the applicable contributors from Table 4.5.9-3.

For example, supporting requirement QU-D5 addresses the significant contributors to CDF. Under this requirement, the contributors would be identified based on their contribution to LERF.

LE-F3: Contributors to LERF were identified. The uncertainties were not developed.

Evaluation: Contributors to LERF were properly identified. Application-specific uncertainty analyses are provided with each licensing application submittal, as appropriate (section 4.3 of the inverter AOT risk support submittal). There is no negative impact on containment performance regarding the vital AC inverter Completion Time extension submittal.

8.4 Documentation (LE-G)

SR LE-G4: DOCUMENT key assumptions and key sources of uncertainty associated with the LERF analysis, including results and important insights from sensitivity studies.

LE-G4: No such documentation. Key assumptions and limitations were not identified.

Evaluation: Many assumptions, which may lead to sources of uncertainty, are documented in the Risk Spectrum database, as well as the individual system studies, although their completeness is not assured. Assumptions and uncertainties not documented would have to have a very large impact to significantly affect this application. None has been identified internally, by peer reviews, or in the course of pursuing other PRA applications.

SR LE-G5: IDENTIFY limitations in the LERF analysis that would impact applications.

LE-G5: Limitations in LERF analysis were not identified.

Evaluation: Although limitations were not identified within the LERF analysis, the existing LERF model is clearly adequate for this application for the vital AC inverter Completion Time extension.

ENCLOSURE 4

Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding Clinton Power Station Request for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter

By letters dated April 18, 2005, and October 11, 2005, AmerGen Energy Company, LLC transmitted responses to two Nuclear Regulatory Commission (NRC) requests for additional information (RAIs) to support the Staff's review of a proposed change to the Clinton Power Station Technical Specification (TS) 3.8.7, "Inverters - Operating." Similar to the amendment requested herein for Palo Verde Nuclear Generating Station (PVNGS), the Clinton Power Station change was to revise TS Required Action A.1 to extend the Completion Time for restoration of an inoperable inverter from 24 hours to 7 days.[1] The two NRC RAIs for the Clinton Power Station TS change encompassed 14 question areas. To facilitate the NRC's review of the amendment proposed herein, APS has prepared a response to each of these 14 RAI question areas, to the extent they may be pertinent in supporting the similar change to PVNGS TS 3.8.7. The APS response to each RAI question area includes, as appropriate, reference to the section(s) of this license amendment request and/or supporting analyses that incorporate the issue(s) raised in the question.

RAI Question 1

During an extended inverter allowed outage time (AOT), the instrument bus would be powered from the constant voltage transformer. In the event of loss of offsite power (LOOP), the power supply to the instrumentation bus would be dependent upon the emergency diesel generator. As a result, entry into extended AOT concurrent with an EDG routine maintenance could have an impact on plant safety leaving the instrument bus without power. In addition, an entry into the extended inverter AOT, concurrent with planned maintenance on another reactor protection system (RPS)/engineered safety feature actuation system (ESFAS) channel, could potentially result in that channel being in a tripped condition. Provide compensatory measures that would be taken before and during the time the instrument bus inverter is removed for an extended outage. For any compensatory measure proposed, identify how these actions will be documented and controlled at the facility.

APS Response to RAI Question 1

PVNGS performs an assessment of the overall risk of planned maintenance activities on plant safety, including benefits to reliability and performance, prior to scheduled work. This assessment is performed in accordance with procedure 70DP-ORA05, "Assessment of Risk Due to Maintenance When in Modes 1 and 2," and ensures that the risk impact of equipment out of service is appropriately evaluated prior to performing any maintenance activity. This process includes provisions for performing a configuration-dependent assessment of the overall impact of risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service. Risk is re-evaluated if equipment failure/malfunction or emergent conditions produce a plant configuration that has not been previously assessed.

[1] Clinton Power Station, Amendment No. 174 issued by NRC letter dated May 26, 2006 (Agencywide Documents Access and Management System [ADAMS] Accession No. ML061160210).

The planned outage risk assessment includes the following considerations:

  • Maintenance activities that affect redundant and diverse SSCs that provide backup for the same function are minimized.
  • The potential for planned activities to cause a plant transient is reviewed, and work on SSCs that would be required to mitigate the transient is avoided.
  • Work is not scheduled that has a potential to exceed a Technical Specification Completion Time requiring a plant shutdown. Planning for on-line equipment outages typically provides for a 100 percent contingency time within the Technical Specification Completion time.
  • As a final check, a quantitative risk assessment is performed to ensure that the activity does not pose an unacceptable risk. This evaluation is performed using the Level 1 and 2 PRA model. The results of the risk assessment are classified by a color code based on the increased risk of the activity as described in Enclosure 1.

In addition, specific compensatory measures will be implemented for planned activities that will render a vital AC inverter inoperable. These compensatory measures will be added to the TS Bases for TS 3.8.7. As shown in Attachment 3 to Enclosure 1, these specific compensatory measures include the following:

"Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Maintenance on the associated train Diesel Generator (DG); or
b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event."

RAI Question 2

As stated in Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decision Making Technical Specifications," a Technical Specification (TS) change may be requested to reduce the unnecessary burdens in complying with current TS requirements, based on operating history of the plant or industry in general. Please provide maintenance (e.g., time to repair) and operating (e.g., constant voltage transformer and inverter failure rates) data for the extended outage.

