Text

Emergency License Amendment Request for a One-Time Extension of Diesel Generator Completion Time
	ML16356A689
Person / Time
Site:	Palo Verde
Issue date:	12/21/2016
From:	Lacal M; Arizona Public Service Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	102-07406-MLL/TNW
	Download: ML16356A689 (98)
	v • d • e

10 CFR 50.90 MARIA L. LACAL Senior Vice President, Nuclear Regulatory & Oversight Palo Verde Nuclear Generating Station P.O. Box 52034 102-07406-MLL/TNW Phoenix, AZ 85072 December 21, 2016 Mail Station 7605 Tel 623.393.6491 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Unit 3 Docket No. STN 50-530 Renewed Operating License No. NPF-74 Emergency License Amendment Request for a One-Time Extension of the Diesel Generator Completion Time In accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), Arizona Public Service Company (APS) is submitting an emergency license amendment request (LAR) for a one-time extension of the emergency diesel generator (DG) completion time described in the Technical Specifications (TS) for Palo Verde Nuclear Generating Station (PVNGS) Unit 3. Specifically, the emergency LAR would extend the TS required action 3.8.1.B.4 completion time from 10 days to 21 days for the purpose of collecting and analyzing data associated with the failure of the PVNGS Unit 3 train B DG and continue with the repair of the DG. During surveillance testing on December 15, 2016, the DG suffered a failure of the number nine right cylinder connecting rod and piston. Current plans to collect and analyze data associated with the engine failure and continue with the repair will exceed the TS required action completion time of 10 days. As a result, APS has evaluated the defense-in-depth and compensatory measures and is requesting a one-time deterministic license amendment to extend the completion time based upon the guidance of Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions. to this letter provides a description and assessment of the proposed changes including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration, and an environmental consideration. The enclosure also contains five attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean) TS page. No TS Bases changes are proposed for this one-time LAR. Attachment 3 provides the compensatory measures, Attachment 4 provides the cold shutdown load summary, and Attachment 5 provides the commitments to control station activities. to this letter provides risk-insights, including the risk-impacts related to the compensatory measures. The risk of the extended completion time has been assessed and will be managed in accordance with the requirements of 10 CFR 50.65(a)(4) and Regulatory A member of the STARS Alliance LLC Callaway

Diablo Canyon

Palo Verde

Wolf Creek

102-07406-MLL/TNW ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Emergency LAR for a One-Time Extension of the Diesel Generator Completion Time Page 2 Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. As described in the enclosure, APS will provide the additional compensatory action of deploying temporary non-safety related diesel generator capability for defense-in-depth. After completion of the causal evaluation and if there is confirmation that there is not a common mode failure, a risk-informed license amendment request will be submitted for the duration of the repair and testing of the Unit 3 train B DG.

This letter contains commitments as described in Attachment 5 to Enclosure 1.

In accordance with the PVNGS Quality Assurance Program, the Plant Review Board and the Offsite Safety Review Committee have reviewed and approved the emergency LAR. By copy of this letter, this LAR is being forwarded to the Arizona Radiation Regulatory Agency in accordance with 10 CFR 50.91(b)(1).

APS requests approval of the LAR on an emergency basis prior to the expiration of the current 10 day completion time, which expires at 3:56 am, December 25, 2016. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

Should you have any questions concerning the content of this letter, please contact Thomas Weber, Department Leader, Nuclear Regulatory Affairs, at (623) 393-5764.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on : December 21, 2016__

(Date)

Sincerely, Digitally signed by Lacal, Lacal, Maria Maria L(Z06149)

DN: cn=Lacal, Maria L(Z06149) L(Z06149)

Date: 2016.12.21 21:38:34 -07'00' MLL/TNW/CJS/af

Enclosures:

1. Description and Assessment of Proposed License Amendment

2. Risk-Insights Related to One-Time Extended Completion Time cc: K. M. Kennedy NRC Region IV Regional Administrator S. P. Lingam NRC NRR Project Manager for PVNGS M. M. Watford NRC NRR Project Manager C. A. Peabody NRC Senior Resident Inspector for PVNGS T. Morales Arizona Radiation Regulatory Agency (ARRA)

Enclosure 1 Description and Assessment of Proposed License Amendment

Enclosure 1 Description and Assessment of Proposed License Amendment TABLE OF CONTENTS 1.0

SUMMARY

DESCRIPTION 2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications 2.2 Need for Proposed Change

3.0 BACKGROUND

3.1 System Description

4.0 TECHNICAL ANALYSIS

4.1 Deterministic Evaluation (Defense-in-Depth) 4.2 Safety Margin Evaluation 4.3 Risk Insights and Risk Management, Including Compensatory Actions 4.4 Review of Surveillance Tests 4.5 Operator Training

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements 5.2 Precedent 5.3 No Significant Hazards Consideration 5.4 Conclusion

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

ATTACHMENTS

1. Marked-up Technical Specifications Page

2. Revised Technical Specifications Page (Clean Copy)

3. Compensatory Measures

4. Cold Shutdown Load Summary

5. Commitments to Control Station Activities i

Enclosure 1 Description and Assessment of Proposed License Amendment LIST OF ACRONYMS ac or AC Alternating Current AFAS Auxiliary Feedwater Actuation Signal AFP Auxiliary Feedwater Pump APS Arizona Public Service Company BOP-ESFAS Balance of Plant Engineered Safety Features Actuation System BTP Branch Technical Position CDF Core Damage Frequency CFR Code of Federal Regulations DC Direct Current DG Diesel Generator ESF Engineered Safety Feature ESFAS Engineered Safety Features Actuation System GDC General Design Criterion GSI Generic Safety Issue hp Horsepower HPSI High Pressure Safety Injection ICCDP Incremental Conditional Core Damage Probability ICLERP Incremental Conditional Large Early Release Probability kV kilovolts (1,000 volts)

LAR License Amendment Request LCO Limiting Condition for Operation LERF Large Early Release Frequency LOCA Loss of Coolant Accident LOOP Loss of Offsite Power LPSI Low Pressure Safety Injection MCC Motor Control Center PVNGS Palo Verde Nuclear Generating Station RCP Reactor Coolant Pump SBO Station Blackout SBOG Station Blackout Generator SIAS Safety Injection Actuation Signal SR Surveillance Requirement TS Technical Specification UFSAR Updated Final Safety Analysis Report ii

Enclosure 1 Description and Assessment of Proposed License Amendment 1.0

SUMMARY

DESCRIPTION In accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), Arizona Public Service Company (APS) is submitting an emergency license amendment request (LAR) for a one-time extension of the emergency diesel generator (DG) completion time described in the Technical Specifications (TS) for Palo Verde Nuclear Generating Station (PVNGS) Unit 3.

Specifically, the emergency LAR would extend the TS required action 3.8.1.B.4 completion time from 10 days to 21 days for continued repairs and for the purpose of collecting and analyzing data associated with the failure of the PVNGS Unit 3 train B DG. During surveillance testing on December 15, 2016, the B train DG for PVNGS Unit 3 experienced a failure of internal components associated with the number nine right cylinder. Current plans to collect and analyze the data associated with the engine failure and continue with the repair of the DG will exceed the TS required action completion time of 10 days.

As a result, APS has evaluated the aspects of this condition considering the guidance of Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions (Reference 5), and is requesting a license amendment to extend the completion time on a one-time basis.

The completion time extension will allow for continued repairs and for the engineering team to perform the root cause investigation, understand the cause of the failure, and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure will be made.

Enclosure 1 provides a description and assessment of the proposed changes including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration and an environmental consideration. This enclosure also contains five attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean copy) TS page. No TS Bases changes are proposed for this one-time LAR. Attachment 3 provides the compensatory measures which will be used during the extended allowed outage time (AOT). Attachment 4 provides the electrical load summary for train B loss of offsite power (LOOP) loads to enter cold shutdown and Attachment 5 provides the commitments to control station activities.

Enclosure 2 to this letter provides a probabilistic risk assessment and insights associated with extending the PVNGS Unit 3 Technical Specification 3.8.1 Condition B.4 completion time for the train B DG from the current 10 days to 21 days. The PRA model meets all scope and quality requirements in Regulatory Guide (RG) 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 3), and RG 1.174 (Reference 2) on defense-in-depth, safety margin and PRA information in support of a request for a one-time change to the plant technical specifications.

Enclosure 2 is provided as additional insights to the deterministic evaluation using defense-in-depth technical analysis and compensatory measures contained in this enclosure.

1

Enclosure 1 Description and Assessment of Proposed License Amendment 2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications The following specific TS changes are proposed to extend the completion time on a one-time basis for the PVNGS Unit 3 B train DG.

TS 3.8.1, Electrical Power Systems, AC Sources - Operating Add a new NOTE in the Completion Time column, associated with Required Action B.4 of the TS 3.8.1 Action Table, that reads as follows:

NOTE For the Unit 3 Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days.

A marked-up TS page is provided in Attachment 1 of this enclosure and a revised TS page (clean copy) is provided in Attachment 2 of this enclosure.

2.2 Need for Proposed Change During routine scheduled surveillance testing on December 15, 2016, the PVNGS B train DG was operating partially loaded when the load suddenly decreased and a low lube oil pressure trip occurred. The physical damage was readily apparent to plant operators when responding to the event. Oil and metal debris were observed on the engine room floor and the number 9 right cylinder (9R) crankcase cover was deformed. Physical damage was extensive, including but not limited to the number 9 master and articulating rod separating and impacting internal areas of the engine base and block. Both the 9R and 9L pistons, sleeves and associated components were damaged and will require replacement. The counterbalance was also fractured and the crankshaft damaged at this number 9 location. There was damage to the number 8 master and articulating rod, including the physical fracture of two studs on the rod cap. A counterbalance at the number 8 location was also fractured and damaged. Current plans to repair the DG and collect and analyze the engine failure data will exceed the TS required completion time of 10 days. As a result, APS has evaluated the defense-in-depth and compensatory measures and is submitting an emergency LAR to extend the completion time to conduct repairs and allow the engineering team to perform the root cause investigation, understand the cause of the failure and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure of the train A DG will be made.

Basis for Duration of Completion Time Extension The completion time extension will allow for continued repairs and for the engineering team to perform the root cause investigation, understand the cause of the failure and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure will be made.

The duration to collect and analyze data is not expected to exceed a total of 21 days. Completed activities include initial visual inspection, damage assessment 2

Enclosure 1 Description and Assessment of Proposed License Amendment and parts recovery. Preparation for crankshaft and internal parts replacement is underway. Crankshaft removal and engine block repair require the following supporting activities: precision alignment checks of the DG internals, removal of pistons, liners and connecting rods, and removal of right and left bank intercoolers from turbo chargers. A new crankshaft will be installed, followed by engine assembly and retest.

To complete repairs and testing of the DG, it is expected that additional time beyond the 21-day extended AOT will be needed. After establishing the cause of failure and confirmation that a common mode failure does not affect the Unit 3 train A DG, a risk-informed license amendment request will be submitted for the duration of the repair of the U3 train B DG.

APS requests approval of the LAR on an emergency basis prior to the expiration of the current 10 day completion time, which expires at 3:56 am, December 25, 2016. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

3.0 BACKGROUND

3.1 System Description Seven physically independent 525 kilovolt (kV) transmission lines of the Western Interconnection are connected to the Palo Verde Nuclear Generating Station (PVNGS) 525 kV switchyard, as shown in Figure 1 below. Three 525 kV tie lines supply power from the switchyard to three startup transformers, which supply power to six 13.8 kV intermediate buses (two per unit). Two physically independent circuits supply offsite (preferred) power to the onsite power system of each PVNGS unit.

Salt River Project (SRP) operates and maintains the PVNGS 525kv switchyard, and is the grid operator in the PVNGS area. SRP performs a load flow and dynamic stability (frequency and voltage) study of the grid periodically. The stability study examines the following conditions per the PVNGS UFSAR section

8.2.2 Analysis

A permanent three-phase fault on the 525kv switchyard bus with subsequent loss of the critical 525kv line.

A sudden loss of one of three PVNGS units with no underfrequency load shedding measures in effect.

The sudden loss of the largest single load in Arizona, New Mexico, Southern California, or Southern Nevada.

The stability study also complies with North American Electric Reliability Corporation (NERC) standards, and is one of the Nuclear Plant Interface Requirements (NPIRs). The study shows the grid remains stable in frequency, phase angle, and voltage.

The SRP 525 kV switchyard utilizes a breaker-and-a-half design in which three breakers are provided for every two terminations, either line or transformers.

3

Enclosure 1 Description and Assessment of Proposed License Amendment functions as a source of ac power for safe plant shutdown in the event of loss of preferred power and for post-accident operation of engineered safety feature (ESF) loads. Each diesel generator is rated at 5500 kW for continuous operation and 6050 kW for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months out of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Each generator is driven by a turbocharged, four-cycle, 20-cylinder diesel engine. There are no provisions for automatically paralleling the two diesel generators within a unit. Interlocks are provided to prevent manual paralleling of the diesel generators. There are no direct interconnections between the standby power supplies of the individual units.

Each diesel generator is normally connected to a single 4.16 kV safety features bus of a load group. However, there are provisions for connecting both ESF buses to a single diesel generator during emergency conditions. Each load group is independently capable of safely shutting down the unit or mitigating the consequences of a design basis accident.

The diesel generators are physically and electrically isolated from each other.

Physical separation for fire and missile protection is provided by installing the diesel generators in separate rooms in a Seismic Category I structure. Power and control cables for the diesel generators and associated switchgear are routed in separate raceways.

The components of the standby power supply system, including related controls, required to supply power to ESF and cold shutdown loads conform to the requirements of General Design Criterion 17, IEEE 308, and IEEE 279 (References 6, 7, and 8).

Station Blackout 10 CFR Part 50.63 requires that each light water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. The PVNGS SBO 16-hour coping evaluation was submitted to the NRC in APS letter 102-05370 (Reference 9), dated October 28, 2005. Supplemental information was provided in APS letter 102-05465 (Reference 10), dated April 19, 2006. The NRC approved the 16-hour SBO coping evaluation in a Safety Evaluation dated October 31, 2006.

The 16-hour coping strategy analysis assumes that one of the two Station Blackout Generators (SBOG), which serves as the Alternate AC (AAC) for PVNGS, is started and connected to the AC distribution system to supply loads in the respective unit during the first hour to allow the analyzed SBO loads to be powered in accordance with administrative or emergency procedures.

Should a SBO occur in any one unit, i.e., a loss of offsite power coincident with the unavailability of both emergency diesel generators in that unit, an AAC power source is available to provide the power necessary to cope with a SBO for a minimum of 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months . The PVNGS response to a SBO has been developed in accordance with RG 1.155, Station Blackout, and NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors (References 11 and 12).

5

Enclosure 1 Description and Assessment of Proposed License Amendment The non-safety related AAC power source consists of two 100 percent capacity SBOGs that can be connected to each unit at switchgear NAN-S03 via the primary winding of the ESF transformer that is normally aligned to the train A 4.16kV bus. One SBOG is analyzed to supply all required SBO loads, which are located on the A train. The AAC starting system and diesel fuel oil supply is independent from the black-out units power systems and fuel oil supply systems, however, switchgear NAN-S03 at each unit is dependent upon the units non-safety related 125V dc power system. This dc system is energized from the AAC power source to maintain its operability during the SBO event. Fuel oil storage tank associated with the SBOGs is maintained with sufficient fuel to support full load operation of the two SBOGs for 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

The AAC power system is not normally connected to the onsite power distribution system. Therefore failure of the AAC components cannot adversely affect the Class 1E power systems.

The AAC power system is physically located and physically protected so that a likely event initiating a SBO will not also affect the AAC system. Connections from the SBOGs to the units are made via cables routed through underground duct banks. Each SBOG has a minimum continuous output rating of 3400 kW at 13.8 kV under worst case anticipated site environmental conditions. This rating is sufficient to provide power to the loads identified as being important for coping with the SBO. Starting and loading of the AAC power system is performed manually; no autostart or automatic loading capability is provided.

Although able to be aligned to Unit 3 train B from a defense in depth perspective, for this emergency LAR the PVNGS SBOGs are not credited to provide power to Unit 3 in response to a LOOP event based on the guidance of BTP 8-8. APS has deployed three portable diesel generators at Unit 3 connected to the 4.16 kV AC FLEX connection box that can supply the train B 4.16 kV AC class bus to maintain the same level of defense-in-depth for safe shutdown of the plant.

