Text

Emergency License Amendment Request to Extend Diesel Generator 3B Completion Time
	ML16365A240
Person / Time
Site:	Palo Verde
Issue date:	12/30/2016
From:	Lacal M; Arizona Public Service Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	102-07411-MLL/TNW
	Download: ML16365A240 (160)
	v • d • e

10 CFR 50.90 MARIA L. LACAL Senior Vice President, Nuclear Regulatory & Oversight Palo Verde Nuclear Generating Station 102-07411-MLL/TNW P.O. Box 52034 Phoenix, AZ 85072 December 30, 2016 Mail Station 7605 Tel 623.393.6491 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Unit 3 Docket No. STN 50-530 Renewed Operating License No. NPF-74 Emergency License Amendment Request to Extend Diesel Generator 3B Completion Time By letter number 102-07406, dated December 21, 2016 [Agency Documents Access and Management System (ADAMS) Accession Number ML16356A689], and supplemented by letter number 102-07410 (ADAMS Accession Number ML16356A715), dated December 23, 2016, Arizona Public Service Company (APS) submitted a deterministic license amendment request (LAR) to extend the Technical Specification (TS) required action 3.8.1.B.4 completion time from 10-days to 21-days for the purpose of collecting and analyzing data associated with the diesel generator engine failure and continue repair of the Unit 3 train B emergency diesel generator (3B DG). The NRC staff issued license amendment number 199 for Unit 3 by letter dated December 23, 2016 (ADAMS Accession Number ML16358A676).

As part of the LAR, APS indicated that after analysis of causal information and if there was a determination that there is no common mode failure potential for the Unit 3 train A DG, a risk-informed LAR would be submitted for the duration of the repair and testing of the 3B DG.

Disassembly and inspection of the damaged 3B DG has been aggressively and continuously pursued since initial failure on December 15, 2016. APS established an Outage Control Center (OCC) to schedule, manage and oversee the work activities needed for the repairs.

Multi-discipline teams were formed to assess the extent of damage, inspect and recover parts, and determine the cause of failure. APS has determined that the cause of failure of the 3B DG is attributed to high cycle fatigue and that the mode of failure is not common to the A train DG in Unit 3 or the DGs in Units 1 and 2.

Therefore, in accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), APS is submitting an emergency risk-informed LAR for an extension of the completion time described in TS 3.8.1.B.4 for the Palo Verde Nuclear Generating Station (PVNGS) 3B DG. Specifically, the emergency risk-informed LAR would extend, on a one-time basis, the TS required action 3.8.1.B.4 completion time from 21-days to 62-days for the purpose of completing repairs and testing to re-establish operability of the 3B DG.

A member of the STARS Alliance LLC Callaway

Diablo Canyon

Palo Verde

Wolf Creek

102-07411-MLL/TNW ATTN: Document Control Desk U. S. Nuclear Regulatory Commission LAR to Extend Diesel Generator 3B Completion Time Page 2 The enclosure to this letter provides a description and assessment of the proposed change including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration, and an environmental consideration. The enclosure also contains eighteen attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean) TS page. No TS Bases changes are proposed for this LAR. provides the compensatory measures and commitments associated with the LAR and Attachment 4 provides a summary of the causal evaluation. Attachments 5 through 15 provide information to demonstrate that the quality and level of detail of the PRA model used for this risk-informed LAR meet the NRC requirements in Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2. Attachments 16 and 17 address specific risk-based technical concerns that were brought up during the pre-submittal conference call held on December 29, 2016. Attachment 18 is a summary description of the 3B DG Repair and Testing Schedule.

In accordance with the PVNGS Quality Assurance Program, the Plant Review Board and the Offsite Safety Review Committee have reviewed and approved this emergency LAR. By copy of this letter, this LAR is being forwarded to the Arizona Radiation Regulatory Agency in accordance with 10 CFR 50.91(b)(1).

APS requests approval of the LAR on an emergency basis prior to the expiration of the current 21-day completion time, which expires at 3:56 am on January 5, 2017. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

Should you have any questions concerning the content of this letter, please contact Thomas Weber, Department Leader, Nuclear Regulatory Affairs, at (623) 393-5764.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on : December 30, 2016 (Date)

Sincerely, Andrews, George Digitally signed by Andrews, George W(Z99748)

DN: cn=Andrews, George W(Z99748)

Reason: I am approving this document for Maria W(Z99748) Lacal Date: 2016.12.30 17:41:35 -07'00' MLL/TNW/CJS/af

Enclosure:

Description and Assessment of Proposed License Amendment cc: K. M. Kennedy NRC Region IV Regional Administrator S. P. Lingam NRC NRR Project Manager for PVNGS M. M. Watford NRC NRR Project Manager C. A. Peabody NRC Senior Resident Inspector for PVNGS T. Morales Arizona Radiation Regulatory Agency (ARRA)

Enclosure Description and Assessment of Proposed License Amendment Enclosure Description and Assessment of Proposed License Amendment

Enclosure Description and Assessment of Proposed License Amendment TABLE OF CONTENTS 1.0

SUMMARY

DESCRIPTION 2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications 2.2 Need for Proposed Change 2.3 Basis for Duration of Completion Time Extension

3.0 BACKGROUND

3.1 System Description 3.2 Cause Summary

4.0 TECHNICAL ANALYSIS

4.1 Deterministic Evaluation (Defense-in-Depth) 4.2 Safety Margin Evaluation 4.3 Evaluation of Risk Impacts 4.3.1 Tier 1: Probabilistic Risk Assessment Capability and Insights 4.3.2 Tier 2: Avoidance of Risk Significant Plant Configurations 4.3.3 Tier 3: Risk Informed Configuration Management 4.4 Review of Surveillance Tests 4.5 Operator Training

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements 5.2 Precedent 5.3 Emergency Circumstances 5.4 No Significant Hazards Consideration 5.5 Conclusion

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

ATTACHMENTS

1. Marked-up Technical Specifications Page

2. Revised Technical Specifications Page (Clean Copy)

3. Compensatory Measures and Commitments

4. Causal Evaluation of Unit 3 DG Failure

5. Status of Plant Modifications and Evaluations Credited in the PRA

6. Unit 3 Baseline Average Annual CDF/LERF

7. ICCDP and ICLERP for One-Time Technical Specification Change i

Enclosure Description and Assessment of Proposed License Amendment

8. Internal Events PRA Peer Review A and B Level Findings

9. Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II

10. Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II

11. Seismic PRA Peer Review ASME SRs Not Met to Capability Category II

12. Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II

13. External Hazards Screening

14. Progressive Screening Approach for Addressing External Hazards

15. Disposition of Key Assumptions/Sources of Uncertainty

16. PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016

17. Responses to NRC Technical Concerns Regarding Portable Diesel Generators (DGs) from Pre-Submittal Conference Call of December 29, 2016

18. 3B DG Repair and Testing Schedule i

Enclosure Description and Assessment of Proposed License Amendment LIST OF ACRONYMS ac or AC Alternating Current AFAS Auxiliary Feedwater Actuation Signal AFP Auxiliary Feedwater Pump APS Arizona Public Service Company BOP-ESFAS Balance of Plant Engineered Safety Features Actuation System BTP Branch Technical Position CDF Core Damage Frequency CFR Code of Federal Regulations DC Direct Current DG Diesel Generator ESF Engineered Safety Feature ESFAS Engineered Safety Features Actuation System GDC General Design Criterion GSI Generic Safety Issue hp Horsepower HPSI High Pressure Safety Injection ICCDP Incremental Conditional Core Damage Probability ICLERP Incremental Conditional Large Early Release Probability kV kilovolts (1,000 volts)

LAR License Amendment Request LCO Limiting Condition for Operation LERF Large Early Release Frequency LOCA Loss of Coolant Accident LOOP Loss of Offsite Power LPSI Low Pressure Safety Injection MCC Motor Control Center PVNGS Palo Verde Nuclear Generating Station RCP Reactor Coolant Pump SBO Station Blackout SBOG Station Blackout Generators SIAS Safety Injection Actuation Signal SR Surveillance Requirement TS Technical Specification UFSAR Updated Final Safety Analysis Report ii

Enclosure Description and Assessment of Proposed License Amendment 1.0

SUMMARY

DESCRIPTION By letter number 102-07406, dated December 21, 2016 [Agency Documents Access and Management System (ADAMS) Accession Number ML16356A689], and supplemented by letter number 102-07410 (ADAMS Accession Number ML16356A715), dated December 23, 2016, Arizona Public Service Company (APS) submitted a deterministic license amendment request (LAR) to extend the Technical Specification (TS) required action 3.8.1.B.4 completion time from 10-days to 21-days for the purpose of collecting and analyzing data associated with the diesel generator engine failure and continue repair of the Unit 3 train B emergency diesel generator (3B DG). The NRC staff issued license amendment number 199 for Unit 3 by letter dated December 23, 2016 (ADAMS Accession Number ML16358A676).

As part of the LAR, APS indicated that after analysis of causal information and if there was a determination that there is no common mode failure potential for the Unit 3 train A DG, a risk-informed LAR would be submitted for the duration of the repair and testing of the 3B DG.

