w. 0)

0) 01 I

~1.1::w -"'6:r0pGm!od\'uM> rot -nm....WP<o""- 0 --"

E: -H""'&lcn!J'< fl -Fbolhimtar I (X>

TJ!I -Typbol LG -Lwull:log>

NO CX>

mo - RD:iSanoQ fgJT?ndU'O D:iLx:tar

~

CX>

Figure 2 - Gravity-supplied Service Water System Loads --"

Serial No.16-180 Docket Nos. 50-280/281 Attachment 2

MARKED-UP TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable U FSAR Chapter 14 Prior to operating above events, Surry 1 will re-analyze the 2546 MWt (98.4% RP).

transient consistent with VEPCO's NRG-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the1 Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

• Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);

• Section 14.2.8 - Excessive Load Increase Incident;

• Section 14.2.9 - Loss of Reactor Coolant Flow; and

• Section 14.2.10 - Loss of External Electrical Load 4.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.-2f9-

09 23 13 <E-T. (Continued)

16. For the applicable UFSAR Chapter 14 Prior to operating above events, Surry 2 will re-analyze the 2546 MWt (98.4% RP).

transient consistent with VEPCO's NRG-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

• Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);

• Section 14.2.8 - Excessive Load Increase Incident;

• Section 14.2.9 - Loss of Reactor Coolant Flow; and

• Section 14.2.10 - Loss of External Electrical Load

4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.~

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum Permissible Total Number OPERABLE Channels Bypass Operator Functional Unit Of Channels Channels To Trip Conditions Actions

3. AUXILIARY FEEDWATER (continued)

e. Trip of main feedwater pumps - start motor driven 2/MFWpump l/MFW pump 2-1 each 24 pumps MFWpump

f. Automatic actuation logic 2 2 1 22

4. LOSS OF POWER

a. 4.16 kv emergency bus undervoltage (loss of voltage) 3/bus 2/bus 2/bus 26

b. 4.16 kv emergency bus undervoltage (degraded voltage) 3/bus 2/bus 2/bus 26

5. NON-ESSENTIAL SERVICE WATER ISOLATION

a. Low intake canal level* Nots g

b. Automatic actuation logic 4

2 3

2 3

1 20 14

.~ <E:-

6. ENGINEERED SAFEGAURDS ACTUATION INTERLOCKS - Note A

a. Pressurizer pressure, P-11 3 2 2 23

b. Low-low Tavg, P-12 3 2 2 23

c. Reactor trip, P-4 2 2 1 24

7. RECIRCULATION MODE TRANSFER

a. RWST Level - Low-Low* 4 3 2 25

b. Automatic Actuation Logic and Actuation Relays 2 2 1 14

8. RECIRCULATION SPRAY

a. RWST Level - Low Coincident with High High 4 3 2 20 Containment Pressure*

b. Automatic Actuation Logic and Actuation Relays 2 2 1 14 xc angers is m 1 e m e tripped condition. In this condition, two t t

TS 3.14-1

• -B9 23 13 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems.

Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350° F or 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.

2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:

a. Flow to and from one bearing cooling water heat exchanger.

b. Flow to and from the component cooling heat exchangers required by Specification 3.13~ ,% ~

3. At least two circulating wate~ pumps are operating or are operable.

4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.~and~

TS 3.14-2 04-02-07 ~

5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.

6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.

7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

The requirements of 3 .14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

i

~

~

Amendment Nos.~ and~

LBDCR!TSCR 441 - INSERT 1 on pages TS 3.14-2 and TS 3.14-3:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

• D. The requirements of Specification 3.14.A.6 may b~ modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reactor shall be placed in HOT SHUTDOWN within *the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reaCtor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

TS 3.14-3 04 02=07 l be p aced m s o Specifications 3.14.A.5, 3.1 are not met within an additional ,% ~

48 c or shall be laced in COLD SHUTDOWN.

Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.~and~

TS 3.14-4 09-23-13 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of + 17 .2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the water level falls below +23' 6",

signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC s), a temporary, sa -related, seismic, not fully missile protected SW supply li temporary jumper) will be us as discussed in the temporary footnote to .14.A.2.b. The temporary jumper is requ

• d since service water is supplied e CCHXs by a single concrete-encased line. To re ve the SW supply I' from service for extended CCHXs is provided in Virgini y's letter Serial No.12-615, dated September 26, 2012. e use of the temporary jumper is on of up to 35 days d

• g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is Amendment Nos.~and~ ~ _

TS 3.14-4a 09 23 13 e SW supply motor operated valves, which close on low Intak'::!:e;...>-"_***~*

isolation valve in the tempor established by the Station Abnormal Procedures.

References:

UFSAR Section 9.9 Service Water System UFSAR Section 10.3.4 Circulating Water System UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.~ and~

Serial No.16-180 Docket Nos. 50-280/281 Attachment 3 PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable UFSAR Chapter 14 Prior to operating above events, Surry 1 will re-analyze the 2546 MWt (98.4% RP).

transient consistent with VEPCO's NRG-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

If NRG review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRG for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

• Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);

• Section 14.2.8 - Excessive Load Increase Incident;

• Section 14.2.9 - Loss of Reactor Coolant Flow; and

• Section 14.2.10 - Loss of External Electrical Load U. Deleted by Amendment No. _ _ __

4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.

T. (Continued) *

16. For the applicable UFSAR Chapter 14 Prior to operating above events, Surry 2 will re-analyze the 2546 MWt (98.4% RP).

transient consistent with VEPCO's N RC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

If N RC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRG for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

• Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);

• Section 14.2.8 - Excessive Load Increase Incident;

• Section 14.2.9 - Loss of Reactor Coolant Flow; and

• Section 14.2.10 - Loss of External Electrical Load U. Deleted by Amendment No. _ _ __

4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum Permissible Total Number OPERABLE Channels Bypass Operator Functional Unit Of Channels Channels To Trip Conditions Actions

3. AUXILIARY FEEDWATER (continued)

e. Trip of main feedwater pumps - start motor driven 2/MFWpump l/MFWpump 2-1 each 24 pumps MFWpump

f. Automatic actuation logic 2 2 1 22

4. LOSS OF POWER

a. 4.16 kv emergency bus undervoltage (loss of voltage) 3/bus 2/bus 2/bus 26

b. 4.16 kv emergency bus undervoltage (degraded voltage) 3/bus 2/bus 2/bus 26

5. NON-ESSENTIAL SERVICE WATER ISOLATION

a. Low intake canal level* 4 3 3 20

b. Automatic actuation logic 2 2 l 14

6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A

a. Pressurizer pressure, P-11 3 2 2 23

b. Low-low Tavg, P-12 3 2 2 23

c. Reactor trip, P-4 2 2 24

7. RECIRCULATION MODE TRANSFER

a. RWST Level- Low-Low* 4 3 2 25

b. Automatic Actuation Logic and Actuation Relays 2 2 l 14

8. RECIRCULATION SPRAY

a. RWST Level - Low Coincident with High High 4 3 2 20

~

g Containment Pressure*

p,. b. Automatic Actuation Logic and Actuation Relays 2 2 14 a

g Note A - Engineered Safeguards Actuation Interlocks are described in Table 4.1-A z

0

~

• There is a Safety Analysis Limit associated with this ESP function. If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CPR 50.59.

TS 3.14-1 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems.

Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350° For 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.

2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:

a. Flow to and from one bearing cooling water heat exchanger.

b. Flow to and from the component cooling heat exchangers required by Specification 3.13.

3. At least two circulating water pumps are operating or are operable.

4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.

TS 3.14-2

5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.

6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.

7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

The requirements of 3 .14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

Amendment Nos.

TS 3.14-3 Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.

TS 3.14-4 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of + 17 .2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If the water level falls below +23' 6",

signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

References:

UFSAR Section 9.9 Service Water System UFSAR Section 10.3.4 Circulating Water System UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 1 of 36 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT CPRA) MODEL The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009 . . Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.

Summary of the SPS PRA History The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal. The SPS PRA has been updated many times, since the original IPE. A summary of the SPS PRA history is as follows:

• Original IPE (August 1991)

• Individual Plant Examination External Events (IPEEE) 1991 through 1994

• 1998 - Data update; update to address issues needed to support the Maintenance Rule program

• 2001 - Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)

• 2002 - Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor

• 2004 - Update to address applicable F&Os from North Anna peer review

• 2005 - Update to include plant changes to reduce turbine building flood risk

• 2006 - Data update and update to address MSPI requirements

• 2006 - Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models

• 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 2of36

• 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EOG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record)

The SPS PRA model has benefited from the following technical PRA peer reviews.

1998 NEI PRA Peer Review The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of .a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications. This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements. The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available. The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review.

The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF).

The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:

Serial No. 16-1SO Docket Nos. 50-280/281 Attachment 4 Page 3 of 36 1998 NEI PRA Peer Review Category B Closed Items OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The models and analyses are consistent, as best as the Establish a formal process PRA update guidance was developed, which includes a This F&O is Closed.

(ID: AS-2 ) I reviewers could determine, with the as built plant, and for identifying changes to review of plant procedures (EOPs), assumptions for ElementAS I were consistent with plant operating procedures at the plant procedures components, and system recovery models based upon Subelement 5 and time the IPE was completed. However, there is no (EOPs/AOPs), and human actions (Nuclear Safety Analysis Manual - Part 9 (Also MU) process in place to identify and incorporate changes in evaluating the impact of IV, Chapter J, subsequently superseded by PRA Manual plant operation into the PRA model. This process these changes on the PRA - Part IV, Chapter A). The current industry guidance should also include periodic review of industry standards model. This process should suggests a voluntary periodic review of industry that may impact the PRA. Some examples of where also include periodic review standards, which will be considered as resources allow.

such a process could impact the model include, the of industry standards that Recent PRA updates (S03A, S05A) provide examples of timing for switchover to hot leg recirculation after event may affect modeling the process.

initiation (9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> in the current EOP), and a review of assumptions and success potential impacts on the PSA due to the power uprate criteria used in the PRA.

program. The focus of this comment is on the lack of The resolution of this process more than any current discrepancies found in comment should be the model, and is related to the IPE Maintenance and incorporated as an element Update Process elements. of the PRA Maintenance and Update Process.

OBSERVATION The RCP seal LOCA model appears to include an Consider an evaluation of An RC pump seal failure model (the so-called Rhodes The PRA adequately (ID: AS-8 ) I optimistic interpretation of the WOG and NRC models, the sensitivity of the PRA model) that is acceptable to the NRC for use in PRA addresses early seal Element _AS _ _ and does not include a contribution from early seal results to use of a model was developed and implemented for the T4, T1A and T6 failure contribution, so I Subelement failure. that includes the possibility event trees. This model addresses the probability of this F&O is CLOSED.

_AS-12_ of early seal failure. Also early seal failure, and does not allow restoration of seal Future model updates evaluate the potential cooling after a relatively brief cooling loss. For Surry, the are planned to include impact on the model due to model is discussed fully in SM-1296, implemented in the additional model detail recent changes to the WOG SOA-D PRA models. For the S03A model, the T1A (and remove seal cooling restoration (SBO) accident sequence model was revised to be fully conservatisms) for the emergency response consistent with the WOG2000 RCP seal LOCA model, seal failure contribution guidelines (advising against and the T4 and T6 accident sequences models were for events other than restoration of seal cooling revised to incorporate simplified logic consistent with the T1A.

after a relatively brief WOG2000 model.

coolinq loss).

Serial No. 16-18'D Docket Nos. 50-280/281 Attachment 4 Page 4 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The models for the EDGs do include common cause Update the models to Miscalibration of instrumentation channels is resolved as This F&O is CLOSED.

