ML15154B048

Risk Analysis to Support Response to Requests for Additional Information Regarding One Time Emergency License Amendment Request to Revise Tech Spec Section 3.8.1 to Permit Extending the Completion Time. (RAI-APLA 2 Through 8)
Site: Cook, American Electric Power
Issue date: 05/29/2015
From: Heyeck J, Indiana Michigan Power Co
To: Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package: ML15154B043
References: AEP-NRC-2015-52


Text

Enclosure 4 to AEP-NRC-2015-52 Risk Analysis to Support Response to Requests for Additional Information Regarding One Time Emergency License Amendment Request to revise Technical Specification Section 3.8.1 to permit extending the Completion Time. (RAI-APLA 2 through 8)

D. C. COOK NUCLEAR PLANT
CALCULATION/REPORT COVER SHEET

Document No.: PRA-QNT-006
Rev No.: 0

Title: NRC RAI Response for One-Time Emergency Technical Specification Completion Time Change for Unit 1 AB EDG

STATUS: [x] Approved  [ ] Superseded  [ ] Voided  [ ] Information Only

Document Type/Class: [x] Calculation  [ ] Report  [ ] Class 1  [ ] Class 2  [x] Class 3

QUALITY CLASSIFICATION: [ ] Safety-Related  [ ] Non-Safety Related with Special Requirements  [x] Non-Safety Related

SYSTEM CODE, UNIT NO.: NAPL I

COMPUTER MEDIA: [ ] Yes  [x] No

REVIEW METHOD: [x] Detailed Review  [ ] Alternate Calculation  [ ] Other  [ ] N/A - Status/Class Change Only

Do any assumptions require later verification? [ ] Yes  [x] No  If yes, AT No.

Description: See Purpose

This non-design calculation is exempted by the approver from the configuration management requirements of 12-EHP-5040-DES-003 section 3.4.5.

If the Reviewer is the Preparer's supervisor, the supervisor review is needed and is approved: [x] N/A

Supervisor's Manager's Name, Title, Signature, Date:

Qualification Matrix Verification

  • The responsible Engineering Supervisor/Manager approval signature also serves to signify that the qualifications of the individual(s) assigned as Preparer(s) and Reviewer(s) and Independent Design Verifier(s) were verified in the Plant Qualification Matrix.

Preparation & Review

PREPARED BY: James M. Heyeck, PRA Engineer, Engineering Programs/PRA
REVIEWED BY: Stephen J. Cherba, PRA Engineer, Engineering Programs/PRA
*APPROVED BY: Gary Weber, Manager, Configuration Management
Date:

[ ] Sign-offs for additional Preparer(s) and Reviewer(s) on next page

This document includes the following pages:

Calculation No. PRA-QNT-006, Rev. 0

Table of Contents

1 Purpose
2 Methodology
3 Inputs
4 Assumptions
5 Calculations
5.1 RAI Question #1
5.2 RAI Question #2
5.3 RAI Question #3
5.4 RAI Question #4
5.5 RAI Question #5
5.6 RAI Question #6
5.7 RAI Question #7
5.8 RAI Question #8
5.9 Risk Analysis of HELB Barrier Removal on 1-ELSC and 1-ELSCX
5.10 ICCDP and ICLERP Values with RAI Response
6 Conclusions
7 References

List of Tables

Table 5.3 Revised Unit 1 CD EDG Failure Probabilities for Surveillance Frequency Extension
Table 5.6 Updated HFE Values
Table 5.10 Final Total CDF and LERF Results
Table 5.10 ICCDP and ICLERP Results for 65 Day Completion Time

List of Attachments

Attachment 1 - Files on CD
 - MAAP Analysis Results
 - HRA Calculator Output

List of Abbreviations

AFW: Auxiliary Feedwater
AMSAC: ATWS Mitigating System Actuation Circuitry
ATWS: Anticipated Transient Without Scram
CCP: Centrifugal Charging Pump
CDF: Core Damage Frequency
CST: Condensate Storage Tank
CRDM: Control Rod Drive Mechanism
CTS: Containment Spray system
CVCS: Chemical and Volume Control System
ECCS: Emergency Core Cooling System
EDG: Emergency Diesel Generator
EOP: Emergency Operating Procedure
ESFAS: Engineered Safety Features Actuation System
ESW: Essential Service Water
FW: Feedwater
F-V: Fussell-Vesely
HEP: Human Error Probability
HFE: Human Failure Event
HLR: High Level Requirement
HSS: High Safety Significant
ICCDP: Integrated Conditional Core Damage Probability
ICLERP: Integrated Conditional Large Early Release Probability
IE: Internal Events
LERF: Large Early Release Frequency
LOCA: Loss of Coolant Accident
LSS: Low Safety Significant
MAAP: Modular Accident Analysis Program
MDAFP: Motor-Driven Auxiliary Feedwater Pump
MOR or MORW: Model of Record
MTI: Maintenance Technical - Instrument and Control
NRC: Nuclear Regulatory Commission
OOS: Out of service or Unavailable
PAC: Plant Air Compressor
PORV: Power-Operated Relief Valve
PRA: Probabilistic Risk Assessment
PDS: Plant Damage State
PRM: Plant Response Model
RAI: Request for Additional Information
RAW: Risk Achievement Worth
RCP: Reactor Coolant Pump
RCS: Reactor Coolant System
RHR: Residual Heat Removal
RWST: Refueling Water Storage Tank
SDG: Supplemental Diesel Generator
SBO: Station Blackout
SG: Steam Generator
SR: Supporting Requirement
SSPS: Solid State Protection System
SI: Safety Injection
SIP: Safety Injection Pump
TDAFP: Turbine-Driven Auxiliary Feedwater Pump
TS: Technical Specification

1 Purpose

This calculation provides responses to the NRC RAIs in support of the Unit 1 AB EDG one time completion time extension. The RAIs stated the following:

1. Provide clarification on changes made to the 2009 PRA Model of Record and the Fire PRA Model of Record in developing the PRA to support the Unit 1 AB EDG one-time CT extension. This RAI has been answered by PRA-QNT-005.
2. Confirm that CDFinst and LERFinst (page 6, PRA-QNT-005) are also zero maintenance estimates.
3. Do the risk calculations include changes to the other surveillance intervals requested for 3.8.1.2, 3.8.1.3, and 3.8.1.7, or can those impacts be determined to be negligible based on the potential impact on the risk assessment?
4. The submittal provides a typical but not all inclusive list of other activities that will be performed during the one-time EDG CT extension (page 20 of enclosure 2). The submittal also states that required surveillances with short duration are not considered (Page 8 of PRA-QNT-005). However, some surveillances of short duration may increase the likelihood of a transient with a demand for the EDGs. How has this been considered?
5. The updated internal events results are included in both Table 5.4-1 (PRA-QNT-004) and Table 5.6-1 (PRA-QNT-005). CDF increased from 1.412E-5/yr in the 2009 model of record to 1.268E-4/yr in the updated internal events model. Apparently this increase was primarily due to the removal of the "reduction factor" on CCFs for loss of CCW and ESW. Confirm that the updated internal events model increased the CDF by a factor of 10 over the 2009 model because of the modified CCF values.
6. A new human action 1FSBO---RCC-OMA associated with the new CVCS cross-tie and cooldown has been introduced. Table 5.2-1 (page 35 PRA-QNT-004), states that the execution time is 15 minutes and assigns a value of 6.58E-4. Provide a summary of all the actions needed to establish the cross-tie including time available, time needed, and the joint HEP used in the sequences.
7. The LAR states that Tier 3 actions include protecting the alternate (Train A) equipment. Justify not including the Train A motor-driven AFW pump on the protected equipment list discussed in Tier 3 compensatory measures.
8. The risk assessment credits use of Unit 2 CVCS and AFW via cross-ties as means to provide RCS inventory and heat removal. Justify not including the Unit 2 equipment credited in the Unit 1 risk analysis on the protected equipment list discussed in Tier 3 compensatory measures.

In addition to the above response, it was noted during a review of the Unit 1 AB EDG block wall removal that 120 VAC distribution panels 1-ELSC and 1-ELSCX would no longer be protected against HELBs. These panels power some equipment important to PRA, as identified below. Since Cook has recently submitted and received approval for the adoption of TSTF-427, Allowance for Non Technical Specification Barrier Degradation on Supported System Operability (Reference 7.22), a risk analysis is provided for components powered by those panels.

2 Methodology

Where needed to respond to RAIs, updated Regulatory Guide 1.177 (Reference 7.12) risk parameters are calculated using the following general equations:

ΔCDF = CDFinst - CDFbase

where

CDFinst = the Unit 1 CDF value when only the Unit 1 AB EDG is unavailable, with appropriate allowances for the Unit 2-PAC & 1W-MDAFP OOS time and the operation and maintenance restrictions described below (Assumption 4.1) are in place

CDFbase = the Unit 1 "base case" zero maintenance CDF value (with the exceptions shown in Assumption 4.1).

ΔLERF = LERFnew - LERFbase

where

LERFinst = the Unit 1 LERF value when only the Unit 1 AB EDG is unavailable, with an appropriate allowance for the Unit 2-PAC & 1W-MDAFP OOS time, and the operation and maintenance restrictions described below (Assumption 4.1) are in place

LERFbase = the Unit 1 "base case" zero maintenance LERF value (with the exceptions shown in Assumption 4.1).

ICCDP = (ΔCDF) * (Duration (days) / 365 days/year)

ICLERP = (ΔLERF) * (Duration (days) / 365 days/year)

3 Inputs

3.1 The 2009 WinNUPRA model of record (Reference 7.1) is currently undergoing a full model update (see details in Reference 7.20). For any risk information obtained from the Internal Events model used to respond to RAIs, results are provided from the 2009 model and the updated model for comparison.

3.2 The Fire PRA model of record (Reference 7.2) was changed for this application as described in Reference 7.20. This model is used to provide any Fire PRA risk information needed to respond to RAIs.

3.3 The Safety Monitor Model of Record (Reference 7.25) is used to analyze the risk of HELB barrier removal on 120VAC Distribution Panels 1-ELSC and 1-ELSCX.

4 Assumptions

4.1 The average PRA model test and maintenance factors for the following equipment are adjusted to match the out of service durations during the Unit 1 AB EDG unavailability:

  • The Unit 1 West MDAFP was unavailable for approximately 28 hours. The test and maintenance term is therefore adjusted to 28 hrs / (14 days * 24 hrs). This conservatively accounts for 28 hours of unavailability during the one-time extended EDG unavailability window.
  • The Unit 2 PAC was unavailable for approximately 14 hours. The test and maintenance term is therefore adjusted to 14 hours / (14 days * 24 hours). This conservatively accounts for 14 hours of unavailability during the one-time extended EDG unavailability window.
  • The Unit 1 Middle Heater Drain Pump remained out of service for the majority of the EDG unavailability. This pump is not modeled in the Internal Events or Fire PRA.
  • Required surveillance runs with short-duration (~15 mins) unavailabilities are not considered. This includes surveillance tests on other EDGs to prove that they remain operable. For EDG runs, multiple equipment operators are stationed at the EDG being tested, such that the EDG can be restored in short order. This assumption was the subject of a specific RAI and is addressed below.

4.2 All previous assumptions listed in Reference 7.20 are used in this analysis, with the exception of the ESW crosstie configuration, since no flag settings exist in the 2009 Internal Events model to account for this configuration. This is judged to have an insignificant impact on the overall results, for the same reasons as Assumption 4.7 in Reference 7.20 for the Fire PRA.

5 Calculations

5.1 RAI Question #1

RAI Question #1 states:

"Provide clarification on changes made to the 2009 PRA Model of Record and the Fire PRA Model of Record in developing the PRA to support the Unit 1 AB EDG one-time CT extension."

Response

This RAI has been answered by PRA-QNT-005, as stated in the NRC RAI question (Reference 7.21).

5.2 RAI Question #2

RAI Question #2 states:

"Confirm that CDFinst and LERFinst (page 6, PRA-QNT-005) are also zero maintenance estimates."

Response

They are zero maintenance estimates, other than the maintenance discussed in Assumption 4.1. The assessment in Assumption 4.1 and the risk assessment in general account for the entire completion time, starting from the original EDG unavailability which included the discussed maintenance windows.

This is a conservative assessment of the completion time risk. The unavailability of the West MDAFP is not a significant ICCDP/ICLERP contributor since it is the same train as the Unit 1 AB EDG.

5.3 RAI Question #3

RAI Question #3 states:

"Do the risk calculations include changes to the other surveillance intervals requested for 3.8.1.2, 3.8.1.3, and 3.8.1.7, or can those impacts be determined to be negligible based on the potential impact on the risk assessment?"

The impacts of moving the surveillance intervals were estimated using the approach provided in NEI 04-10 (Reference 7.23). The impacts are as follows:

1. Surveillance 3.8.1.2 states:

Verify each DG starts from standby conditions and achieves steady state voltage > 3910 V and < 4400 V, and frequency ≥ 59.4 Hz and < 60.5 Hz.

The extension is being requested from 31 days to 82 days. Per NEI 04-10, the analysis is performed by increasing the EDG fail to start and load run probability by a factor of 82/31 = 2.65.

2. Surveillance 3.8.1.3 states:

Verify each DG is synchronized and loaded and operates for ≥ 60 minutes at a load ≥ 3150 kW and < 3500 kW.

The extension is being requested from 31 days to 82 days. Per NEI 04-10, the analysis is performed by increasing the EDG fail run probability by a factor of 82/31 = 2.65.

3. Surveillance 3.8.1.7 states:

Verify each fuel oil transfer system operates to automatically transfer fuel oil from the storage tank to the day tank.

Each EDG has two fuel oil transfer pumps. Since both pumps must fail, these pumps were excluded from the PRA model on the basis that any failures of both pumps were included in the overall EDG start failures during data analysis (Reference). Therefore, the risk increase moving the surveillance frequency of these pumps is negligible and not included in the risk analysis.

To perform the assessment, the updated Internal Events model data for the Unit 1 CD EDG is used to develop the base case, since this represents the latest performance data for the EDG. The above factors are then applied to develop the case with the surveillance frequencies extended. Both values are summarized in the table below.

Table 5.3 Revised Unit 1 CD EDG Failure Probabilities for Surveillance Frequency Extension

| Failure Mode | Basic Event | Baseline Value | Surveillance Factor | Extension Value |
|---|---|---|---|---|
| Unit 1 CD EDG Fails to Run for 24 Hours | 1SADG----DGCDFR | 4.028E-02 | 2.65 | 1.067E-01 |
| Unit 1 CD EDG Fails to Start and Load Run | 1SADG----DGCDFS | 7.358E-03 | 2.65 | 1.950E-02 |

The baseline values are applied to the baseline CDF and LERF values, and the increased values are applied to the Unit 1 AB EDG failed CDF and LERF values. These values are used in the final revised ICCDP and ICLERP values provided below.

5.4 RAI Question #4

RAI Question #4 states:

"The submittal provides a typical but not all inclusive list of other activities that will be performed during the one-time EDG CT extension (page 20 of enclosure 2). The submittal also states that required surveillances with short duration are not considered (Page 8 of PRA-QNT-005). However, some surveillances of short duration may increase the likelihood of a transient with a demand for the EDGs. How has this been considered?"

Response

Operations and Work Control have scrubbed the plant schedule for the period of the CT extension and have eliminated any Unit 1 work that is considered a significant trip/transient challenge or makes risk significant equipment more than momentarily unavailable. In particular, switchyard work beyond inspections and isolated work that will not challenge switchyard components that provide offsite power will not be performed. The schedule will be monitored to ensure continuing compliance throughout the CT extension period.

In addition to the schedule scrubbing, sensitivity was performed in the updated and 2009 Internal Events models, which increased the transient initiator by a factor of 10. In the 2009 model, no significant increase was noted in CDF or LERF. Cutsets were reviewed and showed no significant AC power dependency. In the updated model, this resulted in no increase in overall CDF or LERF. Note that the updated model included consequential as well as random LOOPs during transient events. Cutsets were reviewed, and none showed a significant dependence on AC power. If an SBO does occur as the result of failures, in addition to the Unit 1 TDAFP, the AFW and CVCS crossties from Unit 2 provide success paths using either one of the Unit 2 EDGs while providing decay heat removal and RCS inventory control.

This sensitivity is not included in the overall risk results for the reasons stated in the first paragraph above.

5.5 RAI Question #5

RAI Question #5 states:

"The updated internal events results are included in both Table 5.4-1 (PRA-QNT-004) and Table 5.6-1 (PRA-QNT-005). CDF increased from 1.412E-5/yr in the 2009 model of record to 1.268E-4/yr in the updated internal events model. Apparently this increase was primarily due to the removal of the "reduction factor" on CCFs for loss of CCW and ESW. Confirm that the updated internal events model increased the CDF by a factor of 10 over the 2009 model because of the modified CCF values."

Response

The updated internal events model did increase the CDF by a factor of 10 over the 2009 model because of the modified CCF values. Since Cook only has 4 ESW and 4 CCW pumps across both units, common cause running failures of all four pumps cause dual unit support system initiating events. Since CCW (and ESW since it cools CCW) is relied upon to cool the RCP seals and all ECCS pumps, a repair probability of these pumps is applied as discussed in Reference 7.20. The PRA model considers failure of the repair to result in core damage from a total loss of the support system. The use of CCF factors in support system initiating events is expected to be conservative, but no consensus exists to reduce these factors as was previously done in the 2009 model of record.

Instead, efforts on the updated PRA model included credit for the Westinghouse Shutdown Seal to mitigate this event; however, as noted in the LAR, the shutdown seals were "turned off" (or not credited) during model use for generating the LAR metrics.

5.6 RAI Question #6

RAI Question #6 states:

"A new human action 1FSBO---RCC-OMA associated with the new CVCS cross-tie and cooldown has been introduced. Table 5.2-1 (page 35 PRA-QNT-004), states that the execution time is 15 minutes and assigns a value of 6.58E-4. Provide a summary of all the actions needed to establish the cross-tie including time available, time needed, and the joint HEP used in the sequences."

Response

The timing analysis for the original NFPA 805 Recovery Action 1ASD-SBONOTDPOMA was reviewed in detail for this response. This operator action consists of using the Emergency Remote Shutdown procedure (Reference 7.14) and completing the following steps. These actions require coordination of multiple operators to perform the steps.

Some specific operator tour assignments are shown in the procedure sections shown below. For example, "Aux Tour" refers to the Auxiliary Tour position, "Turb Tour" refers to the turbine building tour position, etc.

1-OHP-4025-001-001 "Emergency Remote Shutdown"

Procedure 1-OHP-4025-001-001 (Reference 7.14) Step 18.b:

Initiate CVCS Cross-tie Operations:

b. (Aux Tour) Perform 1-OHP-4025-LS-6, RCS Make-Up With CVCS Cross-Tie, LS-6-1, RCS Make-Up With CVCS Cross-Tie Using BIT Injection

Procedure 1-OHP-4025-LS-6 (Reference 7.19) is directed from 1-OHP-4025-001-001, Step 18b to crosstie CVCS.

2. Deenergize BIT Injection Valve Motors:
a. Open the following breakers (4KV Room, Mezzanine Area):

  • 1-EZC-C-5B, Boron Injection to RC Loop #1 Shutoff Valve 1-IMO-51
  • 1-EZC-B-1B, Boron Injection to RC Loop #2 Shutoff Valve 1-IMO-52
  • 1-EZC-D-1B, Boron Injection to RC Loop #3 Shutoff Valve 1-IMO-53
  • 1-EZC-A-5B, Boron Injection to RC Loop #4 Shutoff Valve 1-IMO-54

3. Align BIT For Injection:
a. Open 1-AM-D-2B, BIT Train 'A' Outlet Containment Isol Valve 1-ICM-250 (633' Aux Bldg)
b. Open 1-ICM-250, Boron Injection Tank Outlet Train 'A' Cntmt Isolation Valve (612' Aux Bldg, BIT outlet valve room)
4. Isolate Seal Injection Flowpath:

Close 1-CS-302, CCP'S Flow Control Valve 1-QRV-251 Inlet Valve (Reciprocating Charging Pump Room)

5. Verify CVCS Charging Pumps Discharge Crosstie Header Valves - CLOSED:

  • 1-CS-536, Charging Pump Discharge Crosstie Header Unit 1 Shutoff Valve
  • 1-CS-535, Charging Pump Discharge Crosstie Header To U1 RCP Seal Injection Emergency Flow Control Valve
  • 2-CS-534, Charging Pump Discharge Crosstie header to Unit 2 BIT Emergency Flow Control Valve
  • 2-CS-535, Charging Pump Discharge Crosstie header to U2 RCP Seal Injection Emergency Flow Control Valve

6. SLOWLY Open 2-CS-536, Charging Pump Discharge Crosstie Header Unit 2 Shutoff Valve

7. Initiate Flow through CVCS Cross-tie And Control Pressurizer level:
a. Verify the following Local/Remote switches on Panel 1-LSI-3 in Local:

  • 1-NLI-151, Pressurizer Level
  • 1-NPS-122, RCS WR Pressure

b. Monitor the following during CVCS Cross-tie operations:

  • 1-NLI-151, Pressurizer Level (1-LSI-3)
  • 12-QFI-201, Unit 1 To And From Unit 2 Charging Pumps Discharge Cross-Tie Flow Indicator

c. SLOWLY throttle open 1-CS-534, Charging Pump Discharge Crosstie header to Unit 1 BIT Emergency Flow Control Valve, to establish and maintain PRZ level 20% TO 50% ACTUAL
d. Report RCS make-up initiated through CVCS Cross-Tie

(Steps 5 through 7 are all accomplished in the auxiliary building central hallway 587' elevation. The Unit 1 valves are operated by remote handwheels accessible from within the unit 1 side of the hallway, and the unit 2 valves are similarly operated by handwheels in the hallway, about 15 feet from the unit 1 handwheels).

Step 19. (Turbine Tour) Align UNIT 2 MDAFPs For Cross-Tie Operation:

19.b Perform 01-OHP-4025-LS-2, Start-Up AFW, LS-2-1, Cross-Tie 1E/2W AFW

Step 20. (BOP) Locally Establish SG Level In At Least Two Steam Generators As Follows:

  • IF 2W MDAFP is to be used, THEN initiate 01-OHP-4025-LS-3, Steam Generator 2/3 Level Control, LS-3-1, SG 2/3 Level Control Using 2W MDAFP

(BOP would be the Unit 1 Balance of Plant Licensed Reactor Operator)

Procedure 1-OHP-4025-LS-2 (Reference 7.17) is directed from 1-OHP-4025-001-001, Step 19 to crosstie AFW. Only one unit 2 MDAFP is crosstied to unit 1; the following example is for the Unit 2 West MDAFP:

1. Contact Unit 2 Control Room To Verify Valves - CLOSED:

  • 2-FMO-212, 2W MDAFP To #21 SG
  • 2-FMO-242, 2W MDAFP To #24 SG
  • 2-FRV-245, 2W MDAFP Test Valve

(position indication and controls for these valves are in unit 2 control room)

2. Contact Unit 2 Control Room To Verify 2W Motor Driven Auxiliary Feedwater Pump NOT RUNNING (2W MDAFP controls are in the unit 2 control room)
3. Verify 2-FW-261, West MDAFP Test Valve 2-FRV-245 Inlet Shutoff Valve - Closed.
4. Open 1-FW-129, 1E Motor Driven Auxiliary Feedwater Pump Discharge To Unit 2 Crosstie Shutoff Valve (This valve is located in the 2W MDAFP and readily accessible, it takes less than 5 minutes to go from the control room to this location)
5. Report 1-OHP-4025-LS-2, Start-Up AFW, LS-2-1, Cross-Tie 1E/2W AFW Complete

A review of MAAP analyses in PRA-TH-L1-2 (Reference 7.7) found that AFW was started at 30 minutes for all RCP seal LOCA cases. Recovery action 1ASD-SBONOTDPOMA used a system time window of 85 minutes, which was not bounded by the existing MAAP analysis. A new, confirmatory MAAP analysis was run, which included:

  • Initiation of the AFW and CVCS crossties no later than 66 minutes. This time provides an AFW initiation time that prevents filling a nearly dry SG.
  • Initiation of cooldown using two SG PORVs starting no later than 125 minutes (the same cooldown timing used in PRA-QNT-004). This provides a reasonable time window between crosstie initiation and the cooldown to assess plant conditions.
  • An RCP Seal LOCA of 480 gpm/pump (the maximum seal LOCA size).
  • DC Cook Unit 2 Parameters are derived from calculation PRA-TH-L1-2 (Reference 7.7). Unit 2 is typically used in MAAP analyses for the DC Cook PRA because Unit 2 operates at a higher thermal power, and bounds Unit 1.

This run, which included crossties for RCS inventory (via the CVCS crosstie) and AFW within a 66 minute time window from unit 2 demonstrated successful mitigation of core damage. MAAP HFE 1ASD-SBONOTDPOMA, Operator Fails to Crosstie AFW and CVCS per Emergency Remote Shutdown (Reference 7.14) for fires that occur in the Main Control Room, was re-calculated with the following assumptions:

  • Total time available (Tsw) = 66 minutes per MAAP analysis.
  • Delay time (Tdelay) = 6 minutes (to reach equipment, see Reference 7.27)
  • Cognitive Step Time (Tcog) = 2 minutes, in addition to Tdelay
  • Execution Step Time (Texe) = 25.7 minutes (includes 9.2 min for AFW cross-tie execution using LS-2 procedure and 16.5 min for CVCS cross-tie using LS-6 procedure, see Reference 7.27)
  • Stress Level is assumed to be high since the fire occurs in the main control room

HFE 1FSBO--XTIE-OMA, Operator Fails to Crosstie AFW and CVCS per Emergency Remote Shutdown (Reference 7.14), for fires that do not occur in the Main Control Room, was recalculated with an identical timing analysis as 1ASD-SBONOTDPOMA. Stress level assumed to be medium, since the fire occurs outside the main control room.

HFE 1FSBO---RCC-OMA, Operator Fails to initiate RCS Cooldown after success of CVCS and AFW crosstie per Emergency Remote Shutdown (Reference 7.14) was recalculated with the following assumptions:

  • Total time available (Tsw) = 125 minutes per MAAP analysis.
  • Delay time (Tdelay) = 66 minutes (time to complete 1FSBO--XTIE-OMA)
  • Cognitive Step Time (Tcog) = 0 minutes, since cognitive portion is zero.
  • Execution Step Time (Texe) = 15 minutes (Procedure 1-OHP-4025-LS-3 (Reference 7.18), Section LS-3-3, SG 2/3 PORV Operation estimated time to completion is 15 minutes. Confirmed with operator interview.)
  • Stress level assumed to be moderate, since the fire occurs outside the main control room.

The success of this action is dependent on completion of 1FSBO--XTIE-OMA. If the preceding action does not succeed, the cooldown is not possible since CVCS is not available for RCS inventory makeup and AFW is not available for decay heat removal. The cognitive portion is zero because this action is simply a continuation of the Emergency Remote Shutdown procedure. The dependency between 1FSBO--XTIE-OMA is complete, and as such 1FSBO---RCC-OMA is not credited after the 1FSBO--XTIE-OMA fails. Both actions are required to be successful to prevent core damage from an RCP seal LOCA.

The final values are shown in the table below:

Table 5.6 Updated HFE Values

| HFE | Previous Value | New Value |
|---|---|---|
| 1ASD-SBONOTDPOMA | 1.33E-02 (1) | 1.33E-02 (1) |
| 1FSBO--XTIE-OMA | 5.33E-03 | 5.33E-03 |
| 1FSBO---RCC-OMA | 6.45E-04 | 8.77E-04 |

1 - The value of this HFE was conservatively left at 4.9E-2 in the final NFPA 805 Fire PRA model and is left unmodified for this analysis

Once AFW has been established, step 23 directs operators to stabilize the RCS temperatures and step 25 directs them to begin a 14F/hr cooldown. Both steps make use of procedure 1-OHP-4025-LS-3 (Reference 7.18). A summary of these actions is as follows:

The actions to start cooling down are performed in the same area where the BOP operator has been controlling AFW crosstie flow to the two SGs on the affected unit. To put SG PORVs in operation and start a cooldown, the operator:

1 - Checks that the backup Nitrogen supply (N2) to the SG PORVs is at least 85 psig and adjusts locally if needed,
2 - Checks that the manual loaders (regulators to control N2 pressure to the SG PORVs) are set to 0%.
3 - Transfers SG PORV control to the manual loader with a small three-way valve at the panel.
4 - Uses the manual loaders to open the SG PORVs to start the cooldown. The operator monitors the cooldown progress and rate with RCS cold leg temperature indication which is also available at these control stations.

Since the Fire PRA contains a large number of fire scenarios, and the AFW and CVCS crossties may be initiated from a variety of procedures depending on the plant conditions, 1FSBO--XTIE-OMA and 1FSBO---RCC-OMA were analyzed using the most conservative path to crosstie these systems in the event they were needed.

Specifically, they are modeled when the fire induces a SBO on the fire affected unit. Emergency remote shutdown involves multiple operator teams coordinating tasks from various plant locations, and thus bounds fire-induced SBO conditions in which the control room is still habitable and functional. Further risk margin could be obtained if these HFEs were further subdivided into the fire zones specifically listed in the Emergency Remote Shutdown procedure, and remaining fire scenarios that produce a fire induced SBO; however that would produce a significantly more complicated model.

5.7 RAI Question #7

RAI Question #7 states:

"The LAR states that Tier 3 actions include protecting the alternate (Train A) equipment. Justify not including the Train A motor-driven AFW pump on the protected equipment list discussed in Tier 3 compensatory measures."

Response

The Unit 1 Train A motor-driven AFW pump had been included on the fire related protected equipment listed below Item 2.2) of the LAR's Tier 3 items, but had been inadvertently left out of the Item 1 list, above. It has been added to the protected equipment listed in Item #1 of the Tier 3 Actions, and included in the revised commitment contained in Enclosure 5 of the submittal.

Additionally, the line above the list of equipment should be revised to read: "The following equipment or areas will be protected:" so as to eliminate site confusion over the terms protected and guarded. Protecting a train is not the same as guarding a piece of equipment. When equipment is guarded, access to equipment outside of normal Operations, fire protection, security, or other tours requires specific permission from the Shift Manager on a case by case basis. The "Protected train" means an entire train of equipment has no work activity or surveillance scheduled on the equipment, and provides a means by which plant personnel are aware which train of equipment is not to be subject to maintenance work.

5.8 RAI Question #8

RAI Question #8 states:

"The risk assessment credits use of Unit 2 CVCS and AFW via cross-ties as means to provide RCS inventory and heat removal. Justify not including the Unit 2 equipment credited in the Unit 1 risk analysis on the protected equipment list discussed in Tier 3 compensatory measures."


Response

It is not necessary to specifically include Unit 2 equipment credited in the Unit 1 risk analysis as protected equipment, as Cook's work control processes always maintain one train (either Train A or Train B) as the "Protected Train" for a work week on a regularly alternating basis. Train A will be protected for two work weeks and then Train B will be protected in the following two work weeks. Protecting a train is not the same as guarding a piece of equipment. When equipment is guarded, access to equipment outside of normal Operations, fire protection, security, or other tours requires specific permission from the Shift Manager on a case by case basis. The "Protected train" means an entire train of equipment has no work activity or surveillance scheduled on the equipment. The week's protected train process is a site recognized activity and is discussed/reviewed as part of plant meetings and briefings on planning and executing plant work activities. This effectively prevents work on any equipment within one train, and personnel look for potential cross train errors on a continuous basis.

Additionally, Cook does not intend to perform any significant planned invasive maintenance, outside of that to repair emergent failures per the Tier 3, Section 3.4 RMAs discussed in the original LAR, on Unit 1 or Unit 2 PRA risk significant equipment (e.g., AFW, ESW, CCW, and CCP) during the one-time extended 1 AB EDG CT. Only TS required surveillances will be continued, as indicated earlier in the LAR. These surveillances may result in some short term unavailability, such as a Safety Injection Pump surveillance, which requires closing the pump's manual discharge valve. In the specific instance of the SI pump, an Auxiliary Equipment Operator is near the pump monitoring pump operation and is available to open the discharge valve to restore pump function if required.

5.9 Risk Analysis of HELB Barrier Removal on 1-ELSC and 1-ELSCX

In addition to the above response, it was noted during a review of the Unit 1 AB EDG block wall removal that 120 VAC distribution panels 1-ELSC and 1-ELSCX would no longer be protected against HELBs. These panels power some equipment important to PRA, specifically (Reference 7.28):

1. Train B DIS is powered from ELSC.
2. Analog Rod Position Indicators are powered from ELSC.
3. West MDAFP ELO FRV-247 is powered from ELSCX
4. Train B RVLIS is powered from ELSCX
5. TDAFP Train B Flow Retention and ELO control is powered from ELSCX
6. Various required radiation monitors are powered from ELSC

The PRA components on the list are: Train B DIS, West MDAFP ELO valve, TDAFP Train B Flow Retention and ELO valve. A temporary modification is being pursued to swap the AFW ELO valves and flow retention power supplies to another power source (not in the EDG room) for the duration of the block wall removal. This leaves only Train B DIS.

Since Cook has recently submitted and received approval for the adoption of TSTF-427, Allowance for Non Technical Specification Barrier Degradation on Supported System Operability (Reference 7.22), a risk analysis of the Train B DIS unavailability during a HELB is performed using the Safety Monitor model of record (Input 3.3).

This analysis is done per the guidance in NEI 04-08 (Reference 7.24). Since DIS only impacts LERF, CDF metrics are not provided. The Safety Monitor model shows that the risk is negligible (1.49E- 1 for 30 days). This result is sensible as the DIS system is unavailable only during a HELB event. HELB events do not challenge offsite power availability. Since the risk is negligible, it is not included in the final risk results.

5.10 ICCDP and ICLERP Values with RAI Response

The final ICCDP and ICLERP values, including the considerations from RAI #6 and RAI #3, are shown in the table below. Results from the updated Internal Events and 2009 Internal Events Model of Record are included, along with Fire PRA results.

Note that the Fire PRA was modified using the WinNUPRA sensitivity module, which manipulates cutsets. This can, in cases in which values are reduced upward, produce slightly non-conservative results. Since the Fire PRA produces a large number of cutsets (in excess of 5,000,000), this effect is negligible.

Table 5.10 Final Total CDF and LERF Results

| Case | 2009 Internal Events CDF (/yr) | 2009 Internal Events LERF (/yr) | Updated Internal Events CDF (/yr) | Updated Internal Events LERF (/yr) | Fire CDF (/yr) | Fire LERF (/yr) |
|---|---|---|---|---|---|---|
| Basecase | 1.403E-05 | 2.825E-06 | 1.274E-04 | 4.232E-06 | 2.358E-05 | 2.299E-06 |
| 1 AB EDG Failed | 2.288E-05 | 3.906E-06 | 1.332E-04 | 5.823E-06 | 4.514E-05 | 3.231E-06 |

Table 5.10 ICCDP and ICLERP Results for 65 Day Completion Time

| Case | Delta CDF (/yr) | Delta LERF (/yr) | ICCDP | ICLERP |
|---|---|---|---|---|
| 2009 Internal Events | 8.85E-06 | 1.08E-06 | 1.58E-06 | 1.93E-07 |
| Updated Internal Events | 5.80E-06 | 1.59E-06 | 1.03E-06 | 2.83E-07 |
| Fire PRA | 2.16E-05 | 9.32E-07 | 3.84E-06 | 1.66E-07 |
| Total (2009 Internal Events & Fire PRA) | 3.04E-05 | 2.01E-06 | 5.42E-06 | 3.58E-07 |
| Total (Updated Internal Events & Fire PRA) | 2.74E-05 | 2.52E-06 | 4.87E-06 | 4.49E-07 |

6 Conclusions

Using the 2009 Model of Record and the Fire PRA, the calculated values of 5.42E-6 ICCDP and 3.58E-7 ICLERP are well within the Regulatory Guide 1.177 acceptance guidelines of less than 1E-5 ICCDP and 1E-6 ICLERP for a one time TS change, given a total TS completion time of 65 days (Reference 7.12). The updated Internal Events model and Fire PRA values of 4.87E-6 ICCDP and 4.49E-7 ICLERP are also within the Regulatory Guide 1.177 guidelines. This one-time TS completion time change is therefore considered acceptable.
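The arithmetic behind the ICCDP and ICLERP results can be re-derived from the CDF and LERF rows above. The following is an added example, not part of the original calculation: it assumes the Regulatory Guide 1.177 definition (delta frequency multiplied by the completion time expressed in years), takes every input from the tables on this page, and uses illustrative function names, including the hypothetical helper `limiting_ct_days`.

```python
"""Recompute the ICCDP/ICLERP table from the CDF and LERF results on this page."""

CT_DAYS = 65          # total TS completion time stated in the Conclusions
ICCDP_LIMIT = 1e-5    # RG 1.177 guideline quoted in the Conclusions
ICLERP_LIMIT = 1e-6   # RG 1.177 guideline quoted in the Conclusions

# (CDF, LERF) per year, copied from "Final Total CDF and LERF Results".
BASECASE = {
    "2009 Internal Events":    (1.403e-05, 2.825e-06),
    "Updated Internal Events": (1.274e-04, 4.232e-06),
    "Fire PRA":                (2.358e-05, 2.299e-06),
}
EDG_FAILED = {
    "2009 Internal Events":    (2.288e-05, 3.906e-06),
    "Updated Internal Events": (1.332e-04, 5.823e-06),
    "Fire PRA":                (4.514e-05, 3.231e-06),
}


def delta(models):
    """Summed (delta CDF, delta LERF) per year over the named PRA models."""
    d_cdf = sum(EDG_FAILED[m][0] - BASECASE[m][0] for m in models)
    d_lerf = sum(EDG_FAILED[m][1] - BASECASE[m][1] for m in models)
    return d_cdf, d_lerf


def incremental(models, ct_days=CT_DAYS):
    """(ICCDP, ICLERP): delta frequency times the completion time in years."""
    d_cdf, d_lerf = delta(models)
    return d_cdf * ct_days / 365, d_lerf * ct_days / 365


def within_guidelines(models, ct_days=CT_DAYS):
    """True when both incremental probabilities are below the quoted limits."""
    iccdp, iclerp = incremental(models, ct_days)
    return iccdp < ICCDP_LIMIT and iclerp < ICLERP_LIMIT


def limiting_ct_days(models):
    """Hypothetical helper: completion time at which the first limit is reached."""
    d_cdf, d_lerf = delta(models)
    return 365 * min(ICCDP_LIMIT / d_cdf, ICLERP_LIMIT / d_lerf)


def table_row(label, models):
    """One row of the results table, formatted the way the page prints it."""
    d_cdf, d_lerf = delta(models)
    iccdp, iclerp = incremental(models)
    return [label] + [f"{v:.2E}" for v in (d_cdf, d_lerf, iccdp, iclerp)]


ROWS = [
    ("2009 Internal Events", ["2009 Internal Events"]),
    ("Updated Internal Events", ["Updated Internal Events"]),
    ("Fire PRA", ["Fire PRA"]),
    ("Total (2009 Internal Events & Fire PRA)",
     ["2009 Internal Events", "Fire PRA"]),
    ("Total (Updated Internal Events & Fire PRA)",
     ["Updated Internal Events", "Fire PRA"]),
]

if __name__ == "__main__":
    for label, models in ROWS:
        row = table_row(label, models)
        status = "within" if within_guidelines(models) else "EXCEEDS"
        print(" | ".join(row), "|", status, "RG 1.177 guidelines,",
              f"first limit reached at {limiting_ct_days(models):.0f} days")
```

Running the script reproduces each row of the ICCDP and ICLERP table and also reports how many days of completion time it would take for the first guideline to be reached, which makes the margin at 65 days explicit.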

7 References

7.1 PRA-NUPRA-002, 2009 PRA Model of Record, Rev. 1, 3/20/2009
7.2 PRA-FIRE-17663-005-LAR, DC Cook Fire PRA Fire-Induced Risk Model, Rev. 1, 11/5/2014
7.3 PRA-UNC-001, Uncertainty Parameters, Rev. 2, 3/20/2009
7.4 PWROG-14001-P, PRA Model for the Generation III Westinghouse Shutdown Seal, Rev. 1, July 2014
7.5 WCAP-16341-P, Simplified Level 2 Modeling Guidelines, Rev. 0, November 2005
7.6 PRA-TH-LI-1, Select Level 1 PRA MAAP4.0.5 Thermal-Hydraulic Analyses, Rev. 0, 5/15/2014
7.7 PRA-TH-LI-2, Level 1 PRA MAAP4.0.5 Thermal-Hydraulic Analyses, Rev. 0, 7/11/2014
7.8 ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plants, 2/2/2009
7.9 NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies Through the Elicitation Process, April 2008
7.10 NUREG/CR-6890, An Analysis of Loss of Offsite Power Events, December 2005
7.11 Regulatory Guide 1.200, AN APPROACH FOR DETERMINING THE TECHNICAL ADEQUACY OF PROBABILISTIC RISK ASSESSMENT RESULTS FOR RISK-INFORMED ACTIVITIES, Rev. 2, March 2009
7.12 Regulatory Guide 1.177, AN APPROACH FOR PLANT-SPECIFIC, RISK-INFORMED DECISIONMAKING: TECHNICAL SPECIFICATIONS, Rev. 1, May 2011
7.13 Regulatory Guide 1.174, AN APPROACH FOR USING PROBABILISTIC RISK ASSESSMENT IN RISK-INFORMED DECISIONS ON PLANT-SPECIFIC CHANGES TO THE LICENSING BASIS, Rev. 2, May 2011
7.14 1-OHP-4025-001-001, Emergency Remote Shutdown, Rev. 10, 10/23/2014
7.15 1-OHP-4025-R-INDEX, System Restoration Procedures Index, Rev. 4, 5/9/2013
7.16 1-OHP-4023-ES-1-2, Post LOCA Cooldown and Depressurization, Rev. 16, 3/28/2013
7.17 1-OHP-4025-LS-2, Start-Up AFW, Rev. 7, 3/16/2015
7.18 1-OHP-4025-LS-3, Steam Generator 2/3 Level Control, Rev. 5, 3/17/2015
7.19 1-OHP-4025-LS-6, RCS Makeup with CVCS Cross-tie, Rev. 7, 3/20/2015
7.20 PRA-QNT-004, Calculation of Regulatory Guide 1.177 Risk Parameters for Potential One-Time Emergency Technical Specification Completion Time Change for Unit 1 AB EDG, Rev. 0, 5/28/2015
7.21 PRA-QNT-005, Additional Calculation of Regulatory Guide 1.177 Risk Parameters for Potential One-Time Emergency Technical Specification Completion Time Change for Unit 1 AB EDG, Rev. 0, 5/29/2015
7.22 TSTF-427, Allowance for Non Technical Specification Barrier Degradation on Supported System Operability, Rev. 2, May 3, 2006
7.23 NEI 04-10, Risk-Informed Method for Control of Surveillance Frequencies, Rev. 1, April 2007
7.24 NEI 04-08, Allowance for Non Technical Specification Barrier Degradation on Supported System Operability Industry Implementation Guide, March 2008
7.25 PRA-SM-005, Safety Monitor PRA Model Change for SDG Protected Train Alignment, Rev. 0, 9/16/2014
7.26 PRA-NB-SY-AC, AC System Notebook, Rev. 3, 1/14/2009
7.27 R1900-0026-001, Recovery Action Transition in Support of NFPA 805, Rev. 1, September 2014
7.28 Drawing No. OP-1-12015, Rev. 38, 10/14/2014

Attachment 1 - Files on CD

Attachment 2 - MAAP Analysis Results

This attachment shows the results of the MAAP analysis performed as described in Section 5.6. The MAAP analysis included:

  • Initiation of the AFW and CVCS crossties no later than 66 minutes. This time provides an AFW initiation time that prevents filling a nearly dry SG.
  • Initiation of cooldown using two SG PORVs starting no later than 125 minutes (the same cooldown timing used in PRA-QNT-004). This provides a reasonable time window between crosstie initiation and the cooldown to assess plant conditions.
  • An RCP Seal LOCA of 480 gpm/pump (the maximum seal LOCA size).
  • DC Cook Unit 2 Parameters are derived from calculation PRA-TH-LI-2 (Reference 7.7). Unit 2 is typically used in MAAP analyses for the DC Cook PRA because Unit 2 operates at a higher thermal power, and bounds Unit 1.

[Figures 1 through 5: MAAP results for cases DIESELOUT_66_D95 and DIESELOUT_66 plotted against time (0 to 30 hours); the plotted data are not recoverable from the extracted text.]

Figure 1 - Total Primary System Leakage

Figure 2 - Primary System Pressure

Figure 3 - Core Water Temperature

Figure 4 - Two-Phase Water Level In Vessel

Figure 5 - Hottest Core Node Temperature

Attachment 3 - HRA Calculator Output

1ASD-SBONOTDPOMA, Operators fail to X-TIE AFW and CVCS given fire induced SBO with no TDAFP

| Plant | Data File | File Size | File Date | Record Date |
|---|---|---|---|---|
| DC Cook | DieselSENS-FIRE-May26.HRA | 7081984 | 5/29/2015 | 5/29/2015 |

| | Name | Date |
|---|---|---|
| Analyst | P. Moieni | 10/14/2011 |
| Reviewer | DM | 5/29/2015 |

HEP Summary

| | Pcog | Pexe | Total HEP | Error Factor |
|---|---|---|---|---|
| Method | CBDTM | THERP | CBDTM+THERP | |
| Without Recovery | 6.00E-03 | 2.12E-01 | | |
| With Recovery | 6.00E-04 | 1.27E-02 | 1.33E-02 | 5 |

| RAW | FV | Risk Significant |
|---|---|---|
| 0.00E+00 | 0.00E+00 | N/A |

Identification and Definition

1. Initial Conditions: Steady state, full power operation.
2. Initiating Event/s:

Fire in any of the following Fire Zones (unit 1)

  • FZ41
  • FZ55
  • FZ56
  • FZ57
  • MCR

Fire induces any of the following internal initiating events:

  • LOSP
  • TT
  • RX trip
  • LOMFW
  • Loss DC
  • SBO

The SBO with no TDAFP is selected as the bounding initiating event as it has the most limiting timing.

3. Accident sequence (preceding functional failures and successes): SBO with no TDAFP

Fire causes loss of all SG NR and SG WR control room instrumentation:

  • 1/2-BLP-110, 111, 112, Loop 1 NR SG Level
  • 1/2-BLP-120, 121, 122, Loop 2 NR SG Level
  • 1/2-BLP-130, 131, 132, Loop 3 NR SG Level
  • 1/2-BLP-140, 141, 142, Loop 4 NR SG Level
  • 1/2-BLI-110, Loop 1 WR SG Level
  • 1/2-BLI-120, Loop 2 WR SG Level
  • 1/2-BLI-130, Loop 3 WR SG Level
  • 1/2-BLI-140, Loop 4 WR SG Level

4. Preceding operator error or success in sequence:

Operators have diagnosed fire zone and entered 01-OHP-4025-001-001, "Emergency Remote Shutdown" procedure

5. Operator action success criteria: Perform AFW and CVCS cross-tie given no control room SG level instrumentation
6. Consequence of failure: SG dryout and core damage.

Note: U1 Fire Zones where action is required: FZ41, FZ55, FZ56, FZ57, MCR

Assigned Basic Events

2ASD-SBONOTDPOMA

Cues and Indications

Initial Cue:

  • 1-BLI-120, #12 SG Wide Range Level
  • 1-BLI-130, #13 SG Wide Range Level

Recovery Cue:

Cue Comments: Local SG WR indications are placed in service at 1-LSI-2 in this scenario.

Degree of Clarity: Clarity of Cues and Indications are modeled explicitly in CBDTM

Procedures

Cognitive Procedure: 01-OHP-4025-001-001 (Emergency Remote Shutdown) Revision: 10

Cognitive Step Number: 18, 19 and 20

Cognitive Instruction:

Step 18b Initiate CVCS Cross-tie Operations:

b. (Aux Tour) Perform 1-OHP-4025-LS-6, RCS Make-Up Cross-Tie, LS-6-1, RCS Make-Up With CVCS Cross-Tie

Step 19. (Turbine Tour) Align UNIT 2 MDAFPs For Cross-Tie Ope

19.b Perform 01-OHP-4025-LS-2, Start-Up AFW, LS-2-1

Step 20. (BOP) Locally Establish SG Level In At Least Two Steam

  • IF 2W MDAFP is to be used, THEN initiate 01-OHP-4, MDAFP

Execution Procedure: 01-OHP-4025-LS-2 (START-UP AFW) Revision: 4

Execution Instruction:

01-OHP-4025-LS 1:

1. Contact Unit 2 Control Room To Verify Valves - CLOSED:
  ☐ 2-FMO-212, 2W MDAFP To #21 SG
  ☐ 2-FMO-242, 2W MDAFP To #24 SG
  ☐ 2-FRV-245, 2W MDAFP Test Valve
2. Contact Unit 2 Control Room To Verify 2W Motor Driven Auxiliary Feedwater Pump - NOT RUNNING
3. Verify 2-FW-261, West MDAFP Test Valve 2-FRV-24
4. Open 1-FW-129, 1E Motor Driven Auxiliary Feedwater Pump Discharge To Unit 2 Crosstie Shutoff Valve
5. Report 1-OHP-4025-LS-2, Start-Up AFW, LS-2-1, Cross-Tie 1E/2W AFW Complete

Job Performance Measure: AE-O-A003 (Auxiliary Feedwater System Unit Crosstie) Revision: 1

Other Procedures:

  • 01-OHP-4025-LS-3 (Steam Generator 2/3 Level Control) Revision: 4
  • 02-OHP-4025-LS-6 (RCS Make-Up With CVCS Cross-Tie) Revision: 6

Notes

01-OHP-4025-LS-3-1 (SG 2/3 Level Control Using 2W MDAFP):
1. Open Breakers:
  ☐ 1-EZC-D-R3B, 1-FMO-222 (1E MDAFP to #12 SG)
  ☐ 1-EZC-D-R3C, 1-FMO-232 (1E MDAFP to #13 SG)
2. Proceed To 1-LSI-2 And Locate The Following:
  ☐ 1-BLI-120, #12 SG Wide Range Level
  ☐ 1-BLI-130, #13 SG Wide Range Level
3. Place SG Level Indication Remote/Local Switches In Local:
  ☐ 1-43-BLI-120, Steam Generator 2 Level 1-BLI-120 Indicator Select
  ☐ 1-43-BLI-130, Steam Generator 3 Level 1-BLI-130 Indicator Select
4. Verify Auxiliary Feedwater To #12 And #13 Steam Generators - AVAILABLE:
  ☐ 2W MDAFP - RUNNING
5. Maintain #12 And #13 Steam Generators Levels - 50% TO 55%:
  ☐ Locally operate auxiliary feedwater flow control valves using handwheels:
    ☐ 1-FMO-222, 1E/2W MDAFP To #12 SG
    ☐ 1-FMO-232, 1E/2W MDAFP To #13 SG
  ☐ Monitor the following at 1-LSI-2:
    ☐ 1-BLI-120, #12 SG Wide Range Level
    ☐ 1-BLI-130, #13 SG Wide Range Level
6. Report 1-OHP-4025-LS-3, Steam Generator 2/3 Level Control, LS-3-1, SG 2/3 Level Control Using 2W MDAFP, Complete Upon Initiating Auxiliary Feedwater Flow To #12 And #13 Steam Generators

01-OHP-4025-LS-6-1 (RCS Make-Up From CVCS Cross-Tie Using BIT Injection):
2. Deenergize BIT Injection Valve Motors:
a. Open the following breakers (4KV Room, Mezzanine Area):
  ☐ 1-EZC-C-5B, Boron Injection to RC Loop #1 Shutoff Valve 1-IMO-51
  ☐ 1-EZC-B-1B, Boron Injection to RC Loop #2 Shutoff Valve 1-IMO-52
  ☐ 1-EZC-D-1B, Boron Injection to RC Loop #3 Shutoff Valve 1-IMO-53
  ☐ 1-EZC-A-5B, Boron Injection to RC Loop #4 Shutoff Valve 1-IMO-54
3. Align BIT For Injection:
a. Open 1-AM-D-2B, BIT Train 'A' Outlet Containment Isol Valve 1-ICM-250 (633' Aux Bldg)
b. Open 1-ICM-250, Boron Injection Tank Outlet Train 'A' Cntmt Isolation Valve (612' Aux Bldg., BIT outlet valve room)
4. Isolate Seal Injection Flowpath:
  ☐ Close 1-CS-302, CCP'S Flow Control Valve 1-QRV-251 Inlet Valve (Reciprocating Charging Pump Room)
5. Verify CVCS Charging Pumps Discharge Crosstie Header Valves - CLOSED:
  ☐ 1-CS-536, Charging Pump Discharge Crosstie Header Unit 1 Shutoff Valve
  ☐ 1-CS-535, Charging Pump Discharge Crosstie Header To U1 RCP Seal Injection Emergency Flow Control Valve
  ☐ 2-CS-534, Charging Pump Discharge Crosstie Header To Unit 2 BIT Emergency Flow Control Valve
  ☐ 2-CS-535, Charging Pump Discharge Crosstie Header To U2 RCP Seal Injection Emergency Flow Control Valve
6. SLOWLY Open 2-CS-536, Charging Pump Discharge Crosstie Header Unit 2 Shutoff Valve
7. Initiate Flow Through CVCS Cross-Tie And Control Pressurizer Level:
a. Verify the following Local/Remote switches on Panel 1-LSI-3 in LOCAL:
  ☐ 1-NLI-151, Pressurizer Level
  ☐ 1-NPS-122, RCS WR Pressure
b. Monitor the following during CVCS Cross-Tie operations:
  ☐ 1-NLI-151, Pressurizer Level (1-LSI-3)
  ☐ 12-QFI-201, Unit 1 To And From Unit 2 Charging Pumps Disch Crosstie Flow Indicator
c. SLOWLY throttle open 1-CS-534, Charging Pump Discharge Crosstie Header To Unit 1 BIT Emergency Flow Control Valve, to establish and maintain PRZ level - 20% TO 50% ACTUAL
d. Report RCS make-up initiated through CVCS Cross-Tie

Training

Classroom Training: 5 per year

Simulator Training: 5 per year

| Crew Member | Included | Total Available | Required for Execution | Notes |
|---|---|---|---|---|
| Auxiliary Equipment Operators (AEOs) | No | 0 | 2 | Turbine Tour BOP |

Notes

Assumptions
1. Operators are using the fire procedure/s and do not perform the EOPs or AOPs
2. Face-to-face communication does not introduce any delays in time required.
3. Face-to-face communication is equivalent to three-way-communication as applied in the control room.
4. Sufficient manpower is available for all required actions.
5. The other unit is not impacted by the fire, and AFW and CVCS are available to supply the cross-tie.
6. The habitability in local areas where actions are to be performed is not affected by the fire.
7. The habitability of areas to be transited through is not impacted by the fire.
8. Emergency lighting is available in all local areas to be transit through or where local actions are required.

Operator Interview Insights

FR-H.1 (2004)

Cue to enter procedure is SG N/R level. In loss of feedwater events with loss of AFW, the SG NR levels are lost almost immediately. RCS high pressure usually does not appear as a cue. In the event of loss of MFW, would go almost instantly from E-0 to FR-H-1. Would follow the RED path. OHI Status tree monitoring must begin on exiting E-0 or when directed in E-0 (page 46) - this is a generic instruction for the control room team.

Step 1 - Check if heat sink is required

Step 2 - Check if centrifugal charging pump (CCP) status (should be running)

Step 3 - Check if should initiate bleed & feed (If Yes go to Step 18). Try to establish AFW flow to at least 1 SG.

The AFW cross-tie requires one control room MOV (the unit's normal AFW flow control valve) manipulation and the local opening of a valve in each unit's FW pump room, FW-129. These valves have a metal seal (not much). It would take 5 minutes per valve to get open. The valve is high enough in the room that short people need a ladder to reach the hand wheel to open the valve.

Local actions in turbine hall to cross-tie AFW in step 4.d RNO would take about 15 minutes including traveling time. This is a relatively unique feature of DC Cook. During simulator training, this cross-tie is always failed to force them into the rest of the procedure. If the cross-tie is successful, the secondary heat sink is recovered.

LOSS OF AFW DURING FIRE (2011)

Cues for loss of AFW:

  • AFW flow - if flow indicators are failed by fire look for additional cues:
    - RCS temperature decreasing
    - Pump amps
    - Pressure
  • On loss of AFW, SG narrow range will immediately drop and operators will expect to enter FR-H.1 on AFW flow at 240 x 10^3 pph

Time pressure - Ops are not aware of any time constraints for loss of AFW.

Procedure path for loss of AFW will be the same for both the fire and non-fire case, operators don't expect any differences in response. They will stay in the EOPs as long as they are working.

  • Procedure path - E-0, ES-0.1, FR-H.1 (transfer to FR-H.1 using Critical safety function status trees) - Estimated time to reach FR-H.1: on the order of 5 minutes
  • Ops will REFER TO 01-OHP-4025-001-001 for additional information if necessary. For loss of AFW, Operators believe EOPs are adequate/sufficient. Will rely more on Fire procedures when the EOPs are non-sufficient and are not working.

Cross-tie AFW

  • FR-H.1 Step 4.d.1 RNO Go To Attachment A of 01-OHP-4022-055-003
  • Check Total flow to SGs greater than 240 x 10^3 PPH - If instrumentation is faulted in control room the operators will check locally before performing cross-tie.
  • Once Step 4.d.1 is reached the work for the cross-tie is passed onto the Work Control SRO.
  • Execution for the cross tie requires NO ladder - Note in fire procedures is for extra information.
  • To gain access to the west room requires operators to swipe badge
  • To get to valve FW-129 the operators must hand crank open a fire door.
  • Operators estimate it would take 5-10 minutes to cross-tie AFW.

Attempt to restart AFW - Step 4.c if AFW fails to auto start, ops will start. Training and plant policy allow ops to start earlier if they notice auto start failed.

Q: Are the local SG level indications (1-BLI-120, #12 SG Wide Range Level, 1-BLI-130, #13 SG Wide Range Level) standard level indications?

A: These are "standard" in appearance as they are vertical Weschler meters, as are the control room level indicators, however the control room includes both narrow range indicators (which only cover a couple of feet of actual level in the SG) and the WR meters (where-as the wide range meters cover from the tube sheet to above the narrow range meters) next to each other. Thus there is wide range indication in the control room at which personnel are familiar.

Normal operating SG NR level corresponds to about 60 some % WR level (as can be seen in the photos).

Q: Are the tasks below (operate, monitor) performed by the same local operator? Is LSI-2 in the same location as 1-FMO-222 / 1-FMO-232?

5. Maintain #12 And #13 Steam Generators Levels - 50% TO 55%:

  • 1-FMO-222, 1E/2W MDAFP To #12 SG
  • 1-FMO-232, 1E/2W MDAFP To #13 SG
  • Monitor the following at 1-LSI-2:
  • 1-BLI-120, #12 SG Wide Range Level
  • 1-BLI-130, #13 SG Wide Range Level

A: These would be performed by the same operator. The SG level indications are about 12 feet from the valves that would be operated. So the operator could easily look at the levels, establish a level trend in the associated SG, and walk over to the associated valves and open/close them as necessary. Backup would be provided by personnel at other stations monitoring RCS Loop temperatures to assure that the whole process is moving in the direction desired.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures for control room actions?

A: I would expect that crews would use the circle and slash placekeeping action in the fire procedures, the same as they do for EOPs, AOPs, and almost any other procedure Operations executes. This is delineated in the OHI-4023 document, as well as other Operations OHI's and general plant PMPs for procedure use and adherence.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures while performing local actions?

A: The expectation is that the circle and slash placekeeping actions would be applied locally, in the field, as is the current expectation for about any procedure being executed in the field, consistent with the same procedure requirements mentioned above.

Q: Is the 3-way communication protocol implemented when communicating with the other unit? If so, how is it implemented?

A: As a minimum, the expectation is that 3-way communication is used in all Operations communications dealing with procedure execution/plant operation.

Q: Will the means of communication in a fire scenario be via phone or radio?

A: I am not sure if the telephone will remain available (as the PBX has its own battery) if one or both units were entirely blacked out. I would expect that if one unit has a fire and the other unit is otherwise unaffected the radio communications capability would remain, using portable field radios. So as a minimum I would expect that radios would be usable.

Per the "Fire Protection Program Manual", Revision 11, Section 12.4:

The design for the upgraded radio system also takes into account concerns that the NRC expressed about the susceptibility of the present Fire & Emergency Radio System to a single fire. A single fire could disable the entire radio system by disabling the repeater, or power feed to the repeater or the main repeater antenna lead. The radio system was expanded so that the plant will now have three radio channels instead of one. One channel is dedicated to Unit 1, one channel dedicated to Unit 2 and the other channel for the Emergency Medical Team/Radiological Protection during emergencies, and general plant use during normal operation. The increase in number of channels as well as the dedication of channels to the control rooms greatly improves the radio system's traffic capacity.

The three channels are divided into two separate and independent systems. One system has the Unit 1 repeater and the EMT/RP repeater in it. The other system has the Unit 2 repeater in it. Both systems have their own antenna network and power supply. The two antenna networks are completely separate from each other. The two power supplies are both uninterruptible power systems, both with their own batteries, inverter, and distribution system. The two repeater systems are located in separate fire zones.

Coverage for both systems was improved from the original design by the following. Both of the upgraded antenna networks consist of seven antennas. The previous Fire & Emergency System had five. The additional antennas expand coverage considerably. In addition to the expanded antenna networks, a separate network of receiver antennas was installed. Their purpose is to complement the antenna network in receiving the signals from the hand-held radios. The receiver antenna network consists of four separate antennas, each antenna providing reception for both repeater systems (all three plant channels). Each repeater system has a voting system. This system is able to distinguish between a good signal and a poor signal and then re-transmit only the good signal. The expanded antenna network, complemented with the receiver antenna network in conjunction with the voting system, greatly improves plant coverage.

The improvements described above provide adequate capacity and coverage to satisfy plant needs. In addition, by separating the channels into two systems located in different fire zones, with separate power supplies and antenna network, the susceptibility of the entire radio system (both repeater systems) to complete failure due to a single fire becomes highly unlikely.

It should be noted that several locations throughout the plant are equipped with hard wired base stations. These stations are located in such areas as the control rooms, operation staging area, diesel generator rooms and other locations that either require the convenience of a hard wire console or due to plant control and instrumentation equipment that may be susceptible to RF interference at that location do not permit broadcasting of RF signals. In all cases, these consoles have the capability to switch from one channel to another channel. As a minimum, a channel from each repeater system has been provided at each base station location. The individual hand-held radios are able to switch from one channel to another (one channel from each system). This way, in the unlikely event that a channel is lost, another channel will be available.

One final note. The upgraded system was not designed to meet the separation criteria for ESS systems as described in Chapter 7 of the FSAR or any other industry separation criteria for TE systems. To have done this would have doubled the cost of this system with no operational benefit. The system was designed using good engineering and design judgment with consideration to cost of installation and present plant conditions.

Timing Analysis

[Timeline diagram from Cue to Irreversible Damage State showing Tsw, Tdelay, Tcog and Texe.]

| Parameter | Value |
|---|---|
| Tsw | 66 Minutes |
| Tdelay | 6 Minutes |
| Tcog | 2 Minutes |
| Texe | 25.7 Minutes |
| Time available for cognition and recovery | 34.3 Minutes |
| Time available for recovery | 32.3 Minutes |
| SPAR-H Available time (cognitive) | 34.3 Minutes |
| SPAR-H Available time (execution) ratio | 2.26 Minutes |
| EPRI Minimum level of dependence for recovery | LD |

Notes

Tsw = 66 per MAAP runs (5/29/2015)

Tdelay = 6 min (R1900-0026-001, September 2014)

Texe = 25.7 min (includes 9.2 min for AFW cross-tie execution using LS-2 procedure and 16.5 min for CVCS cross-tie using LS-6 procedure) (R1900-0026-001, September 2014). Operator confirmed 25.7 is a reasonable time for execution.

Tcog = 2 min (included in Tdelay, but an additional 2 min is assumed)

Calculation No. PRA-QNT-006, Rev. 0 Page 31

Cognitive Analysis

Pc Failure Mechanism (Branch): HEP
Pca: Availability of Information: n/a
Pcb: Failure of Attention: n/a
Pcc: Misread/miscommunicate data: n/a
Pcd: Information misleading: n/a
Pce: Skip a step in procedure (branch g): 6.00e-003
Pcf: Misinterpret Instructions (branch a): n/a
Pcg: Misinterpret decision logic (branch k): n/a
Pch: Deliberate violation (branch a): n/a
Initial Pc (without recovery credited): 6.00e-003

Notes

While in the MCR formal communication will be used.

Workload will be high due to fire.

There are no alarms or warning about re-establishing local instrumentation after the abandonment procedure directs the operators to leave the MCR.

Decision trees pca, b, c, and d are not applicable to this scenario since the operators will be following a fire procedure step by step.

[Figures: CBDTM decision trees for the cognitive failure mechanisms. Surviving captions: Pcb: Failure of Attention; Pcd: Information misleading; Pcf: Misinterpret Instructions; Pch: Deliberate violation.]

Cognitive Recovery

Pca: n/a; --; N/A; 1.00E+00; 0.0
Pcb: n/a; --; LD; 1.00E+00; 0.0
Pcc: n/a; --; N/A; 1.00E+00; 0.0
Pcd: n/a; --; N/A; 1.00E+00; 0.0
Pce: 6.0e-003; X; N/A; 1.00E-01; 6.0E-04
Pcf: n/a; --; N/A; 1.00E+00; 0.0
Pcg: n/a; --; N/A; 1.00E+00; 0.0
Pch: n/a; --; N/A; 1.00E+00; 0.0
Final Pc (with recovery credited): 6.00E-04

Notes

All SG Level indications are failed (at 0), which is the cue that local indications are needed to be placed in service as part of this scenario. See execution modeling.

Execution Performance Shaping Factors

Environment: Lighting: Normal; Heat/Humidity: Normal; Radiation: Background; Atmosphere: Normal
Special Requirements: Tools: Required, Adequate, Available
Complexity of Response: Execution: Simple
Equipment Accessibility (Cognitive): Control room: Accessible
Equipment Accessibility (Execution): Turbine building 591' elevation: With Difficulty
Stress: High
Plant Response As Expected: No
Workload: N/A
Performance Shaping Factors: N/A

Notes

This is an Appendix R action that is practiced every year.

Workload is high due to fire. Stress is considered high due to fire.

1FSBO--XTIE-OMA, Operators fail to X-TIE AFW and CVCS given fire induced SBO with no TDAFP

Plant: DC Cook
Data File: DieselSENS-FIRE-May26.HRA
File Size: 7081984
File Date: 5/29/2015
Record Date: 5/29/2015

Analyst: DM, 5/26/2015
Reviewer:

HEP Summary

Method: Pcog: CBDTM; Pexe: THERP; Total HEP: CBDTM+THERP
Without Recovery: Pcog: 6.00E-03; Pexe: 8.71E-02
With Recovery: Pcog: 6.00E-04; Pexe: 4.70E-03; Total HEP: 5.30E-03; Error Factor: 5
RAW: 0.00E+00; FV: 0.00E+00; Risk Significant: N/A

Identification and Definition

1. Initial Conditions: Steady state, full power operation.
2. Initiating Event/s:

Fire in any of the following Fire Zones (unit 1):

  • FZ41
  • FZ55
  • FZ56
  • FZ57
  • MCR

Fire induces any of the following internal initiating events:

  • LOSP
  • TT
  • RX trip
  • LOMFW
  • Loss DC
  • SBO

The SBO with no TDAFP is selected as the bounding initiating event as it has the most limiting timing.

3. Accident sequence (preceding functional failures and successes): SBO with no TDAFP

Fire causes loss of all SG NR and SG WR control room instrumentation:

  • 1/2-BLP-110, 111, 112, Loop 1 NR SG Level
  • 1/2-BLP-120, 121, 122, Loop 2 NR SG Level
  • 1/2-BLP-130, 131, 132, Loop 3 NR SG Level
  • 1/2-BLP-140, 141, 142, Loop 4 NR SG Level
  • 1/2-BLI-110, Loop 1 WR SG Level
  • 1/2-BLI-120, Loop 2 WR SG Level
  • 1/2-BLI-130, Loop 3 WR SG Level
  • 1/2-BLI-140, Loop 4 WR SG Level

4. Preceding operator error or success in sequence:

Operators have diagnosed fire zone and entered 01-OHP-4025-001.001, "Emergency Remote Shutdown" procedure

5. Operator action success criteria: Perform AFW and CVCS cross-tie given no control room SG level instrumentatic
6. Consequence of failure: SG dryout and core damage.

Note: U1 Fire Zones where action is required: FZ41, FZ55, FZ56, FZ57, MCR

Cues and Indications

Initial Cue: 1-BLI-120, #12 SG Wide Range Level; 1-BLI-130, #13 SG Wide Range Level
Recovery Cue:
Cue Comments: Local SG WR indications are placed in service at 1-LSI-2 in this scenario.
Degree of Clarity: Clarity of Cues and Indications are modeled explicitly in CBDTM

Procedures

Cognitive Procedure: 01-OHP-4025-001-001 (Emergency Remote Shutdown) Revision: 10
Cognitive Step Number: 18, 19 and 20
Cognitive Instruction:

Step 18 b Initiate CVCS Cross-tie Operations:

b. (Aux Tour) Perform 1-OHP-4025-LS-6, RCS Make-Up Cross-Tie, LS-6-1, RCS Make-Up With CVCS Cross-Tie

Step 19. (Turbine Tour) Align UNIT 2 MDAFPs For Cross-Tie Opc

19.b Perform 01-OHP-4025-LS-2, Start-Up AFW, LS-2-1

Step 20. (BOP) Locally Establish SG Level In At Least Two Stearr

  • IF 2W MDAFP is to be used, THEN initiate 01-OHP-4(

MDAFP

Execution Procedure: 01-OHP-4025-LS-2 (START-UP AFW) Revision: 4
Execution Instruction: 0 1 -O HP-4 02 5 -L S I

1. Contact Unit 2 Control Room To Verify Valves - CLOSED:
  • 2-FMO-212, 2W MDAFP To #21 SG
  • 2-FMO-242, 2W MDAFP To #24 SG
  • 2-FRV-245, 2W MDAFP Test Valve
2. Contact Unit 2 Control Room To Verify 2W Motor Driven Auxiliary Feedwater Pump - NOT RUNNING
3. Verify 2-FW-261, West MDAFP Test Valve 2-FRV-24
4. Open 1-FW-129, 1E Motor Driven Auxiliary Feedwater Pump Discharge To Unit 2 Crosstie Shutoff Valve
5. Report 1-OHP-4025-LS-2, Start-Up AFW, LS-2-1, Cross-Tie 1E/2W AFW Complete

Job Performance Measure: AE-O-A003 (Auxiliary Feedwater System Unit Crosstie) Revision: I

Other Procedures:

01-OHP-4025-LS-3 (Steam Generator 2/3 Level Control) Revision: 4
02-OHP-4025-LS-6 (RCS Make-Up With CVCS Cross-Tie) Revision: 6

Notes

01-OHP-4025-LS-3-1 (SG 2/3 Level Control Using 2W MDAFP):
1. Open Breakers:
  • 1-EZC-D-R3B, 1-FMO-222 (1E MDAFP to #12 SG)
  • 1-EZC-D-R3C, 1-FMO-232 (1E MDAFP to #13 SG)
2. Proceed To 1-LSI-2 And Locate The Following:
  • 1-BLI-120, #12 SG Wide Range Level
  • 1-BLI-130, #13 SG Wide Range Level
3. Place SG Level Indication Remote/Local Switches In Local:
  • 1-43-BLI-120, Steam Generator 2 Level 1-BLI-120 Indicator Select
  • 1-43-BLI-130, Steam Generator 3 Level 1-BLI-130 Indicator Select
4. Verify Auxiliary Feedwater To #12 And #13 Steam Generators - AVAILABLE:
  • 2W MDAFP - RUNNING
5. Maintain #12 And #13 Steam Generators Levels - 50% TO 55%:
  • Locally operate auxiliary feedwater flow control valves using handwheels:
    • 1-FMO-222, 1E/2W MDAFP To #12 SG
    • 1-FMO-232, 1E/2W MDAFP To #13 SG
  • Monitor the following at 1-LSI-2:
    • 1-BLI-120, #12 SG Wide Range Level
    • 1-BLI-130, #13 SG Wide Range Level
6. Report 1-OHP-4025-LS-3, Steam Generator 2/3 Level Control, LS-3-1, SG 2/3 Level Control Using 2W MDAFP, Complete Upon Initiating Auxiliary Feedwater Flow To #12 And #13 Steam Generators

01-OHP-4025-LS-6-1 (RCS Make-Up From CVCS Cross-Tie Using BIT Injection):
2. Deenergize BIT Injection Valve Motors:
a. Open the following breakers (4KV Room, Mezzanine Area):
  • 1-EZC-C-5B, Boron Injection to RC Loop #1 Shutoff Valve 1-IMO-51
  • 1-EZC-B-1B, Boron Injection to RC Loop #2 Shutoff Valve 1-IMO-52
  • 1-EZC-D-1B, Boron Injection to RC Loop #3 Shutoff Valve 1-IMO-53
  • 1-EZC-A-5B, Boron Injection to RC Loop #4 Shutoff Valve 1-IMO-54
3. Align BIT For Injection:
a. Open 1-AM-D-2B, BIT Train 'A' Outlet Containment Isol Valve 1-ICM-250 (633' Aux Bldg)
b. Open 1-ICM-250, Boron Injection Tank Outlet Train 'A' Cntmt Isolation Valve (612' Aux Bldg, BIT outlet valve room)
4. Isolate Seal Injection Flowpath:
  • Close 1-CS-302, CCP'S Flow Control Valve 1-QRV-251 Inlet Valve (Reciprocating Charging Pump Room)
5. Verify CVCS Charging Pumps Discharge Crosstie Header Valves - CLOSED:
  • 1-CS-536, Charging Pump Discharge Crosstie Header Unit 1 Shutoff Valve
  • 1-CS-535, Charging Pump Discharge Crosstie Header To U1 RCP Seal Injection Emergency Flow Control Valve
  • 2-CS-534, Charging Pump Discharge Crosstie Header To Unit 2 BIT Emergency Flow Control Valve
  • 2-CS-535, Charging Pump Discharge Crosstie Header To U2 RCP Seal Injection Emergency Flow Control Valve
6. SLOWLY Open 2-CS-536, Charging Pump Discharge Crosstie Header Unit 2 Shutoff Valve
7. Initiate Flow Through CVCS Cross-Tie And Control Pressurizer Level:
a. Verify the following Local/Remote switches on Panel 1-LSI-3 in LOCAL:
  • 1-NLI-151, Pressurizer Level
  • 1-NPS-122, RCS WRL Pressure
b. Monitor the following during CVCS Cross-Tie operations:
  • 1-NLI-151, Pressurizer Level (1-LSI-3)
  • 12-QFI-201, Unit 1 To And From Unit 2 Charging Pumps Disch Crosstie Flow Indicator
c. SLOWLY throttle open 1-CS-534, Charging Pump Discharge Crosstie Header To Unit 1 BIT Emergency Flow Control Valve, to establish and maintain PRZ level - 20% TO 50% ACTUAL
d. Report RCS make-up initiated through CVCS Cross-Tie

Training

Classroom Training: 5 per year
Simulator Training: .5 per year

Crew Member: Auxiliary Equipment Operators (AEOs); Included: No; Total Available: 0; Required for Execution: 2; Notes: Turbine Tour, BOP

Notes

Assumptions
1. Operators are using the fire procedure/s and do not perform the EOPs or AOPs
2. Face-to-face communication does not introduce any delays in time required.
3. Face-to-face communication is equivalent to three-way-communication as applied in the control room.
4. Sufficient manpower is available for all required actions.
5. The other unit is not impacted by the fire, and AFW and CVCS are available to supply the cross-tie.
6. The habitability in local areas where actions are to be performed is not affected by the fire.
7. The habitability of areas to be transited through is not impacted by the fire.
8. Emergency lighting is available in all local areas to be transited through or where local actions are required.

Operator Interview Insights

FR-H.1 (2004)

Cue to enter procedure is SG N/R level. In loss of feedwater events with loss of AFW, the SG NR levels are lost almost immediately. RCS high pressure usually does not appear as a cue. In the event of loss of MFW, would go almost instantly from E-0 to FR-H.1. Would follow the RED path. OHI Status tree monitoring must begin on exiting E-0 or when directed in E-0 (page 46) - this is a generic instruction for the control room team.

Step 1 - Check if heat sink is required

Step 2 - Check if centrifugal charging pump (CCP) status (should be running)

Step 3 - Check if should initiate bleed & feed (If Yes go to Step 18). Try to establish AFW flow to at least 1 SG.

The AFW cross-tie requires one control room MOV (the unit's normal AFW flow control valve) manipulation and the local opening of a valve in each unit's FW pump room FW-129. These valves have a metal seal (not much). It would take 5 minutes per valve to get open. The valve is high enough in the room that short people need a ladder to reach the hand wheel to open the valve.

Local actions in turbine hall to cross-tie AFW in step 4.d RNO would take about 15 minutes including traveling time. This is a relatively unique feature of DC Cook. During simulator training, this cross-tie is always failed to force them into the rest of the procedure. If the cross-tie is successful, the secondary heat sink is recovered.

LOSS OF AFW DURING FIRE (2011)

  • Cues for loss of AFW:
    o AFW flow - if flow indicators are failed by fire look for additional cues
      • RCS temperature decreasing
      • Pump amps
      • Pressure
    o On loss of AFW, SG narrow range will immediately drop and operators will expect to enter FR-H.1 on AFW flow at 240 x 10^3 pph
  • Time pressure - Ops are not aware of any time constraints for loss of AFW.
  • Procedure path for loss of AFW will be the same for both the fire and non-fire case, operators don't expect any differences in response. They will stay in the EOPs as long as they are working.
    o Procedure path - E-0, ESO.1, FR-H.1 (transfer to FR-H.1 using Critical safety function status trees) - Estimated time to reach FR-H.1: on the order of 5 minutes
    o Ops will REFER TO 01-OHP-4025-001-001 for additional information if necessary. For loss of AFW, Operators believe EOPs are adequate/sufficient. Will rely more on Fire procedures when the EOPs are non-sufficient and are not working.
  • Cross-tie AFW
    o FR-H.1 Step 4.d.1 RNO Go To Attachment A of 01-OHP-4022-055-003
    o Check Total flow to SGs greater than 240 x 10^3 PPH - If instrumentation is faulted in control room the operators will check locally before performing cross-tie.
    o Once Step 4.d.1 is reached the work for the cross-tie is passed onto the Work Control SRO.
    o Execution for the cross tie requires NO ladder - Note in fire procedures is for extra information.
    o To gain access to the west room requires operators to swipe badge
    o To get to valve FW-129 the operators must hand crank open a fire door.
    o Operators estimate it would take 5-10 minutes to cross-tie AFW.
  • Attempt to restart AFW - Step 4.c if AFW fails to auto start, ops will start. Training and plant policy allow ops to start earlier if they notice auto started failed.

Q: Are the local SG level indications (1-BLI-120, #12 SG Wide Range Level, 1-BLI-130, #13 SG Wide Range Level) standard level indications?

A: These are "standard" in appearance as they are vertical Weschler meters, as are the control room level indicators, however the control room includes both narrow range indicators (which only cover a couple of feet of actual level in the SG) and the WR meters (where-as the wide range meters cover from the tube sheet to above the narrow range meters) next to each other. Thus there is wide range indication in the control room at which personnel are familiar.

Normal operating SG NR level corresponds to about 60 some % WR level (as can be seen in the photos).

Q: Are the tasks below (operate, monitor) performed by the same local operator?

Is LSI-2 in the same location as 1-FMO-222 / 1-FMO-232?

5. Maintain #12 And #13 Steam Generators Levels - 50% TO 55%:
  • 1-FMO-222, 1E/2W MDAFP To #12 SG
  • 1-FMO-232, 1E/2W MDAFP To #13 SG
  • Monitor the following at 1-LSI-2:
  • 1-BLI-120, #12 SG Wide Range Level
  • 1-BLI-130, #13 SG Wide Range Level

A: These would be performed by the same operator. The SG level indications are about 12 feet from the valves that would be operated. So the operator could easily look at the levels, establish a level trend in the associated SG, and walk over to the associated valves and open/close them as necessary. Backup would be provided by personnel at other stations monitoring RCS Loop temperatures to assure that the whole process is moving in the direction desired.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures for control room actions?

A: I would expect that crews would use the circle and slash placekeeping action in the fire procedures, the same as they do for EOPs, AOPs, and almost any other procedure Operations executes. This is delineated in the OHI-4023 document, as well as other Operations OHI's and general plant PMPs for procedure use and adherence.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures while performing local actions?

A: The expectation is that the circle and slash placekeeping actions would be applied locally, in the field, as is the current expectation for about any procedure being executed in the field, consistent with the same procedure requirements mentioned above.

Q: Is the 3-way communication protocol implemented when communicating with the other unit? If so, how is it implemented?

A: As a minimum, the expectation is that 3-way communication is used in all Operations communications dealing with procedure execution/plant operation.

Q: Will the means of communication in a fire scenario be via phone or radio?

A: I am not sure if the telephone will remain available (as the PBX has its own battery) if one or both units were entirely blacked out. I would expect that if one unit has a fire and the other unit is otherwise unaffected the radio communications capability would remain, using portable field radios. So as a minimum I would expect that radios would be usable.

Per the "Fire Protection Program Manual", Revision 11, Section 12.4:

The design for the upgraded radio system also takes into account concerns that the NRC expressed about the susceptibility of the present Fire & Emergency Radio System to a single fire. A single fire could disable the entire radio system by disabling the repeater, or power feed to the repeater or the main repeater antenna lead. The radio system was expanded so that the plant will now have three radio channels instead of one. One channel is dedicated to Unit 1, one channel dedicated to Unit 2 and the other channel for the Emergency Medical Team/Radiological Protection during emergencies, and general plant use during normal operation. The increase in number of channels as well as the dedication of channels to the control rooms greatly improves the radio system's traffic capacity.

The three channels are divided into two separate and independent systems. One system has the Unit 1 repeater and the EMT/RP repeater in it. The other system has the Unit 2 repeater in it. Both systems have their own antenna network and power supply. The two antenna networks are completely separate from each other. The two power supplies are both uninterruptible power systems, both with their own batteries, inverter, and distribution system. The two repeater systems are located in separate fire zones.

Coverage for both systems was improved from the original design by the following. Both of the upgraded antenna networks consist of seven antennas. The previous Fire & Emergency System had five. The additional antennas expand coverage considerably. In addition to the expanded antenna networks, a separate network of receiver antennas was installed. Their purpose is to complement the antenna network in receiving the signals from the hand-held radios. The receiver antenna network consists of four separate antennas, each antenna providing reception for both repeater systems (all three plant channels). Each repeater system has a voting system. This system is able to distinguish between a good signal and a poor signal and then re-transmit only the good signal. The expanded antenna network, complemented with the receiver antenna network in conjunction with the voting system greatly improves plant coverage.

The improvements described above provide adequate capacity and coverage to satisfy plant needs. In addition, by separating the channels into two systems located in different fire zones, with separate power supplies and antenna network the susceptibility of the entire radio system (both repeater systems) to complete failure due to a single fire becomes highly unlikely.

It should be noted that several locations throughout the plant are equipped with hard wired base stations. These stations are located in such areas as the control rooms, operation staging area, diesel generator rooms and other locations that either require the convenience of a hard wire console or due to plant control and instrumentation equipment that may be susceptible to RF interference at that location do not permit broadcasting of RF signals. In all cases, these consoles have the capability to switch from one channel to another channel. As a minimum, a channel from each repeater system has been provided at each base station location. The individual hand-held radios are able to switch from one channel to another (one channel from each system). This way, in the unlikely event that a channel is lost, another channel will be available.

One final note. The upgraded system was not designed to meet the separation criteria for ESS systems as described in Chapter 7 of the FSAR or any other industry separation criteria for 1E systems. To have done this would have doubled the cost of this system with no operational benefit. The system was designed using good engineering and design judgment with consideration to cost of installation and present plant conditions.

Timing Analysis

Tsw: 66 Minutes
Tdelay: 6 Minutes
Tcog: 2 Minutes
Texe: 25.7 Minutes

[Figure: timeline from Cue to Irreversible Damage State]

Time available for cognition and recovery: 34.3 Minutes
Time available for recovery: 32.3 Minutes
SPAR-H Available time (cognitive): 34.3 Minutes
SPAR-H Available time (execution) ratio: 2.26 Minutes
EPRI Minimum level of dependence for recovery: LD

Notes

Tsw = 66 per MAAP runs (5/29/2015)

Tdelay = 6 min (R1900-0026-001, September 2014)

Texe = 25.7 min (includes 9.2 min for AFW cross-tie execution using LS-2 procedure and 16.5 min for CVCS cross-tie using LS-6 procedure) (R1900-0026-001, September 2014). Operator confirmed 25.7 is a reasonable time for execution (phone interview 5/26/2015).

Tcog = 2 min (included in Tdelay, but an additional 2 min is assumed)

Cognitive Analysis

Pc Failure Mechanism (Branch): HEP
Pca: Availability of Information: n/a
Pcb: Failure of Attention: n/a
Pcc: Misread/miscommunicate data: n/a
Pcd: Information misleading: n/a
Pce: Skip a step in procedure (branch g): 6.00e-003
Pcf: Misinterpret Instructions (branch a): n/a
Pcg: Misinterpret decision logic (branch k): n/a
Pch: Deliberate violation (branch a): n/a
Initial Pc (without recovery credited): 6.00e-003

Notes

While in the MCR formal communication will be used.

Workload will be high due to fire.

There are no alarms or warning about re-establishing local instrumentation after the abandonment procedure directs the operators to leave the MCR.

Decision trees pca, b, c, and d are not applicable to this scenario since the operators will be following a fire procedure step by step.

[Figures: CBDTM decision trees for the cognitive failure mechanisms. Surviving captions: Pcb: Failure of Attention; Pcd: Information misleading; Pcf: Misinterpret Instructions; Pch: Deliberate violation.]

Cognitive Recovery

[Table: cognitive recovery by failure mechanism; the individual rows are not recoverable from the extracted text.]

Final Pc (with recovery credited): 6.00E-04

Notes

All SG Level indications are failed (at 0), which is the cue that local indications are needed to be placed in service as part of this scenario. See execution modeling.

Execution Performance Shaping Factors

Environment: Lighting: Normal; Heat/Humidity: Normal; Radiation: Background; Atmosphere: Normal
Special Requirements: Tools: Required, Adequate, Available
Complexity of Response: Execution: Simple
Equipment Accessibility (Cognitive): Control room: Accessible
Equipment Accessibility (Execution): Turbine building 591' elevation: With Difficulty
Stress: Moderate
Plant Response As Expected: Yes
Workload: High
Performance Shaping Factors: Optimal

Notes

This is an Appendix R action that is practiced every 2 years. Phone interviews with operators confirmed that plant responds as expected (transfer to cross-tie is happening at the beginning of the scenario). Workload is high due to fire.

Stress is considered moderate.

1FSBO---RCC-OMA, Operators fail to establish RCS cooldown given fire induced SBO with no TDAFP

Plant: DC Cook
Data File: DieselSENS-FIRE-May26.HRA
File Size: 7081984
File Date: 5/29/2015
Record Date: 5/29/2015

Analyst: DM, 05/29/2015
Reviewer:

HEP Summary

Method: Pcog: CBDTM; Pexe: THERP; Total HEP: CBDTM+THERP
Without Recovery: Pcog: 0.00E+00; Pexe: 1.65E-02
With Recovery: Pcog: 0.00E+00; Pexe: 8.77E-04; Total HEP: 8.77E-04; Error Factor: 10
RAW: 0.00E+00; FV: 0.00E+00; Risk Significant: N/A

Identification and Definition

This is just an execution action

1. Initial Conditions: Steady state, full power operation.
2. Initiating Event/s:

Fire in any of the following Fire Zones (unit 1):

  • FZ41
  • FZ55
  • FZ56
  • FZ57
  • MCR

Fire induces any of the following internal initiating events:

  • LOSP
  • TT
  • RX trip
  • LOMFW
  • Loss DC
  • SBO

The SBO with no TDAFP is selected as the bounding initiating event as it has the most limiting timing.

3. Accident sequence (preceding functional failures and successes): SBO with no TDAFP

Fire causes loss of all SG NR and SG WR control room instrumentation:

  • 1/2-BLP-110, 111, 112, Loop 1 NR SG Level
  • 1/2-BLP-120, 121, 122, Loop 2 NR SG Level
  • 1/2-BLP-130, 131, 132, Loop 3 NR SG Level
  • 1/2-BLP-140, 141, 142, Loop 4 NR SG Level
  • 1/2-BLI-110, Loop 1 WR SG Level
  • 1/2-BLI-120, Loop 2 WR SG Level
  • 1/2-BLI-130, Loop 3 WR SG Level
  • 1/2-BLI-140, Loop 4 WR SG Level

4. Preceding operator error or success in sequence:

Operators have diagnosed fire zone and entered 01-OHP-4025-001.001, "Emergency Remote Shutdown" procedure

5. Operator action success criteria: Establish RCS cooldown after successful AFW and CVCS cross-tie given no coni
6. Consequence of failure: SG dryout and core damage.

Note: U1 Fire Zones where action is required: FZ41, FZ55, FZ56, FZ57, MCR

Cues and Indications

Initial Cue: Success of AFW and CVCS cross-tie
Recovery Cue:
Cue Comments: Establish RCS cooldown after success of AFW and CVCS cross-tie.
Degree of Clarity: Clarity of Cues and Indications are modeled explicitly in CBDTM

Procedures

Cognitive Procedure: Cognitive: Not Selected
Cognitive Step Number:
Cognitive Instruction:
Execution Procedure: 1-OHP-4025-001-001 (EMERGENCY REMOTE SHUTDOWN) Revision: 10
Execution Instruction: Commence RCS Cooldown To - LESS THAN 350°F:

Job Performance Measure: AE-O-A003 (Auxiliary Feedwater System Unit Crosstie) Revision: I

Notes

Training

Classroom Training: 5 per year
Simulator Training: 5 per year

Crew Member: Auxiliary Equipment Operators (AEOs); Included: No; Total Available: 0; Required for Execution: 2; Notes: Turbine Tour, BOP

Notes

Assumptions

1. Operators are using the fire procedure/s and do not perform the EOPs or AOPs
2. Face-to-face communication does not introduce any delays in time required.


3. Face-to-face communication is equivalent to three-way-communication as applied in the control room.
4. Sufficient manpower is available for all required actions.
5. The other unit is not impacted by the fire, and AFW and CVCS are available to supply the cross-tie.
6. The habitability in local areas where actions are to be performed is not affected by the fire.
7. The habitability of areas to be transited through is not impacted by the fire.
8. Emergency lighting is available in all local areas to be transited through or where local actions are required.

Operator Interview Insights

FR-H.1 (2004)

Cue to enter procedure is SG N/R level. In loss of feedwater events with loss of AFW, the SG NR levels are lost almost immediately. RCS high pressure usually does not appear as a cue. In the event of loss of MFW, would go almost instantly from E-0 to FR-H.1. Would follow the RED path. OHI Status tree monitoring must begin on exiting E-0 or when directed in E-0 (page 46) - this is a generic instruction for the control room team.

Step 1 - Check if heat sink is required

Step 2 - Check if centrifugal charging pump (CCP) status (should be running)

Step 3 - Check if should initiate bleed & feed (If Yes go to Step 18). Try to establish AFW flow to at least 1 SG.

The AFW cross-tie requires one control room MOV (the unit's normal AFW flow control valve) manipulation and the local opening of a valve in each unit's FW pump room FW-129. These valves have a metal seal (not much). It would take 5 minutes per valve to get open. The valve is high enough in the room that short people need a ladder to reach the hand wheel to open the valve.

Local actions in turbine hall to cross-tie AFW in step 4.d RNO would take about 15 minutes including traveling time. This is a relatively unique feature of DC Cook. During simulator training, this cross-tie is always failed to force them into the rest of the procedure. If the cross-tie is successful, the secondary heat sink is recovered.

LOSS OF AFW DURING FIRE (2011)

"1 Cues for loss of AFW:

o AFW flow - if flow indicators are failed by fire look for additional cues RCS temperature decreasing Pump amps Pressure o On loss of AFW, SG narrow range will immediately drop and operators will expect to enter FR-H. I on AFW flow at 240 X 103 pph Time pressure - Ops, are not aware of any time constraints for loss of AFW.

Procedure path for loss of AFW will be the same for both the fire and non-fire case, operators don't expect any differences in response. They will stay in the EOPs as long as they are working.

o Procedure path - E-0, ES-0.1, FR-H.1 (transfer to FR-H.1 using Critical safety function status trees) - estimated time to reach FR-H.1: on the order of 5 minutes

o Ops will REFER TO 01-OHP-4025-001-001 for additional information if necessary. For loss of AFW, Operators believe EOPs are adequate/sufficient. Will rely more on Fire procedures when the EOPs are non-sufficient and are not working.

• Cross-tie AFW

o FR-H.1 Step 4.d.1 RNO: Go To Attachment A of 01-OHP-4022-055-003

o Check Total flow to SGs greater than 240 x 10^3 PPH - If instrumentation is faulted in control room the operators will check locally before performing cross-tie.

o Once Step 4.d.1 is reached the work for the cross-tie is passed onto the Work Control SRO.

o Execution for the cross tie requires NO ladder - Note in fire procedures is for extra information.

o To gain access to the west room requires operators to swipe badge

o To get to valve FW-129 the operators must hand crank open a fire door.

o Operators estimate it would take 5-10 minutes to cross-tie AFW.

• Attempt to restart AFW - Step 4.c: if AFW fails to auto start, ops will start. Training and plant policy allow ops to start earlier if they notice auto start failed.

Q: Are the local SG level indications (1-BLI-120, #12 SG Wide Range Level, 1-BLI-130, #13 SG Wide Range Level) standard level indications?

A: These are "standard" in appearance as they are vertical Weschler meters, as are the control room level indicators; however, the control room includes both narrow range indicators (which only cover a couple of feet of actual level in the SG) and the WR meters (whereas the wide range meters cover from the tube sheet to above the narrow range meters) next to each other. Thus there is wide range indication in the control room with which personnel are familiar.

Normal operating SG NR level corresponds to about 60 some % WR level (as can be seen in the photos).

Q: Are the tasks below (operate, monitor) performed by the same local operator?

Is LSI-2 in the same location as 1-FMO-222 / 1-FMO-232?

5. Maintain #12 And #13 Steam Generators Levels - 50% TO 55%:
  • 1-FMO-222, IE/2W MDAFP To #12 SG
  • 1-FMO-232, IE/2W MDAFP To #13 SG
  • Monitor the following at 1-LSI-2:
  • 1-BLI-120, #12 SG Wide Range Level
  • 1-BLI-130, #13 SG Wide Range Level

A: These would be performed by the same operator. The SG level indications are about 12 feet from the valves that would be operated. So the operator could easily look at the levels, establish a level trend in the associated SG, and walk over to the associated valves and open/close them as necessary. Backup would be provided by personnel at other stations monitoring RCS Loop temperatures to assure that the whole process is moving in the direction desired.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures for control room actions?

A: I would expect that crews would use the circle and slash placekeeping action in the fire procedures, the same as they do for EOPs, AOPs, and almost any other procedure Operations executes. This is delineated in the OHI-4023 document, as well as other Operations OHIs and general plant PMPs for procedure use and adherence.

Q: Do they use check-off provisions / placekeeping aids in the fire procedures while performing local actions?

A: The expectation is that the circle and slash placekeeping actions would be applied locally, in the field, as is the current expectation for about any procedure being executed in the field, consistent with the same procedure requirements mentioned above.

Q: Is the 3-way communication protocol implemented when communicating with the other unit? If so, how is it implemented?

A: As a minimum, the expectation is that 3-way communication is used in all Operations communications dealing with procedure execution/plant operation.

Q: Will the means of communication in a fire scenario be via phone or radio?

A: I am not sure if the telephone will remain available (as the PBX has its own battery) if one or both units were entirely blacked out. I would expect that if one unit has a fire and the other unit is otherwise unaffected the radio communications capability would remain, using portable field radios. So as a minimum I would expect that radios would be usable.

Per the "Fire Protection Program Manual", Revision 11, Section 12.4:

The design for the upgraded radio system also takes into account concerns that the NRC expressed about the susceptibility of the present Fire & Emergency Radio System to a single fire. A single fire could disable the entire radio system by disabling the repeater, or power feed to the repeater or the main repeater antenna lead. The radio system was expanded so that the plant will now have three radio channels instead of one. One channel is dedicated to Unit 1, one channel dedicated to Unit 2 and the other channel for the Emergency Medical Team/Radiological Protection during emergencies, and general plant use during normal operation. The increase in number of channels as well as the dedication of channels to the control rooms greatly improves the radio system's traffic capacity.

The three channels are divided into two separate and independent systems. One system has the Unit 1 repeater and the EMT/RP repeater in it. The other system has the Unit 2 repeater in it. Both systems have their own antenna network and power supply. The two antenna networks are completely separate from each other. The two power supplies are both uninterruptible power systems, both with their own batteries, inverter, and distribution system. The two repeater systems are located in separate fire zones.

Coverage for both systems was improved from the original design by the following. Both of the upgraded antenna networks consist of seven antennas. The previous Fire & Emergency System had five. The additional antennas expand coverage considerably. In addition to the expanded antenna networks, a separate network of receiver antennas was installed. Their purpose is to complement the antenna network in receiving the signals from the hand-held radios. The receiver antenna network consists of four separate antennas, each antenna providing reception for both repeater systems (all three plant channels). Each repeater system has a voting system. This system is able to distinguish between a good signal and a poor signal and then re-transmit only the good signal. The expanded antenna network, complemented with the receiver antenna network in conjunction with the voting system, greatly improves plant coverage.

The improvements described above provide adequate capacity and coverage to satisfy plant needs. In addition, by separating the channels into two systems located in different fire zones, with separate power supplies and antenna network, the susceptibility of the entire radio system (both repeater systems) to complete failure due to a single fire becomes highly unlikely.

It should be noted that several locations throughout the plant are equipped with hard wired base stations. These stations are located in such areas as the control rooms, operation staging area, diesel generator rooms and other locations that either require the convenience of a hard wire console or due to plant control and instrumentation equipment that may be susceptible to RF interference at that location do not permit broadcasting of RF signals. In all cases, these consoles have the capability to switch from one channel to another channel. As a minimum, a channel from each repeater system has been provided at each base station location. The individual hand-held radios are able to switch from one channel to another (one channel from each system). This way, in the unlikely event that a channel is lost, another channel will be available.

One final note. The upgraded system was not designed to meet the separation criteria for ESS systems as described in Chapter 7 of the FSAR or any other industry separation criteria for 1E systems. To have done this would have doubled the cost of this system with no operational benefit. The system was designed using good engineering and design judgment with consideration to cost of installation and present plant conditions.

Timing Analysis

Tsw: 125 Minutes
Tdelay: 66 Minutes
Tcog: 0 Minutes
Texe: 15 Minutes

[Timeline diagram: t=0, Cue, Irreversible Damage State]

Time available for cognition and recovery: 44 Minutes
Time available for recovery: 44 Minutes
SPAR-H Available time (cognitive): 44 Minutes
SPAR-H Available time (execution) ratio: 3.93
EPRI Minimum level of dependence for recovery: LD

Notes

Tsw = 125 min as per MAAP runs (5/29/2015)

Tdelay = 66 min (Start AFW flow and RCS inflow at 66 minutes)

Texe = Per operator interview (phone interview 5/26/2015), 15 minutes are assessed to be reasonable for execution.

Cognitive Analysis

Pc Failure Mechanism | Branch | HEP
Pca: Availability of Information | | n/a
Pcb: Failure of Attention | | n/a
Pcc: Misread/miscommunicate data | | n/a
Pcd: Information misleading | | n/a
Pce: Skip a step in procedure | | n/a
Pcf: Misinterpret Instructions | a | n/a
Pcg: Misinterpret decision logic | k | n/a
Pch: Deliberate violation | a | n/a

Initial Pc (without recovery credited): 0.00e+000

Notes

[Figures: decision trees for the cognitive failure mechanisms. Legible panel titles: Pca: Availability of Information; Pcc: Misread/miscommunicate data; Pce: Skip a step in procedure; Pcg: Misinterpret decision logic]

Cognitive Recovery

Pca n/a - - - - - N/A 1.00E+00 0.0
Pcb n/a - LD 1.00E+00 0.0
Pcc n/a - N/A 1.00E+00 0.0
Pcd n/a - N/A 1.00E+00 0.0
Pce n/a X N/A 1.00E-01 0.0
Pcf n/a - N/A 1.00E+00 0.0
Pcg n/a - N/A 1.00E+00 0.0
Pch n/a - N/A 1.00E+00 0.0

Final Pc (with recovery credited): 0.00E+00

Notes

All SG Level indications are failed (at 0), which is the cue that local indications need to be placed in service as part of this scenario. See execution modeling.

Execution Performance Shaping Factors

Environment: Lighting: Normal; Heat/Humidity: Normal; Radiation: Background; Atmosphere: Normal
Special Requirements: Tools: Required, Adequate, Available
Complexity of Response: Execution: Simple
Equipment Accessibility (Cognitive): Control room, Accessible
Equipment Accessibility (Execution): Turbine building 591' elevation, With Difficulty
Stress: Moderate
Plant Response As Expected: Yes
Workload: High
Performance Shaping Factors: Optimal

Notes

This is an Appendix R action that is practiced every 2 years. Phone interviews with operators confirmed that plant responds as expected (transfer to cross-tie is happening at the beginning of the scenario). Workload is high due to fire.

Stress is considered moderate.