Disassembly and inspection of the damaged 3B DG has been aggressively and continuously pursued since initial failure on December 15, 2016. APS established an Outage Control Center (OCC) to schedule, manage and oversee the work activities needed for the repairs.

Multi-discipline teams were formed to assess the extent of damage, inspect and recover parts, and determine the cause of failure. APS has determined that the cause of failure of the 3B DG is attributed to high cycle fatigue and that the mode of failure is not common to the A train DG in Unit 3 or the DGs in Units 1 and 2.

Therefore, in accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), APS is submitting an emergency risk-informed LAR for an extension of the completion time described in TS 3.8.1.B.4 for the Palo Verde Nuclear Generating Station (PVNGS) 3B DG. Specifically, the emergency risk-informed LAR would extend, on a one-time basis, the TS required action 3.8.1.B.4 completion time from 21-days to 62-days for the purpose of completing repairs and testing to re-establish operability of the 3B DG.

This enclosure provides a description and assessment of the proposed changes including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration, and an environmental consideration. The enclosure also contains fifteen attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean) TS page. No TS Bases changes are proposed for this one-time LAR. Attachment 3 provides the compensatory measures and commitments associated with the LAR and Attachment 4 provides a summary of the causal evaluation. Attachments 5 through 15 provide information to demonstrate that the quality and level of detail of the PRA model used for the risk-informed LAR meet the NRC requirements in Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2. Attachments 16 and 17 address specific risk-based technical concerns that were brought up during the pre-submittal conference call held on December 29, 2016. Attachment 18 is a summary description of the 3B DG Repair and Testing Schedule.

2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications 1

Enclosure Description and Assessment of Proposed License Amendment The following specific TS changes are proposed to extend the completion time on a one-time basis for the PVNGS 3B DG.

TS 3.8.1, Electrical Power Systems, AC Sources - Operating Modify NOTE in the Completion Time column, associated with Required Action B.4 of the TS 3.8.1 Action Table, to read as follows:

NOTE For the 3B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 62 days.

A marked-up TS page is provided in Attachment 1 and a revised TS page (clean copy) is provided in Attachment 2.

2.2 Need for Proposed Change During routine scheduled surveillance testing on December 15, 2016, the PVNGS Unit 3 B train DG was operating partially loaded when the load suddenly decreased and a low lube oil pressure trip occurred. The physical damage was readily apparent to plant operators when responding to the event. Oil and metal debris were observed on the engine room floor and the number nine right cylinder crankcase cover was deformed.

Physical damage was extensive, including but not limited to the number nine master and articulating rod separated and impacted internal areas of the engine base and block.

Both the 9R and 9L pistons, sleeves and associated components were damaged and will require replacement. The counterbalance was also fractured and the crankshaft was damaged at this number nine location. There was damage to the number eight master and articulating rod, including the physical fracture of two studs on the cap. A counterbalance at the number eight location was also fractured and damaged. The number three bearing seating surface was discovered to be cracked.

Current plans to repair the DG will exceed the TS required action completion time of 21 days approved by license amendment 199. Attachment 18 of this enclosure provides a high level schedule of activities planned to restore the 3B DG and perform startup and surveillance testing. APS has determined the cause of the 3B DG failure does not represent a common mode failure potential for the Unit 3 train A DG, and has evaluated the operational risk and is requesting an emergency LAR to extend the completion time to allow completion of repair and testing.

APS requests approval of the LAR on an emergency basis prior to the expiration of the current 21-day completion time, which expires at 3:56 am on January 5, 2017. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

2.3 Basis for Duration of Completion Time Extension The 3B DG sustained extensive damage as a result of the recent failure. The repairs will require substantial disassembly, investigation, repair and/or replacement of damaged components, reassembly and retests. The requested completion time extension will allow for completion of repairs and testing of the 3B DG. Completed activities include 2

Enclosure Description and Assessment of Proposed License Amendment initial visual inspection, damage assessment, parts recovery, removal of the generator, flywheel, and crankshaft, precision alignment checks of the DG internals, removal of pistons, liners and connecting rods, line bore measurements, and block inspection.

Continued repair activities include block repairs and machining, foundation inspection and repairs, installation of a new crankshaft followed by engine, generator, and flywheel re-assemblies, system flushes, startup checks, and retests.

Retest of the 3B DG diesel will begin with several short maintenance runs which include integral monitoring and inspection activities. Then, an over-speed test will be performed followed by a 24-hour loaded run with a 100 percent load reject and a hot restart.

Finally, isochronous load testing will be performed to verify appropriate voltage and frequency response to sequenced loads. The retest activities are scheduled to take approximately 4.5 days.

These activities are described in Attachment 18, which reflects a 56 day duration. The requested required action completion time extension reflects 6 additional days for contingency to address unknowns. APS will restore the 3B DG to operable status as soon as possible.

3.0 BACKGROUND

3.1 System Description Off-Site Power Grid Reliability The off-site power source reliability is described to establish a context of the PVNGS operations. Salt River Project (SRP) operates and maintains the PVNGS 525 kV switchyard, and is the grid operator in the PVNGS area. SRP performs a load flow and dynamic stability (frequency and voltage) study of the grid periodically (typically on a three year frequency). The stability study examines the following conditions per the PVNGS UFSAR section 8.2.2, Analysis:

A permanent three-phase fault on the 525 kV switchyard bus with subsequent loss of the critical 525 kV line.

A sudden loss of one of three PVNGS units with no under frequency load shedding measures in effect.

The sudden loss of the largest single load in Arizona, New Mexico, Southern California, or Southern Nevada.

The stability study also complies with North American Electric Reliability Corporation (NERC) standards, and is one of the Nuclear Plant Interface Requirements (NPIRs). The study shows the grid remains stable in frequency, phase angle, and voltage.

Seven physically independent 525 kilovolt (kV) transmission lines of the Western Interconnection are connected to the Palo Verde Nuclear Generating Station (PVNGS) 525 kV switchyard, as shown in Figure 1. Three 525 kV tie lines supply power from the switchyard to three startup transformers, which supply power to six 13.8 kV intermediate buses (two per unit). Two physically independent circuits supply offsite (preferred) power to the onsite power system of each PVNGS unit.

3

Enclosure Description and Assessment of Proposed License Amendment Each diesel generator is normally connected to a single 4.16 kV safety features bus of a load group. However, there are provisions for connecting both ESF buses to a single diesel generator during emergency conditions. Each load group is independently capable of safely shutting down the unit or mitigating the consequences of a design basis accident.

The diesel generators are physically and electrically isolated from each other. Physical separation for fire and missile protection is provided by installing the diesel generators in separate rooms in a Seismic Category I structure. Power and control cables for the diesel generators and associated switchgear are routed in separate raceways.

The components of the standby power supply system, including related controls, required to supply power to ESF and cold shutdown loads conform to the requirements of General Design Criterion 17, IEEE 308, and IEEE 279 (References 15, 16, and 17).

Station Blackout 10 CFR Part 50.63 requires that each light water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. The PVNGS SBO 16-hour coping evaluation was submitted to the NRC in APS letter 102-05370 (Reference 18), dated October 28, 2005. Supplemental information was provided in APS letter 102-05465 (Reference 19), dated April 19, 2006. The NRC approved the 16-hour SBO coping evaluation in a Safety Evaluation dated October 31, 2006.

The 16-hour coping strategy analysis assumes that one of the two Station Blackout Generators (SBOG), which serves as the Alternate AC (AAC) for PVNGS, is started and connected to the AC distribution system to supply loads in the respective unit during the first hour to allow the analyzed SBO loads to be powered in accordance with administrative or emergency procedures.

Should a SBO occur in any one unit, i.e., a loss of offsite power coincident with the unavailability of both emergency diesel generators in that unit, an AAC power source is available to provide the power necessary to cope with a SBO for a minimum of 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

The PVNGS response to a SBO has been developed in accordance with RG 1.155, Station Blackout, and NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors.

The non-safety related AAC power source consists of two 100 percent capacity SBOGs that can be connected to each unit at switchgear NAN-S03 via the primary winding of the ESF transformer that is normally aligned to the train A 4.16 kV bus. One SBOG is analyzed to supply all required SBO loads, which are located on the A train. The AAC starting system and diesel fuel oil supply is independent from the black-out units power systems and fuel oil supply systems, however, switchgear NAN-S03 at each unit is dependent upon the units non-safety related 125 V direct current (dc) power system.

This dc system is energized from the AAC power source to maintain its operability during the SBO event. The fuel oil storage tank associated with the SBOGs is maintained with sufficient fuel to support full load operation of the two SBOGs for 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

The AAC power system is not normally connected to the onsite power distribution system. Therefore failure of the AAC components cannot adversely affect the Class 1E power systems.

