AEP-NRC-2015-49, Emergency License Amendment Request to Extend the Allowed Outage Time for an Emergency Diesel Generator
ML15149A412 | |
Person / Time | |
---|---|
Site: | Cook |
Issue date: | 05/28/2015 |
From: | Gebbie J Indiana Michigan Power Co |
To: | Document Control Desk, Office of Nuclear Reactor Regulation |
References | |
AEP-NRC-2015-49 | |
Download: ML15149A412 (104) | |
Text
INDIANA Indiana Michigan Power MICHIGAN Cook Nuclear Plant l& RO One Cook Place Bridgman, MI 49106 A unit ofAmerncan Electric Power IndianaMichiganPower.com May 28, 2015 AEP-NRC-2015-49 10 CFR 50.90 Docket Nos. 50-315 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Donald C. Cook Nuclear Plant Unit 1 Emergency License Amendment Request to Extend the Allowed Outage Time for an Emergency Diesel Generator Pursuant to 10 CFR 50.90, Indiana Michigan Power Company (I&M), the licensee for Donald C. Cook Nuclear Plant (CNP) Unit 1, requests an amendment to the Appendix A Technical Specifications (TS) for Renewed Facility Operating License DPR-58. The proposed amendment would revise TS 3.8.1 to permit extending the Completion Time (CT) from 14 days to 65 days for an
.inoperable emergency diesel generator (EDG). The proposed amendment would also revise the TS Surveillance Requirement 3.8.1.2 and 3.8.1.3 to extend the Surveillance Frequency (SF) from 31 days to 82 days, or within 3 days following the inoperable EDG being restored to service, and TS Surveillance Requirement 3.8.1.7 to extend the SF from 92 days to 145 days, or within 3 days following the inoperable EDG being restored to service.
TS 3.8.1 requires two EDGs to be operable in Modes 1 through 4. During a test run following recent maintenance on the Unit 1 AB EDG, the Number 4 bearing failed, rendering the Unit 1 AB EDG inoperable.
I&M has determined that the safety function of the EDGs will continue to be met with one train inoperable and additional compensatory measures implemented. I&M is therefore requesting a one-time change to TS 3.8.1 that would allow continued operation in Mode 1 with one inoperable EDG. I&M has two permanent non-safety-related diesel generators at CNP. These supplemental diesel generators (SDGs) are designed to provide a backup alternating current power source to either emergency bus in either Unit 1 or 2. The SDGs have adequate capacity to power required safe shutdown loads in the event of a loss of offsite power and failure of the operable EDG.
SDG availability is included as part of the risk assessment associated with this request. The SDGs provide significant risk benefit.
I&M will manage the risk associated with repair of the EDG during use of the proposed extended CT using the CNP configuration risk management program.
I&M is requesting that the proposed change be approved on an emergency basis in accordance with 10 CFR 50.91(5) because failure to issue the amendment in a timely manner would result in SAoo I
U. S. Nuclear Regulatory Commission AEP-NRC-2015-49 Page 2 shutdown of the unit. The unit is currently operating in TS Action Requirement 3.8.1.B.5, which will expire on 0010 on June 1, 2015, and the unit would enter TS Action Requirement 3.8.1.G, which requires the unit to be in Mode 3 in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and Mode 5 in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. This does not allow time for the 30-day public comment period specified in 10 CFR 50.91 (a)(2)(ii) prior to issuance of a normal license amendment. The EDG bearing failure that resulted in this condition could not have been reasonably foreseen. Therefore, I&M could not have avoided the situation that has resulted in the need for an emergency amendment. to this letter provides an affirmation statement pertaining to the proposed amendment. provides I&M's evaluation of the proposed TS change and the basis for requesting emergency approval. Enclosure 3 to this letter provides Unit 1 TS pages marked to show the proposed changes. Enclosure 4 to this letter provides a description of the risk analysis that supports the proposed changes. Enclosure 5 to this letter contains new regulatory commitments associated with this request. Enclosure 6 to this letter provides a Probabilistic Risk Assessment technical adequacy justification. New clean Unit 1 TS pages with proposed changes incorporated will be provided to the U. S. Nuclear Regulatory Commission Licensing Project Manager when requested. Associated TS Bases changes will be made in accordance with the CNP Bases Control Program.
Copies of this letter and its attachments are being transmitted to the Michigan Public Service Commission and Michigan Department of Environmental Quality, in accordance with the requirements of 10 CFR 50.91.
Should you have any questions, please contact Mr. Michael K. Scarpello, Regulatory Affairs Manager, at (269) 466-2649.
Sincerely, Joel P. Gebbie Site Vice President JMT/amp
Enclosures:
- 1. Affirmation
- 2. Evaluation of Proposed Emergency License Amendment Request to Extend the Allowed Outage Time for an Emergency Diesel Generator
- 3. Donald C. Cook Nuclear Plant Unit 1 Technical Specification Pages Marked to Show Proposed Changes
U. S. Nuclear Regulatory Commission AEP-NRC-2015-49 Page 3
- 4. Risk Analysis to Support Extension of Allowed Outage Time for Unit 1 Emergency Diesel Generators
- 5. Regulatory Commitments
- 6. Donald C. Cook Nuclear Plant Probabilistic Risk Assessment Technical Adequacy Justification c: A. W. Dietrich, NRC, Washington, D.C.
J. T. King - MPSC MDEQ - RMD/RPS NRC Resident Inspector C. D. Pederson, NRC Region III A. J. Williamson, AEP Ft. Wayne, w/o enclosures
Enclosure I to AEP-NRC-2015-49 AFFIRMATION I, Joel P. Gebbie, being duly sworn, state that I am Site Vice President of Indiana Michigan Power Company (I&M), that I am authorized to sign and file this request with the U. S. Nuclear Regulatory Commission on behalf of I&M, and that the statements made and the matters set forth herein pertaining to I&M are true and correct to the best of my knowledge, information, and belief.
Indiana Michigan Power Company Joel P. Gebbie Site Vice President SWORN TO AND SUBSCRIBED BEFORE ME THIS b DAY OF * - , 2015 DANIELLE BURGOYNE Notary Public, State of Michigan County of Berrien My Commission Expires 04- 4-2018 Acting in the County of My C s otanExir c-My Comm ission Expires (' * \
Enclosure 2 to AEP-NRC-2015-49 Evaluation of Proposed Emergency License Amendment Request to Extend the Allowed Outage Time for an Emergency Diesel Generator 1.0
SUMMARY
DESCRIPTION 2.0 DETAILED DESCRIPTION 2.1 Proposed Change 2.2 Event Description and Reason for Amendment 2.3 Background
3.0 TECHNICAL EVALUATION
3.1 Plant Specific Confirmatory Analysis 3.2 Tier 1: Probabilistic Risk Assessment (PRA) Capability and Insights 3.2.1 PRA Technical Adequacy 3.2.2 Conclusion of Plant-Specific Assessment Results 3.3 Tier 2: Avoidance of Risk Significant Plant Configurations 3.4 Tier 3: Risk Informed Configuration Risk Management 3.5 Extension of Surveillance Frequency
4.0 REGULATORY EVALUATION
4.1 Applicable Regulatory Requirements/Criteria 4.2 Precedent 4.3 No Significant Hazards Consideration Determination 4.4 Conclusions
5.0 ENVIRONMENTAL CONSIDERATION
S
6.0 REFERENCES
to AEP-NRC-2015-49 Page 2 1.0
SUMMARY
DESCRIPTION Pursuant to 10 CFR 50.90, Indiana Michigan Power Company (I&M), the licensee for Donald C. Cook Nuclear Plant (CNP) Unit 1, proposes to amend the Appendix A Technical Specifications (TS) to Facility Operating License DPR-58. I&M proposes to revise the license, on a one-time basis, to modify TS 3.8.1, "AC Sources - Operating," to extend the Completion Time (CT) from 14 days to 65 days for an inoperable emergency diesel generator (EDG). I&M also proposes to revise the license on a one-time basis, to modify TS Surveillance Requirement (SR) 3.8.1.3 Surveillance Frequency (SF) from 31 days to 82 days and TS Surveillance Requirement 3.8.1.7 to extend the SF from 92 days to 145 days, or within 3 days of the inoperable EDG being restored to service. Specifically, I&M proposes adding a footnote to the TS 3.8.1, Required Action B.5, CT as well as a footnote to TS SR 3.8.1.2, 3.8.1.3, and 3.8.1.7.
2.0 DETAILED DESCRIPTION 2.1 Proposed Change I&M proposes adding a footnote to the TS 3.8.1, Required Action B.5, CT. This footnote would read:
"For the Unit 1 AB DG only, the Completion Time that the DG can be inoperable as specified by Required Action B.5 may be extended beyond the "14 days AND 17 days from discovery of failure to meet LCO 3.8.1.a or b" up to "65 days AND 65 days from discovery of failure to meet LCO 3.8.1.a or b", to support repair and restoration of the Unit 1 AB DG. Upon completion of the repair and restoration, this footnote is no longer applicable and will expire at 0010 on July 22, 2015."
I&M proposes adding a footnote to the TS SR 3.8.1.2, 3.8.1.3, and 3.8.1.7 Frequency. For TS SR 3.8.1.2 and 3.8.1.3, the footnote would read:
"For the duration of the repair and restoration of the Unit 1 AB DG failure which occurred on May 21, 2015, the Surveillance Frequency for the Unit 1 CD DG is extended to 82 days, or 3 days following the restoration of the Unit 1 AB DG, whichever is first."
For TS SR 3.8.1.7, the footnote would read:
"For the duration of the repair and restoration of the Unit 1 AB DG failure which occurred on May 21, 2015, the Surveillance Frequency for the Unit 1 CD DG is extended to 145 days, or 3 days following the restoration of the Unit 1 AB DG, whichever is first."
The difference in the footnotes is due to the length of the SF for each TS SR, when each was last run, and the requested CT for TS 3.8.1.
to AEP-NRC-2015-49 Page 3 2.2 Event Description and Reason for Amendment Description of Events:
At 0010 on May 18, 2015, Unit 1 entered TS Limiting Condition for Operation (LCO) 3.8.1 Condition B as part of a scheduled maintenance work window on the Unit 1 AB EDG. Prior to starting the work window, the Unit 1 AB EDG was run as part of a pre-maintenance run to verify Operability. In the pre-maintenance run, all equipment performed as expected and parameters were within their allowable range. Over the next few days various maintenance activities were performed as part of the work window. At 1049 on May 21, 2015, during performance of a post-maintenance run, the Ul AB EDG tripped on an apparent high bearing temperature. The Ul AB EDG Number (#) 4 bearing was subsequently removed and indications of a wiped bearing were revealed.
Reason for Requestingq Amendment:
Following the failed post maintenance run on May 21, 2015, CNP began evaluating possible causes and potential repair methodologies. Once potential scoping of repairs was complete, a preliminary schedule was prepared that indicated completion of the repair activity might challenge the ability of the plant staff to complete the restoration and testing within the 14 day completion time allowed by the Limiting Condition of Operation (LCO). On May 22, 2015, and May 26, 2015, a draft amendment request was discussed with Nuclear Regulatory Commission (NRC) Staff.
The current timeline for repairs is 56 days, which would result in a CT of 65 days, this includes 6 days of margin due to the complexity of this evolution and to avoid perceived time pressure by workers in the field. The LCO was entered at 0010 on May 18, 2015. The current CT is June 1, 2015. The current 56 day timeline for repairs is based on replacement of the shaft. Specifically, the timeline consists of:
- Remove the cylinder covers and heads (12).
" Disconnect the connecting rod bearings from the crankshaft.
" Disconnect air intake header and exhaust header.
" Remove intake headers and exhaust header from engine.
- Break all jacket water connections and remove jacket water headers.
- Disconnect all lube oil, fuel oil, jacket water and control air lines and remove associated equipment from engine.
- Uncouple the generator from the engine.
- Break all instrument connections between the upper and lower casing. Remove upper half of all main bearings.
" Remove block wall at west end of room, remove electrical sub-panel at west end of room, and disconnect and remove all ventilation lines that run near the engine.
" Relocate generator out of the crankshaft haul path.
- Remove all other crankshaft haul path interferences.
to AEP-NRC-2015-49 Page 4
- Attach jacking connections and lift the top half of the engine off of the base.
- Position the upper half such that the crankshaft can be removed from the engine.
- Remove the crankshaft from the engine and transfer out of room.
- Remove lower half of main bearings.
" Perform all required inspections and equipment checks.
- Move the new crankshaft into the room.
- Reinstall lower half of main bearings.
" Lower the crankshaft onto the engine base.
- Perform required inspections and equipment checks.
- Replace the top half of the engine onto the base.
- Reconnect all lines and equipment onto engine.
- Reattach connecting rods to the crankshaft and install cylinder heads.
- Refill all fluid systems.
" Perform post maintenance testing.
Since the initial event on May 21, 2015, work on the repair of the U1 AB EDG #4 bearing has continued on an around-the-clock basis. The proposed schedule is also based on an around-the-clock basis.
Extension of Diesel Surveillance Frequency The timeline for repair and restoration of the U1 AB EDG would not allow for the plant conditions to accommodate the performance of the Ul CD EDG monthly fully loaded surveillance, as the Unit 1 CD Diesel is rendered Inoperable during the completion of TS SR 3.8.1.2, 3.8.1.3, and 3.8.1.7 is also performed during operation of the CD EDG. TS SR 3.8.1.2 and 3.8.1.3 were last completed on May 5, 2015, and must be completed again no later than June 12, 2015. TS SR 3.8.1.7 was last completed on March 3, 2015, and must be completed again no later than June 26, 2015. An extension to all three of these TS SR SFs would be required in order to delay the completion of these TS SRs for Unit 1 CD EDG until after the repair and restoration of the Unit 1 AB EDG.
Reason that the Amendment is Requested on an Emergency Basis:
I&M is requesting approval of the proposed TS change on an emergency basis as permitted by 10 CFR 50.91(a)(5). The regulation, 10 CFR 50.91(a)(5) states that, where an emergency situation exists, in that failure to act in a timely way would result in shutdown of a nuclear power plant, the U. S. NRC may issue a license amendment involving no significant hazards consideration without prior notice and opportunity for a hearing or for public comment. The regulation states that the NRC will decline to dispense with notice and comment on the determination of no significant hazards consideration if it determines that the licensee has abused the emergency provision by failing to make timely application for the amendment and thus itself creating the emergency. Finally, the regulation states that a licensee requesting an emergency amendment must explain why the emergency situation occurred and why it could not avoid this situation.
to AEP-NRC-2015-49 Page 5 Reason that the Emergency Situation has occurred:
A failure investigation team was assembled to investigate the cause of the failed bearing.
Visual inspection of the failed Ul AB EDG #4 bearing shows the surfaces to be consistent with loss of oil film leading to contact of the #4 bearing with its journal. The apparent cause for the loss of oil film is that a particle, or particles, introduced to the lubricating oil system during the Unit 1 AB EDG critical maintenance project disrupted the oil film to an extent that lead to loss of the film in a localized area The apparent cause of the loss of oil film is that a particle greater in size than the film layer was introduced into the system, likely by the work performed on the Duplex Strainer Selector Valve, 1-QP-59 (grinding occurred). The oil that would have been affected by this work would have an unfiltered path to the Diesel Generator (DG). Sixteen (16) minutes into the EDG run, the foreign material disrupted the film layer of the #4 bearing causing the bearing to "wipe" and the subsequent trip on hi-hi bearing temperature.
The oil film on the #4 bearing is the thinnest of all the EDG bearings due to being the most heavily loaded. Additionally, the #4 bearing has a full oil channel on the upper bearing half and a quarter oil channel on the lower bearing half. The remaining bearings have full oil channels on both the upper and lower bearing halves. It is therefore possible that particulate could have passed through the oil channels of the other EDG bearings without causing a disruption of their oil films. Additionally, anecdotal industry operating experience was identified of foreign material affecting only one bearing of diesel machinery.
The extent of condition for the foreign material apparent cause is limited to the Unit 1 AB EDG.
The scope of work performed on the lubricating oil system in March 2012 and May 2012 for Unit 2 AB and Unit 2 CD EDGs respectively, was significantly less than that of the May 2015 Unit 1 AB EDG maintenance work window. It should also be noted that no work on the lubricating oil systems for the Unit 2 AB and Unit 2 CD EDGs has been performed since the 2012 maintenance work windows. Further, per engineering judgment, the By-Pass Filters for the Unit 2 AB and Unit 2 CD EDGs has been in service for a sufficient length of time (i.e., 3 years) to rid the Before and After Pump circuit of those lube oil systems of any potentially damaging particulate. Additionally, the Unit 1 CD EDG has not had extensive maintenance performed on it in the last several years that could have had a potential to introduce particulate into the lube oil system. Therefore, there is no potential for a common failure mode on the remaining three EDGs.
Reason that the situation could not have been avoided:
I&M could not avoid the emergency circumstance because the high temperature of the #4 bearing could not have been foreseen in sufficient time to allow the 30-day public comment period specified in 10 CFR 50.91(2)(ii). An as-found operability run was performed a few days earlier, prior to the critical maintenance project work window. During this as-found operability run, bearing temperatures were within their allowable range, and overall EDG performance was within acceptance criteria. Recent diesel runs in both units have given no indication of bearing to AEP-NRC-2015-49 Page 6 abnormalities. Also, all recent oil samples and vibration data gave no indication of bearing degradation. Furthermore, a search of the Corrective Action Program was conducted for all diesel runs in both units, covering the last 10 years, and no similar events were discovered.
Therefore, the need to extend the CT of TS LCO 3.8.1, Condition B, Required Action B.5, requiring Unit 1 be shutdown no later than June 1, 2015, could not be avoided.
I&M is requesting approval of the proposed change to include the footnotes by May 31, 2015, which would eliminate the requirement to shutdown Unit 1.
2.3 Background Description of Emergency Power System As stated in Updated Final Safety Analysis Report (UFSAR), Section 8.4, "Emergency Power System," the emergency power sources for the two units, including the DGs, are similar and are electrically and physically isolated from one another. Each unit has two full capacity DGs, each supplying power to two safety-related 4160 volt (v) buses. Loss of voltage to the 4160v buses is sensed by loss of voltage relays. Upon sensing, master relays automatically start the DGs, trip the normal feed circuit breakers for the 4160v buses, and trip all motor feeder breakers and 480v bus transformer feeder breakers on the buses, the 600v bus tie breaker, non-essential 600v feeder breakers, and 480v bus breakers. The DG bus input circuit breakers which connect the DG output to the 4160/600v bus system are automatically closed when voltage and speed approach rated values. The DGs supply power to the 600v buses through the 4160v buses and transformers, respectively.
Each DG comes up to speed and is capable of accepting load within 10 seconds. If either DG fails to start, the remaining one is capable of supplying the required engineered safeguard load.
A Safety Injection (SI) signal will also start the DGs. To avoid overloading of the DGs, all loads are shed when the SI occurs and the safety buses are energized from the DGs. The safety loads are subsequently loaded as required.
The DGs are sized at 3500 kilowatts each to assure available power to operate one train of safety equipment assuming a loss-of-offsite-power (LOOP) concurrent with a loss-of-coolant accident, with or without containment spray.
UFSAR, Section 8.1.2, "Functional Criteria," provides functional requirements employed on electrical systems to achieve maximum reliability and operating efficiency. One of the criteria is that motor loading does not exceed its nameplate rating.
Each diesel engine is a Worthington Type SWB-12, 12 cylinder, heavy duty turbocharged diesel engine, with a continuous rated output of 4900BHP at 514 RPM.
The alternating current (AC) sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function, in accordance with Plant Specific Design Criterion (PSDC) 39. Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The to AEP-NRC-2015-49 Page 7 supporting requirements for demonstrating OPERABILITY of the DGs are in accordance with the recommendations of NRC Regulatory Guide (RG) 1.9, "Application and Testing of Safety-Related Diesel Generators in Nuclear Power Plants", and Institute of Electrical and Electronic Engineers (IEEE) Standard 387-1995 IEEE Standard Criteria for Diesel-Generator Units Applied as Standby Power Supplies for Nuclear Power Generating Stations.
CNP also has an independent on-site, stand-by AC power source consisting of two supplemental diesel generators (SDGs) which automatically supply power to 4.16 kilovolt (kV)
EP Bus 1. EP Bus 1 is normally supplied by the 69kV alternate qualified off-site circuit and can be manually aligned by control room (CR) procedure, action to directly supply a 4.16kV emergency bus. On loss of the off-site qualified 69kV circuit/power, the SDGs automatically start and energize the EP Bus 1, in stand-by, ready for CR action to align them to a safety bus.
3.0 TECHNICAL EVALUATION
3.1 Plant Specific Confirmatory Analysis 3.2 Tier 1: Probabilistic Risk Assessment Capability and Insights The risk associated with extending the CNP Unit 1 one-time TS 3.8.1 Condition B5 CT for the 1 AB EDG from the current 14 days to 65 days has been evaluated with an updated PRA model scheduled for Peer Review in July 2015. Details of the evaluation are included as Enclosure 3.
This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1, on use of PRA findings and risk insights in support of a request for a one time change to a plant licensing basis.
The updated CNP Level 1, internal events (IE) PRA (IEPRA) model includes updated Level 2 modeling to perform the plant-specific risk assessment for this one time TS change. The updated CNP IE & Flooding PRA model is an updated version of the existing peer reviewed CNP PRA model of record. The model of record had been Peer Reviewed against American Society of Mechanical Engineers (ASME) PRA Standard RA-S-2003. A gap assessment of the current model of record Level 1 PRA model against the current PRA Standard RA-Sa-2009 was completed and is addressed as a part of the PRA technical adequacy evaluation further discussed in Enclosure 6. The current Level 2 model was peer reviewed in 2013 against ASME/American Nuclear Society PRA Standard RA-Sa-2009 with clarification and qualifications by the NRC in RG 1.200, Revision 2. The PRA analyses includes evaluations for the dominant external events (internal fire and seismic only, as high winds and tornados were considered negligible). The Seismic, high winds and tornados insights were from the CNP Individual Plant Examination of External Events (IPEEE). An entirely new fire PRA (FPRA) model was completed in 2013 and used in preparing the risk assessment associated with this amendment request. The updated CNP PRA model used was based on, and is an improvement of, the aforementioned CNP model of record. It includes improved support system modeling, and updated general information for failure rates and initiating events frequencies which include updated CNP specific data from 2008 through 2013.
to AEP-NRC-2015-49 Page 8 The updated CNP PRA models (both IEPRA & FPRA) do not contain any recovery action or recovery factor for failed EDGs, thus there is no need to modify any such model factor/action, and EDG failures will not be recovered.
3.2.1 PRA Technical Adequacy The recently updated, but not yet Peer Reviewed CNP Level 1 and large early release frequency (LERF) PRA model used in this assessment is characteristic of the as-built and as operated plant, and is based on the PRA model used in the recent CNP transition from Appendix R to National Fire Protection Association (NFPA) 805 license requirements. The IE model is a linked fault tree model. Severe accident sequences have been developed from internally initiated events. Sequences have been mapped to the radiological release end state (i.e., source term release to environment). CNP's Updated PRA is a further evolution of a detailed model of the plant which originated from the Individual Plant Examination which underwent NRC review. Review comments, current plant design, current procedures, plant operating data, current industry PRA techniques, and general improvements have been incorporated into the current Updated PRA model. CNP PRA models are maintained in accordance with CNP's PRA procedure. This updated model is nearing completion and scheduled for July 2015 Peer Review. It is a major update to incorporate recent plant changes, better reflect accepted industry modeling practices, and updated CNP and industry data.
CNP's PRA current model of record, on which the update is based, was the subject of the following independent, third-party reviews:
2001 Westinghouse Owners Group Peer Review - A full-scope Peer Review performed to the guidance of Nuclear Energy Institute 00-02. All of the Facts and Observations (F&Os) from that Peer Review that were graded at the A or B level were resolved. Only some of the F&Os that were graded at the C or D level were resolved.
2004 AREVA Gap Analysis - This effort identified differences between the 2003 ASME PRA Standard and the version used for the 2001 Peer Review.
2009 Westinghouse Owners Group Focused-Scope Peer Review - This limited-scope Peer Review addressed supporting requirements that pertained to Common-Cause Failure modeling, data analysis performed in support of a Mitigating Systems Performance Indicator, SDG system modeling and incorporation into LOOP/Station Blackout events, and a revised Human Reliability Analysis for Steam Generator Tube Rupture response actions.
In August 2012, Scientech personnel performed a Gap Analysis associated with CNP's transition to NFPA-805 to establish the quality of CNP's IEPRA against the requirements of RG 1.200, Revision 2. The Gap Analysis identified differences between the supporting requirements of the 2003 and 2009 Standards and the impact of these differences on the results of the previous reviews.
The 2012 gap assessment found that Test and Maintenance (T&M) factors were applied differently in the model than standard industry practice. The focused scope peer review associated with this gap has been finalized, and required revising the PRA model to conform to
Enclosure 2 to AEP-NRC-2015-49 Page 9 industry practice for T&M treatment. The metrics for the 1 AB EDG CT extension reflect this recent PRA model change.
The 2012 gap assessment also identified several shortcomings in LERF modeling which were applicable to the underlying Level 2 modeling. As a result, a Level 2 model update was conducted to address the modeling gaps identified. A focused-scope peer review was performed on the Level 2 model in 2013. The high-level results of this peer review were that 37 of the 41 LERF Analysis supporting requirements are met, while four of the supporting requirements were not met. The four Not Met supporting requirements were related to documentation issues and had no numerical effect on the Level 2 model results. Additional focused scope Peer Reviews on LERF treatment identified that then current model LERF treatment was overly conservative based on relatively recent Pressurized Water Reactor Owner's Group (PWROG) (WCAP 163241-P) furnished guidance on the subject. LERF treatment was improved in both the IE and FPRA based on the PWROG guidance and resulted in significant LERF reduction.