APS Response to RAI Question 2

Recent experience both at PVNGS and at other nuclear power plants has shown that the current 24-hour Completion Time for restoration of an inoperable vital AC inverter is insufficient in certain instances to support on-line troubleshooting, corrective maintenance, and post-maintenance testing while the unit is at power.

Specifically, since May 2005, PVNGS has experienced six (6) instances involving the unexpected failure of a vital AC inverter. In four (4) of these instances, the ability to complete repairs and restore the affected inverter within the 24-hour Completion Time became uncertain, to the extent that site management considered a request for Notice of Enforcement Discretion (NOED). In two of these four instances, the time required to complete the repair exceeded the 24-hour Completion Time; accordingly, the unit entered Condition B of TS 3.8.7, which requires the unit transition to Mode 3 in 6 hours and Mode 5 in 36 hours (Reference 6.33). With preparations being made for unit shutdown, the shutdowns were narrowly avoided when the necessary corrective repairs were completed and the inverter restored to operable status shortly before initiating power reductions.

Repair actions have included replacement of capacitors, metal oxide varistors (MOVs), silicon controlled rectifiers (SCRs), and voltage regulators that have been susceptible to age-related degradation, along with instances of solder problems. These problems have all been managed through corrective maintenance actions and the inverters are in Maintenance Rule category (a)(2), based on historical data that the vital AC inverters are meeting established performance criteria.

Based on PVNGS historical data, the failure rate of the vital AC inverters is 5.5e-5/hr, and the failure rate of the backup constant voltage regulator is 7.11e-6/hr. Using a mission time for both components of 24 hours, the failure probability, which is the product of the failure rate and mission time, is 1.3e-3 for the inverters and 1.7e-4 for the voltage regulators.

RAI Question 3

Page 11 of Attachment 1 presents the Tier 2 assessment. The Tier 2 assessment is limited to a qualitative statement that there is reasonable assurance that risk-significant equipment configurations will not occur with equipment out of service consistent with the proposed TS changes. The referenced CRMP program is more appropriately designated as a Tier 3 program that ensures that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. Provide a Tier 2 assessment and discuss the conclusions consistent with the guidance of Regulatory Guide 1.177. Include any compensatory measures, TS changes or procedures to be implemented based on the Tier 1 and Tier 2 evaluations as discussed below.

Page [5 of 20] of the submittal discusses the impact on the plant when alternate power is supplying a Class 1E Vital AC bus. With the alternate supply and an inoperable inverter, a Loss-of-offsite power event would cause a momentary loss of power to a Class 1E Vital AC bus until the associated diesel generator re-energizes the bus. The submittal states that there are no adverse impacts, because no additional instrument channels in the opposite train, nor the second channel in the same train, are expected to be inoperable (except for routine maintenance).

Section 4.3 of Attachment 4, ["Technical Evaluation of Extending Division 1 and 2 Inverter Completion Time (CT)," Revision 1, dated August 8, 2004] states that certain additional items could be included in work planning to minimize any incremental risk. The additional items are identified in the submittal and are shown below.

  • Evaluate simultaneous switchyard maintenance and reliability.
  • Evaluate concurrent maintenance or inoperable status of any of the remaining three instrument bus inverters for the unit.
  • Evaluate simultaneous emergency diesel generator maintenance.
  • Perform simultaneous with [RCIC] work window to minimize overall integrated risk.

In addition, see [Attachment 1, page 5, first paragraph of the amendment. Also see Attachment 4, section 7.3.1] which presents additional risk insights as follows.

  • The Division 1 diesel generator availability during inverter A on-line maintenance is critical to minimizing the configuration specific risk.
  • The offsite power availability is critical to minimizing the configuration specific risk.

Also, [Attachment 4, Section 3.4, page 3-6 states that major overhauls of the inverter online within the extended CT will only occur at most once per inverter per fuel cycle.]

Section 3.4 goes on to state that compensatory measures are included in the proposed plans. However, Attachment 4, Section 3.4 does not list or discuss these compensatory measures.

Discuss any compensatory measures to limit DG or opposite train surveillance during inverter maintenance including the conditions/limitations and/or regulatory commitments that are expected to be implemented as part of the Division 1 and 2 extended CT [NSPS] inverter request.

APS Response to RAI Question 3

Major overhauls are not anticipated at Palo Verde; only sufficient repair to restore operability. An estimate of two entries per year on each of the four inverters was used in the calculations, which is believed to be very conservative.

The very low importance of the equipment powered from the Vital AC buses does not warrant specific compensatory actions. However, to preserve defense-in-depth for use of the Atmospheric Dump Valves and capability to align Shutdown Cooling, unavailability of the Diesel Generators and other electrical equipment supplying either the normal inverters for the other three channels, or the back-up Class 1E voltage regulators for any of the four channels, should be avoided.

RAI Question 4

[Attachment 1, page 11] discusses the Tier 3 program and states that for planned maintenance activities the assessment of the overall risk of the activity includes benefits to system reliability and performance. Provide a discussion on the applicability of including system reliability and performance benefits in the Tier 3 assessment.

APS Response to RAI Question 4

The inverters do not normally require planned maintenance resulting in unavailability. Unavailability results from failures.