(ID: DA-6 ) I failures of fuel oil system. In general the models do include common cause a human reliability rather than an equipment common Element ___QA_ I consider common/shared components and support instrumentation cause fault. The HEP fault behaves the same as an Subelement DA- systems explicitly. The models do not appear to include miscalibration. equipment CCF, but is quantified on the basis of human 11 the effects of common maintenance crews or l&C Documentation should at error rather than equipment reliability. For North Anna, technicians. Specifically, there is no consideration of least include a qualitative HEP events are created for the following instrument common cause miscalibration of instrumentation discussion of the potential channels: EOG, 1-LM-PT-100A/B/C/D, MS flow, MS channels. impact of common differential pressure, MS low pressure, and pressurizer maintenance crews and pressure. The models are discussed fully in SM-1269, similar procedures. The implemented in the NOA-D PRA models. For Surry, HEP documentation should also events are created for the following instrument channels:

highlight areas where CCF EOG, 1-LM-PT-100A/B/C/D, MS flow, MS differential was not included because of pressure, steam generator level, pressurizer pressure design diversity or other RWST level, intake canal level and RC delta T and similar considerations. TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.

OBSERVATION {Implementation of NUREG/CR-4780 methodology) Reevaluate CCF analysis as The common cause fault (CCF) approach is revised to This F&O is CLOSED.

(ID: DA-8 ) I Reviewers question the validity of the approach used for described in Surry guidance incorporate the following: Alpha-factor model, INEEL Element defining CCF terms, by adding fail to start and fail to run documents. Fully data base of CCF events from NUREG/CR-6268, DA/DE I data variables. Method added value of QD and A, but incorporate NUREG/CR- different failure modes (run and demand), and different Subelement DA- the events are not consistent (i.e. per-demand and per- 4780 methods. CCF events based upon population size (e.g., 2 of 3 as 12/DE-9 hour). Assuming a mission time of one hour and a well as 3 of 3 CCF events. Guidance for the CCF demand for the device, the terms can be added. But models was taken from NUREG/CR-5485, which what if: extends the technology developed for NUREG/CR-4780.

1. Common cause failure is dominated by running The models are discussed fully in SM-1309, failures, there is no mission time associated with the use implemented in the SOA-D PRA models for Surry, and in of the common cause term - non-conservative result the DA.3 notebook and revisions prepared for

2. Running failure rate is comparable to start term, but subsequent model updates (starting with S03A).

common cause dominated by start terms - overly conservative result.

OBSERVATION The common cause failure probability of valves failing Consider the use of a more The common cause fault (CCF) approach is revised to This F&O is CLOSED.

(ID: DA-9 ) I due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about realistic beta factor in the incorporate the following: Alpha-factor model, INEEL Element ___QA_ I 1E-4. The 0.1 beta factor used for this calculation may analysis. data base of CCF events from NUREG/CR-6268, Subelement _9__ be overly conservative. The net result is that many of different failure modes (run and demand), and different the top sequences (for the 3-year maintenance case) CCF events based upon population size (e.g., 2 of 3 as involve common cause valve plugging terms. It is well as 3 of 3 CCF events. Guidance for the CCF unusual to have passive equipment failures be so models was taken from NUREG/CR-5485, which prominent in the dominant cutsets (more prominent than extends the technology developed for NUREG/CR-4780.

active equipment failures). The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (startina with S03A).

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 5 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The methods used to determine CCF groups are The generic data base The common cause fault (CCF) approach was revised to This F&O is CLOSED.

(ID: DE-3 ) I simplistic. Determination of the set of active development project incorporate the following: Alpha-factor model, !NEEL Element _DE_ I components based on 1% contribution to CDF severely identifies a large number of data base of CCF events from NUREG/CR-6268, Subelement _8_ _ limits the number and type of common cause terms common-cause groups. different failure modes (run and demand), and different used in the model. As an evaluation tool for plant Incorporate these groups or CCF events based upon population size (e.g., 2 of 3 as vulnerabilities (i.e., the IPE), it is more than sufficient, better justify their exclusion. well as 3 of 3 CCF events. Guidance for the CCF but as an evaluation tool for Risk-informed Applications, models was taken from NUREG/CR-5485, which it is not enough. Events that should be considered extends the technology developed for NUREG/CR-4780.

include: Breaker fail to operate (Open/Close) Auxiliary The models are discussed fully in SM-1309, Feedwater Pumps (back-leakage) Ventilation fans implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).

OBSERVATION Table D.1-1 of Section D.1 of the Surry IPE lists the pre- Provide the basis for Miscalibration of instrumentation channels is resolved as This F&O is CLOSED.

(ID: HR-2) I initiator errors considered in the analysis. The list excluding miscalibration a human reliability rather than an equipment common Element contains only mispositioning events (valves, blank events, or develop cause fault. The HEP fault behaves the same as an HR/DE/SY I flanges, etc.). No instrument miscalibration events are appropriate events for equipment CCF, but is quantified on the basis of human Subelements HR- contained in the list. The procedure for system analysis inclusion in the next update error rather than equipment reliability. For North Anna, 4,7/DE-7/SY (page 19 of 58) indicates that common cause His should of the PSA model. HEP events are created for the following instrument be modeled for miscalibration of instruments used to channels: EDG, 1-LM-PT-100NB/C/D, MS flow, MS initiate systems following an action or in any standby differential pressure, MS low pressure, and pressurizer equipment items such as the level instrumentation in pressure. The models are discussed fully in SM-1269, storage tanks. implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:

EOG, 1-LM-PT-100NB/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.

OBSERVATION HEP development for the IPE model was extensively Perform and document The HEP events developed since the IPE have received This F&O is CLOSED.

(ID: HR-4 ) I documented; however, HEPs developed for subsequent development of HEPs that detailed analysis. For North Anna, the models are Element---1::!.R..__ I updates of the IPE model were not as well documented arise from model updates. discussed fully in SM-1269, implemented in the NOA-D Subelement _jL_ (and by implication, were not developed in as much PRA models. For Surry, the models are discussed fully detail). For many of the HEPs in subsequent updates, a in SM-1310, implemented in the SOA-D PRA models, value of 0.1 was used. It is not clear whether this is a and in the HR-series notebooks developed for the S03A screening value or some other value. and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1 .200 review for Surrv.

Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 6 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION In a sensitivity analysis (SM-1174, Addendum A) to Reevaluate dependence The dependency among the HEPs is being evaluated This F&O is CLOSED.

(ID: HR-5 ) I evaluate dependency among His contained in cutsets, without excessive emphasis- based on the following principles (SM-1310):

Element __!:!R_ I time between actions was listed as the major factor in on time between actions. 1. Functions: If two HEPs are working for two different Subelement __.l.§_ establishing independence of the operator actions. In functions, these two HEPs will be justified as most cases, time (itself) is not an adequate factor, but is independent HEPs.

a parameter which can be associated with more 2. Steps of procedure: Because operators are trained to defensible factors. For example, one cutset contained follow procedure step by step, on the view of operators, two HEPs -- one for early SG isolation following a SGTR each step is a new and independent instruction. If two and one for late SG isolation. The time difference of HEPs are based on two different steps or two different several hours between the actions was cited as the procedures, even these two HEPs work for the same basis for the actions' independence. Better factors for function, they still may be justified as independent independence might have been different clues calling for HEPs. A sensitivity analysis was performed for the S03A the need to isolate the SG or actuation of the TSC, or model update (and has been incorporated into the PRA additional/new crew for the late isolation. All of these quantification process for subsequent updates) to review are related to time, but time (itself) is not the factor. the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1 .200 review for Surry.

OBSERVATION Initiating event frequencies have not been updated since Include an update of The North Anna and Surry initiating event frequencies This F&O is CLOSED.

(ID: IE-3 ) I the IPE submittal in 1991. As a result, recent industry initiating event frequencies were updated in the NOA-D and SOA-D PRA updates by Element _l_E_ I information and operating experience have not been during the next update. several sources. The rare initiator frequencies from Subelement _1_3_ incorporated into the initiating events analysis. This Also, individual applications NUREG/CR-5750 are used as priors for Bayesian (Also MU) information could alter the initiating event frequencies should be reviewed to updating with plant specific histories. The moderate currently contained in the model. For example: determine if they are frequency transient initiating event frequencies are Two plants (Salem and Wolf Creek) have affected before submittal or created from plant specific data (1990-2000 LERs) and experienced losses of circulating and service water that implementation. a non-informative gamma prior distribution. Finally, resulted in plant trips. some plant unique initiating events are quantified with One plant (Oconee) has experienced a small break new fault tree models directly linked to the integrated LOCA (thermal fatigue of charging line). PRA model. For North Anna, these models are One plant (WNP-2) has experienced an internal discussed fully in Calculation SM-1266, implemented in flood. the NOA-D PRA models. For Surry, these models are A draft NUREG updating initiating events has (very discussed fully in Calculation SM-1307, implemented in recently) been issued (LOCA frequencies, particularly, the SOA-D PRA models. All IE frequencies have have been affected). subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.

Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 7 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION A recent industry event (Oconee) involved a small break Evaluate the susceptibility of The referenced Oconee event was evaluated as part of This F&O is CLOSED.

(ID: IE-4 ) I LOCA (>10 gpm) at the charging line connection to the the Surry piping to this ** INPO SEN 163, Recurring Event, High Pressure Element _IE_ I RCS. The mechanism for the crack in the thermal failure mechanism, and Injection Line Leak, and as part of NRC IN 97-46, Subelement sleeve at the connection point was thermal fatigue. Is adjust the LOCA Unisolable Crack in High-Pressure Injection Piping.

7 (Also MU) the Surry piping subject to this type of event? If so, has frequencies, as appropriate. The design of the CVCS and HHSI systems at both it been considered in the initiating event frequency? North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines.

Each unit has only one CVCS makeup line which carries full makeup flow and the eves system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment. The Current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook. This NUREG observed that no small LOCA events had occurred in U.

S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 -

1995 are included within the NUREG/CR-5750 initiating event frequencies.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 8 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION An industry issue of about 5-6 years ago was the Determine if the ISLOCA The industry issue initially surfaced in July 1984 as a Additional information (ID:: IE-5 ) I creation of an ISLOCA caused by a leak in an RCP path is applicable to the Westinghouse 10 CFR Part 21 issue. However, since can be found in a Element IE I thermal barrier heat exchanger and a failure to isolate Surry model, and address it, Westinghouse was not the source vendor for the Surry 7/9/1990 NRC letter Subelem~ the CCW lines that provided cooling water to the heat if appropriate. CC system, this Part 21 issue was not communicated to (Serial No.90-442), and 14 exchanger. How was this potential ISLOCA pathway Surry at that time. In May 1989, Surry communicated drawings 11448-FM-treated by the initiating events analysis? Does it apply this issue to NRC and subsequently, NRC Information 072A shts 1 through 4.

to the Surry model? Notice 89-54 (June 23, 1989) was issued to all This F&O is CLOSED.

licensees. This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No.89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution. In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible ~vent. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather that cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment. More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 9 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The FMEA portion of the Initiating Events notebook Determine the plant's The Surry LOSW IE is actually an evolution of a loss of This F&O is CLOSED.