6

Enclosure Description and Assessment of Proposed License Amendment The AAC power system is physically located and physically protected so that an event initiating a SBO will not also affect the AAC system. Connections from the SBOGs to the units are made via cables routed through underground duct banks. Each SBOG has a minimum continuous output rating of 3400 kW at 13.8 kV under worst case anticipated site environmental conditions. This rating is sufficient to provide power to the loads identified as being important for coping with the SBO. Starting and loading of the AAC power system is performed manually; no autostart or automatic loading capability is provided.

The AAC power system is able to be aligned to provide power to Unit 3, however, from a defense-in-depth perspective for this LAR the PVNGS SBOGs are not credited to provide power to the 3B Class 1E 4160 VAC bus. APS has deployed three portable diesel generators at Unit 3 connected to the 4.16 kV AC FLEX connection box that can supply the train B 4.16 kV AC class bus to maintain the same level of defense-in-depth for safe shutdown of the plant.

3.2 Cause Summary This section is a summary of the causal evaluation that supports the risk-informed LAR. Attachment 4 provides a more detailed technical causal and common mode failure evaluation. The causal analysis for the 3B diesel engine has concluded that this engine had a misaligned crankshaft bore that resulted from the 1986 failure. The misalignment of the crankshaft bore resulted in sufficient cyclic stresses at the master rod ligament to initiate and propagate a fatigue crack. It is likely the misalignment also contributed to fretting between the master rod crank pin bore and bearing, contributing to the crack initiation. This crack would then propagate based on the elevated alternating stresses in the engine, which were increased at the crack location because of the misalignment. This eventually led to the cyclic fatigue failure.

Evidence indicates that the DG 3B misalignment was due to the previous connecting rod failures and subsequent in situ repair. The remaining five diesels at PVNGS (DG 1A, DG 1B, DG 2A, DG 2B and DG 3A) have never had a connecting rod failure or any other mechanical event that could have introduced misalignment. Additionally available performance data from the 3A DG does not contain the same variability as the 3B DG.

Therefore, the failure mechanism that caused either of the 1986 or 2016 3B DG failure is not present in the 3A DG or any other PVNGS Emergency Diesel Generator.

As documented throughout this evaluation there is no susceptibility to the DG 3A related to either the flaw and/or stress initiators that contributed to the previous Cooper-Bessemer KSV-20-cyclinder diesel engines in nuclear service. As such, there is no common mode failure to DG 3A.

4.0 TECHNICAL ANALYSIS

4.1 Deterministic Evaluation (Defense-in-Depth)

APS provided a deterministic evaluation to extend the TS required action 3.8.1.B.4 completion time from 10-days to 21-days. This evaluation was provided in APS letter number 102-07406, dated December 21, 2016 (ADAMS Accession Number ML16356A689). NRC approval of the change in license amendment number 199 for 7

Enclosure Description and Assessment of Proposed License Amendment 4.3 Evaluation of Risk Impacts The risk associated with extending the PVNGS Unit 3 one-time Technical Specification 3.8.1 Condition B.4 completion time for the 3B DG from the current 21-days to 62-days has been evaluated with a PRA model that meets all scope and quality requirements in RG 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 11).

4.3.1 Tier 1: Probabilistic Risk Assessment Capability and Insights The baseline Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) contributions from the PRA models are provided in Attachment 6. The total CDF and LERF meet the NRC RG 1.174, Revision 2 (Reference 10) acceptance criteria for risk-informed licensing changes (i.e., CDF less than 1E-4 per year and LERF less than 1E-5 per year). The risk impact associated with a one-time extension is provided in Attachment 7 and meets the acceptance criteria in RG 1.177, Revision 1 (Reference 11) where effective compensatory measures are implemented to reduce the sources of increased risk.

The PRA models used for demonstrating compliance with RG 1.177, Revision 1 (Reference 11) acceptance criteria, did not include quantitative credit for any portable equipment including:

Three portable diesel generators that are deployed at Unit 3 and connected to the 4.16 kV AC FLEX connection box that can supply the train B 4.16 kV AC class bus

A diesel-driven FLEX steam generator (SG) makeup pump that is deployed at Unit 3 The portable equipment was not credited in the risk assessment due to concerns that insufficient reliability data exists for this equipment, and thus RG 1.200 data requirements could not be met until that data became available. However, the portable diesel generators were considered quantitatively in sensitivity analyses requested by the NRC in Attachment 16 to demonstrate actual margin in the risk results from the acceptance criteria in RG 1.177. When doing so, a greater than 50 percent reduction in ICCDP and ICLERP is achieved.

Note that any two of the three portable diesel generators have sufficient capacity to supply train B loads necessary to prevent core damage in any event modeled in the PRA assuming failure of all train A safety systems, with the exception of a loss of coolant accident. Any two of the three portable diesel generators are capable of supplying the same loads as a single SBOG, including a motor-driven auxiliary feedwater pump, based on best-estimate analysis. In the previous LAR, each of the three portable DGs were required to satisfy BTP 8-8 to achieve design basis cold shutdown. The loads were described in Attachment 4 of the the previous LAR. The loads for cold shutdown exceed the required loads for station blackout and FLEX.

In the first pre-submittal meeting with the NRC on the proposed one-time emergency technical specification change request associated with the 3B DG (which ultimately became license amendment 199), a request was made to identify the major differences between the NRC Standardized Plant Analysis Risk (SPAR) model for Palo 9

Enclosure Description and Assessment of Proposed License Amendment Verde and the current APS RG 1.200 PRA model for Palo Verde Unit 3. Those major differences are summarized below:

The Palo Verde PRA model credits the proceduralized manual operation of the train A turbine-driven auxiliary feedwater pump after a loss of DC control power due to train A battery depletion following a loss of all AC power event.

The credit takes into account the longer battery depletion times for the lightly loaded train C and D batteries (less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) that ensure operators have sufficient Control Room instrumentation available to support this action.

An NRC Region IV Senior Reactor Analyst observed the manual operation of this pump without DC control power during a reactor startup in April 2013 in support of a significance determination process (SDP) evaluation of a diesel generator finding. The SDP evaluation ultimately credited this capability and documented observation of this demonstration in an NRC Inspection Report dated August 9, 2013 (Adams Accession Number ML13221A202) (Reference 20).

Palo Verde Unit 3 implemented a significant risk-reducing modification during the fall 2016 refueling outage to cross-tie the site firewater loop to the discharge of the train N auxiliary feedwater pump. Use of this cross-connect is proceduralized in the emergency operating procedures and is further described in a Unit 3 Operations Night Order to emphasize the importance of timely use of this success path if necessary to prevent core damage. This modification enables any one of three 100 percent capacity firewater pumps (one electric-driven and two diesel-driven) to provide sufficient low pressure steam generator makeup to prevent core damage within 75 minutes of a loss of all feedwater event based on best-estimate thermal-hydraulic analysis. A hydraulic analysis of the flow path from the firewater pumps to the steam generators was performed to determine the flow rate assumed in the thermal-hydraulic analysis. Utilization of this success path requires opening of three easily accessible manual valves in the Turbine Building adjacent to the train N auxiliary feedwater pump and depressurization of the steam generators in the same manner as for using a condensate pump for steam generator makeup. Palo Verde has four atmospheric dump valves (two per steam generator) and any one valve is sufficient to depressurize the steam generator below the shutoff head of the firewater system. The firewater pumps start automatically on low firewater header pressure, thus no operator action is required to start the pumps. Note that this modification is not currently credited in the internal events or internal flood models, and will not be credited in the seismic PRA due to the susceptibility of the firewater system to fail in seismic events. This modification is credited in the fire PRA model. A fire in Unit 3 does not have the potential to impact these pumps since they are located at the physically separate Water Reclamation Facility and the power sources and controls for these pumps are not fed through Unit

3. A simulator exercise was performed to evaluate changes to emergency operating procedures involving this cross-connect and confirm timing assumptions for the PRA human reliability analysis (see Attachment 16).

4.3.2 Tier 2: Avoidance of Risk Significant Plant Configurations PVNGS plant risk associated with the proposed extended 3B DG completion time is determined from RG 1.200, Revision 2 (Reference 1) Capability Category II 10

Enclosure Description and Assessment of Proposed License Amendment compliant PRA models for internal events, internal flooding, seismic, and internal fires. Associated actions to avoid or respond to these events through function of onsite emergency backup power supplies, and inclusion of additional onsite emergency power are discussed in Tier 3 information below.

The dominant risk scenarios associated with unavailability of train B DG include:

Loss of offsite power (i.e., grid, switchyard, or transformer failure)

Long term seismic induced loss of offsite power

Fires in the Unit 3 Non-Class Switchgear, Engineered Safety Features (ESF)

Switchgear, DC equipment and DC Battery Rooms, Main Control Room, and Auxiliary Building West and East Corridors and Electrical Chases The dominant contributors to the fire and seismic risk with train B DG out of service were reviewed to ensure they were minimal and correct as documented in Engineering Evaluation 16-15545-023 (Reference 14).

The dominant impact of all the above scenarios on critical safety functions is the loss of heat removal from the Steam Generators due to failure of all the auxiliary feedwater pumps or loss of power to those pumps. Random or induced loss of coolant accidents are not a dominant contributor to risk at PVNGS due to use of low leakage reactor coolant pump seals (Reference 12).