RAI Question 5

Provide a description of the program for updating and the maintenance of the CPS PRA referencing the appropriate procedures/instructions.

APS Response to RAI Question 5

The PVNGS program for maintaining the PRA model includes periodic reviews of facility modifications and periodic updating of the PRA model to reflect facility changes, as described in Enclosure 2 to this submittal.

RAI Question 6

The submittal states that a spare inverter was obtained in 2001 to allow expedited replacement should an inverter fail in service. Describe preventive maintenance and/or storage practices that ensure the continued viability that the spare inverter is an available replacement for a failed plant inverter. Describe any credit taken in the inverter risk assessment based on the availability of the spare inverter with respect to maintenance/procedures/operator actions and assumed completion times.

APS Response to RAI Question 6

Palo Verde does not currently have spare or swing inverters.

RAI Question 7

The submittal states that the CPS [Clinton Power Station] IPEEE fire models are currently archived. Discuss any differences the archived fire models may have with the current as-built, as operated plant and any impact that this would have on the proposed division 1 and 2 and extended NSPS inverter AOT and estimated fire PRA results.

APS Response to RAI Question 7

Palo Verde has a fire PRA, which was developed in 2000 using the EPRI Fire PRA Implementation Guide. Fire risk is quantified and provided in this submittal.

RAI Question 8

Provide a discussion on the cumulative impact of previous changes or additional planned risk-informed requests. In the discussion include the impact of the diesel generator CT extension and extended power uprate at Clinton Power Station Unit 1. See RG 1.174 Section 3.3.2.

APS Response to RAI Question 8

Three other Completion Time extensions have been granted to PVNGS:

  • Low Pressure Safety Injection from 72 hours to seven days (Amendment 124, March 2000)
  • Safety Injection Tank from one hour to either 24 or 72 hours, depending on the condition (Amendment 118)
  • Diesel Generator from 72 hours to ten days

The first two are for systems of very low importance and the risk analyses associated with them showed very small increases in risk. The Completion Time extensions have been in effect for about nine years, so unavailability values used in the PRA model would reflect any actual changes in unavailability. There is no significant dependence between either LPSI or SITs and vital AC, so the compounding of potentially longer unavailability times is insignificant.

The longer Completion Time for the DGs has resulted in greater unavailability. A change was implemented in the latest model update that updated unavailability for all systems covered under the Mitigating Systems Performance Index program, which includes the DGs. This higher unavailability was the subject of one of the sensitivity cases run for this study, so the compounding of risk effects was explicitly accounted for. Results were shown to be acceptable.

RAI Question 9

, page 10 of 20, states that the CDF contribution due to internal fires was estimated to be 3.26E-6/year. The staff review of the IPE references a CDF contribution from fire as 3.6E-6/year based on increased CDF contribution from dc/UPS equipment area fires. Reconcile these differences and possible impact on the proposed division 1 and 2 inverter 7-day CT.

APS Response to RAI Question 9

This does not apply to the Palo Verde submittal. Palo Verde has a fire PRA, which was used in generating this submittal. Results are reported.

RAI Question 10

, page 2-7. The CDF/average calculation assumes that each inverter is only taken out for maintenance once per fuel cycle and will use the full 7-day CT. Confirm that inverter maintenance history, reliability, and availability are consistent with the above assumptions. The submittal notes that CPS policy is to schedule inverter maintenance for half the CT (3.5 days). However, the proposed CT includes additional maintenance tasks including possible inverter replacement.

APS Response to RAI Question 10

The estimate of inverter unavailability used for the long-term impact to CDF and LERF used a conservative estimate of two outages per year on each of the four inverters. This is in excess of recent problems experienced with the inverters (on a per-unit basis). To date, all failures have been repaired without the need to shut down, which means 24 hours (slightly longer in one case, where preparations for plant shutdown were in progress). The repair/restoration time used is 72 hours. In general, plant operations attempts to limit use of the Completion Time to about half that allowed.

RAI Question 11

The licensee states that they performed the quantification using a single top model (fault tree). This approach can result in subsuming (and thus elimination) of valid event sequences, if event sequence success branches are not included in the sequence logic that inputs to the single top event. Please describe your development approach of the single top fault tree (i.e., conversion from event tree logic structure to single top fault tree logic structure) and confirm that this approach does not subsume valid event sequences during the quantification process.

APS Response to RAI Question 11

This is not applicable to Palo Verde. Complete quantification was performed for every configuration analyzed for this submittal. Furthermore, the Equipment Out Of Service Monitor Software (EOOS) also performs complete quantification for on-line configuration risk management.

RAI Question 12

For Table A-1, the last bullet on the bottom of page A-4 appears to have an incomplete reference for the fraction of the fire scenario attributed to station blackout.

APS Response to RAI Question 12

This RAI question is specific to an editorial omission (inadvertent truncation) in the Clinton Power Station submittal and is not pertinent to the APS request for amendment to TS 3.8.7 proposed herein for the PVNGS.