(ID: IE-8 ) I (page 12 of 28) states that screen wash pumps do not susceptibility to clogged circ water initiator. We do not currently model this with a Element _IE_/ have to operate during an accident. The implication is intake screens, and update fault tree, so there is no specific screen clogging Subelement _ll_ that because of this there is no need to consider the the initiating event contribution identified for this initiator. Currently, the screen wash system further. However, clogged screens frequency as appropriate. Surry PRA uses a plant specific Bayesian update of can cause plant trips, and this failure mechanism should generic industry experience for loss of Circulating Water be considered in the development of initiating event to evaluate the IE-T6 (Loss of Circulating Water) frequencies. Recent industry events at Salem and Wolf frequency. The plant specific clogged screen failure Creek illustrate a plant's susceptibility to clogged intake event is therefore considered, since it is part of the screens. overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens I screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed exolicitlv.

OBSERVATION The reactor core has been upgraded to 2586 MWt. Has Ensure that the effects of The effect of the 4.5% core power uprate on the timing This F&O is CLOSED.

(ID: IE-9) I the effect of this change been considered on the increased core power have of HEPs used in the SPS PRA Model, and on the Element ___lg_ I moderator temperature coefficient/reactivity feedback, been properly accounted for success criteria of hardware credited in the SPS PRA Subelement particularly for early in a core's life? Also, has the in the analysis. Model has been evaluated using MAAP 4.0.5. The 16 (Also increased decay heat load been considered in the results of the analysis show that no changes are see AS-9, and MU) success criteria for decay heat removal? required to the current success criteria or HEP calculations. The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 10 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The consequences of operator actions after core Include appropriate . Our Level I model takes into account all human error The approach taken is (ID: L2-2 ) I damage are not considered in the PSA or the LERF consideration of EOP (and probabilities due to EOP actions. The human error consistent with that Element L2 assessment. After core damage has occurred, the also SAMG) actions in the probabilities based on SAMG actions are not applied in other PWR I Subelement _8 control room staff will continue to attempt to implement PSA models incorporated into our model. According to WOG PRAs, but this issue will and 10_ EOP actions (and now SAMG actions). Considering the procedures, once the core temperature reaches 1200 F, be treated as a EOP actions, only those that prevent core damage the operator leaves the EOPs and enters the SAMGs recognized source of (have an impact on the GDF) are modeled in the Level 1 (control room guideline SACRG-1). Our Level I model uncertainty in the LERF PSA. Several EOP actions that can impact the LERF was developed independent of the SAMG actions. We model. With this action, are: recognize that inappropriate SAMG actions may cause this F&O is CLOSED.

FR-C.1 actions to depressurize the RCS at the onset negative consequences which may result in greater of core overheating greatly decreases the probability of source term releases to the atmosphere. For this a high pressure reactor vessel failure, while significantly reason a technical support center (TSC) is formed that increasing: a) the potential for core concrete reviews real time plant parameter data and provides interactions, and b) the fission product release from expert guidance to the operation staff during a severe RCS to containment (which, in turn, increases the accident condition. Additionally training on the SAMGs source term for containment failures). is provided every 3 years which includes a discussion of FR-H.1 actions to establish some type of feedwater these cautions and recommendations to the operators.

flow to the SGs increases the chances of SG tube failure The operators are taught to be aware of their plants due to thermal stresses of cold water being injected onto most dominant accident sequences and the hot SG tubes, but can also increase the potential for consequences of inadequate actions.

arresting the core damage in-vessel. These two aspects can impact the LERF.

ECA-0.0 actions to start sprays when offsite power is restored. This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment. Also, these operator actions should be substantiated by an HRA analysis to determine th.e HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents.

The implementation of some of the strategies has neqative consequences that should be addressed.

OBSERVATION The core power has been upgraded. Effects of this At the next upgrade, See discussion for equivalent F&O IE-09. This F&O is CLOSED.

(ID: MU-2 ) I change have not been incorporated into the PSA model. evaluate the effects of the Element .....M!L.._ I Factors that could be affected by the core power core upgrade and Subelement _4__ upgrade include the moderator temperature coefficient incorporate, as appropriate, (for ATWS) and the decay heat load (for several into the PSA model.

accident sequences).

Serial No.16-180 '

Docket Nos. 50-280/281 Attachment 4 Page 11 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION Requirements for review of operating experience, plant Develop additional guidance PRA update guidance was developed, which includes a This F&O is Closed.

(ID: MU-3 ) I procedures, and plant-controlled documents in support on .the review process review of: (1) Technical Specification revisions, (2)

Element __M!L_ 1 of a PSA update are not detailed in the PSA guidance . requirements, describing station .engineering Design Qhange lists, (3) station Subelement _4_ documents. which data should be procedures, and (4) operating experience. (Nuclear reviewed and how the Safety Analysis Manual - Part IV, Chapter J, review should be subsequently superseded by PRA Manual~ Part IV, documented. Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process.

OBSERVATION Activities to evaluate the effects on the PSA of changes Revisit initiator frequencies, Both the Surry and North Anna PRA models have been This F&O is CLOSED.

(ID: MU-4 ) I to equipment failure rates, initiator frequencies, and equipment failure rates, and. updated to include changes in data. For North Anna Element __M!!__ I human error probabilities are minimal. human error probabilities and Surry, initiating events were updated as Subelement __§__ with each update to documented in calculations SM-1266 for North Anna determine whether they are and SM-1370 fqr Surry. Component unavailabilities were still adequately estimated. updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively. The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks. The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG1 .200 and in response to the subsequent HRA re-peer review comments. Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures. A PRA update process and sched'ule addressing data updates has been implemented in the PRAManual.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 12 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The program does not appear to have a formal The following suggestions, PRA update guidance was developed, which includes a This F&O is Closed.

(ID: SY-2) I requirement for incorporating changes based on plant while directed to the review of: (1) Technical Specification revisions, (2)

Element _SY_ I design changes. For example, a later EOP change systems analysis element, station engineering Design Change lists, (3) station Subelement identifies the time to hot leg recirculation switchover as 9 are actually applicable more procedures, and (4) operating experience. (Nuclear

_5_(See also AS- hours. The model says 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />. There is an advantage broadly, within the context of Safety Analysis Manual - Part IV, Chapter J, 5, and MU) to identifying operator actions to specific procedure the overall PSA subsequently superseded by PRA Manual - Part IV, steps. The downside is, procedures change. Thus, the Maintenance and Update Chapter A). Recent PRA updates (S03A, SOSA) provide models and documentation need to be updated process. examples of the process.

periodically. 1. Develop a PSA change program that tracks identified changes to procedures, design, etc.

Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes.

2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required). This will probably require a change to plant, engineering procedures. There are going to be changes in plant configuration that could significantly affect the PSA.

A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk}, minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 13 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION - PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION The RPS model does not properly identify the required 1. Review the RPS system Fault trees RP1 for both Surry and North Anna were This F&O is CLOSED.

(ID: SY-4 ) I support systems. RPS logic receives power from Class and include DC power revised to include separate logic for RTA and RTB Element _SY_ I 1E 125V DC buses 1A and 18. Failure of the DC buses dependency. including the input logic signal with recovery. The Subelement removes power to the RTB shunt trip coils which limits models also include failure of the trip breaker

- 12_ operator action in the control room if reactor trip fails. (RTNRTB), and RTNRTB recovery thorough the shunt trip relay (including failure of 125 voe, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

OBSERVATION The RPS logic model is incorrect. The fault tree Correct the logic model. Fault trees RP1 for both Surry and North Anna were This F&O is CLOSED.

(ID: SY- 5 ) I indicates that success of either logic train allows revised to include separate logic for RTA and RTB Element _SY_ I challenge to both reactor trip breakers. Actual design is including the input logic signal with recovery. The Subelement logic train A sends signal to RTA and logic train B sends models also include failure of the trip breaker

_5_ _ signal to RTB. (RTNRTB), and RTA/RTB recovery thorough the shunt trip relay (including failure of 125 voe, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

OBSERVATION Review of HHSI: SM-1162, SPPR 97-018, S2.07.1 Set up Unit 2 model, or Surry charging pumps have seal coolers with a CC This F&O is CLOSED.

(ID: SY-11 ) I (page 7 of 27). System notebook update states 1A and address impact on CDF. cooling dependency that currently has a difference Element ...fil__ I 1C charging pumps are dependent on CCW (for between Units 1 and 2. For Surry Unit 1, the A & C Subelement SY-5 recirculation). What about Unit 2? 1B is not dependent pump seal coolers 1-CH-E-7NB/E/F require CC cooling, on CCW due to a design change. What about Unit 2? but the B pump seal coolers 1-CH-E-7C/D are isolated How are unit to unit differences identified and modeled? (11448-FM-071 B Sh 2). For Surry Unit 2, all NB/C Dependency table from IPE model wasn't updated in pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC SM-1162 or SM-1165 to account for CCW dependency. cooling (11548-FM-071 B Sh 2). Potentially, all Surry Also, success criteria section of system notebook was charging pumps may be upgraded so that their CHP not updated. seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model:

the dependency on CC has been added to the 1B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal Coolers are normally isolated. The S007Aa model reflects the current olant confiauration.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 14 of 36 OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION . - PLANT RESPONSE OR RESOLUTION STATUS OBSERVATION Several HVAC systems are modeled in detail and are Develop more detailed HVAC dependencies are addressed in the fault trees This F&O is CLOSED.

(ID: TH-2 ) I well documented. These include ESGR room cooling documentation for modeling where needed, and discussions are provided in Element TH I and the Auxiliary Building Ventilation System, but these assumptions regarding individual system notebooks (SY.3 series) and the Subelement 8 are the only ventilation dependencies modeled in the HVAC requirements. dependency notebook (SY.1). An integrated HVAC PSA. Some of the systems models provide a one line Provide basis for excluding dependency document has not been prepared.

assumption stating that room cooling is not,required, but HVAC dependencies where Regarding specific dependencies: The charging pumps little if any basis is provided for these assumptions. HVAC is not modeled and the emergency switchgear room already have Based on discussions with the PSA group engineers explicitly. It may be ventilation dependencies included in the PRA model.

during this review, it appears that the HVAC appropriate to include an The other major components with potential HVAC requirements were adequately addressed in the overview of HVAC issues as dependencies were evaluated and found to have a modeling process, but the assumptions were not clearly part of a dependencies negligible ventilation dependency. Those SSC's are as documented, and no process is defined for the notebook. follows:

determination of the need for room cooling. Low Head Safety Injection pumps - The LHSI pumps take suction from the cold RWST early during a LOCA.

After Recirculation Mode Transfer, the sump water will be cooled by the RSHX's, so that LHSI ventilation is not necessary.

Outside Recirculation Spray pumps - The CS subsystem provides approximately 300 gpm 45oF water from RWST to each ORSP. There is no ceiling in the ORSP rooms. It is not a closed room. Hence, the room ventilation is not necessary.

Emergency Diesel Generators - The EDG's have self-contained cooling systems.

Alternate AC Generator - The AAC DG has a self-contained cooling system.

Auxiliary Feedwater pumps - These pumps take suction from the ECST or a backup system that is at ambient temperature. They are therefore self-cooling and require no HVAC.

Station batteries - The heat load in this room is the batteries themselves and the heat load from the batteries may be ignored.

Turbine building SSC's - The potentially important SSC's in the TB are the MFW and the CN pumps, in case they are needed as a backup to the AFW system.

On a reactor trip, the FW heaters no longer function as heaters and both CN and MFW flows are at relatively cold condenser temperatures. The Turbine Building SSC's are therefore self-coolinQ.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 15 of 36 There are only 3 Category C F&Os that need to be addressed and they are listed in below:

Category C F&Os that Need to be Addressed F&O Description DE-1 Develop a system to initiating event dependency matrix to better show the dependencies modeled for each initiator.