The PRA analysis assumes that other risk significant plant equipment outage configurations will not occur during the extended completion time period by prohibiting elective maintenance on other PRA risk significant plant equipment (i.e.,

prohibiting voluntary entry into yellow risk management action level configurations) and avoiding other activities that could challenge unit operation or cause fires in risk significant areas as described in the compensatory measures. A yellow risk management action level is entered when core damage frequency doubles or large early radioactive release fraction increases by factor of 4 above the nominal level with all risk significant plant equipment available. The use of the average test and maintenance model is considered very conservative based on the controls being taken to eliminate unavailability of equipment for planned maintenance, and the low likelihood of corrective maintenance occurring during the 62 day repair period. A sensitivity study was performed in Attachment 16 to address the impact of using the average test and maintenance PRA model. When crediting the portable DGs this study indicates a greater than 28 percent reduction in ICCDP and ICLERP.

The PRA analysis also assumes that the increased potential for a common cause failure of the train A diesel generator during the 62 day repair period for the train B diesel generator is minimal based on the cause evaluation described herein.

However, a sensitivity analysis was performed in Attachment 16 to evaluate the impact of increasing the common cause failure probability for the train A diesel generator to the alpha factor in the NRC common cause database. When crediting the portable DGs this study indicates a greater than 50 percent reduction in ICCDP and ICLERP.

In addition, the PRA analysis credits the following actions to further reduce fire PRA risk as documented in Engineering Evaluation 16-15545-023 (Reference 14). These additional actions have been added as commitments in the list of compensatory 11

Enclosure Description and Assessment of Proposed License Amendment measures being taken during this extended LAR period (See Attachment 3 to this enclosure):

Additional dedicated auxiliary operator added to each shift to implement the modification that cross-ties fire water to the train N auxiliary feedwater system

Posting a continuous fire watch with a fire extinguisher and training to utilize the extinguisher in fire zone FCCOR2 (120 Corridor Building). This action improves detection and response timing assumed in the fire PRA for this area since it contains no detectors or suppression systems. This area contains numerous power and control cables including offsite power supply, reactor coolant pump control, and nuclear cooling water control.

Establish transient combustible and hot work exclusion zones by procedure and using barriers/signage in the following compartments, and conducting shiftly walkdowns of these zones by the Fire Marshal or his designee. These areas were selected based on their high contribution to core damage frequency from transient combustible fires.

o Fire zones FCCOR2 (120 Corridor Building) and FCCOR2A (120 Corridor Riser Shaft) o Fire zones FCTB04 (upper level only, non-class DC Equipment,

[FCTB04-TRAN1])

o Fire zone FC86A (train A Seismic Gap, make part of train A Electrical Protected Equipment) o Fire zone FCTB100 zone ZT1G (SW corner, south half of 100 Turbine between columns TA and TC)

In addition, adverse weather such as extreme heat, extreme thunderstorms, icing or tornadoes are not assumed likely based on historical evidence during the period of this one-time extended completion time due to Palo Verdes location in the southwestern Sonoran Desert. The Tier 3 compensatory actions mitigate additional plant risk due to events beyond that associated with 3B DG unavailability represented in the ICCDP and ICLERP values furnished in the Tier 1 discussion above.

4.3.3 Tier 3: Risk Informed Configuration Management Risk would also be managed during the extended completion time via the Maintenance Rule 10 CFR 50.65(a)(4) Configuration Risk Management Program, which has been reviewed in prior risk-informed Technical Specification change requests (Reference 7).

Technical Adequacy of the PRA The following sections demonstrate that the quality and level of detail of the PRA model used in the requested change meet NRC requirements in NRC RG 1.200, Revision 2 (Reference 1). Attachment 5 provides the status of plant modifications and evaluations credited in the PRA models, which all have been completed for Unit

3. All the PRA models described below have been peer reviewed and there are no PRA upgrades that have not been peer reviewed. The findings and dispositions from the peer reviews impacting PRA technical quality are described in Attachments 8 through 12. Included in these Attachments are the Facts and Observations (F&Os) 12

Enclosure Description and Assessment of Proposed License Amendment from the indicated peer reviews impacting PRA quality, and do not include F&Os describing optional suggestions or industry best practices. The peer review finding dispositions show all peer review findings to be closed by APS, which indicates they have been resolved by APS and meet the associated ASME PRA Standard RA-Sa-2009 (Reference 9) supporting requirements to Capability Category II. Thus, all the PRA models described herein comply with all scope and quality Capability Category II supporting requirements per RG 1.200, Revision 2 (Reference 1).

The PRA models credited in this request are the same PRA models credited in the Risk-Informed Completion Time application dated July 31, 2015 (Reference 3) with plant modifications described herein and documented in Engineering Evaluation 16-15545-023 (Reference 14). No new methods were utilized in the PRA model changes implemented for this request. The only significant changes were revision of human reliability analyses to reflect the final design of the additional steam generator makeup capability and associated normal and emergency operating procedure changes. Excerpts from those human reliability analyses are provided in Attachment

16. All the plant modifications and evaluations referenced in that application (Reference 3) have been completed in Unit 3. The field routed cable routing differences between the three PVNGS units impacting the fire PRA model were resolved by creating one bounding fire PRA model that reflects the most limiting cable routing from each of the three units for each fire area. The breaker coordination issues associated with fire events described in the Risk-Informed Completion Time application were resolved by analysis with no plant modifications or procedure changes required at any of the three units.

A PRA model update is in process for these models and insights are available from updated inputs to the model (e.g., updated reliability, availability and initiating event data) to support the conclusion that the PRA model used for this application reflects the as-built, as-operated plant. All pending changes to these PRA models (e.g.,

design changes, procedure changes, corrective actions) have been reviewed for individual and aggregate impact on this evaluation and determined not to impact the conclusions of the evaluation (i.e., RG 1.174 and RG 1.177 acceptance criteria remain met) per Engineering Evaluation 16-15545-023 (Reference 14).

Internal Events and Internal Flooding Hazards This one-time Technical Specification change evaluation for the internal events and internal flooding hazards uses peer reviewed plant-specific Internal Events and Internal Flooding PRA models in accordance with RG 1.200, Revision 2 (Reference 1).

The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units.

The Internal Events PRA model was peer reviewed in 1999 by the Combustion Engineering Owners Group (CEOG) prior to the issuance of Regulatory Guide 1.200.

As a result, a self-assessment was conducted by APS of the Internal Events PRA model in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1) to address the PRA quality requirements not considered in the CEOG peer review. The Internal Events PRA quality (including the CEOG peer review and self-assessment results) has previously been reviewed by the NRC in requests to extend the Inverter Technical Specification Completion Time (Reference 7) and to implement TSTF-425 Risk-Informed Surveillance Frequency Control Program (Reference 8). No PRA upgrades as defined by the ASME PRA Standard RA-Sa-2009 (Reference 9) have 13

Enclosure Description and Assessment of Proposed License Amendment occurred to the Internal Events PRA model since conduct of the CEOG peer review in 1999. of this enclosure identifies the baseline Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) for the Internal Events and Internal Flooding PRA models. Attachment 8 provides the status of A and B level findings from the CEOG peer review of the Internal Events PRA model conducted in accordance with NEI 00-02 (Reference 2). Attachment 9 provides the status of supporting requirements not met to Capability Category II from the APS self-assessment of the Internal Events PRA model conducted in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1). Attachment 10 provides the status of findings associated with supporting requirements determined not met to Capability Category II from a peer review of the Internal Flooding PRA conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions.

Fire Hazards The one-time Technical Specification change evaluation of fire hazards will use a peer reviewed plant-specific Fire PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The Fire PRA model is consistent with NUREG/CR-6850 (Reference 4) methodology with no exceptions. The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 6 of this enclosure identifies the baseline CDF and LERF for the Fire PRA model. Attachment 12 of this enclosure provides the status of findings associated with supporting requirements for the internal fire PRA determined not met to Capability Category II from peer reviews conducted in accordance with RG 1.200, Revision 2 (Reference 1). Note that APS conducted its first fire PRA model peer review in accordance with RG 1.200, Revision 2 (Reference

1) in December 2012. APS conducted a second focused scope peer review of the internal fire PRA in December 2014 to address ASME PRA Standard (Reference 21) supporting requirements determined not met to Capability Category II in the first peer review. The second peer review did not just address F&Os from the first peer review on these supporting requirements, but included a complete re-review of the affected supporting requirements not met to Capability Category II in the first peer review. Therefore, the findings from the first peer review do not need to be included in Attachment 12. All of these findings have been closed by APS dispositions. At the request of the NRC, APS has provided in Attachment 16 all the F&Os from the focused scope fire PRA peer review, regardless of whether they impacted meeting an ASME PRA Standard (Reference 21) supporting requirement to Capability Category II.

Seismic Hazards The one-time Technical Specification change evaluation for seismic hazards will use a peer reviewed plant-specific seismic PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 6 of this enclosure identifies the baseline CDF and LERF for the Seismic PRA model. Attachment 11 of this enclosure provides the status of findings associated with SRs for the seismic PRA determined not met to Capability 14

Enclosure Description and Assessment of Proposed License Amendment Category II from a peer review conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions.