RAI Question 13

Appendix D states that the 2003A Clinton Power Station Unit 1 LERF model incorporates a significant number of conservatisms. Appendix D credits operator action for the isolation for a pair of containment isolation valves that require AC power to close citing the availability of manual isolation valves. The valves as stated, are located where radiation levels could be high. The current PRA no longer incorporates the credit for manual valve isolation and the referenced human error probabilities (HEP) are not used. No justification is provided that the Appendix D change is considered valid and reviewed/approved for incorporating into the next revision of the PRA model. Based on the above, either present additional justification for this change to the model including the impact on Tier 2 and Tier 3 evaluations or, as an alternative, provide and confirm that the estimates for LERF, ΔLERF, and ICLERP without the revised HEP recovery factor are within the acceptance guidelines given in RG 1.174 and 1.177.

Confirm that baseline LERF, ΔLERF, and ICLERP with either division 1 or 2 inverters out-of-service incorporate the modified Appendix D reduction factor of .44 (credited recovery action). See table 1, Attachment 1, note 2, Equation 5, Attachment 4, page 2-8 equation 5, or page 2-9, equation 9.

APS Response to RAI Question 13

This is not applicable to Palo Verde.

RAI Question 14

Confirm that the referenced CPS CRMP meets the guidance for a Tier 3 program as outlined by Key Components 1, 2, 3 and 4 of a CRMP. RG 1.177 Section 2.3.7.2.

APS Response to RAI Question 14

This is addressed in Section 3.4 of Enclosure 1 of this submittal.

ENCLOSURE 5

Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding North Anna Power Station Request for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter

By letter dated May 8, 2003, Virginia Electric and Power Company transmitted a response to a Nuclear Regulatory Commission (NRC) request for additional information (RAI) to support the Staff's review of a proposed change to the North Anna Power Station Technical Specification (TS) 3.8.7, "Inverters - Operating." Similar to the amendment requested herein for Palo Verde Nuclear Generating Station (PVNGS), the North Anna Power Station change was to revise TS Required Action A.1 to extend the Completion Time for restoration of an inoperable inverter.[2] The NRC RAI for the North Anna Power Station TS change encompassed 15 question areas. To facilitate the NRC's review of the amendment proposed herein, APS has prepared a response to each of these 15 RAI question areas, to the extent they may be pertinent in supporting the similar change to PVNGS TS 3.8.7. The APS response to each RAI question area includes, as appropriate, reference to the section(s) of this license amendment request and/or supporting analyses that incorporate the issue(s) raised in the question.

RAI Question 1

The Tier 2 evaluation states that there are no single components with the unit at power per the TS, when allowed to be out of service concurrent with an inverter would result in a significant change in risk (i.e., increase in RAW greater than 10 percent for components with a RAW of 2). Confirm that no basic event RAW value previously considered not risk significant (RAW less than 2) increase to 2 or greater with an inverter completion time of 14 days.

APS Response to RAI Question 1

No similar claim is made in the Palo Verde submittal. Risk will be managed in accordance with the Configuration Risk Management Program (CRMP) (10 CFR 50.65(a)(4)).

RAI Question 2

What are the risk impacts of a loss of offsite power event with or without a vital AC inverter available?

APS Response to RAI Question 2

In the base case model, IELOOP accounts for 30 percent of CDF, which is 1.53E-6/yr; with Channel A inverter out of service, IELOOP accounts for 20 percent of CDF, which is also 1.53E-6/yr. Thus there is no change in the contribution to CDF.

[2] North Anna Power Station, Amendment Nos. 235 and 217 for Units 1 and 2, respectively, issued by NRC letter dated May 12, 2004 (ADAMS Accession No. ML041380438).

RAI Question 3

The proposed license amendment discussion on external events is limited to the seismic evaluation of the voltage regulating transformers. Provide additional discussion with respect to seismic, fire, high winds, floods, and other external events and their impact on the proposed inverter times.

APS Response to RAI Question 3

This is not applicable to Palo Verde. Fire and seismic effects were explicitly addressed.

High winds are included in the Loss of Off-Site Power initiating event [NUREG/CR-INEEL/EXT-04-02326 (October 2004) was used in the estimation of IELOOP]. External flooding hazard is extremely low in the desert, and there are no nearby industrial facilities nor transportation corridors (Interstate 10 is six miles away).

RAI Question 4

For the base case risk analysis the inverter maintenance failures were set to "zero." Did the analysis assume recovery of the inverter? Describe how common cause factors were accounted for in the inverter risk analysis for inverter failure probabilities when set to true or false.

APS Response to RAI Question 4

The inverter maintenance portion of this question is not applicable to the Palo Verde submittal. Common-cause treatment is explicitly addressed in the analysis.

RAI Question 5

Are the replacements U-2 regulating voltage transformers seismically qualified? Will future replacement transformers be seismically qualified? Will future replacement inverters include an automatic transfer feature to the voltage regulating transformers upon loss of power?

APS Response to RAI Question 5

Palo Verde has not made any recent replacements of either the constant voltage transformers or the vital AC inverters, and this part of the question does not apply to PVNGS.

The process of transferring power from the inverter to its backup constant voltage transformer is performed automatically for Units 2 and 3, and manually at Unit 1. Also, the existing Class 1E vital AC instrumentation inverters and backup constant voltage transformers are seismically qualified components.

It is noted for information that new inverters are being considered for the purpose of increasing system reliability. The specification for these replacement inverters currently includes automatic transfer features and seismic qualification requirements, and would be applicable to all three PVNGS Units.

RAI Question 6

List plant tools, techniques and procedures used in evaluating the configuration risk (Tier 3) per 10 CFR 50.65(a)(4).