(PRA Configuration Control Database (PRACC) record 4023)

DE-4 Develop master dependency matrices for front-line to front-line, for support to front-line, and initiator to system dependencies. (PRACC record 4023)

SY-13 Update references that support mission times that are less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. (PRACC record 4012)

All three of these involve documentation issues that do not impact the PRA model results and do not affect the technical adequacy of the PRA model. Records have been added in the PRACC database to track the above tasks to completion.

2010 SPS PRA Focused Peer Review The Surry PRA model underwent a focused peer review in February 2010 using the PRA Peer Review Certification process performed by the Pressurized-Water Reactor Owners Group (PWROG). To determine whether a full scope or focused peer review was necessary, the changes to each of the model elements were reviewed to assess whether the changes involved either of the following:

• new methodology

• significant change in the scope or capability If changes to an element involved either a new methodology or a significant scope or capability change, then the element requires a peer review as required in the ASME PRA standard (RA-Sb-2005). Based on the assessment of the changes to each PRA model element, a peer review was performed on the elements shown below:

Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 16 of 36 Peer Reviewed Elements Element High Level Requirement IE - Initiating Events Initiating Events Review support system initiator modeling meets SRs IE- C6, C7, CS, C9, and C12.

AS - Accident Sequence Accident Sequence Review upgraded event trees for SBO, RCP Seal, LOCA, SGTR and ATVVS meets all HLRs for AS.

HR - Human Reliability Huma_n Reliability Review implementation of SPAR-H methodology meets Analysis HLR-HR-Analysis G.

IF - Internal Flooding Internal Flooding Review internal flooding model meets all HLR5 for IF.

QU - Quantification Quantification Review conversion to CAFTA meets HLRs for QU-B, C, and D.

The AS and IF elements required a full review against all of the high level requirements (HLRs). However, changes in the IE, HR and QU elements only required specific HLR verification. The review process included:

• Review of the PRA model against the technical elements and associated supporting requirements (SRs) - Focus is on meeting capability category II.

• At the SR level, the review team's judgment was used to assess whether the PRA meets one of the three capability categories for each of the SRs.

• Evaluation of the PRA-model is supported by:

o NEI 05-04 process, o Addendum to ASME/ANS PRA Standard RA-S-2008, o SR interpretations from ASME website, o NRC clarifications and qualifications as provided in Appendix A of RG 1.200, Rev. 2, o Reviewers' experience and knowledge, o Consensus with fellow reviewers, and o Input and clarifications from the host utility.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 17 of 36 The gaps identified during the self-assessment and the ones that remain to be addressed are listed in table below:

2010 SPS Peer Review Remaining Gaps that Need to be Addressed Title Description NEI Current Status I Comment Importance to Application Element/

ASMESR Gap For each flood area, identify the IFS0-81 No documentation on why None. This is judged to be a documentation

1. 1 potential sources of flooding floods in containment were consideration only and does not affect the technical screened out. adequacy of the PRA model or sequences relevant to this application.

Gap The NRC clarification for Cat II says IFSN~A6 No documentation discussing This is judged to be a primarily a documentation

1. 2 to address jet impingement, humidity, how jet impingement, pipe consideration only. This issue does not affect etc. qualitatively using conservative wipe, humidity and other types sequences relevant to this application.

assumptions of failures impact plant systems.

Gap Document the relative contribution of LE-G3 No documentation of LERF None. This is judged to be a documentation

1. 3 contributors to LERF contributions for accident consideration only arid does not affect the technical sequences. adequacy of the PRA model.

Gap Document the system functions and SY-C2 All documentation* None. This is judged to be a documentation

1. 7 boundaries. requirements are considered consideration only and does not affect the technical met except for completion of adequacy of the PRA model.

walkdown checklists.

Gap Initiating Event Fault Tree Modeling IE-C10 IE-C1 O: Not all possible A sensitivity study for this configuration demonstrated

1. 9 IE-C12 combination of cutsets are that the support system initiators as modeled did not 3

captured, impact the results. Comparison with generic IE-C12: No comparison with sources and similar plants is expected to render generic sources for initiating similar results to the IEs compared. 4 events modeled using fault trees.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 18 of 36 Title Description NEI Current Status I Comment Importance to Application Element/

ASMESR Gap Use of SPAR-H methodology, which HR-E3 New Human Error Probabilities This gap was evaluated by performing a sensitivity

1. 10 does not meet the intent of several HR-G4 (HEPS) added to the SPS PRA study (Sensitivity #1) which multiplies HEPs in the SRs in the HR element. HR-G6 were based on SPAR-H. The $007Aa model by 10. This sensitivity demonstrates HR-12 Peer Review identified the that this issue does not impact the results of this HR-13 SPAR-H methodology is not a analysis.

HR-E4 consensus model and has HR-G1 some limitations.

HR-G3 HR-G5 Gap Walkdown sheets do not contain all IFS0-82 IFS0-82: Complete the This is judged to be a primarily a documentation

1. 11 the requested information IFQU-A9 walkdown sheets and verify no consideration only. This issue does not affect impact to IF events. sequences relevant to this application.

IFQU-A9: Similiar to IFS0-82, need to clearly document the spatial relationship between flood sources and PRA equipment. '

Notes:

Note 1: Gaps 4, 5, 6 and 8 have been addressed in S007Aa.

Note 2: Gaps 9 through 11 were identified during the 2010 PWROG focused PRA peer review.

Note 3: IE-C10: If fault-tree modeling is used for initiating events, CAPTURE within the initiating event fault tree models all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 2-2, Assessment: Cat 1-111 is NQT Met 2-3 Basis: A review of SSIE cutsets found that they are not adequate due to:

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 19 of 36 (1) The cutsets do not include all possible combinations, idr i/Jxample, (a) Train A CCW pump fails-to-run and Train B CC pump fails-to-start is in the cutset, but other failure events that could lead to Train B CCW pump fails-to-start such as AC failure, No Actuation Signal are not included; (b) relief valve failure is not showing up in the cutsets of Joss ofCCW

Response

Fault tree reviews indicate that these types of basic events are modeled but are truncated out of the final results.

Therefore, this F&O does not impact this analysis.

(2) Cutsets including both PROB-xxxxxB-.STDBY (Train B) and -PROB-xxxxxA-STDBY (Train A) events may be underestimating the impact

Response

Cutset review indicated that alignment probabilities were not significant to this evaluation (3) Surry SSIE models do not include passive failures (i.e. pipe breaks affecting only the source system) which are screened from the flooding analysis. These failure modes may be important in the SSIE model. For the CC system the model includes this IE, (%FLOOD-AB-SPRA Y-CCP1ABCD SPRAY IN AUX BLDG 2'-0" ELEV IN VICINITY OF CC PUMPS 1-CC-P-1AIB/CID)

Response

Inclusion of these low probability passive failure modes would not impact the significant accident scenarios because general plant transients are not significant to this application.

Note 4: IE-C12: COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonableness check of the results. Following are the Peer Review comments with applicability response to this proposed change:

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 Page 20 of 36 F&O: 3-4 Assessment: Cat 1-111 is NOT Met Basis: Comparison of IE frequencies to industry mean values is performed in SPS PRA Notebook Part Ill, Volume IE.3, Revision 1, Table 2-4 by comparing 7 modeled Initiating Events with 5 other unit results and to NUREGICR-5750. The remaining 12 Initiating Events (with Fault Trees) are not compared. Other Initiating Events are not compared.

Response

This is primarily a documentation concern. The Loss of SW IE was compared to the standard and the industry and was demonstrated to be reasonable. The SPS Loss of SW IE is unique due to the gravity feed configuration. The comparison of the modeled IEs demonstrated that the Surry frequencies were within the range of the standard and similar plants. The IEs that were not compared are expected to have similar results.

The following F&Os from the 2010 SPS PRA Focused Peer Review are considered closed:

2010 SPS Peer Review Closed F&Os

Description:

F&O Comment: . Dominion Response: Status F&O: 1-10 Mission time for The turbine driven AFW pump logic used The modeling of the TDAFW pump failure to This F&O TDAFW during a under gate U1-SGC-BO is based on a 24 run with a mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> instead of question is SBO is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, hour mission time. This may be somewhat 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is conservative. The basic approach considered which is conservative since the turbine driven pump taken for adding different running failure Closed.

conservative. is only credited for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> in SBO. basic events with different mission times is that if the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time basic event has a high risk importance, then a new basic event with a mission time for the sequence would be developed. Since the importance of the TDAFW running failure basic events is not significant, a separate basic event was riot added.

Serial No. 16-18()

Docket Nos. 50-280/281 Attachment 4 Page 21 of 36

Description:

F&O Comment: Dominion Response: Status F&O: 3-5 Consider adding Recovery events are added to cutsets The two recovery actions that the reviewer This F&O some recovery basic based on post-processing with identified as not being in the Surry PRA question is events to the fault QRECOVER and plant-specific rule file as model but were calculated in the HR.3 model considered tree model instead of discussed in SPS HR.3 notebook, Section notebook were removed from the model Closed.

adding as part of 2.2, and the QU.1 notebook. Some during the transition from the Winnupra post-quantification recovery actions (e.g., REC-FTSCC and model to the Cafta model. Since the standby processing using REC-FTSBC) should be modeled as HEPs pumps get an auto-start signal if the running QRECOVER. in the FT so all pertinent cutsets are pump fails, these recoveries were AND'd generated and dependency assessed. with the failure of the pressure switch. Since REC-FTSCC and REC-FTSBC are listed in these were not showing up in the cutsets, it HR.3 as recovery events; however, they was determine that credit for the operator are not utilized in the quantification recovery would not be included. If these process. These actions are typically pressure switch failure basic events had a utilized in Initiating Event fault trees in high importance, then adding the recovery conjunction with auto-start failures. Not credit would be considered.

modeling these actions may cause cutsets not to be generated, dependencies not evaluated, and overall results impacted.

F&O: 3-19 Use of SPAR-H for The plant's approach to analyzing HEPs is Since this F&O relates to using SPAR-H, and This F&O HRA has limited more involved than the Category I F&O 3-18 indicates that SPAR-H method is question is accounting for requirements (it is actually closer to not a valid method to meet Cat II, then this considered Performance Shaping Category 11/111), but it does not address all F&O will be closed out to F&O 3-18. Closed.

Factors of the PSFs identified for the Category 11/111 requirements (a limitation of the SPAR-H method); therefore, MET was selected for Category I. While SPAR-H methodology is close to meeting CC 11/111, one of the limitations is that the PSFs are limited to the eight chosen. Additionally, each of the eight PSFs should be evaluated for interaction impacts which are not covered by the method.

Serial No.16-180

• Docket Nos. 50-280/281 Attachment 4 Page 22 of 36

Description:

F&O Comment: Dominion Response: Status F&O: 2-8 QU.2 does not SPS QU.2 Notebook Sectio_n 2.3:2 Detailed descriptions of the CDF and LERF This F&O include detailed discusses the dominant core damage cutsets are contained in the worksheets question is description of the accident sequences and has a detailed named "Top 100 U1 CDF Cutsets" and "Top considered CDF and LERF description of the top 5 sequences. Section 100 U1 LERF Cutsets" in Attachment 3 of Closed.

cutsets. 2.3.3 discusses the top CDF cutsets but the QU.2 notebook.

does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets.