As noted earlier, the Updated CNP IEPRA used in this analysis is in the final update stages by a different contractor than the contractor that developed the current model of record and supported by the CNP PRA staff. A preliminary version of the updated CNP IEPRA model was employed to calculate the metrics associated with this request. Selecting a different contractor for the CNP IEPRA update provided an outside/effective third party review of the IEPRA and internal flooding model to assure it was consistent with current industry PRA practices. Prior to this update, the new contractor assessed the existing CNP 09MORW model against standards and practices to determine the scope of work required. This outside assessment determined that most supporting requirements are met at the Capability Category (CC) II level for the IEPRA. Most gaps to CC II were due to failure to appropriately document existing information in model notebooks, or for situations where uncertainty needed to be completed and documented. The majority of items identified as CC I were due to conservative treatment of the associated item and were associated with LERF supporting requirements. None of the shortcomings were considered as significantly affecting model results, except that the model produces conservative results. Incorporation of more recent WCAP LERF guidance and better documentation of other supporting requirements in the updated model address these issues.
The flooding portion of the current model was considered to have insufficient walkdown documentation from the update performed in 2006. However, walkdowns had been performed in the 2005 and 2006 timeframe to determine spatial interaction and this is a documentation issue with no significant impact on model results. The updated model used for this assessment has incorporated changes to address these shortcomings.
Based on the history discussed above, CNP's updated PRA model, including the updated Level 2 model, is acceptable for use in assessing the risk impact of a one-time extension to CNP Unit 1 AB (Train B) EDG (1 AB EDG) CT of 65 days. Discussion of specific PRA model review F&Os and possible impact on PRA model technical adequacy limited to those pertinent to this request is included in Enclosure 6 to this letter. Further discussion of the updated model is contained in Reference 4.
to AEP-NRC-2015-49 Page 10 The model used for the numerical result was the current in-process update to the existing CNP PRA model of record, and the CNP NFPA 805 FPRA model. Treatment of other external events has been considered based on CNP's IPEEE assessments.
Seismic Consideration CNP's Seismic IPEEE assessment dates from Generic Letter 88-20. In that IPEEE assessment the top three contributors were:
- 1) Auxiliary Building Collapse
- 2) Loss of Electrical Systems
- 3) Ice Condenser Failure Contributions from Items 1 and 3 will not be affected/altered due to unavailability of the 1 AB EDG. Item 2, Loss of Electrical Systems, was incurred due to block wall failures near both the 4kV to 600VAC transformers in the switchgear rooms and in the EDG day tank enclosures.
Unavailability of the 1 AB EDG does not impact the capability of these block walls and would have no result on the outcome. These block walls were reinforced subsequent to the IPEEE seismic assessment, with the qualitative result of reducing contribution from item 2, but has not been formally assessed. Additionally, CNP added permanently installed SDGs in the on-site 69kV yard that did not exist at the time of the IPEEE. The 69kV yard is a separate switchyard from the unit's main generator output and normal reserve feed 345kV, and 765kV, yards. These SDG units are Caterpillar diesels housed in a steel framed enclosure, and on a concrete base/foundation. Although they have not been formerly assessed for seismic response, they do provide an alternate, well separated, additional power capability that would ameliorate, to an undetermined extent, the contribution from Item 2. Based on this information, and from prior consideration of EDG unavailability in response to seismic events (which did not consider the possible significant benefit the reactor coolant pump (RCP) Gen III Shutdown Seal (SDS) provide) estimated in Reference 9, wherein an IPEEE based assessment for the seismic contribution of the 1 AB EDG being unavailable for a full month is an Integrated Conditional core Damage Probability (ICCDP) of 1.95E-09. That study concluded that 1 AB EDG equipment associated failures do not play a significant role in overall seismic risk. For these reasons, the 1 AB EDG proposed CT extension has minimal to no impact in the seismic contribution to risk.
Other External Hazards CNP's IPEEE also considered other external hazards:
o High Winds and Tornados, and associated missiles o Shipping which could affect ultimate heat sink o On-Site and Off-Site hazardous material o Turbine generated missiles An extended CT for the 1 AB EDG would not affect any initiators associated with these situations, nor would it be expected to affect plant response for shipping, hazardous material, and turbine missile events, in that the multiple sources of offsite AC power to CNP would not be challenged by these events. Unavailability of the 1 AB EDG would affect response to those high wind and tornado events that could disable offsite power supplies (LOOPs or dual loss of offsite power (DLOOPs)) and cause the unit to rely on EDGs for continued cooling. The IPEEE determined that based on the low frequency of wind, tornado, and tornado induced missiles, to AEP-NRC-2015-49 Page 11 and protection afforded CNP equipment, that contribution to risk from those events was insignificant. Although the 1 AB EDG is important in responding to LOOPs or DLOOPs these events can cause, and cannot be considered through the IPEEE model, this condition is addressed in the updated IE PRA model, by consideration of LOOP and DLOOP initiating event frequency in the industry, which includes those events caused by severe weather conditions.
3.2.2 Conclusion of Plant-Specific Assessment Results The change in CNP risk metrics associated with a one-time extension of the 1 AB EDG TS 3.8.1, Condition B.5, CT from 14 days to 65 days is minimal, consistent with regulatory guidance contained in RG 1.177. This assessment included accounting for 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br /> of concurrent Unit 1, West (Train B), Auxiliary Feedwater Pump (AFWP) unavailability along with the overall 1 AB EDG unavailability, in that the AFWP had been out of service for part of the overall interval before the bearing failed on the EDG. Details of the CNP risk assessment are contained in of this letter. The CNP-specific results for a one time request to extend the 1 AB EDG CT from the current 14 days to 65 days are summarized below.
The ICCDP & Integrated Conditional Large Early Release Probability (ICLERP) associated with this one time TS based on the updated CNP PRA model is 4.13E-06 (ICCDP) and 2.99E-07 (ICLERP). Guidance in RG 1.177 defines acceptable ICCDP and ICLERP as less than 1.OE-5, and 1.OE-6, respectively, provided effective compensatory measures are implemented to reduce the sources of increased risk. Therefore, the estimated conditional probabilities determined are consistent with the RG 1.177 guidelines, provided compensatory measures which act to reduce risk but are not part of the quantitative assessment are implemented.
3.3 Tier 2: Avoidance of Risk Significant Plant Configurations CNP plant risk associated with the proposed extended 1 AB EDG CT are determined from various PRA models for lEs, fire, flooding, seismic, and other external events. Associated actions to avoid or respond to these events on one or both units through function of onsite emergency backup power supplies, and inclusion of additional onsite emergency power, are discussed in Tier 3 information, below.
Ultimately for this extended CT request, CNP provides assurance that any other risk significant plant equipment outage configurations will not occur during the extended CT period by flatly ruling out elective maintenance on other PRA risk significant plant equipment and avoiding other activities that could challenge unit operation or cause fires in risk significant areas. Refer to actions discussed in Tier 3, below. The Tier 3 actions mitigate additional plant risk due to events beyond that associated with 1 AB EDG unavailability represented in the ICCDP and ICLERP values furnished in the Tier 1 discussion above.
This request includes a one-time surveillance interval extension for the Unit 1 Train A (CD) EDG so as to maintain that EDG available and OPERABLE during the extended 1AB-EDG CT.
Further discussion of this is contained in Section 3.5.
to AEP-NRC-2015-49 Page 12 IMPACT ON INTERNAL EVENTS The updated PRA model used in this assessment includes a typical IE model and an internal flooding model. In the IE modeling, the 1 AB EDG is important for responding to LOOP events and has no direct effect on the initiating event frequency. The updated IE PRA model, by consideration of LOOP and DLOOP initiating event frequency from industry information applied in the model, considered the impact of the failed 1 AB EDG and determined its impact for both lEs and internal flooding (internal flooding is discussed below). The updated PRA model also addresses weather (winds and tornado) induced LOOP/DLOOP by using industry initiating event frequencies based on weather induced loss of grid events.
Regardless of the LOOP cause, it is important to assure that all possible emergency power sources and associated electrical distribution system equipment is available for reactor coolant system (RCS) inventory control and decay heat removal. In this case, Tier 3 actions are intended to assure that alternate train generators and powered equipment is available to function by protecting the alternate (Train A) equipment as well as the turbine driven auxiliary feed pump (TDAFP) to assure a multiple diverse auxiliary feed water (AFW) supply is available for heat removal. The model also considers use of CNP's chemical and volume control system and AFW cross-ties as means to provide RCS inventory and heat removal. Tier 3 actions also include obtaining an additional generator to supplement the existing CNP SDGs, and having a final "fall-back" capability to energize a train of the containment distributed ignition system (DIS) if core cooling fails and containment hydrogen is the only thing that can be controlled through continuous limited area burns ignited by DIS equipment.
IMPACT ON INTERNAL FLOODING Internal flooding as noted above is part of the updated PRA model used to determine the PRA metrics provided in Tier 1. This section is a discussion of the top three significant flooding events associated with CNP. Those top three events are: 1) main circulating water system expansion joint failure; 2) essential service water (ESW) system pipe rupture in the ESW pipe tunnel, and; 3) AFW pipe rupture in the East Steam Generator (SG) Stop Valve enclosure. With regard to the first flooding scenario, a large, gross, failure in a circulating water system expansion joint, if unchecked for more than 20 minutes can disable AFW and EDG function and is expected to cause a unit trip. 1 AB EDG unavailability does not affect either the initiating event frequency or the response capability or reliance on offsite power supply, since the event is already considered to disable all EDGs and AFW pumps if unchecked. Sufficient indication and alarms exist in the control room to bring operator attention to such a failure, and actions in the alarm response procedure for condenser pit flooding address such an event by promptly removing the circulating water system from service. Tier 3 actions are suggested to heighten operator awareness of this potential risk and on emphasis prompt action if one of these events were to occur.
The second flooding scenario involves gross rupture of a 20 inch diameter, relatively low pressure (typically <80 pounds per square inch gauge), ESW piping in a confined area that houses the Unit 1 to 2 ESW header cross tie valves and EDG ESW cooling supply valves for all four EDGs on the two units. Flooding in this area would be indicated by low ESW header pressure alarms on one of the two main ESW headers in both CRs, and high sump alarms for to AEP-NRC-2015-49 Page 13 this area. If personnel do not respond in a timely manner, normally open ESW cross-tie valves would be submerged or sprayed, eventually EDG supply valves would be submerged, and EDG room flooding could start for the 1 AB EDG on Unit 1 and the 2 CD EDG on Unit 2. Such an event would not necessarily cause a trip on either unit, but it would be likely that the crew, if unable to stop the flood, would trip the units. At worst, if the correct ESW header (the 1 E/2W header) ruptured and the crews could not close one of the two header crosstie valves, the remaining EDG on Unit 1 (1 CD-EDG) could be disabled through loss of cooling ESW flow, and one EDG on Unit 2 would be lost for the same reason. Procedural direction for a rupture in the ESW system exists and sufficient instrumentation and alarms to indicate such a condition exist in the CRs. Availability of the SDGs to backup EDGs for such events, and capability to use an additional non-safety diesel obtained specifically for this event, reduce importance of the 1 AB EDG for this scenario, as do efforts to eliminate challenges to reserve feed via grid condition monitoring.
In the third flooding scenario, flooding due to a gross rupture in a portion of the AFW line between the last AFW check valve and its tie in to the main feedwater line to a SG in the East SG Stop Valve enclosure was considered to disable AFW flow control to two of four SGs from the Train A AFW pump, and results in a unit trip due to pressure loss in one SG. For this event, 1 AB EDG unavailable does not affect either the initiating event frequency, or equipment disabled. The only part played in such an event by the 1 AB EDG is that it would be the emergency power source for the Train B AFW pump feeding the other two SGs, in the unlikely event normal reserve feed from the switchyards is lost. Availability of the SDGs to backup EDGs for such events, and capability to use an additional non-safety diesel obtained specifically for this event, reduce importance of the 1 AB EDG for this scenario, as do efforts to eliminate challenges to reserve feed via grid condition monitoring. No specific actions are suggested for this flooding, as: 1) a rupture of this nature would most likely be evident through a unit trip and possible SI, for which operators are well trained, and 2) any developing leak in the piping would be readily evident to normal operator and various other group tours in the area.
Regardless of what flooding concern exists, Tier 3 actions are suggested to heighten operator awareness of these potential risks and emphasis prompt action if one of these events were to occur.
IMPACT ON FIRE RISK As discussed above, the fire risk impact is included in the ICCDP and ICLERP metrics provided in Tier 1. The model identified significant fire risk areas are those associated with the CRs, cable spreading areas, component cooling water (CCW) pump and heat exchanger areas, and the 600 VAC switchgear areas. The Tier 3 information below includes actions to assure that fire detection and suppression systems for these areas are functional, that likelihood of fire initiation from work or operating equipment in the area is reduced/eliminated, and that flammable transient material is not in these high risk areas.
SUMMARY
Overall, in that these higher risk equipment combinations and situations are identified, CNP will avoid any risk significant plant configurations by not performing any elective maintenance on
Enclosure 2 to AEP-NRC-2015-49 Page 14 plant equipment, and minimizing activities that could initiate plant transients or challenge continued operation. These conditions will be established through application of Risk Management Actions (RMA) as presented in the Tier 3 discussion below.
RG 1.177 indicates that actions modifying plant design or operating procedures, or to obtain additional backup equipment, should be considered in the Tier 1 evaluation. However, no plant modifications have been made to reduce the risks associated with these Tier 2 considerations.
Alternate means of supplying a function do exist, but for the most part are dominated by the associated required manual actions, and it would not be appropriate to provide an estimated improvement for those manual actions used in the model based on the Tier 3 actions.
3.4 Tier 3: Risk Informed Configuration Management Compensatory Measures Given the impossibility of identifying all possible risk-significant configurations, for this one time Unit 1 TS 3.8.1, Condition 5, Required Action B.5, CT change, CNP will reduce plant risk exposure through a combination of RMAs that prevent planned high risk configurations and other non-quantifiable risk reducing actions to reduce risk through availability of additional power supplies requiring manual actions.
Since the One-time CT extension will exceed the Cook Maintenance Rule (a)(4) On Line risk assessment criteria for "Normal" risk conditions for both for online risk from the internal events model and fire risk considerations, RMAs will be required and are outlined below. These actions are taken consistent with putting controls in place to minimize the higher risk concerns associated with long term unavailability of the IAB-EDG.
RMAs to prevent high risk configurations (due either to fire initiation or other significant plant
.events), and establish non-quantifiable actions to monitor for high risk (fire or other internal or external) events and provide readily usable alternate power sources are listed below:
Note: These actions include a provision that if emergent plant conditions require actions to stabilize the unit(s), and if any of those actions conflict with any of the RMAs below, then those actions should be taken without delay, and the RMA restored after the emergent upset/condition has passed and the plant is stabilized.
- 1. Equipment listed below will be protected in accordance with plant practices for protected/guarded equipment during the 1 AB EDG repair extended CT period. The following equipment will be posted to limit personnel access to these areas (outside of normal Operational, Security, or Fire Brigade related tour and rounds, shift functions) to that approved as needed by the Shift Manager.
Equipment or areas will be posted with signs limiting entry so as to avoid activity or maintenance that might disable remaining risk significant equipment or affect equipment power supplies. There will be no routine work activities outside of expected TS SRs on protected equipment. Operations Shift Manager approval will be required for any emergent work involving this protected equipment.
to AEP-NRC-2015-49 Page 15 The following equipment or areas will be posted/guarded as protected:
o EDGs 1 CD-EDG, and Unit 2 EDGs o Essential Service Water Pumps (All Unit 1 and Unit 2) o The Ul TDAFP and associated direct current Power sources (including Battery Chargers) & Distribution o 1 CD 4kV Switchgear Rooms, and the 600 VAC and mezzanine areas o 1 CD Station Battery and Battery Chargers o 1 CD 250-Vdc Distribution Panels/Room o U1 Main and Unit Auxiliary Transformers o Ul Reserve Feed Transformers o 69kV Switchyard and SDGs o Ul East Residual Heat Removal (RHR) Pump and Heat Exchanger Rooms o U1 East Centrifugal Charging.Pump (CCP) o Ul North SI pump o 345 & 765kV switchyards o Ul DIS Trains o Component Cooling Water Pumps (All Unit 1 and Unit 2)
- 2. In that fire risk dominates CNP Risk parameters, representing the largest portion of the Tier 1 risk estimate, the following actions from Attachment 10 in PMP-2291-OLR-001, CNP's Online Risk Management Procedure, for a Unit 1 Train B fire PRA function unavailable, high fire risk condition, will be implemented:
a) On duty Fire Brigade and Operations crews will be made aware that an extended outage of Unit 1 fire risk significant equipment (the 1 AB EDG) is being invoked, and the risk management actions below, and fire responses for those areas, should be reviewed.
b) The following fire zones are to be guarded as fires in these zones have the potential to damage Unit 1 Train A equipment, that are important with the 1 AB EDG (Train B EDG) unavailable:
to AEP-NRC-2015-49 Page 16 Fire Zone Description 15 Unit 1 CD Emergency Diesel Generator Room 17D Unit 1 East Motor Driven Auxiliary Feed Pump Room 29A & 29G Unit 1 East Essential Service Water Pump, and Screenhouse MCC, Rooms 40B Unit 1 Train A 4kV Switchgear Area 41 & 42A Unit 1 600V Switchgear Areas 42C Unit 1 Inverter Room 44S Unit 1/2 Auxiliary Building El. 609', Southwest End (CCW Pp Area) 55 Unit 1 Electrical Switchgear Room Cable Vault 62B Unit 1 East Centrifugal Charging Pump Room c) For each fire zone listed above:
- 1) No elective maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable.
- 2) Verify installed Fire Detection and Suppression systems are available, as applicable- AND - Establish an hourly fire watch tour of the area.
- OR -
Establish a continuous fire watch in the area
- 3) Verify no transient combustibles are stored in the immediate area, this excludes incidental transient combustible material as defined by station procedures.
- 4) No hot work is allowed in the area.
d) Verify Unit 1 Train A is protected.
e) Operating Large Switchgear Breakers-either:
- 1) Operation of 4kV breakers (on 1A, T11A, 1B, T11B, 1C, T11C, 1D, & T11D) and large 600V breakers (on 11A, 11B, 11C, & 11D) is not allowed on Unit 1, except in response to emergent plant conditions (to minimize the possibility of high energy arc fault and other electrical fires).
-OR -
- 2) 4kV and 600V breakers may be operated in support of planned maintenance or Technical Specification surveillances provided the 609' El. 4kV and 600V switchgear areas automatic fire detection and C02 suppression systems are OPERABLE and in service (i.e. not isolated or bypassed). If not aligned for automatic discharge, C02 suppression systems must be capable of manual actuation and personnel are to be stationed at the actuation panel ready to actuate room C02 for the switchgear area, if directed.
to AEP-NRC-2015-49 Page 17
- 3. Similar to Item 2., above, the following actions from Attachment 12 in PMP-2291-OLR-001, CNP's Online Risk Management Procedure, for Unit 1 Train B fire PRA function supporting Unit 2 unavailable, high fire risk condition will be implemented:
a) On duty Fire Brigade and Operations crews will be made aware that an extended outage of Unit 1 fire risk significant equipment (the 1 AB EDG) is being invoked, and the risk management actions below, and fire responses for those areas, should be reviewed.
b) The following fire zones are to be guarded as fires in these zones have the potential to damage all Unit 2 Safe Shutdown Equipment:
Fire Zone Description 29G Screenhouse MCC Equipment Room 45 & 46A Unit 2 600V Switchgear Areas 46B Unit 2 Control Rod Drive Equipment Room 46C Unit 2 Inverter Room 46D Unit 2 AB Battery Room 54 Unit 2 Control Room 58 Unit 2 Control Room Cable Vault 59 Unit 2 Auxiliary Cable Vault 60 Unit 2 Electrical Switchgear Room Cable Vault 145 Unit 2 Hot Standby Panel Area c) For each fire zone listed above:
- 1) No elective maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable.
- 2) Verify installed Fire Detection and Suppression systems are available, as applicable- AND - Establish an hourly fire watch tour of the area
- OR -
Establish a continuous fire watch in the area
- 3) Verify no transient combustibles are stored in the immediate area, this excludes incidental transient combustible material as defined by station procedures.
- 4) No hot work is allowed in the area.
d) Operations review and brief on the following procedures:
to AEP-NRC-2015-49 Page 18
- 2-OHP-4025-001-001, Emergency Remote Shutdown
- 12-OHP-4025-001-002, Fire Response Guidelines e) Operating Large Switchgear Breakers-either::
- 1) Operation of 4kV breakers (on 1A, T11A, 1B, T11B, 1C, T11C, 1D, & T11D) and large 600V breakers (on 11A, 11B, 11C, & 11D) is not allowed on Unit 1, except in response to emergent plant conditions (to minimize the possibility of high energy arc fault and other electrical fires).
-OR -
- 2) 4kV and 600V breakers may be operated in support of planned maintenance or Technical Specification surveillances provided the 609' El. 4kV and 600V switchgear areas automatic fire detection and C02 suppression systems are OPERABLE and in service (i.e. not isolated or bypassed). If not aligned for automatic discharge, C02 suppression systems must be capable of manual actuation and personnel are to be stationed at the actuation panel ready to actuate room C02 for the switchgear area, if directed.
- 4. The Unit 1 CD EDG (Train A EDG) day tank shall be filled to just under the high level alarm, so as to provide as much run time for this EDG as possible before the day tank requires replenishment. This will provide approximately 87 minutes of Train A operation at full load if all other sources of power are lost, allowing additional time for personnel to restore offsite power from other sources if required.
5 Elective Maintenance or test activities which could lead to a unit trip, excluding TS required surveillances, will not be performed unless needed to address an emergent failure that could challenge continued unit operation or the protected equipment for this CT extension. A listing of TS surveillances expected to be performed that could affect Unit 1 is included below.
- 6. Operations personnel will at least once daily monitor weather and grid conditions that may challenge offsite power reliability and inform Plant Management so that actions can be taken to reduce or eliminate, to the extent practicable, those challenges. The system load dispatcher will be contacted once per day to ensure no significant grid perturbations are expected during the extended CT. Also, the system load dispatcher typically informs the plant operator if conditions change during the extended CT (e.g., when the predicted voltages would be unacceptable as a result of a trip of the nuclear unit).
- 7. A temporary non-safety related diesel generator (NDG) capable of supplying power to the Train B 4kV Emergency bus will be staged in the CNP protected area. The NDG will be connected to the bus in the event of a LOOP. Operations will be provided with instructions regarding start, operation, and breaker operation of this equipment, to utilize this diesel for Unit 1 if needed. Appropriate guidance for using this equipment will be in place prior to entering the extended CT. Additional discussion on the NDG is provided below.
to AEP-NRC-2015-49 Page 19
- 8. A smaller diverse and flexible strategies (FLEX) DG will be brought to the plant protected area location to support Unit 1, with necessary cabling stowed nearby, to relatively quickly connect these diesels through established FLEX connections and procedures to provide an additional emergency operating power for a train of Unit l's Containment DIS.
- 9. Monitor condenser pit and circulating water system piping, valves, condenser water boxes, and flexible couplings in both units for indication of failures that could cause turbine building flooding, and bring these to the attention of Plant Management for prompt evaluation and, if required, action. Operating crews will be briefed to promptly investigate condenser pit sump level, condenser pit flooded alarms, and condenser/circulating water system anomalous behavior, so as to take actions needed to arrest turbine building flooding due to circulating water system piping failures in the turbine building.
- 10. Monitor ESW pipe tunnel alarms and ESW system indications in both units for indication of failures that could cause ESW Pipe tunnel flooding, and bring these to the attention of Plant Management for prompt evaluation and, if required, action. Operating crews will be briefed to promptly investigate pipe tunnel sump alarms or anomalous ESW system behavior, so as to take actions needed to address any ESW initiated flooding due to ESW system piping failures. If ESW pipe tunnel sump alarms are not functional, the crews should periodically monitor ESW piping in the ESW pipe tunnel for leaks.
- 11. The Operations department will periodically (every twelve hours) verify that the temporary NDG is properly staged and that the guidance necessary to connect it to the emergency bus is available at the machine.
- 12. These compensatory measures will be promulgated to the operating crews in an operations department standing order.
Non-Safety Related Diesel Generator As a mitigating measure, CNP will stage, within the CNP protected area, a temporary NDG capable of supplying power to the Train B 4 kV Emergency bus. This NDG will be connected to the bus in the event of a LOOP. The requirements selected for NDG was greater than 1353 kW. The loads considered were as follows:
- BHP KW Charging Pump 684 554 Component Cooling Water Pump 515 417 Essential Service Water Pump 446 357 N Train Battery Charger 25 Total 1353
- BHP - Brake Horse Power to AEP-NRC-2015-49 Page 20 These loads consist of one train of equipment required to maintain the affected unit in a safe and stable state through RCS inventory control and decay heat removal for a 24-hour period in the event of a station blackout. This selection of equipment has been previously analyzed by the CNP PRA model to provide successful outcomes for a single unit following a loss of off-site power and subsequent failure of a single installed (TRO 8.8.3) supplemental diesel generator.
The NDG will be kept in non-running stand-by alignment to prevent excess fuel consumption and damage due to long-duration unloaded operation which can cause reliability problems. The NDG fuel tank will be kept full, and the generator output connections will be made to the low potential side of the 480V- 4.16kV step-up transformer. The transformer output cables will be routed into the Train B 4 kV room, and when required, will be manually connected to the Train B 4 kV safety buses. This is accomplished by disconnecting the incoming feed from the 69 kV alternate off-site power source and reconnecting the NDG output cables to the line side of this feed breaker. The high potential transformer cables will be staged in 4 kV settlement pit. They will be staged below grade under a closed manhole cover to provide environmental protection when the NDG is not in use and avoid the need for a security compensatory action that would be required if cables were permanently routed through the manhole. Both ends of the cable will be prepared for termination at the transformer and breaker respectively. Once the connection to the T11 A 4 kV bus is made and the generator is connected, the EP feed breaker can be manually closed from the U1 control room to restore power to the Train B safety bus. Based on a walk-down with construction and operations personnel, the actions to place the NDG system in service and provide power to the safety busses is approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This timeline consists of making the final cable pulls and connecting to the transformer and breaker, starting the NDG, and aligning breakers to repower the 4 kV bus.