4.0 TECHNICAL ANALYSIS

4.1 Deterministic Evaluation PVNGS is connected to the Western Interconnection, one of the two major power grids in North America. Seven physically independent transmission lines supply the PVNGS 525 kV switchyard that supplies offsite power to all three units.

These seven transmission lines are designed and located to minimize the likelihood of simultaneous failure. Each unit is provided with two offsite supplies from two of the three startup transformers. For onsite power, each PVNGS unit has two DGs and shares two SBOGs between the three units. The system design configuration ensures that each of the DGs is electrically and physically isolated.

In addition, during the requested extended completion time, APS has deployed three portable diesel generators at Unit 3 connected to the 4.16 kV AC FLEX connection box that can supply the B train 4.16 kV AC class bus, and has deployed a diesel-driven FLEX steam generator (SG) makeup pump to Unit 3.

6

Enclosure 1 Description and Assessment of Proposed License Amendment The defense-in-depth philosophy requires multiple means or barriers to be in place to accomplish safety functions and prevent the release of radioactive material. In the event of a loss of the preferred offsite power sources, the SBOGs can be aligned to either of the 4.16 kV AC class busses per design.

During the period of this extended completion time for the train B DG, the associated train B 4.16 kV AC class bus will be powered from offsite power, and if offsite power is lost, would be powered by portable diesel generators, if necessary.

The unavailability of the train B DG for this one-time TS change does not reduce the amount of available equipment to a level below that necessary to mitigate a design basis accident. The train A DG is provided with adequate independence to mitigate all postulated accidents. The proposed change will continue to provide multiple means to accomplish safety functions and prevent the release of radioactive material, consistent with the defense-in-depth philosophy.

The proposed one-time extension of the TS completion time for the train B DG does not introduce any new common mode failure, and protection against failure modes previously considered in the UFSAR analyses is not compromised. The train A DG, SBOGs, and the portable diesel generators are all of diverse design, thus reducing the potential for common mode failures. The SBOGs are gas turbine generators. The three portable AC diesel generators are self-contained, enclosed tractor trailer mounted Cummins diesel generators. Two are 4.16 kV generators and the third is a 480 V generator with a step-up transformer to convert the output voltage to 4.16 kV. The control systems for the three portable diesel generators have a common design which supports parallel operations.

APS has evaluated the defense-in-depth aspects for onsite and offsite power sources from a deterministic perspective. The portable DGs are available as a backup to the inoperable train B DG to maintain the defense-in-depth design philosophy of the electrical system to meet its intended safety function. The portable DGs have the capability to support the loads necessary to mitigate a LOOP event and bring the unit to cold shutdown in case of an extended LOOP concurrent with a single failure of the train A DG during plant operation. The three portable DGs operate in parallel providing a combined output of approximately 4800 kW. Attachment 4 identifies the electrical load summary for the train B bus required for response to a LOOP event including placing the plant in cold shutdown. The load summary is conservatively determined to be approximately 4540 kW including losses for cables and transformers based upon the most heavily loaded of the six PVNGS DGs, which is the Unit 1 train B DG.

The result is that the three temporary portable DGs are sufficient to enable a cold shutdown of Unit 3 in the event of a LOOP with a single failure (e.g. DG A) during the extended time period while the B train DG is inoperable.

The portable DGs will be verified available and functional by the completion of a test run prior to the period of extended allowable outage time.

The station provides fuel delivery trucks and fuel trailers to perform refueling of the portable generators and the FLEX steam generator make-up pump diesel engine. On-site fuel oil tanks provide the ability to replenish fuel delivery trucks/trailers to support extended operation of the portable DGs. Designated 7

Enclosure 1 Description and Assessment of Proposed License Amendment personnel are available on all shifts to perform necessary refueling operations.

Local commercial fuel delivery provides ready replenishment of onsite inventories. During the extended AOT, routine inspections of the portable DGs will be performed by operations personnel to ensure normal standby conditions are maintained including lubrication and fuel levels, standby temperatures, and general equipment condition.

During the unavailability period of the Unit 3 train B DG, power to the class 1E DC distribution system, including the batteries, will be maintained through the battery chargers connected to the preferred power source (offsite power). The batteries will continue to maintain sufficient DC power capacity to satisfy the limiting two-hour design basis event load profile during a loss of coolant accident (LOCA) scenario as documented in the licensing basis. This LOCA scenario includes a loss of offsite power. The design calculation references that the two-hour battery capacity has at least 40% margin accounting for temperature effects, aging, and uncertainty. Following a LOOP, upon restoration of AC power to the train B bus from the portable DGs, charging of the class batteries will be initiated to ensure continued availability of the class 1E DC distribution system.

In the event of a loss of offsite power and the limiting single failure of the train A DG, both the SBOGs and the portable DGs have the capability to establish power to the train B 4.16 kV class bus within one hour using existing procedural guidance.

APS will take the following actions identified in Attachment 5 to ensure that necessary equipment remains available during the extended allowed outage time.

4.2 Safety Margin Evaluation The proposed one-time extension of the Unit 3 train B DG completion time remains consistent with the codes and standards applicable to the PVNGS onsite AC sources and electrical distribution system. A loss of all AC power event would require a loss of all offsite power sources, failure of the train A DG, failure of both SBOGs, and failure of the portable DGs. In addition, with deployment of the diesel-driven FLEX SG Makeup Pump at Unit 3, another backup supply of SG makeup independent of offsite power or the 4.16 kV AC buses is provided to mitigate the most likely scenarios associated with a loss of offsite power event.

Also, PVNGS has installed a cross-connection which allows make-up to SGs from the station fire protection system which provides additional defense-in-depth for the heat removal safety function. Therefore, there is no significant reduction in the margin of safety.

4.3 Risk Insights and Risk Management, Including Compensatory Actions The risk associated with a one-time extension of the PVNGS Unit 3 Technical Specification 3.8.1 Condition B.4 completion time for the train B DG from the current 10 days to 21 days has been evaluated with a PRA model that meets all scope and quality requirements in RG 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 3), and RG 1.174 (Reference 2) on defense-in-depth, safety margin and PRA information in support of a request for a one-time change to the plant licensing basis. Enclosure 2 provides detailed 8

Enclosure 1 Description and Assessment of Proposed License Amendment information on the risk assessment and insights.

Compensatory actions as listed in Attachment 3 will be implemented in accordance with the PVNGS Configuration Risk Management Program (CRMP).

4.4 Review of Surveillance Tests A review of planned surveillance tests was conducted for the 21 day extended AOT being requested in this LAR. This review concluded no surveillance testing of safety related equipment that would impact operability is required and there were no surveillance test requirements that required deferral or an extension beyond their required surveillance interval.

4.5 Operator Training Operators are trained on the strategies and hierarchy of procedures for LOOP that specify use of alternate power sources, including the portable DGs.

Training, briefings, and walkdowns are provided to the Operators responsible for operating the portable DGs as part of the preparation for use of the generators.

Operations crews are briefed on the implementing procedure. Designated operators will be familiar with instructions for starting and operating the portable DGs. Operations staff has received classroom training for FLEX strategies, which included the use of the portable DGs.

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements Relevant elements of NRC requirements, as well as a brief overview of PVNGS design features related to those requirements, are described below, with the NRC requirement identified first, followed by the related PVNGS design features in italics.

The regulations in 10 CFR 50.36(c)(2)(ii)(B), Limiting conditions for operation, state:

Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Technical Specification (TS) 3.8.1 currently meets this requirement and will continue to meet this requirement after the proposed one-time change is approved and implemented. The DGs act to mitigate the consequences of design basis accidents that assume a loss of offsite power. For that purpose, redundant DGs are provided to protect against a single-failure. During the current TS 10-day required action completion time, an operating unit is allowed by the TS to remove one of the DGs from service, thereby losing this single-failure protection.

This operating condition is considered acceptable for a limited period of 9

Enclosure 1 Description and Assessment of Proposed License Amendment time and is in conformance with 10 CFR 50.36(c)(2)(i), which authorizes licensees to follow any remedial action permitted by the technical specifications until the [limiting conditions for operation (LCO)] condition can be met.

General Design Criterion (GDC) 17 of Appendix A of 10CFR50 for Electric Power Systems defines design requirements. It does not specify operating requirements or stipulate operational restrictions regarding the loss of offsite power sources. With the implementation of the proposed change, PVNGS Unit 3 will continue to meet the applicable design criteria. The proposed change is a one-time extension to the TS required action completion time. It does not affect the design basis of the plant. In addition, PVNGS Unit 3 will remain within the scope of the TS LCO 3.8.1 and is still subject to the requirements of the action statements as governed by 10 CFR 50.36. PVNGS Unit 3 meets the requirements of GDC 17 (Reference 6). The design of the on-site power source is not changed by the extension of the required action completion time and compliance with the GDC is not affected.

The proposed change to extend the completion time does not alter the design basis for loss of all alternating current power governed by 10CFR50.63, Loss of all alternating current power (Station Blackout Rule). In addition, although the normal design of PVNGS Unit 3 is an alternate AC plant, the plant meets the requirements for a 16-hour coping plant, which is unchanged by this LAR.

The proposed change to extend the TS required action completion time is consistent with the criteria of RG 1.160 and 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Maintenance Rule).

The regulations in 10 CFR 50.91(a)(5), provide the following allowances for issuance of an emergency license amendment:

(5) Where the Commission finds that an emergency situation exists, in that failure to act in a timely way would result in derating or shutdown of a nuclear power plant, or in prevention of either resumption of operation or of increase in power output up to the plant's licensed power level, it may issue a license amendment involving no significant hazards consideration without prior notice and opportunity for a hearing or for public comment The proposed change is required due to an emergent equipment failure and is necessary to prevent shutdown of PVNGS Unit 3. The change is needed sooner than can be issued under exigent circumstances and this license amendment request is timely considering the unplanned nature of the DG failure.

5.2 Precedent The proposed license amendment was developed using relevant information from an approved change (Reference 13) at another nuclear station.

10

Enclosure 1 Description and Assessment of Proposed License Amendment 5.3 No Significant Hazards Consideration As required by 10 CFR 50.91(a), Notice for Public Comment, an analysis of the issue of no significant hazards consideration using the standards in 10 CFR 50.92, Issuance of Amendment, is presented below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change is a deterministic one-time extension of the Unit 3 B train Diesel Generator TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency diesel generator (DG) provides onsite electrical power to vital systems should offsite electrical power be interrupted.

It is not an initiator to any accident previously evaluated. Therefore, this extended period of operation with the B train DG out-of-service will not increase the probability of an accident previously evaluated.

The DGs act to mitigate the consequences of design basis accidents that assume a loss of offsite power. For that purpose, redundant DGs are provided to protect against a single-failure and the consequences of a loss of offsite power have already been evaluated. During the current Technical Specification (TS) 10-day required action completion time, an operating unit is allowed by the TS to remove one of the DGs from service, thereby losing this single-failure protection. This operating condition is considered acceptable. The consequences of a design basis accident coincident with a failure of the redundant DG during the proposed extended completion time are the same as those during the existing 10-day TS completion time.

Therefore, during the period of the proposed extended required action completion time, there is no significant increase in the consequences of an accident previously evaluated.

Therefore, the proposed change will not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change is a deterministic one-time extension of the Unit 3 B train DG TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency DG provides onsite electrical power to vital systems should offsite electrical power be interrupted. There are no new failure modes or mechanisms created due to plant operation for the extended period to collect and analyze data of the PVNGS Unit 3 B train DG. Extended operation with an inoperable DG does not involve any modification in the operational limits or physical design of existing plant systems. There are no new accident precursors generated due to the extended required action completion time.

11

Enclosure 1 Description and Assessment of Proposed License Amendment Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

The proposed change is a deterministic one-time extension of the Unit 3 B Diesel Generator TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency diesel generator (DG) provides onsite electrical power to vital systems should offsite electrical power be interrupted. During the extended completion time, sufficient compensatory measures including supplemental power sources have been established to maintain the defense-in-depth design philosophy to ensure the electrical power system meets its design safety function. The supplemental source has the capacity to bring the unit to cold shutdown in case of a loss of offsite power concurrent with a single failure during plant operation.

Therefore, the proposed change does not involve a significant reduction in a margin of safety as defined in the basis for any TS.

5.4 Conclusion APS concludes that operation of the facility in accordance with the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified. Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, Standards for Protection Against Radiation. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

12

Enclosure 1 Description and Assessment of Proposed License Amendment

7.0 REFERENCES

1. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009

2. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015

3. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011

4. Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3, dated May 2012

5. NUREG-0800, Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions, dated February 2012

6. 10 CFR 50, Appendix A, General Design Criterion 17, Electric Power Systems

7. IEEE 308, Institute of Electric and Electronic Engineers, Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, 1971

8. IEEE 279, Institute of Electric and Electronic Engineers, Criteria for Protection Systems for Nuclear Power Generating Stations, 1971

9. APS letter 102-05370, Revised Station Blackout (SBO) Evaluation, dated October 28, 2005, (ADAMS Accession Number ML061720037)

10. APS letter 102-05465, Response to NRC Request for Additional Information (RAI) Regarding Revised Station Blackout Evaluation, dated April 19, 2006, (ADAMS Accession Number ML061160289)

11. Regulatory Guide 1.155, Station Blackout, Revision 0, dated August 1988

12. NUMARC 87-00, Nuclear Management and Resources Council, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors, dated November 1987

13. NRC Letter dated February 24, 2015, Comanche Peak, Units 1 and 2 ---

Issuance of Amendments RE: Revision to Technical Specification 3.8.1 AC Sources - Operating, For a 14-Day Completion Time for Offsite Circuits (ADAMS Accession Number ML15008A33) 13

Enclosure 1 Description and Assessment of Proposed License Amendment ATTACHMENT 1 Marked-up Technical Specifications Page 3.8.1-3

AC Sources Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG -------NOTE------

to OPERABLE For the Unit 3 status. Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days.

10 days C. Two required offsite C.1 Declare required 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from circuits inoperable. feature(s) discovery of inoperable when Condition C its redundant concurrent with required inoperability of feature(s) is redundant required inoperable. feature(s)

AND C.2 Restore one 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months required offsite circuit to OPERABLE status.

(continued)

PALO VERDE UNITS 1,2,3 3.8.1-3 AMENDMENT NO. 197,

Enclosure 1 Description and Assessment of Proposed License Amendment ATTACHMENT 2 Revised Technical Specifications Page (Clean Copy) 3.8.1-3

AC Sources Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG -------NOTE------

to OPERABLE For the Unit 3 status. Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days.

10 days C. Two required offsite C.1 Declare required 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from circuits inoperable. feature(s) discovery of inoperable when Condition C its redundant concurrent with required inoperability of feature(s) is redundant required inoperable. feature(s)

AND C.2 Restore one 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months required offsite circuit to OPERABLE status.

(continued)

PALO VERDE UNITS 1,2,3 3.8.1-3 AMENDMENT NO. 197,

Enclosure 1 Description and Assessment of Proposed License Amendment ATTACHMENT 3 Compensatory Measures

1. The redundant train A DG (along with all of its required systems, subsystems, trains, components, and devices) will be verified OPERABLE (as required by Technical Specification) and no discretionary maintenance activities will be scheduled on the redundant (OPERABLE) DG.

2. No discretionary maintenance activities will be scheduled on the SBOGs.

3. No discretionary maintenance activities will be scheduled on the startup transformers.

4. No discretionary maintenance activities will be scheduled in the Salt River Project (SRP) switchyard or the units 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit utilizing the extended DG completion time.

5. All activity, including access, in the SRP switchyard shall be closely monitored and controlled.

6. The SBOGs will not be used for non-safety functions (i.e., power peaking to the grid).

7. All maintenance activities associated with Unit 3 will be assessed and managed per 10 CFR 50.65(a)(4) (Maintenance Rule). Planned work will be controlled during the extended completion time so that Unit 3 does not voluntarily enter a YELLOW Risk Management Action Level.

8. The OPERABILITY of the steam driven auxiliary feedwater pump will be verified before entering the extended DG completion time.

9. The system dispatcher will be contacted once per day and informed of the DG status, along with the power needs of the facility.

10. Should a severe weather warning be issued for the local area that could affect the SRP switchyard or the offsite power supply during the extended DG completion time, an operator will be available locally at the SBOG should local operation of the SBOG be required as a result of on-site weather related damage.