APS Response to RAI Question 6

Palo Verde uses the Equipment Out Of Service (EOOS) Monitor Software to monitor plant operating risk. Its use is governed by procedures 70DP-ORA05, Assessment and Management of Risk When Performing Maintenance in Modes 1 and 2, and 51 DP-90M03, Site Scheduling. Palo Verde uses a twelve-week maintenance schedule where one of the two safety trains is designated as "protected" each week. Work week managers are tasked with testing proposed plant configurations, such that instantaneous risk increase is maintained less than 1E-6/yr in CDF and 1E-7/yr in LERF where practicable. Greater increases require more review and approval. Suggested configurations to avoid are provided in Procedure 70DP-ORA05 that take into account defense-in-depth, as well as the risk metrics. For example, the Train A Auxiliary Feedwater Pump (which is steam-driven and important in Station Blackout) is not removed from service concurrently with the Train A diesel generator. Additional restrictions apply to multi-unit configurations, as well as single-unit configurations. For example, concurrent maintenance on diesel generators in two different units or a diesel-generator along with both of the Station Blackout Generators is not scheduled.

RAI Question 7

With a new equipment installation is the assumption of only one 14 day outage per refueling cycle adequate? If 14 days is used for the installation what is the probability that additional time for maintenance will be required due to new inverter performance, surveillance, or operability concerns.

APS Response to RAI Question 7

Palo Verde is requesting a 7-day Completion Time instead of the 14 days discussed for North Anna. New equipment installation will typically be planned during a refueling outage because it takes more than 7 days to do this task.

RAI Question 8

No discussion of cumulative risk was presented in the submittal. Are there other recent or pending applications that would affect the results shown for a 14 day inverter CT?

Does the PRA analysis included in the submittal reflect these changes?

APS Response to RAI Question 8

Three other Completion Time extensions have been granted to PVNGS:

  • Low Pressure Safety Injection from 72 hours to seven days (Amendment 124, March 2000)
  • Safety Injection Tank from one hour to either 24 or 72 hours, depending on the condition (Amendment 118)
  • Diesel Generator from 72 hours to ten days

The first two are for systems of very low importance and the risk analyses associated with them showed very small increases in risk. The Completion Time extensions have been in effect for about nine years, so unavailability values used in the PRA model would reflect any actual changes in unavailability. There is no significant dependence between either LPSI or SITs and vital AC, so the compounding of potentially longer unavailability times is insignificant.

RAI Question 9

Provide a discussion on the applicability of the Unit 1 analysis to Unit 2.

APS Response to RAI Question 9

As stated in the submittal, the analysis was tailored to Unit 1 by adding the Human Reliability Analysis (HRA) for back-up voltage regulator alignment. The automatic static transfer switch in Units 2 and 3 makes the submittal conservative to those units.

RAI Question 10

Discuss how the values for baseline ICCDP, delta CDF, delta LERF and ICLERP stated in the submittal are consistent with the methodology given in RG 1.174 and RG 1.177 in that the baseline CDF states the nominal expected equipment unavailabilities are used.

APS Response to RAI Question 10

The nominal expected unavailability values for all equipment other than the inverters are used for both the R0 and R1 calculations. As specified in the Regulatory Guides, the inverter failures are set to FALSE in calculating R0 and TRUE in calculating R1.

RAI Question 11

What is the Base CDF (nominal equipment out of service) for North Anna? The IPE data base indicates an estimated core damage frequency of 7.1E-5/r-y from internally initiated events. Provide background on the IPE results with respect to the baseline result estimated at 1.083E-5/r-y shown in the submittal.

APS Response to RAI Question 11

See Enclosure 2 of this submittal addressing PRA history and quality. Significant modeling changes are listed.

RAI Question 12

Provide expanded discussion of the scope, level of detail of the North Anna PRA including the applicability of the North Anna PRA in assessing the proposed inverter AOTs. Provide a discussion on the programs to update and maintain the North Anna PRA to reflect current plant as-built conditions. With respect to peer review, provide additional details on the guidelines used and organizations employed.

APS Response to RAI Question 12

See Enclosure 2 of this submittal addressing PRA history and quality.

RAI Question 13

Was generic data or plant specific data (inverters, transformers) used in the evaluation of the risk impact of the proposed CT?

APS Response to RAI Question 13

At Palo Verde, plant-specific unavailability data is used for both the inverters and voltage regulators. Failure data is generic.

RAI Question 14

Is there a cross-tie capability from the other North Anna unit for the 120v vital AC bus?

APS Response to RAI Question 14

The 120-volt vital AC buses for each Unit at PVNGS cannot be cross connected to buses at different Units.

RAI Question 15

Were the risk impacts of diesel generators including diesel generator maintenance evaluated with respect to the proposed completion times? DG completion times, for example?

APS Response to RAI Question 15

This was explicitly accounted for, including a sensitivity analysis on DG unavailability.


Enclosure 6 APS Response to NRC RAIs Regarding Byron and Braidwood Stations

ENCLOSURE 6

Arizona Public Service (APS) Response to NRC Request for Additional Information Regarding Byron Station and Braidwood Station Requests for Amendment to Extend Completion Time for Restoration of an Inoperable Inverter

By letter dated June 20, 2003, Exelon Generation Company, LLC transmitted a response to a Nuclear Regulatory Commission (NRC) request for additional information (RAI) to support the Staff's review of a proposed change to Technical Specification (TS) 3.8.7, "Inverters - Operating," for the Byron and Braidwood Stations.