As part of the receipt and staging of the temporary diesel generator the machine will be started, and it will be verified that the engine comes up to speed and that the generator develops the required voltage. The Operations Department will periodically (every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) verify that the generator is properly staged and that the guidance necessary to connect it to the emergency bus is available at the machine.
The on-board fuel storage capacity for the NDG is 1150 gallons. This fuel is expected to provide power at the assumed capacity (1353 kW) for approximately 11.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. In the event the NDG is required to load, the vendor will be able to provide fuel delivery on an acceptable timeline to maintain constant operation. In the event of an external event that prevents delivery of additional fuel to the site, CNP has procedures and equipment in place to provide fuel to the NDG from the installed plant emergency diesel generator fuel oil storage tanks. All operators have been trained on the procedures required to perform this transfer.
Typical Unit 1 TS Surveillance and Other Activities That Will be Performed During the One Time I AB EDG CT Extension This list is not all inclusive, but lists typical TS surveillances currently identified as scheduled for the period of the 1 AB EDG unavailability.
to AEP-NRC-2015-49 Page 21
- Unit 1 and 2 Train B Reactor Trip Breaker and Solid State Protection System (SSPS)
Logic Test (1-IHP-4030-111-001B for U1, similar for U2) - trip breaker testing places automatic reactor trip function on the Train A normal and bypass reactor trip breakers and associated reactor protection system (RPS) while the Train B reactor trip breaker is tested, the Train B SSPS test disables Train B auto actuation capability for most Train B engineered safety feature (ESF) functions, however Operators retain capability and have procedural direction to start or position equipment if an ESF actuation were to occur.
- Unit 1 West ESW Pump Test (1-OHP-4030-119-022W) - this test closes the 1W-2E ESW header cross tie valve and takes Inservice Inspection/Testing (ISI) pump performance data, the header remains in service and the cross tie valve can be re-opened if needed should an event occur, the 2E ESW pump will also be running to keep the 2E ESW header in service and pressurized. 4kV breaker operation may be required depending on which ESW pump(s) are running.
- Unit 1 and 2 Pressurizer Pressure Set Channel Operational Test (COTs) (1-IHP-4030-102-013AI014A/015B/016B) - in these tests the bistable input is bypassed for all sets for Reactor Protection System (RPS) & SSPS functions, thus the associated RPS & SSPS function for the bypassed input remains in a 2 out of 3 (RPS) or 2 out of 2 (SSPS) logic and takes two failures/events to trip the unit and initiate an SSPS actuation.
- Unit 1 West RHR Train Operability test (1-OHP-4030-117-050W) - this test starts the West (Train B ) RHR pump on recirculation flow to open In-Service Testing (IST) data, outside of the pump recirculation flow valve opening and closing (and being closed by procedure) this has no other significant effect on the unit. Requires 4kV breaker operation to start and stop the RHR pump.
" Unit 1 SG Stop Valve Dump Valve testing (1-OHP-4030-151-018) - this test sequentially demonstrates function of both SG stop valve dump valves associated with each of the four SG stop valves, this is accomplished through a test feature that first closes off the dump valve under test flow path to the stop valve actuating cylinder, and then when the flow path, is closed, opens the dump valve.
- Unit 2 AB EDG slow speed start - this is a surveillance run on the Unit 2 Train B EDG which consists of a slow start, parallel to the grid, loading and running at full load for one hour, and unloading & shutting down the EDG, as well as some related fuel oil system testing. Requires Unit 2 4kV breaker operation to parallel EDG and remove from service at end of test.
- Unit 2 CD EDG slow speed start - this is a surveillance run on the Unit 2 Train A EDG which consists of a slow start, parallel to the grid, loading and running at full load for one hour, and unloading & shutting down the EDG, as well as some related fuel oil system testing. Requires Unit 2 4kV breaker operation to parallel EDG and remove from service at end of test.
- Unit 1 North SI pump SI (1-OHP-4030-108-051N) - this surveillance runs the U1-N-SI pump with the pump manual discharge valve closed on recirculation flow for IST data, operators at the pump have instructions to re-open the manual valve when directed.
Requires 4kV breaker operation to start & stop pump
- Unit 1 Containment Upper Compartment Train A Normal Range Area Radiation Monitor COT (1-IHP-4030-113-010A) - this channel operational test opens several containment ventilation (valves which are normally shut and are opened for this procedure) to validate to AEP-NRC-2015-49 Page 22 relay actuation by valve closure, no other impact on Unit 1 outside of unavailable Upper containment radiation monitor information.
- Unit 1 Containment Recirculation (H2 Skimmer) Ventilation (CEQ) Fan IST and response time test (1-EHP-4030-128-003A) - this test starts the CEQ fan and obtains associated response time and fan operating data, no other impact on Unit 1.
" Unit 1 4kV Safety Bus T11 A Phase 1 to Phase 2 Under Voltage (UV) Relay COT (1-IHP-4030-182-007) - this surveillance test operates one relay out of a 1 of 2 scheme for UV actuation on bus T11 A. The test is straightforward by way of pushing a relay test button, performed in the CR, two I&C technicians perform the test, one performing actions after the second technician has validated that correct equipment has been identified for operation, and first determines that no other associated relays are tripped.
- Repair to the screenhouse center lake intake structure (one of three inlets and two outlets that can bring lake water into the screenhouse and fish deterrent system in Lake Michigan
- Unit 1, East-CCW surveillance (1-OHP-4030-116-020E) - this surveillance obtains 1E CCW pump data for a system that is normally in service and cycles valves within that system for ISI program.
- Unit 1 RCP bus UV relay calibration (1-IHP-4030-182-014) - tests 4kV bus undervoltage relays, one at a time, for proper setpoint, this testing is done in the CR, uses a relay tester in combination with a test plug, the test plug removes the relay trip function from service while the relay is calibrated, after calibration a different relay test plug is used to verify indication of the UV trip for that one channel into SSPS.
- Unit 1 RCP bus UV relay trip actuating device COT (1-IHP-4030-182-001) - tests 4kV bus undervoltage actuation relay string function for one relay at a time, testing is done in the CR with two Technicians, removes the relay plug and inserts a test plug to trip and validate operation of the actuation relay string into SSPS. Repeats for all eight relays.
- Unit 1 RCP bus underfrequency (UF) relay trip actuating device COT (1-IHP-4030-182-002) - tests 4kV bus UF actuation relay string function for one relay at a time, testing is done in the CR with two Technicians, removes the relay cover, pushes the relay arm to the UF position to trip and validate operation of the actuation relay string into SSPS. Repeats for all eight relays.
- Unit 1 East Charging Pump operability test (1-OHP-4030-103-052E) - ISI tests a normally running, in-service, charging pump for flow & pressure, 4kV breakers may have to be operated to change charging pumps to have the correct pump in operation for the test.
- Weekly NEIL switchyard inspection - Perform a visual inspection, to include as applicable, cleanliness, leaks, pressures/temperatures, compressor run time, relay flags, oil levels in tanks and bushings, heaters. Perform a visual inspection of batteries for abnormal/unusual conditions. Inspection will include Ambient Temperature, General Cell/Rack Inspection and Ventilation Equipment Check.
- Monthly NEIL switchyard inspection - Perform Visual Inspection on all Equipment and Structures in the 69 kV Yard, 345 kV Yard, and the 765 kV yard for any discrepancies or malfunctions.
" Monthly NEIL switchyard battery inspection - Perform the following - Battery Float Voltage, Pilot Cell Voltage and Specific Gravity or Battery Float Charging Current, Electrolyte Level, Charger Output Current/Voltage and Unintentional Grounds.
to AEP-NRC-2015-49 Page 23 3.5 Extension of Surveillance Frequency TS SR 3.8.1.2 and 3.8.1.3 Since January 2010, there have been 116 valid demands logged for the Unit 1 CD EDG with three events logged as valid failures. Eleven demands were logged as invalid tests since January 2010 and will not be considered in this discussion.
Of the three identified failures, only one event was determined to result in an actual loss of 1 CD EDG function.
Corrective Action condition report Action Request (AR) 2014-6397 documented that-Unit 1 CD EDG failed to successfully load when breaker 1-T11D8 failed to close in May 2014. The Equipment Apparent Cause Evaluation (EACE) performed for this event identified the apparent cause to be an open (closing) circuit caused by the isolated failure of the anti-pumping relay, the Auxiliary Switch (breaker) and the Secondary Disconnect Contact Assembly. Breaker 1-T1i1 D8 was replaced as part of the investigation into this event, with breaker post-maintenance testing performed satisfactorily. This is the only event that is an actual failure of the 1 CD EDG.
The two test failures that did not result in a loss of function are:
- Corrective Action condition report AR 2011-11629 documented that Unit 1 CD EDG was tripped due to low field volts and higher than expected phase amps in October 2011.
The EACE performed for this event determined the cause to be attributed to the droop pot being adjusted such that it was no longer providing the droop identified during the tuning of the voltage regulator. The EACE also determined that the 1 CD EDG would have been capable of performing its design function during a loss of offsite power event.
The voltage regulator was replaced and the 1 CD EDG was satisfactorily returned to service. Corrective actions were also implemented to update the EDG Voltage Regulator Clean and Inspect Model Work Order to better define setting of the voltage regulator droop pot and to update the EDG Voltage Regulator Tuning and Adjustment procedure.
- Corrective Action condition report AR 2013-1347 documented that Unit 1 CD EDG was shut down due to a Fuel Injector Pump leak on the number 6 cylinder in January 2013.
The EACE performed for this event identified the apparent cause of the crack in the Delivery Valve Holder to be failure of the vendor to recognize an attribute of their Delivery Valve Holder drawing as a critical characteristic and to specify verification of that critical characteristic on the final inspection sheet. Subsequent past operability evaluation was performed in Corrective Action condition report AR 2013-14944-8 and determined that all affected EDGs remained operable for the durations that the High Pressure Fuel Injection pumps containing lot LCH 1109 Delivery Valve Holders were installed. Delivery Valve Holders from bad manufacturing lot LCH-1 109 were replaced with pumps having the 60-degree geometry at the fuel line connection.
to AEP-NRC-2015-49 Page 24 Over the past five years, the Unit 1 CD EDG has performed successfully in 97.4% of valid demands (3 valid failures in 116 demands) and has been capable of performing its required function in 99.1% of valid demands (1 loss of function in 116 demands). Based on Unit 1 CD EDG reliability greater than 97% and the successful implementation of corrective actions to resolve the three test failures that have occurred since 2010, it is acceptable to delay the performance of Unit 1 CD EDG surveillance testing while Unit 1 AB EDG is inoperable for repairs.
TS SR 3.8.1.7 The Surveillance and IST Program testing history of the Unit 1 CD Emergency Diesel Generator Fuel Oil Transfer Pumps (1-QT-106-CD1 and 1-QT-106-CD2) was reviewed. Since third quarter 1996, there have been 80 tests of Fuel Oil Transfer Pump CD1 and 86 tests of Fuel Transfer Pump CD2. All 166 tests were completed satisfactorily.
A review of ARs associated with Fuel Oil Transfer Pumps CD1 and CD2 identified three ARs for equipment related issues.
AR 000047563 documented that on 11/05/2000 Fuel Oil Transfer Pump CD1 bearing vibration point 3H was above the alert limit, but within the action limit. This did not result in a loss of function for Fuel Oil Transfer Pump CD1.
AR 000084437 documented that on 11/03/2003, Fuel Oil Day Tank Level reached 130 gallons and was manually raised above 140 gallons. Fuel Oil Transfer Pump auto start setpoint of 120 gallons was not reached, so this did not indicate a loss of function.
AR 2012-4382 documented that on 4/04/2012, the auto start setpoint for the Fuel Oil Transfer Pumps was set too low. Operations determined that this condition was a matter of less than optimal performance of the Fuel Oil makeup control and that surveillance acceptance criteria were met.
Since there have been no test failures or equipment issues that have resulted in loss of function of the Unit 1 CD EDG Fuel Oil Transfer Pumps in over 18 years, it is acceptable to delay the performance of Fuel Oil Transfer Pump Surveillance and IST Program testing while Unit 1 AB EDG is inoperable for repairs.
4.0 REGULATORY EVALUATION
4.1 Applicable Regulatory Reguirements/Criteria Requlatory Requirements As described in UFSAR, Section 1.4, the PSDC define the principal criteria and safety objectives for the CNP design. The following PSDC is relevant to the proposed amendment:
to AEP-NRC-2015-49 Page 25 AC Power Systems Plant Specific Design Criterion 39 - Emergency Power - An emergency power source shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning of the engineered safety features and protection systems required to avoid undue risk to the health and safety of the public. This power source shall provide this capacity assuming a failure of a single active component.
10 CFR 50, Section 36 (c)(2)(ii), stipulates that a TS LCO must be established for each item meeting one or more of the following criteria:
- 1. Installed instrumentation that is used to detect, and indicate in the CR, a significant abnormal degradation of the reactor coolant pressure boundary.
- 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of, or presents a challenge to the integrity of a fission product barrier.
- 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.
- 4. A structure, system, or component which operating experience or PRA has shown to be significant to public health and safety.
Onsite electrical power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.
The onsite electrical power supplies, including the batteries, and the onsite electrical distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.
Provisions shall be included to minimize the probability of losing electrical power from any of the remaining supplies as a result of or coincident with, the loss of power generated by the nuclear power unit, loss of power from the transmission network, or loss of power from the onsite electrical power supplies.
The design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the ESF systems. The onsite Class 1E AC distribution system for I&M is divided into two load groups. A 4.16 kV ESF bus is associated with each load group. The two load groups are 100% redundant and are electrically and physically separated such that the loss of either group does not prevent the minimum safety functions from being performed. Each load group has connections to either of two offsite power sources from the to AEP-NRC-2015-49 Page 26 switchyard, and a single DG. Offsite power is supplied to the switchyard from the transmission network via two rights of way approaching the site from two different directions.
The proposed change has been evaluated to determine whether applicable regulations and requirements continue to be met. This one-time, 1 AB EDG, CT change amendment request has been prepared to comply with risk considerations from RG 1.177, Revision 1.
Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
In conclusion, CNP has determined that the proposed change does not require any exemptions or relief from regulatory requirements, other than the TS, and does not affect conformance with any regulatory requirements/criteria.
4.2 Precedent
- 1. Amendment 294 to James A. Fitzpatrick Generating Station (
Subject:
Emergency License Amendment Request Application for Technical Specification 3.8.1 Required Action B.4 Completion Time, dated June 4, 2009.)
- 2. Amendment 171 to Fermi Generating Station (
Subject:
Emergency License Amendment Request for One-Time Extension of Allowed Outage Time for the Fermi 2 Emergency Diesel Generator 12, dated February 5, 2006.)
4.3 No Significant Hazards Consideration Determination A change is proposed to the CNP Unit 1 TS 3.8.1, "AC Sources - Operating." The proposed amendment would extend the allowed outage time for Condition B.5 from 14 days to 65 days.
As required by 10 CFR 50.91(a), the CNP analysis of the issue of no significant hazards consideration is presented below:
- 1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The proposed revision to TS 3.8.1 increases the Completion Time (CT) for Condition B.5 and the frequency for TS Surveillance Requirement (SR) 3.8.1.2, 3.8.1.3, and 3.8.1.7. The DG's safety function is solely mitigative and is not needed unless there is a loss of offsite power. The DGs do not affect any accident initiators or precursors of any accident previously evaluated.
The proposed change does not affect the DG's interaction with any system whose failure or to AEP-NRC-2015-49 Page 27 malfunction can initiate an accident. Therefore, the probability of occurrence of an accident previously evaluated is not significantly increased.
The proposed change maintains defense-in-depth by preserving a reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation.
I&M has determined that the increase in ICCDP due to the proposed change would be small.
Potential consequences of the one-time extension for the 1 AB EDG CT with SDGs Available from 14 days 65 days has been evaluated by analyzing the resulting changes in risk. The increase in risk with regard to design basis accidents, and additional PRA considered initiators and scenarios, was estimated to be acceptably small and the increase in core damage frequency (CDF) and LERF resulting from the proposed change was determined to be within the guidelines published in NRC RG 1.174.
Therefore, it is concluded that the proposed amendment does not significantly increase the consequences of an accident previously evaluated.
- 2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?
Response: No.
The proposed revision to TS 3.8.1 increases the CT for Condition B.5 and the frequency for TS SR 3.8.1.2, 3.8.1.3, and 3.8.1.7. The proposed one-time extension to the completion time does not create the possibility of a new or different type of accident since there are no physical changes being made to the plant and there are no changes to the operation of the plant that could introduce a new failure mode creating an accident or affecting the mitigation of an accident.
Therefore, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.
- 3. Does the proposed amendment involve a significant reduction in a margin of safety?
Response: No.
The proposed revision to TS 3.8.1 increases the CT for Condition B.5 and the frequency for TS SR 3.8.1.2, 3.8.1.3, and 3.8.1.7.
A risk assessment using the current Cook Nuclear Plant PRA model concluded that extending the Completion Time from 14 days to 65 days results in a small change to the CNP risk profile.
There are no new DG failure modes created and the DGs are not an initiator of any new or different kind of accident. The proposed increase in the TS SR limit does not affect the interaction of the DGs with any system whose failure or malfunction can initiate an accident.
Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.
to AEP-NRC-2015-49 Page 28 Therefore, the proposed amendment does not involve a significant reduction in margin of safety.
In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. I&M concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c) and, accordingly, a finding of "no significant hazards consideration" is justified.
4.4 Conclusions In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
5.0 ENVIRONMENTAL CONSIDERATION
A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.
Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.
6.0 REFERENCES
- 1. Regulatory Guide 1.174, "An Approach for using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 2, dated May 2011.
- 2. Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk Informed Decision Making:
Technical Specifications," Revision 1, dated May 2011.
- 3. Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities", Revision 2, dated March 2009.
- 4. PRA-QNT-004, Calculation of Regulatory Guide 1.177Risk Parameters for Potential One-Time Emergency Technical Specification Completion Time Change for Unit 1 AB EDG, Revision 0 to AEP-NRC-2015-49 Page 29
- 5. PRA-FLOOD-014, Internal Flood Detailed Analysis, Revision 0, dated June 16, 2006.
- 6. PRA-FLOOD-01 3, Internal Flood Human Reliability Analysis, Revision 0, dated May 2, 2007.
- 7. PRA-FLOOD-01 1, PRA Internal Flooding Update Scenario Development, Revision 1, dated December 13, 2012.
- 8. Drawing OP-1-5151A-47, Flow Diagram Emergency Diesel Generator "AB" Unit No. 1
- 9. PRA-STUDY-073, Unit 1 Full Power Operation with Train-B Emergency Diesel Generator (1 AB EDG) Out of Service, Revision 2, dated June 2010.
Enclosure 3 to AEP-NRC-2015-49 DONALD C. COOK NUCLEAR PLANT UNIT 1 TECHNICAL SPECIFICATION PAGES MARKED TO SHOW CHANGES 3.8.1-4 3.8.1-6 3.8.1-7
AC Sources - Operating 3.8.1 ACTIONS (continued)
CONDITION REQUIRED ACTION COMPLETION TIME B.5 Restore required DG to 14 days OPERABLE status.
AND 17 days from discovery of failure to meet LCO 3.8.1.a orbFj C. Required Action and C.1 Restore both supplemental 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> associated Completion diesel generators to Time of Required Action available status.
B.1 not met.
OR C.2 Restore required DG to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> OPERABLE status.
D. Two required offsite D.1 Declare required feature(s) 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable, inoperable when its discovery of redundant required Condition D feature(s) is inoperable, concurrent with inoperability of redundant required features AND D.2 Restore one required offsite 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> circuit to OPERABLE status.
(1)For the Unit 1 AB DG only, the Completion Time that the DG can be inoperable as specified by Required Action B.5 may be extended beyond the "14 days AND 17 days from discovery of failure to meet LCO 3.8.1 .a or b" up to "65 days AND 65 days from discovery of failure to meet LCO 3.8.1.a or b", to support repair and restoration of the Unit 1 AB DG. Upon completion of the repair and restoration, this footnote is no longer applicable and will expire at 0010 on July 22, 2015.
Cook Nuclear Plant Unit 1 3.8.1-4 Amendment No. 297,2-"
AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS
NOTES -----------------------------
- 1. SR 3.8.1.1 through SR 3.8.1.22 are applicable only to the AC electrical power sources for Unit 1.
- 2. SR 3.8.1.23 is applicable only to the Unit 2 required AC electrical power sources. The Surveillances referenced in SR 3.8.1.23 are the Unit 2 Surveillance Requirements.
SURVEILLANCE FREQUENCY SR 3.8.1.1 Verify correct breaker alignment and indicated 7 days power availability for each offsite circuit.
SR 3.8.1.2 --------------------- NOTES---------------
- 1. All DG starts may be preceded by an engine prelube period and followed by a warmup period prior to loading.
- 2. A modified DG start involving gradual acceleration to synchronous speed may be used for this SR as recommended by the manufacturer. When modified start procedures are not used, the time, voltage, and frequency tolerances of SR 3.8.1.8 must be met.
Verify each DG starts from standby conditions and 31 daysr9 achieves steady state voltage > 3910 V and
< 4400 V, and frequency > 59.4 Hz and < 60.5 Hz.
(2)For the duration of the repair and restoration of the Unit 1 AB DG failure which occurred on May 21, 2015, the Surveillance Frequency for the Unit 1 CD DG is extended to 82 days, or 3 days following the restoration of the Unit 1 AB DG, whichever is first.
Cook Nuclear Plant Unit 1 3.8.1-6 Amendment No. 28-7, 29-1-, 309
AC Sources - Operating 3.8.1 SURVEILLANCE REQUIREMENTS (continued)
SURVEILLANCE FREQUENCY SR 3.8.1.3 -------------------- NOTES --------
- 1. DG loadings may include gradual loading as recommended by the manufacturer.
- 2. Momentary transients outside the load range do not invalidate this test.
- 3. This Surveillance shall be conducted on only one DG at a time.
- 4. This SR shall be preceded by and immediately follow without shutdown a successful performance of SR 3.8.1.2 or SR 3.8.1.8.
Verify each DG is synchronized and loaded and 31 daysm operates for > 60 minutes at a load > 3150 kW and
< 3500 kW.
SR 3.8.1.4 Verify each day tank contains > 101.4 gal of fuel oil. 31 days SR 3.8.1.5 Check for and remove accumulated water from each 31 days day tank.
SR 3.8.1.6 Verify each required DG air start receiver pressure 31 days is > 190 psig.
SR 3.8.1.7 Verify each fuel oil transfer system operates to 92 days[i automatically transfer fuel oil from the storage tank to the day tank.
(2)For the duration of the repair and restoration of the Unit 1 AB DG failure which occurred on May 21, 2015, the Surveillance Frequency for the Unit 1 CD DG is extended to 82 days, or 3 days following the restoration of the Unit 1 AB DG, whichever is first.
F May 21, 2015, the Surveillance Frequency for the Unit 1 CD DG is extended to 145 days, or 3 days (3)For following the of the duration restoration the repairofand therestoration Unit 1 AB DG, of thewhichever Unit 1 ABisDG first.failure which occurred on Cook Nuclear Plant Unit 1 3.8.1-7 Amendment No. 2-97, 291
Enclosure 4 to AEP-NRC-2015-49 RISK ANALYSIS TO SUPPORT EXTENSION OF ALLOWED OUTAGE TIME FOR UNIT 1 EMERGENCY DIESEL GENERATOR(S)
- mm~tN"D. C. COOK NUCLEAR PLANT POPRCALCULATION/REPORT COVER SHEET Document No. PRA-QNT-004 Rev No. 0 E Fl eF1Adnu ID Status Change
Title:
Calculation of Regulatory Guide 1.177 Risk Parameters for Potential One-Time Emergency Technical Specification Completion Time Change for Unit 1 AB EDG STATUS: E Approved Ej Superseded [:1 Voided L] Information Only Document Type/Class: . Calculation El Report El Class I El Class 2 E Class 3 QUALITY SYSTEM UNIT COMPUTER REVIEW METHOD:
CLASSIFICATION: CODE: NO.: MEDIA: 0 Detailed Review LM Safety-Related L0 Yes El Alternate Calculation LI Non-Safety Related with NAPL ENo EL Other Special Requirements L0 N/A - Status/Class Change Only Z Non-Safety Related Do any assumptions require later verification? 0I Yes Z No If yes, AI No.
==
Description:==
See Purpose This non-design calculation is exempted by the approver from the configuration management requirements of 12-EHP-5040-DES-003 section 3.4.5.
If the Reviewer is the Preparer's supervisor, the supervisor review is needed and is approved: [ N/A Supervisor's Manager's Name Title Signature Date Qualification Matrix Verification
- The responsible Engineering Supervisor/Manager approval signature also serves to signify that the qualifications of the individual(s) assigned as Preparer(s) and Reviewer(s) and Independent Design Verifier(s) were verified in the Plant Qualification Matrix.
IPreparation & Review PREPARED BY: REVIEWED BY: *APPROVED BY:
Name: James M. Heyeck Stephen J. Cherba Andrew W. Garrett
Title:
PRA Engineer PRA Engineer Manager Organization: Ejigineering Programs/PRA Enfineerig Plograms/PRA Eppineering Programs Signature: jzz/-
be, -I.'