11. No discretionary maintenance will be allowed on the main and unit auxiliary transformers associated with the unit.

12. APS has provided three portable diesel generators to ensure the ability to bring Unit 3 to cold shutdown in the event of a LOOP during the extended time period that the Unit 3 train B DG is inoperable. The three portable diesel generators operate in parallel as a set. The result is that the three portable diesel generators are sufficient to enable a cold shutdown of Unit 3 in the event of a LOOP with a single failure during the extended time period while the Unit 3 train B DG is inoperable. The three portable diesel generators are deployed and physically connected to the Unit 3 train B 4.16 kV AC FLEX connection box for the duration of the extended DG completion time

13. A diesel-driven FLEX SG Makeup Pump is deployed to its FLEX pad at Unit 3 for the duration of the extended DG completion time.

14. The following equipment will be protected by signage/chains for the duration of the extended completion time to prevent inadvertent impact from walkdowns, inspections, maintenance and potential for transient combustible fires:

a. Both SBOGs

b. Unit 3 train A DG 1

Enclosure 1 Description and Assessment of Proposed License Amendment

c. Unit 3 train A Engineered Safety Features (ESF) Switchgear, DC equipment and DC Battery Rooms

d. Three AC portable diesel generators deployed at Unit 3 and their connections to the train B FLEX 4.16 kV AC connection box

e. Diesel-driven FLEX SG Makeup Pump deployed at Unit 3

f. Turbine driven auxiliary feedwater pump 2

Enclosure 1 Description and Assessment of Proposed License Amendment ATTACHMENT 4 Cold Shutdown Load Summary Load Breakdown Load Description KW LOP/FS (LOOP) 1ENHND20load 120/240 AC DISTRIBUTION PANEL 18.74 SINGLE PHASE VOLTAGE 1ENNBV14 REGULATING TRANSFORMER 22.58 SINGLE PHASE VOLTAGE 1ENNNV18 REGULATING TRANSFORMER 16.89 PLANT COMPUTER MONITORING SYSTEM DIST PNL TRANSFER 1ENQNN01C2 SWITCH 37.35 1EPHBD32load 120/240 AC DISTRIBUTION PANEL 15.26 1EPHBD36load 120/240 AC DISTRIBUTION PANEL 9.6 1EPHBD38load 120/240 AC DISTRIBUTION PANEL 8.7 1EPKBH12 BATTERY CHARGER 36.27 1EPKBH16 BATTERY CHARGER (BACK-UP) 36.28 1EPKDH14 BATTERY CHARGER 17.93 SINGLE PHASE VOLTAGE 1EPNBV26 REGULATING TRANSFORMER 16.48 SINGLE PHASE VOLTAGE 1EPNDV28 REGULATING TRANSFORMER 9.39 SINGLE PHASE VOLTAGE 1EQBBV02 REGULATING TRANSFORMER 23.3 MAIN ESSENTIAL LIGHTING 1EQBND90 PANEL 108.67 1EQFNH13 COMM EQ CHARGER 3.87 1EQFNN01 COMM EQ UPS 9 CONDENSATE STORAGE TANK FREEZE PROTECTION 1EQJNX05 TRANSFORMER 27.81 SINGLE PHASE REGULATING 1EQMBV30 TRANSFORMER 5.87 RAD MONITOR RU141/142 HEAT 1EQMNC06Aload TRACE CABINET 3.03 REFUELING TANK HEAT TRACING 1EQMNX08B SECONDARY TRANSFORMER 26.46 1

Enclosure 1 Description and Assessment of Proposed License Amendment Load Breakdown Load Description KW LOP/FS (LOOP)

RADIATION MONITOR DISTRIBUTION PANEL FOR POST 1ESQND03load ACCIDENT MONITOR UNIT 4.69 RADIATION MONITOR 1ESQND09load DISTRIBUTION PANEL 4.67 ESSENTIAL CHILLER AUXILIARY 1JECBE02 POWER PANEL 2.92 FUEL BUILDING RADIATION 1JSQBRE145 MONITOR 1.4 FUEL BUILDING RADIATION 1JSQBRE146 MONITOR 1.4 CONTAINMENT BUILDING RADIATION MONITOR BLOWER 1JSQBRU01 MOTOR 1.4 CONTROL ROOM RADIATION 1JSQBRU30 MONITOR BLOWER MOTOR 1.4 CONTAINMENT BUILDING REFUEL RADIATION MONITOR 1JSQBRU34 BLOWER MOTOR 1.4 PLANT VENT LOW RADIATION 1JSQNRE143 MONITOR BLOWER MOTOR 0.47 PLANT VENT HIGH RADIATION 1JSQNRE144 MONITOR BLOWER MOTOR 0.47 1MAFBP01 AUXILIARY FEEDWATER PUMP 948.85 1MCHBP01 CHARGING PUMP 64.48 1MCHEP01 CHARGING PUMP 64.48 1MCTBP01 CONDENSATE TRANSFER PUMP 3.18 DIESEL GENERATOR FUEL OIL 1MDFBP01 TRANSFER PUMP 1.72 1MECBE01 ESSENTIAL CHILLER 427.79 ESSENTIAL CHILLED WATER 1MECBP01 PUMP 13.48 ESSENTIAL CHILLER B OIL PUMP 1MECBP10 MOTOR 1.35 ESSENTIAL COOLING WATER 1MEWBP01 SYSTEM PUMP 543.28 AUXILIARY BUILDING LPSI PUMP ROOM ESSENTIAL AIR CONTROL 1MHABZ02 UNIT 1.21 2

Enclosure 1 Description and Assessment of Proposed License Amendment Load Breakdown Load Description KW LOP/FS (LOOP)

AUXILIARY FEEDWATER PUMP ROOM ESSENTIAL AIR CONTROL 1MHABZ04 UNIT 2.85 AUX BUILDING ESSENTIAL COOLING WATERPUMP ROOM 1MHABZ05 ESSENTIAL AIR CONTROL UNIT 1.62 CONTAINMENT BUILDING 1MHCNA01B NORMAL AIR CONTROL UNIT 116.2 CONTAINMENT BUILDING 1MHCNA01D NORMAL AIR CONTROL UNIT 116.2 CONTAINMENT BUILDING CEDM 1MHCNA02B NORMAL AIR CONTROL UNIT 155.13 CONTAINMENT BUILDING CEDM 1MHCNA02D NORMAL AIR CONTROL UNIT 155.13 CONTAINMENT BUILDING REACTOR CAVITY NORMAL 1MHCNA03B COOLING FAN 33.65 CONTAINMENT BUILDING REACTOR CAVITY NORMAL 1MHCNA03D COOLING FAN 33.65 CONTAINMENT BUILDING PRESSURIZER NORMAL COOLING 1MHCNA06B FAN 8.68 DIESEL GENERATOR BUILDING CONTROL ROOM ESSENTIAL AIR 1MHDBA01 HANDLING UNIT 12.95 DIESEL GENERATOR BUILDING GENERATOR ROOM ESSENTIAL 1MHDBJ01 EXHAUST FAN 82.2 CONTROL ROOM ESSENTIAL AIR 1MHJBF04 FILTER 92.01 CONTROL BUILDING BATTERY ROOM D ESSENTIAL EXHAUST 1MHJBJ01A FAN 0.34 CONTROL BUILDING BATTERY ROOM B ESSENTIAL EXHAUST 1MHJBJ01B FAN 0.34 CONTROL BUILDING ESF SWITCHGEAR ESSENTIAL AIR 1MHJBZ03 HANDLING UNIT 4.77 3

Enclosure 1 Description and Assessment of Proposed License Amendment Load Breakdown Load Description KW LOP/FS (LOOP)

CONTROL BUILDING ESF EQUIPMENT ESSENTIAL AIR 1MHJBZ04 HANDLING UNIT 5.69 SPRAY POND PUMP HOUSE 1MHSBJ01 EXHAUST FAN 8.59 1MPCBP01 FUEL POOL COOLING PUMP 2 55.83 PRESSURIZER BACKUP HEATER 1MRCEA05 (FROM CLASS 1E BUS) 58.15 PRESSURIZER BACKUP HEATER 1MRCEA16 (FROM CLASS 1E BUS) 58.15 PRESSURIZER BACKUP HEATER 1MRCEB10 (FROM CLASS 1E BUS) 58.15 LOW PRESSURE SAFETY 1MSIBP01 INJECTION PUMP 2 418.37 1MSPBP01 ESSENTIAL SPRAY POND PUMP 471.88 Load Total 4494.05 Gen Description Total KW LOP/FS (LOOP) 1EPEBG02 (value includes EMERGENCY DIESEL GENERATOR 4538.38 additional losses in cables/transformers)

Portable Diesel COMBINED OUTPUT CAPACITY 4800.00 Generators 4

ATTACHMENT 5 Commitments to Control Station Activities APS makes the following regulatory commitments:

1. The system load dispatcher will be contacted once per day to ensure no significant grid perturbations (high grid loading unable to withstand a single contingency of line or generation outage) are expected during the extended allowed outage time.

2. Component testing or maintenance of safety systems and important non-safety equipment in the offsite power systems that can increase the likelihood of a plant transient (unit trip) or LOOP will be avoided.

3. Discretionary work will be prohibited in the SRP switchyard during the extended Unit 3 train B DG TS 3.8.1 Condition B required action completion time.

4. TS required systems, subsystems, trains, components, and devices that depend on the remaining power sources will be verified to be operable and positive measures will be provided to preclude subsequent testing or maintenance activities on these systems, subsystems, trains, components, and devices.

5. Steam-driven emergency feed water pump will be controlled as protected equipment.

6. Within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following unavailability of a portable DG, Unit 3 will enter TS condition 3.8.1.H to place the unit in Mode 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

7. Availability of the portable DGs will be verified once per shift.

8. Approval of transient combustibles and hot work in Unit 3 will be controlled by the outage control center (OCC).

9. There will be an OCC position responsible for oversight and monitoring of the compensatory measures of Attachment 3 and the actions described in this attachment.

Reference:

1. RCTSAI 4848165

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Enclosure 2 Risk Insights Related to One-Time Extended Completion Time

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time TABLE OF CONTENTS 1.0 Introduction 2.0 Evaluation of Risk Impacts 2.1 Tier 1: Probabilistic Risk Assessment Capability and Insights 2.2 Tier 2: Avoidance of Risk Significant Plant Configurations 2.3 Tier 2: Risk Informed Configuration Management 3.0 References ATTACHMENTS

1. Status of Plant Modifications and Evaluations Credited in the PRA

2. Unit 3 Baseline Average Annual CDF/LERF

3. ICCDP and ICLERP for One-Time Technical Specification Change

4. Internal Events PRA Peer Review A and B Level Findings

5. Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II

6. Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II

7. Seismic PRA Peer Review ASME SRs Not Met to Capability Category II

8. Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II

9. External Hazards Screening

10. Progressive Screening Approach for Addressing External Hazards

11. Disposition of Key Assumptions/Sources of Uncertainty i

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time

1.0 INTRODUCTION

The risk associated with extending the PVNGS Unit 3 one-time Technical Specification 3.8.1 Condition B.4 completion time for the Unit 3 train B DG from the current 10 days to 21 days has been evaluated with a PRA model that meets all scope and quality requirements in RG 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 11).

2.0 EVALUATION OF RISK IMPACTS 2.1 Tier 1: Probabilistic Risk Assessment Capability and Insights The CDF and LERF contributions from the PRA models are provided in Attachment 2.

The total CDF and LERF meet the NRC RG 1.174, Revision 2 (Reference 10) acceptance criteria for risk-informed licensing changes (i.e., CDF less than 1E-4 per year and LERF less than 1E-5 per year). The risk impact associated with a one-time extension is provided in Attachment 3 and meets the acceptance criteria in RG 1.177, Revision 1 (Reference 11) where compensatory measures are implemented to reduce the sources of increased risk. In the risk impact evaluation, the common cause failure probability term for both DGs failing to run was adjusted from its nominal value to the alpha common cause factor (i.e., an increase in probability of 7.6) to account for the increased potential for the train A DG to fail until the extent of condition analysis can conclude that the train A DG is not susceptible to the same failure cause as the train B DG. Compensatory measures such as deployed temporary or FLEX equipment has not been credited in the quantitative risk assessment.

2.2 Tier 2: Avoidance of Risk Significant Plant Configurations PVNGS plant risk associated with the proposed extended Unit 3 train B DG completion time is determined from RG 1.200, Revision 2 Capability Category II compliant PRA models for internal events, internal flooding, seismic, and internal fires. Associated actions to avoid or respond to these events through function of onsite emergency backup power supplies, and inclusion of additional onsite emergency power are discussed in Tier 3 information below.

The dominant risk scenarios associated with unavailability of Train B DG include:

Loss of offsite power (i.e., grid, switchyard, or transformer failure)

Long term seismic induced loss of offsite power

Fires in the Unit 3 Non-Class Switchgear, Engineered Safety Features (ESF)

Switchgear, DC equipment and DC Battery Rooms Main Control Room, and Auxiliary Building West and East Corridors and Electrical Chases The dominant impact of all the above scenarios on critical safety functions is the loss of heat removal from the Steam Generators due to failure of all the auxiliary feedwater pumps or loss of power to those pumps. Random or induced loss of coolant accidents are not a dominant contributor to risk at PVNGS due to use of low leakage Reactor Coolant Pump seals (Reference 12).

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time The PRA analysis assumes that other risk significant plant equipment outage configurations will not occur during the extended completion time period by prohibiting elective maintenance on other PRA risk significant plant equipment and avoiding other activities that could challenge unit operation or cause fires in risk significant areas. In addition, adverse weather such as extreme heat, extreme thunderstorms, icing or tornadoes are not assumed likely based on historical evidence during the period of this extended completion time due to Palo Verdes location in the southwestern Sonoran Desert. The Tier 3 compensatory actions mitigate additional plant risk due to events beyond that associated with Unit 3 train B DG unavailability represented in the ICCDP and ICLERP values furnished in the Tier 1 discussion above.

2.3 Tier 3: Risk Informed Configuration Management Risk would also be managed during the extended completion time via the Maintenance Rule 10 CFR 50.65(a)(4) Configuration Risk Management Program, which has been reviewed in prior risk-informed Technical Specification change requests (e.g., Reference 7).

Technical Adequacy of the PRA The following sections demonstrate that the quality and level of detail of the PRA model used in the requested change meet NRC requirements in NRC RG 1.200 Revision 2 (Reference 1). Attachment 1 provides the status of plant modifications and evaluations credited in the PRA models, which all have been completed for Unit

3. All the PRA models described below have been peer reviewed and there are no PRA upgrades that have not been peer reviewed. The findings and dispositions from the peer reviews impacting PRA technical quality are described in Attachments 4 through 8. Included in these Attachments are the Facts and Observations (F&Os) from the indicated peer reviews impacting PRA quality, and do not include F&Os describing optional suggestions or industry best practices. The peer review finding dispositions show all peer review findings to be closed by APS, which indicates they have been resolved by APS and meet the associated ASME PRA Standard (Reference

9) supporting requirements to Capability Category II. Thus, all the PRA models described herein comply with all scope and quality Capability Category II supporting requirements per RG 1.200 Revision 2 (Reference 1).

The PRA models credited in this request are the same PRA models credited in the Risk-Informed Completion Time application dated July 31, 2015 (Reference 3). All the plant modifications and evaluations referenced in that application have been completed in Unit 3. The field routed cable routing differences between the three PVNGS units impacting the fire PRA model were resolved by creating one bounding fire PRA model that reflects the most limiting cable routing from each of the three units for each fire area. The breaker coordination issues associated with fire events described in the Risk-Informed Completion Time application were resolved by analysis with no plant modifications or procedure changes required at any of the three units.

A PRA model update is in process for these models and insights are available from the updated inputs to the model (e.g., updated reliability, availability and initiating event data) to support the conclusion that the PRA model reflects the as-built, as-operated plant. All pending changes to these PRA models (e.g., design changes, procedure changes, corrective actions) have been reviewed for individual and 2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time aggregate impact on this evaluation and determined not to impact the conclusions of the evaluation (i.e., RG 1.174 and RG 1.177 acceptance criteria remain met).

Internal Events and Internal Flooding Hazards This one-time Technical Specification change evaluation for the internal events and internal flooding hazards uses peer reviewed plant-specific Internal Events and Internal Flooding PRA models in accordance with RG 1.200, Revision 2 (Reference 1).

The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units.

The Internal Events PRA model was peer reviewed in 1999 by the Combustion Engineering Owners Group (CEOG) prior to the issuance of Regulatory Guide 1.200.