2012 SPS PRA Focused Peer Review A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012.

In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings. Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation. The following 9 findings have been evaluated as described in Table 4 below:

Nine Findings from 2012 SPS PRA Focused Peer Review F&O Element F&O Details Possible Resolution Basis of Significance Importance to Application 1-2 IE-C6 Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F Expand the discussion to include The calculated impact on There is no impact on CDF or is screened even though the event frequency would be the probability of operator failure CDF is small (<1 %), the LERF as this is a documentation greater than 1.0E-06 (calculated as 3.85E-06). This to secure HHSI and other failure impact needs to be more enhancement (Ref. PRACC scenario should be reconsidered to ensure the modes that would result in

• fully documented to ensure 16415), therefore this gap has no screening is appropriately justified using the criteria continued HHSI operation given a the screening criteria is met. impact on this application.

specified in IE-C6. rupture in the LHSI PiPina.

Serial No.16-18e'. "

Docket Nos. 50-280/281 Attachment 4 Page 23 of 36 F&O Element F&O Details Possible Resolution Basis of Significance Importance to Application 1-6 QU-87 This guidance does not seem to be technically Remove t~e mutually exclusive The impact of the removal A bounding sensitivity study supported by NUREG/CR-5485 Section 5.4.4 which logic for common cause failures or of the basic event evaluating the removal of the only supports removal of combinations of two common modify the logic to ensure only combinations cannot be mutually exclusive logic for cause failure events where the combinations include combinations of events including a estimated based on common cause failures results in the same pump (e.g., CCF of Pumps A and B in common component and failure available information. an increase in the baseline CDF combination with CCF of pumps A and C). Further, mode (e.g., Component A However, because this and LERF values (Ref. PRACC NUREG/CR-5485 Section 5.2 notes that NUREG/CR- Independent Failure to Start in process may impact the 16418). However, the new 4780, Volume 1 discusses conditions under which combination with CCF of importance of high safety increase baseline CDF/LERF these combinations may be valid (see NU REG/CR- Component A and B to Start) are significant components, it is values would not impact the delta 4780, Volume 1, Section 3.3.1). removed. designated as a finding. CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

1-8 DA-05 A global assumption is made that staggered testing is Provide justification for application The alpha factors for A bounding sensitivity study applicable to all common cause events SPS DA.3 of the staggered testing components tested on a changing all CCFs from Revision 5, Section 2.2.1, Item 1). Typically, some assumption to components tested non-staggered basis are "staggered basis" to "non-components such as containment isolation valves, on an outage frequency including typically higher than those staggered basis" results in an HHSI isolation valves, and others may only be tested verification that redundant tested on a staggered basis. increase in the baseline CDF and during the outages. Additional justification for components are tested by Therefore, this could be a LERF values (Ref. PRACC application of the staggered testing assumption to different personnel at different significant impact on CDF or 16419. However, the new those components tested on an 18 month basis during times or apply alpha factors based LERF depending on the increase baseline CDF/LERF outages is needed.* on a non-staggered testing specific components values would not impact the delta scheme to those components. affected. CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

Serial No. 16-18!Y Docket Nos. 50-280/281 Attachment 4 Page 24 of 36 F&O Element F&O Details Possible Resolution Basis of Significance Importance to Aoolication 1-10 OA-06 The AAC diesel is included in a common cause group There are two approaches that The qualitative discussion A bounding sensitivity study SY-83 with the other emergency diesel generators even can be considered. The most of not all diesel CCF evaluating the common cause though SPS notebook SY.3.EP states that "The AAC defensible approach would be to mechanisms existing group of emergency generators diesel has a different manufacturer for the generator identify all legitimate common between the EOGs and the results in an increase in the and the diesel engine and is unique to both units." elements between the EOGs and SBO diesel is legitimate. baseline COF and LERF values SPS OA.3 addresses this in an assumption that states the SBO diesel, review the However, the selection of (Ref. PRACC 16420). However, that "If SBO diesel is modeled as one of the EOG CCF CCFWIN database to exclude 0.1 does not have a the new increase in baseline groups, because of the less similarity between the diesel failure mechanisms that are numerical justification, and COF/LERF values would not EOG and SBO diesel, the alpha factor of 3 of 3 EOGs not common between the Surry could potentially be impact the delta COF/LERF

=

CCF to run may be set as 1.06E-2*0.9 9.54E-3 and EOGs and the SBO diesel, and conservative or non- results. Therefore, this gap has the alpha factor of AAC diesel and 2 EOGs CCF to run calculate the actual alpha factors. conservative, and it is not no impact on this application.

=

may be set as 1.06E-2

• 0.1 1.06E-3." However, The second approach would be to apparent the degree to there is no technical basis for the factor of 1O

• identify that the factor of 10 which it affects the results reduction, only a qualitative discussion, yet this is reduction in the alpha factor is an since no sensitivities were dispositioned as not being a source of uncertainty. estimate without a numerical documented.

basis, which makes it a plant- Any modeling assumption specific modeling uncertainty for that could result in lowering Surry. Then sensitivity analyses the importance of the could provide some insight into EOGs could impact the importance the assumed applications such as MSPI.

factor (0.1, 0.2, 0.5, etc.) would have on the results.

2-2 IE-C3 The issue of ISLOCA flood propagation and steaming For the successfully isolated Flood propagation and There is no impact on COF or effects in the Safeguards Building is not adequately ISLOCA sequences, consider steam effects may not be an LERF as this is a documentation addressed. Section 2.4 of the IE.1 notebook states potential flood and steam effects issue, but it cannot be enhancement (Ref. PRACC that flooding/spatial effects need not be considered from water that leaked out the determined for certain 16421), therefore this gap has no because an unisolated ISLOCA was assumed to go break prior to isolation. Also, without further evaluation. impact on this application.

directly to core damage. However, if there is a consider the potential for the successful isolation prior to core damage, there is still isolation valve to be failed due to a question about the effects of the water/steam that the effects.

was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself.

The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.

Serial No. 16-180-Docket Nos. 50-280/281 Attachment 4 Page 25 of 36 F&O Element F&O Details Possible Resolution Basis of Significance Importance to Application 2-3 DA-A2 Regarding component boundaries, Section 3.3.1 of the Review GCF (and even the While it is recognized that There is no impact on CDF or DA-D6 CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, independent failure data) for modeling extra events (such LERF as this is a documentation "When defining common cause failure events (and component boundary consistency as diesel generator output enhancement and as stated in utilizing generic data concerning the probability of with the generic data and CCF breakers when they are part the description adds modeling these events), the analyst must ensure that the factors. of the diesel component conservatism (Ref. PRACC component boundaries assumed for common cause boundary in NUREG/CR- 16422), therefore this gap has no failures are consistent with the boundaries used for the 6928) is conservative, for impact on this application.

independent failures." DOM.DA.1 Rev. 2 states "To accuracy and compliance ensure consistency between the generic database and with the Dominion GARD the plant specific database, the component boundary and DOM.DA.1 notebook, needs to be verified. This notebook documents the component boundaries generic database with component boundaries defined should be consistent with according to NUREG/CR-6928. This generic database the data.

shall be applicable to all of the Dominion PRA models."

However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified.

A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."

Serial No.16-180'-

Docket Nos. 50-280/281 Attachment 4 Page 26 of 36 F&O Element F&O Details Possible Resolution Basis of Sianificance Importance to Application 2-5 SY-B3 The CCF grouping appears to have been performed Perform a thorough review of all The missing CCF A bounding sensitivity study of DA-A1 properly for pumps and some MOVs examined. system models to identify any component groups yields additional CCFs results in an However, checks of the Electric Power system model missing CCF groups. It is non-conservative and increase in the baseline CDF and and check valves in SI and FW models show CCF acceptable to treat the potentially significant LERF values (Ref. PRACC combinations that are missing. In the Electric Power combinations greater than 4 results. 16423). However, the new system model, the CCF of buses, inverters, breakers failures a single event as long as increase baseline CDF/LERF and fuel oil pump strainers (possibly other components the combinations are summed values would not impact the delta as well) were modeled for complete failure of all in the and treated as complete system CDF/LERF results of this group, but not for smaller numbers. For example, failure. For such cases, it is still application because CCFs do not Table 3.8-1 shows 1EETFM-C8-480TFM being necessary to model the play a major role. With one comprised of eight transformers. However, failure of a combinations of 2, 3 and 4 CHSW header OOS, only 1 group as small as 2 (e.g., transformer 1H/1J) could be failures. independent failure is required to significant, as these transformers feed the 480V buses fail the HHS! safety function.

that power the 1N2A and 1B/28 recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.

The other logic reviewed that are missing combinations are seen under gates 1-Sl-82, 1-Sl-236, 1-FW-27, 1-FW-28, 1-FW-29 and 1-FW-61/1-FW-62.

These instances were identified in a short review of the system models, and the review team is concerned the problem is widespread.

Another item noted is Section 2.3 of the DOM.DA.3 notebook states "The Supply Breakers that feed the Emergency Buses, if there is a loss of off-site power, should be modeled for a common cause failure to open when the Emergency Diesel Generators are required to be running and supplying power to the emergency buses." This was not modeled in the EP fault trees (they would be expected under gates 1-EP-BKR-15H8-FTO and 1-EP-BKR-15J8-FTO-LC, etc.).

Serial No.16-180" Docket Nos. 50-280/281 Attachment 4 Page 27 of 36 F&O Element F&O Details Possible Resolution Basis of Sinnificance Importance to Aoolication 2-8 SY-83 The DOM.DA.3 R3 notebook Section 2.3 states that Update the_ model to be consistent This is presented as a There is no impact on CDF or DA-A1 CCF of air-cooled transformers would not be modeled. with the DOM DA.3 guidelines. finding because the PRA LERF as this is conservative and There is no mention of this in the EP system notebook. staff identified that the will be removed from the model Many of the transformers modeled in the PRA are air- assumption in the DA.3 (Ref. PRACC 16424); therefore, cooled but have CCF modeled. The Surry PRA model Rev. 3 notebook is correct this gap has no impact on this would need to be updated to match the assumption in and the model should be application.

the DOM DA.3 notebook. updated.

2-9 DA-E3 EPRI generic CCF sources of model uncertainty are Evaluate the plant-specific Sources of uncertainty There is no impact on CDF or tabulated in Table 1 of the SPS DA.3, Rev. 5 sources of model uncertainty specific to the Surry CCF LERF as this is a documentation notebook. DA-A-2 notes that component boundaries related to the Surry CCF analysis. analysis need to be enhancement (Ref. PRACC are not consistent with the failure data, but states that considered. 16425), therefore this gap has no this is a consensus model approach and not a source impact on this application.

-of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected.

Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.

Review of Open Issues against the PRA Model (PRA Configuration Control)

The PRA Configuration control database (PRACC) was reviewed in order if any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

PRAC Date Description Importance to c Identified Application 1790 3/8/2004 Evaluate 1(2)CWHEP-LIC-1 (2)06A/B via HRA methods. Current value is selected to Addressed with HEP be consistent with 1CWHEP-LIC-LVL sensitivity #1 9486 10/21/2008 During the 2008 model update, the MAAP runs for the different scenarios were not Addressed with HEP completed in time before the model change freeze date. Need to update the HEPs in sensitivity #1 the HR.2 notebook usino the times calculated from the MAAP runs.

Serial No.16-180" Docket Nos. 50-280/281 Attachment 4 Page 28 of 36 PRAC Date Description Importance to c Identified -

. ~

-~.

~

Application 9804 3/12/2009 The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low Addressed with leakage when there's a loss of .RCP seal cooling. These seals are similar to the seals Model change used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model.

New seal package was installed in pump 02-RC-P-1 C during the 2009 fall outage 11/18/09.

The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:

WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC.

WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes?

Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes.

This has been agreed upon during discussion with Bill, Luke and Allen.

Note, currently 8007Aa does not model this operator action.