Similar to the amendment requested herein for Palo Verde Nuclear Generating Station (PVNGS), the Byron/Braidwood change was to revise TS Required Action A.1 to extend the Completion Time for restoration of an inoperable inverter.

The NRC RAI for the Byron/Braidwood Station TS change encompassed 22 question areas. To facilitate the NRC's review of the amendment proposed herein, APS has prepared a response to each of these 22 RAI question areas, to the extent they may be pertinent in supporting the similar change to PVNGS TS 3.8.7. The APS response to each RAI question area includes, as appropriate, reference to the section(s) of this license amendment request and/or supporting analyses that incorporate the issue(s) raised in the question.

RAI Question 1

What is the risk impact for a loss of an offsite power event with or without a vital AC inverter available? (Individual Plant Examinations (IPE) notes that loss of offsite power (LOOP) contributes 83 percent to core damage frequency (CDF)).

APS Response to RAI Question 1

In the base case model, IELOOP accounts for 30 percent of CDF, which is 1.53E-6/yr; with Channel A inverter out of service, IELOOP accounts for 20 percent of CDF, which is also 1.53E-6/yr. Thus there is no change in the contribution to CDF.

RAI Question 2

Based on maintenance history, is one surveillance per year of 14 days consistent with the performance experienced with the instrument bus inverters to date?

APS Response to RAI Question 2

Maintenance on the inverters at PVNGS is done during every other outage for the duration of one week. The 7-Day Completion Time is an assumed value for risk assessment purposes. As the inverters age, it is expected that additional maintenance activities will be required. Therefore, the assumed value of 7 days of Completion Time per inverter per refueling outage is conservative with respect to the PRA analysis.

[3] Braidwood and Byron Stations, Amendment Nos. 129 and 135, respectively, issued by NRC letter dated November 19, 2003 (ADAMS Accession No. ML033290044).

RAI Question 3

Do the instrument bus inverters automatically switch to the constant voltage transformers (CVTs) upon loss of the inverter?

APS Response to RAI Question 3

In Unit 1, the switch to the CVT upon loss of the inverter is accomplished via a manual dead bus transfer.

In Unit 2 and 3, the switch to the CVT upon loss of the inverter is accomplished via automatic static transfer switches.

RAI Question 4

Provide a discussion of PRA peer review results and comments and indicate whether any of the peer review findings are applicable to the proposed inverter Completion Time (CT) request. Indicate what modifications were made to address the peer review comments.

APS Response to RAI Question 4

The CEOG peer review produced the following Category A, Fact and Observations (F&Os):

1. The recovery action RE-AFA-LOCAL appears to be used in a non-conservative fashion in several different scenarios. First, RE-AFA-LOCAL is used redundantly to 1ALFW-2HRS-HR in several sequences. This does not properly address dependencies across systems. (See F&O DE-07) Secondly, RE-AFA-LOCAL is being used to recover a hardware failure. An evaluation should be done to determine the fraction of failure that is recoverable (See F&O QU-03). Finally, RE-AFA-LOCAL is inappropriately being used to recover some SOSV events (See F&O QU-04).
2. Human action to manually control auxiliary feedwater (AFW) is not modeled even though procedures tell the operators to take manual control of AFW (See F&O HR-04).


3. The model assumes that the AFW regulating valves are cycled only once to maintain AFW flow where these valves are probably cycled multiple times. This should be evaluated and the model updated as appropriate (See F&O HR-06).
4. Batteries C and D are modeled as having a 24 hour mission time prior to depletion so that control power is always available for AFW control. The capacities for batteries C & D should be verified and if less than 24 hours, the model should be corrected (See F&O SY-12). In addition, battery demand failures are not included in the models (See F&O SY-10).
5. The common cause priors are significantly lower than the INEEL recommended values for key equipment in the PVNGS model (See F&O DA-04).

All of the above F&Os have been addressed and are considered closed. The model has undergone several revisions since the peer review, some having affected the subject concerns more than once. Regarding numbers 1 and 2, the Human Reliability Analysis (HRA) associated with Auxiliary Feedwater recovery and use of Alternate Feedwater (depressurizing a steam generator and feeding with a condensate pump) has undergone numerous refinements. These HRAs have all been recalculated relatively recently using the EPRI HRA calculator with significant operator input. There is high confidence in this modeling. Regarding number 3, AFW valve cycling is addressed as a modeling assumption where a sensitivity analysis was performed that showed that multiple AF valve cycling has no significant impact to CDF or LERF.

Analysis performed during a Significance Determination showed that Channel C and D battery capacity is more than sufficient to last the full 24-hour PRA mission time.

Common-cause modeling has been completely re-performed using the methodology of NUREG/CR-5458, Guidelines on Common-Cause Failure Modeling in Probabilistic Risk Assessments and the data from NUREG/CR-6268, Common Cause Failure Data Collection and Analysis System.

None of the comments or their responses is likely to have any significant impact on the conclusions of the risk analysis given the low risk significance of the vital AC inverters.