Date: - u- s(-e8e- o/i-
[] Sign-offs for additional Preparer(s) and Reviewer(s) on next page This document includes the following pages: 1-46 (46 Pages total) Page 1
I Calculation No. PRA-QNT-004, Rev. 0 Page 2 Table of Contents 1 Purpose ................................................................................................................. 5 2 M ethodology ........................................................................................................ 6 3 Inputs ................................................................................................................... 7 4 Assumptions..................................................................................................... 8 5 Calculations .................................................................................................. 9 5.1 Modifications to the 2009 Internal Events & Internal Flooding Model ....................... 9 5.1.1 Internal Events PRA Model Update - Initiating Events ..................................................... 10 5.1.2 Internal Events PRA Model Update - Accident Sequences .............................................. 12 5.1.3 Internal Events PRA Model Update - Success Criteria ..................................................... 15 5.1.4 Internal Events PRA Model Update - Systems Analysis ................................................... 16 5.1.5 Internal Events PRA Model Update - Human Reliability Analysis .................................. 19 5.1.6 Internal Events PRA Model Update - Data Analysis ........................................................ 22 5.1.7 Internal Events PRA Model Update - Quantification ........................................................ 25 5.1.8 Internal Events PRA Model Update - Large Early Release .............................................. 28 5.1.9 Summary of Internal Events Supporting Requirements not Capability Category II ....... 31 5.1.10 Convergence Analysis of hiternal Events Model ......................................................... 31 5.2 Modifications to the Fire PRA model ....................................................................... 32 5.3 Risk Analysis of Unit I AB EDG Unavailability .................................................... 35 5.4 CDF and LERF Results ............................................................................................. 37 5.5 Analysis of Results ......................................................................................................... 37 5.5.1 Internal Events Model Results Analysis ............................................................................ 37 5.5.2 Fire PRA Model Results Analysis ..................................................................................... 42 6 Conclusions .................................................................................................... 44 7 References ...................................................................................................... 45
I Calculation No. PRA-QNT-004, Rev. 0 CalcuationNo. PA-QNT004, ev. 0Pae I List of Tables Table 5.1-1 - Gap Analysis for PRA Standard Supporting Requirements for Initiating Events ............................ 10 Table 5.1-2 - Gap Analysis for PRA Standard Supporting Requirements for Accident Sequences ....................... 13 Table 5. 1 Gap Analysis for PRA Standard Supporting Requirements for Success Criteria ............................. 15 Table 5.1-4 - Gap Analysis for PRA Standard Supporting Requirements for System Analysis ............................ 16 Table 5.1-5 - Gap Analysis for PRA Standard Supporting Requirements for Human Reliability Analysis ........... 19 Table 5.1-6 - Gap Analysis for PRA Standard Supporting Requirements for Data Analysis ................................ 22 Table 5.1-7 - Gap Analysis for PRA Standard Supporting Requirements for Quantification ................ 25 Table 5.1-8 - Gap Analysis for PRA Standard Supporting Requirements for Large Early Release ....................... 28 Table 5.1-9 - Convergence Analysis of Internal Events M odel .............................................................................. 32 Table 5.2-1 - Fire PRA HFE Review Summ ary .................................................................................................... 35 Table 5.3-1 - Basic Event Settings for Baseline CDF and LERF without SDS ..................................................... 35 Table 5.3-2 - Basic Event Settings for Unit I AB EDG Failed CDF and LERF without SDS .............................. 36 Table 5.4-1 - T otal C D F and LE RF R esults ............................................................................................................... 37 Table 5.4-2 - ICCDP and ICLERP Results for 65 Day Completion Time ........................................................... 37 Table 5.5-1 - Internal Events Initiating Events Comparison of Results ................................................................. 38 Table 5.5-2 - Fire IE Comparison.of Baseline Results with I AB EDG Failed Results .......................................... 43 List of Figures Figure 5.2 MAAP Reactor Core Water Temperature for Emergency Remote Shutdown Cooldown ............... 33 Figure 5.2 MAAP Primary System Pressure for Emergency Remote Shutdown Cooldown ........................... 34 Figure 5.2 MAAP Hottest Core Node Temperature for Emergency Remote Shutdown Cooldown ................ 34 List of Attachments A ttachm ent I - F iles on C D ........................................................................................................................................ 44
I Calculation No. PRA-ONT-004, Rev. 0 Page 4 1 Page 4 I Calculation No. PRA-QNT-004, Rev. 0 I List of Abbreviations AFW Auxiliary Feedwater AMSAC ATWS Mitigating System Actuation Circuitry ATWS Anticipated Transient Without Scram CCP Centrifugal Charging Pump CDF Core Damage Frequency CST Condensate Storage Tank CRDM Control Rod Drive Mechanism CTS Containment Spray system CVCS Chemical and Volume Control System ECCS Emergency Core Cooling System EDG Emergency Diesel Generator EOP Emergency Operating Procedure ESFAS Engineered Safety Features Actuation System ESW Essential Service Water FW Feedwater F-V Fussell-Vesely HEP Human Error Probability HFE Human Failure Event HLR High Level Requirement HSS High Safety Significant ICCDP Integrated Conditional Core Damage Probability ICLERP Integrated Conditional Large Early Release Probability IE Internal Events LERF Large Early Release Frequency LOCA Loss of Coolant Accident LSS Low Safety Significant MAAP Modular Accident Analysis Program MDAFP Motor-Driven Auxiliary Feedwater Pump MOR or MORW Model of Record MTI Maintenance Technical - Instrument and Control NRC Nuclear Regulatory Commission OOS Out of service or Unavailable PAC Plant Air Compressor PORV Power-Operated Relief Valve PRA Probabilistic Risk Assessment PDS Plant Damage State PRM Plant Response Model RAW Risk Achievement Worth RCP Reactor Coolant Pump RCS Reactor Coolant System RHR Residual Heat Removal RWST Refueling Water Storage Tank SDG Supplemental Diesel Generator SBO Station Blackout SG Steam Generator SR Supporting Requirement SSPS Solid State Protection System SI Safety Injection SIP Safety Injection Pump TDAFP Turbine-Driven Auxiliary Feedwater Pump TS Technical Specification
Calculation No. PRA-QNT-004, Rev. 0 Page 5 1 Purpose This calculation documents the PRA quantitative risk impact and allowed outage time associated with MODE I full power operation of Cook Unit 1 with the Unit 1 AB EDG, out of service for a onetime extended TS CT. Unit I is assumed to have no other maintenance occurring other than the Unit I West MDAFP, which was out of service for approximately 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br />, and the Unit 1 Middle Heater Drain Pump, which remained out of service (Assumption 4.1). The Unit 2 Plant Air Compressor was also unavailable for approximately 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />. It also contains information in a format that is readily usable in an Emergent Technical Specification Change request for continued unit operation if the unavailability of the Unit I lAB EDG exceeds plant TS CT time limits.
I Calculation No. PRA-QNT-004, Rev. 0 Page 6 1 2 Methodology The PRA risk impact of operation with Unit I AB EDG unavailable will be estimated using and application specific updated WinNUPRA PRA Model (Input 3.1) and an updated Fire PRA model (Input 3.2), modified for this application as described in this document. Truncation limits for the model are specified in Section 5.1.10.
Regulatory Guide 1.177 (Reference 7.12) risk parameters are calculated using the following general equations:
ACDF = CDFins, - CDFbase where CDFinst = the Unit 1 CDF value when only the Unit 1 AB EDG is unavailable, with appropriate allowances for the Unit 2-PAC & I W-MDAFP OOS time and the operation and maintenance restrictions described below (Assumption 4.1) are in place CDFbase= the Unit I "base case" zero maintenance CDF value (with the exceptions shown in Assumption 4.1).
ALERF = LERFnew - LERFbase where LERFinst= the Unit I LERF value when only the Unit I AB EDG is unavailable, with an appropriate allowance for the Unit 2-PAC & IW-MDAFP OOS time, and the operation and maintenance restrictions described below (Assumption 4.1) are in place LERFa,,e = the Unit I "base case" zero maintenance LERF value (with the exceptions shown in Assumption 4.1).
ICCDP = (ACDF)*(Duration (days) / 365 days/year)
ICLERP = (ALERF)*(Duration (days) /365 days/year)
The Westinghouse Generation III SHIELD seal (referred to as the Shutdown Seal or SDS) has been installed in both units. The updated model credits the capability of this seal based on the guidance in PWROG-14001 (Reference 7.4). Since the NRC has not yet approved the guidance, model results will be provided without the SDS active in the model. Two quantification cases are provided:
- 1. A baseline CDF and LERF value with zero maintenance other than the exceptions listed in Assumption 4.1, without credit for the SDS.
- 2. CDF and LERF values with the Unit I AB EDG failed, with zero maintenance other than the exceptions listed in Assumption 4.1, without credit for the SDS
Calculation No. PRA-QNT-004, Rev. 0 Page 7 3 Inputs 3.1 The 2009 WinNUPRA model of record (Reference 7.1) is outdated and requires a full model update. The preliminary updated model is documented and used in this calculation, and a summary of changes is discussed below in Section 5.1.
3.2 The Fire PRA model of record (Reference 7.2) does not contain credit for the Westinghouse SHIELD seal or the SDGs. Additionally, a documented error in the basis for the number of required SGs supplied by AFW is corrected. These changes are described in detail below.
I Calculation No. PRA-QNT-004, Rev. 0 Page 8 1 4 Assumptions 4.1 The average PRA model test and maintenance factors for the following equipment are adjusted to match the out of service durations during the Unit I AB EDG unavailability:
- The Unit I West MDAFP was unavailable for approximately 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br />. The test and maintenance term is therefore adjusted to 28 hrs/ (14 days
- 24 hrs). This conservatively accounts for 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br /> of unavailability during the onetime extended EDG unavailability window.
- The Unit 2 PAC was unavailable for approximately 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />. The test and maintenance term is therefore adjusted to 14 hour1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />s/(14 days
- 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). This conservatively accounts for 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> of unavailability during the onetime extended EDG unavailability window.
- The Unit I Middle Heater Drain Pump remained out of service for the majority of the EDG unavailability. This pump is not modeled in the Internal Events or Fire PRA.
- Required surveillance runs with short-duration (-15 mins) unavailabilities are not considered. This includes surveillance tests on other EDGs to prove that they remain operable. For EDG runs, multiple equipment operators are stationed at the EDG being tested, such that the EDG can be restored in short order.
4.2 The Westinghouse Gen Ill SHIELD seal (referred to as the Shutdown Seal or SDS) has been installed in both units. The updated model credits the capability of this seal based on the guidance in PWROG-14001 (Reference 7.4). Since the NRC has not yet approved the guidance, model results will be provided without the SDS active in the model.
4.3 To the extent practicable and controllable, no other work is assumed be undertaken that could jeopardize operation of either unit. For example, main turbine valve testing or similar activities, or maintenance work on BOP components that have potential to initiate a unit trip, are assumed to be avoided while repair of the Unit I AB EDG is in progress. Normally scheduled TS Surveillances will be performed, based on multiple successful past performance, well trained MTI personnel, detailed procedures, and action validation/verification by a second MTI Technician, these surveillances are considered to present minimal risk to the unit.
4.4 The PRA risk impact of operation with Unit I AB EDG unavailable will be estimated using a preliminary event specific update to the current WinNUPRA PRA Model of Record (Reference 7.1).
4.5 The plant operating equipment alignment (i.e., secondary plant pumps such as condensate booster pumps, hotwell pumps, or generator cooling pumps and fans) is assumed to not be changed, except in response to emergent equipment conditions or failures that require action to maintain the unit in operation. That is, no purely elective change in plant alignment that could challenge unit operation with a transient is assumed during the Unit I AB EDG repair.
4.6 Unit 1 AB EDG repair work is assumed to proceed around the clock, to an identified plan and schedule, until the EDG is again available.
4.7 For the duration of the outage, the Unit I West - Unit 2 East ESW crosstie valve was closed to maintain operability of the Unit 2 ESW system for the Unit 2 Technical Specifications. Three ESW pumps (two on one unit and one on the other) are running during this configuration. This configuration is not explicitly accounted for in the Fire PRA, because the Fire PRA Model of Record does not contain flag settings for this event. This is offset by other conservatisms in the ESW model in the Fire PRA:
- The model assumes only two ESW pumps are normally operating. This is conservative with the exception of fire induced LOOP in which all pumps must restart.
I Calculation No. PRA-QNT-004, Rev. 0 Pa~e 9 1
- Fire Spurious operation often causes one or more ESW crosstie valves to close in the same scenarios in which ESW pump cables are damaged, thus negating any impact in these scenarios.
" The HFE for alternate shutdown models operators following the procedural guidance in the emergency remote shutdown procedure (Reference 7.14). This procedure directs assigning an operator to coordinate system restoration per the system restoration procedure (Reference 7.15),
which provides direction to re-open the crossties if necessary. In most cases, an alternate shutdown fire renders fire affected unit equipment nonfunctional, so ESW flow to the fire affected unit may not be necessary.
Based on the above considerations, this assumption is judged to have an insignificant impact on the overall results. This configuration is explicitly accounted for in the Internal Events model.
4.8 An HFE was credited in the Fire PRA to re-power the Hydrogen Igniters after fires which left all the busses faulted on the fire affected unit. This action takes 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to complete and it was identified late in the transition period that the time to core damage could be as little as 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in some sequences (such as AFW failure). The HEP was averaged in the final model to account for this.
For this application, there is increased potential for this action to be required since the Unit I AB EDG is not available. Therefore, a risk mitigating action is taken to stage the alternate power supply such that the action can be completed within the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time window. No adjustment is made to the HEP on the basis of this action.
4.9 Train B DIS will not be unprotected from a High Energy Line Break during the extended work window, since the block wall is being removed. This is not considered in this analysis, because the risk impact is insignificant. A High Energy Line Break would result in a unit shutdown, but not a LOOP. Thus Offsite Power, the Unit I CD EDG, and the SDGs remain available to power the Train A DIS system in the event of core damage. Since no other PRA modeled equipment is damaged by a High Energy Line Break, the risk of core damage from this event is not significant.
5 Calculations 5.1 Modifications to the 2009 Internal Events & Internal Flooding Model The 2009 Internal Events & Internal Flooding PRA Model contains a number of errors and modeling issues that required a model update to address. The major issues included:
I. Average test and maintenance values were incorrectly squared due to a misunderstanding of the conditional probabilities involved with support system initiating events.
- 2. ESW and CCW pump recovery terms were applied in internal flooding and dual unit SBO sequences in which pump repair was unlikely.
- 3. No safety train alignment was considered for the SDGs. The SDGs are procedurally directed to be aligned to a single safety train on one unit. Although crews would be expected to re-align them the alternate train if if the first train incurred random equipment failures, no direct procedural guidance exists to direct this consideration.
- 4. A reduction factor was incorrectly used for support system initiating events to reduce the contribution of common cause terms. This reduction factor was used to ensure the common cause failure only occurred during the technical specification allowed outage times during the year. Since common cause failure
I Calculation No. PRA-QNT-004, Rev. 0 Pae1 Page 10 J I
I Calculation No.PRA-QNT-004, I
Rev. 0 factors already include the consideration of the failures occurring within a short time period of each other, this reduction factor is unnecessary.
- 5. The WOG 2000 RCP Seal LOCA model was not fully incorporated. SBO offsite power recovery times were combined with Core Not Uncovered (CNU) probabilities rather than being justified by MAAP analyses. This is no longer considered best practice.
- 6. The amount of sequences on event trees and the total number of event trees were unnecessarily complicated leading to quantification issues.
- 7. Initiating event and component data is sourced from older data sources and out of date.
- 8. Internal Flooding initiating events contained simplified HFEs for isolation of the break which require updating.
Starting from 2009 Model of Record, a full model update was performed. A gap analysis was performed against the current PRA standard (Reference 7.8) as endorsed by Regulatory Guide 1.200 (Reference 7.11) to determine the focus areas of the update. The remainder of this section is broken into summaries of the PRA standard elements and the changes made to address the gaps to capability category II of the standard.
Since Internal Flooding is not a significant risk contributor to overall CDF, or to the configuration specific analysis with the Unit I AB EDG out of service, a discussion of supporting requirements for Internal Flooding is not included. The only major outstanding issue was the HFE discussion above in item 8, and this was corrected during the update. Internal Flooding has been more recently peer reviewed than the Internal Events model, with no significant outstanding issues.
5.1.1 Internal Events PRA Model Update - Initiating Events Table 5.1-1 contains the gap analysis for the PRA standard supporting requirements for initiating events. A summary of changes in the preliminary updated model to address the gaps to Capability Category (CC) II is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Initiating Events Section Capability Gap Analysis Notes Changes for Model Update to Meet CC II lE-A I Met INIT NB Section 2.1 uses logic diagram No Changes Required.
[NIT NB Section 2.2-2.3 includes IE-A2 Met transients, LOCAs, SGTR, ISLOCA, No Changes Required.
various support system IEs, etc.
INIT NB Appendix A has review of IE-A3 Met Cook LERs 1993-1997; Needs to be Updated Cook LER review completed.
updated Need to review generic analyses of from a peer ice IE-A4 Not Met similar plant to check for any missing Review of PRA initiating events IEs condenser PWR plant completed INIT NB Section 2.1 logic diagram, Section 2.4 for other systems; Need to Systems were reviewed where necessary down to the IE-A5 II address RG 1.200 clarification "where train or subsystem level. Loss of a train of DC necessary down to the subsystem or train included as an initiating event.
level"
I Calculation No. PRA-QNT-004, Rev. 0 Pane 11 II Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 Support system IEs appears to consider CCF failures; need to confirm; Need to ESW, CCW, and electrical power trees were IE-A6 111II address RG 1.200 clarification to check reworked during the model update to include system "routine system alignments resulting aligmnents. Common cause events are included, and from preventive and corrective the incorrect reduction factor was removed.
maintenance" IE-A7 Not Met Need to review low-power/shutdown Low-power/shutdown event review completed. No events and preemptive scrams additional events were added based on the review.
Need interviews of plant personnel to Interviews with plant operations completed. No check if potential lEs overlooked additional events were added based on the review.
Need to review (and document review) Operating experience review completed. No IE-A9 I Cook operating experience f,orOprtnexriceevwcme. o additional events were added based on the review.
precursors Dual unit LOOP covered in INIT NB 2.3.4; Dual unit loss of ESW also Dual Unit LOOP and Dual Unit ESW are IE-AIO Met modeled; Need to check support systems considered. The AFW needs of the opposite unit are to ensure multi-unit lEs are properly considered for these events.
addressed and documented IE-B 1 Met Groups assigned in INIT NB (e.g., 2.4, No Changes Required.
4.2, 4.3, 4.9)
IE-B2 Met Groups assigned based on plant effects; Explanation of analysis improved.
Need to state more explicitly Single Unit Loss of ESW was grouped with loss of IE-B3 11 Groupin based CCW.ofSince losneloss CCWandcooling is the primary thelaloslantevn response; Need to state more explicitly impact of losing ESW, and the loss of ESW event progresses slower than loss of CCW, this meets the CC I1requirements of the standard.
XLOCA, ISLOCA, SGTR all separate; MSLB was subdivided into MSLB inside IE-B4 Met Need to check on MSLB inside/outside containment, MLSB outside containment, and Main containment and ensure proper treatment Feedwater Line Break, as required.
Dual Unit Loss of CCW is possible but subsumed Dual unit lEs treated appropriately; within the singe unit event. This primarily impacts AFW crosstie availability (because the opposite unit IE-B5 Met Need to review support systems (e.g., requires AFW) and is included conservatively for ESW) to ensure proper treatment this event. Dual Unit Loss of ESW and Dual Unit LOOP include this consideration as well.
Initiating Events updated using latest generic data IE-CI Met Update calculation with new generic + from industry data sources. Plant-specific data new plant-specific incorporated when necessary.
Data range for plant specific data was January 1, IE-C2 Met In updated calculation, define new data 2008 through December 31, 2013. Unit I Turbine range and justify any excluded data event in fall 2008 was included for initiating events as required, but excluded for criticality factor.
Review cases where operator actions are Recovery actions review completed with HRA IE-C3 Met used to justify a non-IE and ensure update.
sufficient basis
I Calculation No. PRA-ONT-004. Rev. 0 Page 12 1 Page 12 I Calculation No. PRA-ONT-004. Rev. 0 I Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 IE-C4 Met Updated calculation will also use Updated calculation included Bayesian Update Bayesian process process.
IE-C5 1-11 Updated calculation will also apply plant Criticality factor was developed.
availability factor to lEs Stuck Open Pzr PORVs/Safety Valves were For cases where an IE is not included, removed as a separate initiating event (Stuck Open For ase a lBis whre ot iclued, PORVs included as consequential event).
IE-C6 Not Met need to provide justification that Justifica s ded a dditial Losstof matches the Standard (see also IE-C3) Justification is provided. Additionally, Loss of Control Air, Loss of Main Feedwater, and Loss of Condenser Heat Sink included as separate initiators.
IE-C7 I-I No requirement for CC-II No time trend analysis is required for CC II Loss of CCW, Loss of ESW, and Loss of DC are Fault trees used for support system lEs; modeled using fault trees as required. Fault tree IE-C8 Met Need to review and confirm modeling modeling is consistent with Systems Analysis requireent s.
approach, especially as it affects MSPI requiremnents.
Uses multiplier of 365; Need to review 365 day multiplier reduced to account for criticality IE-C9 Met and confirm modeling approach, factor.
especially as it affects MSPI Review modeling to ensure math works Fault tree model calculates an initiator frequency IE-C 10 Met correctly with 365 multiplier, especially over a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period. The multiplier described for CCF events converts to an annual frequency.
IE-CI I Met Recovery actions not generally applied No Changes Required.
to the IE fault trees I E-C 12 Not Met Need to perform and document Comparison review completed.
comparison of results Need to review and improve justification NUREG-1829 (Reference 7.9) data used for Large IE-C13 I-Il for use of generic data for rare lEs to and Medium LOCAs and for Reactor Vessel Failure meet Standard events.
Mostly met; Need to review and ISLOCA model was updated to account for RHR improve ISLOCA justifications where system changes. Credit was removed for isolation of IE-C 14 1-I1 needed, particularly for item (e) LOCA given lack of supporting basis for valve regarding isolation function in high Llosu pportig b fv flow/dp conditions. closure under high DP.
IE-C 15 Met Error factors on lEs will also be part of Updated Probability Distributions were provided for updated calculation lEs.
IE-DI Met Notebook will be updated Notebook is being updated as required.
1E-D2 Met Notebook will be updated Notebook is being updated as required.
IE-D3 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook 5.1.2 Internal Events PRA Model Update - Accident Sequences Table 5.1-2 contains the gap analysis of the PRA standard supporting requirements for accident sequences. A summary of changes to address the gaps to Capability Category (CC) 1I is provided in the table.
I Calculation No. PRA-QNT-004. Rev. 0 Pap-e 13 1 Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Accident Sequences Section Capability Gap Analysis Notes Changes for Model Update to Meet CC It AS-AI Met Event trees model accident sequences No Changes Required.
Key safety Keysafty functions uncion identified idntiiedin in each ach Accident Sequence Notebook being updated to AS-A2 Met appendix to AS NB; Need to review and Ang ensure latest modeling include key safety functions, no changes to accident a Sdealig is iAcaptured (e.g., sequences to meet this requirement were necessary.
Seal LOCA)
Top event descriptions in each appendix to AS NB identify systems needed; See AS-A2, Accident Sequence Notebook will Need to review and ensure latest provide list of systems for each initiator.
modeling is captured (e.g., Seal LOCA)
Operator actions identified in Tables in AS NB appendices; Need to review and A]l entries were reviewed and updated as necessary.
AS-A4 Met confirm all entries, particularly for HEPs related to Seal LOCA AS-A5 Met Accident sequences definitions are No Changes Required.
consistent AS-A6 Met Events are sequentially ordered No Changes Required.
Sequences are delineated in event trees; Accident Sequence Notebook being updated to AS-A7 1-I1 Need to add text description of core include text descriptions of core damage sequences.
damage sequences AS-A8 Met Endstates defined in event trees No Changes Required.
Review uses of TH analysis to ensure Success LOCAs,Criteria SGTRs,updates wereSeal and RCP performed LOCAs.forHigh Small AS-A9 II most recent, realistic applicable analyses Press S pum Reqieents rlef are used Pressure ECCS pump requirements relaxed for Small/RCP Seal LOCAs based on MAAP analyses.
Generally met, but need to review for Sequence detail was reviewed and no significant re quirement AS-A 10 II compliance with squeregarding leve Standard ofdetil Ces change were necessary sfor changes wetnecesa this requirement.
level of detail of sequences Transfers are used; Need to review Transfers explicitly include sequence successes transfers as applied in WinNUPRA to during quantification. Transfers modeled include AS-AI I Met ensure requirements in Standard are met; SBO, Loss of RCP Seal Cooling, ATWS, and Stuck Need to review and ensure latest modeling is captured (e.g., Seal LOCA) Open Pressurizer PORV.
AS-B I Met Impacted systems identified within text; No Changes Required.
Identify impacts explicitly in AS NB AS-B2 Met Event tree structure captures the No Changes Required.
dependence on preceding systems Phenomenological conditions identified AS-B3 Met within text where applicable; Identify No Changes Required.
conditions explicitly in AS NB AS-B34 NA Conditional employedsplit fractions at event tree not generally branches No Changes Required.
AS-B35 Met Linked event tree / fault tree model No NRChanges Required.
captures dependencies
I Calculation No. PRA-QNT-004, Rev. 0 Page 14 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC H Configurations captured within support AS-B6 Met system IE fault trees; dependencies No Changes Required.
among mitigation systems captured in linked fault trees Linked event tree / fault tree structure AS-B7 Met captures Need totime-phased review and dependencies; ensure latest SBO MAAPOffsite Power Recovery was revised based on analyses. No other changes were required.
modeling is captured (e.g., Seal LOCA)
AS-C l Met Notebook will be updated Notebook is being updated as required.
Notebook will be updated; Review AS-C2 Met specific documentation items in Notebook is being updated as required.
Standard to ensure treatment AS-C3 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook
I Calculation No. PRA-ONT-004. Rev. 0 Pap-e 15 1 5.1.3 Internal Events PRA Model Update - Success Criteria Table 5.1-3 contains the gap analysis of the PRA standard supporting requirements for success criteria. A summary of changes to address the gaps to Capability Category (CC) 11 is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Success Criteria Section Capability Gap Analysis Notes Changes for Model Update to Meet CC II SC-A I Met Need to highlight 1 definition of core New Success Criteria Notebook being created which damage explicitly will include the core damage definition.