As a result, a self-assessment was conducted by APS of the Internal Events PRA model in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1) to address the PRA quality requirements not considered in the CEOG peer review. The Internal Events PRA quality (including the CEOG peer review and self-assessment results) has previously been reviewed by the NRC in requests to extend the Inverter Technical Specification Completion Time dated September 28, 2009 (Reference 7) and to implement TSTF-425 Risk-Informed Surveillance Frequency Control Program dated March 3, 2011 (Reference 8). No PRA upgrades as defined by the ASME PRA Standard RA-Sa-2009 (Reference 9) have occurred to the Internal Events PRA model since conduct of the CEOG peer review in 1999. of this enclosure identifies the Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) for the Internal Events and Internal Flooding PRA models. Attachment 4 provides the status of A and B level findings from the CEOG peer review of the Internal Events PRA model conducted in accordance with NEI 00-02 (Reference 2). Attachment 5 provides the status of supporting requirements (SRs) not met to Capability Category II from the APS self-assessment of the Internal Events PRA model conducted in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1). Attachment 6 provides the status of findings associated with supporting requirements determined not met to Capability Category II from a peer review of the Internal Flooding PRA conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions.

Fire Hazards The one-time Technical Specification change evaluation of fire hazards will use a peer reviewed plant-specific Fire PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The Fire PRA model is consistent with NUREG/CR-6850 (Reference 4) methodology with no exceptions. The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 2 of this enclosure identifies the CDF and LERF for the Fire PRA model. Attachment 8 of this enclosure provides the status of findings associated with supporting requirements (SRs) for the internal fire PRA determined not met to Capability Category II from peer reviews conducted in accordance with RG 1.200, Revision 2 (Reference 1). All of these findings have been closed by APS dispositions.

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Seismic Hazards The one-time Technical Specification change evaluation for seismic hazards will use a peer reviewed plant-specific seismic PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 2 of this enclosure identifies the CDF and LERF for the Seismic PRA model. Attachment 7 of this enclosure provides the status of findings associated with SRs for the seismic PRA determined not met to Capability Category II from a peer review conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions.

Other External Hazards All other external Hazards were screened for applicability to PVNGS per a peer reviewed plant-specific evaluation in accordance with RG 1.200, Revision 2 (Reference 1). There were no findings from the peer review. Attachment 9 of this enclosure provides a summary of the other external hazards screening results. 0 of this enclosure provides a summary of the progressive screening approach for external hazards.

PRA Uncertainty Evaluations Sources of model uncertainty and related assumptions have been identified for the PVNGS PRA models using the guidance of NUREG-1855 (Reference 5) and EPRI TR-1016737 Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessment (Reference 6).

The detailed process of identifying, characterizing and qualitative screening of model uncertainties is found in Section 5.3 of NUREG-1855 (Reference 5) and Section 3.1.1 of EPRI TR-1016737 (Reference 6). The process in these references was mostly developed to evaluate the uncertainties associated with the internal events PRA model; however, the approach can be applied to other types of hazard groups.

The list of assumptions and sources of uncertainty were reviewed to identify those which would be significant for the evaluation of this application. If the PVNGS PRA model used a non-conservative treatment, or methods which are not commonly accepted, the underlying assumption or source of uncertainty was reviewed to determine its impact on this application. Only those assumptions or sources of uncertainty that could significantly impact the configuration risk calculations were considered key for this application.

The PVNGS PRA models do not contain any recovery action or recovery factor for failed emergency DGs. Key PVNGS PRA model specific assumptions and sources of uncertainty for this application are identified and dispositioned in Attachment 11.

The conclusion of this review is that no additional sensitivity analyses are required to address PVNGS PRA model specific assumptions or sources of uncertainty for this application.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time

3.0 REFERENCES

1. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009

2. NEI 00-02, Probabilistic Risk Assessment (PRA) Peer Review Process Guidance, Nuclear Energy Institute, dated 2000

3. License Amendment Request to Revise Technical Specifications to implement Risk Informed Completion Time (ADAMS Accession Number ML15218A300) dated July 31, 2015

4. NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, dated September 2005

5. NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, dated March 2009

6. EPRI TR-1016737, Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments, dated December 2008

7. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments Re: Changes To Technical Specification 3.8.7, "Inverters-Operating" (ADAMS Accession Number ML102670352) dated September 29, 2010

8. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance Of Amendments Re: Adoption of TSTF-425, Revision 3, "Relocate Surveillance Frequencies To Licensee Control RITSTF Initiative 5b" (ADAMS Accession Number ML112620293) dated December 15, 2011

9. ASME/ANS RA-Sa-2009, Standard for Level l/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RAS-2008, ASME, New York, NY, American Nuclear Society, La Grange Park, Illinois, dated February 2009

10. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015.

11. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications, Revision 1, dated May 2011.

12. WCAP-16175-P-A, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants, Revision 0, March 2007 5

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 1 Status of Plant Modifications and Evaluations Credited in the PRA The PRA model used for determining the risk associated with the one-time extension of the Diesel Generator completion time due to the failure of the Unit 3 B Diesel Generator on December 15, 2016, credits the following modifications to achieve an overall CDF and LERF consistent with NRC Regulatory Guide 1.174 risk limits. The following table provides an updated status for Unit 3 as compared to the table provided in the License Amendment Request to allow risk informed completion times (ADAMS Accession Number ML15218A300).

Plant Modification/Evaluation Status Install fuses in Control Room DC ammeter circuits Complete to prevent secondary fires due to multiple fire induced faults.

Install fuses in non-class DC motor circuits to Complete prevent secondary fires due to multiple fire induced faults.

Replace RCP control cables with one-hour fire Complete rated cables.

Install an additional Steam Generator makeup Complete capability to reduce Internal Fire PRA risk.

Implement recovery procedures for breaker Not required. No plant modifications or coordination on class and non-class motor control procedure changes were required to centers/distribution panels that impact risk resolve breaker coordination issues.

significant functions in the Internal Fire PRA.

Supporting requirements of ASME/ANS RA-Sa- Complete 2009 SY-C1 and SY-C2 shall be fully met at Capability Category II prior to use of the RICT Program.

Validate that the Unit 1 Internal Fire PRA model is Complete. The Unit 1 internal fire PRA bounding for Units 2 and 3 to reflect field-routed model was adjusted to reflect a cabling or create unit-specific internal fire models bounding evaluation of field-routed for Units 2 and 3 prior to use of the RICT Program cabling for all three units.

at Units 2 and 3.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 2 Unit 3 Baseline Average Annual CDF/LERF CDF LERF Hazard (per year) (per year)

Internal events 1.3E-6 4.3E-8 Internal flooding 4.3E-7 1.9E-8 Seismic 2.8E-5 5.3E-6 Internal Fire 2.7E-5 2.0E-6 Total 5.7E-51 7.4E-62 Notes:

1. Total CDF meets the RG 1.174 acceptance criteria of < 1E-4 per year

2. Total LERF meets the RG 1.174 acceptance criteria of < 1E-5 per year

References:

1. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 3 ICCDP and ICLERP for One-Time Technical Specification Change ICCDF ICCDP ICLERF ICLERP Hazard (per (21 (per (21 year) days) year) days)

Internal 1.2E-6 6.9E-8 5.5E-8 3.2E-9 events Internal 1.0E-9 5.8E-11 1.0E-9 5.8E-11 flooding Seismic 3.0E-5 1.7E-6 1.6E-6 9.2E-8 Internal 1.1E-4 6.2E-6 2.8E-6 1.6E-7 Fire Total 1.4E-4 7.9E-61 4.5E-6 2.6E-72 Notes:

1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with compensatory measures not credited in the quantitative risk evaluation

2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with compensatory measures not credited in the quantitative risk evaluation

References:

1. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 4 Internal Events PRA Peer Review A and B Level Findings Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-10 SY-20 A Closed Demand failures of batteries are not considered (i.e., if The finding has been there is a demand for direct current (DC), battery resolved and closed by an failure is more likely). Only charger failures, bus update of the PRA model.

faults, circuit breaker failures, battery faults, Demand failure of maintenance and failure to restore after maintenance batteries has been added are modeled. to the model.

DA-04 DA-8 A Closed The following common cause factors are significantly The finding has been lower than Idaho National Engineering Environmental resolved and closed by an Laboratory (INEEL) recommended values: pumps update of the PRA model.

gamma and delta factors, emergency diesel generator The PRA model common failure to start beta, and auxiliary feedwater (AFW) cause factors have been pumps failure to run beta generic pumps - beta. Note: revised consistent with the these are based on generic sources, therefore there is NRC common cause a concern that the values are significantly different database.

from INEEL generic data. A sensitivity evaluation was performed which put these values to those similar to INEEL recommended values caused a CDF increase of approximately 7%.

DE-07 DE-7 A Closed In general, human actions across systems appear to The finding has been treat dependency appropriately. There are some cases resolved and closed by an where dependencies across systems are not properly update of the PRA model.

addressed. RE-AFA-LOCAL is used redundantly to The PRA model human 1ALFW-2HRS-HR in sequences 7634, 14966, etc. (per action dependencies PRA Study, 13-NS-C29 Rev. 3, PRA Change across systems have been Documentation) per C-29 Rev. 3 addressed.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

QU-03 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is being used to recover The finding has been 1AFAP01-TPAFS. This is a hardware failure basic resolved and closed by an event. An evaluation should be done to determine the update of the PRA model.

fraction of the basic event that is recoverable. This The PRA model recovery appears in numerous sequences [e.g., 7830 & 14989 action for the AFA pump (per PRA Study 13-NS-C29 Rev.3, per C-29 Rev.3)]. has been modified to appropriately consider the fraction of recoverable events.

QU-04 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is inappropriately being used The finding has been to recover some Stuck Open Safety Valve (SOSV) resolved and closed by an events. The initial failure of the AFW Pump A causes a update of the PRA model.

primary safety lift. The recovery of AFW Pump A The PRA model recovery would not prevent a lift. Therefore, RE-AFA-LOCAL has been removed from should not be used when the primary safety valves lift. stuck open safety valve events.

HR-04 HR-9 A Closed It was stated in the opening presentations that the The finding has been operators would take manual control of the AFW flow resolved and closed by an path globe valves. This action is not modeled. The update of the PRA model.

current model appears not to include any action to The PRA model now control flow with the exception of local manual control. credits remote manual operation of the AFW flow path valves.

SY-12 SY-18 A Closed Batteries C and D appear to have at least a 24-hour The finding has been mission time prior to depletion. This results in resolved and closed by an instrumentation being available to adequately control update of the PRA AFW. The bases for the 24-hour mission time are not documentation. The basis documented. for the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time is provided.

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-06 HR-20 A Closed The cycling of the AFW flow path globe and gate valves The finding has been to maintain AFW flow is not modeled. resolved and closed by an update of the PRA model.

The PRA model now includes cycling of the AFW flow path valves.

IE-7 IE-12 B Closed The Interfacing Systems Loss of Coolant Accident The finding has been (ISLOCA) treatment for the shutdown cooling suction resolved and closed by an line appears to have some questionable assumptions. update of the PRA model First, it is assumed that the Low Temperature Over which now includes failure Pressure (LTOP) valve would always open. While this is of the LTOP valve to open the most likely scenario, the LTOP valve can fail to and includes the shutdown open. Qualitative arguments were made that should cooling warm up crossover this happen, the resulting LOCA would be inside piping.

containment (primarily based on relative pipe lengths).

This ignores the fact that the high stress points and stress concentration points are outside containment.

Furthermore, the shutdown cooling warmup crossover piping was not considered.

IE-8 IE-5 B Closed Loss of multiple vital 125 VDC and loss of multiple vital The finding has been 120VAC buses are not considered as initiators. resolved and closed by an update of the PRA model which now includes loss of multiple vital 125 VDC and 120 VAC buses as initiators.

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

AS-02 AS-04 B Closed A discussion of Reactor Vessel Rupture was not found. The finding has been A fire PRA was not performed so accident sequences resolved and closed by an were not generated to capture the impact of a fire. update of the PRA model Also there does not appear to be coding of locations which now includes for basic events. (Fire-Induced Vulnerability reactor vessel rupture Evaluation methodology was used to assess fire event. Separate internal impact). Internal flooding is also not specifically fire and internal flood included in the accident sequences and no spatial data models have subsequently appears to have been developed (same could be used been created to address for fire and flooding). Industry Degraded Core the remainder of the Rulemaking (IDCORE) methodology was used to finding.

perform flooding evaluation and this determined that there are no critical flooding areas.

AS-5 AS-24 B Closed The Modular Accident Analysis Program (MAAP) The finding has been analyses used to support timing for human actions resolved and closed by an look only at a selected set of parameters of interest update of the PRA model.

and neglect to look at the status of other systems Additional MAAP analyses which may affect timing and/or success criteria. One have been performed and particular example is that the Turbine Bypass System associated human is assumed to always work when evaluating the time reliability actions added to available for recovery of AFW. the PRA model to address the status of other systems which impact event timing.

SY-02 SY-1 B Closed There is no document that specifies the content, System studies have been requirements, and formatting for each system study. updated to meet ASME This would aid external observers and newcomers in SY-C1 and SY-C2 understanding the intent of the system analysis Capability Category II documentation. requirements.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-03 SY-3 B Closed Many of the assumptions contained in the AFW The specific issue of AFW analysis address plant phenomena, but contain no diversion flow paths has plant references. For example, AF024, states no been addressed and significant diversion paths were identified. But no documented. System detailed discussion is provided. There are several studies have been updated piping taps from the condensate storage tank (CST). to meet ASME SY-C1 and From a walkdown some of these taps occur high in the SY-C2 Capability Category tank, while others associated with the condensate II requirements.

transfer pumps are low in the tank. It is not clear that potential diversions through the condensate transfer pumps have been examined. The drawings that illustrate the flow destination for the pumps are not referenced in the AFW system study: DGP-001, ECP-001, and EWP-001. It also appears that the assumptions themselves are not independently reviewed. As a result, the independent reviews of the system studies are not complete. Each individual assumption should have plant documentation and an independent review. The system study independent review would then only need to ensure that the assumption is applicable to and reflects the model itself. This appears to be what is done now, but without an independent review of the assumptions.

5

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-05 SY-4 B Closed It is difficult to verify that the systems are in System studies have been agreement with the as-built conditions. The current updated to meet ASME software is only capable of displaying a two by three SY-C1 and SY-C2 portion of the fault tree. When attempting to verify the Capability Category II AFW system, only a sample of the fault tree was requirements.

examined. From the portion examined no discrepancies were identified. There were no direct references between the fault tree supports and the plant drawings. For example the power supplies to the motor driven pumps are contained in the fault tree, but a plant drawing reference is not directly linked to this dependency. The back of the system study does provide a list of references, but the specific references are not linked to dependencies. Not only does this make review by outside personnel difficult, it makes internal independent reviews difficult as well.

DA-01 DA-4 B Closed In quantifying the failure rate of the turbine driven The finding has been AFW pump to start and run, failures were not resolved and closed by an considered based on modifications to prevent turbine update of the PRA overspeed trips due to excessive condensation in documentation. Sufficient steam lines. That is, failures that occurred prior to plant operating experience 1995 (that were determined to be due to excessive has elapsed since this condensation), were removed from consideration. A finding was provided to reduction in the impact of these failures would be substantiate exclusion of more appropriate than eliminating these failures from condensate line overspeed consideration. events from the failure rate of the AFA pump. This evidence was documented as part of the data update.

6

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DA-02 DA-06 B Closed Currently for demanded components, the failure The finding has been likelihood is assumed directly related to the resolved and closed by an surveillance interval. The equation used is 1-exp(- update of the PRA lambda*(interval)/2). This assumption is predicted on documentation. This issue the assumption that the likelihood of failure on has been resolved by demand is purely proportional to the hourly failure providing the requested likelihood. This is not necessarily true. Analysis should evidence in the PRA be done to ensure that the demand failure likelihoods documentation.

are appropriately calculated. There are components of the demand failure rate that are not proportional to time such as shock and human errors.

DA-9 DA-9 B Closed When grouping components together for data, are The finding has been component specific data differences reviewed. (i.e. are resolved and closed by an a disproportionate number of failures attributed to one update of the PRA component but spread out over several)? Also are the documentation. This issue numbers of demands/run hrs comparable? has been resolved by considering component specific differences in the grouping of components.

DA-07 DA-13 B Closed The NSAC document referenced in evaluating the loss The finding has been of offsite power (LOP) frequency and duration (NSAC- resolved and closed by an 203, Losses of Offsite Power at U.S. Nuclear Power update of the PRA model Plants thru 1993 is not current. More recent NSAC and and documentation.

EPRI documents are available as a reference source. Subsequent updates of the These documents have the potential to increase the PRA model have used the likelihood of offsite power recovery since LOP events current EPRI loss of offsite and their duration have trended downward. power data.