A compliance assessment to Regulatory Guide 1.200 Rev. 1 was performed for this submittal and is attached. Palo Verde PRA model history and quality assessment is also attached. They should be sufficient to address any concerns regarding the peer review.

RAI Question 5

Provide additional discussion concerning the Tier 2 evaluation including any components that were identified as risk significant with regards to a 14-day CT for the instrument bus inverters risk achievement worth (RAW) values greater than two or components whose RAW value increased to two based on the proposed 14-day instrument bus inverter CT. In addition are there any maintenance activities that were identified that should not be scheduled during inverter maintenance? Were any compensatory measures identified related to inverter maintenance when a 14-day CT is implemented?

APS Response to RAI Question 5

As a matter of clarification, APS is requesting a seven day Completion Time, rather than fourteen days. The only components whose RAW values increased above 2.0 are those in the power supply to the voltage regulator placed in service in lieu of the out-of-service inverter. Electrical distribution equipment is not scheduled for maintenance during operation.

RAI Question 6

Describe how common cause factors were accounted for in the inverter analysis for inverters taken out of service.

APS Response to RAI Question 6

Common-cause is explicitly addressed and reported in the submittal.

RAI Question 7

As suggested by Regulatory Guide (RG) 1.174, the licensee should perform sensitivity studies to provide additional insights into the uncertainties related to the proposed CT extension. Provide a discussion that shows the proposed instrument bus inverter CT request results met the acceptance criteria for CDF, large early release frequency (LERF), incremental conditional core damage probability (ICCDP), and incremental conditional large early release probability (ICLERP), when parameters potentially affecting the risk results are changed to reflect the range of uncertainty of the associated parameters.

APS Response to RAI Question 7

Sensitivity studies suggested in this question were performed and reported as part of the submittal.

RAI Question 8

Page 7 of 15 of the submittal states that the proposed 14 day CT is expected to be used no more than once per inverter per refueling cycle. It is noted that it appears that the estimation of risk impact assumed that each inverter will be taken out of service once per year for 14 days. Clarify the frequency that is intended for inverter maintenance.

APS Response to RAI Question 8

The proposed 7-day Completion Time allows performance of some maintenance activities online, instead of delaying work to be performed during an outage, as is the current practice with the 24-hour Completion Time limitation. The Completion Time evaluation assumes that each inverter would be unavailable for 7 days per refueling outage.

RAI Question 9

Page 7 of 15 of the submittal states, "The base CDF values for each unit range from about 3E-5/year to about 5E-5/year based on the average unavailability of the instrument bus inverters using plant specific data." Are these differences in base CDF attributable to the unavailability of the instrument bus inverters? Should this read, "including the average unavailability?"

APS Response to RAI Question 9

This question is not applicable to the Palo Verde submittal.

RAI Question 10

The IPE for Braidwood Station states that the pressurizer PORVs depend on 120 VAC power as well as DC power and compressed air. Discuss the impact of this dependency on the proposed 14 CT time for the instrument bus inverter.

APS Response to RAI Question 10

This question is not applicable to the Palo Verde submittal. Palo Verde does not have PORVs.

RAI Question 11

Was the ability to crosstie the emergency busses included in the instrument bus inverter 14 day CT evaluation? Discuss the risk impact this has on the instrumentation bus inverter 14 day CT.

APS Response to RAI Question 11

This question is not applicable to the Palo Verde submittal.

RAI Question 12

Page 12 of 15 of the submittal states that for planned maintenance activities an assessment of overall risk of the activity on plant safety, including benefits to system reliability and performance is currently performed prior to scheduled work. Is this stating that the overall risk of the activity is a combination based on the risk of performing that activity and the risk or performance benefit once the maintenance activity is completed?

APS Response to RAI Question 12

This question is not applicable to the Palo Verde submittal, since the referenced claim is not made.

RAI Question 13

On page 12 of 15 of the submittal, the last bullet states that as a final check, a quantitative risk assessment is performed to ensure that the activity does not pose any unacceptable risk. The evaluation is performed using the impact of CDF and LERF.

Are only CDF and LERF evaluated or are ICCDP and ICLERP metrics used when equipment is taken out of service? Is the contribution from common cause evaluated for maintenance activities for equipment taken out of service?

APS Response to RAI Question 13

Equipment Out Of Service Monitor Software (EOOS) does not explicitly account for incremental conditional probabilities. However, the length of time allowed in a greater-than-green Risk Management Action Level (RMAL) is limited administratively in order to restrict cumulative risk to 1E-6 CDF and 1E-7 LERF in any work week.

RAI Question 14

Besides the on-line work procedure, what tools are used to monitor plant risk? Discuss available computer models, including risk matrix, shutdown risk, etc. (See page 12 of 15 of the submittal).

APS Response to RAI Question 14

At Palo Verde, on-line risk is assessed using EOOS software. All four vital AC inverters are included in the PRA model which is the model used by EOOS to calculate on-line risk associated with maintenance activities. The risk of having any of the four vital AC inverters out of service (OOS) would be calculated by the EOOS software.

To assess risk while in the shutdown modes (modes 3 to defueled), Palo Verde uses both a qualitative and quantitative (PARAGON) process. Both methods utilize a defense in depth philosophy. All four vital AC inverters are included in both defense in depth models. The risk of having any of the four vital AC inverters OOS, would be assessed by both shutdown risk assessment processes.