Assumption 2 in SC notebook: core Definition not explicitly consistent with the damage is max core temp >1400F for > standard, but max 2200F core temperature was used SC-A2 I-III "short duration"; review for "consistent as well. In credited MAAP analyses, once core damage exceeds 1400F core damage is assured and wit tbaisti ded, eno credit was taken forLERF.
core damage arrest cases in basis if needed AS Notebook Tables; Need to confirm New Success Criteria Notebook being created to SC-A3 Met against SC and older SC notebook; Need collect all relevant MAAP analyses for the PRA to incorporate newer PRA-TH-LI model.
reports Appears to be covered; Need to confirm SC-A4 Met modeling of shared mitigating systems See AS-A2 discussion above.
and make documentation explicit sfor each function ECCS injection mission time is 30 minutes, and iission t times ECCS recirculation has a mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
id11 componentsarejstifiedis; < dtimes f k Use of the CVCS crosstie for injection past 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> SC-Arcmpnents a tentiie; Nd tourc includes unavailability of the opposite unit RWST treatment of potential >24 hour to support 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> of injection. This is considered sequences to be sufficient to meet this requirement.
Bases for success criteria appear Non-proceduralized system operation is not credited SC-A6 Met consistent with plant; Need to state in the model. Systems are not credited outside of explicitly in notebook their capability unless a basis exists to do so.
New 4 Need SC notebook based S oteboonk againstolr on MAAP SC MAAP parameter file was updated to latest MAAP SC-B I 111 4.0.5; Need to confirm against older SC version. New Success Criteria Notebook being notebook; Need to incorporate newer created.
PRA-TH-LI reports SC-B2 II-Ili Expert judgment not used No Changes Required.
SC-B3 Met Appropriate level of detail and No Changes Required.
consistency MAAP within 4.0.5; limits Need to check forand of applicability use MAAP MA parameter aaee file was updated to latest iewsudtdt aetMA MAAP SC-B4 Met of also and vithindocmits ersion. MAAP analyses were not credited outside explicitly document such (see also Ref 2 of their applicability (e.g. Large LOCA).
in SC Notebook) book; No comparison in new SC notebook; New Success Criteria Notebook being created will SC-B5 Not Met Need to check against old and create/update reasonableness check
I Calculation No. PRA-ONT-004. Rev. 0 Pap-e 16 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I1 Current notebook does not contain full New Success Criteria Notebook being created will SC-CI Not Met analysis; Need to consolidate SC consolidate information.
information SC-C2 Not Met Address specific documentation items as New Success Criteria Notebook being created will part of SC SRs above consolidate information.
SC-C3 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook 5.1.4 Internal Events PRA Model Update - Systems Analysis Table 5.1-4 contains the gap analysis of the PRA standard supporting requirements for systems analysis. A summary of changes to address the gaps to Capability Category (CC) II is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for System Analysis Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I1 SY-AI Met System models developed No Changes Required.
SY-A2 Met System models based on pertinent No Changes Required.
information Generally met; Need to explicitly identifya system boundaries, & I&C System boundaries are more explicitly identified in SY-A3 Met requirements; Need to review updated System Notebooks. ESW system modeling dY Metrequiren enes; NM ino,&Tec pew improved to specifically address Technical dependencies, T&M info, & Tech Spec Specification disallowed alignments.
info0 Walkdowns probably covered in Walkdown notebook (e.g., ESW reference 20); Need to confirm System Walkdowns were completed during the SY-A4 Not Met walkdowns and document explicitly; No original IPE/PRA Model development. Interviews documentation of interviews; Need to with plant personnel were not formally documented.
confirm, perform, and document interviews if needed Alignments can be captured using house ESW, CCW, Charging, and DC system models were SY-A5 Met events; Need to review and explicitly updated to include alignment events.
document use of house events System model boundaries not always clearly defined; Need to explicitly See SY-A3. S1 actuation system modeling was SY-A6 Not Met identify system boundaries and So components providing interfaces with addressed specifically during the update.
support systems Systems generally have detailed system Detailed system models exist for most systems.
Syst111 moems;gerllyhaveos d tetsailesye AMSAC and SI actuation systems did not have SY-A7 I-Il models; Miscellaneous systems also dealdstmmol.SIcutinwsmpvd documented in MISC notebook SI actuation was improved detailed system models. the I I during update.
I Calculation No. PRA-QNT-004, Rev. 0 Page 17 I Section Capability Gap Analysis Notes Changes for Model Update to Meet CC H Component boundaries addressed as part Component boundaries were reviewed and no SY-A8 Met of CCF; Updated data analysis will re- changes were necessary. Will be documented in check component boundaries; Need to cagsw eneces Willbocmti document explicitly updated System Notebooks.
SY-A9 Met Modules not used No Changes Required.
kHPI system success criteria were updated for small SY-AI0 Met Success criteria linked to IE/sequence; LOCAs. ESW pump requirements were addressed see AS/SC Notebooks in the update.
Needed components generally modeled; A review of system models concluded that some Need to review excluded/negligible minor additional failure modes (mainly passive contributors and ensure documentation valve failures) needed to be included. System fault meets SY-AI 5 requirement trees were updated as necessary.
Beneficial failures not modeled; watch No beneficial failures were modeled during the SY-A12 Met for these during update update.
Some flow diversions modeled (e.g., air System models were reviewed for flow diversions.
to SGPORV); Need to question each Some minor additional flow diversions were added.
SY-A 13 Met system for potential flow diversions to Other flow diversion modeling (e.g. pump discharge be modeled; Need to document flow check valve) was revised to be more realistic diversion assumptions for exclusions (requiring a running failure of the pump).
Needed failure modes generally No changes required other than those discussed in SY-A 14 Met modeled SY-A 13 and SY-A 11.
Sample of excluded/negligible contributors showed lack of quantitative Quantitative basis for excluded failures will be 15 Not Met basis as required; Need to review added to updated system notebooks. It is noted that excluded/negligible contributors and most low probability failure modes are included in ensure documentation meets the model for completeness.
requirement SY-A 16 I-II Pre-initiator HFEs included; See HRA No Changes Required.
SY-AI7 Met Post-initiator HFEs included; See HRA No Changes Required.
Need to review for isolation/trip System dependencies capture any required support SY-A 18 Not Met conditions and document conditions and systems consistent with plant design information exceptions (e.g. ESW pump room fan modeling)
SY-A 19 Met Unavailabilities modeled Unavailabilities were updated as part of the data update.
Need to review unavailability data for Opposite unit refueling outage modeling was SY-A20 Not Met planned activities with redundant improved to capture planned redundant activities equipment and document explicitly (such as dual ESW pump outages).
Model appears to adequately capture conditions that cause loss of function, SY-A21 Met Need to explicitly document conditions See SY-A 18.
and inclusion/exclusion (See also SY-A22)
I Calculation No. PRA-QNT-004, Rev. 0 Page 18 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 Generally met; Review TH-01-05, Rev I and Condition Report P-00-6947 for Switchgear room cooling fans were removed from SY-A22 II supporting calculations regarding room the system model based on analyses performed for cooling and ensure System notebooks the Fire PRA (Input 3.2).
reflect these conditions SY-A23 Met See PRA-BE-00I for basic event No Changes Required.
identification scheme Repair is modeled and justified; Review ESW and CCW pump repair modeling credit was SY-A24 Met uses of repair and ensure adequate removed where not justified (such as internal justification; see also DA-C 15 and DA- flooding ruptures or dual unit events).
D9 SY-B 1 I-11I CCF modeled; See CCF notebook CCF modeling was updated.
SY-B2 I-I1 Intersystem CCF not needed No Changes Required.
Dual Unit CCFs were added for electrical components, consistent with best practices.
SY-B4 Met CCF events incorporated properly No Changes Required.
CCW cooling dependencies were added for SI SY-B5 Met System dependencies modeled explicitly pumps, RHR pumps, and Containment Spray Pumps since there was no basis for exclusion. Model includes all required system dependencies.
Support systems generally supported by SY-B6 Met engineering calculations; See also SY- No Changes Required.
A21/22 Support system modeling is realistic or ESW pump requirements were updated to require SY-B7 1 Sprsstemondeingn is reas two pumps for LOCA events, due to the potential based on design-basis needs for pump runout.
Review walkdown notebook and ensure SY-B8 Met spatial/environmental issues (or lack No spatial/environmental issues were noted. Will thereof) are explicitly documented in be documented in updated System Notebooks.
system notebooks SY-B9 Met Support systems modeled See SY-B5.
Review ESFAS and other system SI actuation system modeling was improved during SY-B10 11-III notebooks to ensure adequate modeling the update to meet requirements. Valve and breaker of initiation/actuation interlocks are explicitly included in the model.
SY-B I I Met Dependence on air/power/cooling See SY-B5.
inventory modeled or justified SY-B12 Met Watch for any systems not modeled Loss of CCW, ESW, and DC are explicitly based on assumed recovery actions modeled.
SY-B 13 Met All needed components appear to be No Changes Required.
modeled Watch for modeling of components outside environmental qualifications, SY-B 14 Met including harsh environments due to No Changes Required.
containment failure as noted in RG 1.200
1 Calculation No. PRA-QNT-004, Rev. 0 Pap-e Page 1919 I1 I Calculation No. PRA-ONT-004. Rev. 0 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I!
SY-B15 Met Model appears adequate; see also issues No Changes Required.
related to SY-B 10 SY-C I Met System Notebooks are generally System Notebooks are being updated.
adequate Generally met; potential documentation improvements include: system boundaries, I&C requirements System Notebooks are being updated.
SY-C2 Met dependencies, T&M info, Tech Spec Documentation is being improved to address items references, walkdowns & interviews, listed.
and other issues identified in individual SRs SY-C3 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook 5.1.5 Internal Events PRA Model Update - Human Reliability Analysis Table 5.1-5 contains the gap analysis of the PRA standard supporting requirements for human reliability analysis. A summary of changes to address the gaps to Capability Category (CC) II is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Human Reliability Analysis Section Capability Gap Analysis Notes Changes for Model Update to Meet CC II Test, inspection, and maintenance aTivtinspestdomntead mainthnane HAAs discussed in the gap analysis notes, pre-initiators are discussed in the HRA notebook and in and in each specific system NB and are individual system notebooks, in the referenced HR-AI Met based on the review of procedures, the updated operating experience and plant practices. sections. Documentation is improved in Methodology described in Section 1.2.1. system notebooks and updated HRA notebooks. No Details provided in Section 2.0. new Pre-Initiator HFEs were identified.
Calibration activities documented in the HRA NB and in each specific system NB and are based on the review of HR-A2 Met procedures, operating experience and See HR-Al.
plant practices. Methodology described in Section 1.2.1. Details provided in Section 2.0.
Common trains' miscalibration had been HR-A3 Met analyzed and the methodology described See HR-Al.
in Section 1.2.1. Details provided in Section 2.0.
Screening analysis documented in HR-BI 1I-Il Section 1.2.1, especially in Task I and 2 No Changes Required.
sections. Followed criteria of NUREG/CR-4772.
I Calculation No. PRA-ONT-004, Rev. 0 Paue 20 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC H Need to review activities that could simultaneously have an impact on A review of potential conditions was performed HR-B2 Not met multiple trains of a redundant system or during the update. No changes were identified.
diverse systems and document explicitly.
An HFE has been assigned to each HR-C l Met operator activity assessing the impact at No Changes Required.
the appropriate level.
It seems that HR-C2 is met. However, Pre-Initiator FHFEs were reviewed during the model HR-C2 11-111 need to analyze in more details each pre- update, and a few additional events were removed initiator FIFE to confirm it. based on screen criteria. No other changes were necessary.
HR-C3 Met Miscalibration is a failure mode No Changes Required.
included in the analysis.
HR-DI Met THERP has been used for quantification No Changes Required.
Review for any screening values have HR-D2 11 been applied to any pre-initiator HFE; THERP has been used for virtually all No screening values are used.
HFEs Seems that not many details are provided for quality of procedures, admin control, human-machine Updated HRA notebook will explicitly address these HR-D3 I interface, etc... Need to review these elements. A review of the requirements was aspects, adjust HEPs if necessary, and performed during the model update.
document. See examples of quality in RG 1.200 Self-recovery or recovery appears to not HR-D4 N/A be taken into account; review for use No self-recovery was credited during the update.
and, if found, ensure use meets requirement Previously HFE dependencies were addressed using separate HFEs in each accident sequence. A new No evidence of pre-initiator dependent dependency analysis was performed for the model HR-D5 Not Met actions. Need to examine potential update. The analysis is performed by quantifying dependencies, assess if necessary, and the model with all HFEs set to a high value (0.1) document. and then screening the high importance combinations for dependency. Cutset editing is then used to apply joint HEPs for the final quantification.
HR-D6 Met Error factors are provided when HEP is No Changes Required.
quantified based on THERP.
No evidence of requirement to check Updated HRA notebook will explicitly address this HR-D7 1-I1 reasonableness of HEPs in light of the check. A review was performed during the model plant's experience update and no changes were required.
HR-EI Met Plant-specific procedures reviewed to No Changes Required.
identify key human actions HR-E2 Met Set of actions identified. No Changes Required.
I Calculation No. PRA-ONT-004. Rev. 0 PaE~e 21 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I1 Operator interviews have been done and Operator interviews were performed during the HR-E3 Opraorumnter e bE dnand update for selected pre-existing HFEs and new documented for each HFE quantified HFEs.
Simulator observations and talk-through are documented in the HRA notebook.
HR-E4 II-1ll Need to clarify whether ALL HFEs have See HR-E3.
been talked-through or observed in the simulator Seems that an HFE has been assigned to each operator activity assessing the A review was performed of significant HFEs (such HR-Fl 1-11 impact at the appropriate level. a re v erfo recircant No ch However, detailed analysis on HFEs as switchover to EGGS recirculation). No changes needs to be reviewed to confirm were required during the update.
evaluation.
For each HFE, accident sequence, cues, HR-F2 II time windows, procedures, and tasks are No Changes Required.
provided.
Either detailed analysis or screening A review of H-Es was performed and screening HR-G 1 11 values have been used to estimate HEPs; values were either replaced with detailed analyses or confirm that risk-significant HEPs do not use screening values removed.
In many cases cognitive and execution portions of Bprobabilities are estimated. HFEs are combined into one event, separation of these events was performed when necessary.
Seems that all PSFs listed in the standard have been considered in the A review of HFEs for the update concluded that the HR-G3 lI-Il HEP estimation. However, need further PSFs required were considered in all HFEs.
review to confirm. See clarifications in Screening values were removed.
RG 1.200 As part of the update, confirmatory MAAP analyses Each HFE has a reference to the were performed. Selected risk-significant HFEs HR-G4 II supporting thermal-hydraulic were updated based on new MAAP analyses, the calculations or simulator observations most significant of which was the ECCS used for the time available recirculation HFE for small LOCAs. Other HFEs had a pre-existing basis for timing.
Seems that HFE action timings are HR-G5 11It based on operator interviews. Need No Changes Required, although operator interviews further investigation though to confirm. were performed.
Note that SR is "When needed."
No evidence that internal consistency of Updated HRA notebook will explicitly address this HR-G6 Not met check. A review was performed during the model update and no changes were required.
Dependency analysis has been done.
Need to verify' the degree of details of See HR-D5. Approach was identical for post-HR-G7 Met the analysis. Section 4 of the HRA NB describes the process but it is not clear where the actual assessment is done.
I Calculation No. PRA-ONT-004. Rev. 0 Pag~e Page 22 22 1 I Calculation No. PRA-ONT-004. Rev. 0 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC II HR-G8 Met Table 1.2 provides HEPs THERP with error No Changes I Required.
factor calculated from A new HFE was developed to manually start the ECCS system (including all required supports) upon Seems that recovery actions are not SILarge actuation failure. LOCA.
or Medium This HFE CCWis not andcredited during ESW pump modeled.
recovery is modeled, particularly for support system initiating events.
See HR-HI. Operator interviews were conducted for the development of the new HFE discussed.
HR-H2 TBD Seems that recovery actions are not Extensive procedures and training: are provided for modeled. this action and recovery is a relatively simple action (start the required pumps) that can be perfonned in the control room.
HR-H3 TBD Seems that recovery actions are not See HR-D5. Approach is identical for recovery modeled, actions.
HRA has been documented in a manner Updated HRA notebook will continue to meet the HR-Il Met that facilitates PRA applications, requirements.
upgrades, and peer review HR-I2 Met Seems that all of HiR-12 arethe met,documentation items however further Updated HRA notebook will address the noted inv1Met eestiion of eved hed, issues. Screening values are no longer used.
investigation is needed.C HR-13 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being in developed.
new Uncertainty Notebook 5.1.6 Internal Events PRA Model Update - Data Analysis Table 5.1-6 contains the gap analysis of the PRA standard supporting requirements for data analysis. A summary of changes to address the gaps to Capability Category (CC) II is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Data Analysis Section Capability Gap Analysis Notes Changes for Model Update to Meet CC U DA-AI Met Basic events appropriately identified. No changes required to pre-existing events.
Updated data meets this requirement.
Component boundaries only addressed DA-A2 Not Met as part of CCF; Updated data analysis See discussion for SY-A8.
will re-check component boundaries; Need to document explicitly; See SY-A8 Probably done, but not explicitly documented; Need to ensure appropriate Full uncertainty notebook is being developed. Data DA-A3 Met probability models used (e.g., binomial, update provided the needed probability Poisson) and document in updated distributions.
analysis No changes required to pre-existing events.
DA-A4 Met Parameters appropriately identified Nux Updated data meets this requirement.
I Calculation No. PRA-ONT-004, Rev. 0 Pa~e 23 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 Current analysis groups by type and DA-B1 II system for pumps; valve grouping No changes required to pre-existing events.
uncertain. Ensure new analysis also Updated data meets this requirement.
groups by type and system.
DA-B2 1-11 No evidence of including outliers since No outliers are credited in the model.
grouped by system.
New generic source to be used for DA-CI Met update. Ensure component boundaries Latest generic data pulled from NRC database.
are consistent.
DA-C2 Met New plant-specific data to be collected. Plant specific data was obtained through system engineer interviews and the plant process computer.
The main data exclusion period was the Unit 1 DA-C3 Met Justify' any exclusion made. extended forced outage due to the turbine event.
The reasons for exclusion will be documented in the system notebooks.
Need to document basis for Plant specific data collection and system engineer DA-C4 Not Met distinguishing failures. interviews explicitly addressed this issue and will be documented in the data notebook.
Plant specific data collection and system engineer DA-C5 Not Met Need to document handling of repeated interviews explicitly addressed this issue and will be documented in the data notebook.
Counting will be updated; need to Plant specific data collection and system engineer DA-C6 Met document NOT counting post- interviews explicitly addressed this issue and will be maintenance demands documented in the data notebook.
Surveillance test will be updated with Plant specific data collection and system engineer DA-C7 11-III actual practice. interviews explicitly addressed this issue and will be documented in the data notebook.
Plant-specific operational records will Alignment events are assumed to have a value of DA-C8 II-III be used for updating standby status as 0.5, since train work weeks typically require needed. alignments with approximately this value.
DA-C9 III Operational times will be updated with Plant specific data collection and system engineer interviewsdocumented explicitly addressed in the datathis issue and will be notebook.
Need to review surveillance test Plant specific data collection and system engineer DA-C10 1I procedure to ensure data fits failure interviews explicitly addressed this issue and will be modes, documented in the data notebook.
Update will include only T&M activities Plant specific data collection and system engineer DA-CI 1 Met that leave SSC unable to perform interviews explicitly addressed this issue and will be function. documented in the data notebook.
Need to ensure and document that Plant specific data collection and system engineer frontline system unavailability caused interviews explicitly addressed this issue and will be DA-CI2 Met by support system unavailability is not documented in the data notebook.
counted against frontline system.
Page 24 I II Calculation No. PRA-QNT-004, Rev. 00 Page 24 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I1 Plant specific data collection and system engineer interviews explicitly addressed this issue and will be documented in the data notebook. Since Cook is a Actual durations will be used during multi-unit site, maintenance occurring on outage DA-C13 Il-Ill update; include only at-power time as unit systems is counted in support of crosstie required functions. For other refueling outage coincident maintenance, the time is estimated using the online maintenance terms, which is conservative. This is thus currently met at CC I.
The main example of planned coincident maintenance at Cook is the dual ESW pump outage, which occurs during refueling outages. This is explicitly accounted for. For other refueling outage Check for and document coincident coincident maintenance (that may be planned or DA-C14 Not Met unavailability as a result of planned unplanned), the time is estimated using the online repetitive activities maintenance terns, which is conservative. Online maintenance tenrs can occur together on the same train, which accounts for possible unplanned maintenance on the same train. It is not normal plant practice to schedule maintenance at the same time on multiple safety related components.
Modeling of repair is included; need to DA-C15 Met review repair modeling in ESW and See discussion for SY-A24.
CCW and ensure SR is met; see also SY-A24 and DA-D9 LOOP recoveries were updated using NUREG/CR-DA-C 16 Met LOOP recovery times will be updated 6890 (Reference 7.10) data.
Plant specific data collection and system engineer DA-D1 II Data update will address significant interviews explicitly addressed this issue and will be basic events with Bayesian update documented in the data notebook.
Plant specific data collection and system engineer DA-D2 Met and document bases interviews explicitly addressed this issue and will be documented in the data notebook.
Means will be developed (medians Data update included probability distribution DA-D3 II needed for WinNUPRA?) information necessary for this task. Mean values are used as required.
Need to perform and document This check will be documented in the data reasonableness check of results notebook.
DA-D5 III Current model uses MGL model MGL factors (or i converted rprn halphapae factors) were used in preparing the update.
DA-D6 II Generic CCF probabilities will be used Generic CCF factors were used in the update.
DA-D7 Met Document any screening of generic data Where generic data was screened, an explanation in accordance with SR will be provided in the data notebook.
DA-D38 1* Document any cases where old data no No such cases exist, and this will be documented in longer applies or if no such cases exist the data notebook.
I Calculation No. PRA-ONT-004. Rev. 0 Page 25 1I Pa~e25 I Calculation No. PRA-QNT-004. Rev. 0 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC II This SR was included in RG 1.200 and states:
"Cat I, I1,and III:
For each SSC for which repair is to be modeled, (Note: This SR is suggested by RG ESTIMATE, based on the data collected in DA-1.200, Rev 2, but is not in any version of the probability of failure to repair the SSC in time to prevent core damage as a function of the DA-D39 Met the Standard) accident sequence in which the SSC failure Need to review repair modeling in ESW appears.i and CCW and ensure SR is met; see also appears.
SY-A24 and DA-CS15ESW and CCW repair probabilities are assumed at 90 minutes, which is sufficient given the realistic time available following a loss of these systems. A discussion is provided in the ESW and CCW system notebooks.
DA-EI Met New Data Notebook to be created New data notebook will be created as discussed.
Generally met, need to ensure DA-E2 Met documentation of component boundaries Data notebook will address issues as required.
and other items identified above DA-E3 Not Met Model uncertainties to be addressed in new Uncertainty Notebook New Uncertainty Notebook being developed.
5.1.7 Internal Events PRA Model Update - Quantification Table 5.1-7 contains the gap analysis of the PRA standard supporting requirements for quantification. A summary of changes to address the gaps to Capability Category (CC) I1is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Quantification Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I1 QU-A1 Met Currentaccounts model integrates all aspects and for dependencies Updated quantification meets all the requirements.
WinNUPRA model provides sequence WinNUPRA event tree model provides sequence quantifications information explicitly.
Current results show mean with uncertainty; unclear whether state-of-knowledge correlation (SOKC) is Updated uncertainty analysis and notebook will QU-A3 captured; Need to investigate how to do address this shortcoming in the 2009 model of with WinNUPRA (see e.g., PRA- record.
NUPRA-002 2009 MOR Section 5.6).
WinNUJPRA software produces the required QU-A4 Met Method discriminates contributors importane analyses.
importance analyses.
Repair probabilities modeled in fault trees as Recovery actions (repairs) are included discussed in SY-A24. Cutset editing is used for 6 QU-A5 Met where appropriate. HEPs generally hour mission time for EDGs after LOOP per included within the fault trees. assumptions about average offsite power recovery times.
I Calculation No. PRA-QNT-004, Rev. 0 Page 26 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC I!
WinNUPRA provides appropriate results. Need to document any QU-B 1 Met limitations/features that could impact WinNUPRA is an accepted PRA software package.
results.
Truncation process in Section 5.1.1 of Truncation will be reviewed for the model update.
QU-B2 Met T On poess in tio 5.. In particular, cutsetreIewd merging is used and will be MOR Notebook is OK for this SR. reviewed.
Truncation process in Section 5.1.1 of Convergence truncation will be reviewed for the MOR Notebook does not appear to meet model update. Intermediate truncations in the convergence stated in the Standard; WinNUPRA make true convergence difficult to QU-B3 Not Met Need to update with an iterative process; show, standard approach is to quantify fault tree Need to review and document process equations a low level and process the event trees at used for intermediate truncations in sufficiently low level to provide reasonable WinNUPRA. assurance of convergence.
QU-B34 Met WinNUPRA uses "rare event No NRChanges Required.
approximation" Circular logic addressed in system Circular logic is addressed between ESW and the QU-B5 Met nEDGs by providing ESW fault trees without notebooks (e.g., ESW) dependence on AC power.
Review WinNUPRA handling of system WinNUPRA event tree quantification includes delete-terms for success logic. Successes are QU-B6 Unclear successes; note only needed as necessary captedter s by theus o f speiale to quantify CDF captured in transfers by the use of special files specific to downstream event trees.
Mutually exclusive cutsets are QU-B7 Met identified; Need to ensure No Changes Required.
documentation QU-B8 Met Mutually exclusive cutsets removed in No Changes Required.