Other External Hazards All other external Hazards were screened for applicability to PVNGS per a peer reviewed plant-specific evaluation in accordance with RG 1.200, Revision 2 (Reference 1). There were no findings from the peer review. Attachment 13 of this enclosure provides a summary of the other external hazards screening results. 4 of this enclosure provides a summary of the progressive screening approach for external hazards.

PRA Uncertainty Evaluations Sources of model uncertainty and related assumptions have been identified for the PVNGS PRA models using the guidance of NUREG-1855, Section 5.3 (Reference 5) and EPRI TR-1016737, Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessment, Section 3.1.1 (Reference 6). The process in these references was mostly developed to evaluate the uncertainties associated with the internal events PRA model; however, the approach can be applied to other types of hazard groups.

The list of assumptions and sources of uncertainty were reviewed to identify those which would be significant for the evaluation of this application. If the PVNGS PRA model used a non-conservative treatment, or methods which are not commonly accepted, the underlying assumption or source of uncertainty was reviewed to determine its impact on this application. Only those assumptions or sources of uncertainty that could significantly impact the configuration risk calculations were considered key for this application.

The PVNGS PRA models do not contain any recovery action or recovery factor for failed emergency DGs. The PRA models used for this application contain numerous conservatisms. The following are the major conservatisms which address potential uncertainties associated with the risk of the proposed one-time DG completion time extension request:

The firewater to auxiliary feedwater cross-connect capability is not yet credited in the Unit 3 internal events or internal flood PRA model. This modification is only credited in the Unit 3 fire PRA model.

Temporary equipment such as the three portable diesel generators and FLEX SG makeup pump are not credited in the PRA models. Use of this portable equipment is proceduralized and its importance to risk mitigation is emphasized in a Unit 3 Operations Night Order specifically developed for the current plant condition with DG B out of service.

It is assumed that any fire will minimally result in a loss of main feedwater and subsequent reactor trip.

Simplified relay fragility analyses were performed that result in higher failure probabilities than if detailed fragility analyses had been performed. This over-estimates the failure probability of an emergency diesel generator during seismic events.

Hot shorts are conservatively assumed to occur with enough electrical contact to impose full voltage on the target conductor.

15

Enclosure Description and Assessment of Proposed License Amendment

For automatic suppression system failure probability, the highest failure probability for fixed suppression systems was used from Appendix P of NUREG/CR-6850 (Reference 4).

Non-rated fire barriers are always assumed to fail.

The main control room ventilation system is assumed unavailable or isolated during a fire. This assumption is conservative since the use of the smoke purge system would remove heat and smoke from the room, improving habitability.

It is assumed that containment isolation fails during all fire scenarios that necessitate main control room abandonment.

Key PVNGS PRA model specific assumptions and sources of uncertainty for this application are identified and dispositioned in Attachment 15. The conclusion of this review is that no additional sensitivity analyses are required to address PVNGS PRA model specific assumptions or sources of uncertainty for this application.

4.4 Review of Surveillance Tests A review of planned surveillance testing was conducted for the proposed 62-day extended duration being requested in this LAR. There were no surveillance test requirements that required deferral or an extension beyond their required surveillance interval. There are, however, several surveillance tests that will be required to be performed on the A train, while the B train DG is out of service. A number of these surveillance tests do not affect the operability of the equipment during the performance of the testing. Other scheduled surveillance tests do require declaring the tested SSC inoperable during performance of the tests. Several tests will use the provisions of TS SR 3.0.2 to schedule testing outside the 62-day extended duration, when needed.

For surveillance tests coming due that do require declaring the tested SSC inoperable, APS plans to enter TS 3.8.1.B.2 and the relevant TS LCOs to perform these required tests. The equipment in test will be maintained functional during the performance of the surveillance testing. It is expected that these tests can be performed within the specified 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months completion time of required action 3.8.1.B.2.

Specifically, the following surveillance tests have due dates during the 62-day extended completion time:

1. 73ST-9SP01 - Essential Spray Pond Pumps - Inservice Test

2. 73ST-9SI11 - Low Pressure Safety Injection Pumps Miniflow - Inservice Test

3. 73ST-9SI06 - Containment Spray Pumps and Check Valves - Inservice Test

4. 73ST-9XI13 - Train A HPSI Injection And Miscellaneous SI Valves - Quarterly

- Inservice Test The testing elements that require SSCs to be declared inoperable during testing, relate to use of temporary testing instruments or valve alignments that can be quickly restored, if needed.

4.5 Operator Training Operators are trained on the strategies and hierarchy of procedures for LOOP that specify use of alternate power sources, including the portable DGs.

16

Enclosure Description and Assessment of Proposed License Amendment Training, briefings, and walkdowns are provided to the Operators responsible for operating the portable DGs as part of the preparation for use of the generators.

Operating crews are briefed on the implementing procedure. Designated operators are familiar with instructions for starting and operating the portable DGs. Operations staff has received classroom training for FLEX strategies, which included the use of the portable DGs. Similar training is provided for the fire water to auxiliary feed water cross-tie.

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements Relevant elements of NRC requirements, as well as a brief overview of PVNGS design features related to those requirements, are described below, with the NRC requirement identified first, followed by the related PVNGS design features in italics.

The regulations in 10 CFR 50.36(c)(2)(ii)(C), Limiting conditions for operation, state:

Criterion 3. A structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier.

Technical Specification (TS) 3.8.1 currently meets this requirement and will continue to meet this requirement after the proposed one-time change is approved and implemented. The DGs act to mitigate the consequences of design basis accidents that assume a loss of offsite power. For that purpose, redundant DGs are provided to protect against a single-failure. During the current TS 21-day required action completion time for 3B DG, an operating unit is allowed by the TS to remove one of the DGs from service, thereby losing this single-failure protection. This operating condition is considered acceptable for a limited period of time and is in conformance with 10 CFR 50.36(c)(2)(i), which authorizes licensees to follow any remedial action permitted by the technical specifications until the [limiting conditions for operation (LCO)] condition can be met.

General Design Criterion (GDC) 17 of Appendix A of 10CFR50 for Electric Power Systems defines design requirements. It does not specify operating requirements or stipulate operational restrictions regarding the loss of offsite power sources. With the implementation of the proposed change, PVNGS Unit 3 will continue to meet the applicable design criteria. The proposed change is a one-time extension to the TS required action completion time. It does not affect the design basis of the plant. In addition, PVNGS Unit 3 will remain within the scope of the TS LCO 3.8.1 and is still subject to the requirements of the action statements as governed by 10 CFR 50.36.

PVNGS Unit 3 meets the requirements of GDC 17 (Reference 15). The design of the on-site power source is not changed by the extension of the required action completion time and compliance with the GDC is not affected.

The proposed change to extend the completion time does not alter the design basis for loss of all alternating current power governed by 10CFR50.63, Loss of all alternating current power (Station Blackout Rule). In addition, although the normal 17

Enclosure Description and Assessment of Proposed License Amendment design of PVNGS Unit 3 is an alternate AC plant, the plant meets the requirements for a 16-hour coping plant, which is unchanged by this LAR.

The proposed change to extend the TS required action completion time is consistent with the criteria of RG 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3, dated May 2012, and 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Maintenance Rule).

The regulations in 10 CFR 50.91(a)(5), provide the following allowances for issuance of an emergency license amendment:

(5) Where the Commission finds that an emergency situation exists, in that failure to act in a timely way would result in derating or shutdown of a nuclear power plant, or in prevention of either resumption of operation or of increase in power output up to the plant's licensed power level, it may issue a license amendment involving no significant hazards consideration without prior notice and opportunity for a hearing or for public comment The proposed change is required due to an emergent equipment failure and is necessary to prevent shutdown of PVNGS Unit 3. The change is needed sooner than can be issued under normal or exigent circumstances and this license amendment request is timely considering the unplanned nature of the DG failure.

Conclusions:

Independent Assessment An independent assessment that compares the 3A to 3B diesel engine was provided to PVNGS by MPR. The report stated the PVNGS mechanical maintenance and operating records provide no similar major events with EDG 3A as contrasted with the EDG 3B service life or the five connecting rod assembly failures within the nuclear industry.

There have been no major mechanical failures in EDG 3A after a comparable number of operating hours as EDG 3B.

This assessment concluded that it is extremely unlikely that the 3A engine would experience a major failure. This assessment is provided in Attachment A.

Palo Verde Assessment The causal analysis for the 3B diesel engine has concluded that this engine had a misaligned crankshaft bore that resulted from the 1986 failure. The misalignment of the crankshaft bore resulted in sufficient cyclic stresses at the master rod ligament to initiate and propagate a fatigue crack. It is likely the misalignment also contributed to fretting between the master rod crank pin bore and bearing, contributing to the crack initiation. This crack would then propagate based on the elevated alternating stresses in the engine, which were increased at the crack location because of the misalignment. This eventually led to the cyclic fatigue failure.