7

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DA-08 General B Closed Plant specific data was derived from a limited number The finding has been of years data (1994 thru 1996) resolved and closed by an update of the PRA model and documentation. Plant specific data has subsequently been updated up to 2014.

HR-01 HR-1, HR-14 B Closed Guidance effectively describes the quantification The finding has been process. Two areas were identified for possible resolved and closed by an improvements: update of the PRA

1. The process and degree of operation input and documentation. This issue review is not documented. Operation input as has been addressed by described appears to be marginal. It was stated that upgrading the human operator input was always obtained for knowledge reliability analysis based actions and was obtained as required for documentation to address complete skill and rule-based actions. A better the issues. The HFEs have practice would be to have all actions developed with been placed into the EPRI operator input. HRA calculator, which

2. The process for selecting Human Reliability Analyses provides a consistent and (HRAs) was not described. A process is identified in detailed documentation of Systematic Human Action Reliability Procedure the HRAs.

(SHARP). It appears that the SHARP process was not used. However, an undocumented, iterate process between the system analyst and the human action analyst appears to be adequate.

8

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-08 HR-25 B Closed A sensitivity study to determine human action The finding has been dependencies was not performed nor documented with resolved and closed by an the PRA results. This is considered to be a good update of the PRA practice to ensure dependent human actions are not documentation. The inappropriately used. A sensitivity analysis was requested sensitivity performed during this review. No issues were noted. analysis was performed and documented on human action dependencies.

HR-09 HR-20 B Closed Human Action (HA) 1AFN-MSIS----HR is failure of the The finding has been operator to override main steam isolation signal resolved and closed. The (MSIS) and align the N pump. This action includes human reliability analysis diagnosis error. The action 1AFN-MSIS-ND-HR, is a dependency process no modification factor to remove the diagnosis component longer applies recovery of 1AFN-MSIS----HR. In the quantification of these actions and HEP two elements (PRA Study 13-NS-B62, Human modifications through Reliability Analysis, p90 and p91) it is stated that cutset post-processing.

1AFN-MSIS-ND-HR is to be used with 1AFN-MSIS---- The HRA calculator HR when it occurs in conjunction with failure to align dependency function is or utilize the code pumps, i.e., in conjunction with used to manage another HA that had an equivalent diagnosis element. dependencies between This is considered appropriate. However, as seen in human actions, and this cutset 10 and others, these two HAs are being used process eliminates the together in cutsets which do not include another HA concern raised by the with the equivalent diagnosis element. This is finding.

inappropriate.

9

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-09 HR-20 B Closed In cutset 10, the initiator is loss of 125 VDC PKB-M42 continued which results in loss of one AFW pump, an MSIS, failure of the downcomer valves, failure of the turbine-driven AFW pump and the 1AFN-MSIS----HR/1AFN-MSIS-ND-HR combination. This does not appear to be appropriate because there is no other HA which includes the requisite diagnosis error. This is contrary to the stated application conditions in 13-NS-B62. The above discussion also applies for the 1AFW-MFW-----

HR/1AFW-MFW-ND-HR combination and any other equivalent combinations. After looking at models in more detail, found that there was another HA in the chain. Direct solution of the trees would yield a cutset with two Human Error Probabilities (HEPs). A recovery analysis pattern removed the two related HAs and replaced them with the pairings discussed above. The concept appears to be appropriate but the manner in which it is applied is confusing at least in this case.

10

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DE-02 DE-1, DE-3, B Closed As mentioned earlier there is no guidance for the The finding has been DE-5 system analysis process. This applies to the resolved and closed by an dependency aspect of the process as well. Section 3.3 update of the PRA of a system study lists the dependencies associated documentation.

with the system. In general, the attachment appears References for to completely describe the dependencies associated dependencies and HVAC with the system. I did notice several cases in the high success criteria have been pressure safety injection (HPSI) system study where added to the PRA the component numbers were not identified: documentation.

1PHAM37-480-1PW/GHLIA1-2, 1PHBM38-480-1PW/GHI2-9, 1SAARAS-TRA--1AT/GRASA-K405 (MOV 674), etc. In some cases, it was possible to determine the component dependency. In other cases, it was not. Each component and its associated dependency should be explicitly identified. The dependencies associated with hot leg injection appear to be improperly identified. MOV-321 should be 4PKCM43-125--1PW and MOV-331 should be 4PKDM44-125--

1PW. The plant references for the dependencies are not directly linked to unique component dependencies.

Instead, the references are listed in a single large mass in Appendix D. It would probably save time and lead to better traceability if the references are directly associated with each dependency. There are no plant references associated with the heating, ventilation and air conditioning (HVAC) dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as Updated Final Safety Analysis Report (UFSAR) text if direct failure is assumed to be as complicated as design heat-up calculations.

11

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DE-05 DE-4 B Closed Although dependencies are identified in the system The finding has been analysis, there is no dependency matrix. A resolved and closed by an dependency matrix is a valuable tool for reviewers and update of the PRA newcomers to the group. I believe that our evaluation documentation. A of Accident Sequences would have been much more dependency matrix has comprehensive with a dependency matrix. There are been added to the PRA no plant references associated with the HVAC documentation.

dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--

1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as UFSAR text if direct failure is assumed to as complicated as design heat-up calculations.

DE-08 DE-7 B Closed Since the general rule is documented as one-recovery The finding has been action per sequence 13-NS-B62 (B-062), exceptions resolved and closed by an should be noted and justified. For example, the Station update of the PRA Blackout Generator recovery and the AFW pump A documentation. Exceptions recovery actions are credited redundantly. This is to the recovery actions probably appropriate, but the paragraph in B-062 were justified.

indicates this is not typically done. Therefore justifying the exceptions is probably appropriate.

DE-10 DE-12, DE-13, B Closed The documentation is considered marginal largely This issue was closed by DE-14 based on the lack of traceability of the system studies meeting ASME SR SY-C1 to plant documentation for each component for system notebook dependency. documentation.

QU-01 QU-1 B Closed The quantification report describes the quantification, The finding has been but the process is difficult to follow unless resolved and closed by an knowledgeable about the code used and the specific update of the PRA steps to follow. It is sometimes hard to determine the documentation.

basis for the delete term logic and the recovery patterns.

12

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

QU-05 QU-18, QU-19 B Closed It would probably be a good idea to delete the front *s The finding has been in the recover search equations. I did not find any resolved and closed by an instances where this caused a problem in the existing update of the PRA model model, but it could be causing problems by recovery instructions.

accidentally selecting the middle of a basic event verses the beginning.

QU-07 QU-25, QU-26, B Closed Even though the data bases contain error factors and This issue has been QU-28 their code has the capability to easily perform addressed by performing numerical uncertainty analyses, APS did not perform and documenting the any uncertainty analyses for this update of the quantitative uncertainty Probabilistic Safety Assessment (PSA) and they did not analysis.

document any sensitivity studies on the impact of key assumptions as part of this PSA update.

MU-03 MU-4 B Closed The types of changes tracked by the PRA and how this The finding has been information is obtained are not specified in enough resolved and closed by an detail within the procedure. update of the PRA model update procedure.

MU-08 MU-11, MU-12 B Closed There is limited guidance on what needs to be The finding has been considered for reevaluation when a significant change resolved and closed by an to the PRA models takes place. update of the PRA model update procedure.

HR-03 HR-4, HR-5, B Closed In the HRA document (B62), Section 4.2, concludes The finding has been HR-6, HR-7 that miscalibration and common cause miscalibration resolved and closed by an of critical sensors is negligible at PVNGS. This is not update of the PRA model consistent with the results from other PRAs. common cause modeling Specifically, the first supporting paragraph of to match the NRC dedicated teams does not minimize exposure to common cause database common cause, it actually maximizes common cause. treatment.

PVNGSs staff previously identified this item.

13

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

AS-03 AS-6, AS-7, B. Closed There are some differences between treatment of a The finding has been AS-8, AS-24 small LOCA associated with a pipe break and an resolved and closed by an induced small LOCA (pressurizer safety valve update of the PRA model reclosure) in the transient event trees. For example: and documentation.

In the small LOCA event tree, successful high pressure injection and recirculation lead to questioning whether containment heat removal is successful. In the Transient Type 2 and Transient Type 3 event trees, RCS integrity can be lost if pressurizer safety valves do not reset after lifting. In the sequences from these event trees where high pressure injection and recirculation are successful, the question relating to containment heat removal is not asked.

In the small LOCA event tree, RCS depressurization and use of low pressure injection and recirculation are considered if high pressure injection or recirculation fail. In the Transient Type 2 and Transient Type 3 event trees, consideration of RCS depressurization and use of low pressure systems is not included because the likelihood of high pressure injection or high pressure recirculation are small. It would seem that this assumption should apply to both cases, or not.

14

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-13 SY-17, SY-20 B Closed The control system study states that only single The finding has been failures that cause the failure mode of interest are resolved and closed by an considered. For the Auxiliary Feed Actuation System update of the PRA model (AFAS) generated signals, which results (these result) and documentation to add in modeling common cause only. Although this the indicated control approach may provide a good estimate of the failure system dependencies.

rate of these safety signals, it does not necessarily provide the confidence that the signals are appropriately modeled. For AFAS, it appears that since the AFW flow path valves must cycle that control system dependencies may have been missed. That is, normally engineered safety features actuation system (ESFAS) relays appeared to be locked-out following actuation, but for the AFAS valves, the relays need to react to the process system steam generator (S/G) low and high level). It is likely that 120 VAC Vital Bus A and B are needed.

15

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 5 Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II Attachment 5: Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II SR Status Self-Assessment Comments Disposition SY-C1 Closed System analysis documentation developed during The System analysis documentation has been updated to the Individual Plant Examination (IPE) was reflect the documentation requirements of SY-C1.

abandoned prior to issuance of the ASME PRA. Key elements of the system analysis documentation have been subsequently captured in other PRA documentation that is not designated as system analysis documentation.

SY-C2 Closed The following subsections of SR SY-C2 are not met: The System analysis documentation has been updated to c, e, j, o, p. The original system analysis reflect the documentation requirements of SY-C2.

documentation developed during the IPE PRA development was abandoned prior to the issuance of the ASME PRA Standard. Other subsections of SR SY-C2 (a, b, d, f, g, h, i, k, l, m, n, q, r, s) are met by alternate documentation generated when the system analysis documentation was abandoned.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 6 Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSO-B2 Closed As noted in SRs IFSO-A1, IFSO-A3, and IFSO-A5, some areas This finding has been resolved by a of the documentation do not provide sufficient detail about documentation update. The following PRA studies the process used. Specific items for which improved have been revised to provide detail about the documentation is needed include: specific items needed for improvement:

a. Documentation of sources in the Turbine Building. a. PRA Study 13-NS-C094 section 4.2.6 was

b. The basis for screening sources in the Fuel, Radwaste, and revised to include the flooding sources in the Turbine Buildings (i.e., the way in which the specified Turbine Building.

criteria are met for each source is not documented). For b. Revised PRA Study 13-NS-C094 sections 4.2.5 example, a walkdown during the peer review revealed that and 4.2.6 to include justification for screening there is section of the wet pipe fire protection (FP) system sources in the Fuel, Radwaste, and Turbine running above the turbine cooling water (TC) pumps that Building.

could potentially spray both pumps. It is not clear based c. The temperatures and pressures of the plant on 13-NS-C093 and 13-NS-C094 that this impact was fluid systems do not need to be defined as all considered and dispositioned. Likewise, feedline breaks in flooding impacts are inherently considered due the turbine building are assumed to be bounded by the to the Assumption 2 in PRA Study 13-NS-C096 loss of main feedwater initiating event, but may have which identifies that all equipment in the flood different impacts such as loss of instrument air due to area in which a flood initiates, is assumed humidity impacts. failed. Therefore it is not necessary to describe

c. The temperature and pressure of flood sources. systems in terms of pressure and temperature to determine potential flood induced failure modes.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFEV-A7 Closed Potential flooding mechanisms are primarily limited to failures This finding has been resolved by a of components. Human-induced flooding is screened based documentation update. PRA Study 13-NS-C097 on plant maintenance practices (see 13 NS-C093, Section Section 4.1 was revised to document the review 3.2, Item 4 and 13-NS-C097, Section 3.5). This does not of human and maintenance induced flooding indicate that there was any search of plant operating events. Spray events such as sprinkler head experience and plant maintenance procedures to verify no failures during maintenance were considered on potential for human-induced flood mechanisms. an individual basis in the internal flood model. A review of PVNGS maintenance guidance documentation and procedures via plant personnel discussions did not identify any maintenance procedures which would lead to an internal flooding scenario.

IE-C5 Closed Generic pipe failure frequencies from EPRI TR-1013141 were This finding has been resolved by a not converted to a per reactor-year basis as required by SR documentation update. PVNGS has revised the IE-C5. quantification studies to clarify that the results are specifically in units of per critical-reactor year that is directly applicable to At-Power operating plant states. In addition, to support PRA applications that relate to risk in terms of annualized risk, the engineering studies documenting the quantification and results were revised to also provide converted core damage frequency (CDF) and large early release frequency (LERF) in units of per reactor-year (per calendar-year).

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFQU-A7 Closed Sources of model uncertainty and related assumptions for the This finding has been resolved by a Internal Flooding (IF) quantification are documented in 13- documentation update. PRA Study 13-NS-C099 NS-C099, Section 3.1.3. As noted in other SRs related to Section 4.4 was revised to incorporate the assumptions and sources of uncertainty, there is no characterization of model uncertainty sources.

characterization of the impact of these assumptions and Each assumption and source of model uncertainty sources of uncertainty on the IF model as would be required has been characterized according to WCAP-by backward reference to SRs QU-E4 and QU-F4 in SR IFQU- 17507, PRA Model Uncertainty Database A7. Guidance and Documentation Template for Characterization of Uncertainties from the Pressurized Water Reactor Owners Group (PWROG) PA-RMSC-0594.

IFSN- Closed Based on the decision trees in the Scenario document 13-NS- This finding has been resolved by a A16 096 Revision 0, (example Figure 4.2.1.1-1, Sequence documentation update. PRA Study 13-NS-C096 040A1S02), many flood sources that can be isolated have section 3.1.1 was revised to describe the reason been screened out based a simple assertion that the flood for screening out successfully isolated floods.

can be isolated without documenting any of the following:

a. Whether flood indication is available in the control room,

b. How and where the flood source can be isolated, and

c. Whether procedures exist for isolation and how much time is available for isolation.

Based on a discussion with the plant PRA personnel, the peer review team judged the screening to be reasonable, but documentation is not adequate. The review team judged this to be met at Category I, but even for this, proper documentation is needed as noted in the finding.

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSN-A6 Closed RG 1.200 Revision 2 documents a qualified acceptance of this This finding has been resolved by a SR. The NRC resolution states that to meet Capability documentation update. Assumption 2 in PRA Category II, the impacts of flood-induced mechanisms that study 13-NS-C096 was rewritten to clarify that all are not formally addressed (e.g., using the mechanisms components within a flood area where the flood listed under Capability Category III of this requirement) must originates were assumed susceptible and failed as be qualitatively assessed using conservative assumptions. a result of the flood, spray, steam, jet impingement, pipe whip, humidity, condensation and temperature concerns except when component design (e.g., water-proofing), spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect.

IFEV-A6 Closed There is no evidence in 13-NS-C097 that a search was made This finding has been resolved by a for plant-specific operating experience, plant design features, documentation update. PRA Study13-NS-C097 and conditions that may impact flood likelihood and no Section 4.1 was revised to add evidence of the Bayesian updating was performed. However, adjustments search for plant specific operating experience.

are made to some initiating event frequencies based on The PVNGS Site Work Management System system run times to account for differences between impacts database and License Event Reports were when the pumps are running or in standby.

searched for flood type events. Additionally, the PVNGS maintenance procedures were reviewed for flood prevention guidelines.

It was determined that none of the flood events identified represented a credible internal flooding scenario which would require additional modeling efforts. Additionally, the lack of internal flooding events does not provide sufficient information to perform a Bayesian update to the initiating event data, and therefore, no update was performed.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 7 Seismic PRA Peer Review ASME SRs Not Met to Capability Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SHA-E1 Closed Insufficient site-specific velocity profile documentation exists This issue was resolved and reflected in the PRA to review the base case profile and possible uncertainties in model and documentation. New site specific data the site shear-wave velocity profile. Because the site was subsequently collected as part of the NTTF fundamental soil resonance may be near 1 second, a period 2.1 analysis.

that may be near a critical structural resonance, documentation of the epistemic uncertainty and aleatory variability of the site velocity profile should be developed.