RAI Question 15

The submittal states that the instrument bus inverters are monitored under the maintenance rule (i.e., 10 CFR 50.65(a)(2)). Section (a)(2) says that monitoring is not performed - it is assumed that preventive maintenance is adequate. Discuss what performance criterion is in place for the instrument bus inverters (See page 13 of 15 of the submittal).

APS Response to RAI Question 15

The vital AC system is a high risk maintenance rule system at Palo Verde. High risk systems generally require reliability and unavailability performance criteria by which to monitor while in (a)(2) monitoring. The vital AC inverters have reliability and unavailability performance criteria. The reliability performance criterion for the vital AC inverters is no more than 3 failures in an 18 month period. The unavailability performance criterion for the vital AC inverters is < 0.3 percent for a rolling 18 month period.

RAI Question 16

Provide conditional CDF risk results for instrument bus inverters: CDFxAOOS, CDFxBOOS, CDFxCOOS, and CDFxDOOS when each is out of service.

APS Response to RAI Question 16

The risk analysis supporting this submittal provides results for Channel A, which is the most risk-significant of the four vital AC channels. This bounds the results for the other three channels.

RAI Question 17

For the risk analysis of the inverters, did the analysis assume recovery of the inverter?

APS Response to RAI Question 17

No inverter recovery was credited.

RAI Question 18

Was generic data or plant specific data (i.e., for inverters, transformers) used in the evaluation of the risk impact of the proposed CT?

APS Response to RAI Question 18

At Palo Verde, plant-specific unavailability data is used for both the inverters and voltage regulators. Failure data is generic.

RAI Question 19

Provide the estimates for CDF, LERF, ICCDP, and ICLERP for the proposed 14-day instrument bus CT.

APS Response to RAI Question 19

All of these are provided in Enclosure 1 of this submittal. PVNGS is requesting a 7-day completion time, not 14-days.

RAI Question 20

The submittal states that NUREG/CR-6595, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events," was used to estimate LERF. What method (or definition of LERF) from NUREG/CR-6595 was used to derive the value for LERF? NUREG/CR-6595 states that if the estimated LERF is significantly (about an order of magnitude or more) below the acceptance guideline, then the expenditure of additional resources to obtain a detailed level 2 model and more accurate estimate of LERF is not warranted. Based on Table A-1 and Table A-3 of the submittal, discuss the results of the LERF calculation and the conformance to the guidelines referenced in NUREG/CR-6595 on page 1-3.

APS Response to RAI Question 20

The statement referred to is not made, so the question is not applicable.

RAI Question 21

With a longer allowed outage time proposed for the inverters, provide a description of compensatory measures taken before the instrument bus inverter is taken out for service.

APS Response to RAI Question 21

As described in Enclosure 4, in the response to RAI Question 1 for the Clinton Power Station, PVNGS evaluates facility risks associated with all planned equipment maintenance activities, and will implement specific compensatory measures prior to planned activities that will render a vital AC inverter inoperable. These compensatory measures will be included in the Bases for TS 3.8.7 and include the following:

"Planned inverter maintenance or other activities that require entry into Required Action A.1 will not be undertaken concurrent with the following:

a. Maintenance on the associated train Diesel Generator (DG); or
b. Planned maintenance on another RPS or ESFAS channel that results in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the instrument bus being powered by the regulating transformer, instrument power for that train is dependent on power from the associated DG following a loss of offsite power event."

RAI Question 22

When an inverter is taken out for service, upon a loss of offsite power (partial or full), a 120 VAC instrumentation bus that is being powered by the constant voltage transformer will be de-energized for 10 seconds until the associated emergency diesel generator re-energizes the emergency bus. Describe any impact on plant operation as a result of momentarily de-energizing vital buses. Also, describe the impact of the reactor protection system (RPS) and engineered safety features actuation system (ESFAS) logic during this time delay.

APS Response to RAI Question 22

The DGs provide a source of emergency power when offsite power is either unavailable or voltage is insufficient to allow safe unit operation. Normally after a loss of offsite power the vital 120 VAC instrument buses will be supplied with uninterrupted power from the batteries in their associated inverter. However, during periods of time when an inverter is taken out of service, e.g., for maintenance activities, the backup constant voltage transformer supplies the connected vital instrument loads, but this backup source is not an uninterruptible power supply. In this condition when a backup constant voltage transformer is supplying its associated vital 120-volt AC instrument bus, a loss of offsite power will de-energize the instrument bus for approximately 10 seconds until the DG is on-line. The remaining three vital 120-volt AC instrument buses will be unaffected by the loss of offsite power because they will be supplied from their associated inverter batteries.

The impact of this 10 second loss of power to the single affected vital 120-volt AC instrument bus on plant operations will be minimal. The plant will shut down due to the loss of offsite power, and the remaining three instrument buses will still provide the required two-out-of-three channel actuation logic to the reactor protective system (RPS) and engineered safety features actuation system (ESFAS).

When the vital 120-volt AC instrument bus is re-energized, some of the supported instruments will most likely have tripped and some instruments may require re-calibration, since their settings may default to factory settings. PVNGS operating procedures provide instructions for performing channel checks and calibrations for affected instrument channels, in accordance with established surveillance test procedures, before these re-energized instruments can be considered operable.