Evidence indicates that the EDG 3B misalignment was due to the previous connecting rod failures and subsequent in situ repair. The remaining five diesels at PVNGS (EDG 1A, EDG 1B, EDG 2A, EDG 2B and EDG 3A) have never had a connecting rod failure or any other mechanical event that could have introduced misalignment. Additionally available performance data from the 3A EDG does not contain the same variability as the 3B EDG. Therefore, the failure mechanism that caused either of the 1986 or 2016 3B EDG failure is not present in the 3A EDG or any other PVNGS Emergency Diesel Generator.

As documented throughout this evaluation there is no susceptibility to the EDG 3A related to either the flaw and/or stress initiators that contributed to the previous Cooper-Bessemer KSV-20-cyclinder diesel engines in nuclear service. As such, there is no common mode failure to EDG 3A.

References:

STWO 4698721 Cooper-Bessemer Original Drawing: KSV-6-1A CR-03-18103-4 PVNGS 3B 1986 Root Cause Attachments:

Attachment A- MPRs Independent Assessment of PVNGS Unit 3 EDGs PV-E0897 Ver. 6 81DP-0CC15

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 5 Status of Plant Modifications and Evaluations Credited in the PRA The PRA model used for determining the risk associated with the one-time extension of the Diesel Generator completion time due to the failure of the 3B DG on December 15, 2016, credits the following modifications to achieve an overall CDF and LERF consistent with NRC Regulatory Guide 1.174 risk limits. The following table provides an updated status for Unit 3 as compared to the table provided in the License Amendment Request to allow risk informed completion times (ADAMS Accession Number ML15218A300).

Plant Modification/Evaluation Status Install fuses in Control Room DC ammeter circuits Complete to prevent secondary fires due to multiple fire induced faults.

Install fuses in non-class DC motor circuits to Complete prevent secondary fires due to multiple fire induced faults.

Replace RCP control cables with one-hour fire Complete rated cables.

Install an additional Steam Generator makeup Complete capability to reduce Internal Fire PRA risk.

Implement recovery procedures for breaker Not required. No plant modifications or coordination on class and non-class motor control procedure changes were required to centers/distribution panels that impact risk resolve breaker coordination issues.

significant functions in the Internal Fire PRA.

Supporting requirements of ASME/ANS RA-Sa- Complete 2009 SY-C1 and SY-C2 shall be fully met at Capability Category II prior to use of the RICT Program.

Validate that the Unit 1 Internal Fire PRA model is Complete. The Unit 1 internal fire PRA bounding for Units 2 and 3 to reflect field-routed model was adjusted to reflect a cabling or create unit-specific internal fire models bounding evaluation of field-routed for Units 2 and 3 prior to use of the RICT Program cabling for all three units.

at Units 2 and 3.

1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 6 Unit 3 Baseline Average Annual CDF/LERF CDF LERF Hazard (per reactor-year) (per reactor-year)

Internal events 1.3E-6 4.3E-8 Internal flooding 4.6E-7 2.1E-8 Seismic 3.1E-5 5.7E-6 Internal Fire 2.9E-5 2.4E-6 Total 6.2E-51 8.2E-62 Notes:

1. Total CDF meets the RG 1.174 acceptance criteria of < 1E-4 per year

2. Total LERF meets the RG 1.174 acceptance criteria of < 1E-5 per year

References:

1. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015.

2. 13-NS-B067, At-Power Level 1 PRA Quantification, Revision 6

3. 13-NS-C042, At-Power Level 2 PRA LERF Quantification, Revision 1

4. 13-NS-C099, Internal Flooding PRA Modeling and Quantification, Revision 2

5. Westinghouse Calculation CN-RAM-12-022, Palo Verde Seismic PRA Quantification, Revision 1 1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 7 ICCDP and ICLERP for One-Time Technical Specification Change ICCDF ICCDP ICLERF ICLERP (per (62 (per (62 Hazard reactor- days) reactor- days) year) year)

Internal events 1.2E-6 2.0E-7 5.5E-8 9.3E-9 Internal flooding <1.0E-7 <1E-8 <1.0E-8 <1.0E-9 Seismic 4.1E-6 6.9E-7 3.2E-7 5.4E-8 Internal Fire 5.3E-5 8.9E-6 1.3E-6 2.2E-7 Total 5.8E-5 9.8E-61 1.6E-6 2.8E-72 Notes:

1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with effective compensatory measures not credited in the quantitative risk evaluation

2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with effective compensatory measures not credited in the quantitative risk evaluation

References:

1. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011.

1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 8 Internal Events PRA Peer Review A and B Level Findings Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-10 SY-20 A Closed Demand failures of batteries are not considered (i.e., if The finding has been there is a demand for direct current (DC), battery resolved and closed by an failure is more likely). Only charger failures, bus update of the PRA model.

faults, circuit breaker failures, battery faults, Demand failure of maintenance and failure to restore after maintenance batteries has been added are modeled. to the model.

DA-04 DA-8 A Closed The following common cause factors are significantly The finding has been lower than Idaho National Engineering Environmental resolved and closed by an Laboratory (INEEL) recommended values: pumps update of the PRA model.

gamma and delta factors, emergency diesel generator The PRA model common failure to start beta, and auxiliary feedwater (AFW) cause factors have been pumps failure to run beta generic pumps - beta. Note: revised consistent with the these are based on generic sources, therefore there is NRC common cause a concern that the values are significantly different database.

from INEEL generic data. A sensitivity evaluation was performed which put these values to those similar to INEEL recommended values caused a CDF increase of approximately 7%.

DE-07 DE-7 A Closed In general, human actions across systems appear to The finding has been treat dependency appropriately. There are some cases resolved and closed by an where dependencies across systems are not properly update of the PRA model.

addressed. RE-AFA-LOCAL is used redundantly to The PRA model human 1ALFW-2HRS-HR in sequences 7634, 14966, etc. (per action dependencies PRA Study, 13-NS-C29 Rev. 3, PRA Change across systems have been Documentation) per C-29 Rev. 3 addressed.

1

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

QU-03 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is being used to recover The finding has been 1AFAP01-TPAFS. This is a hardware failure basic resolved and closed by an event. An evaluation should be done to determine the update of the PRA model.

fraction of the basic event that is recoverable. This The PRA model recovery appears in numerous sequences [e.g., 7830 & 14989 action for the AFA pump (per PRA Study 13-NS-C29 Rev.3, per C-29 Rev.3)]. has been modified to appropriately consider the fraction of recoverable events.

QU-04 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is inappropriately being used The finding has been to recover some Stuck Open Safety Valve (SOSV) resolved and closed by an events. The initial failure of the AFW Pump A causes a update of the PRA model.

primary safety lift. The recovery of AFW Pump A The PRA model recovery would not prevent a lift. Therefore, RE-AFA-LOCAL has been removed from should not be used when the primary safety valves lift. stuck open safety valve events.

HR-04 HR-9 A Closed It was stated in the opening presentations that the The finding has been operators would take manual control of the AFW flow resolved and closed by an path globe valves. This action is not modeled. The update of the PRA model.

current model appears not to include any action to The PRA model now control flow with the exception of local manual control. credits remote manual operation of the AFW flow path valves.

SY-12 SY-18 A Closed Batteries C and D appear to have at least a 24-hour The finding has been mission time prior to depletion. This results in resolved and closed by an instrumentation being available to adequately control update of the PRA AFW. The bases for the 24-hour mission time are not documentation. The basis documented. for the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time is provided.

2

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-06 HR-20 A Closed The cycling of the AFW flow path globe and gate valves The finding has been to maintain AFW flow is not modeled. resolved and closed by an update of the PRA model.

The PRA model now includes cycling of the AFW flow path valves.

IE-7 IE-12 B Closed The Interfacing Systems Loss of Coolant Accident The finding has been (ISLOCA) treatment for the shutdown cooling suction resolved and closed by an line appears to have some questionable assumptions. update of the PRA model First, it is assumed that the Low Temperature Over which now includes failure Pressure (LTOP) valve would always open. While this is of the LTOP valve to open the most likely scenario, the LTOP valve can fail to and includes the shutdown open. Qualitative arguments were made that should cooling warm up crossover this happen, the resulting LOCA would be inside piping.

containment (primarily based on relative pipe lengths).

This ignores the fact that the high stress points and stress concentration points are outside containment.

Furthermore, the shutdown cooling warmup crossover piping was not considered.

IE-8 IE-5 B Closed Loss of multiple vital 125 VDC and loss of multiple vital The finding has been 120VAC buses are not considered as initiators. resolved and closed by an update of the PRA model which now includes loss of multiple vital 125 VDC and 120 VAC buses as initiators.

3

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

AS-02 AS-04 B Closed A discussion of Reactor Vessel Rupture was not found. The finding has been A fire PRA was not performed so accident sequences resolved and closed by an were not generated to capture the impact of a fire. update of the PRA model Also there does not appear to be coding of locations which now includes for basic events. (Fire-Induced Vulnerability reactor vessel rupture Evaluation methodology was used to assess fire event. Separate internal impact). Internal flooding is also not specifically fire and internal flood included in the accident sequences and no spatial data models have subsequently appears to have been developed (same could be used been created to address for fire and flooding). Industry Degraded Core the remainder of the Rulemaking (IDCORE) methodology was used to finding.

perform flooding evaluation and this determined that there are no critical flooding areas.