Acm 7/22/15

Serial No. 16-180~

Docket Nos. 50-280/281 Attachment 4 Page 29 of 36 PRAC Date Description Importance to c Identified -- - .._=...';;,_. - Application 10931 1/20/2010 SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a Addressed with HEP SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as sensitivity #1 having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1 E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1 E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.

Furthermore, HEP-C-CDSGTR does not have a valid MMP run available for the basis of the 60 m_inute Te, and HEP-1 E3-13 references older IPE MMP runs from NAPS and SPS. HEP-1 E3-3 also references an IPE MMP run.

Therefore, new MMP runs shol:Jld be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1 E3-3; and adequate documentation of the new MMP runs should be placed in HR.2 Notebooks.

4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MMP runs are no longer used and all necessary MMP runs are documented in our SC element notebooks to support post HEP reauired timinas.

Serial No. 16-180-

• Docket Nos. 50-280/281 Attachment 4 Page 30 of 36 PRAC Date Description Importance to c Identified ... ~*.,,._. Application 11521 71712010 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Addressed with HEP Appendix A.3. sensitivity #1 In 2002, an operator survey was complete to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action(TM) and response times (T1 /2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g.

thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis.

(This F&O originated from SR HR-G4)

Associated SR.(s)

HR-G4

Serial No.16-180. * '

Docket Nos. 50-280/281 Attachment 4 Page 31 of 36 PRAC Date Description Importance to c Identified Application 11522 7/7/2010 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Addressed with HEP Appendix A.3. sensitivity #1 SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made.

A review of the SPS HEPs relative to each other to check for reasonableness has not been performed.

(This F&O originated from SR HR-G6)

Associated SR(s)

HR-G6

Serial No.16-180. ** T Docket Nos. 50-280/281 Attachment 4 Page 32 of 36 PRAC Date Description Importance to c Identified Application 11523 7/7/2010 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Addressed with HEP Appendix A.3. sensitivity #1 The delay (Delay), action TM and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures.

To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations.

(This F&O originated from SR HR-G5)

Associated SR(s): HR-GS

Serial No. 16-180~' p Docket Nos. 50-280/281 Attachment 4 Page 33 of 36 PRAC Date Description* Importance to c Identified ". Application 11526 7/7/2010 ***Cloned from Record 11524*** Addressed with HEP sensitivity #1 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record.

Several documentation issues were identified:

3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (Neyv HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants).

(This F&O originated from SR HR-11)

Associated SR(s)

HR-11 HR-12

Serial No.16-180'" "

Docket Nos. 50-280/281 Attachment 4 Page 34 of 36 PRAC Date Description Importance to c Identified Application 11538 7/8/2010 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Addressed with HEP Appendix A.3. sensitivity #1 SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is suffiCient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed."

• The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values.

(This F&O originated from SR HR-G1)

Associated SR(s)

HR-G1

Serial No.16-180"' ' ,r Docket Nos. 50-280/281 Attachment 4 Page 35 of 36 PRAC Date Description Importance to c Identified - .. *- Application 11568 7/13/2010 From the Surry 2010 Peer Review report documented in Surry notebook Part IV Addressed with HEP Appendix A.3. sensitivity #1 The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2-and 3-error combination dependencies.

Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis.

(This F&O originated from SR HR-G7)

Associated SR(s)

HR-G7 13932 7/11/2011 Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss Addressed with of Seal Coolinq sequences as the RCP seals are modeled. Model change 16525 9/7/2012 REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A Addressed with Model chanqe 16527 9/7/2012 REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C) Addressed with Model change 16674 12/6/2012 REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1 B)/S/2 Addressed with Model change

,/'

Serial No. 16-180- * '~<"

Docket Nos. 50-280/281 Attachment 4 Page 36 of 36 PRAC Date Description Importance to c Identified Application 17079 3/12/2014 The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as Addressed with HEP 91, 137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. sensitivity #1

13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO.

Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.

4/15/2014 per email dtd.4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and -

suction nozzle position (page 12).

17822 1/12/2016 HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder Addressed with breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP Model change initiators including CLOOP and RSST failures (initiators). Closing the feed fort transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure.

Therefore this modeling is incorrect.

17872 3/10/2016 The SM-1123 calculation used as a basis for the fault tree structure for HEP-C- Addressed with HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating Model change events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.

VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 May 18, 2016 10 CFR 50.90 U. S. Nuclear Regulatory Commission Serial No.: 16-1~0 Attention: Document Control Desk SPS/LIC-CGL: RO Washington, DC 20555-0001 Docket Nos.: 50-280/281 License Nos.: DPR-32/37 VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED LICENSE AMENDMENT REQUEST EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 ahd 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem.

TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change.

This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary.*

Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis*

discussion is administrative in nature. provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively._ The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model.

We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for

Serial No.16-180 Docket Nos. 50-280/281 Page 2 of 3 this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.

Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period.

Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.

Respectfully, Mark D. Sartain Vice President - Nuclear Engineering Commitments contained in this letter: None Attachments:

1. Discussion of Change

2. Marked-up Technical Specifications and Basis Pages

3. Proposed Technical Specifications and Basis Pages

4. Technical Adequacy of the Probabilistic Risk Assessment Model COMMONWEALTH OF VIRGINIA COUNTY OF HENRICO The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief.

Acknowledged before me this [ 8'Jlday of~ 2016.

My Commission Expires: 5 - 3 \ - \g .

-- .,.,. . . *. ;Ni~l t.~)~dtr* .. , '

. NOTARY PUBLIC

\ALL ~. 2:1u.e.e.

Notary Public

Commonwealth of Virginia

. Reg. It 1'fD5~~

My* commission !;.itp11v ..s Mt\l31;z.o 18

- - -

• v -

Serial No.16-180 Docket Nos. 50-280/281 Page 3 of 3 cc: U.S. Nuclear Regulatory Commission - Region II Marquis One Tower 245 Peachtree Center Avenue, NE Suite 1200 Atlanta, GA 30303-1257 State Health Commissioner Virginia Department of Health James Madison Building - ih floor 109 Governor Street Suite 730 Richmond, VA 23219 Ms. K. R. Cotton Gross NRC Project Manager - Surry U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 Dr. V. Sreenivas NRC Project Manager - North Anna U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 NRC Senior Resident Inspector Surry Power Station

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1

. DISCUSSION OF CHANGE Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 1 of 36 DISCUSSION OF CHANGE TABLE OF CONTENTS 1.0. Introduction 2.0 Description of Proposed Change 3.0 Technical Evaluation 3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description 3.2 Evaluation of Extended Allowed Outage Time 3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers 4.0 Regulatory Evaluation 4.1 Applicable Regulatory Requirements 4.2 NUREG-1431, Standard Technical Specifications -

Westinghouse Plants 4.3 No Significant Hazards Consideration 5.0 Probabilistic Risk Assessment 5.1 Purpose 5.2 Introduction 5.3 Analysis 5.4 Results and Conclusions 6.0 Environmental Assessment 7 .0 Conclusion

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 2 of 36 DISCUSSION OF CHANGE

1.0 INTRODUCTION

The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHS! pumps). The proposed MCR/ESGR AC AOT extension revises the AOT .,to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes .is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.

2.0 DESCRIPTION

OF PROPOSED CHANGE The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 3 of 36 TS 3.14.C currently states:

C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3. 14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reactor shall be placed in HOT SHUTDOWN. If the requirements of Specifications 3. 14.A. 5, 3.14.A. 6, and 3. 14.A. 7 are not met within an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reactor shall be placed in COLD SHUTDOWN.

The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14;0 is created for the existing flow path AOT for the RS subsystems. The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified. The revised TS 3.14.C and the new TS 3.14.D are proposed as follows:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3. 14.A. 6 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the requirements of Specification 3. 14.A. 6 are not met within an additional 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:

1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License

2. Unit 2 License Condition U on p~ge 9 of the Unit 2 Operating License

3. Note Bin TS Table 3.7-2 on page TS 3.7-20

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 4 of 36

4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1

5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a

3.0 TECHNICAL EVALUATION

3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:

1. Bearing Cooling (BC) water heat exchangers,

2. Component Cooling (CC) heat exchangers,

3. Recirculation Spray (RS) heat exchangers,

4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and

5. Charging Pump Service Water (CPSW) subsystem.

The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.

The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves.

The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow).

Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 5 of 36 1-VS* P - tA/1 -VS-£-" I* l *V P

• l C/1 -VS-C ..I C 2 W

• P* l i----- ]. W

• P l OO l W P - 100 l

• W

• P

• lOA ~==t X1 w. o l *V S *S

• 1A 2*$ W.,.78

}-

Tutb 8kl 8 n 2-s w ..... 7 x 2- ... 77 X 2 -S W ...7CI 1* W

• 7 7

c

(/)

0 :r I 0 C .W Line U,,.< 2A C .W. Une

• )

0 Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems CPSW Subsystem Description A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature. Each pump has a duplex suction strainer. To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 6 of 36 low pump discharge pressure to supply SW in the event of failure of the operating pump.

The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor.

The SW supply headers are normally cross-connected at the discharge of the strainers.

An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R.

The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.

I The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power.

Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MGR.

MCR/ESGR AC Subsystem Description The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4f), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/ MER-4 and downstream of a duplex strainer in MER-5.

Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers. As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MGR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable. In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required. Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation. The additional equipment is seismically and environmentally qualified, as applicable. Control of the AC system is remote manual from the control room.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 7 of 36 3.2 Evaluation of Extended Allowed Outage Time The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil Qoolers.

The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to . the Reactor Coolant System (RCS) during accident conditions.

Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHS! pump). In addition, the design functions of the CPSW subsystem and the Charging/HHS! pumps are not impacted by the proposed revision.

As shown in Figure 3, the CPSW suction paths also supply suction for the A,. B, and C MCR/ESGR chillers. Since the CPSW subsyste.m and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the.

same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers. TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72.-

hour AOT for the MCR/ESGR AC subsystem is more limiting that the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers). In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.

Leakage in the fiberglass reinforced p1pmg portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently. The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

3.3 Deletion . of Requirements for Temporary . Service Water Jumper to Component Cooling Heat Exchangers The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 8of36 Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary. The TS 3.14 Basis deletion is provided to the NRC for information.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR)

Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licen$ee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components. The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirements that are applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19.

During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971.

The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC).

Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria. The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions. The draft criterion associated with the Control Room is also addressed below.

• Quality Standards (Criterion 1 - draft)

Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 9 of 36 keeping with the safety function, they shall be supplemented or modified as necessary. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.

Design Conformance Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application. Vessels comply with Section Ill of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS 831.1.

The Quality Assurance Program was established to provide assurance that

• safety-related structures, systems, and components satisfactorily perform their intended safety functions.

• Control Room (Criterion 11 - draft)

The facility shall be provided with a control room from which actions to maintain safe

• operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the

• control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes.

Design Conformance The control room is located at grade level in the service building. Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.

Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, de distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 10of36 unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels.

The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions. In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to affect hot shutdown from outside the control room.

• Engineered Safety Features Basis for Design (Criterion 37 - draft)

Engineered safety features shall be provideo in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.

Design Conformance Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any* steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal.:.water reaction ..

• Reliability and Testability of Engineered Safety Features (Criterion 38 - draft)

All engineered safety features shall oe designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site,

. the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, arid by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 11of36 Design Conformance Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public.

A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.

Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.

The engineered safeguards components are checked periodically and routinely. In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested im.mediately.

• Engineered Safety Features Performance Capability (Criterion 41 - draft)

Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each. engineered safety feature shall provide this required safety function assuming a failure of a single active component.

Design Conformance Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.

• Emergency Core Cooling Systems Capability (Criterion 44 - draft)

At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling *function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary,

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 12 of 36 including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.

