ML100550700

Technical Specifications Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C, and 3D
ML100550700
Person / Time
Site: Browns Ferry, Tennessee Valley Authority
Issue date: 02/18/2010
From: Krich R
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
TVA-BFN-TS-468


Text

Tennessee Valley Authority, 1101 Market Street, Chattanooga, Tennessee 37402-2801

February 18, 2010

10 CFR 50.90

TVA-BFN-TS-468

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, D.C. 20555-0001

Browns Ferry Nuclear Plant, Units 1, 2, and 3
Facility Operating License Nos. DPR-33, DPR-52, and DPR-68
NRC Docket Nos. 50-259, 50-260, and 50-296

Subject:

Technical Specifications Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C and 3D

References:

1. NRC letter to TVA, "Browns Ferry Nuclear Plant, Units 2 and 3 - Issuance of Amendments Regarding Authorization of 14 Day Allowable Outage Time for Emergency Diesel Generators (TAC Nos. M98205 and M98206)," August 2, 1999.

2. NRC Letter to TVA, "Browns Ferry Nuclear Plant, Units 2 and 3 - Supplement to Safety Evaluation Relating to Approval of 14 Day Allowable Outage Time for Emergency Diesel Generators (TAC Nos. M98205 and M98206)," September 23, 1999.

Pursuant to 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," TVA is requesting a TS change (TS-468) to licenses DPR-33 for BFN Unit 1, DPR-52 for BFN Unit 2, and DPR-68 for BFN Unit 3. The TS change proposes to extend the Completion Time of TS 3.8.1 Required Action B.4 for Diesel Generators (DGs) A, B, C, D, 3A, 3B, 3C, and 3D. A commensurate change is also proposed to extend the maximum Completion Time of TS 3.8.1 Required Actions A.3 and B.4. These extensions would allow continued operation of BFN Units 1, 2, and 3 while corrective maintenance, modifications, post-maintenance and modification testing, and surveillance testing of the subject DGs are completed. These activities will sustain the reliability of the DGs.


The TS change also proposes to eliminate a historical footnote (BFN Unit 3 Only) for TS 3.8.1 Required Action B.4. Enclosure 1 to this letter provides the justification for this request. Enclosure 2 provides marked-up pages of the affected TS and Bases pages. Enclosure 3 provides retyped pages of the affected TS and Bases pages. Enclosure 4 provides a list of new commitments. Enclosure 5 provides a summary of the BFN Probabilistic Risk Assessment Quality Upgrade Initiative.

TVA has determined that there are no significant hazards considerations associated with the proposed changes and that the TS changes qualify for a categorical exclusion from environmental review pursuant to the provisions of 10 CFR 51.22(c)(9). Additionally, in accordance with 10 CFR 50.91(b)(1), TVA is sending a copy of this letter and enclosures to the Alabama State Department of Public Health.

TVA requests approval of these TS changes by December 1, 2010, to support planned work activities, and implementation of the revised TSs be within 14 days of NRC approval.

There are no new regulatory commitments associated with this submittal.

Please direct any questions concerning this matter to D. Green at (423) 721-8423.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on the 18th day of February, 2010.

Respectfully,

R. M. Krich
Vice President
Nuclear Licensing

Enclosures:

1. TVA Evaluation of Proposed Changes
2. Proposed Technical Specifications and Bases Changes (marked-up)
3. Proposed Technical Specifications and Bases Changes (retyped)
4. Commitment List
5. Summary of Browns Ferry Nuclear Plant Probabilistic Risk Assessment Quality Upgrade Initiative

Enclosures

cc (Enclosures):

NRC Regional Administrator - Region II
NRC Senior Resident Inspector - Browns Ferry Nuclear Plant
State Health Officer - Alabama Department of Public Health

ENCLOSURE 1

Browns Ferry Nuclear Plant, Units 1, 2, and 3

Technical Specifications (TS) Change 468

License Amendment Request to Extend Completion Times For TS 3.8.1 Required Action B.4.

EVALUATION OF PROPOSED CHANGE

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 TECHNICAL EVALUATION

4.0 REGULATORY EVALUATION

5.0 ENVIRONMENTAL CONSIDERATION

6.0 REFERENCES


1.0 DESCRIPTION

Pursuant to 10 CFR 50.90, the Tennessee Valley Authority (TVA) is submitting a request for Technical Specification (TS) changes to license DPR-33 for Browns Ferry Nuclear Plant (BFN) Unit 1, license DPR-52 for BFN Unit 2 and license DPR-68 for BFN Unit 3. The proposed TS changes: a) extend the Completion Time for Required Action B.4 from 7 days to 14 days; b) make commensurate changes to the maximum Completion Times for Required Action A.3 and B.4 by extending these times from 14 days to 21 days and c) eliminate a historical footnote regarding a one-time extension to the first Completion Time of BFN Unit 3 Required Action B.4.

These changes will provide operational and maintenance flexibility. They will also allow performance of diesel generator (DG) inspection and maintenance activities during plant operation, reducing plant refueling outage duration and improving DG availability during shutdown plant conditions.

2.0 PROPOSED CHANGE

2.1 Need for Proposed Changes

Currently, BFN Units 1, 2, and 3 TS 3.8.1, Required Action B.4 permits a diesel generator to be removed from service for a period of seven days, before action is required to place the unit in a Mode for which the TS is not applicable. Based on plant-specific experience, the 7 day duration does not permit adequate time to perform some planned and corrective DG maintenance. Longer Required Action Completion Time durations will reduce the regulatory burden associated with DG maintenance activities.

2.2 Proposed Changes

A description of the proposed TS changes is provided below. The specific changes to the BFN TS and TS Bases for Units 1, 2, and 3 are indicated in the markups provided in Enclosure 2. The retyped (clean) pages of the BFN TS and TS Bases for Units 1, 2, and 3 are provided in Enclosure 3.

TS 3.8.1 - Completion Time - Required Action B.4

The Completion Time for Required Action B.4 is proposed to be extended from 7 days to 14 days. In addition, TVA is proposing to eliminate a reference to a historical footnote from the Completion Time of TS 3.8.1, Required Action B.4 for BFN Unit 3. This footnote refers to a one-time extension that has expired. The elimination of this footnote is an administrative change with no impact on safety, because the provisions reflected in the footnote have expired.

TS 3.8.1 - Maximum Completion Time - Required Actions A.3 and B.4

The maximum (i.e., second) Completion Time for Required Actions A.3 and B.4 is proposed to be extended from 14 days to 21 days. The maximum Completion Time limits the total time that Limiting Condition for Operation (LCO) 3.8.1 is not met while concurrently or simultaneously in Conditions A and B. This Completion Time is the sum of the Completion Time for Required Action A.3 and the Completion Time for Required Action B.4. TVA is proposing to increase the Completion Time for Required Action B.4 to 14 days (described above); thus, the sum of the first Completion Times for Required Action A.3 and B.4 will be increased from 14 days to 21 days.


2.3 Bases for Proposed Changes

Consistent with the objectives of the NRC's policy entitled "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement" (60 FR 42622) (Reference 6.6), the amendment proposed herein provides (1) safety decision-making enhanced by the use of Probabilistic Risk Assessment (PRA) insights, (2) more efficient use of resources, and (3) a reduction in unnecessary burden.

The Completion Time of Required Action B.4 of TS 3.8.1 currently allows only 7 days to perform maintenance and post-maintenance testing or troubleshoot and repair an inoperable DG, and return it to an operable status when BFN Unit 1, 2, or 3 is in Modes 1, 2, 3, or 4. Recent experience at TVA has shown that the current 7 day Completion Time is insufficient to support all on-line troubleshooting, maintenance, and post-maintenance testing while the unit is at power; examples include the 12 year PM activities and Lube Oil System Modification.

Specifically, BFN's DGs are subject to a vendor recommended preventative maintenance (PM) program, which involves several periodic service and inspection activities, including a major PM outage every 12 years. The BFN DGs were manufactured by General Motors Electromotive Division (EMD) and the PM program is based on EMD recommendations.

The 12 year PM requires an extensive diesel engine disassembly, including removal of pistons, cylinder liners, and connecting rods. During the last BFN 12 year PM the longest out of service time for a diesel was 180.4 hours. The average unplanned availability for all eight diesel generators is 4.5 days based on available data from 1994 to 2007.

TVA's experience with the 12 year PM activities is limited by the infrequency of performance. However, the predicted schedule duration has considerably more uncertainty than routinely conducted activities and could encounter unexpected delays, thus raising the potential for exceeding the 7 day Completion Time. The extension of the seven day DG Completion Time to 14 days gives extra time for completing the task, thus reducing the risk of a TS forced reactor shutdown as a result of exceeding the 7 day Completion Time. Partitioning the 12 year DG mechanical PM and electrical PM into two maintenance activities could be performed. However, it is not desirable from an overall DG availability perspective since this approach removes the DGs from service for a longer period of time than if performed as a combined activity. This is because setup, restoration, and post-maintenance testing associated with the maintenance are often duplicative, and must be repeated each time the DGs undergo maintenance. TVA has estimated the proposed combined outage approach can save 58 hours of outage time per DG. For the eight DGs, this is equivalent to a total of 464 hours (19.3 days), which represents a significant increase in overall DG availability.

TVA has considered scheduling the 12 year PM outages during refueling outages. However, Units 1 and 2 share four DGs and TVA does not intend to schedule simultaneous outages for these units. No more than two of the four DGs could be serviced within a single refueling outage without extending the outage, since only one DG is removed from service at a time in order to minimize shutdown risk. There are also manpower constraints. Maintenance on DGs is performed by a limited number of experienced craftsmen due to the specialized nature of the maintenance. This manpower limitation likewise restricts working on more than one diesel generator at a time. Additionally, previous work experience indicates that shorter DG outages can be achieved by performing preventive maintenance while operating since work resources are focused on a single objective. This focus results in better planning of work, dedicated manpower allocation, and greater resource availability for contingency work. For these reasons, it is desirable to be able to perform DG maintenance during power operations. A 14 day DG Completion Time is also justifiable as a contingency provision for major unexpected DG failures.

Given the conclusions reached by the deterministic and risk-based evaluations stated in Section 3.5, extending the Completion Times associated with an inoperable DG would also provide the following:

1. Enhanced Decision-Making

The NRC's Policy Statement regarding the Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities states:

"PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices."

The extended Completion Times, to permit a DG to be removed from service for 14 days to perform maintenance or to troubleshoot and repair an inoperable DG, are acceptable from a risk-based approach due to the small increase in Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) consistent with the criteria in Regulatory Guides 1.174 and 1.177 (References 6.4 and 6.5, respectively).

The risk-based evaluation in combination with the deterministic evaluation provided in Section 3.3 permits TVA to request a change to the Completion Time that may not be sought when utilizing only deterministic means.

2. Efficient Use of Resources

The extended Completion Times, to permit a DG to be removed from service for 14 days to perform maintenance or to troubleshoot and repair an inoperable DG while the unit is in Mode 1, 2, 3, or 4, will avert unplanned unit shutdowns and minimize the potential need for requests for enforcement discretion.

This change will allow some maintenance activities to be performed on-line which would otherwise require performance during a refueling outage. On-line preventive maintenance and scheduled overhauls provide the flexibility to focus more quality resources on any required or elective diesel generator maintenance. For example, during refueling outages, resources are required to support many systems; during on-line maintenance, plant resources can be more focused on the diesel generator overhaul. The extended Completion Times associated with an inoperable DG will improve the effectiveness of the allowed maintenance period. A significant portion of on-line maintenance activities is associated with preparation and return to service activities, such as tagging, fluid system drain down, fluid system fill and vent, and cylinder block heat-up. The duration of these activities is relatively constant. Longer Required Action Completion Time durations allow more maintenance to be accomplished during a given on-line maintenance period and therefore would improve maintenance efficiency.


Performance of more DG maintenance on-line will improve DG availability during plant refueling outages. Performing more DG overhaul activities on-line should reduce the risk and synergistic effects on risk due to DG unavailability occurring concurrently with other activities and equipment outages during a refueling outage.

3. Reduction in Unnecessary Burden

These proposed changes provide a reduction in unnecessary burden, because they:

  • Increase the time to perform troubleshooting, repair, and testing of an inoperable DG during Modes 1 through 4, which will enhance the safety and reliability of equipment and personnel.

  • Allow additional time to perform routine maintenance activities on the DG in Modes 1 through 4, enhancing the ability to focus quality resources on the activity, improve maintenance efficiency, and improve DG availability during plant refueling outages.

These proposed changes meet the objectives of the NRC's PRA Policy Statement (60 FR 42622).

3.0 TECHNICAL EVALUATION

For BFN Units 1, 2, and 3, TVA is proposing to extend the TS allowed Completion Time for an inoperable DG from 7 days to 14 days and to extend the maximum Completion Time that a unit may be in Conditions A and B of TS 3.8.1 concurrently or simultaneously from 14 days to 21 days. This license amendment request includes an integrated review and assessment of plant operations, deterministic design basis factors, and an evaluation of overall plant risk using the probabilistic risk assessment (PRA) techniques. Deterministically, the proposed change is supported by the defense-in-depth basis that is incorporated into the plant design as well as in the approach to maintenance and operation.

The proposed amendment to allow an extension of the Completion Times associated with a DG is based on the following.

3.1 Introduction

The proposed changes will allow a Completion Time of 14 days for DG maintenance or testing activities, and a total Completion Time of 21 days for concurrent or simultaneous entries in Conditions A and B of TS 3.8.1. This proposal will allow an additional 7 days beyond the current TS allowed Completion Times and avoid or minimize TS required plant shutdown time due to DG maintenance or testing. Site specific experience has shown that the current Completion Time for restoring a DG to an operable status is not adequate to complete these activities.


3.2 Background

3.2.1 System Description

3.2.1.1 Offsite Power Distribution

The TVA transmission system is a diverse and dependable system due to the large generating capacity of TVA, the high number of transmission lines, and multiple interconnections. This results in a highly stable and reliable off-site power supply system for BFN.

Off-site power is delivered to the site via seven 500-kV and two 161-kV transmission lines. These lines feed a 500-kV switchyard and a 161-kV switchyard as described in detail in Chapter 8.3 of the BFN Updated Final Safety Analysis Report (UFSAR) (Reference 6.1). The 500-kV switchyard includes seven line bays and three transformer bays, and is designed to minimize the effects of the failure of individual items of equipment so any single probable event will not prevent the 500-kV system from providing off-site power. The 500-kV yard has two main buses, which are physically separated, and each bus has two sections connected by a disconnect. Each transformer can back feed from either bus. 4.16-kV station service is provided via the unit Main Transformers and two Unit Station Service Transformers on each unit.

3.2.2.2 Grid Reliability

Regarding the likelihood of needing DGs due to the loss of offsite power or degraded voltage conditions, TVA's power system provides some of the most reliable electric power in North America. TVA's regional transmission grid spans portions of seven states. TVA's nuclear plants generate approximately 30 percent of TVA's net power. The remaining 70 percent of power generation comes from reliable fossil and hydroelectric plants, pumped storage, and green power.

In actions taken in response to Generic Letter 2006-02, "Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power," (Reference 6.7), protocols have been put in place to improve communications between TVA grid operators and BFN operating staff. This includes daily communications regarding plant activities and TVA system grid activities, coordination of scheduling activities on matters related to off-site power and on-site power systems, contingency planning for degraded configurations, and prompt notification of plant operators in the event of degraded grid situations.

Adverse weather contingency procedures have also been established for meteorological conditions that could potentially affect offsite power availability. Operators will monitor weather forecasts each shift. Weather conditions will be evaluated prior to intentionally entering the extended DG outage and will not be entered if official weather forecasts are predicting severe conditions (tornado or thunderstorm warnings). If severe weather or grid instability is expected after a diesel generator outage begins, station managers will assess the conditions and determine the best course for returning the diesel generator to an operable status.

3.2.2.3 Onsite Emergency Power System

BFN is a three-unit plant, with each unit being a General Electric (GE) Boiling Water Reactor (BWR) 4 with a Mark I containment. All Alternating Current (AC) loads necessary for the safe shutdown of the plant under non-accident and accident conditions are fed from the standby AC power supply and distribution system.


The standby AC supply and distribution system for BFN Units 1 and 2 includes four DGs (A, B, C, and D), four 4160V shutdown boards (4kV-SDBD-A, B, C, and D), four 480V shutdown boards (480V-SDBD-1A, 2A, 1B, and 2B), eight 480V Reactor Motor Operated Valve (RMOV) boards, four Motor Generator (MG) sets, and two 480V diesel auxiliary boards.

The standby AC supply and distribution system for BFN Unit 3 includes four DGs (3A, 3B, 3C, and 3D), four 4160V shutdown boards (4kV-SDBD-3EA, 3EB, 3EC, and 3ED), two 480V shutdown boards (480V-SDBD-3A, and 3B), five 480V RMOV boards, four MG sets, and two 480V diesel auxiliary boards.

Both of these standby AC supply and distribution systems supply power to unitized Units 1/2 and Unit 3 electrical loads. In addition to the unitized electrical loads, shared (common) systems between all three units are an integral part of the BFN plant configuration. Detailed discussions of the shared systems are given in Appendix F of the Updated Final Safety Analysis Report (UFSAR) (Reference 6.2). The safety related shared systems which are pertinent to the DG TS Completion Time evaluation are the Residual Heat Removal Service Water (RHRSW), Emergency Equipment Cooling Water (EECW), Standby Gas Treatment (SBGT), and Control Room Emergency Ventilation (CREV).

The eight DGs provide a standby power supply used on loss of the Normal Auxiliary Power System. Each of the DGs is assigned to one 4kV Shutdown Board. Provision is made for the interconnection of 4kV Shutdown Board A (Units 1/2) with 4kV Shutdown Board 3EA (Unit 3). Similar interconnections have been provided between Units 1/2 and Unit 3 boards B and 3EB, C and 3EC, and D and 3ED. It is possible, using the 4kV bus tie board (UFSAR Figure 8.4-2), to make any DG available to any 4kV Shutdown Board.

Below the 4kV level, the system is basically unitized, having two 480V Shutdown Boards (with associated 480V RMOV boards) and two DG auxiliary boards (unitized between Units 1/2 and Unit 3). The two 480V Shutdown Boards, one physically isolated from the other, have independent supplies from different 4kV boards; and, in addition, each has a backup supply from a third 4kV board. The four 480V diesel auxiliary boards, which provide common services to the DGs, are similar to the unit 480V Shutdown Boards in respect to physical and electrical separation and supply. The remaining DGs supplying power to the backup emergency supply could be aligned to supplement 480V loads normally carried by a DG under maintenance, if required. For example, 480V Shutdown Board 3A can be transferred from DG 3A to the emergency supply that is fed from DG 3B. While these boards have backup emergency supplies, these loads will not be pre-aligned to the emergency supply during the associated DG maintenance outage. This is primarily for two reasons: (1) this configuration often requires crossing divisional separation and results in increased risk of a single failure of an off-site circuit causing a loss of both divisions and (2) the act of transferring the boards poses unnecessary risk to the operating units.

In the event of a LOOP and the concurrent inoperability of a Unit 1/2 DG, additional capacity can be attained for the associated Unit 1/2 Shutdown Board by paralleling a Unit 3 DG. To accomplish this, a Unit 3 4kV Shutdown Board that can be stripped of all of its loads is selected. The selected Unit 3 4kV Shutdown Board, supplied by a Unit 3 DG, is then stripped of its loads and paralleled with the corresponding Unit 1/2 4kV Shutdown Board. This alignment will result in a Unit 3 DG and a Unit 1/2 DG supplying power to the Unit 1/2 4kV Shutdown Board with the inoperable Unit 1/2 DG.


The detailed process for performing this task is documented in Abnormal Operating Instruction 0-AOI-57-1A, "Loss of Offsite Power (161 and 500 KV)/Station Blackout, Attachment 11, Operating Two RHR Pumps on One Unit 1/Unit 2 4KV Shutdown Board."

In the event of a LOOP and the concurrent inoperability of a Unit 3 DG, the de-energized 4kV Shutdown Board can be supplied through a Bus Tie from another Unit 3 DG. This configuration would be a compensatory measure and is not a normal configuration for Unit 3 DGs.

3.2.2.4 Differences between the BFN Units and AC Power Configurations

Unit sharing and interactions are discussed and evaluated in UFSAR Appendix F. Relevant sections regarding standby AC power supply and distribution systems are discussed below. Discussion is also provided on unit differences with regard to the AC Power Configurations.

The system is composed of four independent DG units coupled as an alternate source of power to four independent 4kV boards for Units 1 and 2. There are four additional DG units coupled as an alternate source of power to the four Unit 3 4kV boards. Any given Unit 1 and Unit 2 4kV board has two RHR pumps, each assigned to a different unit. Thus, the four Shutdown Boards supply four RHR pumps on each unit. Any given Unit 3 4kV board has one RHR pump; thus, the four Unit 3 boards also supply four RHR pumps. Similarly, the four Unit 1 and Unit 2 Shutdown Boards power eight Core Spray pumps, and the Unit 3 Shutdown Boards power four Core Spray pumps. Two such pumps operating in parallel on the same Core Spray loop are required for Core Spray on a particular unit.

For Units 1 and 2, on loss of supply from a 4160V shutdown bus, in the absence of an accident signal, there is automatic transfer of the shutdown board to the alternate shutdown bus with automatic return when the normal supply voltage is restored. The Unit 3 design does not include these shutdown buses.

For Units 1 and 2 only, to prevent overloading the shared Unit 1 4kV shutdown boards during coincident combinations on both units, the RHR Low Pressure Core Injection and Core Spray systems will initiate the ECCS preferred pump logic to dedicate the Division I 4kV shutdown boards and their associated pumps to Unit 1. The Division II shutdown boards and their associated pumps are dedicated to Unit 2. This ECCS preferred pump logic does not exist on Unit 3.

As described in the UFSAR Section 8.4, the 480V safety related boards are provided with manual transfer capability, with the exception of the Units 2 and 3 RMOV Boards D and E that also have automatic transfer capability. For Unit 1 only, the Low Pressure Coolant Injection (LPCI) Motor Generator-Sets have been removed. 480V RMOV Boards 1D and 1E have been abandoned in place and the loads redistributed. The DG loads have been evaluated for normal and alternate alignments, including the automatic transfer of the RMOV Boards D and E in Units 2 and 3. Therefore, the remaining operable DGs are not susceptible to overload conditions from automatic transfers due to the extended DG outage and a loss of off-site power.


3.2.2.5 Transients and Accidents

The ECCS Pumps powered by the on-site DGs are the 2000 hp Residual Heat Removal Pumps and the 600 hp Core Spray Pumps. DG 3A, 3B, C, and D also supply power for a 400 hp RHRSW pump (pump A3, C3, B3, D3) dedicated to EECW. DG A, B, 3C, and 3D can also supply power for a 400 hp RHRSW pump dedicated to EECW if the RHRSW swing pumps (pump A1, C1, B1, D1, respectively) are aligned for EECW. For a Design Basis Accident (DBA) Loss of Coolant Accident (LOCA) with LOOP, each of these pumps (RHR, CS, EECW) will sequence on automatically. The RHR pumps are sized on the basis of the flow required during the low pressure coolant injection (LPCI) mode of operation, which is the mode requiring the maximum flow rate. Therefore, the most limiting accident with respect to DG capability is the DBA LOCA consisting of a double ended recirculation pipe break with simultaneous loss of offsite power. The most limiting transient with respect to DG capability is the loss of offsite power. This transient is bounded by the DBA discussed below.

DBA < 10 Minutes

For a LOOP/LOCA with one DG out of service for maintenance and no additional single failures assumed, the 7 remaining DGs will start and the ECCS equipment associated with the accident unit will automatically sequence on. All in-service diesel generators in the plant will be started on an accident signal in any unit as a pre-emergency action in case of a subsequent loss of offsite power. Loads supplied by the Out Of Service (OOS) DG will not start. If the pipe break involves the recirculation discharge line, then one RHR loop will be ineffective for vessel injection due to the location of the break. The limiting DG OOS would be the one supplying the 480 RMOV Boards 1A or 1B for the ECCS division opposite the broken discharge loop for a Unit 1 accident. On Units 2 and 3, 480 RMOV Boards D and E automatically transfer to an alternate supply and this failure combination is less limiting since LPCI injection valves for both divisions remain available. The remaining equipment for Core Cooling would be one loop of Core Spray consisting of 2 pumps.

DBA > 10 Minutes

After initial core reflood, operators are assumed to secure all but one loop of Core Spray for vessel injection to establish long term core cooling. Operators would then establish at least 2 RHR pumps and 2 RHRSW pumps in containment cooling mode (containment spray or suppression pool cooling). At this time operators on the other units which experienced only a loss of offsite power would maintain core cooling with high pressure systems (High Pressure Coolant Injection (HPCI) or Reactor Core Isolation Cooling (RCIC)) and establish suppression pool cooling. With a Unit 1/2 DG OOS and a LOCA on Unit 1 or 2, only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for the non-accident unit. In some cases, the 480V Boards needed to establish Suppression Pool cooling on the non-accident unit would be lost. To restore the 480V Boards and to establish the second RHR and RHRSW pumps needed for suppression pool cooling in the non-accident unit, operators would coordinate to cross connect a Unit 3 DG to the 4kV Shutdown Board associated with the OOS DG. Operator coordination and cross connecting a Unit 3 DG to a Unit 1/2 4kV Shutdown Board can be performed in the Main Control Rooms and this evolution can be performed in less than one hour (most likely accomplished in less than 15 minutes). Analysis has been performed that demonstrates that this time is adequate to maintain the suppression pool temperature within design basis limits.

Prior to applying the extended Completion Time for DG A, B, C, and D, procedures for interconnecting operable DGs to the shutdown boards associated with the DG to be removed from service will be revised as necessary to instruct operators on the actions to take for a LOOP or LOOP/LOCA event for the associated DG outage to ensure safe shutdown of each BFN unit. In addition, operator training will be performed to heighten their awareness of challenges to the electrical distribution system in this configuration and on the LOOP procedure(s) prior to applying the extended Completion Time.

For the non-accident units, the preferred method for cooling would be to establish shutdown cooling if it is available. Operators would begin to reduce Reactor Pressure Vessel pressure at a 100°F/hr cool down rate (required when suppression pool temperature reaches 120°F) using Safety Relief Valves. When pressure is reduced to less than the RHR low pressure permissive pressure, the RHR pump is placed in shutdown cooling, thus terminating heat input to the containment. Calculations show that suppression pool temperature can be maintained within design basis limits of 187°F if shutdown cooling is established before 11,100 seconds (~3.1 hours).

DG A Out-Of-Service (Unit 1 LOCA)

In the event of a DBA LOCA on Unit 1 with DG A out of service, 4kV Shutdown Board A is initially lost for a LOOP event. It is noted that Division I of 480V loads would be lost in Unit 1 and both of the A train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 1, DG C/D, 4kV Shutdown Board C/D, RHR 1B/1D, Core Spray 1B/1D, RHRSW B/D and Division II 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 2. Unit 2 operators would maintain core cooling with HPCI or RCIC. Unit 2 operators would establish suppression pool cooling with the available RHR Pump 2C fed from DG B and coordinate with Unit 3 to cross connect DG 3A to 4kV Shutdown Board A to obtain the second needed Unit 2 RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3B/3D and RHRSW B/D and 480V Division II. Unit 3 Operations would place 480 Shutdown Board 3A (Division I) on alternate so that it is supplied by DG 3B. All Unit 3 loads would be removed from 4kV Shutdown Board 3EA, including removing EECW Pump A3 after verification that two other EECW pumps are in service. Then DG 3A and 4kV Shutdown Board 3EA would be connected to 4kV Shutdown Board A using the inter-tie breakers. This restores power to 4kV Shutdown Board A and the affected equipment including Unit 1 Division I 480V loads, RHR Pump 2A and both A train RHRSW pumps which could then be used to support Unit 2 shutdown. This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG B Out-Of-Service (Unit 1 LOCA)

In the event of a DBA LOCA on Unit 1 with DG B out of service, 4kV Shutdown Board B is initially lost for a LOOP event. It is noted that Division I of 480V loads would be lost in Unit 2 and both of the C train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 1, DG C/D, 4kV Shutdown Board C/D, RHR 1B/1D, Core Spray 1B/1D, and RHRSW B/D and Division II 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 2. Unit 2 operators would maintain core cooling with HPCI or RCIC. Unit 2 operators would not be able to establish suppression pool cooling with the available RHR Pump 2A fed from DG A since Unit 2 480 Division I loads are lost. Unit 2 operators would coordinate with Unit 3 to cross connect DG 3B to 4kV Shutdown Board B to obtain the Unit 2 Division I 480V loads and RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3B/3D and RHRSW B/D and 480V Division II. All Unit 3 loads would be removed from 4kV Shutdown Board 3EB, including removing EECW Pump C3 after verification that two other EECW pumps are in service. Then DG 3B and 4kV Shutdown Board 3EB would be connected to 4kV Shutdown Board B using the inter-tie breakers. This restores power to 4kV Shutdown Board B and the affected equipment including Unit 2 Division I 480V loads, RHR Pump 2C and both C train RHRSW pumps which could then be used to support Unit 2 shutdown. This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG C Out-Of-Service (Unit 1 LOCA)

In the event of a DBA LOCA on Unit 1 with DG C out of service, 4kV Shutdown Board C is initially lost for a LOOP event. It is noted that Division II of 480V loads would be lost in Unit 1 and EECW pump B3 and one pump of the B train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 1, DG A/B, 4kV Shutdown Board A/B, RHR 1A/1C, Core Spray 1A/1C, and RHRSW A/C and Division I 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 2. Unit 2 operators would maintain core cooling with HPCI or RCIC. Unit 2 operators would establish suppression pool cooling with the available RHR Pump 2D fed from DG D and coordinate with Unit 3 to cross connect DG 3C to 4kV Shutdown Board C to obtain the second needed Unit 2 RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3A/3C and RHRSW A/C and 480V Division I. Unit 3 Operations would place 480 Shutdown Board 3B (Division II) on alternate so that it is supplied by DG 3B. After coordination with the accident unit and confirming that the B train of RHR is not required in any unit, all Unit 3 loads would be removed from 4kV Shutdown Board 3EC, including removing RHRSW Pump B1. (This would leave the B train of RHR in each unit without RHRSW until cross-ties are made and loads sequenced back on. However, Unit 2 is the only Unit that credits the B train for this scenario.) DG 3C and 4kV Shutdown Board 3EC would be connected to 4kV Shutdown Board C using the inter-tie breakers. This restores power to 4kV Shutdown Board C and the affected equipment including Unit 1 Division II 480V loads, RHR Pump 2B, EECW Pump B3 and RHRSW Pump B2. (One RHRSW Pump in a train is sufficient for one heat exchanger being used in that train. While not required, RHRSW Pump B1 could be restarted on 4kV Shutdown Board 3EC if B3 EECW Pump from 4kV Shutdown Board C is not in service.)

This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG D Out-Of-Service (Unit 1 LOCA)

In the event of a DBA LOCA on Unit 1 with DG D out of service, 4kV Shutdown Board D is initially lost for a LOOP event. It is noted that Division II of 480V loads would be lost in Unit 2 and EECW pump D3 and one pump of the D train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 1, DG A/B, 4kV Shutdown Board A/B, RHR 1A/1C, Core Spray 1A/1C, and RHRSW A/C and Division I 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 2. Unit 2 operators would maintain core cooling with HPCI or RCIC. Unit 2 operators would not be able to establish suppression pool cooling with the available RHR Pump 2B fed from DG C since Unit 2 480 Division II loads are lost. Unit 2 operators would coordinate with Unit 3 to cross connect DG 3D to 4kV Shutdown Board D to obtain the Unit 2 Division II 480V loads and RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3A/3C and RHRSW A/C and 480V Division I. Unit 3 operators would confirm that the other trains of Standby Gas Treatment and Control Bay Ventilation are in service and begin shedding loads from 4kV Shutdown Board 3ED. After coordination with the accident unit and confirming that the D train of RHR is not required in any unit, all Unit 3 loads would be removed from 4kV Shutdown Board 3ED, including removing RHRSW Pump D1.

(This would leave the D train of RHR in each unit without RHRSW until cross-ties are made and loads sequenced back on. However, Unit 2 is the only Unit that credits the D train for this scenario.) DG 3D and 4kV Shutdown Board 3ED would be connected to 4kV Shutdown Board D using the inter-tie breakers. This restores power to 4kV Shutdown Board D and the affected equipment including Unit 2 Division II 480V loads, RHR Pump 2D, EECW Pump D3 and RHRSW Pump D2. (One RHRSW Pump in a train is sufficient for one heat exchanger being used in that train. While not required, RHRSW Pump D1 could be restarted on 4kV Shutdown Board 3ED if D3 EECW Pump from 4kV Shutdown Board D is not in service.) This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG A Out-Of-Service (Unit 2 LOCA)

In the event of a DBA LOCA on Unit 2 with DG A out of service, 4kV Shutdown Board A is initially lost for a LOOP event. It is noted that Division I of 480V loads would be lost in Unit 1 and both of the A train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 2, DG C/D, 4kV Shutdown Board C/D, RHR 2B/2D, Core Spray 2B/2D, RHRSW B/D and Division II 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 1. Unit 1 operators would maintain core cooling with HPCI or RCIC. Unit 1 operators would not be able to establish suppression pool cooling with the available RHR Pump 1C fed from DG B since Unit 1 480 Division I loads are lost. Unit 1 operators would coordinate with Unit 3 to cross connect DG 3B to 4kV Shutdown Board A to obtain the Unit 1 Division I 480V loads and RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3B/3D and RHRSW B/D and 480V Division II. Unit 3 Operations would place 480 Shutdown Board 3A (Division I) on alternate so that it is supplied by DG 3B. All Unit 3 loads would be removed from 4kV Shutdown Board 3EA, including removing EECW Pump A3 after verification that two other EECW pumps are in service. Then DG 3A and 4kV Shutdown Board 3EA would be connected to 4kV Shutdown Board A using the inter-tie breakers. This restores power to 4kV Shutdown Board A and the affected equipment including Unit 1 Division I 480V loads, RHR Pump 1A and both A train RHRSW pumps which could then be used to support Unit 1 shutdown. This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG B Out-Of-Service (Unit 2 LOCA)

In the event of a DBA LOCA on Unit 2 with DG B out of service, 4kV Shutdown Board B is initially lost for a LOOP event. It is noted that Division I of 480V loads would be lost in Unit 2 and both of the C train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 2, DG C/D, 4kV Shutdown Board C/D, RHR 2B/2D, Core Spray 2B/2D, and RHRSW B/D and Division II 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 1. Unit 1 operators would maintain core cooling with HPCI or RCIC. Unit 1 operators would establish suppression pool cooling with the available RHR Pump 1A fed from DG A and coordinate with Unit 3 to cross connect DG 3B to 4kV Shutdown Board B to obtain the second needed Unit 1 RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3B/3D and RHRSW B/D and 480V Division II. All Unit 3 loads would be removed from 4kV Shutdown Board 3EB, including removing EECW Pump C3 after verification that two other EECW pumps are in service. Then DG 3B and 4kV Shutdown Board 3EB would be connected to 4kV Shutdown Board B using the inter-tie breakers. This restores power to 4kV Shutdown Board B and the affected equipment including RHR Pump 1C and both C train RHRSW pumps which could then be used to support Unit 1 shutdown. This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG C Out-Of-Service (Unit 2 LOCA)

In the event of a DBA LOCA on Unit 2 with DG C out of service, 4kV Shutdown Board C is initially lost for a LOOP event. It is noted that Division II of 480V loads would be lost in Unit 1 and EECW pump B3 and one pump of the B train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 2, DG A/B, 4kV Shutdown Board A/B, RHR 2A/2C, Core Spray 2A/2C, and RHRSW A/C and Division I 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 1. Unit 1 operators would maintain core cooling with HPCI or RCIC. Unit 1 operators would not be able to establish suppression pool cooling with the available RHR Pump 1D fed from DG D since Unit 1 480 Division II loads are lost. Unit 1 operators would coordinate with Unit 3 to cross connect DG 3C to 4kV Shutdown Board C to obtain the Unit 1 Division II 480V loads and RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3A/3C and RHRSW A/C and 480V Division I. Unit 3 Operations would place 480 Shutdown Board 3B (Division II) on alternate so that it is supplied by DG 3B. After coordination with the accident unit and confirming that the B train of RHR is not required in any unit, all Unit 3 loads would be removed from 4kV Shutdown Board 3EC, including removing RHRSW Pump B1. (This would leave the B train of RHR in each unit without RHRSW until cross-ties are made and loads sequenced back on. However, Unit 1 is the only Unit that credits the B train for this scenario.) DG 3C and 4kV Shutdown Board 3EC would be connected to 4kV Shutdown Board C using the inter-tie breakers. This restores power to 4kV Shutdown Board C and the affected equipment including Unit 1 Division II 480V loads, RHR Pump 1B, EECW Pump B3 and RHRSW Pump B2. (One RHRSW Pump in a train is sufficient for one heat exchanger being used in that train. While not required, RHRSW Pump B1 could be restarted on 4kV Shutdown Board 3EC if B3 EECW Pump from 4kV Shutdown Board C is not in service.)

This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG D Out-Of-Service (Unit 2 LOCA)

In the event of a DBA LOCA on Unit 2 with DG D out of service, 4kV Shutdown Board D is initially lost for a LOOP event. It is noted that Division II of 480V loads would be lost in Unit 2 and EECW pump D3 and one pump of the D train RHRSW Pumps would be lost. For LOOP/LOCA on Unit 2, DG A/B, 4kV Shutdown Board A/B, RHR 2A/2C, Core Spray 2A/2C, and RHRSW A/C and Division I 480V loads would be used to mitigate the accident.

Only one of two RHR and RHRSW pumps needed to maintain suppression pool temperature within design basis limits would be available for Unit 1. Unit 1 operators would maintain core cooling with HPCI or RCIC. Unit 1 operators would establish suppression pool cooling with the available RHR Pump 2B fed from DG C and coordinate with Unit 3 to cross connect DG 3D to 4kV Shutdown Board D to obtain the second needed Unit 2 RHR/RHRSW pumps needed for suppression pool cooling.

Unit 3 operators would maintain core cooling with HPCI or RCIC and then establish suppression pool cooling using RHR 3A/3C and RHRSW A/C and 480V Division I. Unit 3 operators would confirm that the other trains of Standby Gas Treatment and Control Bay Ventilation are in service and begin shedding loads from 4kV Shutdown Board 3ED. After coordination with the accident unit and confirming that the D train of RHR is not required in any unit, all Unit 3 loads would be removed from 4kV Shutdown Board 3ED, including removing RHRSW Pump D1.

(This would leave the D train of RHR in each unit without RHRSW until cross-ties are made and loads sequenced back on. However, Unit 1 is the only Unit that credits the D train for this scenario.) DG 3D and 4kV Shutdown Board 3ED would be connected to 4kV Shutdown Board D using the inter-tie breakers. This restores power to 4kV Shutdown Board D and the affected equipment including RHR Pump 1D, EECW Pump D3 and RHRSW Pump D2. (One RHRSW Pump in a train is sufficient for one heat exchanger being used in that train. While not required, RHRSW Pump D1 could be restarted on 4kV Shutdown Board 3ED if D3 EECW Pump from 4kV Shutdown Board D is not in service.) This configuration provides at least two RHR and two RHRSW pumps in each unit as required.

DG 3A Out-Of-Service (Unit 3 LOCA)

In the event of a DBA LOCA on Unit 3 with DG 3A out of service, 4kV Shutdown Board 3EA is lost for a LOOP event. It is noted that Division I of 480V loads would be lost in Unit 3 and A3 EECW Pump would be lost. For LOOP/LOCA on Unit 3, DG 3C/3D, 4kV Shutdown Board 3EC/3ED, RHR 3B/3D, Core Spray 3B/3D, RHRSW B/D and Division II 480V loads would be used to mitigate the accident. Unit 3 Division I 480V loads could be aligned to alternate supply fed from DG 3B if desired.

Unit 1 and 2 operators would maintain core cooling with HPCI or RCIC. Unit 1 and 2 operators would establish suppression pool cooling with two RHR and two RHRSW Pumps available in each unit.

Two out of four EECW Pumps are required. Three out of four EECW pumps would remain available. This configuration provides at least two RHR and two RHRSW pumps in each unit as required without having to cross connect DGs to 4kV Shutdown Boards.

DG 3B Out-Of-Service (Unit 3 LOCA)

In the event of a DBA LOCA on Unit 3 with DG 3B out of service, 4kV Shutdown Board 3EB is lost for a LOOP event. It is noted that C3 EECW Pump would be lost. For LOOP/LOCA on Unit 3, DG 3C/3D, 4kV Shutdown Board 3EC/3ED, RHR 3B/3D, Core Spray 3B/3D, RHRSW B/D and Division II 480V loads would be used to mitigate the accident.

Unit 1 and 2 operators would maintain core cooling with HPCI or RCIC. Unit 1 and 2 operators would establish suppression pool cooling with two RHR and two RHRSW Pumps available in each unit.

Two out of four EECW Pumps are required. Three out of four EECW pumps would remain available. This configuration provides at least two RHR and two RHRSW pumps in each unit as required without having to cross connect DGs to 4kV Shutdown Boards.

DG 3C Out-Of-Service (Unit 3 LOCA)

In the event of a DBA LOCA on Unit 3 with DG 3C out of service, 4kV Shutdown Board 3EC is lost for a LOOP event. It is noted that Division II of 480V loads would be lost in Unit 3 and RHRSW Pump B1 would be lost. For LOOP/LOCA on Unit 3, DG 3A/3B, 4kV Shutdown Board 3EA/3EB, RHR 3A/3C, Core Spray 3A/3C, RHRSW A/C and Division I 480V loads would be used to mitigate the accident. Unit 3 Division II 480V loads could be aligned to alternate supply fed from DG 3B if desired.

Unit 1 and 2 operators would maintain core cooling with HPCI or RCIC. Unit 1 and 2 operators would establish suppression pool cooling with two RHR and two RHRSW Pumps available in each unit.

One of two B train RHRSW Pumps is required. RHRSW Pump B2 fed from 4kV Shutdown Board C remains available. This configuration provides at least two RHR and two RHRSW pumps in each unit as required without having to cross connect DGs to 4kV Shutdown Boards.

DG 3D Out-Of-Service (Unit 3 LOCA)

In the event of a DBA LOCA on Unit 3 with DG 3D out of service, 4kV Shutdown Board 3ED is lost for a LOOP event. It is noted that one train of Standby Gas Treatment, one train of Control Bay Ventilation, and RHRSW Pump D1 would be lost. For LOOP/LOCA on Unit 3, DG 3A/3B, 4kV Shutdown Board 3EA/3EB, RHR 3A/3C, Core Spray 3A/3C, RHRSW A/C and Division I 480V loads would be used to mitigate the accident.

Unit 1 and 2 operators would maintain core cooling with HPCI or RCIC. Unit 1 and 2 operators would establish suppression pool cooling with two RHR and two RHRSW Pumps available in each unit.

One of two D train RHRSW Pumps is required. RHRSW Pump D2 fed from 4kV Shutdown Board D remains available. This configuration provides at least two RHR and two RHRSW pumps in each unit as required without having to cross connect DGs to 4kV Shutdown Boards.

10 CFR 50, Appendix R

10 CFR 50, Appendix R, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979," requires that the shutdown capability must be able to accommodate post-fire conditions involving a loss of off-site power for 72 hours. Because of this requirement, an adequate number of DGs must be available to provide standby AC power to essential safe shutdown components in the event of a fire within the plant.

To protect equipment from damage due to fires caused by "hot work" activities, precautions and requirements have been defined to protect the plant against possible fire damage or loss resulting from the use of spark or heat producing devices. A fire watch shall be posted as required. Open flames or combustion-generated smoke shall not be used for leak testing.

One method of reducing the severity of a fire which might occur in a given area is to maximize the availability of the fire protection equipment, such as a suppression system, a detection system, fire pump, fire hose station, fire hydrant, and fire barriers. Fire protection equipment and fire barriers are to remain fully operational at all times, to the maximum extent possible. A system has been developed and implemented to monitor fire protection impairments in order to assure appropriate compensatory measures are instituted. This system identifies the conditions that require a roving or continuous fire watch system. For areas where the detection is inoperable, the fire watch will be continuous.

For equipment that is unable to perform its intended function, the compensatory actions (described in the BFN Fire Protection Report), as listed below are applicable.

Compensatory Measure A:

Restore the equipment function in 7 days or provide equivalent shutdown capability by one of the following methods:

1) A temporary alteration in accordance with plant procedures that allows the equipment to perform its intended function, or
2) A fire watch in accordance with the site impairment program in the affected areas/zones as specified in Section II1.

This compensatory measure is intended to assure safe shutdown capability is restored within 7 days by either restoring the failed equipment function or by taking temporary measures to assure equivalent shutdown capability exists. Equivalent shutdown capability is defined as 1) providing temporary equipment or procedures which will ensure the out of service equipment function does not affect safe shutdown capability or 2) providing adequate fire watch capability to ensure fires are prevented and/or discovered in a time frame which will assure the out of service equipment is not needed to support reactor safe shutdown in case of fire. An hourly fire watch in these areas would provide sufficient assurance that a fire would not occur or would be detected and mitigated before it progresses to an Appendix R fire event. As a result, spurious operations of critical equipment and serious plant degradation will be prevented.

As an added measure of defense in depth, for each DG outage, BFN makes the following commitment.

  • Increased administrative control will be exercised for any proposed hot work in the vicinity of protected equipment and in the impacted fire zones (Prior to entering the required Completion Time and maintained for the duration of the required Completion Time).
  • No planned maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable (For the duration of the required Completion Time).
  • Transient combustible loading in the impacted fire zones will be reviewed and any unnecessary transient combustibles will be removed. (Prior to entering the period of required Completion Time and maintained for the duration of the required Completion Time).

Station Blackout (SBO)

SBO coping duration for BFN is four hours. SBO is postulated as the failure of the two DGs that normally feed a respective unit's 480V AC shutdown boards concurrent with the loss of all off-site power. Coping strategy is to shut down the blacked-out unit with equipment powered from the 250V DC battery system. Alternate AC power from DGs in the non-blacked-out units will be made available to power additional required HVAC and common loads. As set forth in Nuclear Utility Management and Resource Council (NUMARC) 87-00, "Guidelines for and Technical Basis for NUMARC Initiatives for Addressing Station Blackout at Light Water Reactors," Appendix B (Reference 6.3), the Alternate AC will be available within one hour through existing cross-ties.

The 250V unit batteries 1, 2, and 3 are adequate to supply the required Unit 1, Unit 2, and Unit 3 loads for the coping duration of four hours. SBO on Unit 2 is the loss of DGs B and D and loss of DGs A and C for SBO on Unit 1. SBO on Unit 3 is the loss of DGs 3A and 3C.

Considering the failure of one DG in each of the non-blacked out units (A or C for Unit 1, B or D for Unit 2, and 3A or 3C for Unit 3), and an additional failure of DG 3B or 3D, a minimum of three DGs remain available for SBO. These provide sufficient power to supply required HVAC and common loads.

Due to the large number of diverse generating units and strong interconnections, the likelihood of the transmission system causing the loss of all off-site power is considered to be extremely remote. Off-site power is delivered to the site via seven 500-kV and two 161-kV transmission lines. These lines feed a 500-kV and a 161-kV switchyard as described in detail in Chapter 8.3 of the UFSAR (Reference 6.4). The large number of 500 kV and 161 kV transmission lines and the physical separation of the lines and transformer bays minimize the likelihood of power loss due to loss of transmission lines. Additionally, during this evolution, the protection of the switchyard and cooperation with TVA Transmission helps to minimize risk of the SBO event. As stated in the TVA response to Generic Letter 2006-02 dated April 3, 2006 (Reference 6.7),

"TVA's hydroelectric plants reduce the risk of prolonged LOOP since TVA's three Nuclear Power Plants (NPPs) are located along the Tennessee River near hydroelectric stations. The fast start capability of hydroelectric, their locality, and TVA's reservoir system reduces the risk of prolonged LOOP since the hydroelectric plants can be isolated from the regional grid and aligned to TVA's NPPs. This capability provides a means for fast recovery from a grid blackout event."

The BFN configuration results in a favorable off-site power categorization for BFN for 10 CFR 50.63, "Loss of all alternating current power," i.e., SBO rule, applicability. NUMARC 87-00 (Reference 6.3) criteria classify BFN as an Independence Group I1/2 category site, which is the least susceptible category to LOOP events due to grid-related disturbances. This favorable categorization is based on physical separation of BFN switchyard and off-site transmission lines. BFN is categorized as an Extremely Severe Weather Group 1 site, which places BFN in the category of plants least likely to lose off-site power because of extremely severe weather.

The Severe Weather category for BFN is Group 2 which is the second most favorable category out of five possible groups with respect to the probability of losing off-site power due to severe weather. With regard to the SBO rule, BFN has been categorized by NRC as an Emergency Alternating Current Category "C" plant. This classification was based on requirements for shutting down all three units for an extended period following a LOOP. This "C" category translates to a SBO coping duration of four hours and a DG target reliability of 0.95 for BFN.

These three factors combine to result in an Off-site Power Design Characteristic Group of P1 for BFN, which is the category of plants with the least susceptibility for LOOP events. NRC has previously accepted this characterization.

While BFN was not licensed in accordance with the Standard Review Plan (SRP), a review of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 8.4, III.3.O.iv (Reference 6.8), "When an SBO occurs at one unit of a multiunit site, the EAC power source(s) and the redundant EAC power source(s) are unavailable. An SBO on one unit does not assume a concurrent single failure; however, the remaining unit(s) should still meet the normal operating single failure criteria" suggests that BFN would incur a loss of off-site power coupled with the failure of 4 out of 8 DGs (2 on SBO Unit and 1 each on non-SBO Units as their single failure). Since DG 3A and 3C normally feed the 480V power system for Unit 3, one of these DGs is assumed failed if Unit 3 is a non-SBO unit and both of these DGs are assumed failed when Unit 3 is the SBO unit. DGs 3B and 3D for SBO supply loads which are common. Therefore, the BFN commitment to also fail one of the DG 3B or 3D in addition to the failures taken on DG 3A and/or 3C could be considered conservative with respect to the SRP requirements discussed above. If the additional failure of either 3B or 3D were not postulated, an additional available DG for SBO provides added flexibility with respect to the requested increased DG outage time.

For SBO, a consideration with respect to the DG extended Completion Time is EECW availability. As previously described, it is possible, through breaker ties, to make any DG available to any 4kV Shutdown Board. Two EECW pumps are required to support the BFN DGs. The BFN design provides four dedicated EECW pumps fed from separate 4kV Shutdown Boards. In addition, four RHRSW pumps are available to be aligned for EECW if needed and not required for the RHRSW system. This redundancy in EECW design along with the flexibility to tie any DG to any 4kV Shutdown Board provides BFN the ability to ensure the DGs have adequate cooling for SBO. EECW pumps A3, B3, C3 and D3 are automatically started when their corresponding 4kV Shutdown Board (3EA, C, 3EB, and D respectively) is re-energized following a loss of power. For three of the possible twenty-four SBO scenarios described in the BFN UFSAR, the available DGs for those three scenarios would not result in any immediately available EECW pumps at the beginning of the event. With no cooling available the responding DGs would eventually overheat and be required to be shut down. If the DG removed from service happened to be one of the DGs that would have provided EECW automatically (i.e., DG 3A, C, 3B, D), operating procedures provide instruction to cope with the scenario where there are no EECW pumps at the beginning of the event.

3.3 Traditional Engineering Considerations

For an SBO, the redundant DGs would be available to mitigate the accident, and the units would remain within the bounds of the accident analyses. In addition, there would be no adverse impact to the unit, because the Safety Function Determination Program will be utilized to ensure that cross-train checks are performed to determine if a loss of safety function exists if there are concurrent equipment inoperabilities, and ensure the appropriate actions are taken if a loss of safety function is identified. Since the probability of these events occurring concurrently during a planned maintenance window is low, there is minimal safety impact due to the requested extended Completion Times.

The combination of defense-in-depth and safety margin inherent in the Onsite Emergency Power System ensures an emergency supply of power will be available to perform the required safety function. This supports extension of the Completion Times to allow a DG to be out-of-service for a longer period of time, as discussed further below.

3.3.1 Defense-In-Depth

The proposed changes to the Completion Times, associated with an inoperable DG while the unit is in Mode 1, 2, 3, or 4, maintain the system redundancy, independence, and diversity commensurate with the expected challenges to system operation. The other DGs, offsite sources of power, and the associated engineered safety equipment will remain operable to mitigate the consequences of any previously analyzed accident. Otherwise, the Safety Function Determination Program will require that a loss of safety function be declared, and the appropriate TS Conditions and Required Actions taken. In addition to the TS Safety Function Determination Program, the Work Management Program, and Maintenance Rule Program provide for controls and assessments to preclude the possibility of simultaneous outages of redundant trains and ensure system reliability. The proposed increase in the Completion Times, associated with an inoperable DG while the unit is in Mode 1, 2, 3, or 4, will not alter the assumptions relative to the causes or mitigation of an accident.

With a DG inoperable, a loss of function has not occurred. The remaining offsite power sources and DGs are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure.

As defined by Regulatory Guide 1.174, consistency with the defense-in-depth principle is maintained if:

1. A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved.

The proposed extensions to the Completion Times, associated with an inoperable DG while the unit is in Mode 1, 2, 3, or 4, have only a small calculated impact on CDF and LERF. The proposed changes are not accomplished by degrading core damage prevention and compensating with improved containment integrity nor does this change degrade containment integrity and compensate with improved core damage prevention. The balance between prevention of core damage and prevention of containment failure is maintained.

Consequence mitigation remains unaffected by the proposed changes. Furthermore, no new accident or transients are introduced with the requested change and the likelihood of most accidents or transients is not impacted.

2. Over-reliance on programmatic activities to compensate for weaknesses in plant design.

Plant safety systems are designed with redundancy so when one train is inoperable, a redundant train can provide the necessary design function. During the timeframe when a DG is inoperable, a redundant source of power will be maintained operable. In the event other equipment becomes inoperable concurrent with the DG inoperability, the Safety Function Determination Program requires cross-division checks to ensure a loss of safety function does not go undetected. If a loss of safety function is identified, TS LCO 3.0.6 will require entry into the applicable Conditions and Required Actions for the system that possesses the loss of safety function. PRA analysis indicates that there is a small calculated impact on CDF and LERF with the proposed TS changes.

3. System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system.

The redundancy, independence, and diversity of the Onsite Emergency Power System will be maintained during the extended Completion Times.

4. Defenses against potential common cause failures are maintained and the potential for introduction of new common cause failure mechanisms is assessed.

Defenses against common cause failures are maintained. New common cause failure mechanisms are not expected to be created by the proposed changes. In addition, the operating environment and operating parameters for the DGs remain constant; therefore, new common cause failure modes are not expected. In addition, redundant and backup systems are not impacted by this change and no new common cause links between the primary and backup systems are introduced. Therefore, no new potential common cause failure mechanisms have been introduced by the proposed change.

5. Independence of barriers is not degraded.

The barriers protecting the public and the independence of these barriers are maintained.

Multiple DGs, systems or electrical distribution systems will not be intentionally taken out of service simultaneously. Doing so could lead to degradation of these barriers and an increase in risk to the public. In the event other equipment becomes inoperable concurrent with the DG inoperability, the Safety Function Determination Program requires cross-division checks to ensure a loss of safety function does not go undetected. If a loss of safety function is identified, TS LCO 3.0.6 will require entry into the applicable Conditions and Required Actions for the system that possesses the loss of safety function. In addition, the extended Completion Times do not provide a mechanism that degrades the independence of the barriers: fuel cladding, reactor coolant system, and containment.

6. Defenses against human errors are maintained.

The proposed extensions to the Completion Times, associated with an inoperable DG while the unit is in Modes 1, 2, 3, or 4, do not introduce any new operator actions. In addition, the supporting probabilistic risk analysis does not take any credit for any new operator actions.

7. The intent of the General Design Criteria in Appendix A to 10 CFR 50 is maintained.

The design and operation of the DGs are not altered by the proposed extensions to the Completion Times. The safety analysis acceptance criteria stated in the UFSAR are not impacted by the change. Redundancy and diversity of the DGs are not altered, because the system design and operation are not altered by the proposed extensions to the Completion Times. The proposed change will not allow plant operation in a configuration outside the design basis. The requirements credited in the accident analysis regarding the DGs will remain the same.

3.3.2 Safety Margin

For the extended Completion Times associated with an inoperable DG while the unit is in Mode 1, 2, 3, or 4, the plant remains in a condition for which the plant has already been analyzed; therefore, from a deterministic aspect, these changes are acceptable. The 14-day and 21-day Completion Times are risk-informed Completion Times based on a plant specific analysis using the methodology defined in this license amendment request. The Maintenance Rule (10 CFR 50.65) requires each licensee to monitor the performance or condition of the DGs to ensure that the DGs are capable of fulfilling their intended functions. If the performance or condition of the DGs does not meet performance criteria, appropriate corrective action is required along with goals to monitor effectiveness of the corrective action.

As defined in Regulatory Guide 1.174, the overall margin of safety is not decreased due to the extended Completion Times for the DGs, because:

1. Codes and standards or their alternatives approved for use by the NRC are met.

The design and operation of the DGs are not altered by the proposed extensions in the Completion Times. Redundancy and diversity of the electrical distribution system will be maintained, because the system design and operation are not altered by the proposed extensions to the Completion Times.

2. Safety analysis acceptance criteria in the Licensing Basis (e.g., FSAR, supporting analyses) are met or proposed revisions provide sufficient margin to account for analysis and data uncertainty.

The safety analysis acceptance criteria stated in the UFSAR are not impacted by the change. The proposed change will not allow plant operation in a configuration outside the design basis. The requirements regarding the DGs credited in the accident analysis will remain the same.

Given the above, TVA concludes that safety margins were not impacted by the proposed changes.

3.4 Evaluation of Risk Impact

The purpose of this section is to document the Probabilistic Risk Assessment (PRA) conducted in support of the TVA submittal of extensions to Completion Times associated with DG outages while a unit is in Mode 1, 2, 3, or 4. Risk-informed changes to a nuclear power plant's licensing basis consist of both deterministic and probabilistic evaluations, as required by Regulatory Guides 1.174 and 1.177. This section documents the probabilistic evaluation and is intended to supplement the deterministic evaluation described in Section 3.3.

The impact of the proposed changes on plant safety was evaluated using a PRA calculation. This calculation provides a quantitative evaluation of risk in terms of average Core Damage Frequency (CDF) and Large Early Release Frequency (LERF). This evaluation included consideration of the Maintenance Rule program based on 10 CFR 50.65(a)(4) to control the performance of other potentially high risk tasks during a DG outage, as well as consideration of specific compensatory measures to minimize risk.

The risk evaluation was based on the three-tiered approach suggested in RG 1.177, "An Approach for Plant-Specific Risk-Informed Decision-making: Technical Specifications," as follows:

Tier 1 - PRA Capability and Insights
Tier 2 - Avoidance of Risk-Significant Plant Configurations
Tier 3 - Risk-Informed Configuration Risk Management Program

Evaluations addressing each of these tiers are provided below. Although RG 1.177 requires the evaluation of the proposed change on the total risk (i.e., on-line and shutdown risk), this evaluation only quantifies the on-line risk. This is appropriate since the shutdown risk will not be impacted as a result of the proposed change. For this change, DGs will be allowed to be out of service for 14 days to perform on-line troubleshooting, repairs, maintenance, and post-maintenance testing while the unit continues to operate in Mode 1, 2, 3, or 4.

The PRA model serves as the primary tool for these evaluations. Therefore, in order to establish the adequacy of the PRA model, supplemental background information related to the development, application, scope, and quality of the PRA model for BFN Units 1, 2 and 3 is provided below.

The extended DG Completion Time was modeled explicitly for all eight DGs for all three units.

The increase in CDF and LERF for each of the three units was quantified assuming that the average online unavailability simultaneously increased for all eight DGs. The incremental conditional core damage probability and incremental conditional large early release probability with a DG out-of-service for the extended COMPLETION TIME was evaluated for each combination of unit and DG out of service (a total of 48 cases quantified).

3.4.1 Tier 1: PRA Capability and Insights

3.4.1.1 PRA Modeling

TVA has used a risk-informed approach to determine the risk significance of extending the current Technical Specification Completion Time for restoring a DG to an operable status from 7 days to 14 days, and for extending the Completion Time that defines the total length of time that the unit may be allowed to enter Condition A and Condition B of TS 3.8.1 simultaneously and concurrently from 14 days to 21 days. To determine the effect of these proposed extensions, the guidance suggested in RG 1.174 and RG 1.177 was used. Thus, the following risk metrics were used to evaluate the risk impacts of extending the Completion Times:

  • Delta CDFAVE = change in the annual average CDF due to any increased on-line maintenance unavailability of DGs that could result from the increased Completion Times. This risk metric is used to compare against the criterion of RG 1.174 to determine whether a change in CDF is regarded as risk significant. This criterion is a function of the baseline annual average core damage frequency, CDFBASE as shown in Figure 3 of RG 1.174.
  • Delta LERFAVE = change in the annual average LERF due to any increased on-line maintenance unavailability of DGs that could result from the increased Completion Times. RG 1.174 criteria were also applied to judge the significance of changes in this risk metric.

  • ICCDP = incremental conditional core damage probability with a DG out-of-service for an interval of time equal to the proposed new Completion Times. This risk metric is used as suggested in RG 1.177 to determine whether a proposed increase in Completion Time has an acceptable risk impact.
  • ICLERP = incremental conditional large early release probability with a DG out-of-service for an interval of time equal to the proposed new Completion Times.

3.4.1.1.1 Level of Detail

The scope, level of detail, and quality of the BFN PRA is sufficient to support a technically defensible and realistic evaluation of the risk change for this proposed Completion Time extension. The BFN PRA was recently converted from a single-unit RISKMAN model to an integrated three-unit CAFTA model. As a part of the conversion process, the PRA was upgraded to meet the requirements of ASME/ANS RA-Sa-2009 "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications," (Reference 6.9). This Standard establishes requirements for a Level 1 PRA of internal and external hazards for all plant operating modes (low power and shutdown modes will be included at a future date). In addition, this Standard establishes requirements for a limited Level 2 PRA sufficient to evaluate large early release frequency (LERF). This Standard applies to PRAs used to support applications of risk-informed decision-making related to design, licensing, procurement, construction, operation, and maintenance.

The emergency diesel generator system was modeled in the BFN PRA at the component level. All major components that could fail the system or a train of the system were explicitly modeled. The DGs themselves were modeled as super-components to be consistent with the BFN data collection processes and the component boundary defined in NUREG/CR-6928. The DG boundary includes the diesel engine with all components in the exhaust path, electrical generator, generator exciter, output breaker, combustion air, lube oil systems, fuel oil system, and starting compressed air system, and local instrumentation and control circuitry. However, the sequencer is not included. For the service water system providing cooling to the DGs, only the devices providing control of cooling flow to the DG heat exchangers are included. Room heating and ventilating is not included in the component boundary.

The DG system model includes DG failure to start and to run, failure of the sequencer, initiation logic, and unavailability due to test and maintenance. The support systems modeled are DG building ventilation and DG cooling water. Common cause failures were modeled for DG failure to start and failure to run, ventilation fan failure to start and failure to run, as well as common cause failures related to the cooling water system.

Changes to the DG unavailability were determined based on over twelve years of BFN specific data and the expected increase in online unavailability assuming the frequency of the major maintenance requiring the extended Completion Time.

3.4.1.1.2 Modeling of Initiating Events

There are no initiating events associated with the failure or unavailability of the DG system. There are no new initiators created or changes to existing initiating event frequencies due to the increase in the DG Completion Time. Therefore, there is no requirement for the initiating event frequencies to be adjusted.

3.4.1.1.3 Screening Criteria

The BFN PRA models the DG system explicitly. There was no screening performed that eliminated sequences on a frequency basis that would be affected by this Technical Specification change.

3.4.1.1.4 Truncation Limits

As part of the PRA model upgrade, the quantification of the model is evaluated to assess the adequacy of the truncation level chosen.

The truncation limit specified in the CAFTA quantification affects the following:

  • The speed of the calculation
  • The number of cutsets generated
  • The total CDF

The NEI Peer Review Process (NEI-00-02) identifies the use of truncation values of four (4) orders of magnitude below the CDF for a high quality PRA. Therefore, as a minimum, the truncation for BFN has been set at 1E-12/yr, which is almost seven (7) orders of magnitude below the CDF. In addition, the ASME PRA Standard (SR QU-B2) states:

"Truncate accident sequences and associated system models at a sufficiently low cutoff value that dependencies associated with significant cutsets or accident sequences are not eliminated."

An investigation was carried out to ensure the following:

  • Important recovery action combinations were not eliminated by use of this truncation value,
  • No important accident sequences were eliminated by the use of this truncation value, and
  • The model results are not significantly changed by use of this truncation value.

This demonstrates that convergence towards a stable result is achieved, i.e., there is no evidence of destabilizing effects as lower truncation values are used.

Therefore, a sensitivity study was performed of the calculated CDF and number of cutsets that result as the truncation level is decreased. The sensitivity study utilized the final logic model and the final database. This investigation showed that a truncation of 1E-12 captures all significant cutsets and does not eliminate dependencies associated with significant cutsets or accident sequences.

3.4.1.1.5 Plant versus Model Configuration

The BFN PRA is designed to represent the as-built, as-operated plant. There are no known differences between the plant and the model that could affect the results of the DG Completion Time extension evaluation.

3.4.1.2 Assumptions in Completion Time Evaluation

1. The Completion Time risk evaluations were performed using only the BFN PRA for power operation (i.e., to calculate the risk associated with (a) the equipment being unavailable during power operation for the duration of the Completion Time and (b) any change in the Completion Time). The risk associated with shutting the plant down because of Completion Time violations is not considered.
2. When calculating the risk impacts (i.e., a change in CDF or LERF caused by Completion Time changes), the change in average CDF has been estimated using the mean outage times for the current and proposed Completion Times. The average maintenance state is used as the base case (average annual unavailability of all components is assumed). These unavailabilities are calculated from plant maintenance rule data (if available) or based on industry data or expert opinion.

3. The changes in CDF and LERF that are calculated as a part of this submittal take into account the outage frequency but do not assume any reduced failure rate due to the maintenance being performed. The beneficial aspect of maintenance is not quantified and this may give a slightly higher estimate of the yearly Allowed Outage Time risk measure for the proposed Completion Time.
4. Only one of the eight DGs will be taken out of service at a time. Simultaneous DG maintenance will not be permitted.
5. The 4kV/480 transformers will not be taken out of service for test or maintenance simultaneously with one of the diesel generators.
6. Only major fires are assumed to result in a total loss of offsite power. This assumption is based on the BFN IPEEE FIVE Analysis.
7. The severe fire factor for 4-kV Bus Tie Board was not quantified in the FIVE analysis since fires in this area were quantitatively screened out. The severity factor was assumed to be 0.10 based on a review of the severity factors for the shutdown board rooms documented in the FIVE analysis, which were all less than 0.073.
8. The recovery of offsite power (LOOP) lost due to the effects of an internal or switchyard fire is assumed to be possible within 4 hours 50 percent of the time. This means that 50% of the time, recovery is assumed to take longer than 4 hours. This is conservative when compared to recovery probabilities for LOOPs due to other causes (weather-related, switchyard centered, grid related, plant centered) as reflected in NUREG/CR-6890 (Reference 6.12).
9. The %xLOOPSW initiator includes LOOP events due to high winds (NUREG/CR-6890). Other initiators resulting from high winds were not considered since they would not be affected by the DG Completion Time.

3.4.1.3 Results

3.4.1.3.1 Tier 1 Analysis

The impact on plant risk has been evaluated as follows. These calculations considered the effects of internal events, fires, and seismic events. The results of these calculations are summarized in the following sections. The effects of seismic events are similar to those of fires (except with a much smaller effect on CDF and LERF) with respect to the DG Completion Time extension, so they were screened out.

3.4.1.3.2 Normal Diesel Generator Unavailability Data

The normal diesel generator unavailability (1.39E-02) was taken from the BFN PRA Data Analysis Notebook. This unavailability is an average of the planned and unplanned diesel generator unavailability. This data is summarized in Table 1 below:

Table 1. Maintenance Rule Data for Diesel Generators

| Diesel Generator | Planned Unavailability | Unplanned Unavailability | Total Unavailability | Total Required Hours | Number of Maintenance Events |
|---|---|---|---|---|---|
| A | 1,495.17 | 78.50 | 1,573.67 | 118,629 | 128 |
| B | 1,659.73 | 275.55 | 1,935.28 | 118,629 | 127 |
| C | 1,274.59 | 359.91 | 1,634.50 | 119,331 | 132 |
| D | 1,480.75 | 80.88 | 1,561.63 | 119,355 | 127 |
| 3A | 1,067.47 | 123.75 | 1,191.22 | 107,304 | 118 |
| 3B | 1,300.00 | 90.87 | 1,390.87 | 107,304 | 125 |
| 3C | 1,569.67 | 186.02 | 1,755.69 | 107,304 | 124 |
| 3D | 1,428.97 | 286.25 | 1,715.22 | 118,897 | 131 |
| Total | 11,276.35 | 1,481.73 | 12,758.08 | 916,753 | 1,012 |

Table 2 shows the fraction of DG Unavailability that is planned versus unplanned.

Table 2. Summary of Planned and Unplanned DG Unavailability

| | Unavailability | Percent of Total |
|---|---|---|
| Planned Unavailability | 0.0123 | 88.39% |
| Unplanned Unavailability | 0.0016 | 11.61% |
| Total Unavailability | 0.0139 | 100.00% |

3.4.1.3.3 Extended Diesel Generator Unavailability Data

The DG unavailability resulting from the 14 day AOT extension was calculated in accordance with guidance contained in Reference 6.5. "The average downtime can be assumed to proportionally increase with the increase in the proposed AOT for downtimes associated with unscheduled maintenance. For scheduled (preventative) maintenance, the downtime assumed can be representative of plant practices (e.g., one-half of the AOT)."

The 14 day DG unavailability is then calculated by summing the following components:

  • Normal DG unavailability = 0.0139

  • Increase in unplanned unavailability - This is calculated in accordance with guidance contained in Reference 6.5 as follows:

(extended AOT - original AOT)/(original AOT) x (normal unplanned unavailability) = (14-7)/7 x (0.0016) = 0.0016

  • Increase in planned online unavailability - The only actual change in plant practices regarding planned online unavailability with the 14 day DG AOT involves the 12 year preventive maintenance. This would result in a potential increase of up to 14 days of planned maintenance per DG every 12 years. Since the normal data from section 3.4.1.2 above includes performance of the 12 year maintenance, which averaged 4.5 days (0.0123 x 365 days) per DG, this unavailability will be subtracted from the maximum planned unavailability to prevent counting this time twice.

This can be calculated as follows:

(Maximum # days per AOT - 4.5) / ((# days per year) x (# of years per performance)) = (14 - 4.5)/(365 x 12) = 2.17E-3

Summing the above terms gives the DG unavailability resulting from the 14 day AOT of 0.0177 as shown in Table 3:

Table 3. Calculation of 14-day AOT DG Unavailability

| Term | Value |
|---|---|
| Normal DG Unavailability | 0.0139 |
| Increase in Unplanned Unavailability | 0.0016 |
| Increase in Planned Unavailability | 0.0022 |
| Total DG UA resulting from 14 day AOT | 0.0177 |

3.4.1.3.4 Change in CDF due to Internal Events

The expected change in the Internal Events Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) has been calculated for each of the BFN Units. This has been done by subtracting the base CDF/LERF from the CDF/LERF with the 14-day AOT.

The base CDF and LERF for each of the three units were calculated using the base BFN PRA model (Revision 1).

In order to assess internal fires with the BFN PRA model, it was modified to include fire initiators that can result in a loss of offsite power for each unit. The modifications to the model are described in Section 3.4.1.3.5. The base case calculations were rerun with the fire initiators set to a frequency of zero to ensure that the values for CDF and LERF did not change from the base case. The results of these calculations are presented in Table 4.

The CDF and LERF with the 14-day AOT DG unavailability were calculated for each of the three units using the modified BFN PRA model discussed above and the 14-Day DG AOT Unavailability file. Table 4 provides the results of these calculations.

Table 4. Effect on CDF and LERF of 14-Day DG AOT Unavailability

| Case | Using Base PRA Model | DG Unavailability 14-Day AOT | Change | % Change |
|---|---|---|---|---|
| U1 CDF | 6.57E-06 | 6.67E-06 | 9.49E-08 | 1.44% |
| U2 CDF | 6.88E-06 | 6.95E-06 | 7.74E-08 | 1.13% |
| U3 CDF | 7.30E-06 | 7.53E-06 | 2.29E-07 | 3.13% |
| U1 LERF | 2.13E-06 | 2.14E-06 | 6.80E-09 | 0.32% |
| U2 LERF | 2.70E-06 | 2.71E-06 | 4.90E-09 | 0.18% |
| U3 LERF | 1.01E-06 | 1.02E-06 | 5.10E-09 | 0.50% |

3.4.1.3.5 Change in CDF due to Fires

Evaluations of the potential risk due to internal fires were previously performed using the EPRI Fire Induced Vulnerability Evaluation (FIVE) progressive quantitative screening methodology.

For the purposes of this evaluation, the Unit 1, 2, and 3 FIVE analyses were reviewed and sensitivity quantifications were performed to bound the potential impact of the requested DG AOT.

The extended DG AOT would only impact plant risk with respect to fires for fires that could result in a loss of offsite power (LOOP). The FIVE analyses identified four areas in each of the units for which the bounding plant response was represented by the loss of offsite power.

These areas are identified in Table 5. The fire frequencies were taken from the Unit 1 IPEEE since it provided the most up to date information. These values can be applied to Units 2 and 3 due to the similarities in the design and operation of the three units.

Only a major fire is assumed to result in a total loss of offsite power. The major fire factors were multiplied by the fire frequency to obtain the major fire frequency that could result in a total loss of offsite power. The FIVE analysis identified the severe fire factors for the Control Room fire and the Turbine Deck Fire. The severe fire factor for 4kV Bus Tie Board was not quantified in the FIVE analysis since fires in this area were quantitatively screened out. The severity factor was assumed to be 0.10 based on a review of the severity factors for the shutdown board rooms documented in the FIVE analysis, which were all less than 0.073.

The severity factor for the yard fire that could result in a total loss of offsite power to a single unit was conservatively assumed to be 0.25. This is based on the fact that only 3 of the 31 fire initiators documented in NUREG/CR-5750 resulted in loss of offsite power. In addition, there are two 500-kV Buses in the switchyard which provide redundant sources of offsite power to all three units and there are seven sources of offsite power for each bus. Each of the yard transformers has its own deluge system to prevent the spread of fire from one transformer to another. The switchyard also has automatic functions that can isolate the two buses from each other in the event of a loss of power. A fire in the switchyard would have to be large enough to involve both buses to create a total loss of offsite power.

The calculated major fire frequencies and the total fire frequencies for a fire that could result in a LOOP are given in Table 5.

Table 5. FIVE Scenarios with Plant Response Bounded by Loss of Offsite Power

| Fire Area / Zone | Description | Fire Frequency | Severe Fire Factor | Major Fire Frequency |
|---|---|---|---|---|
| 16-3 (case 2B) | Control Building - 617' (Control Room) | 4.62E-05 | 0.049 | 2.26E-06 |
| 24 | 4kV Bus Tie Board Room | 1.92E-02 | 0.10 | 1.92E-03 |
| 25-3 (case 3B) | Turbine Deck | 1.34E-02 | 0.119 | 1.59E-03 |
| Yard Area (case 2) | Yard Area | 5.10E-03 | 0.25 | 1.28E-03 |

To evaluate the impact of the extended DG AOT on plant risk with respect to fires, the BFN PRA CAFTA model was modified to include these fire-induced LOOP initiators. These initiators were added to the model in the same locations that the other LOOP events are located in the model.

The model was then quantified to determine CDF and LERF due to a LOOP with the current DG unavailability as well as with the 14-day AOT DG unavailability.

The base CDF and LERF for fire-induced LOOP for each of the three units were calculated using the modified BFN PRA model. The LOOP involves all 3 units and it is assumed that recovery of offsite power within 4 hours will fail 50 percent of the time. This is considered a conservative assumption given that there are seven sources of 500-kV offsite power and two sources of 161-kV offsite power. This failure rate is applied in the master recovery file.

The CDF and LERF with the 14-day AOT DG unavailability were calculated for each of the three units using the modified BFN PRA model. The LOOP frequency was set to 8.62E-03. The LOOP involves all 3 units and there is no possibility of a recovery of offsite power.

Table 6 provides the results of the calculations with the current DG unavailability and the DG unavailability projected with the 14 Day DG AOT.

Table 6. Effect on CDF and LERF of 14-Day DG AOT Unavailability for Fires Resulting in a LOOP

| Case | Using Base PRA Model (Fires Only) | DG Unavailability 14-Day AOT (Fires Only) | Change | % Change |
|---|---|---|---|---|
| U1 CDF | 1.22E-06 | 1.35E-06 | 1.28E-07 | 10.44% |
| U2 CDF | 9.92E-07 | 1.08E-06 | 8.97E-08 | 9.05% |
| U3 CDF | 2.26E-06 | 2.53E-06 | 2.74E-07 | 12.14% |
| U1 LERF | 2.25E-07 | 2.33E-07 | 7.95E-09 | 3.54% |
| U2 LERF | 2.03E-07 | 2.08E-07 | 4.49E-09 | 2.21% |
| U3 LERF | 1.83E-07 | 1.86E-07 | 3.38E-09 | 1.85% |

3.4.1.3.6 Change in CDF due to Seismic Events

The BFN design basis safe shutdown earthquake (SSE) is 0.20g. The mean annual frequency of exceedance for an SSE at BFN is 4.0E-5 (Reference 6.10). The probability of an SSE occurring during the 14-day (0.038 years) period the diesel is out of service may be taken from the equation:

P = 1 -e-

Therefore, P(SSE in 14 days) = 1 - e^(-(4E-5)(0.038)) = 1.55E-06, which is a very small probability.

The evaluation of seismic events performed as part of the IPEEE used the Electric Power Research Institute (EPRI) Seismic Margins Assessment methodology and the review level earthquake was 0.3g. All BFN diesel generators were included in the list of components analyzed for safe shutdown of the unit following an earthquake. The Diesel Generator Building was also analyzed. This evaluation provided adequate evidence of the ability of BFN to resist a seismic event up to the review level earthquake (RLE) and initiate a safe shutdown of the unit.

The IPEEE Program did not identify any adverse spatial interactions or any components with seismic capacity below the RLE level.

In the BFN design bases, the switchyard is assumed to fail during a design basis earthquake.

The Unit 1 conditional core damage probability of an earthquake was assumed to be equal to that of a guaranteed LOOP. Therefore, the net effect of the seismic event is similar to that evaluated for fires. Since the frequency of an earthquake is three orders of magnitude lower than the frequency of the fires evaluated in the previous section, seismic events are bounded by the fire events with respect to this DG AOT extension.

3.4.1.3.7 Total Change in CDF

Table 7 shows the results for delta-CDF and delta-LERF for internal events and fire. The resulting values are well within the guideline values in RG 1.174 of 1E-6/yr for delta-CDF and 1E-7/yr for delta-LERF for "very small" increases.

Table 7 Total Effect on CDF and LERF of 14-Day DG Completion Time Unavailability

| Case | Using Base PRA Model | DG Unavailability 14-Day Completion Time | Change | % Change |
|---|---|---|---|---|
| U1 CDF | 7.79E-06 | 8.01E-06 | 2.23E-07 | 2.86% |
| U2 CDF | 7.87E-06 | 8.03E-06 | 1.67E-07 | 2.12% |
| U3 CDF | 9.56E-06 | 1.01E-05 | 5.02E-07 | 5.26% |
| U1 LERF | 2.36E-06 | 2.37E-06 | 1.48E-08 | 0.63% |
| U2 LERF | 2.90E-06 | 2.91E-06 | 9.39E-09 | 0.32% |
| U3 LERF | 1.19E-06 | 1.20E-06 | 8.48E-09 | 0.71% |

The changes in CDF and LERF are insignificant and well below the Reg. Guide 1.174 (Reference 6.4) guidelines of 1E-6 for changes in CDF and 1E-7 for changes in LERF for all three units. The conclusion is reached that the requested change in diesel generator AOT does not create a significant change in the total CDF or LERF.

3.4.1.3.7 Calculation of ICCDP and ICLERP

Incremental Conditional Core Damage Probability (ICCDP) is defined by Reference 6.11 as:

ICCDP = (CCDF - CDFB) x AOT

where,

CCDF = Conditional CDF w/ equipment out of service
CDFB = Baseline CDF w/ nominal expected equipment unavailabilities
AOT = increase in AOT under consideration as a fraction of the year = (14-7)/365

CDFB is calculated using the modified BFN PRA model. A zero DG test and maintenance file was used because the effects of a single diesel being out of service are being evaluated. The average test and maintenance was used for the remainder of the components because it is not known what other equipment may be out of service during the DG maintenance.

CCDF is calculated for each diesel in maintenance for each unit (a total of 24 calculations) using the modified BFN PRA model.

Incremental Conditional Large Early Release Probability (ICLERP) is defined by Reference 6.11 as:

ICLERP = (CLERF - LERFB) x AOT

where,

CLERF = Conditional LERF w/ equipment out of service
LERFB = Baseline LERF w/ nominal expected equipment unavailabilities
AOT = increase in AOT under consideration as a fraction of the year = (14-7)/365

LERFB is calculated using the base BFN PRA model. A zero DG test and maintenance file was used because the effects of a single diesel being out of service are being evaluated. The average test and maintenance was used for the remainder of the components because it is not known what other equipment may be out of service during the DG maintenance.


CLERF is calculated for each diesel in maintenance for each unit (a total of 24 calculations) using the base BFN PRA model.

Tables 8 through 15 show the results for ICCDP and ICLERP calculations. The values for ICCDP and ICLERP for all three BFN units for each of the eight diesel generators are below the Reference 6.5 guidelines for acceptability of 5.0E-7 and 5.0E-8, respectively.

Table 8 Calculation of ICCDP and ICLERP for DG A in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    1.97E-05           2.52E-07   -
U2 CDF    6.43E-06    1.37E-05           1.38E-07   -
U3 CDF    7.30E-06    2.09E-05           2.60E-07   -
U1 LERF   2.21E-06    3.47E-06           -          2.40E-08
U2 LERF   2.83E-06    3.33E-06           -          9.52E-09
U3 LERF   1.12E-06    1.17E-06           -          8.95E-10

Table 9 Calculation of ICCDP and ICLERP for DG B in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    2.44E-05           3.42E-07   -
U2 CDF    6.43E-06    1.92E-05           2.45E-07   -
U3 CDF    7.30E-06    2.98E-05           4.32E-07   -
U1 LERF   2.21E-06    3.26E-06           -          2.00E-08
U2 LERF   2.83E-06    3.81E-06           -          1.87E-08
U3 LERF   1.12E-06    1.16E-06           -          7.80E-10

Table 10 Calculation of ICCDP and ICLERP for DG C in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    2.00E-05           2.58E-07   -
U2 CDF    6.43E-06    1.35E-05           1.35E-07   -
U3 CDF    7.30E-06    2.66E-05           3.70E-07   -
U1 LERF   2.21E-06    2.72E-06           -          9.71E-09
U2 LERF   2.83E-06    3.26E-06           -          8.16E-09
U3 LERF   1.12E-06    1.14E-06           -          4.45E-10

Table 11 Calculation of ICCDP and ICLERP for DG D in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    1.40E-05           1.42E-07   -
U2 CDF    6.43E-06    1.92E-05           2.46E-07   -
U3 CDF    7.30E-06    1.67E-05           1.80E-07   -
U1 LERF   2.21E-06    2.94E-06           -          1.38E-08
U2 LERF   2.83E-06    3.96E-06           -          2.16E-08
U3 LERF   1.12E-06    1.22E-06           -          1.96E-09

Table 12 Calculation of ICCDP and ICLERP for DG 3A in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    6.81E-06           5.08E-09   -
U2 CDF    6.43E-06    6.66E-06           4.40E-09   -
U3 CDF    7.30E-06    2.20E-05           2.81E-07   -
U1 LERF   2.21E-06    2.50E-06           -          5.54E-09
U2 LERF   2.83E-06    2.86E-06           -          4.70E-10
U3 LERF   1.12E-06    1.81E-06           -          1.32E-08

Table 13 Calculation of ICCDP and ICLERP for DG 3B in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    7.04E-06           9.43E-09   -
U2 CDF    6.43E-06    7.51E-06           2.08E-08   -
U3 CDF    7.30E-06    1.99E-05           2.42E-07   -
U1 LERF   2.21E-06    2.26E-06           -          8.78E-10
U2 LERF   2.83E-06    2.90E-06           -          1.20E-09
U3 LERF   1.12E-06    1.90E-06           -          1.50E-08

Table 14 Calculation of ICCDP and ICLERP for DG 3C in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    9.37E-06           5.42E-08   -
U2 CDF    6.43E-06    9.18E-06           5.28E-08   -
U3 CDF    7.30E-06    2.01E-05           2.46E-07   -
U1 LERF   2.21E-06    2.22E-06           -          2.87E-11
U2 LERF   2.83E-06    2.84E-06           -          2.87E-11
U3 LERF   1.12E-06    1.79E-06           -          1.28E-08

Table 15 Calculation of ICCDP and ICLERP for DG 3D in Maintenance

          Base Case   Conditional Case   ICCDP      ICLERP
U1 CDF    6.54E-06    9.63E-06           5.92E-08   -
U2 CDF    6.43E-06    9.51E-06           5.90E-08   -
U3 CDF    7.30E-06    1.19E-05           8.80E-08   -
U1 LERF   2.21E-06    2.22E-06           -          2.87E-11
U2 LERF   2.83E-06    2.84E-06           -          2.87E-11
U3 LERF   1.12E-06    1.14E-06           -          3.74E-10

The results show that in all cases, the calculated ICCDP and ICLERP are less than the criteria listed in RG 1.177 when a DG is inoperable. There are a number of reasons calculated ICCDP and ICLERP values are significantly less than the RG 1.177 limits:


  • Each 4 kV shutdown board on each unit is supported with its own dedicated DG with cross-tie capability between the same train across units;

  • Cross-tie capability across Unit 1 and Unit 2 4-kV buses between the same train is easily accomplished from the control room.
  • Cross-tie capability from the Unit 3 diesels to the Unit 1 and Unit 2 4-kV shut down boards is easily accomplished from the control room.
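The following is an added example, not part of the TVA submittal: it recomputes ICCDP and ICLERP for the Table 8 (DG A) and Table 12 (DG 3A) rows from the definitions above and checks each printed value against the 5.0E-7 and 5.0E-8 guidelines. The function names and the rounding-tolerance rule (half a unit in the last printed digit of each tabulated number) are assumptions of this example.

```python
from decimal import Decimal

# Increase in AOT as a fraction of the year, as defined on the page: (14-7)/365
AOT = Decimal(14 - 7) / Decimal(365)

# Acceptability guidelines quoted on the page (Reference 6.5)
LIMITS = {"CDF": Decimal("5.0E-7"), "LERF": Decimal("5.0E-8")}

# Rows transcribed from Table 8 (DG A) and Table 12 (DG 3A):
# (DG, unit, metric, base case, conditional case, tabulated ICCDP or ICLERP)
ROWS = [
    ("A", "U1", "CDF", "6.54E-06", "1.97E-05", "2.52E-07"),
    ("A", "U2", "CDF", "6.43E-06", "1.37E-05", "1.38E-07"),
    ("A", "U3", "CDF", "7.30E-06", "2.09E-05", "2.60E-07"),
    ("A", "U1", "LERF", "2.21E-06", "3.47E-06", "2.40E-08"),
    ("A", "U2", "LERF", "2.83E-06", "3.33E-06", "9.52E-09"),
    ("A", "U3", "LERF", "1.12E-06", "1.17E-06", "8.95E-10"),
    ("3A", "U1", "CDF", "6.54E-06", "6.81E-06", "5.08E-09"),
    ("3A", "U2", "CDF", "6.43E-06", "6.66E-06", "4.40E-09"),
    ("3A", "U3", "CDF", "7.30E-06", "2.20E-05", "2.81E-07"),
    ("3A", "U1", "LERF", "2.21E-06", "2.50E-06", "5.54E-09"),
    ("3A", "U2", "LERF", "2.83E-06", "2.86E-06", "4.70E-10"),
    ("3A", "U3", "LERF", "1.12E-06", "1.81E-06", "1.32E-08"),
]


def half_ulp(text):
    """Half a unit in the last printed digit, i.e. the rounding error
    carried by a tabulated value such as '6.54E-06' (assumed rule)."""
    exponent = Decimal(text).as_tuple().exponent
    return Decimal(5).scaleb(exponent - 1)


def recompute(row):
    """Apply ICCDP = (CCDF - CDFB) x AOT (or the LERF analogue) to one row
    and compare the result with the value printed in the table."""
    dg, unit, metric, base, cond, tabulated = row
    value = (Decimal(cond) - Decimal(base)) * AOT
    # Worst-case effect of rounding in both inputs, plus rounding of the
    # printed result itself.
    tolerance = (half_ulp(base) + half_ulp(cond)) * AOT + half_ulp(tabulated)
    printed = Decimal(tabulated)
    return {
        "dg": dg,
        "unit": unit,
        "metric": metric,
        "recomputed": value,
        "tabulated": printed,
        "consistent": abs(value - printed) <= tolerance,
        "within_guideline": printed < LIMITS[metric],
        "margin": LIMITS[metric] / printed,  # how many times below the limit
    }


def audit(rows=ROWS):
    """Recompute every row."""
    return [recompute(row) for row in rows]


def summary(results):
    """Collect rows that fail either check and the largest value per metric."""
    return {
        "inconsistent": [r for r in results if not r["consistent"]],
        "over_guideline": [r for r in results if not r["within_guideline"]],
        "worst": {
            metric: max(r["tabulated"] for r in results if r["metric"] == metric)
            for metric in LIMITS
        },
    }


if __name__ == "__main__":
    for r in audit():
        print(
            f"DG {r['dg']:>2} {r['unit']} {r['metric']:<4} "
            f"tabulated={r['tabulated']:.2E} recomputed={r['recomputed']:.2E} "
            f"consistent={r['consistent']} margin={r['margin']:.1f}x"
        )
```

Rows whose base and conditional values differ only in the last printed digit have a tolerance as large as the result itself, so agreement there says little about the underlying PRA run.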

3.4.1.4 Sensitivity and Uncertainty Analyses

As discussed in Regulatory Guide 1.177, previous sensitivity analyses performed for risk informed TS changes have shown that the risk resulting from TS Completion Time changes is relatively insensitive to uncertainties (compared, for example, to the effect on risk from uncertainties in assumptions regarding plant design changes, or regarding significant changes to plant operating procedures). This is because the uncertainties associated with Completion Time changes tend to similarly affect the base case (i.e., before the change) and the changed case (i.e., with the change in place). That is, the risks result from similar causes in both cases.

No new initiating transients or subsequent failure modes have been introduced by extending the DG Completion Time. Therefore, the increase in risk is due solely to Completion Time changes.

The completion time changes subject the plant to a variation in its exposure to the same type of risk, and the PRA model is able to predict, with relative surety based on data from operating experience, how much that risk will change based on that changed exposure.

In order to assess exceeding the 14 day DG Completion Time, an increased online unavailability must be determined.

The unavailability for a 21 day DG Completion Time is calculated by summing the following components:

  • Normal DG unavailability = 0.0139
  • Increase in unplanned unavailability - This is calculated in accordance with guidance contained in Reference 6.5 as follows:

[(extended AOT - original AOT)/(original AOT)] x (normal unplanned unavailability) =

[(21-7)/7] x (0.0016) = 0.0032

  • Increase in planned online unavailability - The only actual change in plant practices regarding planned online unavailability with the 14 day DG AOT involves the 12 year preventive maintenance. This would result in a potential increase of up to 14 days of planned maintenance per DG every 12 years. Since the normal data from section 3.4.1.3.2 above includes performance of the 12 year maintenance, which averaged 4.5 days (0.0123 x 365 days) per DG, this unavailability will be subtracted from the maximum planned unavailability to prevent counting this time twice.

Assuming that a 21 day AOT is substituted for the 14 day AOT, this unavailability can be calculated as follows:

(Maximum # days per AOT - 4.5) / [(# days per year) x (# of years per performance)]

= (21 - 4.5) / (365 x 12) = 3.8E-3

The unavailability for a 21 day DG Completion Time is calculated to be 0.0209 as shown in Table 16.

Table 16. Calculation of 21-day AOT DG Unavailability

Normal DG Unavailability                  0.0139
Increase in Unplanned Unavailability      0.0032
Increase in Planned Unavailability        0.0038
Total DG UA resulting from 21 day AOT     0.0209

The CDF and LERF with the 21-day Completion Time DG unavailability were calculated for each of the three units using the modified BFN PRA model. Table 17 shows the net change in CDF for a 21-day DG Completion Time. As can be seen in the table, the total change in CDF is still below the 1E-06 criteria for CDF and the total change in LERF is still below the 1E-07 criteria.

Table 17 Total Effect on CDF and LERF of 21-Day DG Completion Time Unavailability

Unavailability Case   Base PRA Model   DG Using 21-Day Completion Time   Change     % Change
U1 CDF                7.79E-06         8.19E-06                          3.94E-07   5.06%
U2 CDF                7.87E-06         8.14E-06                          2.77E-07   3.52%
U3 CDF                9.56E-06         1.05E-05                          9.09E-07   9.51%
U1 LERF               2.36E-06         2.38E-06                          2.51E-08   1.07%
U2 LERF               2.90E-06         2.92E-06                          1.42E-08   0.49%
U3 LERF               1.19E-06         1.21E-06                          1.54E-08   1.29%

3.4.1.4.2 Cumulative Risk

The BFN PRA model reflects the as-built, as-operated plant as of January 2008. There are no previously granted risk-informed TS changes that have not been reflected in the model.

3.4.1.4.3 Transition and Shutdown Risk

Transition and shutdown risks are not quantified. This change should be evaluated on risk increase that is acceptable under the Maintenance Rule. No attempt to balance any increased operational risk against transition or shutdown risk is made in this submittal.

3.4.2 Tier 2: Avoidance of Risk-Significant Plant Configurations

There is reasonable assurance that risk-significant equipment configurations will not occur when specific plant equipment is out of service consistent with the proposed TS changes.


Offsite power operability is ensured by TS Section 3.8.1 where offsite power availability must be verified within one hour and once every eight hours for an inoperable offsite path or DG.

Increases in risk posed by potential combinations of equipment out of service will be managed under the Configuration Risk Management Program (CRMP) as required by the Maintenance Rule (10 CFR 50.65(a)(4)). For example:

  • An extended DG Completion Time will not be entered for scheduled maintenance purposes if severe weather conditions are expected; and
  • While in the proposed extended DG Completion Time, additional elective equipment maintenance, testing or equipment failure will be evaluated using the CRMP and activities that yield unacceptable results via the CRMP will be avoided.

Additional compensatory actions and configuration risk management controls that will apply when entering the required DG Completion Time include:

  • Only one of the eight DGs will be taken out of service at a time. Simultaneous DG maintenance will not be permitted;
  • Electrical boards or transformers will not be removed from service for planned maintenance activities during the required DG Completion Time;
  • Weather conditions will be evaluated prior to entering the required DG Completion Time for elective maintenance. A required DG Completion Time will not be entered for elective maintenance purposes if official weather forecasts are predicting severe conditions (tornado or thunderstorm warnings);
  • Elective maintenance will not be performed in the switchyard that would challenge offsite power availability during the proposed required DG Completion Time;
  • The condition of the offsite power supply and switchyard will be evaluated prior to entering the required DG Completion Time for elective maintenance. TVA will develop a procedure to determine acceptable grid conditions for entering the required DG Completion Time to perform elective maintenance;
  • The system dispatcher will be contacted once per day and informed of the DG status along with the power needs of the facility;
  • The Unit 1 and Unit 2 HPCI pumps, RCIC pumps, and RHR pumps will not be removed from service for planned maintenance activities during the required DG Completion Time for Unit 1 and Unit 2 DGs;
  • The Unit 3 turbine driven HPCI pump, RCIC pump, and RHR pumps will not be removed from service for planned maintenance activities during the required DG Completion Time for Unit 3 DGs; and
  • Operating crews will be briefed on the DG work plan and procedural actions regarding LOOP and SBO.


Procedures will be established to implement these restrictions when an EDG is inoperable for the required DG Completion Time in accordance with TS 3.8.1 Condition B.

3.4.3 Tier 3: Risk-Informed Configuration Risk Management

TVA has developed a CRMP governed by procedure 0-TI-367, "BFN Equipment to Plant Risk Matrix", that ensures that the risk impact of equipment out of service is appropriately evaluated prior to performing any maintenance activity. This program requires an integrated view (i.e., both deterministic and probabilistic) to identify risk significant plant equipment outage configurations in a timely manner both during the work management process and for emergent conditions during normal plant operation.

TVA currently has the capability at BFN to perform a configuration dependent assessment of the overall impact on risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service. Risk is re-assessed if an equipment failure, malfunction or emergent condition produces a plant configuration that has not previously been assessed. For planned maintenance activities, an assessment of the overall risk of the activity on plant safety, including benefits to system reliability and performance, is currently performed prior to scheduled work. The assessment includes the following considerations:

  • Maintenance activities that affect redundant and diverse systems, structures and components (SSCs) that provide backup for the same function are minimized.
  • Maintenance is not scheduled that is highly likely to exceed a TS or Technical Requirements Manual (TRM) Completion Time requiring a plant shutdown. For activities that are expected to exceed 50% of a TS Completion Time, a Voluntary LCO plan is developed to minimize SSC unavailability, maximize SSC reliability and ensure contingency and compensatory actions are in place.
  • For Maintenance Rule Risk Significant SSCs, the impact of the planned activity on the unavailability performance criteria is evaluated.
  • As a final check, a quantitative risk assessment is performed to ensure that the activity does not pose any unacceptable risk. This evaluation is performed using the current Level 1 PRA model. The results of the risk assessment are classified by a color code based on the increased risk of the activity shown in Table 18 as follows:

Table 18 Risk Assessment Color Classification

Color    Risk Level    Plant Impact and Required Action
Green    Low           Small impact on plant risk. No specific actions are required.
Yellow   Elevated      Consider contingency planning. Shift Manager approval to commence planned activity.
Orange   Significant   Consider compensatory actions to mitigate risk. Minimize time spent in configuration. Plant Manager approval to commence planned activity.
Red      Excessive     Not entered voluntarily. Operations Committee must authorize operation for any length of time in this condition. Immediately restore equipment to service or implement risk management actions to restore at least an ORANGE color.

  • Plant operations management during non-business hour shifts reviews emergent work to ensure that it does not invalidate risk analyses made during the work management process, and if it does, they are capable of updating the risk analyses.
  • If the risk of losing offsite power increases as a result of severe weather or as a result of unavailability or degradation of an offsite source, the CRMP is able to reflect this in the risk analysis.

3.4.3.1 Safety Function Determination Program

The Safety Function Determination Program (SFDP) ensures that any concurrent inoperabilities that result in a loss of safety function are identified and appropriate actions taken.

This program is required by TS 3.0.6 and TS 5.5.11. The SFDP contains the following:

a. Provisions for cross division checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected,
b. Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists,
c. Provisions to ensure that an inoperable supported system's Completion Time is not inappropriately extended as a result of multiple support system inoperabilities, and
d. Other appropriate limitations and remedial or compensatory actions.

A loss of safety function exists when, assuming no concurrent single failure, a safety function assumed in the accident analysis cannot be performed. For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:

a. A required system redundant to the system(s) supported by the inoperable support system is also inoperable, or
b. A required system redundant to the system(s) in turn supported by the inoperable supported system is also inoperable, or
c. A required system redundant to the support system(s) for the supported systems (a) and (b) above is also inoperable.

The SFDP identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

3.4.3.2 Configuration Risk Management Program

The BFN Configuration Risk Management Program (CRMP) satisfies the requirements of 10 CFR 50.65(a)(4), one portion of the Maintenance Rule. Implementation of the CRMP at BFN for online maintenance is controlled by Standard Programs and Processes SPP 7.1, "On Line Work Management," Technical Instruction 0-TI-367, "BFN Equipment to Plant Risk Matrix," and ND-N0999-000009, "Risk Significance of Online Maintenance."

Configuration risk management is aided by the Sentinel software. Issues not addressed by the software or matrix are addressed by consultation with a PRA knowledgeable risk engineer.

BFN is transitioning to configuration risk management using the new PRA model and the Equipment Out Of Service (EOOS) software.

The scope of the CRMP includes structures, systems, and components (SSCs) determined to be risk significant quantitatively (via the PRA which addresses internal events and internal flooding) and qualitatively (which addresses the following functions: decay heat removal, inventory control, power availability, reactivity control, fuel pool cooling, and primary/secondary containment).

SPP 7.1, "On Line Work Management," defines the risk assessment methodology that is used for Power Operations (Mode 1) and Startup (Mode 2). For online maintenance, a risk assessment is performed before implementation, and emergent work is evaluated against the assessed scope. For those SSCs modeled in the PRA, the following risk thresholds are established with approval/actions described below:

  • Incremental core damage probability (ICDP) greater than 1E-05 should not be entered voluntarily (RED);
  • ICDP greater than 5E-06 but less than 1E-05, assess non quantifiable factors, establish risk management actions per 3.5.2.1 (ORANGE);
  • ICDP greater than 1E-06 but less than 5E-06, assess non quantifiable factors, establish risk management actions per 3.5.2.1 (YELLOW); and
  • ICDP less than 1E-06, no separate risk management plans or approval are required (GREEN).

Activities requiring risk management actions include, as appropriate, actions to provide risk awareness and control, actions to reduce duration, and actions to reduce magnitude of risk increase. These actions include:

  • Discussion of activity with operating shift approval of planned evolution;
  • Pre-job briefing of maintenance personnel emphasizing the risk aspects of the evolution;
  • Presence of appropriate technical personnel for appropriate portions of the activity;
  • Pre-staging of parts and materials;
  • Ensuring required procedures changes have been incorporated and approved;
  • Ensuring all required tools have been pre-staged;
  • Ensuring all required training has been completed;
  • Walk down tag out and activity prior to conducting maintenance;
  • Perform activity around the clock;
  • Establish contingency plans to restore the out of service equipment rapidly, if needed;
  • Minimize work in areas that could affect other redundant systems such that there is continued likelihood of the availability of the safety functions served by the SSCs in those areas;
  • Establishment of alternate success paths for performance of the safety function of the out of service SSC (note: this equipment does not necessarily have to be in the scope of the Maintenance Rule per SPP-6.6).

Risk management plans are required to be approved by senior plant management.

The process for risk assessments for outage activities is found in SPP-7.2, "Outage Management." The risk assessment process found in SPP-7.2 begins when the unit enters Hot Standby and applies to work performed during Hot Shutdown, Cold Shutdown, Refueling, and Defueled activities. However, site management may choose to continue to use the on-line process for forced outages based on duration, work scope, and other considerations if the plant does not go beyond Hot Shutdown.

Shutdown safety is an integral part of the Outage process. Shutdown safety is maintained and monitored by compliance with work in accordance with the outage schedule/plan. An assessment of the outage schedule/plan implementation and during the execution of the outage schedule/plan anytime the outage schedule logic is affected.

The assessment performed during the outage execution phase is performed through the plant schedule using Outage Risk Assessment Management (ORAM) software. The ORAM is an on-line computer program which qualitatively performs risk assessment and is sponsored by the Electric Power Research Institute (EPRI). This software takes the status (i.e. available, unavailable, protected, etc.) of key plant equipment and then produces an output of the relative level of safety/defense in depth of key shutdown areas (i.e., reactivity control, shutdown cooling, AC power (onsite, offsite), fuel pool cooling, inventory control, support equipment, etc.). The models which are built to support this software include fault trees which use a building block technology to identify specific components utilized to build a system utilized in maintaining a key safety function. The fault trees are then input into a SSFAT (Safety System Function Assessment Tree) to determine the number of systems/components that are required to get a predetermined output for a given plant state/condition (i.e., green for adequate defense in depth [DID], yellow for slight reduction in DID, but still adequate, orange for significant reduction in DID, and a contingency plan must be in place prior to entry into this plant condition and red for an inadequate level of DID and action must be taken to get out of this condition).

A team with broad extensive experience in the operation of the applicable unit with detailed knowledge of the applicable plant; and knowledge of shutdown safety issues affecting the nuclear industry as outlined in NUMARC 91-06 reviews the unit Outage Plan and detailed (Level 3) schedule to ensure that all shutdown safety issues are addressed and all reasonable actions have been taken to minimize shutdown risk. The assessment considers:
  • TS requirements;
  • The degree of redundancy available for performance of the key safety functions served by out of service Structures, Systems, and Components (SSCs);
  • The duration of the activity;
  • The likelihood of an initiating event or accident that would require the performance of the affected safety function;
  • The likelihood that the activity will significantly increase the frequency of an initiating event requiring key safety functions;
  • Component and system dependencies that are affected;
  • Significant performance issues for the in service redundant SSCs;
  • The risk impact of performing the maintenance during shutdown with respect to performing the maintenance at power;
  • Performance of maintenance that will involve alterations to the facility or procedures for the duration of the maintenance activity. The assessment considers the impact of these alterations on plant safety functions;
  • Whether the out-of-service SSCs could be promptly restored to service if the need arose due to emergent conditions. This would apply to surveillance testing, or to the situation where the maintenance activity has been planned in such a manner to allow for prompt restoration. In these cases, the assessment will consider the time necessary for restoration of the SSC's function, with respect to the time at which performance of the function would be needed;
  • The shutdown assessment is typically focused on SSCs "available to perform a function". Due to decreased equipment redundancies during outage conditions, the outage planning and control process may involve consideration of contingencies and backup methods to achieve the key safety functions, as well as measures that can reduce both the likelihood and consequences of adverse events;

  • Assessments for shutdown maintenance activities need to take into account plant conditions and multiple SSCs out-of-service that impact the shutdown key safety functions. The shutdown assessment is a component of an effective outage planning and control process;
  • Maintenance activities that do not necessarily remove the SSC from service may still impact plant configuration and impact key safety functions. Examples could include:

- A valve manipulation that involves the potential for a single failure to create a drain down path affecting the inventory control key safety function; or

- A switchyard circuit breaker operation that involves the potential for a single failure to affect availability of AC power.

Administrative controls ensure that voluntary removal of equipment from service is not scheduled when adverse weather conditions are predicted or at times when the plant may be subjected to other abnormal conditions.

SPP 7.1, "Work Control Process," requires an assessment of scheduled activities be performed before implementation of a work window. The assessment includes external event considerations involving the potential impacts of weather or other external conditions relative to the proposed maintenance evolution if these external impacts (e.g., weather, external flooding, and other external impacts) are imminent or have a high probability of occurring during the planned out of service duration.

SPP-7.2, "Outage Management," states that emergent conditions may result in the need for action prior to conduct of the assessment, or could change the conditions of a previously performed assessment. Examples include plant configuration or mode changes, additional SSCs out of service due to failures, or significant changes in external conditions (weather, offsite power availability). The following guidance applies to this situation:

  • The safety assessment will be performed (or re-evaluated) to address the changed plant conditions on a reasonable schedule commensurate with the safety significance of the condition. Based on the results of the assessment, ongoing or planned maintenance activities may need to be suspended or rescheduled, and SSCs may need to be returned to service; and

  • Performance (or re-evaluation) of the assessment should not interfere with, or delay, the operator and/or maintenance crew from taking timely actions to restore the equipment to service or take compensatory actions.

3.4.3.3 Maintenance Rule Program Control

The TVA Maintenance Rule Program is governed by a Standard Programs and Processes (SPP) document, SPP-6.6, "Maintenance Rule Performance Indicator Monitoring, Trending, and Reporting - 10 CFR 50.65." The program is implemented at BFN using Technical Instruction, 0-TI-346, "Maintenance Rule Performance Indicator Monitoring, Trending, and Reporting - 10 CFR 50.65."


To ensure the proposed extension of the DG Completion Time does not degrade operational safety over time, the Maintenance Rule (MR) requires an evaluation when equipment covered by the MR does not meet its performance criteria. The reliability and availability of the DGs are monitored under the MR program. If the pre-established reliability or availability performance criteria are exceeded for the DGs, they are considered for 10 CFR 50.65(a)(1) actions. These actions require increased management attention and goal setting in order to restore their performance to an acceptable level. With the approved extension of the DG Completion Time the actual out of service time for the DGs will be minimized to ensure that the reliability and availability performance criteria are met.

0-TI-346, "Maintenance Rule Performance Indicator Monitoring, Trending, and Report - 10 CFR 50.65," defines the reliability and unavailability performance criteria for BFN equipment.

The reliability performance criteria for the DGs are:

  • Considering total diesel generator start and load run demands, there shall be no more than 5 failures in the last 50 demands and no more than 8 failures in the last 100 demands (both failure trigger values being exceeded)

  • Considering individual diesel generator start and load run demands, there shall be no more than 3 failures in the last 25 demands per diesel generator.

The unavailability performance criteria for the DGs are:

Each Standby Diesel Generator system shall maintain an unavailability factor of less than or equal to 0.0342 as monitored over a 24 month rolling interval. The performance of diesel support systems (ventilation, starting air, and 125 VDC systems) are included in this performance criteria.

If these performance criteria are exceeded, an assessment of the appropriateness of planned maintenance activities or the root cause of the failure and its impact on reliability will be conducted as follows:

1. When an unreliability performance criterion is exceeded, the adequacy of the preventive maintenance tasks and frequencies relative to preventing future similar failures will be evaluated.
2. When an unavailability performance criterion is exceeded due to equipment failures, perform the evaluation required in item 1 above.
3. When an unavailability performance criterion is exceeded due to planned maintenance activities, or an adverse performance trend exists, a determination will be made to determine if the excessive unavailability is associated with periodic preventive maintenance activities being scheduled too frequently, or if the planned maintenance activities have excessive schedule or tag-out durations.


The DGs are currently being maintained in accordance with the Maintenance Rule as shown in Table 19. The data in Table 19 is based on a 24 month rolling interval.

Table 19 - DG Unavailability and Reliability

Diesel Generator   Unavailability   Failures last 25 starts   Failures last 50 starts   Failures last 100 starts
DG-A               0.023            0                         0                         0
DG-B               0.021            0                         0                         0
DG-C               0.044            0                         0                         0
DG-D               0.026            0                         0                         0
DG-3A              0.016            1                         1                         1
DG-3B              0.017            0                         0                         0
DG-3C              0.027            0                         0                         0
DG-3D              0.018            1                         1                         1

3.4.4 Quality of the PRA

The scope, level of detail, and quality of the BFN PRA is sufficient to support a technically defensible and realistic evaluation of the risk change for this proposed Completion Time extension.

The BFN Units 1, 2 and 3 Internal Events Probabilistic Risk Assessment (PRA) Peer Review was performed in May 2009 at the TVA offices in Chattanooga, TN, using the NEI 05-04 process, the ASME PRA Standard, and Regulatory Guide 1.200, Rev. 2. A separate review was performed for the Internal Flooding portion of the BFN PRA in September 2009. The Internal Flooding Peer Review also used the NEI 05-04 process, the ASME PRA Standard, and Regulatory Guide 1.200, Rev. 2. A team of independent PRA experts from nuclear utility groups and PRA consulting organizations carried out these Peer Review Certifications.

The purpose of these reviews was to provide a method for establishing the technical adequacy of the PRA for the spectrum of potential risk-informed plant licensing applications for which the PRA may be used. The 2009 BFN PRA Peer Reviews provided a full-scope review of the Technical Elements of the internal events, at-power PRA.

These intensive peer reviews involved over two person-months of engineering effort by the review team and provided a comprehensive assessment of the strengths and limitations of each element of the PRA model. The Peer Review Certification of the BFN PRA model performed by BWROG resulted in a total of 125 findings for the three unit model for internal events and internal flooding. All findings from these assessments have been dispositioned. This resulted in a number of enhancements to the PRA model prior to its use to support these proposed changes.

The certification team determined that with these proposed changes incorporated, the quality of all elements of the PRA model is sufficient to support "risk significant evaluations with deterministic input." As a result of the effort to incorporate the latest industry insights into the PRA model upgrades and certification peer reviews, TVA has concluded that the results of the risk evaluation are technically sound and consistent with the expectations for PRA quality set forth in RG 1.174 and RG 1.177.

3.5 Conclusion

The results of the deterministic evaluation and risk-informed assessment described above provide assurance that the equipment required to safely shut down the plant and mitigate the effects of a design basis accident will remain capable of performing their safety functions when a DG is out-of-service in accordance with the proposed Completion Times.

The proposed Completion Times are consistent with NRC policy and will continue to provide protection of the public health and safety. As detailed in Section 2.3, the proposed change advances the objectives of the NRC's PRA Policy Statement, including safety decision-making enhanced by the use of PRA insights, more efficient use of resources, and reduction of unnecessary burden. In addition, the proposed change meets the following principles:

1. It meets the current regulations.
2. It is consistent with the defense-in-depth philosophy.
3. It maintains sufficient safety margins.
4. It results in an increase in CDF and LERF that is small and consistent with the NRC's Safety Goal Policy Statement, as implemented via the NRC Standard Review Plan (SRP) (NUREG-0800), RG 1.174, and RG 1.177.
5. Its impact will be monitored using performance measurement strategies.

Therefore, based on the above evaluations and conclusions, TVA believes that the proposed change is acceptable and operation in the proposed manner will not present undue risk to public health and safety or be inimical to the common defense and security.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulations and Regulatory Criteria

The proposed TS changes have been evaluated to determine whether applicable regulations and requirements continue to be met. To fully evaluate the effect of the proposed change, PRA methods and a deterministic analysis were used. TVA has determined that the proposed Completion Time extensions do not require any exemptions or relief from regulatory requirements, other than the Technical Specifications.

4.1.1 Regulations

10 CFR 50.36, "Technical Specifications," requires that operating licenses for nuclear reactors must include TS that specify Limiting Conditions for Operation (LCOs) for equipment required for safe operation. Based on the risk-informed assessments presented herein, the proposed changes to the BFN TS have no significant impact on the continued conformance with the requirements of 10 CFR 50.36.

10 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," requires that preventive maintenance activities must be sufficient to provide reasonable assurance that SSCs are capable of fulfilling their intended functions. As it relates to the proposed Completion Time extensions, 10 CFR 50.65(a)(4) requires the assessment and management of the increase in risk that may result from proposed maintenance activities. As discussed previously, the BFN Maintenance Rule program monitors the reliability and availability of the DGs and ensures that appropriate management attention and goal setting are applied based on pre-established performance criteria. The DGs are all currently in the 10 CFR 50.65 (a)(2) Maintenance Rule category (i.e., meeting established performance criteria). The BFN CRMP is consistent with 10 CFR 50.65 (a)(4), and is managed to ensure that risk-significant plant configurations will not be entered for planned maintenance activities, and that appropriate actions will be taken should unforeseen events place the plant in a risk significant configuration during the proposed Completion Times. Therefore, the proposed extension of the Completion Times is not anticipated to result in exceeding the current established Maintenance Rule criteria for the DGs.

10 CFR 50.63, "Loss of all alternating current power," requires that nuclear power plants must be able to withstand a loss of all AC power for an established period of time and recover from a station blackout (see RG 1.155, "Station Blackout," dated August 1988). The proposed extensions to the Completion Times have no significant effect on the ability to withstand a loss of all AC power and recover from a station blackout.

10 CFR 50.90, "Application for amendment of license or construction permit," addresses the requirements for a licensee desiring to amend its license and the TS incorporated therein. This license amendment request to BFN Units 1, 2, and 3 TS 3.8.1 has been prepared to meet the requirements of 10 CFR 50.90.

4.1.2 Applicable Regulatory Criteria

Regulatory criteria and guidance related to risk-informed activities implement and are consistent with the NRC's "Safety Goal Policy Statement" and the NRC's PRA Policy Statement. General criteria for evaluating the technical basis for proposed risk-informed changes are provided in Section 19.2, "Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance," of the NRC SRP, NUREG-0800. More specific guidance related to risk-informed TS changes is provided in SRP Section 16.1, "Risk-Informed Decision Making: Technical Specifications," which includes Completion Time changes as part of risk-informed decision-making.

Section 19.2 of the SRP states that a risk-informed application should be evaluated to ensure that the proposed change meets the following key principles:

  • The proposed change meets the current regulations, unless it explicitly relates to a requested exemption or rule change;

  • The proposed change is consistent with the defense-in-depth philosophy;

  • The proposed change maintains sufficient safety margins;

  • When proposed changes increase CDF or risk, the increase(s) should be small and consistent with the intent of the NRC's Safety Goal Policy Statement; and

  • The impact of the proposed change should be monitored using performance measurement strategies.

The NRC's Safety Goal Policy Statement and PRA Policy Statement are implemented in part via RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications." RG 1.174 describes a risk-informed approach, acceptable to the NRC, for assessing the nature and impact of proposed licensing basis changes by considering engineering issues and applying risk insights. RG 1.177 identifies an acceptable risk-informed approach, including additional guidance geared toward the assessment of proposed TS Completion Time changes. Specifically, RG 1.177 identifies a three-tiered approach for the evaluation of the risk associated with a proposed TS Completion Time change. This TS change request was developed using the applicable guidelines of RG 1.174 and RG 1.177.

Based on the considerations discussed above, the proposed changes have been evaluated to verify that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) such activities will be conducted in compliance with NRC regulations; and (3) issuance of the amendment will not be inimical to the common defense and security.

4.2 Precedent

A similar TS amendment is listed below. Differences exist between this precedent and this TS change request due to plant design differences.

1. NRC previously approved Amendment No. 178 to Facility Operating License No. DPR-42 and Amendment No. 168 to Facility Operating License No. DPR-60 for the Prairie Island Nuclear Generating Plant, Units 1 and 2, respectively on May 30, 2007 (ADAMS Accession No. ML071310023).

4.3 Significant Hazards Consideration

The proposed change is based on a risk-informed evaluation performed in accordance with RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis," and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-making: Technical Specifications." TVA has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment", as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No

The proposed changes do not affect the design of the DGs, the operational characteristics or function of the DGs, the interfaces between the DGs and other plant systems, or the reliability of the DGs. Required Actions and their associated Completion Times are not considered initiating conditions for any UFSAR accident previously evaluated, nor are the DGs considered initiators of any previously evaluated accidents. The DGs are provided to mitigate the consequences of previously evaluated accidents, including a loss of off-site power.

The consequences of previously evaluated accidents will not be significantly affected by the extended DG Completion Time, because a sufficient number of onsite Alternating Current power sources will continue to remain available to perform the accident mitigation functions associated with the DGs, as assumed in the accident analyses.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No

The proposed change does not involve a change in the design, configuration, or method of operation of the plant. The proposed changes will not alter the manner in which equipment operation is initiated, nor will the functional demands on credited equipment be changed.

The proposed changes allow operation of the unit to continue while a DG is repaired and retested. The proposed extensions do not affect the interaction of a DG with any system whose failure or malfunction can initiate an accident. As such, no new failure modes are being introduced. Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No

The proposed changes do not alter the plant design, including instrument setpoints, nor do they change the assumptions contained in the safety analyses. The standby AC system is designed with sufficient redundancy such that a DG may be removed from service for maintenance or testing. The remaining DGs are capable of carrying sufficient electrical loads to satisfy the UFSAR requirements for accident mitigation or unit safe shutdown. The proposed changes do not impact the redundancy or availability requirements of offsite power supplies or change the ability of the plant to cope with station blackout events.

Therefore, the proposed changes do not involve a significant reduction in a margin of safety.

Based on the above, TVA concludes that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

4.4 Conclusions

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed TS changes meet the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed TS changes.

6.0 REFERENCES

6.1 Browns Ferry Nuclear Plant Updated Final Safety Analysis Report, Chapter 8, Electrical Power Systems, Amendment 23

6.2 Browns Ferry Nuclear Plant Updated Final Safety Analysis Report, Appendix F, Unit Sharing and Interactions, Amendment 23

6.3 Nuclear Utility Management and Resource Council (NUMARC) 87-00, Guidelines For and Technical Basis for NUMARC Initiatives for Addressing Station Blackout at Light Water Reactors

6.4 NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment In Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis," Revision 1, November 2002

6.5 NRC Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications," Revision 0, August 1999

6.6 USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement," Federal Register, Vol. 60, p. 42622 (60 FR 42622), August 16, 1995

6.7 Generic Letter 2006-02, "Grid Reliability and the Impact on Plant risk and the Operability of Offsite Power"

6.8 NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 8.4,111.3.O.iv

6.9 ASME/ANS RA-SA-2009, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications"

6.10 EPRI NP-6395-D, "Probabilistic Seismic Hazard at Nuclear Plant Sites in the Central and Eastern United States: Resolution of Charleston Earthquake Issue", April 1989

6.11 NUREG/CR-6141, "Handbook of Methods for Risk-Based Analysis of Technical Specifications"

6.12 NUREG/CR-6890, "Reevaluation of Station Blackout Risks at Nuclear Power Plants - Analysis of Loss of Offsite Power Events: 1986-2004"

ENCLOSURE 2 Browns Ferry Nuclear Plant (BFN)

Units 1, 2, and 3 Technical Specifications (TS) Change TS - 468 - Request for Extension to Completion Time for TS 3.8.1 Required Action B.4 Proposed TS and TS Bases Changes (mark-ups)

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 44 21 days from discovery of failure to meet LCO |
| B. One required Unit 1 and 2 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter |
| | AND | |

(continued)

BFN-UNIT 1 3.8-2 Amendment No. 234 E2-2

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 1 and 2 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | B.3.1 Determine OPERABLE Unit 1 and 2 DG(s) are not inoperable due to common cause failure. | 24 hours |
| | OR | |
| | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 1 and 2 DG(s). | 24 hours |
| | AND | |
| | B.4 Restore Unit 1 and 2 DG to OPERABLE status. | -7 14 days AND -4 21 days from discovery of failure to meet LCO |

(continued)

BFN-UNIT 1 3.8-3 Amendment No. 234 E2-3

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 7 14 days. This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 7 14 days (for a total of 24 35 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 1 B 3.8-16 Revision 0 E2-4

AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed -7 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The -7 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of -24 28 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7- 14 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 1 B 3.8-20 Revision 0 E2-5

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 44 21 days from discovery of failure to meet LCO |
| B. One required Unit 1 and 2 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter |
| | AND | |

(continued)

BFN-UNIT 2 3.8-2 Amendment No. 253 E2-6

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 1 and 2 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | B.3.1 Determine OPERABLE Unit 1 and 2 DG(s) are not inoperable due to common cause failure. | 24 hours |
| | OR | |
| | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 1 and 2 DG(s). | 24 hours |
| | AND | |
| | B.4 Restore Unit 1 and 2 DG to OPERABLE status. | - 14 days AND 44- 21 days from discovery of failure to meet LCO |

(continued)

BFN-UNIT 2 3.8-3 Amendment No. 253,-269, 298 January 26,2007 E2-7

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to -7 14 days.

This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional -7 14 days (for a total of 24 35 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 2 B 3.8-16 Revision 0-48 A No. 20 Ameidmcnt April 6, 2007 E2-8

AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed -7 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The -7 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 24 28 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the -7 14 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 2 B 3.8-20 Revision 41-8-48 Amendment No. 259, Rcvi)i.n 0,- 7, April 6, 2007 E2-9

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 1-4 21 days from discovery of failure to meet LCO |
| B. One required Unit 3 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter |
| | AND | |

(continued)

BFN-UNIT 3 3.8-2 E2-10 Amendment No. 212

AC Sources - Operating 3.8.1

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 3 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s) |
| | AND | |
| | B.3.1 Determine OPERABLE Unit 3 DG(s) are not inoperable due to common cause failure. | 24 hours |
| | OR | |
| | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 3 DG(s). | 24 hours |
| | AND | |
| | B.4 Restore Unit 3 DG to OPERABLE status. | -7 14 days AND 44 21 days from discovery of failure to meet LCO |

(continued)

BFN-UNIT 3 3.8-3 Amendment No. 212, 218, 256, 257 April 06, 2007 E2-11

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to -7 14 days.

This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional -7 14 days (for a total of 24 35 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 3 B 3.8-14 Revision 0.-48

,Amendment No. 21-8 April 6, 2007 E2-12

AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed -7 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The -7 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 44 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 44 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 14 day and 44 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 3 B 3.8-18 Revision 4--848 Amendmentt No. 2118,RevAisOn 0 April 6, 2007 E2-13

ENCLOSURE 3 Browns Ferry Nuclear Plant (BFN)

Units 1, 2, and 3 Technical Specifications (TS) Change TS - 468 - Request for Extension to Completion Time for TS 3.8.1 Required Action B.4 Proposed TS and TS Bases Changes (Re-Typed)


AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s)
 | AND |
 | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 21 days from discovery of failure to meet LCO
B. One required Unit 1 and 2 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter
 | AND |

(continued)

BFN-UNIT 1 3.8-2 Amendment No. 234 E3-2

AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 1 and 2 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s)
 | AND |
 | B.3.1 Determine OPERABLE Unit 1 and 2 DG(s) are not inoperable due to common cause failure. | 24 hours
 | OR |
 | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 1 and 2 DG(s). | 24 hours
 | AND |
 | B.4 Restore Unit 1 and 2 DG to OPERABLE status. | 14 days AND 21 days from discovery of failure to meet LCO

(continued)

BFN-UNIT 1 3.8-3 Amendment No. 234 E3-3

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 35 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO.

This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 1 B 3.8-16 Revision 0 E3-4

AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 is based on a plant specific risk analysis and establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 1 B 3.8-20 Revision 0 E3-5

AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s)
 | AND |
 | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 21 days from discovery of failure to meet LCO
B. One required Unit 1 and 2 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter
 | AND |

(continued)

BFN-UNIT 2 3.8-2 Amendment No. 253 E3-6

AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 1 and 2 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s)
 | AND |
 | B.3.1 Determine OPERABLE Unit 1 and 2 DG(s) are not inoperable due to common cause failure. | 24 hours
 | OR |
 | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 1 and 2 DG(s). | 24 hours
 | AND |
 | B.4 Restore Unit 1 and 2 DG to OPERABLE status. | 14 days AND 21 days from discovery of failure to meet LCO

(continued)

BFN-UNIT 2 3.8-3 Amendment No. 25, 25,* 298 January 26, 2007 E3-7

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 35 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO.

This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 2 3.8-16 Revision 0-48 Amendment No. 259 April 6, 2007 E3-8

B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 is based on a plant specific risk analysis and establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 2 3.8-20 Revision &-48 Amendment No. 259,Revision 0, 7, April 6, 2007 E3-9

AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
A. (continued) | A.2 Declare required feature(s) with no offsite power available inoperable when the redundant required feature(s) are inoperable. | 24 hours from discovery of no offsite power to one shutdown board concurrent with inoperability of redundant required feature(s)
 | AND |
 | A.3 Restore required offsite circuit to OPERABLE status. | 7 days AND 21 days from discovery of failure to meet LCO
B. One required Unit 3 DG inoperable. | B.1 Verify power availability from the offsite transmission network. | 1 hour AND Once per 8 hours thereafter
 | AND |

(continued)

BFN-UNIT 3 3.8-2 Amendment No. 212 E3-10

AC Sources - Operating 3.8.1

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
B. (continued) | B.2 Declare required feature(s), supported by the inoperable Unit 3 DG, inoperable when the redundant required feature(s) are inoperable. | 4 hours from discovery of Condition B concurrent with inoperability of redundant required feature(s)
 | AND |
 | B.3.1 Determine OPERABLE Unit 3 DG(s) are not inoperable due to common cause failure. | 24 hours
 | OR |
 | B.3.2 Perform SR 3.8.1.1 for OPERABLE Unit 3 DG(s). | 24 hours
 | AND |
 | B.4 Restore Unit 3 DG to OPERABLE status. | 14 days AND 21 days from discovery of failure to meet LCO

(continued)

BFN-UNIT 3 3.8-3 Amendment No. 212, 218, 256, 257 April 06, 2007 E3-11

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 14 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 35 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO.

This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

(continued)

BFN-UNIT 3 B 3.8-14 Revision OG-48 Amendment No. 218 April 6, 2007 E3-12

AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

Based on the diversity of AC electrical power sources, and the remaining redundancy and reliability, operation may continue in Condition B for a period that should not exceed 14 days. In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 14 day Completion Time is based on a plant specific risk assessment and also takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 is based on a plant specific risk analysis and establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 21 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 28 days) allowed prior to complete restoration of the LCO. The 21 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 14 day and 21 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

BFN-UNIT 3 B 3.8-18 Revision 4-8,-48 Amendment No. 218, RevAsion0 April 6, 2007 E3-13

ENCLOSURE 4 Browns Ferry Nuclear Plant (BFN)

Units 1, 2, and 3 Technical Specifications (TS) Change TS - 468 - Request for Extension to Completion Time for TS 3.8.1 Required Action B.4 COMMITMENT LIST

1. As an added measure of defense in depth for each DG outage:
  • Increased administrative control will be exercised for any proposed hot work in the vicinity of protected equipment and in the impacted fire zones (Prior to entering the required Completion Time and maintained for the duration of the required Completion Time).
  • No planned maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable (For the duration of the required Completion Time).
  • Transient combustible loading in the impacted fire zones will be reviewed and any unnecessary transient combustibles will be removed. (Prior to entering the required Completion Time and maintained for the duration of the required Completion Time).

2. The condition of the offsite power supply and switchyard will be evaluated prior to entering the required DG Completion Time for elective maintenance. TVA will develop a procedure to determine acceptable grid conditions for entering the required DG Completion Time to perform elective maintenance.

3. Additional compensatory actions and configuration risk management controls that will apply when entering the required DG Completion Time include:
  • Only one of the eight DGs will be taken out of service at a time. Simultaneous DG maintenance will not be permitted.
  • Electrical boards or transformers will not be removed from service for planned maintenance activities during the required DG Completion Time

  • Weather conditions will be evaluated prior to entering the required DG Completion Time for elective maintenance. A required DG Completion Time will not be entered for elective maintenance purposes if official weather forecasts are predicting severe conditions (tornado or thunderstorm warnings);
  • Elective maintenance will not be performed in the switchyard that would challenge offsite power availability during the proposed required DG Completion Time;
  • The condition of the offsite power supply and switchyard will be evaluated prior to entering the required DG Completion Time for elective maintenance. TVA will develop a procedure to determine acceptable grid conditions for entering the required DG Completion Time to perform elective maintenance;
  • The system dispatcher will be contacted once per day and informed of the DG status along with the power needs of the facility
  • The Unit 1 and Unit 2 HPCI pumps, RCIC pumps, and RHR pumps will not be removed from service for planned maintenance activities during the required DG Completion Time for Unit 1 and Unit 2 DGs;
  • The Unit 3 turbine driven HPCI pump, RCIC pump, and RHR pumps will not be removed from service for planned maintenance activities during the required DG Completion Time for Unit 3 DGs; and
  • Operating crews will be briefed on the DG work plan and procedural actions regarding LOOP and SBO.


ENCLOSURE 5 Browns Ferry Nuclear Plant (BFN)

Units 1, 2, and 3 Technical Specifications (TS) Change TS - 468 - Request for Extension to Completion Time for TS 3.8.1 Required Action B.4 Summary of Browns Ferry Nuclear Plant Probabilistic Risk Assessment Quality Upgrade Initiative

1. Introduction

The Browns Ferry Nuclear Plant (BFN) Probabilistic Risk Assessment (PRA) model was revised to support BFN Unit 1 restart and a full-scope Peer Review was completed in October 2006 on that revised model. The review identified 78 A and B level Findings and Observations (F&Os).

A total of 278 F&Os were identified, including the C and D level F&Os. In addition, in a July 16, 2007 letter to the Tennessee Valley Authority (TVA), the NRC stated that they had identified a number of weaknesses with the PRA model during a January 2006 audit. The NRC also stated that until such time as the information needed to allow the NRC to reach a conclusion regarding the quality and technical adequacy of the PRA model was provided, they did not believe that the existing BFN Unit 1 PRA model should be used to support time-sensitive requests, such as notice of enforcement discretions, or emergency or exigent changes to the Technical Specifications. Considering the high cost estimated to resolve the F&Os from the Peer Review, the NRC identified weaknesses associated with the PRA model, and the fact that resolving these issues would still not produce the documentation required to meet the latest industry PRA quality standards endorsed in applicable regulatory guidance, TVA elected to perform a complete upgrade of the BFN PRA model.

The PRA Quality Upgrade Initiative effort began in July 2007. The scope of this project included transition of the PRA software from RISKMAN to CAFTA and development of a three-unit model including all supporting documentation, in accordance with the standards endorsed by Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 2. The PRA model was developed to meet the capability Category 2 standards for analysis as described in ASME/ANS RA-Sa-2009, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications." A full-scope Boiling Water Reactor Owners Group (BWROG) Peer Review of the new model was conducted in May 2009. The team of seven industry peers determined that the Internal Flooding analysis documentation was incomplete at the time of the review and this element was excluded from their scope of review.

Subsequently, the Internal Flooding analysis was completed and a recognized industry expert was contracted to perform a focused review of this element in October 2009.

This document provides a summary of the tasks that were completed in order to upgrade the BFN PRA. The following sections provide a description of the general requirements of the project and specific details of the steps taken to ensure quality in each of the tasks performed to upgrade the BFN PRA.

2. General Aspects of the Update

The previous BFN PRA included individual models for each unit that created logistical problems with maintaining the models and supporting data current. The new CAFTA model is an integrated, three-unit model that allows the update of multi-unit system models, initiating event frequencies, component failure rates, and unavailability data for all three units with one revision to the model.

Plant and system configuration changes that were field implemented at the model freeze date (i.e., January 1, 2008) were included in the upgraded model. Plant configuration changes that are implemented after the freeze date are reviewed for PRA impact and incorporated into the model as necessary for individual applications. In addition, plant and system configuration changes resulting from security event mitigation strategies and procedures were included in the upgraded model.

All BFN PRA notebooks were developed and issued as TVA calculation documents, in accordance with TVA administrative procedures. The BFN PRA documentation is now retrievable, traceable, and reproducible.

Individuals performing tasks associated with the development of the BFN PRA models and documentation were qualified in accordance with TVA administrative procedures. BFN licensed operators were used as consultants in developing initiating events, accident progression sequences, success criteria, and human performance parameters. Responsible BFN system engineers were involved in the development and review of initiating events and systems analyses.

3. Initiating Events Analysis

The initiating event analysis has been updated to include current industry generic data reflected in NUREG/CR-6928, "Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants," recent plant events and multi-unit initiators. NUREG/CR-6928 was the primary source for industry data and includes data through January 1, 2003. The scope of this analysis included: 1) a review of all initiators in the RISKMAN model to ensure applicability, 2) resolution of previously identified problems including a re-evaluation of the failure modes and effects analysis to identify new initiators not previously modeled, 3) a review of any common initiators that could result in challenging all 3 units or a combination of any 2 units, 4) the Bayesian updating of the initiating event frequency uncertainty distributions with plant specific data from Licensee Event Reports, and 5) the development of an updated Initiating Event Notebook. The Initiating Event Notebook contains all information and documentation necessary to provide a single source of reference regarding initiating events treatment and allow TVA to perform all future updates.

A total of 101 new initiators were added to the three-unit model. Fifty-seven of these initiators are flooding initiators that replaced the seven initiators that were previously included in the BFN Unit 1 RISKMAN model. There are three new initiators (one for each unit) that model the plugging of the raw water intake structure. The rest of the new initiators are related to the loss of specific AC electrical boards and various combinations of the simultaneous loss of two DC boards.

4. Accident Sequence Analysis

The accident sequence analysis models, chronologically (to the extent practical), the different possible progressions of events (i.e., accident sequences) that can occur from the start of the initiating event to either successful mitigation or core damage. The accident sequences account for the systems that are used (and available) and operator actions performed to mitigate the initiator based on the defined success criteria and plant operating procedures (e.g., plant emergency and abnormal operating procedures) and training. The availability of a system includes consideration of the functional, phenomenological, and operational dependencies and interfaces between the various systems and operator actions during the course of the accident progression.

The accident sequences analysis was completely re-evaluated for the BFN PRA upgrade to CAFTA. All initiating events were grouped into classes that could be evaluated collectively. For each functional group of initiating events, an event tree model was developed that defines the possible plant responses, mitigating system functions, and operator actions that determine the event sequence progression. A comprehensive set of plant damage states were defined to account for important conditions that may affect containment response and possible offsite releases after a severe core damage event. These plant damage states provide the interface between the Level 1 PRA models and the Level 2 PRA models. BFN licensed operators were interviewed as part of this process to ensure realistic conditions were modeled.

A total of eight event trees were developed for the BFN PRA:

  • IOOV - Sub-tree for accidents involving one stuck open relief valve
  • MLOCA - Medium LOCA event tree
  • LLOCA - Large LOCA event tree
  • VRLOCA - Interfacing System LOCA - RHR system discharge piping
  • VSLOCA - Interfacing System LOCA - RHR system suction piping

A BFN Unit 1/2/3 Accident Sequence Notebook was produced that provides the top event descriptions, the event tree descriptions and other information as appropriate. The Accident Sequence Notebook contains all information and documentation necessary to provide a single source of reference regarding event tree and accident sequence analysis treatment.

5. Success Criteria

The success criteria analysis was completely re-evaluated for the BFN PRA upgrade to CAFTA.

Success criteria analysis determines the minimum requirements for each function (and ultimately the systems used to perform the functions) to prevent core damage (or to mitigate a release) given an initiating event. The requirements defining the success criteria are based on engineering analyses that represent the design and operation of the plant under consideration.

For a function to be successful, the criteria are dependent on the initiator and the conditions created by the initiator. The computer codes used to perform the analysis for developing the success criteria are validated and verified for both technical integrity and suitability to assess plant conditions for the reactor pressure, temperature, and flow range of interest, and they accurately analyze the phenomena of interest. Calculations were performed by personnel who are qualified to perform the types of analyses of interest and are well trained in the use of the codes.

The objectives of the success criteria element are to define the plant-specific measures of success and failure that support the other technical elements of the PRA in such a way that overall success criteria are defined to determine the core damage frequency and large early release frequency for each unit. Success criteria are defined for critical safety functions, supporting systems, structures, components and operator actions necessary to support accident sequence development.

During risk model development, existing safety analyses were reviewed, and specific thermal hydraulic analyses were performed to establish realistic success criteria for the mitigating systems and operator actions that are modeled in the PRA. In some cases, conservative success criteria were used to simplify the models or their supporting analyses when the degree of conservatism was determined not to have an important impact on the overall PRA results.

6. Systems Analysis

All systems that are required for accident mitigation and those systems supporting accident mitigating systems have been re-analyzed as part of the conversion from RISKMAN to CAFTA.

To support this analysis, each system modeled in the PRA was walked down by a group of PRA analysts to evaluate:

1. component location and operational status;
2. susceptibility to flooding and spray;
3. environmental considerations such as heat sources, ventilation, and steam/humidity sources;
4. considerations for manual operation; and
5. physical characteristics of the room/area.

Any plant design changes made since the last PRA model update were incorporated into the system models. Within the PRA model, the basic events were identified to include the BFN unique identifiers to support future applications such as online risk management. The simplified drawings for each system were re-drawn to match the current plant configuration and reference the current revision of the corresponding BFN drawings. All components included in the PRA models are represented in the simplified drawings. Any non-modeled components represented in the drawing are annotated as such. The intersystem dependency analysis was reviewed, upgraded and documented.

Documentation was provided in the form of an overall system analysis notebook with individual system notebooks, for all systems modeled. The System Analysis notebooks contain all information and documentation necessary to provide a single source of reference regarding individual system treatment to facilitate future updates.

Each system notebook was reviewed by the responsible System Engineer at BFN.

Subsequently, the PRA analyst interviewed the respective System Engineers. The purpose of the interview was to:

  • ensure system modeling in the BFN PRA is consistent with the as-built, as-operated plant;
  • ensure system operating experience is properly considered and documented in the BFN PRA.

7. Data Analysis

The objectives of the data analysis are to provide estimates of the parameters used to determine the probabilities of the basic events representing equipment failures and unavailabilities modeled in the PRA in such a way that:
  • parameters, whether estimated on the basis of plant-specific or generic data, appropriately reflect the configuration and operation of the plant;
  • component or system unavailabilities due to maintenance or repair are accounted for; and
  • uncertainties in the data are understood and appropriately accounted for.

The unreliability (or failure rate) data are based on generic industry data that has undergone Bayesian updating with plant specific data. Plant specific data for the period January 1, 2003, to January 1, 2008, was evaluated and used as input to the Bayesian analysis.

The unavailability data is based on plant specific data collected in support of the Maintenance Rule or derived from plant records, generic industry data, or estimates from plant personnel such as system engineers or operations staff. Plant specific data is the preferred method for determining unavailability since it represents historical equipment unavailability. Plant maintenance unavailability data is based on the same time period as the failure data (i.e., January 1, 2003, to January 1, 2008). Generic industry data from NUREG/CR-6928 was used for components for which no plant specific data was available. If no plant specific or generic industry data were available, estimates from plant personnel such as system engineers or operations staff were used.

Common cause failures are the failures of multiple, redundant equipment from three main causes:

  • Inadequate design or equipment qualifications
  • Improper maintenance or testing
  • Equipment aging

In the conversion of the BFN PRA from a RISKMAN model to a CAFTA model, the methodology was changed from the Multiple Greek Letter methodology to the Alpha Factor Method.

The Alpha Factor Method was chosen for the BFN PRA model to estimate CCF probability for several reasons:

  • It is a multi-parameter model which can handle any redundancy level.
  • The parameters used in the model are based on the ratios of failure rates which makes the assessment of its parameters easier when no statistical data are available.
  • It has a simpler statistical model compared to other analytical models.
  • It produces more accurate point estimates as well as uncertainty distributions compared to other analytical models (e.g., Multiple Greek Letter Model which has the first two properties listed above).
  • The recommended parametric model to use in quantifying common cause failures (CCFs) is the alpha model. This is consistent with ASME PRA Standard supporting requirement DA-D5 Capability Category II.

8. Human Reliability Analysis

The purpose of the Human Reliability Analysis (HRA) is to identify human interactions that could play a role in the accident sequences, and to provide an estimate of the probabilities for failure events corresponding to these interactions. The HRA for the BFN PRA was completely re-evaluated as part of the BFN PRA upgrade.

All human error probabilities were reviewed and upgraded based on all applicable three-unit BFN operating procedures. New industry methods and philosophy for human reliability analysis were incorporated into the BFN HRA including addressing and documenting dependency between actions.

As part of the upgrade process, BFN operations personnel were interviewed to assess the timing, level of stress, location of specific operator actions, accessibility of actuation equipment during accident conditions, and number of operators required for specific tasks. In addition, simulator runs were performed by BFN licensed operators so that the HRA analysts could observe operator actions for events of interest.

9. Internal Flooding

The internal flooding (IF) analysis for the BFN PRA was completely re-evaluated as part of the BFN PRA upgrade. The scope of the flooding analysis includes all floods originating within the plant boundary. It does not include floods resulting from external events (e.g., weather, offsite events such as upstream dam rupture, etc.). The overall objective of the internal flood PRA is to ensure that the impact of internal flood as the cause of either an accident or a system failure is evaluated in such a way that:
  • the fluid sources within the plant that could flood plant locations or create adverse conditions (e.g., spray, elevated temperature, humidity, pressure, pipe whip, jet impingement) that could damage mitigative plant equipment are identified and
  • the internal flood scenarios/sequences that contribute to the core damage frequency and large early release frequency are identified and quantified.

Several plant walkdowns were performed to assess the plant for partitioning into flood zones, characterize the flood sources in each zone, examine the flow propagation paths between flood areas, and determine the susceptibility of PRA equipment to flood and spray effects.

10. Large Early Release Frequency Analysis

The Large Early Release Frequency (LERF) Analysis was completely re-done as part of the conversion from a RISKMAN model to a CAFTA model. The LERF Analysis describes the process used to identify core damage sequences that could lead to large early fission product releases to the environment and therefore contribute to the BFN LERF.

The LERF sequences are identified through the development of a series of containment event trees (CETs). The LERF Analysis documents the development of the CETs and the process used to quantify LERF using the CETs. Results of the LERF quantification are contained in the PRA Quantification Notebook.

Separate CETs are developed for each core damage functional class that could result in large early releases. The CET structure has been formulated to include the following features for the accurate assessment of LERF:

  • to properly represent the time sequence of events and to divide the CET into major time periods;
  • to incorporate all important system, human and phenomenological occurrences including possible recovery;
  • to maintain a simplified representation;
  • to preserve the nature of the challenge throughout the analysis;
  • to explicitly recognize the effect of postulated containment failure modes;
  • to allow the identification of recovery and repair actions that can terminate or mitigate the progression of a severe accident; and
  • to categorize the end-states of the resulting sequences into groups that can be assessed for their effect on public safety. (This grouping has been simplified to meet the guidance of Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment In Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis." The end-states consist of "LERF" and "No LERF.")

The LERF analysis interfaces with the Level 1 accident sequence analysis through the appropriate definition of a set of core damage functional classes. These states are the endpoints of the sequences in the Level 1 portion of the event trees and the initiating events for the CETs. The end products of the LERF analysis include a set of release categories, which define the radionuclide releases into the environment, and a quantification of the frequency of each release category. The analysis supporting the containment failure probabilities was updated with the latest plant design information.

11. Quantification

The purpose of this task is to quantify the BFN Unit 1/2/3 CAFTA model and document the results in a PRA Quantification Notebook. The purpose of this notebook is to present the results of the BFN PRA. These results include the calculated total Core Damage Frequency (CDF), uncertainties in the estimated CDF, and the key plant damage classes. This notebook also describes and documents the review of the initiating events, accident sequences, basic events, HEP, systems, and sources of uncertainty that are significant contributors to the CDF.

Importances of systems, components, operator actions, and initiating events are documented in the PRA Quantification notebook.

12. BWROG Peer Certification and F&O Resolution

The previous RISKMAN model underwent a peer review by the BWROG and received a total of 278 F&Os. Although many of these F&Os did not apply to the new CAFTA model because they were specific to RISKMAN modeling techniques, all were reviewed and considered in the development of the new model and PRA documentation.

The BFN Units 1, 2 and 3 Internal Events PRA Peer Review was performed in May 2009 at the TVA offices in Chattanooga, TN, using the process described in NEI 05-04 (Process for Performing Follow-on PRA Peer Reviews Using the ASME PRA Standard), the ASME PRA Standard (ASME/ANS RA-Sa-2009), and Regulatory Guide 1.200, Revision 2. A separate review was performed for the Internal Flooding portion of the BFN PRA in October 2009. The Internal Flooding Peer Review also used the NEI 05-04 process, the ASME PRA Standard, and Regulatory Guide 1.200, Revision 2. A team of independent PRA experts from nuclear utility groups and PRA consulting organizations carried out these Peer Review Certifications.

The purpose of these reviews was to provide a method for establishing the technical adequacy of the BFN PRA for the spectrum of potential risk-informed plant licensing applications for which the BFN PRA may be used. The 2009 BFN PRA Peer Reviews provided a full-scope review of the Technical Elements of the internal events, at-power PRA.

These intensive peer reviews involved over two person-months of engineering effort by the review team and provided a comprehensive assessment of the strengths and limitations of each element of the PRA model. The Peer Review Certification of the BFN PRA model performed by BWROG in May 2009 and October 2009 resulted in a total of 125 findings for the three unit model for internal events and internal flooding. All findings from these assessments have been dispositioned. This resulted in a number of enhancements to the BFN PRA model prior to its use to support these proposed changes. The certification team determined that with these proposed changes incorporated, the quality of all elements of the BFN PRA model is sufficient to support "risk significant evaluations with deterministic input." As a result of the effort to incorporate the latest industry insights into the BFN PRA model upgrades and certification peer reviews, TVA has concluded that the results of the risk evaluation are technically sound and consistent with the expectations for PRA quality set forth in Regulatory Guide 1.174 and Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications."

The PRA Update process defined in TVA administrative procedures ensures that the BFN PRA model adequately reflects the as-designed and as-operated plant configurations. The PRA Update process addresses those activities associated with maintaining and upgrading the BFN PRA model and documentation. PRA Updates include a general review of the entire BFN PRA model, incorporation of recent plant data and physical plant changes, conversion to new software versions, implementation of new modeling techniques, and a comprehensive documentation effort. The PRA Update process replaces the current BFN PRA Model of Record (MOR) with the updated BFN PRA MOR. The PRA Update process is applied to the Level 1/2, full power, internal events BFN PRA. However, the process may be applied to other risk related applications. The BFN PRA model updates are scheduled for 24-month intervals to coincide with BFN refueling outages.

13. Conclusion

The BFN PRA has been converted from a RISKMAN model to a CAFTA model. During this process, all aspects of the BFN PRA were reviewed and the documentation was upgraded to be consistent with the current plant design and operation, and all of the Peer Review comments from the 2006 review were incorporated into the model. Following the upgrade of the model, the internal events and internal flooding portions of the PRA were peer reviewed to the latest ASME PRA standard. All of the findings from these two peer reviews were dispositioned and incorporated as necessary. As a result of these activities, the BFN PRA is now considered to meet the requirements of Regulatory Guide 1.200, Revision 2 for Internal Events and Internal Flooding and to have adequate quality to be used in support of risk-informed applications for BFN.