WinNUPRA batch file Logic flags appear to be set QU-B39 Met TRUE/FALSE. Need to review and No Changes Required.
confirm; Need to ensure flag settings are documented in appropriate notebooks Model subtrees use common event QU-BI10 Met names to capture shared events No Changes Required.
Dependent HEPs identified by process in PRA-NB-HRA Sections 1.2.1 & 4.0, QU-CI Met which includes setting post-init HEPs to See HR-D5.
0.1 or higher and reviewing for multiple actions Dependencies for post-initiators was performed; Dependencies for pre-inits QU-C2 Met included in process; Need to review and See HR-D5.
update as necessary; Need to re-perform check of results for new combinations Transfers account for sequence Event tree transfers are passed via sequence characteristics equations from the initial event tree.
I Calculation No. PRA-ONT-004, Rev. 0 Pao~e 27 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC If QU-DI Not Met Reviews of significant cutsets need to be Cutset review will be performed in final model performed and documented quantification notebook.
Reviews of PRA results for consistency Consistency review will be performed in final need to be performed and documented model quantification notebook.
QU-D3 Not Met Reviews to confirm logical results need Cutset review will be performed in final model to be performed and documented quantification notebook.
Comparison to similar plants needs to be Plant comparison will be performed in final model QU-D4 performed and documented quantification notebook.
QU-D5 Not Met Reviews of non-significant cutsets need Cutset review will be performed in final model to be performed and documented quantification notebook.
Contributors identified and will be Sequence review will be performed in final model updated with new model quantification notebook.
Not Met Reviews of importance results need to Importance review will be performed in final model be performed and documented quantification notebook.
QU-E1 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook Assumptions included in each notebook; QU-E2 Met also addressed in new Uncertainty New Uncertainty Notebook being developed.
Notebook Current results show mean with uncertainty; unclear whether SOKC is New Uncertainty Notebook being developed.
QU-E3 I captured; Need to investigate how to do Parameter uncertainties were developed as part of with WinNUPRA (see e.g., PRA- the data update.
NUPRA-002 2009 MOR Section 5.6).
Model uncertainties to be addressed in QU-E4 Not Met new Uncertainty Notebook New Uncertainty Notebook being developed.
Final model quantification notebook will be QU-F1 Met MOR Notebooks will be updated developed.
MOR Notebooks will be updated; N eed Final model quantification notebook will be QU-F2 Met to review list of typical documentation developed. All requirements will be addressed.
items for inclusion Significant contributors will be updated; Final model quantification notebook will be QU-F3 Met Need to provide detailed description of developed. All requirements will be addressed.
significant sequences QU-F4 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook WinNUPRA model presents several difficulties, Need to document limitations in mostly in the use of cutset merging and the various QU-F5 Not Met quantification process that would impact truncations. The process used to show convergence applications (see also QU-BI) will be documented in the final model quantification notebook.
Need to document the quantitative QU-F6 Not Met definition used for significant basic Final model quantification notebook will be event, significant cutset, and significant developed. All requirements will be addressed.
accident sequence
I Calculation No. PRA-QNT-004, Rev. 0 Calculation No. PRA-QNT-004, Rev. 0 Pa~e28 I J
28 Pa*e 5.1.8 Internal Events PRA Model Update - Large Early Release Table 5.1-8 contains the gap analysis of the PRA standard supporting requirements for large early release. A summary of changes to address the gaps to Capability Category (CC) I1 is provided in the table.
Table 5.1 Gap Analysis for PRA Standard Supporting Requirements for Large Early Release Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 Generally met by current model; need to review and update containment isolation LE-AI Met modeling to include purge/vent valves Updated LERF model includes PDS information.
and updated pre-existing failure LERF notebook is being updated.
probability NB-LE identified the characteristics Updated LERF model includes PDS information.
linked to each failure LERF notebook is being updated Model uses combined event trees LERF is modeled as a top event in the Level I event LE-A3 Met incorporating both LI and L2 trees. Pressurizer PORV status is not always known, and is asked if hiportant.
See LE-A3. Top logic treatment of LERF provides Generally met through common event an acceptable method to account for those LE-A4 Met tree; need to review LERF fault trees to characteristics. Level 1 event trees provide the ensure all dependencies are captured necessary information with the exception of the Pressurizer PORVs, as discussed.
Plant damage states used, each of which PDSs are developed and will be documented in the LE-A5 Met is associated with a specific LER LERF notebook.
probability Based on NUREG/CR-6595 + Updated LERF model uses WCAP-16341-P consideration of ice condenser (Reference 7.5).
Based on NUREG/CR-6595; need to LE-B2I review for use of applicable generic or Updated LERF model uses WCAP-16341-P plant-specific analyses for significant (Reference 7.5).
challenges Assumptions not supported by Updated LERF model uses WCAP-16341-P tengineering analysis; need to review and (Reference assumptions 7.5). No other are made in the plant apply engineering analyses where specific LERF model.
possible Updated LERF model uses WCAP- 1634 1-P Need plant-specific challenges and (Reference 7.5). Plant specific containment design containment capability to get Cat II information (ultimate failure) is used. Hydrogen Igniter system is fully modeled using fault trees.
HEPs used are from WCAP- 1634 1-P (Reference Need realistic treatment of operator 7.5). Plant specific HEPs are used for initiation of LE-C2 atic nt Hydrogen Igniters as required by plant procedures.
This system is a major contributor to LERF for ice condenser plant.
Need to review significant sequences to SGTR and ISLOCA model HFEs were reviewed, LE-C3 I confirm existing repair and check for since these provide a direct LERF bypass. Repair is additional repair potential generally used for level 1 modeling. See SY-A24.
Calculation No. PRA-QNT-004, Rev. 0 Page 29 ]
Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 Plantspecific HEPs are used for initiation of Hydrogen Igniters as required by plant procedures.
LE-C4 Need to model operator actions, This system is a major contributor to LERF for ice scrubbing, etc. condenser plant. If the igniters fail, the probability of containment failure is 0.97, regardless of other actions taken.
LE-C5 11 System success criteria is similar to No Changes Required.
Level 1 LE-C6 Met System models used are acceptable No Changes Required.
No specific treatment of HFEs; need to LE-C7 Not Met review for possible use; if none, then See LE-C4.
N/A LE-C8 Met Accident sequence dependencies No Changes Required.
captured in combined event trees LE-C9 I Need to review for possible credit in No credit taken for actions in harsh environments.
adverse environments LE-C10 1 Need to document review for possible Review will be documented in LERF notebook.
credit in adverse environments LE-CI 1 I Need to review for possible credit after No credit taken for equipment after containment containment failure failure.
Need to document review for possible No credit taken for equipment after containment credit after containment failure failure.
LE-C13 11-111 Containment bypass analyses in SGTR No Changes Required.
and ISLOCA are realistic LE-DI I Need to identify and use realistic Containment ultimate failure strength used.
containment capacity analysis Need analysis and documentation of LE-D2 Not Met treatment of seals, penetrations, hatches, Documentation to be included in LERF notebook.
etc.
LE-D3 11 Failure location is considered and No Changes Required.
accounted for Z R I
ISLOCA analysis appears realistic; need ISLOCA analysis was reviewed for the update; LE-D4 SLC to analysisw appearire review and confirm c nchanges were madesection.
as discussed above in IE SGTR analysis appears realistic; need to SGTR analysis was reviewed and no changes were LE-D5 11 review and confirm required.
TI-SGTR is treated simply per Updated LERF model uses realistic analysis in LE-D6 I NUREG/CR-6595; need to update with WCAP- 1634 1-P (Reference 7.5).
plant-specific analysis Containment several isolation analysis has sinmplifyuing assumptions; need to review and update containment isolation Data update addressed failure probability issue.
LE-D7 I rContainment Isolation model was reviewed with no modeling to include purge/vent valves changes required.
and updated pre-existing failure probability
ae3 I Caclto o R-N-0,Rv Calculation No. PRA-QNTý004, Rev. 0 Page 30 1 Section Capability Gap Analysis Notes Changes for Model Update to Meet CC 11 LE-E I Met Parameter details are consistent with No Changes Required.
simplified analysis Parameters are generally conservative Updated LERF model uses realistic analysis in LE-E2 I and generic; need to update to plant-specific/realistic wherever possible Simplified analysis using NUREG/CR-LE-E3 6595; need to update LERF Updated LERF model uses realistic analysis in assignments; may need to review MAAP WCAP-16341-P (Reference 7.5).
runs LERF quantification meets the requirements of the LE-E4 Mixed See QU review; LERF generally follows quantification supporting requirements, since it is calculated in the same manner CDF is.
Some contributors developed; need to LE-FI specifically evaluate LERF contributions Updated LERF notebook will address significant due to PDS and significant LERF contributors.
contributors per SR LE-F2 Not Met Reviews of contributors need to be Updated LERF notebook will address significant performed and documented contributors.
LE-F73 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook LE-G I Met Documentation will be updated LERF notebook is being updated.
LE-G2 Met Documentation will be updated LERF notebook is being updated.
Some contributors developed; need to specifically evaluate LERF contributions Updated LERF notebook will address significant LE-G3 I due to PDS, sequences, phenomena, contributors containment challenges, and containment failure modes per SR LE-G4 Not Met Model uncertainties to be addressed in New Uncertainty Notebook being developed.
new Uncertainty Notebook Need to document limitations in LERF LE-G5 Not Met quantification process that would impact Updated LERF notebook will address limitations.
applications Need to document the quantitative Updated LERF notebook will address significant LE-G6 Not Met definition used for significant accident contributors.
progression sequence
I Calculation No. PRA-QNT-004, Rev. 0 Page 31 1 5.1.9 Summary of Internal Events Supporting Requirements not Capability Category II Each section above discussed modifications to the internal events model made during the model update to address potential gaps to Capability Category II of the 2009 PRA standard (Reference 7.8) and RG 1.200 (Reference 7.11).
For the application specific model used in this analysis, not all of these requirements are met at Capability Category II. A summary of these remaining gaps and their impact on this analysis is included below.
In general, all documentation related Supporting Requirements are not met because the model notebooks are not yet fully reviewed and completed. The model has undergone an internal challenge review, and the results of the model are reviewed in this risk analysis. This is a documentation issue that has no significant impact on the final results. This includes the following requirements: IE-D1 through IE-D3, AS-CI through AS-C3, SC-Cl through SC-C3, SY-CI through SY-C3, HR-Il through HR-13, DA-EI through DA-E3, QU-FI through QU-F6, LE-GI through LE-G6.
Quantification documentation is provided in this analysis for the application specific model used.
- SY-A4 is considered met at Capability Category I since interviews are not yet complete. Since system models were developed in previous model revisions, and updated during the model update, no significant additional insights are expected for this update. This will have no impact on this application.
- DA-C13 is considered met at Capability Category I since conservative estimates are used for the coincident test and maintenance window. This has no impact to this application since the plant test and maintenance configuration is known.
- LE-DI is considered met at Capability Category I since the containment capacity analysis is conservative.
This has a minor conservative impact on this application.
- The risk metric calculations for this application are performed as point-estimates; full uncertainty calculations are not yet available from the full model update that is in progress. However, based on the full uncertainty calculations from the previous model of record and a review of the current data analysis, similar results are expected. That is, the mean risk results are expected to be similar to, but slightly greater than, the point-estimate results. As with the previous model of record, key state-of-knowledge uncertainties for ISLOCA initiating events are already included in the point estimate frequencies. In addition, for this application, the requested extension will have significant margin to the point-estimate risk results, thereby providing sufficient margin to support the request. Therefore, QU-E I, QU-E2, QU-E4 are not considered met. QU-E3 can be considered met at Capability Category I.
5.1.10 Convergence Analysis of Internal Events Model To meet the intent of Supporting Requirements QU-B3 and QU-F5, a convergence analysis must be performed.
Specifically, QU-B3 states (Reference 7.8):
"ESTABLISH truncation limits by an iterative process of demonstrating that the overall model results converge and that no significant accident sequences are inadvertently eliminated. For example, convergence can be considered sufficient when successive reductions in truncation value of one decade result in decreasing changes in CDF or LERF, and the final change is less than 5%."
Since the model update is not yet completed, this analysis has not been performed. For the purposes of this risk analysis, a convergence test will be used to ensure the results are truncated at a sufficient level. The convergence test is performed on the updated, average maintenance base model with credit for the SDS, since this is intended to be the final updated model.
I Calculation No. PRA-ONT-004, Rev. 0 Pap-e 32 1 Since the WinNUPRA quantification process includes cutoffs for fault tree equations (used as top event nodes in event trees) and in cutset merge steps for event trees, both truncations are tested. The results of the convergence test are shown below in Table 5.1-9.
Table 5.1 Convergence Analysis of Internal Events Model Fault Tree Cutoff Event Tree Cutoff CDF # CDF Cutsets LERF # LERF Cutsets 1.OOE-09 1.OOE-12 8.479E-06 178242 1.385E-06 214826 1.OOE-I0 L.00E-12 8.559E-06 184116 1.392E-06 211557 1.OOE-10 1.00E-13 8.558E-06 177107 1.392E-06 203486 It is noted in the table that the number of total cutsets produced is smaller in some cases with increasing cutoff values. This occurs because WinNUPRA applies a maximum number of cutsets per merge step cutoff during event tree processing. The final cutoff value used in the event tree processing is adjusted on-the-fly to account for this limit. Since this processing merges cutsets, cutsets that would be included at higher truncation levels (because the total number at merge steps was below the cutoff) can be stripped during this process. While no limit is possible, quantification time increases dramatically due to software and hardware limitations. This processing impacts low probability cutsets only, since the on-the-fly truncation readjustment strips the low probability cutsets first.
A review of the output files shows that this effect primarily impacts the CCW event tree, and that on-the-fly truncation adjustments were sufficiently low (in the 5E-12 range) to produce sufficient cutsets for convergence.
This value is set to 120,000 cutsets per merge step. Based on the results of the test a fault tree cutoff of 1E-10 and an event tree cutoff of IE-12 is used, since the results did not increase more than 5% as required by the standard. It is noted that increasing the fault tree cutoff from I E-9 to IE-10 only produced a 1% CDF increase. While this also meets the standard, I E- 10 is selected to account for uncertainty regarding cutset processing limits. It is noted that this is significantly greater convergence than shown in the 2009 Model of Record (Input 3.1) which contained roughly 4000 CDF cutsets.
5.2 Modifications to the Fire PRA model The Fire PRA model of record was created during the NFPA 805 transition. Since the model was developed several shortcomings have been noted:
I. The Fire PRA reduced the success criteria for AFW from supplying 2 of 4 SGs to 1 of 4 SGs. This reduction requires containment spray to be available (References 7.6 and 7.7) to prevent containment failure since insufficient containment heat removal is provided by one SG. This is corrected in the Fire PRA model used for this application.
- 2. An HFE was credited in the Fire PRA to re-power the Hydrogen Igniters after fires which left all the busses faulted on the fire affected unit. This action takes 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to complete and it was identified late in the transition period that the time to core damage could be as little as 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in some sequences (such as AFW failure). The HEP was averaged in the final model to account for this.
For this application, there is increased potential for this action to be required since the Unit I AB EDG is not available. Therefore, a risk mitigating action is taken to stage the alternate power supply such that the action can be completed within the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time window. No adjustment is made to the HEP on the basis of this action (Assumption 4.8).
- 3. The fire-induced SBO fault tree (1SBOINIT.LGC) was noted to contain an error. Successful operation of the TDAFP constituted success of the top gate, despite the fact that an RCP Seal LOCA would occur due to the blackout. RCS inventory makeup via the CVCS crosstie was added to this event. In the model of record, the 480 gpm/pump Seal LOCA could not be mitigated by the CVCS crosstie based on MAAP analyses (Reference 7.7).
I Calculation No. PRA-QNT-004, Rev. 0 Page 33 MAAP case LI-2-36D (RCS inflow provided by the CVCS crosstie with AFW supplied 2 out of 4 SGs) resulted in a maximum core temperature of 2000F. While this was high enough to consider this case to be core damage in past analysis, the possibility exists to initiate a cooldown per Fire procedure OHP-4025-001-001, Emergency Remote Shutdown (Reference 7.14) or post-LOCA cooldown EOPs (Reference 7.16), for situations in which Emergency Remote Shutdown was not in use. Although NFPA 805 typically does not require a cooldown to Mode 5 (Cold Shutdown), it does generally require safe and stable conditions to be reached. Therefore, the specified cooldown in Reference 7.14 of a maximum 14F/hr cooldown using at least 2 SG PORVs will be considered. A MAAP analysis was performed to confirm that this cooldown does mitigate core damage.
The MAAP analyses results are shown in the figures below. The MAAP analysis made the following assumptions:
- AFW Flow to 2 SGs started at 40 minutes, for the duration of the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time.
- CVCS Crosstie flow of a constant 109 gpm started at 40 minutes for the duration of the 24 mission time.
Note that the Emergency Remote Shutdown Procedure (Reference 7.14) provides guidance to crosstie to the fire-affected unit's RWST once the opposite unit's RWST level goes below 37%. Sufficient RWST inventory is available in both units to support a 109 gpm injection flow for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
- RCS cooldown at a maximum rate of 14F/hr started at 55 minutes, using at least 2 SG PORVs. The SGs used for cooldown have AFW flow for the duration of the 24 mission time.
DIESELOUT d31
- DIESELOUT 600 500 400 U-U 300 200 100 0
0 5 10 15 20 25 30 TIME, HOURS Figure 5.2 MAAP Reactor Core Water Temperature for Emergency Remote Shutdown Cooldown
I Calculation No. PRA-QNT-004, Rev. 0 Page 34 I DIESELOUT d31
-DIESELOUT 2500 2000 ra 1500 1000 500 0
0 5 10 15 20 25 30 TIME, HOURS Figure 5.2 MAAP Primary System Pressure for Emergency Remote Shutdown Cooldown DIESELOUT d31
- DIESELOUT 1600 1400 1200 1000 800 600 400 200 0
0 5 10 15 20 25 30 TIME, HOURS Figure 5.2 MAAP Hottest Core Node Temperature for Emergency Remote Shutdown Cooldown Changes were made to the AFW and SBO fault trees as indicated in items 1 and 3 above.
Preliminary Fire PRA model results were reviewed and showed that conservative HFEs dominated model results, particularly in the use of HFEs that modeled fire-induced SBO. These HFEs were identical to those used to perform emergency remote shutdown upon evacuation of the control room. The HFE, 1ASD-SBONOTDPOMA will be divided into two separate actions, one for fires that occur in the main control room (whether they result in
I Calculation No. PRA-QNT-004, Rev. 0 Page 35 J evacuation or not) and fires that occur outside the main control room. The following HFEs in particular were reviewed for this analysis:
Table 5.2 Fire PRA HFE Review Summary HEP HFE value HFE Review Summary HFE will retain the value of 4.9E-2 and be used ONLY for scenarios in which IASD-SBONOTDPOMA 4.9E-2 the fire occurs inside the main control room, and stress is expected to be high.
Although, the HEP value in the HRAC is 1.33E-02.
New HFE.
HFE will model what 1ASD-SBONOTDPOMA used to for scenarios in which the fire occurs outside the main control room, and stress is expected to be moderate.
This HEP assessment for 1ASD-SBONOTDPOMA is very conservative in that a IFSBO--XTIE-OMA 5.3E-03 High Operator stress level has been assigned by default generating a high HEP value. However, since the action is practiced every two years, the plant should respond as expected (i.e., operators have the plant under control and are familiar and comfortable with the actions and procedures required, workload might be high, but PSFs should be optimal. This was confirmed by operators on phone interview (5/26/2015), therefore a moderate stress level is selected.
New HFE HFE will model a 14F/hr cooldown per OHP-4025-001-001, step 25 given success of IFSBO--XTIE-OMA using the same time window.
IFSBO---RCC-OMA 6.58E-04 Execution Time for operator action is 15 minutes, confirmed by operators.
Moderate stress level assumed based on operator phone Interview discussed above.
1E-RV--MRV2X3H-EF -- Removed from the model and superseded by I FSBO---RCC-OMA.
HEP agreed upon between DC Cook and the NRC and cannot be changed. If I -----
CCW-RCPHEF 4.80E-03 stress reduced, HEP = -2E-03 5.3 Risk Analysis of Unit 1 AB EDG Unavailability Four cases of the Internal Events and Fire PRA models are run consistent with the cases developed in Section 2.
The Unit I West MDAFP and Unit 2 Plant Air Compressor unavailability is taken from Assumption 4.1. These cases are:
- 1. A baseline CDF and LERF value with zero maintenance other than the exceptions listed in Assumption 4.1, without credit for the SDS. For this case, the following basic event modifications are made:
Table 5.3 Basic Event Settings for Baseline CDF and LERF without SDS Component Basic Event Probability Unit 1 West MDAFP IDBPM ---- PP3WTM 8.333E-2 Unit 2 Plant Air Compressor 2X-CM---OME41TM 4.167E-2 Shutdown Seal Failure SDSFAILTOACTUATE I
Caclto o PAQT04 ev ae3 1 Calculation No. PRA-QNT-004, Rev. 0 Page 36 1 Shutdown Seal Success SDSSUCCESS 0 Unit 1 West-Unit 2 East ESW Crosstie XHOS-1W2E-ESW-XT Closed (IE PRA Only)
All other Test or Maintenance Events Basic Events ending in "TM" 0
- 2. CDF and LERF values with the Unit I AB EDG failed, with zero maintenance other than the exceptions listed in Assumption 4.1, without credit for the SDS. For this case, the following basic event modifications are made:
Table 5.3 Basic Event Settings for Unit 1 AB EDG Failed CDF and LERF without SDS Component Basic Event Probability Unit I AB EDG ISBDG ---- DGABFR I Unit I West MDAFP IDBPM ----PP3WTM 8.333E-2 Unit 2 Plant Air'Compressor 2X-CM---OME41TM 4.167E-2 Shutdown Seal Failure SDSFAILTOACTUATE I Shutdown Seal Success SDSSUCCESS 0 Unit I West-Unit 2 East ESW Crosstie XHOS-IW2E-ESW-XT 1 Closed (IE PRA Only)
All other Test or Maintenance Events Basic Events ending in "TM" 0 For the Fire PRA, the quantification process produces a large global CDF and LERF equation that must be manipulated. These manipulations are made in the WinNUPRA sensitivity module. Since this module manipulates cutset values, this module is only used to manipulate event probabilities downward, as this will not produce non conservative results due to truncation.
I I Calculation No. PRA-QNT-004, Rev. 0 Page 37 1 5.4 CDF and LERF Results The CDF and LERF results from each case are shown below in Table 5.4-1. The ICCDP and ICLERP calculations are shown below in Table 5.4-2.
Table 5.4 Total CDF and LERF Results Internal Internal Fire CDF Fire LERF Total CDF Total Case Events Events CDF (/yr) LERF (fyr) (fyr) (/yr) (/yr) LERF (/yr)
Basecase (No 1.268E-04 4.237E-06 2.506E-05 2.355E-06 1.519E-04 6.592E-06 SDS) 1 AB EDG Failed (No 1.304E-04 5.119E-06 4.463E-05 3.152E-06 1.750E-04 8.271E-06 SDS) I I I I I Table 5.4 ICCDP and ICLERP Results for 65 Day Completion Time Metric 65 day CT ICCDP 4.126E-06 ICLERP 2.990E-07 5.5 Analysis of Results This section presents an analysis of the Internal Events and Fire PRA model results. Importance analyses and cutsets from risk-significant sequences are analyzed for risk insights.
5.5.1 Internal Events Model Results Analysis A comparison if the Internal Events initiating events is shown below in Table 5.5-1. This table compares the F-V importance from the baseline case with Unit I AB EDG failure case, with the test and maintenance considerations as described in Section 5.3. The results are ranked by the change in F-V between cases.
The results show that the increase to total CDF comes exclusively from the LOOP initiating events. This is a sensible result given the large number of AC power sources available during most non-LOOP initiators, including 69 kV emergency power and the SDGs, and the impact of the lack of one automatic source to LOOP response.
While consequential LOOP and random LOOP are modeled for all initiating events, those events were not major contributors in either case. This was due to the availability of power and crosstie support from Unit 2 in all cases. A small increase in Birnbaum importance was noted, due to the unavailability of the EDGs.
The top cutsets involving LOOP initiators were reviewed. The following example cutsets were noted for further review (in many cases, multiple variations of each cutset shown exist, but only one example was selected for review):
- 5. 916E-008 1PWRREC-10H-GR-S IE-LSP-GR 21GPM RCPLO1 XEQN-SDS-F OA-EP-TBUS---HE PDLOOP-GR 1SADG ---- DGCDFR U1 ------ TRAINA 1Y---RECIRCFBHE 5.080E-008 1PWRREC-10H-SC-S IE-LSP-SC 21GPM RCPLOI XEQN-SDS-F OA-EP-TBUS---HE
I Calculation No. PRA-ONT-004. Rev. 0 Page 38 I1 Paee38 I Calculation No. PRA-ONT-004, Rev. 0 PSLOOP-SC 1SADG ---- DGCDFR U1 ------ TRAINA 1Y---RECIRCFBHE
- 4. 178E-008 1PWRREC-10H-GR-S IE-LSP-GR 21GPM RCPLO1 XEQN-SDS-F PDLOOP-GR 1SADG ---- DGCDFR U1 ------ TRAINA COMBO 38 2.196E-008 1E-RV--MRV2--HE 1RABY--BANKCDFA 1PWRREC-90M-SC IE-LSP-SC XEQN-SDS-F F-SDG-FEED-ICD PSLOOP-SC In the first cutset, a grid-related LOOP occurs, and the Unit 1 CD EDG fails to run. Operators fail to align the SDGs to the safety bus successfully. Offsite power is recovered at 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, but eventual switchover to ECCS recirculation fails. The Unit 1 AB EDG has been logically failed.
The second cutset is identical to the first with the exception that the LOOP is switchyard-centered.
In the third cutset, a grid-related LOOP occurs, and the Unit 1 CD EDG fails to run. Basic event "COMBO 38" is a joint HFE which involves operators failing to align the SDGs to the safety bus successfully, and then subsequently failing to restore systems once offsite power is recovered at 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. The Unit I AB EDG has been logically failed.