SHA-E2 Closed The evaluation and incorporation of uncertainties in the site A SSHAC L3 analysis was performed subsequent response velocity profile may not be properly incorporated to the seismic PRA development as part of the because of insufficient or unreviewable site-specific data NTTF response to the NRC 50.54f letter on and/or its documentation. Also, the site response evaluation Fukushima. The SSHAC L3 analysis produced a was completed using a Senior Seismic Hazard Analysis site hazard curve which is bounded by the SSHAC Committee (SSHAC) Level 1 (L1) process which does not L1 hazard curve developed and used in the meet the ASME general Capability Category II guidelines. Seismic PRA model. Therefore, the issue is resolved by the updated SSHAC L3 hazard analysis.

SFR-A1 Closed Some of the dispositioning in the complete seismic This issue was resolved and reflected in the PRA equipment list (SEL) does not have adequate documentation model and documentation. Contractor performed to justify screening of selected components. For example, walkdown and screening evaluation to compare component 1ENANS01 (13.8 kV Non-Class 1E Switchgear the estimated seismic capacities of selected Non-1ENANS01) is dispositioned (screened) by the statement Safety Related equipment to the capacity "Seismically induced failure of NA system (non-seismic class) assigned to LOP.

assumed addressed through seismic LOP." The median Re-quantification was performed to reflect fragility of seismic LOP is 0.3 g. For this screening to be updated hazard, updated fragility information and viable, APS should demonstrate that the median fragility of updated S-PRA modeling following the resolution 1ENANS01 is significantly higher than 0.3 g. However, these of Findings and Observations from the industry are non-Class 1E electrical components. This type of peer review.

screening argument is used many times within the complete SEL presented in Appendix B of CN-RAM-12-015.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-C6 Closed The CDF is dominated by peak ground acceleration (PGA) in This issue was resolved and reflected in the PRA the range of about 0.3 g. Therefore, the effect of using input model and documentation. Contractor performed motion at the 0.3g PGA level should be examined. Contrary evaluation of increased uncertainty for soil to the self-assessment, the soil data is not sufficient to justify properties.

a Cv =0.5. The effect of using Cv = 1.0 should be examined. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review.

SFR-F2 Closed The top seven cutsets involve seismic failure events (SF- This issue was resolved and reflected in the PRA TBBLD, SF-SOIL, and SF-MF) that are potentially model and documentation. Contractor performed conservative with respect to seismic fragility and may be seismic fragility investigation for PVNGS Unit 1 resulting in a seismic CDF that is not accurately reflecting the Main Feedwater (FW) system.

true plant response to seismic events. More analysis is Re-quantification was performed to reflect required to either justify the seismic fragilities presented or updated hazard, updated fragility information and to refine those values. updated S-PRA modeling following the resolution Event SF-TBBLD represents structural failure of the turbine of Findings and Observations from the industry building, resulting in collapse onto the underground pipe peer review.

tunnel from the CST. The concrete cover over the pipe tunnel is postulated to fail, resulting in failure of the AFW piping from the CST to the AFW pumps. There is the potential that the turbine building failure might not fail the pipe tunnel.

Event SF-MF involves seismic failure of main feedwater piping outside of containment (balance of plant). The fragility of this piping is based on a "generic" evaluation of SC-II components and is given a median acceleration of 0.21 g.

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-F3 Closed The draft report LTR-RAM-II-12-074 indicates that the draft This issue was resolved and reflected in the PRA relay assessment uses the IPEEE relay assessment as the model and documentation. LTR-RAM-II-12-074, starting point but accounts for the updated seismic hazard Revision 2 incorporated the 69 previously curve at the site. However, the report includes the following unaddressed relays.

statement in Section 2.3 (Unaddressed Relays): Re-quantification was performed to reflect This list (unaddressed relays) included 69 such relays. Of the updated hazard, updated fragility information and relays that have been included in the SPRA, their seismic updated S-PRA modeling following the resolution fragility events are found in many of the dominant CDF of Findings and Observations from the industry cutsets. peer review.

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B1 Closed CN-RAM-12-015, Rev. 0, Palo Verde SPRA Model The first part of this finding is considered resolved Development, identifies the following for the Self-Assessment based on conducting a RG 1.200 self-assessment for SPR-B1: "The S-PRA relies on an internal event model of the internal events PRA model described that is assumed to be compliant with CCII of the PRA elsewhere in this enclosure and subsequent peer Standard." reviews of the internal flood and internal fire PRA It is understood that the PVNGS PRA model received an models which are based on the internal events industry PRA peer review in 1995 per the CEOG guidelines PRA model.

when the PRA model existed in the Risk Spectrum software The second part of this finding is considered environment. The current PVNGS PRA model has since been resolved by CN-RAM-12-024 Revision 1 that converted to the CAFTA software environment. APS has since updated the seismic HEPs based on timing and performed a self-assessment of the PVNGS Fire PRA and closed all open items from Revision 0.

Internal Events (FPIE ) PRA model against the ASME/ANS Re-quantification was performed to reflect Standard, but a number of SRs do not meet Capability updated hazard, updated fragility information and Category II. updated S-PRA modeling following the resolution Furthermore, as discussed in Section 4.2 of CN-RAM-12-024, of Findings and Observations from the industry there are five (5) open items from the FPIE HRA. Open Item peer review.

5 addresses that many values of T1/2 were not provided in the HRA Calculator, which indicates that the time required to perform the actions may not be accurate (FPIE SR HR-G5).

In addition, Section 4.3.1.4 identifies that PVNGS only uses the Cause-Based Decision Tree Method, which is known to underestimate the impact of time constrained HEPs and as a result, current expectation for meeting supporting requirement HR-G3 is to use a combination of CBDTM and HCR methods to ensure that timing is accurately reflected.

SPR-B6 Closed The review team could find no evidence that operator actions This issue was resolved and reflected in the PRA following relay chatter events were reviewed to ensure task model and documentation. LTR-RAM-II-12-074, does not change (e.g., additional execution steps to reset Revision 2 performed a comprehensive relay relay) if action is in response to relay chatter-induced failure. assessment to address this finding.

Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B7 Closed Complementary success logic is added in the SPRA logic on a This finding is considered resolved based on sequence basis for the SIET via the SHIP software, but not meeting Addendum B of the ASME PRA Std, which for each basic event that represents a seismically-induced changed the requirement for this supporting failure. This is a limitation of the PRA technology and requirement.

software which was also noted in the Surry report. As such, this SR is assessed as Not Met.

However, SR SPR-B7 has been modified in the proposed revision of the PRA Standard (i.e., Addendum B). At the moment this calculation notes publication CCI/II of the equivalent SR in Addendum B (SPR-B5) reads as follows:

In the systems-analysis models, for each basic event that represents a significant seismically-caused failure, INCLUDE the complementary "success" state where applicable to a particular SSC, and DEFINE the criterion used for the term "significant" in this activity. Based on the wording of the new version, success logic addressing significant seismically caused failures are included in the model. With reference to the new wording of SR SPR-B5, this SR could be assessed as met at CCI/II.

SPR-B10 Closed Row SPR-B10 in Attachment 4.5-2 of CN-RAM-12-015 (i.e., CN-RAM-12-015 Revision 1 addressed this the summary attachment of the SPRA self-assessment) finding.

identifies the need to examine the effect of including a Re-quantification was performed to reflect seismically-induced small-small LOCA. The self-assessment updated hazard, updated fragility information and identifies that Section 5.1.3.9 discusses modeling a updated S-PRA modeling following the resolution concurrent small LOCA. of Findings and Observations from the industry Section 5.1.3.9 identifies that a seismic-induced Small LOCA peer review.

probabilistically models a seismic-induced LOP. It is assumed that this scenario would also address the scenario for a Seismic-induced LOP with a potential for a small-small LOCA.

5

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 8 Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 8: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition FSS-D2 Closed Generic Hot Gas Layer (HGL) calculations were This finding has been resolved by PRA model and performed using Consolidated Model of Fire and Smoke documentation changes.

Transport (CFAST) and documented in Hughes report Generic CFAST evaluations were revised to be 0001-0014-002-002, Rev 1. The CFAST HGL results specific to account for the limitations and have not been applied in a manner consistent with the assumptions of the area being modeled.

limitations and assumptions described in the report.

FQ-E1 Closed Several Human Failure Events (HFEs) were discovered to This finding has been resolved by PRA model and have a failure probability set to zero during the documentation changes.

quantification instead of the documented screening value HFEs documented to have a screening value of of 1.0 developed during the HRA task. Having the HEPs 1.0 have been revised in the model to use this set to zero potentially impacts the quantification results screening value. All HFE tools were reviewed, and the ability to identify significant contributors to CDF, updated to be consistent with the HRA Calculator such as initiating events, accident sequences, equipment source database, and validated.

failures, common cause failures, and operator errors. A review of component and basic event There is no documentation that shows that a review of importance to ensure they make logical sense the importance of components and basic events to was subsequently conducted and documented.

determine that they make logical sense was performed. Conduct of cutset reviews was added to the PRA There is no documentation that a review of documentation.

nonsignificant cutsets or sequences was performed.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 8: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition UNC-A1 Closed The following statement was made after several This finding has been resolved by PRA model and sensitivity results attachments: Because of the way the documentation changes.

cutsets were created, the numbers are not correct. The The sensitivity results were reviewed and exercise here is to show the ratios. This negates any of documented to show ratios of results.

the results reported in the results attachment. Documentation has been updated to include how The uncertainty analysis, for the most part, does not the PRA model is affected by model uncertainty include any review of the uncertainty results. Therefore, and related assumptions.

how the PRA model was affected and a check for the Sources of LERF uncertainty and assumptions reasonableness was not documented. Therefore it is not have been identified and documented.

clear that a check for reasonableness was performed. All assumptions used in the development of the There is a statement in the Uncertainty Analysis PRA model have been reviewed and documented.

notebook that this analysis was not performed for LERF. Instances of modeling simplification or Upon review of the notebook it was found that for some conservatism were so noted versus declared as uncertainty analyses were run for both CDF and LERF. A default assumptions. Assumptions with the review of the uncertainty analysis should be performed potential to significantly impact results were and all uncertainty analysis should be performed for CDF addressed in the Uncertainty and Sensitivity and LERF. analyses Many instances were found where assumptions were found in notebooks that were not documented in the assumption section. This could lead to missing an area that needs to be addressed in the uncertainty analysis.

(Review documents and verify that where the word "assumes" is used that an actual assumption is being made.)

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 9 External Hazards Screening Attachment 9 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Airport hazard meets 1975 Standard Review Plan (SRP)

PS2 Aircraft Impact Y requirements. Additionally, airways PS4 hazard bounding analysis per NUREG-1855 is < 1E-6/y.

Not applicable to the site because of Avalanche Y C3 climate and topography.

Sudden influxes not applicable to the plant design [closed loop systems for Essential Cooling Water System (ECWS) and Component Biological Event Y C3, C5 Cooling Water System (CWS)].

Slowly developing growth can be detected and mitigated by surveillance.

Not applicable to the site because of Coastal Erosion Y C3 location.

Plant design eliminates drought as a Drought Y C5 concern and event is slowly developing.

Plant design meets 1975 SRP External Flooding Y PS2 requirements.

The plant design basis tornado has a frequency < 1E-7/y. The spray Extreme Wind or PS2 Y pond nozzles (not protected against Tornado PS4 missiles) have a bounding median risk < 1E-7/y.

Limited occurrence because of arid Fog Y C1 climate and negligible impact on the plant.

Not applicable to the site because of Forest or Range Fire Y C3 limited vegetation.

Limited occurrence because of arid Frost Y C1 climate.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 9 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Limited occurrence and bounded by C1 other events for which the plant is Hail Y C4 designed. Flooding impacts covered under Intense Precipitation.

Plant is designed for this hazard.

High Summer Y C1 Associated plant trips have not Temperature occurred and are not expected.

High Tide, Lake Level, Not applicable to the site because of Y C3 or River Stage location.

Covered under Extreme Wind or Hurricane Y C4 Tornado and Intense Precipitation.

Ice blockage causing flooding is not applicable to the site because of location (no nearby rivers and C3 Ice Cover Y climate conditions). Plant is C1 designed for freezing temperatures, which are infrequent and short in duration.

Explosive hazard impacts and Industrial or Military control room habitability impacts Y PS2 Facility Accident meet the 1975 SRP requirements (RGs 1.91 and 1.78).

PRAs addressing internal flooding have indicated this hazard typically results in CDFs 1E-6/y. Also, the Internal Flooding N None ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Flooding PRA.

PRAs addressing internal fire have indicated this hazard typically results in CDFs 1E-6/y. Also, the Internal Fire N None ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Fire PRA.

Not applicable to the site because of Landslide Y C3 topography.

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 9 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Lightning strikes causing loss of offsite power or turbine trip are contributors to the initiating event frequencies for these events.

Lightning Y C1 However, other causes are also included. The impacts are no greater than already modeled in the internal events PRA.

Low Lake Level or Not applicable to the site because of Y C3 River Stage location.

Extended freezing temperatures are Low Winter C1 rare, the plant is designed for such Y

Temperature C5 events, and their impacts are slow to develop.

The frequency of meteorites greater Meteorite or Satellite than 100 lb striking the plant is Y PS4 Impact around 1E-8/y and corresponding satellite impacts is around 2E-9/y.

Pipelines are not close enough to Pipeline Accident Y C3 significantly impact plant structures.

Release of Chemicals Plant storage of chemicals meets Y PS2 in Onsite Storage 1975 SRP requirements.

Not applicable to the site because of River Diversion Y C3 location.

The plant is designed for such C1 events. Also, a procedure instructs Sand or Dust Storm Y C5 operators to replace filters before they become inoperable.

Not applicable to the site because of C3 Seiche Y location. Onsite reservoirs and C1 spray ponds designed for seiches.

PRAs addressing seismic activity have indicated this hazard typically results in CDFs 1E-6/y. Also, the ASME/ANS PRA Standard requires a Seismic Activity N None detailed PRA or Seismic Margins Assessment (SMA) for this hazard which is addressed in the PVNGS Seismic PRA.

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 9 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

The event damage potential is less than other events for which the C1 Snow Y plant is designed. Potential flooding C4 impacts covered under external flooding.

The potential for this hazard is low at the site, the plant design Soil Shrink-Swell C1 Y considers this hazard, and the Consolidation C5 hazard is slowly developing and can be mitigated.

Not applicable to the site because of Storm Surge Y C3 location.

Toxic gas covered under release of chemicals in onsite storage, Toxic Gas Y C4 industrial or military facility accident, and transportation accident.

Potential accidents meet the 1975 SRP requirements. Bounding analyses used for offsite rail PS2 shipment of chlorine gas and onsite Transportation PS4 truck shipment of ammonium Y

Accident C3 hydroxide. Marine accident not C4 applicable to the site because of location. Aviation and pipeline accidents covered under those specific categories.

Not applicable to the site because of Tsunami Y C3 location.

Turbine-Generated Potential accidents meet the 1975 Y PS2 Missiles SRP requirements.

Not applicable to the site because of Volcanic Activity Y C3 location.

Waves associated with adjacent large bodies of water are not C3 Waves Y applicable to the site. Waves C4 associated with external flooding are covered under that hazard.

Note 1 - See Attachment 10 for descriptions of the screening criteria.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 10 Progressive Screening Approach for Addressing External Hazards Attachment 10 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments NUREG/CR-2300 C1. Event damage potential Initial Preliminary and ASME/ANS is < events for which plant Screening Standard RA-Sa-is designed.

2009 C2. Event has lower mean NUREG/CR-2300 frequency and no worse and ASME/ANS consequences than other Standard RA-Sa-events analyzed. 2009 NUREG/CR-2300 C3. Event cannot occur and ASME/ANS close enough to the plant Standard RA-Sa-to affect it.

2009 NUREG/CR-2300 Not used to screen.

C4. Event is included in the and ASME/ANS Used only to definition of another event. Standard RA-Sa- include within 2009 another event.

C5. Event develops slowly, allowing adequate time to ASME/ANS eliminate or mitigate the Standard threat.