Design Conformance The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements. The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements. The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems.

The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the everit of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved. This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.

• Inspection of Emergency Core Cooling Systems (Criterion 45 - draft)

Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.

Design Conformance Design provisions are made for the inspection of components of the SI System to the extent practical. An inspection is performed periodically to demonstrate system readiness. The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing.

In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 13 of 36

• Testing of Emergency Core Cooling Systems (Criterion 47 - draft)

A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.

Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test

• demonstrates the operation of the valves, pump circuit bre.akers, and autOmatic circuitry. In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads.

Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria Ill, V, XI, XVI, and XVII. Criteria Ill and V require measures to ensure that applicable regulatory requirements and the design basis, as defined -in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and a

instructions. Criterion XI requires test program to ensure that the subject systems will perform satisfactorily *in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied. Criterion XVI requires measures to ensure. that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly*.identified and corrected, and that significant conditions *adverse to quality are documented and reported to management. Criterion XVII requires maintenance of records of activities affecting quality.

4.2 NUREG-1431, Standard Technical Specifications- Westinghouse Plants The proposed change was compared to similar requirements in TS 3. 7 .8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.

• 4.3 No Significant Hazards Consideration The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 14 of 36 require two SW flow paths to the CPSW subsystem _and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the

• Charging/HHS! pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping ..

The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

• A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable.SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24:to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements*

have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in

• nature. The TS 3.14 Basis deletion is provided to the NRC for information.

Dominion has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHS! pumps). The proposed MCR/ESGR

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1

• Page 15 of 36 AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design function of the CPSW system, which is to provide cooling to the charging pump *intermediate seal coolers and the charging pump lubricating oil coolers, *is not impacted by the proposed revision, nor is the design function of the Charging/HHS! pumps impacted. Furthermore, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. As a result, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In addition, the proposed change deletes the now expired and no longer necessary requirements for .the temporary SW jumper to the CCHXs. The proposed change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) and does not impact plant operation. Furthermore, the proposed change does not impose any new or different requirements that could initiate an acddent. The proposed change does not alter assumptions made in the safety analysis and is consistent with the safety analysis assumptions. Therefore, the proposed change does not create the possibility of a new or different kind of acddent from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The proposed change does not adversely affect any current plant safety margins or the reliability of the equipment assumed in the safety analysis. There are no changes being made to any safety analysis assumptions, safety limits, or limiting safety system settings that would adversely affect plant safety as a result of the proposed change. Furthermore, as noted above, a supporting PRA was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the HG 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 16 of 36 In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

5.0 PROBABILISTIC RISK ASSESSMENT 5.1 Purpose The purpose of this assessment is to utilize the Surry PRA to evaluate the impact on Core Damage Frequency (CDF) and Large, Early Release Frequency (LERF) for the CPSW and MCR/ESGR AC subsystems flow path AOT extensions. Using guidance from RG 1.174 and RG 1.177, this assessment evaluates the risk of changing Surry TS 3.14.C to allow a single service water flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

5.2 Introduction The S007Aa PRA model allows analysis of the conditional risk at Surry Power Station when one or more SW flow paths to safety-related loads in the MERs are unavailable utilizing a detailed probabilistic assessment of risk from internal events and internal flooding :hazards at power. This risk evaluation will be supplemented with qualitative insights to assess the fire, seismic, shutdown and other external risks.

RG 1.177 identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS Configuration Time (CT) changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (~CDF), the incremental conditional core damage probability (ICCDP), the change in large early release frequency (~LERF), and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing were also involved. The objective of this part of the evaluation. is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 17 of 36 Figure 3 in Section 3.1 above shows the SW supply to the CPSW and the MCR/ESGR AC subsystems. The SW flow paths in the MERs support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. Originating at the Intake Canal, there are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). The SW supply headers are normally cross-connected in MER-3 and MER-4 via the 1-SW-263 valve. This valve is closed during a fire in related equipment areas in accordance with the 10 CFR 50 Appendix R fire protection program.

Two motor operated strainers are normally in service on each of the 6-inch SW supply headers. Each strainer is supplied with a back wash from the discharge of the control room chiller service water pumps. For the following analysis and discussion, SW flow through 1-VS-S-1A is referred to as the "A SW Header" and SW flow through 1-VS-S-18 is referred to as the "B SW Header".

The CPSW system is credited in Surry's PRA as a support system for HHSI. The CPSW *system supplies SW flow to the charging pump intermediate seal coolers and lube oil coolers. *Heat from the lube oil cooler is transferred to the CPSW subsystem.

The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit

• 'I' (four total). Each pump traih can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated. Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation. One CPSW pump per unit is normally running and the other is in sta~dby. The standby CPSW pump will auto start on low discharge pressure for the running pump.

The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header.

Five chillers are installed in the MERs. The condenser water pump for ttie chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 18 of 36 strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer. These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis

. accidents. During normal plant operation one or two chillers may be operating depending on SW temperatures. During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> in accordance with O-OP-VS..:006. The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC.

In order to satisfy TS 3.14.A.5 and .3.14.A.7 at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs ..

5.3 Analysis Inputs The following inputs are used for this assessment:

• Surry Average Maintenance PRA model S007Aa,

• RG 1.174,

• RG 1.177, and

• CAFTA code suite.

Risk Impact Evaluation The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time {CT) changes. The following sections document the three tiered evaluation for CPSW and MCR/ESGR. AC

. subsystems flow path AOT extensions.

RG 1.177 PRA Quality Evaluation RG 1.177 contains the following discussion of PRA Technical Adequacy:

The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 19 of 36 Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.

A detailed discussion and evaluation of PRA quality of the S007Aa model with respect to this application is provided in Attachment 4.

RG 1.177 Tier 1 Analysis RG 1:177 contains the following discussion concerning Tier 1 Analysis:

In Tier 1, the licensee should assess the impact of the proposed TS change on GDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.

TS conditions addressed by CTs are entered infrequently and are temp9rary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by* CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1. 174.

The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An /CCDP of less than 1.0x10-6 and an ICLERP of less than

1. Ox10-7 are considered small fOr a single TS condition entry. (Tier 1}.

RG 1.174 Acceptance Criteria are as follows:

• When the calculated increase in GDF is very small, which is taken as being less than 10-6 per reactor year, the change will be considered regardless of whether there is a calculation of the total GDF (Region Ill).

• When the calculated increase in GDF is in the range of 10-6 per reactor year to 10-5 per reactor year, applications will be considered only if it can be* reasonably shown that the total GDF is less than 10-4 per reactor year (Region II).

• Applications that result in increases to GDF above 10-5 per reactor year (Region I) would not normally be considered.

Acceptance criteria for LERF are structured similarly at an order of magnitude less (1 E-7, etc.).

Tier 1 Analysis Assumptions

• The PRA model S007Aa is valid for performing this assessment.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1

. Page 20 of 36

• For the purposes of ~CDF/~LERF calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.

• This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet, to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.

Tier 1 Analysis Results MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a ~CDF and ~LERF for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption). Incremental core damage and large early release probabilities for a single 72-hour period are also calculated. The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed. Results are as follows:

Table 1: RG 1.177Tier1 Analysis Results RG 1.177 RG 1.177 15 Day Header U1 U2 ACDF U1 U2 ALE RF Unavailability ACDF ACDF Criteria ALE RF ALE RF Criteria 9.20E- 1.05E-A SW Header 08 07 1.00E-06 3.02E-08 4.23E-08 1.00E-07 8.29E- 1.25E-B SW Header 08 08 1.00E-06 6.47E-08 5.61E-09 1.00E-07 RG 1.177 RG 1.177 Single 72hr TS U1 U2 ICCDP U1 U2 IC LE RP entry ICCDP ICCDP Criteria ICLERP IC LE RP Criteria 1.84E- 2.09E-A SW Header 08 08 1.00E-06 6.03E-09 8.46E-09 1.00E-07 1.66E- 2.50E-B SW Header 08 09 1.00E-06 1.29E-08 1.12E-09 1.00E-07 Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A. 7 for CPSW and MCR/ESGR SW supplies, respectively The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.

Serial No.16-180

• Docket Nos. 50-280/281 Attachment 1 Page 21of36 An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, as long as one of the ESGR air handling units (per unit) is operating, and there is not a initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.

During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible. In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO).

In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging). S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.

The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa.

In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.

In SLOCA with HHSI failure, operators must successfully cooldown and depressurize the RCS and then place the RCS on Low Head Recirculation. For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers 1-VS-S-1 A/B. Bypass SW flow paths around the rotating strainers are not credited *in the PRA model. The S007Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating

• event to be approximately 1.5E-4.

Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer. The 8007Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B. It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 22 of 36 disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007Aa.

The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:

• No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an ob.structed CW intake.

• No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.

• No credit in the PRA model is given for operator action in accordance with the EOPs to cooldown and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probabi.lity (HEP).

• The 8007Aa models an electric power dependency for rotating strainers 1-VS-S-1A/B. It is modeled in the internal events PRA that the strainers will become obstructed If not rotating (Probability=1). Actual strainer behavior with no rotation during accident sequences is uncertain. It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.

The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region 111 criteria of RG 1.177 Tier 1 analysis. [Refer to Table 1, above.]

Shutdown Risk Evaluation In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions: Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 23 of 36 The CPSW system supports HHSI pumps, which contributes to the RCS/SFP inventory control and reactivity control shutdown key safety functions. During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up. The HHSI System provides additional defense-in-depth for inventory/reactivity control.

Therefore, it is concluded that the proposed change has a very small impact on defense-in depth for the associated shutdown Key Safety Functions and shutdown risk.

The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident. The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that proposed change has a very small impact on shutdown risk.

It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.

Internal Fire Hazard Evaluation The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this

. analysis. A review of the Appendix R Report and the IPEEE shows that a fire in two areas, Mechanical Equipment Room 3 (MER 3) and Mechanical Equipment Room 4 (MER 4), may damage multiple CPSW components and the SW supply to the ESGR and MCR chillers. Unavailability of a SW Header in addition to the fire damage could cause a failure of these subsystems. As a result, MER 3 and MER 4 are included in the scope of this analysis even though they screened out as low risk in the IPEEE.

Although a fire in Mechanical Equipment Room 5 (MER 5) may damage two of the five ESGR and MCR chillers, this area is screened out since additional equipment damage is limited and a LOCA is not expected, so the ESGR and MCR chillers are not required during the PRA mission time as discussed in the internal events analysis. A review of the Appendix R Report indicates that power or control cables for one or more CPSW pumps, Rotating Strainers, or ESGR and MCR chillers may be damaged in each of these areas except the NSGR. Given the defense-in-depth available for these subsystems and the lack of emergency equipment damaged in an NSGR fire, this area is screened out from further evaluation.

An FCA procedure is available for each of the remaining areas to support safe shutdown (SSD) during a limiting fire, which is characterized by the actual or imminent loss of a component that supports the SSD functions monitored in O-AP-48.00. It is

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 24 of 36 assumed that a fire in these areas which does not cause sufficient damage to enter the respective FCA procedure can be characterized as a general transient and is adequately addressed by the internal events analysis.