The fourth cutset involves a switchyard-centered LOOP with failure of the Train A battery (which prevents the Unit I CD EDG from operating correctly). The SDGs are successfully aligned to Train A, but operators fail to cooldown using the SGs. The Unit I AB EDG has been logically failed.
As expected, the top LOOP related cutsets involve failure of the remaining EDG and failure to align the SDGs properly. Based on these results risk management actions should generally be focused on preventing loss of offsite power, or making the remaining EDG or SDGs available at all times.
Table 5.5 Internal Events Initiating Events Comparison of Results Event Point F-V F-V lAB Initiating Event Estimate Baseline EDG Failed Change in F-V Description LOSS GRID OF OFFSITE RELATED POWER IE-LSP-GR 1.49E-02 1.84E-03 1.45E-02 1.27E-02 GRID RELATED LOSS OF OFFSITE CENTERED POWER IE-LSP-SC 1.09E-02 8.1OE-04 9.36E-03 8.55E-03 SW SWYD CENTERED LOSS OF OFFSITE POWER RELATED IE-LSP-WR 4.04E-03 5.79E-04 5.62E-03 5.04E-03 WETE WEATHER RELATED LOSS OF OFFS1TE POWER IE-LSP-PC 1.55E-03 8.81E-05 1.23E-03 1.14E-03 LANT CENTEPED PLANT CENTERED UNITS 1+2 FLOOD GROUP IE-FLOOD-T3-2 1.55E-06 4.75E-15 4.62E-15 -1.31E-16 T3 SWGR RM EYEWASH STN PIPE UNITS 1+2 FLOOD GROUP IE-FLOOD-T2-2 1.90E-06 8.06E-09 7.84E-09 -2.23E-10 T2 SWGR RM EYEWASH STN PIPE UNITS 1+2 FLOOD GROUP IE-FLOOD-T5-2 1.96E-06 8.32E-09 8.09E-09 -2.29E-10 T5 SWGR RM EYEWASH STN PIPE UNITS 1+2 FLOOD GROUP IE-FLOOD-T5-1 2.45E-06 1.04E-08 1.O1E-08 -2.80E-10 T5 SWGR RM EYEWASH STN PIPE UNITS 1+2 FLOOD GROUP IE-FLOOD-T4-2 3.26E-06 1.51E-08 1.47E-08 -4.20E-10 T4 SWGR RM EYEWASH STN PIPE
Page 39 I II Calculation No. PRA-QNT-004, Rev. 00 PRA-QNT-004, Rev. Page 39 Initiating Event Point Estimate F-V Baseline F-V Failed EDG I AB Change in F-V Description UNITS 1+2 FLOOD GROUP IE-FLOOD-T1-2 3.91E-06 1.78E-08 1.73E-08 -5.OOE-10 TI SWGR RM EYEWASH STN PIPE UNITS 1+2 FLOOD GROUP IE-FLOOD-T3-1 1.63E-06 1.17E-07 1.14E-07 -3.30E-09 T3 SWGR RM EYEWASH STN PIPE IE-ISL4 1.69E-09 3.17E-07 3.08E-07 -8.70E-09 INTERFACING SYSTEM LOCA ISL4 UNITS 1+2 FLOOD GROUP IE-FLOOD-NI-L2 3.08E-06 6.84E-07 6.66E-07 -1.89E-08 NI LARGE BREAK NO OP ACTION UNITS 1+2 FLOOD GROUP IE-FLOOD-TI-I 3.91E-06 1.96E-06 1.90E-06 -5.40E-08 TI SWGR RM EYEWASH STN PIPE UNITS 1+2 INTERNAL 1E-FLOOD-E1-A-IW 5.57E-06 2.50E-06 2.43E-06 -6.90E-08 FLOODING GROUP E IA S1W FLOOD RUPTURE UNITS 1+2 INTERNAL IE-FLOOD-EI-A-2E 5.83E-06 2.6 1E-06 2.54E-06 -7.20E-08 FLOODING GROUP EIA 2E FLOOD RUPTURE UNITS 1+2 FLOOD GROUP IE-FLOOD-T2-1 3.67E-06 2.67E-06 2.60E-06 -7.40E-08 T2 SWGR RM EYEWASH STN PIPE UNITS 1+2 INTERNAL IE-FLOOD-P4 2.74E-04 3.74E-06 3.64E-06 -1.03E-07 FLOODING GROUP P4 RUPTURE UNITS 1+2 FLOOD GROUP IE-FLOOD-N1-S2 1.71E-05 4.20E-06 4.08E-06 -1.16E-07 NI SMALL BREAK NO OP ACTION UNITS 1+2 FLOOD GROUP 3.46E-04 4.77E-06 4.63E-06 -1.3]E-07 W3 LARG B REAK IE-FLOOD-W 3-LI W3 LARGE BREAK UNITS 1+2 INTERNAL IE-FLOOD-E1-A-IE 5.57E-06 4.91E-06 4.77E-06 -1.36E-07 FLOODING GROUP EIA IE FLOOD RUPTURE UNITS 1+2 INTERNAL IE-FLOOD-E1-A-2W 5.83E-06 5.13E-06 4.99E-06 -1.41E-07 FLOODING GROUP E1A 2W FLOOD RUPTURE UNITS 1+2 INTERNAL IE-FLOOD-F4 6.29E-04 8.77E-06 8.53E-06 -2.42E-07 FLOODING GROUP F4 RUPTURE IE-ISL1 1.23E-09 9.93E-06 9.66E-06 -2.74E-07 INTERFACING SYSTEM LOCA ISLI UNITS 1+2 FLOOD GROUP IE-FLOOD-W3-S2 7.40E-04 1.04E-05 1.01 E-05 -2.90E-07 W3 SMALL BREAK NO OP ACTION UNITS 1+2 INTERNAL 1E-FLOOD-WI 1.33E-03 1.90E-05 1.85E-05 -5.20E-07 FLOODING GROUP WI RUPTURE UNITS 1 +2 FLOOD GROUP IE-FLOOD-N1-L1 4.57E-04 2.22E-05 2.16E-05 -6.1OE-07 NI LARG BREAK N I LARGE BREAK UNITS 1+2 INTERNAL IE-FLOOD-EI-B-1W 2.54E-07 2.38E-05 2.32E-05 -6.60E-07 FLOODING GROUP EIB S1W SPRAY RUPTURE
Page 40 I II Calculation Rev. 00 Calculation No. PRA-QNT-004, Rev. Page 40 Et Initiating Event Point Estimate F-V Baseline EDG lAB F-V Failed Change in F-V Description UNITS 1+2 INTERNAL IE-FLOOD-EI-B-1E 2.54E-07 2.42E-05 2.35E-05 -6.70E-07 FLOODING GROUP EIB IE SPRAY RUPTURE UNITS 1+2 INTERNAL IE-FLOOD-FI 1.96E-03 2.83E-05 2.75E-05 -7.80E-07 FLOODING GROUP FI RUPTURE UNIT I INTERNAL IE-FLOOD-I-CI0 1.98E-07 2.87E-05 2.79E-05 -7.90E-07 FLOODING GROUP CI0 RUPTURE UNIT 1 INTERNAL IE-FLOOD- 1-C3 1.79E-07 3.11E-05 3.03E-05 -8.60E-07 FLOODING GROUP C3 RUPTURE UNITS 1+2 INTERNAL IE-FLOOD-N6 2.16E-03 3.54E-05 3.44E-05 -9.80E-07 FLOODING GROUP N6 RUPTURE INTERFACING SYSTEM 9.46E-06 3.62E-05 3.52E-05 -1.00E-06 LOC A SYL E IE-ISL3 LOCA I SL3 UNITS 1+2 INTERNAL IE-FLOOD-F3 2.87E-03 4.15E-05 4.03E-05 -1.15E-06 FLOODING GROUP F3 RUPTURE UNITS 1+2 FLOOD GROUP 5.07E-03 7.37E-05 7.17E-05 -2.04E-06 W3 SMALL B REAK IE-FLOOD-W 3-SI W3 SMALL BREAK INITIATING EVENT IE-LOIA 6.18E-03 8.53E-05 8.29E-05 -2.36E-06 TRANSIENT LOSS OF INSTRUMENT AIR UNIT I INTERNAL IE-FLOOD-I-CI 5.94E-07 8.66E-05 8.42E-05 -2.39E-06 FLOODING GROUP CI RUPTURE UNITS 1+2 FLOOD GROUP 3.79E-03 1.89E-04 1.84E-04 -5.20E-06 NI SMALL B REAK IE-FLOOD-N I-S I N ISMALL BREAK UNITS 1+2 FLOOD GROUP IE-FLOOD-T4-1 3.26E-06 2.04E-04 I.99E-04 -5.60E-06 T4 SWGR RM EYEWASH STN PIPE LOCA BEYOND ECCS IE-VEF 2.90E-08 2.29E-04 2.22E-04 -6.30E-06 CAPABILITY INITIATING EVENT UNIT 1 INTERNAL IE-FLOOD-I-C6-E 1.65E-06 2.40E-04 2.33E-04 -6.70E-06 FLOODING GROUP C6 EAST RUPTURE UNIT I INTERNAL IE-FLOOD-I-C6-W 1.82E-06 2.65E-04 2.57E-04 -7.30E-06 FLOODING GROUP C6 WEST RUPTURE LOSS OF 250 VDC UNIT 1 IE-VDC-B 3.32E+02 4.12E-04 4.01E-04 -1.13E-05 TRAIN B INITIATING EVENT MAIN STEAM LINE IE-MSLBI 3.3 IE-04 4.54E-04 4.42E-04 -1.25E-05 BREAK INSIDE CONTAINMENT IE-MFLB 1.66E-03 4.92E-04 4.78E-04 -1.35E-05 MAIN FEED LINE BREAK LOSS OF 250 VDC UNIT 1 IE-VDC-A 3.32E+02 5.98E-04 5.8 1E-04 -1.65E-05 TRAIN A INITIATING EVENT
I Calculation No. PRA-ONT-004. Rev. 0 Page 41 Pa~e4I I Calculation No. PRA-ONT-004. Rev. 0 Initiating Event Point Estimate F-V Baseline F-V Failed EDG lAB Change in F-V Description MAIN STEAM LINE IE-MSLBO 3.64E-03 6.1 IE-04 5.95E-04 -1.68E-05 BREAK OUTSIDE CONTAINMENT INITIATING EVENT IE-LOCHS 4.62E-02 6.38E-04 6.20E-04 -1.76E-05 TRANSIENT LOSS OF COND HEAT SINK INITIATING EVENT IE-LOMF 4.81E-02 6.64E-04 6.45E-04 -1.83E-05 TRANSIENT LOSS OF MAIN FEEDWATER UNIT I INTERNAL IE-FLOOD-I-C7-E 5.59E-06 8.13E-04 7.90E-04 -2.25E-05 FLOODING GROUP C7 EAST RUPTURE UNIT I INTERNAL IE-FLOOD- 1-C7-W 5.59E-06 8.13E-04 7.90E-04 -2.25E-05 FLOODING GROUP C7 WEST RUPTURE UNITS 1+2 FLOOD GROUP IE-FLOOD-W3-L2 2.16E-06 9.07E-04 8.82E-04 -2.50E-05 W3 LARGE BREAK NO OP ACTION UNIT I INTERNAL IE-FLOOD-1-C2 6.44E-06 1.02E-03 9.88E-04 -2.80E-05 FLOODING GROUP C2 RUPTURE 1E-LLO 1.60E-06 1.33E-03 1.30E-03 -3.70E-05 LARGE LOCA INITIATOR (4 LOOP COMBINED)
INTERFACING SYSTEM IE-ISL2 8.62E-06 1.63E-03 1.59E-03 -4.50E-05 LECA SYL E LOCA ISL2 MEDIUM LOCA IE-MLO 1.39E-04 3.62E-03 3.52E-03 -1.00E-04 INIIAOR INITIATOR UNIT I INTERNAL IE-FLOOD-I-C9 4.47E-05 6.50E-03 6.32E-03 -1.79E-04 FLOODING GROUP C9 RUPTURE IE-SLO 3.34E-04 8.01 E-03 7.79E-03 -2.22E-04 SMALL LOCA INITIATING EVENT IE-TRA 5.96E-0I 8.52E-03 8.29E-03 -2.35E-04 TRANSIENT W/ POWER CONVERSION SYSTEM STEAM GENERATOR IE-SGTR 1.89E-03 8.67E-03 8.43E-03 -2.39E-04 TUBE RUPTURE INITIATOR LOSS OF ALL ESW IE-ESW 4 3.32E+02 4.50E-01 4.37E-01 -1.24E-02 INITI ATN EV N II INITIATING EVENT LOSS OF CCW INITIATING IE-CCW 3.32E+02 4.99E-01 4.86E-01 -1.37E-02 EVENT I EVENT
I Calculation No. PRA-QNT-004, Rev. 0 Page 42 1 5.5.2 Fire PRA Model Results Analysis Table 5.5-2 provides a comparison of the Fire Initiating Events from the baseline case to the case with the Unit I AB EDG failed, sorted by F-V importance.
Fire scenarios in the transformer yard increased from 12.7% of CDF to 40.8% of CDF. These fire scenarios impact the offsite power cables coming into Unit 1, which result in high probability potential fire spurious operation of the 12AB and 12CD offsite power breakers. Failure of these breakers causes a dual unit LOOP. The Unit I EP and SDG cabling coming into the plant are impacted by these fires as well, rendering them unable to provide power as well.
Selected top cutsets from fire scenario IE-YD--SDG (fire in the SDG yard) are shown below for the case with the Unit I AB EDG failed. Note that due to the nature of the WinNUPRA Fire PRA quantification process, these cutsets calculate CCDP (The "IE-FIRE" event is set to 1.0). The final fire initiating event frequency for the scenario (3.77e-3 for IE-YD--SDG) is multiplied in later in the quantification process.
3.842E-004 IE-FIRE OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1SADG ---- DGCDFR 2SADG ---- DGCDFR 2SBDG ---- DGABF'R 2.008E-004 OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1SADG ---- DGCDF'R 1--SY-BITOUT-OMA 1--LT480GPMPPSLF XEQN-SDS-1 IE-FIRE UNIT-1-W-CCW 2.008E-004 OAACB ---- 12CDOSF 0ABCB ---- 12ABOSF 1SADG ---- DGCDF'R 1--SY-BITOUT-OMA 1--LT480GPMPPSLF XEQN-SDS-1 IE-FIRE UNIT-I-E-CCW 1.778E-004 IE-FIRE 0AACB ---- 12CDOSF OABCB ---- 12ABOSF 1FSBO--XTIE-OMA 1SADG---- DGCDFR
- 1. 134E-004 IE-FIRE OAACB ---- 12CDOSF OABCB ---- 12ABOSF' 1SADG ---- DGCDFR DGFR ------ CCF34 8.053E-005 OAACB ---- 12CDOSF 0ABCB ---- 12ABOSF 1SADG ---- DGCDFR 1----- CCW-RCPHEF XEQN-SDS-1 I - FIRE UNIT-I-E-CCW 8.053E-005 OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1SADG ---- DGCDFR 1----- CCW-RCPHEF XEQN-SDS-1 IE-FIRE UNIT-1-W-CCW
- 4. 194E-005 OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1SADG---- DGCDFR 1---480GPMPP-SLF XEQN-SDS-1 IE-FIRE UNIT-1-W-CCW 4.194E-005 OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1SADG ---- DGCDFR 1---480GPMPP-SLF XEQN-SDS-1 IE-FIRE UNIT-I-E-CCW 2.208E-005 IE-FIRE OAACB ---- 12CDOSF OABCB ---- 12ABOSF 1FSBO---RCC-OMA 1SADG ---- DGCDFR These cutsets show that the primary risk driver is the failure to mitigate the fire induced SBO resulting from this scenario. The top cutset involves the failure of the 3 remaining EDGs, including the opposite unit EDGs. The remaining cutsets involve failures to mitigate the SBO induced RCP seal LOCA. Failures include HFEs to crosstie systems to the opposite unit CVCS and AFW systems, failures to trip the RCPs (resulting in a large RCP Seal LOCA) and a failure to cooldown using the steam generators (also further damaging the RCP seals).
It is noted that a CCF of the remaining three EDGs is not included in the cutsets. In the original internal events model, components were only grouped in a common group if the capability existed to directly crosstie the systems.
This was conservatively modified in the updated Internal Events model. The CCF of the two Unit 2 EDGs is included in the results. The Fire PRA uses data from the 2009 model for the EDGs, which gave a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> EDG failure rate of 1.07E-1. This is conservative with respect to the updated Internal Events data which shows a failure rate of 4.028E-2. Given the conservative independent failure rates used in the Fire PRA, treatment of CCF combinations is conservatively bounded by the independent failure rates in the Fire PRA.
Calculation No. PRA-QNT-004, Rev. 0 Page 43 Table 5.5 Fire IE Comparison of Baseline Results with lAB EDG Failed Results FirelE Point POINT F-V Estimate F-V (Baseline) Fire IE (lAB EDG Failed) Estimate (lAB (JAB EDG (Baseline) (Baseline) EDG Failed) Failed)
IE-FZ9I-F 4.30E-03 1.25E-01 IE-YD--SDG 3.77E-03 2.07E-01 IE-YD--SDG 3.77E-03 6.87E-02 IE-YD--NW 2.03E-03 1.I OE-01 IE-FZ-15-F 2.71 E-03 5.95E-02 IE-FZ91-F 4.30E-03 8.22E-02 IE-FZ80-F 2.4 1E-03 3.77E-02 IE-YD--NE 2.44E-03 5.32E-02 IE-FZ79-F 2.41E-03 3.43E-02 IE-FZ-15-F 2.71E-03 3.91E-02 IE-YD--NW 2.03E-03 3.15E-02 IE-YD--SE 7.05E-04 3.83E-02 IE-FZ90Z-F 1.72E-02 2.84E-02 IE-FZ80-F 2.4 1E-03 2.48E-02 IE-FZ29G-F 6.77E-04 2.30E-02 IE-FZ79-F 2.4 1E-03 2.26E-02 IE-44NTI4A 3.99E-05 1.95E-02 IE-FZ90Z-F 1.72E-02 1.86E-02 IE-41-5HS 1.55E-05 1.95E-02 IE-FZ29G-F 6.77E-04 1.52E-02 IE-41-4AS 8.85E-05 1.68E-02 IE-44NT14A 3.99E-05 1.28E-02 IE-FZ79Z-F 9.63E-03 1.59E-02 IE-41-5HS 1.55E-05 1.28E-02 IE-2A-I 9.50E-03 1.57E-02 IE-41-4AS 8.85E-05 1.11 E-02 IE-YD--NE 2.44E-03 1.56E-02 IE-FZ79Z-F 9.63E-03 1.04E-02 IE-FZ-12-T 1.43E-04 1.45E-02 IE-2A-1 9.50E-03 1.03E-02 IE-FZ-15-T 6.45E-04 1.42E-02 IE-66-1 3.83E-04 1.31E-02 IE-YD--SE 7.05E-04 1.1OE-02 IE-FZ96-F 4.80E-03 1.07E-02
I Calculation No. PRA-QNT-004, Rev. 0 Page 44 I 6 Conclusions This calculation analyzes the risk impact with MODE I full power operation of Cook Unit 1 with the Unit I AB EDG out of service. The calculated values of 4.126E-06 ICCDP and 2.990E-7 ICLERP of are within the Regulatory Guide 1.177 acceptance guidelines of less than I E-5 ICCDP and 1E-6 ICLERP for one time TS completion time changes, giyen a total TS completion time of 65 days (Reference 7.12). This one-time TS completion time change is therefore considered acceptable.
I Calculation No. PRA-QNT-004, Rev. 0 Page 45 7 References 7.1 PRA-NUPRA-002, 2009 PRA Model of Record, Rev. 1 3/20/2009 7.2 PRA-FIRE-17663-005-LAR, DC Cook Fire PRA Fire-Induced Risk Model, Rev. 1, 11/5/2014 7.3 PRA-UNC-001, Uncertainty Parameters, Rev. 2, 3/20/2009 7.4 PWROG-14001-P, PRA Model for the Generation III Westinghouse Shutdown Seal, Rev. 1, July 2014 7.5 WCAP-16341-P, Simplified Level 2 Modeling Guidelines, Rev. 0, November 2005 7.6 PRA-TH-L I-I, Select Level I PRA MAAP4.0.5 Thermal-Hydraulic Analyses, Rev. 0, 5/15/2014 7.7 PRA-TH-L1-2, Level 1 PRA MAAP4.0.5 Thermal-Hydraulic Analyses, Rev. 0, 7/11/2014 7.8 ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level I/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plants, 2/2/2009 7.9 NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies Through the Elicitation Process, April 2008 7.10 NUREG/CR-6890, An Analysis of Loss of Offsite Power Events, December 2005 7.11 Regulatory Guide 1.200, AN APPROACH FOR DETERMINING THE TECHNICAL ADEQUACY OF PROBABILISTIC RISK ASSESSMENT RESULTS FOR RISK-INFORMED ACTIVITIES, Rev. 2, March 2009 7.12 Regulatory Guide 1.177, AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMED DECISIONMAKING: TECHNICAL SPECIFICATIONS, Rev. 1, May 2011 7.13 Regulatory Guide 1.174, AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT IN RISK-INFORMED DECISIONS ON PLANTSPECIFIC CHANGES TO THE LICENSING BASIS Rev. 2 May 2011 7.14 1-OHP-4025-001-001, Emergency Remote Shutdown, Rev. 10, 10/23/2014 7.15 1-OHP-4025-R-INDEX, System Restoration Procedures Index, Rev. 4, 5/9/2013 7.16 I-OHP-4023-ES-I-2, Post LOCA Cooldown and Depressurization, Rev. 16, 3/28/2013
I Calculation No. PRA-QNT-004, Rev. 0 Pane 46 1 Attachment 1 - Files on CD
Enclosure 5 to AEP-NRC-2015-49 REGULATORY COMMITMENTS The following table identifies an action committed to by Indiana Michigan Power Company (I&M) in this document. Any other actions discussed in this submittal represent intended or planned actions by I&M. They are described to the U. S. Nuclear Regulatory Commission (NRC) for the NRC's information and are not regulatory commitments. All commitments discussed in this table are one-time commitments.
Commitment Scheduled Completion Date (if applicable)
The following equipment will be protected ("Guarded Equipment") Prior to entering the in accordance with the plant On-Line Risk Management procedure, period of extended during the period of extended Completion Time (CT)) for the Ul AB Completion Time (CT) emergency diesel generator (EDG). The On-Line Risk and maintained for the Management procedure requirements include: posting the duration of the extended equipment with signs and barriers to prevent inadvertent operation, CT.
no routine work activities on protected equipment, and Operations Shift Manager approval for any emergent work involving protected equipment.
- Essential Service Water Pumps (All Unit 1 and Unit 2)
- The U1 TDAFP and associated direct current Power sources (including Battery Chargers) & Distribution
- 1 CD 4kV Switchgear Rooms, and the 600 VAC and mezzanine areas
- 1 CD Station Battery and Battery Chargers
- 1 CD 250-Vdc Distribution Panels/Room
- Ul Main and Unit Auxiliary Transformers
- Ul Reserve Feed Transformers
- 69kV Switchyard and SDGs
- Ul East Residual Heat Removal (RHR) Pump and Heat Exchanger Rooms
- Ul East Centrifugal Charging Pump (CCP)
- Ul North SI pump
- 345 & 765kV switchyards
- Ul DIS Trains
- Component Cooling Water Pumps (All Unit 1 and Unit 2) to AEP-NRC-2015-49 Page 2 Implement the following actions from Attachment 10 of Cook Prior to entering the Nuclear Plants (CNP's) Online Risk Management procedure: period of extended AOT and maintained for the a) On duty Fire Brigade and Operations crews will be duration of the extended made aware that an extended outage of Unit 1 fire risk AOT.
significant equipment (the 1 AB EDG) is being invoked, and the risk management actions below, and fire responses for those areas, should be reviewed.
b) The following fire zones are to be guarded as fires in these zones have the potential to damage Unit 1 Train A equipment, that are important with the 1 AB EDG (Train B EDG) unavailable:
- 15 Unit 1 CD Emergency Diesel Generator Room
- 17D Unit 1 East Motor Driven Auxiliary Feed Pump Room
- 29A & 29G Unit 1 East Essential Service Water Pump, and Screenhouse MCC, Rooms
- 40B Unit 1 Train A 4kV Switchgear Area
- 41 & 42A Unit 1 600V Switchgear Areas
- 42C Unit 1 Inverter Room
- 44S Unit 1/2 Auxiliary Building El. 609', Southwest End (CCW Pp Area)
- 55 Unit 1 Electrical Switchgear Room Cable Vault
- 62B Unit 1 East Centrifugal Charging Pump Room c) For each fire zone listed above:
- 1) No elective maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable.
- 2) Verify installed Fire Detection and Suppression systems are available, as applicable- AND -
Establish an hourly fire watch tour of the area
- OR -
Establish a continuous fire watch in the area
- 3) Verify no transient combustibles are stored in the immediate area, this excludes incidental transient combustible material as defined by station procedures.
- 4) No hot work is allowed in the area.
to AEP-NRC-2015-49 Page 3 d) Verify Unit 1 Train A is protected.
e) Operating Large Switchgear Breakers:
- 1) Operation of 4kV breakers (on 1A, T11A, 1B, T11B, 1C, T11C, 1D, & T11D) and large 600V breakers (on 11A, 11B, 11C, & 11D) is not allowed on Unit 1, except in response to emergent plant conditions (to minimize the possibility of high energy arc fault and other electrical fires).
- OR -
- 2) 4kV and 600V breakers may be operated in support of planned maintenance or Technical Specification surveillances provided the 609' El.
4kV and 600V switchgear areas automatic fire detection and C02 suppression systems are OPERABLE and in service (i.e. not isolated or bypassed). If not aligned for automatic discharge, C02 suppression systems must be capable of manual actuation and personnel are to be stationed at the actuation panel ready to actuate room C02 for the switchgear area, if directed.