AS-5 AS-24 B Closed The Modular Accident Analysis Program (MAAP) The finding has been analyses used to support timing for human actions resolved and closed by an look only at a selected set of parameters of interest update of the PRA model.

and neglect to look at the status of other systems Additional MAAP analyses which may affect timing and/or success criteria. One have been performed and particular example is that the Turbine Bypass System associated human is assumed to always work when evaluating the time reliability actions added to available for recovery of AFW. the PRA model to address the status of other systems which impact event timing.

SY-02 SY-1 B Closed There is no document that specifies the content, System studies have been requirements, and formatting for each system study. updated to meet ASME This would aid external observers and newcomers in SY-C1 and SY-C2 understanding the intent of the system analysis Capability Category II documentation. requirements.

4

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-03 SY-3 B Closed Many of the assumptions contained in the AFW The specific issue of AFW analysis address plant phenomena, but contain no diversion flow paths has plant references. For example, AF024, states no been addressed and significant diversion paths were identified. But no documented. System detailed discussion is provided. There are several studies have been updated piping taps from the condensate storage tank (CST). to meet ASME SY-C1 and From a walkdown some of these taps occur high in the SY-C2 Capability Category tank, while others associated with the condensate II requirements.

transfer pumps are low in the tank. It is not clear that potential diversions through the condensate transfer pumps have been examined. The drawings that illustrate the flow destination for the pumps are not referenced in the AFW system study: DGP-001, ECP-001, and EWP-001. It also appears that the assumptions themselves are not independently reviewed. As a result, the independent reviews of the system studies are not complete. Each individual assumption should have plant documentation and an independent review. The system study independent review would then only need to ensure that the assumption is applicable to and reflects the model itself. This appears to be what is done now, but without an independent review of the assumptions.

5

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-05 SY-4 B Closed It is difficult to verify that the systems are in System studies have been agreement with the as-built conditions. The current updated to meet ASME software is only capable of displaying a two by three SY-C1 and SY-C2 portion of the fault tree. When attempting to verify the Capability Category II AFW system, only a sample of the fault tree was requirements.

examined. From the portion examined no discrepancies were identified. There were no direct references between the fault tree supports and the plant drawings. For example the power supplies to the motor driven pumps are contained in the fault tree, but a plant drawing reference is not directly linked to this dependency. The back of the system study does provide a list of references, but the specific references are not linked to dependencies. Not only does this make review by outside personnel difficult, it makes internal independent reviews difficult as well.

DA-01 DA-4 B Closed In quantifying the failure rate of the turbine driven The finding has been AFW pump to start and run, failures were not resolved and closed by an considered based on modifications to prevent turbine update of the PRA overspeed trips due to excessive condensation in documentation. Sufficient steam lines. That is, failures that occurred prior to plant operating experience 1995 (that were determined to be due to excessive has elapsed since this condensation), were removed from consideration. A finding was provided to reduction in the impact of these failures would be substantiate exclusion of more appropriate than eliminating these failures from condensate line overspeed consideration. events from the failure rate of the AFA pump. This evidence was documented as part of the data update.

6

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DA-02 DA-06 B Closed Currently for demanded components, the failure The finding has been likelihood is assumed directly related to the resolved and closed by an surveillance interval. The equation used is 1-exp(- update of the PRA lambda*(interval)/2). This assumption is predicted on documentation. This issue the assumption that the likelihood of failure on has been resolved by demand is purely proportional to the hourly failure providing the requested likelihood. This is not necessarily true. Analysis should evidence in the PRA be done to ensure that the demand failure likelihoods documentation.

are appropriately calculated. There are components of the demand failure rate that are not proportional to time such as shock and human errors.

DA-9 DA-9 B Closed When grouping components together for data, are The finding has been component specific data differences reviewed. (i.e. are resolved and closed by an a disproportionate number of failures attributed to one update of the PRA component but spread out over several)? Also are the documentation. This issue numbers of demands/run hrs comparable? has been resolved by considering component specific differences in the grouping of components.

DA-07 DA-13 B Closed The NSAC document referenced in evaluating the loss The finding has been of offsite power (LOP) frequency and duration (NSAC- resolved and closed by an 203, Losses of Offsite Power at U.S. Nuclear Power update of the PRA model Plants thru 1993 is not current. More recent NSAC and and documentation.

EPRI documents are available as a reference source. Subsequent updates of the These documents have the potential to increase the PRA model have used the likelihood of offsite power recovery since LOP events current EPRI loss of offsite and their duration have trended downward. power data.

7

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DA-08 General B Closed Plant specific data was derived from a limited number The finding has been of years data (1994 thru 1996) resolved and closed by an update of the PRA model and documentation. Plant specific data has subsequently been updated up to 2014.

HR-01 HR-1, HR-14 B Closed Guidance effectively describes the quantification The finding has been process. Two areas were identified for possible resolved and closed by an improvements: update of the PRA

1. The process and degree of operation input and documentation. This issue review is not documented. Operation input as has been addressed by described appears to be marginal. It was stated that upgrading the human operator input was always obtained for knowledge reliability analysis based actions and was obtained as required for documentation to address complete skill and rule-based actions. A better the issues. The HFEs have practice would be to have all actions developed with been placed into the EPRI operator input. HRA calculator, which

2. The process for selecting Human Reliability Analyses provides a consistent and (HRAs) was not described. A process is identified in detailed documentation of Systematic Human Action Reliability Procedure the HRAs.

(SHARP). It appears that the SHARP process was not used. However, an undocumented, iterate process between the system analyst and the human action analyst appears to be adequate.

8

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-08 HR-25 B Closed A sensitivity study to determine human action The finding has been dependencies was not performed nor documented with resolved and closed by an the PRA results. This is considered to be a good update of the PRA practice to ensure dependent human actions are not documentation. The inappropriately used. A sensitivity analysis was requested sensitivity performed during this review. No issues were noted. analysis was performed and documented on human action dependencies.

HR-09 HR-20 B Closed Human Action (HA) 1AFN-MSIS----HR is failure of the The finding has been operator to override main steam isolation signal resolved and closed. The (MSIS) and align the N pump. This action includes human reliability analysis diagnosis error. The action 1AFN-MSIS-ND-HR, is a dependency process no modification factor to remove the diagnosis component longer applies recovery of 1AFN-MSIS----HR. In the quantification of these actions and HEP two elements (PRA Study 13-NS-B62, Human modifications through Reliability Analysis, p90 and p91) it is stated that cutset post-processing.

1AFN-MSIS-ND-HR is to be used with 1AFN-MSIS---- The HRA calculator HR when it occurs in conjunction with failure to align dependency function is or utilize the code pumps, i.e., in conjunction with used to manage another HA that had an equivalent diagnosis element. dependencies between This is considered appropriate. However, as seen in human actions, and this cutset 10 and others, these two HAs are being used process eliminates the together in cutsets which do not include another HA concern raised by the with the equivalent diagnosis element. This is finding.

inappropriate.

9

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

HR-09 HR-20 B Closed In cutset 10, the initiator is loss of 125 VDC PKB-M42 continued which results in loss of one AFW pump, an MSIS, failure of the downcomer valves, failure of the turbine-driven AFW pump and the 1AFN-MSIS----HR/1AFN-MSIS-ND-HR combination. This does not appear to be appropriate because there is no other HA which includes the requisite diagnosis error. This is contrary to the stated application conditions in 13-NS-B62. The above discussion also applies for the 1AFW-MFW-----

HR/1AFW-MFW-ND-HR combination and any other equivalent combinations. After looking at models in more detail, found that there was another HA in the chain. Direct solution of the trees would yield a cutset with two Human Error Probabilities (HEPs). A recovery analysis pattern removed the two related HAs and replaced them with the pairings discussed above. The concept appears to be appropriate but the manner in which it is applied is confusing at least in this case.

10

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DE-02 DE-1, DE-3, B Closed As mentioned earlier there is no guidance for the The finding has been DE-5 system analysis process. This applies to the resolved and closed by an dependency aspect of the process as well. Section 3.3 update of the PRA of a system study lists the dependencies associated documentation.

with the system. In general, the attachment appears References for to completely describe the dependencies associated dependencies and HVAC with the system. I did notice several cases in the high success criteria have been pressure safety injection (HPSI) system study where added to the PRA the component numbers were not identified: documentation.

1PHAM37-480-1PW/GHLIA1-2, 1PHBM38-480-1PW/GHI2-9, 1SAARAS-TRA--1AT/GRASA-K405 (MOV 674), etc. In some cases, it was possible to determine the component dependency. In other cases, it was not. Each component and its associated dependency should be explicitly identified. The dependencies associated with hot leg injection appear to be improperly identified. MOV-321 should be 4PKCM43-125--1PW and MOV-331 should be 4PKDM44-125--

1PW. The plant references for the dependencies are not directly linked to unique component dependencies.