PS1. Design basis hazard ASME/ANS Progressive cannot cause a core Standard RA-Sa-Screening damage accident. 2009 PS2. Design basis for the NUREG-1407 and event meets the criteria in ASME/ANS the NRC 1975 Standard Standard RA-Sa-Review Plan (SRP). 2009 PS3. Design basis event NUREG-1407 as mean frequency is < 1E- modified in 5/y and the mean ASME/ANS conditional core damage Standard RA-Sa-probability is < 0.1. 2009 NUREG-1407 and PS4. Bounding mean CDF is ASME/ANS

< 1E-6/y. Standard RA-Sa-2009 1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 10 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments Screening not successful. NUREG-1407 and PRA needs to meet ASME/ANS Detailed PRA requirements in the Standard RA-Sa-ASME/ANS PRA Standard. 2009 2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time ATTACHMENT 11 Disposition of Key Assumptions/Sources of Uncertainty Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The only plant system SBOGs can be aligned to The existing PRA model modeled in the PRA that is multiple units to supply conservatively does not shared between the three limited loads. credit SBOGs in more than units is the station one unit. Therefore, no blackout generators sensitivity analysis is (SBOGs). Simultaneous required for this application.

multiple unit station blackout conditions are screened out based on low probability. SBOGs are assumed aligned to one unit only during an event.

1

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Reactor Coolant Pump RCP Seal Leak or Rupture is No sensitivity analysis is (RCP) Seal Leak or not modeled as a loss of required for this application.

Rupture RCS Inventory safety function. Based on Westinghouse WCAP-15749 (Reference 1) and pump seal vendor information, it was concluded that because of the very tight clearances, leakage into the seal package from the RCS is limited to about 17 gpm per pump. Each of the four RCPs has a seal package which consists of three seals. As a result, even if the seal package on all four RCPs failed, the total leak rate would be within the capacity of two charging pumps and does not qualify as a LOCA.

An analysis showed that continuing to model RCP seal leakage and requiring charging pumps to mitigate the leakage represented an insignificant contribution to CDF or LERF, even assuming one of the three seals on each pump failed. The analysis also showed that modeling catastrophic failure due to operator failure to secure the pumps upon loss of cooling and seal injection was an insignificant contributor to CDF or LERF.

2

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Loss of Coolant Accident NUREG/CR-6928 (Reference The slight variance in the (LOCA) Frequencies 2) restated the results from range of break sizes for NUREG-1829 (Reference 3). different LOCAs is not The LOCA frequencies are significant and is judged to based upon expert have minimal impact on elicitations. The LOCA sizes LOCA frequencies, within identified by the NRC are the uncertainties associated different from those with the expert elicitation estimated for PVNGS. values, and of insignificant impact. Therefore, no sensitivity analysis is required for this application.

Loss of Off-site Power The national LOP data The LOP frequencies are (LOP) Frequency presented in the latest EPRI based on recent industry events reports referenced in data and are appropriate to PRA Study 13-NS-C004 represent plant-specific (Reference 4) was used to conditions. SBOGs, as well obtain point-estimates for as other additional electric switchyard centered and power supplies, are severe weather related LOP available on site to mitigate frequencies. The EPRI LOP. Therefore, no Reports indicate that the sensitivity analysis is generic LOP data is subject required for this application.

to user modifications and screenings to fit the local plant designs and environmental conditions.

This approach of LOP screening is considered reasonable and necessary to avoid erroneous skewing of the LOP data. The frequency of extreme weather LOP category was obtained as that of the frequency of tornado occurrence with category F2 or higher. The frequency of grid related LOP was obtained by Bayesian updating the reported value for western region (Western Electricity Coordinating Council) in the Draft NRC NUREG/CR-INEEL/EXT-04-02326 (Reference 5).

3

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Loss of Off-site Power The probabilities of offsite The offsite power non-(LOP) at Switchyard power non-recoveries were recovery probabilities are Associated Non-Recovery obtained from Table 4-1 of based on the best available Probabilities the draft NRC NUREG/CR- data and are appropriate to INEEL/EXT-04-02326 represent plant-specific (Reference 5). The error conditions. SBO diesel factors associated with LOP generators, as well as other frequencies and LOP non- additional electric power recovery probabilities were supplies, are available on obtained from draft NRC site to mitigate LOP.

NUREG/CR-INEEL/EXT Therefore, no sensitivity 02326 (Reference 5) (when analysis is required for this provided); otherwise, by application.

using available in-house statistical programs for lognormal and Weibull distributions.

Battery Life Assumptions The PVNGS batteries are not Crediting the actual higher credited in the long term, capacities of the batteries because they are and updated load shedding conservatively assumed to actions from Fukushima be discharged after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months driven procedure changes per calculation 01-EC-PK- would result in additional 0207. Although the IEEE mitigation capabilities made Class 1E batteries are available. Therefore, no designed to operate for 2 sensitivity analysis is hours, Engineering has required for this application.

determined that the class batteries' life is at least 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months in calculation 01-EC-PK-0207. Thus they are available for power recovery at the 3-hour point on the incident timeline.

4

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Human Failure Events Accessibility for completion A sensitivity analysis was (HFEs) during a seismic of non-screened human performed evaluating the event failure events (HFE) during impact of not crediting the a seismic event is assumed subject HFEs and there was possible for all non-screened minimal impact on the CDF HFEs besides those which and LERF. Therefore, no are assumed to fail in the additional sensitivity case where the corridor analysis is required for this building or turbine building application.

collapses. Both the collapse of the corridor building and turbine building and their impact on the access to the Main Steam Support Structure is considered in the Seismic PRA model.

There is a pinch point that leads into the MSSS that could restrict movement into the MSSS which would prevent local MSSS actions from being performed.

Seismic performance Seismic-only PSFs applied to This is considered a shaping factors (PSFs) the internal events HEPs will conservative assumption.

with respect to seismic- over-ride the flooding PSFs Therefore, no sensitivity induced flooding. based on the consideration analysis is required for this that the seismic events are application.

more global events than the specific flooding events. No additional modifications are made to the internal events HEP to consider the possibility of seismic-induced flooding events.

5

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The Seismic PRA HFE The Seismic PRA The modification of the dependency analysis dependency analysis timing available due to assumes that once an seismic considerations may accident sequence is result in a longer response initiated, the operator action or identification time and timing for a seismically consequently a higher HEP.

induced event is similar to A sensitivity analysis was that of an internally induced performed in the seismic event for main control room PRA quantification actions. increasing the failure probability all HEPs to 1.0, resulting in a 39.36%

increase in CDF. For this application, the seismic risk contribution from the emergency diesel generator unavailability is only 5.5%

of the total ICCDF and 5.1%

of the total ICLERF.

Therefore, no sensitivity evaluation is required for this application.

Seismic PRA Weighting There is no standardized More emphasis was given to factors applied to three method to calculate human the Surry method since it approaches error probabilities (HEP) in a was a selective combination seismic PRA. Therefore, a of previous approaches and mean HEP for each basic the most recently performed event was calculated by and published method.

combining three accepted However, the Surry method approaches (Surry, has the potential to be the Kernkraftwerk Muhleberg least conservative approach (KKM), and Swiss Federal among the three methods. A Nuclear Safety Inspectorate sensitivity analysis was (ENSI)) using the following performed that ran the weighting factors: 0.7, 0.15, Seismic PRA model using 0.15, respectively. only the KKM and ENSI approaches, equally weighted. The change in CDF and LERF was -1.63%

and 0.42%. Therefore, no additional sensitivity analysis is required for this application.

6

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Relay chatter correlation Relay chatter between This is a conservative relays of the same assumption because the manufacturer, model demand experienced by a number, and plant location, relay is dictated by in-i.e., building and elevation cabinet response and not were assumed to be fully the in-structure response correlated. Also, each relay spectra (ISRS) which the identified as a control binning is based. Therefore, switch, push button, or no sensitivity analysis is motor starter are fully required for this application.

correlated with other generic, like components.

Simplified Relay Fragility Low risk importance relays This assumption is Parameters (based on Risk Achievement reasonable given that none Worth) were treated with a of the c values for the simplified fragility analysis relays evaluated using the and higher importance detailed fragility analysis relays (10 different types) were determined to have a were treated with a detailed c below 0.33 and most had fragility analysis. The c of around 0.5.

simplified relay chatter Therefore, no sensitivity fragility analysis assumed a analysis is required for this c of 0.35 based on application.

engineering judgment.

Seismic failure of relays For the relays modeled in PRA analyst experience is and basic event mapping the Seismic PRA, the basic credited in the selection of event associated with the the appropriate internal seismic failure of the relay events PRA model must be mapped to an component failure modes to existing internal events reflect postulated seismic target basic event. A key PRA model component source of modeling failure modes. This uncertainty is associated selection was performed by with the mapping of seismic Westinghouse PRA seismic basic events. Failure modes experts and reviewed by postulated for the PVNGS APS PRA engineers.

internal events model may Therefore, no sensitivity not fully align with their analysis is required for this assigned seismic application.

counterparts.

7

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Seismic PRA uses internal The PVNGS Seismic PRA The internal events PRA that events PRA as a starting assumes that the internal was used to develop the point events PRA that is used as a Seismic PRA was evaluated starting point meets the separately for its PRA requirements of Capability quality and was determined Category II of the PRA to meet Capability Category standard. II of the PRA standard.

Therefore, no sensitivity analysis is required for this application.

Success criteria for If not otherwise specified, The base case Seismic PRA Seismic PRA the success criteria uses a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time associated with the internal for the run time of events PRA logic are mitigating equipment. A considered valid and sensitivity case was applicable to accident developed to assess the sequences initiated by a impact of using a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months seismic event. However, a mission time for equipment standard 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission run failures. The change in time may not be suitable for overall CDF and LERF for a seismic-induced accident this case is 2.73% and scenario because of the 0.69%, respectively.

longer time needed for Therefore, no additional offsite power recovery. sensitivity analysis is required for this application.

Seismic failure correlation Seismic failures are Overall, the main feedwater assumed to be completely fragility has the same correlated. This assumption generic value as the implies that a single basic steamline fragility (0.21g).

event is used to model the Since a variety of seismic failure of components in multiple components that are locations/elevations in the identified as pertaining to Turbine Building are the same fragility. Theres potentially involved with a one exception to this where variety of boundary failures in the steam path in conditions and anchorage the Turbine Building are not conditions, the two basic considered correlated with events associated with main failures of the feedwater feedwater and steamlines lines. fragility events should not realistically be correlated and this treatment was reviewed in the peer review.

Therefore, no sensitivity analysis is required for this application.

8

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Seismically induced Loss of The seismically induced LOP The basis for this Offsite Power (LOP) is assumed to bound the assumption is that fragility of non-seismic class seismically induced LOP has system. This assumption a generally low seismic implies that a number of capacity. Scenarios where non-seismic class systems the non-seismic support are not addressed with a systems incur seismically specific seismic failure. induced failures while offsite power is still available are considered realistic only for very low magnitude seismic events. Therefore, the most significant mitigating equipment will still be available. This is considered a conservative assumption.

Therefore, no sensitivity analysis is required for this application.

Seismic PRA LOP recovery In the Seismic PRA, LOSP It is realistic to consider that recovery is not credited for offsite power recovery is any seismic event above the available for low magnitude safe shutdown earthquake seismic events. The (SSE), while it is credited selection of the SSE as a with unchanged probability threshold between for a seismic event below recovery/no-recovery of the SSE. offsite power is arbitrary and conservative. Therefore, no sensitivity analysis is required for this application.

9

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Screening of equipment in Screening of equipment in Using a surrogate event for the Seismic Equipment List the Seismic Equipment List a number of components (SEL) (SEL) is based on fragility that have been screened out analysis. Equipment introduces a conservative screened by the fragility failure mode. The team as inherently rugged is uncertainty introduced by not modeled in the Seismic the use of surrogate PRA for their seismic equipment for the seismic induced failure. In order to class I system is judged to quantitatively capture the have a limited impact on the impact of screened out model. Therefore, no equipment, generic fragility sensitivity analysis is parameters for the building required for this application.

that housed the screened out equipment were used.

The screened equipment are modeled through a surrogate basic event at a system level.

Operators tripping the It is assumed that the This is considered a reactor above operating operators will always trip conservative assumption.

basis earthquake (OBE) the reactor in case of a Therefore, no sensitivity seismic event above OBE if analysis is required for this even the option for a application.

controlled shutdown is allowed.

Train N Auxiliary The AFN Pump is assumed A sensitivity case was Feedwater (AFN) Pump to remain functional with developed to assess the (AFN) is assumed to small breaks or leaks at uncertainty in crediting the remain functional following instrument tubing. The AFN pump and not the a design basis earthquake fragility analysis associated associated piping network.

with the AFN Pump only The capacity of the AFN addresses the pump and not pump was reduced to the the entire piping network. same system level fragility parameters associated with the instrument air system.

CDF and LERF increased by 0.08% and 0.03% and indicates little significance of uncertainty in this simplification of the analysis. Therefore, no additional sensitivity analysis is required for this application.

10

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Main steam line relief Main steam line relief valves A sensitivity case is valves not explicitly are screened out of the developed to assess the included in the SEL. analysis on the basis that impact of this assumption. A the steam generator and fully dependent seismic related piping & valves are failure across all 20 relief considered very rugged. For valves is modeled. CDF and this reason, the seismic LERF values did not change failure of the main steam when compared to the base line relief valves is not case results. This indicates modeled. that no significant uncertainty. Therefore, no additional sensitivity analysis is required for this application.

Structural failures of Structural failures of This is a conservative buildings building are assumed to assumption since the result in major collapse and fragility parameters failure of all equipment provided are addressing the hosted inside the building. beginning of the structural failure, and a failure of limited areas of the building may result in failure of only a limited number of equipment inside the building. The most significant example of this assumption is the structural failure of the Turbine Building assumed to be also impacting and failing the CST tunnel. Therefore, no sensitivity analysis is required for this application.

The Anticipated Transient The ATWS logic for seismic Moderator Temperature Without Scram (ATWS) PRA assumes that the RCS Coefficient (MTC) and ATWS logic for seismic PRA pressure will be above the pressure transient are not HPSI shutoff head for only a influenced by the fact that short period of time. the event is initiated by a seismic event rather than a spurious failure. Therefore, the success criteria developed for the internal events ATWS are considered valid for the seismic PRA.

Therefore, no sensitivity analysis is required for this application.

11

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty All flood scenarios on the A cutset review showed that This is a conservative 40ft and 51ft elevations of the contribution of Fire approach and should not the Auxiliary Building Protection (FP) initiators is have a significant impact on assumes that a pipe failure very low and that the the baseline Internal Flood drains the Refueling Water Internal Flood results are model. Therefore, no Tank (RWT). not being skewed by this sensitivity analysis is conservatism. required for this application.

A single internal events Since there are no It is a realistic assumption PRA model was developed significant differences that the Unit 1 SSC to quantify the plant flood between the units, the Unit designators are used, since risk for multiple units. 1 System, Structure, or there are no major Component (SSC) differences between the designators were used. It three units in terms of was therefore assumed that internal flood. Therefore, no the quantification results are sensitivity analysis is applicable to all units. required for this application.

All components within a This is a conservative This is a conservative flood area where the flood assumption that simplifies approach that simplifies the originates were assumed the impacted component impacted component list.

susceptible and failed as a list. Uncertainty exists Therefore, no sensitivity result of the flood, spray, where exactly the flood analysis is required for this steam, jet impingement, would occur, the impact due application.

pipe whip, humidity, to the geometry of the room condensation and and equipment, and the temperature concerns direction of the spray or except when component splash for a given scenario.

design (e.g., This assumption raises CDF.

waterproofing) spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect.

Block walls are not Unless a treatment is non- This has no impact and is of credited in the analysis conservative, the block walls low consequence. Therefore, and are treated as typical are analyzed on an no sensitivity analysis is plant walls. individual basis. The amount required for this application.

of water that could flow through the gaps is unknown. This has no impact as there were no scenarios where the failure of block walls would lead to a non-conservative treatment.

12

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Breaks in pipes less than The basis for this This is a conservative or equal to two inches in assumption is as follows: approach. Therefore, no equivalent diameter were 1. Provides a practical limit sensitivity analysis is only considered if the to bound the scope of the required for this application.

break would directly result analysis to potentially large in a plant trip or result in a flow rate and significant flood induced equipment consequence events.

failure that would result in 2. Pipe sizes of less than or a plant trip or immediate equal to two inch diameter shutdown. do not accurately reflect plant fluid system flood impacts (i.e. two inch diameter pipes produce significantly smaller flood rates).

3. At low flow rates, typical of pressure boundary failure in pipes less than or equal to two inches, the operator response time is longer and less stressful. Such conditions enhance operator actions significantly to successfully mitigate the breaks in small bore pipes.