The impact of the AOT change on the fire risk is dependent on the exact configuration for which the TS is entered. The fire scenarios on which the proposed change is expected to have the most impact are those in which the fire damages one or more components affecting the SW supply to or redundant equipment for the CPSW subsystem or the ESGR and MCR chillers. The TS 3.14.C action statement could be entered for having two of the three 8" SW supply headers unavailable and/or one of the two 6" SW supply headers unavailable. If the maintenance configuration only involves two of the 8" headers, the impact on fire risk from the CPSW subsystem is negligible since the remaining 8" line is not susceptible to fire damage. However, this configuration could result in the SW supply to the MER 5 chillers (40, 4E) being unavailable, which could lead to a loss of ESGR and MCR chillers if a fire damages the remaining in service equipment. If the maintenance configuration only involves unavailability of one of the 6" SW headers, fire damage to susceptible components on the opposite 6" SW supply could cause a failure of the entire CPSW subsystem and three of the ESGR and MCR chillers. Unavailability of the two 8" SW headers supplying the MER 5 chillers in addition to unavailability of one 6" SW header would allow fire damage to the available 6" header to result in a loss of all ESGR and MCR chillers. In order to bound the consequences of a fire on various possible maintenance configurations of the SW headers, the following analysis considers the impact of unavailability of a 6" SW Header on the CPSW subsystem, and it considers the impact of unavailability of two 8" SW headers and a 6" SW Header on the ESGR and MCR chiller subsystem.

The IPEEE Quantitative Screening models the Rotating Strainers as mechanical strainers that do not require electrical power, and they are assumed to be unaffected by fire damage. Given a loss of power to the strainer, flow through the strainer is not obstructed unless debris causes plugging within the PRA mission time. As a result of the uncertainty associated with the failure rate due to plugging of the Rotating Strainers following a loss of electrical power, the internal events PRA model conservatively assumes this condition leads to a loss of SW flow through the strainer. If the Rotating Strainers are considered susceptible to fire damage, then damage to a Rotating Strainer concurrent with unavailability of the opposite 6" SW Header would cause a loss of CPSW and failure of three chillers. In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path.

CVTs and ESGRs Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 25 of 36 procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively. A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers. A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1 B. Fire damage in each of these areas may disable Charging for the fire-affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).

The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging. During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given.the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated

• by the HEP to establish the CH-XTIE between units.

If the Heactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the

• FCA procedures. Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential. RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to*thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary. The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie. The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low,

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 26 of 36 As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6 SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible. A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 40 and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers. To account for this potential, chillers 40 and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 40 and 4E chillers to be unavailable, resulting in a loss of all five chillers. The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers. In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop.

Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors. Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.

The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00. If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or the all of the CPSW pumps is needed to cause a loss of Charging. The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 27 of 36 cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.

The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low.

The MGR contains control cables for all of the ESGR and MGR chillers as well.

However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> PRA mission time if one ESGR AHU per unit is operation and a LOCA has not developed. The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one .sw supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of faiilures. The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the .fire risk for these scenarios is low.

If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MGR is not entered and the fire is considered non-limiting. The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.

MER 3 and MER 4 These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 48, and 4C chillers. The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00. In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 28 of 36 not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.

The equipment damaged by a fire in MER 4 is limited and will not cause a fire-induced LOCA. As a result, a loss of Charging or the ESGR and MCR chillers due to a fire in this area during SW Header maintenance is easily mitigated by station procedures and available equipment, and the impact of the AOT change is negligible.

The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EOG output breaker, #2 EOG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures. Fire damage alone to the EOG and 2H bus breakers would fail the EOG output ,breakers open, preventing the EOGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would *allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.

Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance. Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss .of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.

MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due tq the additional SW Header maintenance. Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.

... , Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 29of36 Conclusion The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR

• and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable. The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A. If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible. Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.

Seismic* Hazard Evaluation Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE.. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997.

Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry . .* A completion schedule for IPEEE - Seismic was initially provided by . Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992.

In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.

Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components. The IPEEE - Seismic program at Surry has been performed in

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 30 of 36 accordance with the SPRA methodology for a focused plant and Surry's stated commitments.

In February 1996, a peer review was conducted to assess the implementation of the IPEEE - Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List.

Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry.

In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications. The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other .cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.

• The Surry Seismic Probability Risk Assessment Pilot Plant Report was reviewed and this proposed change does not impact the conclusions drawn in that report. The following is a discussion of SPRA quantification results from that report.

The dominant Seismic PRA sequence (52%) involves the failure of the turbine building, starting a chain of events that fails SW. Since the power cables to the CW isolation valves run through cable trays in the turbine building, it was assumed that the failure of the steel superstructure would fail the valve cables, even though they are in the concrete portion of the turbine building below ground elevation. Failure of the cables prevents the CW isolation valves from closing, the canal will rapidly drain through the CW lines, SW cooling will be lost, and core damage is assumed. The proposed change does not have an adverse impact on this sequence.

25.7% of SPS seismic risk is associated with seismic-induced SW flooding. This risk is dominated by seismic-induced ruptures of BC heat exchangers. The proposed change does not have an adverse effect on seismic induced flooding sequences.

Seismic induced LOCA, SGTR and MSLB sequences where MER SW supply has a support function make up approximately 2% of seismic core damage risk. Therefore, it is concluded that the proposed change has a negligible impact on seismic risk and is screened from further evaluation.

Other External Hazards Evaluation The other external hazards, as identified by NUREG/CR-2300 and NUREG/CR-4839, have been taken into consideration. Following the initial screening, seven events were identified as needing more detailed evaluation. These events included aircraft accidents, external flooding, tornado generated missiles and high winds, pipeline accidents, transportation accidents, accidents in nearby industrial or military facilities,

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 31 of 36 and release of chemicals from on-site storage. Since the effects of these external events on Surry Power Station were analyzed as part of NUREG-1150, the analysis performed in the IPEEE used the method and in some cases the results obtained by NUREG/CR-4550. However, in each case the Surry UFSAR information was used to make sure that the results obtained by NUREG/CR-4550 were still valid.

The study concluded that there are no significant external events other than those identified in NUREG-1407. The non-seismic external events of interest, except for aircraft impacts, pipeline accidents and external flooding, were screened out based on the UFSAR information and the results reached by NUREG/CR-4550. The bounding analysis performed for the effects of aircraft impacts and pipeline accidents were based on the methods used by NUREG/CR-4550. The results of these two analyses indicate that the frequency of the events occurring is small. The actual risk from these hazards to the safe operation of the plant would be less than the screening value, because most safety-related equipment is inside Class I structures and is designed to withstand the loads imposed by the external event. The bounding analysis for external flooding considered the worst case occurrence of the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> in 1 square mile probable maximum precipitation (PMP). The consequences of this occurrence were mitigated by implementation of a procedural revision and modification of turbine building. roof parapets to reduce roof top accumulation during intense precipitation. Therefore, it can be concluded that non-seismic external events do not pose a significant risk to the safe operation of Surry Power Station.

• Based on the above, other External Events have been screened from further evaluation for this proposed change.

RG 1.177 Tier 2: Avoidance *of Risk Significant Plant Configurations RG 1.177 contains the following discussion concerning Tier 2 analysis:

The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service.

Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP. acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as whether certain enhancements to the TS or procedures are needed to avoid risk significant plant configurations. In addition,* compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgraded procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 32 of 36 configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.

A detailed review of PRA importance metrics (Risk Achievement Worth, Fussell-Vesely) from the Tier 1 PRA Model did not reveal any risk significant maintenance configurations when one MER header is considered unavailable. No enhancements, procedure revisions or compensatory actions are recommended from the Tier 2 evaluation.

RG 1.177 Tier 3: Risk-Informed Plant Configuration Control and Management The Dominion 10 CFR 50.65(a)(4) program fully satisfies the recommendations of RG 1.177 Tier 3. RG 1.177 Section 2.3 states that:

The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation.

The Dominion 10 CFR 50.65(a)(4) program performs PRA analyses of planned maintenance configurations in advance. The MER SW system is included in the 10 CFR 50.65(a)(4) scope and its removal from service is monitored, analyzed, and

.' ~ managed. Configurations that approach or exceed the NUMARC 93-01 risk limits are identified and either avoided or addressed by risk management actions. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4). Dominion's (a)(4) program is implemented with station procedures WM-AA-300, Work Management, and NF-AA-PRA-370, MRule (a)(4) Risk Monitor Guidance.

To support Dominion's 10CFR 50.65(a)(4) program, a dedicated PRA model is used to perform configuration risk analysis. The model uses the S007Aa model as a framework with some adjustments to optimize the model for configuration risk calculations. The model allows for quantitative Level 1 and Level 2 (LERF) assessments of internal events and internal floods hazards for at-power configurations. Risk during shutdown configurations and risks due to other hazards are assessed qualitatively. Changes in plant configuration or PRA model features are dispositioned and managed by Dominion's PRA configuration control process. Procedures are in place to ensure that actions are taken as necessary to qualitatively assess configurations outside the scope of the PRA model.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 33 of 36 5.4 Results and Conclusions The increase in risk associated with the proposed change is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS Completion Time change. This evaluation demonstrates that nuclear defense-in-depth will not be significantly impacted by allowing a single SW flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

6.0 ENVIRONMENTAL ASSESSMENT The proposed change will revise a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20.

Specifically, the proposed change extends the AOT for only one operable flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. However,*

the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth. in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

7.0 CONCLUSION

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHS! pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design functions of the CPSW subsystem and the Charging/HHS!. pumps, as well as the design functions of the MCR/ESGR AC subsystem and chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs; the deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The proposed change does not physically alter plant equipment, does not impact plant operation, and does not affect the safety analyses.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 34 of 36 Furthermore, a supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

Therefore, Dominion concludes, based on the considerations discussed herein, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Discharge Canru )

105 r---------------------i 205 l i Unit.1 RSHXS B&C ~~~~~---- -------~ Unlt2 RSHXS B&C i MER4  !

I I I '

104  !  ! 204 j__ __ ---- ---- ______ _l CCHXS (Commoo)

Unlt 1 BCHXS Abandoned r-------I cwMovs 1 206  :

A B c I I

I I

I 101 103 "U 0 (/)

n> O CD RWMUPP ca o  ::i.

- - - - - 1 1 1 1 1 1 1 1 1 1 111111111 111111111 *HlllHlll----------------------~11.Hl*I 1111*1*1 11*11111* 1 1 1 1 1 1 1 1 ' - - * - - - - CD A" IU CD -

C LJnjj 1 Unit 2 w ...... z HL Intake Intake Canal HL Intake 01 z

0 0' 0

w.(/)

0)

0) 01 I 0 -->.

I (X)

Figure 1 - Service Water System Simplified Diagram No CX>

0 i'3 CX>

Fram!l:i<1.rnlful:2

~--------~--------~ a~~1~'f"'

ToUn~t CO::hargg Ta:r.:.I

• 10u,;,,

D'~Tum<<r.C.mit Sv:Ilam Dmi!FFhJr S.W

'-"'""'OM!i.lfu>Uolod Fmm-r 111:1'1 103

/l I IJD!I 103 8

MrN tll2 l.agmid tA *1B 1C 10 TDTuofuo \J 0 CJ)

Eli:lgS'll ID 0 CD C\sdJ -lliv.httgo [!!] -lll:id\'>1.-o s,,..,,,.,;i;, .Sdiq..... ca o  ::::!.

115 sw.12 (!)  ;;>;"" ID

-RGcircSpmy !JC -~ Cooliog

-llorJ!l:io:~

(!) -

l!X P1 -Pm~~.to.:fmkr W.-..z SIY It

-Sm.i:o'Walcr

-A:n#Eommt Tl -T<mJlGIU!unolndi>:>:r*

Mooh-Modmniool 0) 0 z 0 0.

~kD Jkl::.llJimE ...... CJ) --"

RIA -Rmfuli:n Monlcr CC -Cbmp:oin!Cooing p -"""1> FG -FbwG.uu