Implement the following actions from Attachment 12 of Cook Prior to entering the Nuclear Plants (CNP's) Online Risk Management procedure: period of extended AOT and maintained for the a) On duty Fire Brigade and Operations crews will be made duration of the extended aware that an extended outage of Unit 1 fire risk significant AOT.
equipment (the 1 AB EDG) is being invoked, and the risk management actions below, and fire responses for those areas, should be reviewed.
b) The following fire zones are to be guarded as fires in these zones have the potential to damage all Unit 2 Safe Shutdown Equipment.
- 29GScreenhouse MCC Equipment Room
- 45 & 46A Unit 2 600V Switchgear Areas
- 46B Unit 2 Control Rod Drive Equipment Room
- 46C Unit 2 Inverter Room
- 46D Unit 2 AB Battery Room
- 54 Unit 2 Control Room
- 58 Unit 2 Control Room Cable Vault
- 59 Unit 2 Auxiliary Cable Vault
- 60 Unit 2 Electrical Switchgear Room Cable Vault to AEP-NRC-2015-49 Page 4
- 145 Unit 2 Hot Standby Panel Area c) For each fire zone listed above
- 1) No elective maintenance on fire detection or fire suppression equipment that will cause the fire detection or fire suppression equipment in the impacted fire zones to be inoperable.
- 2) Verify installed Fire Detection and Suppression systems are available, as applicable-AND-Establish and hourly fire watch tour in the area
-OR-Establish a continuous fire watch in the area
- 3) Verify no transient combustibles are stored in the immediate area, this excludes incidental transient combustible material as defined by station procedures.
- 4) No hot work is allowed in the area.
d) Operations brief on the following procedures
- 2-OHP-4025-001-001, Emergency Remote Shutdown
- 12-OHP-4025-001-002, Fire Response Guidelines e) Operating Large Switchgear Breakers::
- 1) Operation of 4kV breakers (on 1A, T11A, 1B, T11B, 1C, T11C, 1D, & T11D) and large 600V breakers (on 11A, 11B, 11C, & 11D) is not allowed on Unit 1, except in response to emergent plant conditions (to minimize the possibility of high energy arc fault and other electrical fires).
- OR -
- 2) 4kV and 600V breakers may be operated in support of planned maintenance or Technical Specification surveillances provided the 609' El.
4kV and 600V switchgear areas automatic fire detection and C02 suppression systems are OPERABLE and in service (i.e. not isolated or bypassed). If not aligned for automatic discharge, C02 suppression systems must be capable of manual actuation and personnel are to be stationed at the actuation panel ready to actuate room C02 for the switchgear area, if directed.
to AEP-NRC-2015-49 Page 5 The Unit 1 CD-EDG (Train A EDG) day tank shall be filled to just Prior to entering the under the high level alarm, so as to provide as much run time for period of extended AOT this EDG as possible before the day tank requires replenishment. and maintained for the This will provide approximately 87 minutes of Train A operation at duration of the extended full load if all other sources of power are lost, allowing additional AOT.
time for personnel to restore offsite power from other sources if required.
Elective Maintenance or test activities which could lead to a unit Prior to entering the trip, excluding TS required surveillances, will not be performed period of extended AOT unless needed to address an emergent failure that could challenge and maintained for the continued unit operation or the protected equipment for this CT duration of the extended extension. AOT.
Operations personnel will periodically monitor weather and grid Prior to entering the conditions that may challenge offsite power reliability and inform period of extended AOT Plant Management so that actions can be taken to reduce or and maintained for the eliminate, to the extent practicable, those challenges. The system duration of the extended load dispatcher will be contacted once per day to ensure no AOT.
significant grid perturbations are expected during the extended CT.
Also, the system load dispatcher typically informs the plant operator if conditions change during the extended CT (e.g., when the predicted voltages would be unacceptable as a result of a trip of the nuclear unit).
A temporary non-safety related diesel generator (NDG) capable of Prior to entering the supplying power to the Train B 4kV Emergency bus will be staged period of extended AOT in the CNP protected area. The NDG will be connected to the bus and maintained for the in the event of a loss of off-site power. Operations will be provided duration of the extended with instructions regarding start, operation, and breaker operation AOT.
of this equipment, to utilize this diesel for Unit 1 if needed.
Appropriate guidance for using this equipment will be in place prior to entering the extended CT.
0 to AEP-NRC-2015-49 Page 6 A smaller diverse and flexible strategies (FLEX) DG will be brought Prior to entering the to the plant protected area location to support Unit 1, with period of extended AOT necessary cabling stowed nearby, to relatively quickly connect and maintained for the these diesels through established FLEX connections and duration of the extended procedures to provide an additional emergency operating power for AOT.
a train of Unit l's Containment DIS.
Monitor condenser pit and circulating water system piping, valves, Prior to entering the condenser water boxes, and flexible couplings in both units for period of extended AOT indication of failures that could cause turbine building flooding, and and maintained for the bring these to the attention of Plant Management for prompt duration of the extended evaluation and, if required, action. Operating crews will be briefed AOT.
to promptly investigate condenser pit sump level, condenser pit flooded alarms, and condenser/circulating water system anomalous behavior, so as to take actions needed to arrest turbine building flooding due to circulating water system piping failures in the turbine building.
Monitor ESW pipe tunnel alarms and ESW system indications in Prior to entering the both units for indication of failures that could cause ESW Pipe period of extended AOT tunnel flooding, and bring these to the attention of Plant and maintained for the Management for prompt evaluation and, if required, action. duration of the extended Operating crews will be briefed to promptly investigate pipe tunnel AOT.
sump alarms or anomalous ESW system behavior, so as to take actions needed to address any ESW initiated flooding due to ESW system piping failures. If ESW pipe tunnel sump alarms are not functional, the crews should periodically monitor ESW piping in the ESW pipe tunnel for leaks i
The Operations department will periodically (every twelve hours) Prior to entering the verify that the generator is properly staged and that the guidance period of extended AOT necessary to connect it to the emergency bus is available at the and maintained for the machine duration of the extended AOT.
These compensatory measures will be promulgated to the Prior to entering the operating crews in an operations department standing order. period of extended AOT and maintained for the duration of the extended AOT.
Enclosure 6 to AEP-NRC-2015-49 Donald C. Cook Nuclear Plant Probabilistic Risk Assessment Technical Adequacy Justification The Probabilistic Risk Assessment (PRA) model used to assess risk of extending the Donald C. Cook Nuclear Plant (CNP) Unit 1 Technical Specification (TS) 3.8.1, Condition B, Completion Time (CT) to 65 days for CNP Unit 1 is a WinNUPRA event tree model with system fault trees. It is an updated version of the current Internal Event (IE) PRA model of record (09MORW), which had an effective date of February 20, 2009. This updated model is under development as CNP's new updated PRA Model of Record and is scheduled for July 2015 Peer Review. Changes in the updated model include revisions accomplished to:
o Update failure and initiating event frequencies with recent industry and CNP specific information o Improve support system modeling to more closely resemble actual operating practices and address system operational limitations in scenarios o Include plant modifications that had not previously been incorporated but are expected to play a significant role (such as adding a backup air supply to the steam generator (SG) atmospheric relief valves, including the restored residual heat removal (RHR) injection crosstie function, and including the reactor coolant pump (RCP) Gen III Shutdown Seals (SDS) o Reviewed and updated/improved human reliability analysis (HRA) analysis to assure adequate documentation and correct treatment o Review and update the internal flooding analysis to use recent updated piping failure rates and validate prior walkdowns of plant areas, flood sources, and targets o Include updated Level 2 large early release frequency (LERF) modeling consistent with recent Pressurized Water Reactor Owners' Group (PWROG) documents removing significant conservatism from model LERF results o Incorporate various other desired low level items/improvements in the model since 2009 CNP calculation PRA-NUPRA-002, 2009 WinNUPRA PRA Model of Record, Revision 1, documents quantification of the current PRA model of record, in combination with model associated system notebooks, on which the updated model used in this assessment is based.
The updated model used for this assessment is the most recent evaluation of the CNP lEs at-power risk profile from the PRA-NUPRA-002 model. CNP's PRA models are maintained and updated under a PRA configuration control program in accordance with CNP procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is periodically updated to reflect such changes by qualified personnel, with independent reviews and approvals. The fire PRA model used in this assessment is an updated, improved version of the PRA model on which the CNP National Fire Protection Association (NFPA)-805 Fire PRA model was based, and recently used to obtain approval to transition to NFPA-805.
Indiana Michigan Power Company (I&M) considers the updated CNP IE PRA (IEPRA) adequate to support extending Unit 1 TS 3.8.1, Condition B, Required Action B.5, CT. The update to the 09MORW model is based on a prior model initially Peer Reviewed September 24th - 28th, 2001.
That 2001 Peer Review noted a number of facts and observations (F&Os) based on sub-elements included in the then-current Nuclear Energy Institute guidance for conduct of peer reviews. The PWROG issued a report containing the results of the CNP IEPRA Review at the
Enclosure 6 to AEP-NRC-2015-49 Page 2 end of December 2002 (which was the report associated with the 2001 Peer Review).
Summaries of F&Os, the status of the disposition of a small portion of F&Os, and the impact of open F&Os considered as possibly affecting this application are provided in Table 1.0.
Following resolution of all significant F&Os (Class A & B) from the 2001 Peer Review, a Gap Assessment was performed in 2004 by an independent contractor. The Gap Assessment provided comments related to a number of the then-current American Society of Mechanical Engineers (ASME) PRA Standard supporting requirements.
F&Os from the CNP 2001 PRA peer review were prioritized into four categories (A through D) based on importance to the completeness of the model. Category A and B F&Os are significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model was updated to address all Category A, B, F&Os, several C & D F&Os were addressed as well, but not all were closed.
Following several small model and various system related updates, a Focused-Scope Peer Review was conducted in 2009, associated with CNP's Fire PRA effort. The Focused-Scope Peer Review identified a number of F&Os based on the supporting requirements in the-then current U.S. Nuclear Regulatory Commission (NRC) Regulatory Guide (RG) 1.200, Revision 1.
The detailed findings and comments from both the 2001 Peer Review and 2004 Gap Assessment have been previously submitted to NRC, and along with the 2009 Peer Review are available to NRC staff if additional detail is needed. In late 2012, an additional model gap analysis was conducted as part of responding to a request for additional information associated with the proposed NFPA-805 amendment. That Gap Assessment was conducted to RA-Sa-2009 and has been reviewed/evaluated for consideration of the impact on metrics associated with this particular request. Of these gaps, most were related to proper documentation associated with uncertainty, or documentation associated with various data or information that should be in model notebooks. None indicated significant model non-conservative results, and of those that did discuss results, the indication was that the modeling was too conservative, and produced overly conservative results. Review of this assessment found none significant enough to non-conservatively affect the outcome for this proposed CT extension.
Status of the eleven Peer Review F&Os considered as possibly significant with regard to the one time TS 3.8.1 CT extension are included and discussed in Table 1.0, below:
RG 1.200, Revision 2 Compliance Summary The CNP IEPRA satisfies the applicable portions of the combined PRA Standard as implemented by RG 1.200, Revision 2 as described below. A Gap Assessment of the current IEPRA model was conducted by a third party as part of the update process to evaluate differences between the CNP IEPRA and the Supporting Requirements (SRs) of ASME/American Nuclear Society RA-Sa-2003 and the SRs of RA-Sa-2009 as endorsed by RG 1.200, Revision 2. In general, most model gaps were found to be in the form of documentation shortcomings with no significant impact on the PRA model and metrics used for the TS 3.8.1, Condition B, CT extension license amendment request for the 1 AB EDG.
Enclosure 6 to AEP-NRC-2015-49 Page 3 A general discussion description of the gap analysis is provided below.
The current model of record Gap Assessment performed in the 2012-2013 time-frame identified significant gaps (too much conservatism) in LERF modeling. The Level 2 PRA model was subsequently revised to address the applicable issues. A focused scope review on the Level 2 PRA model changes was completed. Following these PRA model changes, the focused scope reviewers judged the revised LERF model as still unable to meet CC II because the current model remains conservative. This condition, while not optimal for a CC II Model, produces conservative results for the associated extension. The Level 2 LERF modeling was subsequently, again revised using methods and considerations from WCAP 16341-P, Simplified Level 2 Modeling Guidelines, Revision 0, which removed considerable conservatism in overall model LERF results, and has been carried over into the updated model used for this assessment.
The 2012 gap assessment also found that Test and Maintenance (T&M) factors were applied differently in the model than standard industry practice. A focused scope peer review was conducted on this gap and confirmed the need to revise the PRA model to conform to industry practice for T&M treatment. The IEPRA and Fire PRA models were updated to change the T&M mission time treatment to conform to standard industry practice. An updated revised model was used to obtain the metrics associated with the extension that are provided in this document.
2012 Gap Assessment Description The 2012 Gap Assessment identified 115 SRs with potential gaps in the IEPRA model due to the different standards' versions of the various SRs. None of these gaps indicated a significant non-conservative concern for model results. For these 115 potential gaps, the IEPRA model was judged against the RA-Sa-2009 CC II requirements. For 47 SRs with potential gaps, the IEPRA model was judged to meet the RA-Sa-2009 CC II requirements; therefore, no actual gap(s) existed for those SRs. The remaining 68 SRs with potential gaps were determined to indicate actual gaps because they involved differences between the RA-Sa-2009 CC II SR and the IEPRA model. Many of these actual gaps are related to documentation rather than technical concerns with modeling or results and may be resolved by enhancement/update of existing documentation. Resolution of these documentation related gaps is not expected to result in any impact to the model or its associated metrics. Of the 68 identified actual gaps between the RA-Sa-2009 CC II SR and the IEPRA model, there are 53 gaps whose resolutions are expected to result in changes to the model, but these changes are not expected to be significant. For example, the IEPRA model was identified as having a gap with respect to SR AS-C2, whose content was significantly different in the 2009 Standard. The IEPRA gap was identified as both documentation and a modeling deficiency. The documentation deficiency does not represent any IEPRA impact; however, the modeling deficiency involved not having fully incorporated the latest consensus RCP seal loss of coolant accident (LOCA) model i.e., the WOG2000 model developed by the Westinghouse Owners Group (WOG). Once properly incorporated, as it is in the updated model used for this assessment, this IEPRA modeling gap has no impact on the IEPRA, or the results associated with the TS 3.8.1 Condition B, CT extension, beyond a small insignificant reduction in overall metrics, with virtually no change in core damage frequency (ACDF) and ALERF results. Other additional examples were six IEPRA model gaps related to uncertainty analysis. Gaps of this nature have no impact on the IEPRA model metrics.
to AEP-NRC-2015-49 Page 4 The remaining 15 actual gaps involve resolutions impacting the PRA model and model associated documentation. All of these gaps are related to LERF associated modeling, or modeling related documentation. The gaps in many of the PRA Large Early Release SRs were determined to have no numerical impact on LERF, or indicated an overly conservative LERF treatment. Ultimately, a new Level 2 model was developed using recent WCAP guidance and incorporated into the model.
to AEP-NRC-2015-49 Page 5 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension AS-04 In the event tree (ET) for Station Black-Out Open This F&O identifies what appears to be an inconsistency (SBO), existing logic for Auxiliary Feed affecting only the IEPRA model SBO ET. This 2001 Water (AFW) functions asked successively Peer Review F&O was issued as a Level C low does not require correlation between significance item. It pertained to Turbine-Driven success of the prior branch and the failure Auxiliary Feedwater Pump (TDAFP) operation for four of the latter branch. (Significance Level C) hours followed by the potential for an additional two hours of operation in event of an SBO. It was directed at potentially requiring different TDAFP to SG valves to be opened and does not have much merit in that if the TDAFP is satisfactorily providing flow at four hours to all four SGs as would typically be done, or to any combination of the available four SGs, the probability that significant changes or equipment operation have to be made to system operation for it to continue for an additional two hours are judged to be small. The subsequent WOG 2009 Peer review specifically assessed the SBO ET and had no comments on this ET construction. As such, it is judged as not significant to overall model results and did/does not warrant revision.
The updated model retained this construction from previous model updates.
The Fire PRA credits the TDAFP for a full 24-hour mission time in all cases, based credited human actions from fire event procedures.
AS-07 Initiating event dependencies are not Closed In the updated IE model, the ETs were significantly retained by ET transfers. modified. Initiating event dependencies were retained (Significance Level A) in ET transfers through the quantification process,
Enclosure 6 to AEP-NRC-2015-49 Page 6 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension although the reliance on event tree transfers was reduced.
AS-10 The ETs do not include a heading for Closed The F&O identifies the lack of Cl failure top event in the containment isolation (Cl) failure, resulting in various ETs as inconsistent with the LERF modeling improper assignment of LERF. (Significance approach adopted by I&M (i.e., NUREG/CR-6595).
Level B) Rather than changing all ETs to include Cl, the LERF fault tree was modified to include Cl. Specifically, the Cl model was incorporated explicitly into the LERF analysis by including failure to isolate under an OR-gate for each of the LERF functional equations utilized in the ET. Appropriate use of house events accounted for initiator dependencies.
The updated model used in this assessment has not made any significant change to this response.
Enclosure 6 to AEP-NRC-2015-49 Page 7 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension AS-Al 0, Interfacing Systems Loss of Coolant Accident Open This issue relates specifically to the IEPRA model for AS-B3, SC- (ISLOCA) modeling should: (1) separate the ISLOCA and the relatively simple treatment provided in A6 human reliability and hardware (valve) reliability all model ISLOCA ETs, and specifically that two of the when modeling potential isolation of the ISLOCA ETs did not include ET manual, or system appropriate breaks, (2) address valve shutoff mitigating, actions. The ISLOCA sequences modeled by delta-P capability for valves credited for these latter two ETs have historically been judged to be isolation, (3) valve failure rates indicative of sufficiently low probability that additional analytical functional degradation due to harsh development was not cost beneficial.
environment for RHR pump seal failure events, An ISLOCA event is a direct containment bypass event, (4) operations procedures should address does not depend on Cl functions or failure probability for remote manual isolation of ISLOCA events, mitigation, and it is not impacted by changes to the probability of Cl failure. Contributions from these events would be the same in the base and proposed one-time T,S, 3.8.1 amendment case, and would have no net impact on proposed one-time TS 3.8.1 amendment metrics.
The updated model used in this assessment has not made any significant change to this response.
QU-04 Some loss of containment cooling water (CCW) Closed The observations and possible resolutions included in and essential service water (ESW) sequences this F&O cover several issues. Each is discussed involving tripping the RCPs, depressurizing the below.
reactor coolant system (RCS), and restoring CCW or ESW, appear to be overly optimistic. 1. The time allowed for the operators to trip RCPs, (Significance Level B) following loss of CCW or ESW, has been revised to two minutes in all notebooks and this timing is used in the analysis. The ET Notebook and HRA Notebook have been revised to reflect this change and to be consistent
Enclosure 6 to AEP-NRC-2015-49 Page 8 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension with one another.
Failure of the RCP breakers to open has been added to the fault tree used for the RCP top event.
- 2. The accident progression in the ET Notebook was revised to reflect the use of FR-C.2 to initiate RCS cooldown with FR-C.1 as a backup. The timing of the cues that cause the operators to enter these procedures was confirmed with Modular Accident Assessment Program (MAAP) runs and this timing was incorporated into the Human Error Probability (HEPs) that model the cooldown. The HRA notebook was also revised to QU-04 reflect this timing.
The capability of two out of four SG Power Operated Relief Valve (PORVs) to complete depressurization and allow accumulator and RHR injection was confirmed with MAAP runs. These MAAP runs also removed the requirement for pressurizer PORVs on depressurization.
- 3. Recovery of ESW and CCW is modeled with fault trees that consider the failure involved and these fault trees have been incorporated into the quantification process. Also, the MAAP runs mentioned above allow up to two hours to recover cooling to RHR pumps before core damage.
Based on the discussion of the problems and actions
Enclosure 6 to AEP-NRC-2015-49 Page 9 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension taken, this F&O does not affect the metrics associated with the one-time TS 3.8.1 CT extension. Additionally, better modeling for these system initiators in the updated model have increased the relative/fractional contribution from these systems to IE CDF & LERF.
SY-05 Diversion flow paths that adversely affect Closed Fault Tree Modeling Guidelines were developed and success criteria or timing of events may have implemented that include flow diversion considerations.
been eliminated without sufficient justification. A review of flow diversion paths has been performed on (Significance Level B) those systems included in the PRA model based on these guidelines and this review is documented in the revised PRA system notebooks. The specifics regarding inclusion and exclusion of potential system flow diversions are addressed in Section 5.1 of each of the system notebooks, "Assumptions and Boundary Conditions." The 10 percent of flow area criteria (or 1/3 diameter) included previously, as a general assumption in some of the system notebooks is no longer used for any of the system models.
The updated model used in this assessment has not made any significant change to this response.
to AEP-NRC-2015-49 Page 10 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension SY-1 1 Passive failure modelina in the loss of service Closed Fault Tree Modelina Guidelines were develoDed that water system IE logic is inadequate. include passive failure considerations. Passive failures (Significance Level A) have been addressed in accordance with these Guidelines for all system models. Specific modeling assumptions are included in Section 5 of each system notebook for which passive failures have been included.
In addition, heat exchanger ruptures, system leaks, and heat exchanger plugging have been addressed for the CCW and ESW systems in both their IE models and plugging has been added to their system response models. Common Cause Failure (CCF) of ESW system strainers is treated consistently for all initiators. CCW heat exchanger rupture has been removed and treated as an internal flood initiator.
The updated model used in this assessment has not made any significant change to this response.
to AEP-NRC-2015-49 Page 11 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension SY-1 7 Cross-tie for AFW from Unit 2 does not consider Open The Fire PRA revised the AFW cross-tie model to the need for AFW at Unit 2, so the fault trees explicitly account for the possibility that the non-fire-presume both motor driven pumps at Unit 2 are affected unit AFW was unavailable for use due to its available for supply to Unit 1 in the event the own AFW demand. This involved adding another failure three pumps at Unit 1 fail. (Significance Level mode for the AFW cross-tie that consists of random C) failure or test and maintenance of the unaffected unit's turbine-driven AFW pump coincident with a random failure or test and maintenance of one of the two motor-driven AFW pumps at the unaffected unit. Since this failure mode involves two independent train failures, its likelihood is significantly less than the scoping value of 0.1 that is used for the HEP for cross-tying the AFW flow between units. As a result, this lack of model detail is judged to not have an appreciable impact on model results.
In the updated model this consideration was carried over into the updated internal events & flooding PRA used in this assessment.
Enclosure 6 to AEP-NRC-2015-49 Page 12 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension SY-19 Recovery for ESW and CCW does not consider Closed Both the ESW and CCW fault trees were modified to the cause of failure; NSAC-161 recovery factors specifically address the differing recovery probabilities are applied to all system failures evenly. for valve and pump failures, while the ESW fault tree (Significance Level B) was modified to also consider recovery for strainer plugging. Recovery of pump or valve failure requires operator actions that would be performed outside the control room. As a result, recovery credit is limited to correction of only one of the potentially several recoverable valve or pump faults that may have resulted in failure of the system. Recovery of plugged strainers can be accomplished by automatic action to shift the on-line strainer to the standby strainer. Rather than use a generic recovery probability, the strainer shift was modeled directly in the ESW system fault trees during the update for support system initiating events.
The updated model used in this assessment included changes to CCW and ESW system modeling to both improve the fidelity to plant operation and operator response to events involving these systems, and limitations regarding pump capability for certain situations for ESW. Overall, without the Gen III SDS seal in place and functioning, these become the largest contributor to internal event risk, barring any further model changes
Enclosure 6 to AEP-NRC-2015-49 Page 13 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension TH-06 The basic success criteria based on MAAP Closed In response to this F&O, American Electric Power analyses were developed in the 1991/1992 time performed a re-analysis of the success criteria of RCS frame. (Significance Level B) cooldown and depressurization for small and medium LOCAs. These cases were chosen because the F&O identified these as the most important success criteria.
The new analyses were performed to establish the timing for these success criteria based on a more modern version of MAAP (i.e., MAAP 4.0.5).
In support of Fire PRA model development, a calculation was performed to establish revised Level 1 thermal-hydraulic success criteria. The calculation includes 92 new MAAP runs performed using MAAP 4.0.5. The 92 new cases included 45 success criteria cases involving transients with stuck-open SG PORVs, RCP seal LOCAs, and various small LOCA sizes.
These cases yielded an unsuccessful outcome, then sequence timing information was determined. The IEPRA model has not yet been updated to account for these cases. Review of these cases show that the original Individual Plant Examination (IPE)-based success criteria are conservative. The updated IE Model used in this assessment included new, additional MAAP runs specifically in support of the update to refine both thermal-hydraulic information and HEP response timing in some cases.
Enclosure 6 to AEP-NRC-2015-49 Page 14 Table 1.0 - Internal Events PRA Peer Review - Pertinent Facts & Observations (F&Os) for CT Extension F&O # F&O Summary Status F&O Disposition for TS 3.8.1 Extension TH-08 Unable to establish basis for the time available Closed In support of Fire PRA model development, a to actuate bleed and feed for transients without calculation has been performed to establish revised steam conversion. (Significance Level C) Level i thermal-hydraulic success criteria. The calculation includes 92 new MAAP runs performed using MAAP 4.0.5. The 92 new cases include 12 transient cases that investigated sequence timing given a loss of AFW to determine the time available for initiating bleed and feed or the minimum equipment required to mitigate the scenario. Review of these scenarios confirmed that the time available to initiate bleed and feed for transients without steam conversion mentioned in the F&O are conservative.
The Fire PRA used the results of this calculation. The updated IE Model used in this assessment included new, additional MAAP runs specifically in support of the update to refine both thermal-hydraulic information and HEP response timing. This F&O does not affect the one time TS 3.8.1 CT extension in a non-conservative manner.