However, piping less than two inches in diameter is considered on an individual basis when necessary for spray and flooding events.

Specifically these events are considered in rooms without drains. Piping less than two inches was also considered for spatially specific spray events, however none were modeled and a detailed discussion of the possible events are documented.

Closed-loop systems and This is a conservative This is a conservative tanks were assumed to approach that allows for the approach. Therefore, no instantaneously release consideration of all sensitivity analysis is the entire system consequences and does not required for this application.

inventory require time based calculations.

13

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Control Room staff would Human Error Probability This is a conservative be unable to respond (HEP) and Performance approach. Therefore, no effectively to multiple Shaping Factors (PSF) sensitivity analysis is events immediately adjustments were made required for this application.

following the flooding during the early stages of a event flooding event to account for the additional stress influencing factors. The CDF is higher with this assumption.

No addition to the Control Operator actions to isolate It is a realistic assumption Room crew is credited the flood source are that there would be no early into a flood event required shortly after addition to the Control when assessing human detecting that a Pressure Room crew early into the actions. Boundary Failure (PBF) has flood event when assessing occurred. Often when human actions. Therefore, responding to flood events no sensitivity analysis is operators are responding to required for this application.

multiple alarms.

It is assumed that pipes The assumption is This is a conservative that are larger than 3" conservative as it includes approach. Therefore, no were capable of producing additional piping that may sensitivity analysis is major floods unless it was not be conducive to major required for this application.

determined that the piping flooding. Since, major floods was not capable of are not a major contributor producing a major flood. to the Pressure Boundary Failure frequency, its contribution to risk would be considered minimal.

External tanks were not External tanks that are There is no significant considered as a flood ruptured would not normally impact on the model.

source unless there is a propagate into the plant. Therefore, no sensitivity normally available There were no tanks analysis is required for this pathway into the plant identified in this Internal application.

whereby the tank contents Flood PRA that did not could empty into a room propagate into the plant. It within the main plant was assumed that the structures. impact of an external tank rupture was bounded by the evaluation performed for internal events. Breach of an external tank was assumed to discharge to the yard area and there would be no flood-induced failures of PRA related components.

14

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Floods are assumed to fail Cases in which equipment is It is a realistic assumption all equipment in the deemed as sufficiently high and is of low consequence.

initiating room and then or flood barriers are not Therefore, no sensitivity propagate out of the room expected to retain water to analysis is required for this to surrounding flood areas. sufficient flood levels are application.

treated on an individual basis. Additionally, splitting the flood areas would generate an unreasonable number of scenarios with no added insight. The Top cutsets are not impacted, however if very specific isolation actions were taken this assumption could be significant.

Floods are assumed to Water will flow down the It is a realistic assumption propagate down pipe path of least resistance and is of low consequence.

chases prior than down therefore a pipe chase is the Therefore, no sensitivity stairwells in situations preferred path over a analysis is required for this where pipe chases are not stairwell with a door in application.

surrounded by a curb front.

and/or a door must be opened to enter into the stairwell.

Floods are assumed to The hydrostatic load that a It is a realistic assumption propagate through door can handle is based on and is of low consequence.

doorways which open out, whether the door closes Therefore, no sensitivity away from the initiating against the frame or away analysis is required for this flood area more readily (with relation to the room application.

rather than doorways that the flood initiates). A which open in, towards the door that is against the initiating flood area. frame can withstand a greater load as opposed to away from the door frame.

15

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Floor drains were assumed This assumption is based on It is a realistic assumption to be capable of controlling the expectation that a spray and is of low consequence.

water levels for spray event will not result in a Therefore, no sensitivity events. significant accumulation of analysis is required for this standing water. During plant application.

walkdowns it was observed that drain entrances were maintained in proper working condition and free of debris. Drains were not credited for any flood or major flood events. It was assumed that spurious actuation of system relief valves would discharge a limited amount of inventory to a discharge tank. Such events were screened out as potential flood sources.

Grouping boundary Grouping boundary This is a conservative condition sets for the LERF condition sets for the LERF approach and is of low analysis results in analysis is a conservative consequence. Therefore, no conservative modeling of approach. The LERF sensitivity analysis is the containment isolation contribution of sequences required for this application.

valves. that have been grouped for the LERF analysis and involve failure of containment isolation valves are considered very low.

The piping layout for flood To the extent possible, the It is a realistic assumption sources included in the similarities were confirmed and is of low consequence.

Internal Flood PRA was during the plant walkdowns. Therefore, no sensitivity shown and estimated to be Therefore, Units 2 and 3 analysis is required for this similar for all three units. pipe lengths were assumed application.

to be identical to Unit 1 piping lengths. There are no major differences between the three units.

16

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty It is assumed that if a PBF There are no operator This is a conservative were to occur in the Safety procedures for isolating a assumption and is of low Injection (SI) or Chemical flood event, therefore the consequence. Therefore, no

& Volume Control (CH) most conservative and sensitivity analysis is system piping, that the bounding location to isolate required for this application.

operator would isolate the a flood of the SI or CH is flood at one of the two one of the two pipe headers.

pipe headers connecting By isolating at this point it the Refueling Water Tank results in the loss of at least (RWT) to the CH and SI one train of the ECCS. This systems. does cause a trip. Therefore the overall impact on the model is small.

It is assumed that spurious Spurious actuation of a This is of low consequence.

actuation of system relief system relief valve was not Therefore, no sensitivity valves would discharge a determined to be a credible analysis is required for this limited amount of flood source because the application.

inventory to a discharge inventory that was released tank and such events were would be retained within the screened out as potential flood area and would not flood sources. lead to an applicable initiating event. The risk is considered negligible as this is not considered to be a significant source of inventory.

Limited or no access to an There was no credit taken This is of low consequence.

area where flood initiation for mitigation when the Therefore, no sensitivity occurs was assumed. equipment relied on for analysis is required for this mitigation was located in the application.

flood initiation area.

Operators cannot get into flooded areas.

Only one internal flood The occurrence of It is a realistic assumption initiating event is assumed simultaneous multiple and is of low consequence.

to occur at a time. independent internal flood Therefore, no sensitivity events were considered to analysis is required for this be very unlikely and were application.

not considered in this evaluation. This is consistent with PRA modeling.

17

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The breach of isolation This is a simplifying This is a conservative barrier(s) that may result assumption that has assumption and is of low in a maintenance-induced negligible impact on the consequence. Therefore, no flood event was assumed model. Propagation sensitivity analysis is to have no impact on pathways were made to be required for this application.

altering the propagation conservative for all paths related to other scenarios. Maintenance flooding mechanisms (i.e., induced failures such as pipe failure) for the flood sprinkler heads were source. specifically evaluated as spray events in the flood model where they could lead to a plant trip.

The indirect effects of a Closed looped systems were This is a conservative PBF on the operability of a considered to be normally assumption and is of low closed looped system were operating and provides consequence. Therefore, no considered to be cooling to equipment that is sensitivity analysis is immediate. relied on to maintain the required for this application.

plant in a power production state. It was therefore assumed that operator actions cannot be performed in a timely manner to preclude a plant trip. Most closed loop systems have a limited system capacity. A PBF would drain the system and in most cases an operator action to isolate the PBF would not be feasible. This assumption is conservative and raises CDF.

18

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The spill rate resulting For a potentially unlimited It is a realistic assumption from a PBF of a potential source, a PBF that resulted and is of low consequence.

unlimited flood source that in a spray event (<100 Therefore, no sensitivity causes a spray event is gpm) would take an analysis is required for this low enough (i.e., <100 extraordinary amount of application.

gpm) to have no time to cause a loss of that significant impact on the system. Additionally, given operation of the affected that for most of the large system. nearly unlimited sources the makeup capabilities of the system would generally exceed the flow rate generated by a spray event.

It was therefore assumed that such systems have sufficient design margin to maintain the operability of the system and a plant trip would not occur. Note that for systems with a low system capacity (i.e. the CH system) this assumption was not valid.

19

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The flow rate from a PBF is The spill rate resulting from This is a conservative assumed static at the a PBF of piping is considered assumption and is of low maximum possible rate to be the highest flow rate consequence. Therefore, no and the scenario is only possible from the system or sensitivity analysis is ended when the source piping, and for tank is was required for this application.

was exhausted or isolated. assumed to be constant at an assumed flow rate, and for systems requiring pumps is considered the realistic pump flow rate, for the particular break in the originating flood area until the flood source was isolated or its water supply was limited or exhausted.

The accumulation of flood water in a flood area was considered halted when the flood source was terminated, or when outflow from the flood area matches or exceeds the inflow of flood water to the flood area. A constant maximum spill rate minimizes the time to reach the critical heights for SSCs that are susceptible to flooding.

Spill rates were assumed to fall within the following categories:

Spray events: 100 gpm

Flood events: greater than 100 gpm but less than 2000 gpm (or maximum capacity of the system, whichever is lower)

Major flood events:

greater than 2000 gpm (or the maximum capacity of the system, whichever is lower) 20

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The treatment of main Recovery of feedwater is This is of low consequence steamline break and main important for secondary side since the equipment/

feedwater line break heat removal. The internal components failed in the internal events analysis events analysis was believed internal events model is was assumed to address to provide sufficient analysis bounding. Feedwater line the impact of these events to be used in the internal breaks impact alternate in assessing whether main flooding model. feedwater, steam to feedwater can be auxiliary feedwater pump recovered following a A, turbine bypass valves and reactor trip. main feedwater. Steamline breaks impact auxiliary feedwater to the faulted steam generator (SG),

steam supply to auxiliary feedwater pump A, main feedwater and turbine bypass valves. Additionally, the atmospheric dump valves for steam line break and feedwater line break associated with the faulted SG would be impacted, but are not credited for the faulted SG. Therefore, no sensitivity analysis is required for this application.

It was assumed that The flood HRA dependency This is of low consequence.

minimal or no dependency analysis did not include Therefore, no sensitivity existed between flood- large early release specific analysis is required for this specific and large early HFEs. HFEs specific to large application.

release specific Human early releases (i.e., post-Failure Events (HFEs). core damage operator actions) are generally performed several hours after the initiating event occurs.

No dependency between early and late operator actions. There is no impact on the model.

21

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The fire areas defined by Fire areas are required by It is a realistic assumption the Fire Hazards Analysis regulation to be sufficiently and is of low consequence.

(which is contained in the bounded to withstand the Therefore, no sensitivity UFSAR, Sections 9B.2.1 hazards associated with the analysis is required for this through 9B.2.22) will area as defined in Generic application.

substantially contain the Letter 86-10 (Enclosure 1 adverse effects of fires Section 4). Fire zone originating from any boundaries are similarly currently installed fixed assumed adequate; ignition source or however, because fire zones reasonably expected have a lesser pedigree than transient ignition source. fire areas, their boundaries Fire zone boundaries are are verified adequately in similarly assumed this notebook by a FHA adequate or combined. review and plant walkdowns. Fire zone boundaries that appear unable to withstand the fire hazards within the zone are combined. The fire PRA utilizes fire compartments which generally align with fire zones, but may be a combination of several fire zones.

22

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Systems and equipment The assumption that any fire It is a realistic assumption not credited in the fire- fails all equipment lacking and is of low consequence.

induced risk model (e.g., cable routing information Therefore, no sensitivity systems for which cable has the potential to affect analysis is required for this routing will not be the assessed fire risk. The application.

performed) are assumed assumption that any fire will to be failed in the fire- minimally result in a loss of induced risk model. These Main Feedwater and systems and equipment subsequent reactor trip are failed in the worst likely adds conservatism to possible failure mode, the Fire PRA results.

including spurious However, the degree of operation conservatism is relatively small compared with other It is assumed that any fire modeling uncertainties, will minimally result in a since Main Feedwater will loss of Main Feedwater and trip for most transient subsequent reactor trip. events.

This is a simplifying and conservative assumption The impact of these and is typical of Fire PRAs. assumptions was evaluated However, it may not be by a sensitivity analysis case true for all fires. which concluded that the risk reduction due to crediting all components assumed always failed was small.

It is assumed that the RPS design is sufficiently It is a realistic assumption Reactor Protection System fail-safe and redundant to and is of low consequence.

(RPS) design is sufficiently preclude fire-induce failure The low frequency of a fire fail-safe and redundant to to scram: Consistent with occurring coincident with the preclude fire-induce failure the guidance in NUREG/CR- low probability of to scram, or random 6850 Section 2.5.1, type of independent failure to scram failure to scram during a sequences that can be results in a negligible fire event, as a risk generally eliminated from contribution to fire risk.

significant contributor. consideration in Fire PRA Therefore, no sensitivity include sequences for which analysis is required for this a low frequency argument application.

can be made, and uses ATWS as a specific example, because fire-induced failures will almost certainly remove power from the control rods, resulting a trip, rather than cause a failure to scram condition.

23

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Properly sized and Electrical protection design This is a conservative coordinated electrical calculations provide the approach because credited protective devices are documentation of the cable lengths have a margin assumed to function within electrical coordination of 20% or more applied to their design tripping between overcurrent the credited cable lengths to characteristics, thus protective devices. An ensure that applicable preventing initiation of evaluation was performed to raceways were identified.

secondary fires through assess the Fire PRA power Additionally, the fire-induced circuit faults created by supply coordination impact is modeled within the the initiating fire. requirements in accordance credited cable length.

with NUREG/CR 6850, and Therefore, no sensitivity provides a link to relevant analysis is required for this PVNGS electrical application.

coordination calculations that demonstrate selective tripping capability for each credited Fire PRA power supply. When selective tripping cannot be demonstrated, the current fire PRA model credits cable lengths to limit fault current that fails a power supply.

24

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty It is assumed that Fire PRA All raceways containing It is a realistic assumption targets were assigned the cables were assigned a and is of low consequence.

appropriate radiant heat radiant heat flux damage It was concluded that flux damage and threshold of 6kW/m2 and minimal benefit could be temperature damage 205 °C. Raceways obtained by further analysis criteria depending on the containing cables with to identify and model cable insulation thermoset insulation only raceways containing only information available. In may be assigned a radiant thermoset insulation.

other words, all raceways heat flux damage threshold Therefore, no sensitivity containing cables with of 11 kW/m2 and 330 °C analysis is required for this thermoplastic or unknown but have been initially application.

cable insulation were assigned the thermoplastic assigned a radiant heat damage thresholds. A brief flux damage threshold of review of the dominant 6kW/m2 and 205 °C. All scenarios identified the raceways containing cables existence of thermoplastic with thermoset insulation insulated cables within the only may be assigned a target raceways.

radiant heat flux damage threshold of 11 kW/m2 and 330 °C but have been initially assigned the thermoplastic damage thresholds.

25

Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Planned plant This approach introduces This assumption that the modifications and recovery uncertainty in the results, planned plant modifications actions are assumed in the because the actual will be installed and base case model. These modifications may vary for tested/operated as assumed modeled modifications are those assumed or they may in the fire PRA model has assumed to correct the fire not function as modeled. significant impact. The vulnerability and not The assumed modifications assumption is realistic since introduce any new failure are documented in the Fire the PRA analysis provided modes. PRA studies. Plant and details to the design model configuration and modifications group in control mechanisms are in developing the plant place to ensure that the fire modifications and model will be updated to procedures. Therefore, no reflect the as-installed sensitivity analysis is modifications. One specific required for this application.

planned plant modification is the installation of an additional Steam Generator makeup capability to address Fire PRA risk. A sensitivity was performed that removes this modification from the model

References:

1. WCAP-15749, Guidance for the Implementation of the CEOG Model for Failure of RCP Seals Given Loss of Seal Cooling, Revision 0, December 2008

2. NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, January 2007

3. NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies through the Elicitation Process, Draft

4. 13-NS-C004, At-Power PRA Study for Loss Of Offsite Power Statistical Evaluation, Revision 7

5. NUREG/CR-INEEL/EXT 04-0236, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1986-2003, October 2004 26

v t e Letter Sequence Request
CAC:MF9019, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5B (Approved, Closed)
Initiation Request, Request, Request Acceptance... Administration Meeting, Meeting Questions 2 January 2017 Answers 2 January 2017 Results Approval, Approval, Approval, Approval Other:
MONTHYEAR2016-12-30 [Table View]

ML16356A689

Text

Dear Sirs:

Subject:

Enclosures:

SUMMARY

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY EVALUATION

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

SUMMARY

3.0 BACKGROUND

8.2.2 Analysis

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY EVALUATION

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

Reference:

1.0 INTRODUCTION

3.0 REFERENCES

References:

References:

References:

Navigation menu

Search