Instead, the references are listed in a single large mass in Appendix D. It would probably save time and lead to better traceability if the references are directly associated with each dependency. There are no plant references associated with the heating, ventilation and air conditioning (HVAC) dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as Updated Final Safety Analysis Report (UFSAR) text if direct failure is assumed to be as complicated as design heat-up calculations.

11

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

DE-05 DE-4 B Closed Although dependencies are identified in the system The finding has been analysis, there is no dependency matrix. A resolved and closed by an dependency matrix is a valuable tool for reviewers and update of the PRA newcomers to the group. I believe that our evaluation documentation. A of Accident Sequences would have been much more dependency matrix has comprehensive with a dependency matrix. There are been added to the PRA no plant references associated with the HVAC documentation.

dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--

1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as UFSAR text if direct failure is assumed to as complicated as design heat-up calculations.

DE-08 DE-7 B Closed Since the general rule is documented as one-recovery The finding has been action per sequence 13-NS-B62 (B-062), exceptions resolved and closed by an should be noted and justified. For example, the Station update of the PRA Blackout Generator recovery and the AFW pump A documentation. Exceptions recovery actions are credited redundantly. This is to the recovery actions probably appropriate, but the paragraph in B-062 were justified.

indicates this is not typically done. Therefore justifying the exceptions is probably appropriate.

DE-10 DE-12, DE-13, B Closed The documentation is considered marginal largely This issue was closed by DE-14 based on the lack of traceability of the system studies meeting ASME SR SY-C1 to plant documentation for each component for system notebook dependency. documentation.

QU-01 QU-1 B Closed The quantification report describes the quantification, The finding has been but the process is difficult to follow unless resolved and closed by an knowledgeable about the code used and the specific update of the PRA steps to follow. It is sometimes hard to determine the documentation.

basis for the delete term logic and the recovery patterns.

12

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

QU-05 QU-18, QU-19 B Closed It would probably be a good idea to delete the front *s The finding has been in the recover search equations. I did not find any resolved and closed by an instances where this caused a problem in the existing update of the PRA model model, but it could be causing problems by recovery instructions.

accidentally selecting the middle of a basic event verses the beginning.

QU-07 QU-25, QU-26, B Closed Even though the data bases contain error factors and This issue has been QU-28 their code has the capability to easily perform addressed by performing numerical uncertainty analyses, APS did not perform and documenting the any uncertainty analyses for this update of the quantitative uncertainty Probabilistic Safety Assessment (PSA) and they did not analysis.

document any sensitivity studies on the impact of key assumptions as part of this PSA update.

MU-03 MU-4 B Closed The types of changes tracked by the PRA and how this The finding has been information is obtained are not specified in enough resolved and closed by an detail within the procedure. update of the PRA model update procedure.

MU-08 MU-11, MU-12 B Closed There is limited guidance on what needs to be The finding has been considered for reevaluation when a significant change resolved and closed by an to the PRA models takes place. update of the PRA model update procedure.

HR-03 HR-4, HR-5, B Closed In the HRA document (B62), Section 4.2, concludes The finding has been HR-6, HR-7 that miscalibration and common cause miscalibration resolved and closed by an of critical sensors is negligible at PVNGS. This is not update of the PRA model consistent with the results from other PRAs. common cause modeling Specifically, the first supporting paragraph of to match the NRC dedicated teams does not minimize exposure to common cause database common cause, it actually maximizes common cause. treatment.

PVNGSs staff previously identified this item.

13

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

AS-03 AS-6, AS-7, B. Closed There are some differences between treatment of a The finding has been AS-8, AS-24 small LOCA associated with a pipe break and an resolved and closed by an induced small LOCA (pressurizer safety valve update of the PRA model reclosure) in the transient event trees. For example: and documentation.

In the small LOCA event tree, successful high pressure injection and recirculation lead to questioning whether containment heat removal is successful. In the Transient Type 2 and Transient Type 3 event trees, RCS integrity can be lost if pressurizer safety valves do not reset after lifting. In the sequences from these event trees where high pressure injection and recirculation are successful, the question relating to containment heat removal is not asked.

In the small LOCA event tree, RCS depressurization and use of low pressure injection and recirculation are considered if high pressure injection or recirculation fail. In the Transient Type 2 and Transient Type 3 event trees, consideration of RCS depressurization and use of low pressure systems is not included because the likelihood of high pressure injection or high pressure recirculation are small. It would seem that this assumption should apply to both cases, or not.

14

Enclosure Description and Assessment of Proposed License Amendment Attachment 8: Internal Events PRA Peer Review A and B Level Findings Observation Sub-Level Status Finding(s) Disposition ID Element(s)

SY-13 SY-17, SY-20 B Closed The control system study states that only single The finding has been failures that cause the failure mode of interest are resolved and closed by an considered. For the Auxiliary Feed Actuation System update of the PRA model (AFAS) generated signals, which results (these result) and documentation to add in modeling common cause only. Although this the indicated control approach may provide a good estimate of the failure system dependencies.

rate of these safety signals, it does not necessarily provide the confidence that the signals are appropriately modeled. For AFAS, it appears that since the AFW flow path valves must cycle that control system dependencies may have been missed. That is, normally engineered safety features actuation system (ESFAS) relays appeared to be locked-out following actuation, but for the AFAS valves, the relays need to react to the process system steam generator (S/G) low and high level). It is likely that 120 VAC Vital Bus A and B are needed.

15

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 9 Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II Attachment 9: Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II SR Status Self-Assessment Comments Disposition SY-C1 Closed System analysis documentation developed during The System analysis documentation has been updated to the Individual Plant Examination (IPE) was reflect the documentation requirements of SY-C1.

abandoned prior to issuance of the ASME PRA. Key elements of the system analysis documentation have been subsequently captured in other PRA documentation that is not designated as system analysis documentation.

SY-C2 Closed The following subsections of SR SY-C2 are not met: The System analysis documentation has been updated to c, e, j, o, p. The original system analysis reflect the documentation requirements of SY-C2.

documentation developed during the IPE PRA development was abandoned prior to the issuance of the ASME PRA Standard. Other subsections of SR SY-C2 (a, b, d, f, g, h, i, k, l, m, n, q, r, s) are met by alternate documentation generated when the system analysis documentation was abandoned.

1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 10 Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 10: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSO-B2 Closed As noted in SRs IFSO-A1, IFSO-A3, and IFSO-A5, some areas This finding has been resolved by a of the documentation do not provide sufficient detail about documentation update. The following PRA studies the process used. Specific items for which improved have been revised to provide detail about the documentation is needed include: specific items needed for improvement:

a. Documentation of sources in the Turbine Building. a. PRA Study 13-NS-C094 section 4.2.6 was

b. The basis for screening sources in the Fuel, Radwaste, and revised to include the flooding sources in the Turbine Buildings (i.e., the way in which the specified Turbine Building.

criteria are met for each source is not documented). For b. Revised PRA Study 13-NS-C094 sections 4.2.5 example, a walkdown during the peer review revealed that and 4.2.6 to include justification for screening there is section of the wet pipe fire protection (FP) system sources in the Fuel, Radwaste, and Turbine running above the turbine cooling water (TC) pumps that Building.

could potentially spray both pumps. It is not clear based c. The temperatures and pressures of the plant on 13-NS-C093 and 13-NS-C094 that this impact was fluid systems do not need to be defined as all considered and dispositioned. Likewise, feedline breaks in flooding impacts are inherently considered due the turbine building are assumed to be bounded by the to the Assumption 2 in PRA Study 13-NS-C096 loss of main feedwater initiating event, but may have which identifies that all equipment in the flood different impacts such as loss of instrument air due to area in which a flood initiates, is assumed humidity impacts. failed. Therefore it is not necessary to describe

c. The temperature and pressure of flood sources. systems in terms of pressure and temperature to determine potential flood induced failure modes.

1

Enclosure Description and Assessment of Proposed License Amendment Attachment 10: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFEV-A7 Closed Potential flooding mechanisms are primarily limited to failures This finding has been resolved by a of components. Human-induced flooding is screened based documentation update. PRA Study 13-NS-C097 on plant maintenance practices (see 13 NS-C093, Section Section 4.1 was revised to document the review 3.2, Item 4 and 13-NS-C097, Section 3.5). This does not of human and maintenance induced flooding indicate that there was any search of plant operating events. Spray events such as sprinkler head experience and plant maintenance procedures to verify no failures during maintenance were considered on potential for human-induced flood mechanisms. an individual basis in the internal flood model. A review of PVNGS maintenance guidance documentation and procedures via plant personnel discussions did not identify any maintenance procedures which would lead to an internal flooding scenario.

IE-C5 Closed Generic pipe failure frequencies from EPRI TR-1013141 were This finding has been resolved by a not converted to a per reactor-year basis as required by SR documentation update. PVNGS has revised the IE-C5. quantification studies to clarify that the results are specifically in units of per critical-reactor year that is directly applicable to At-Power operating plant states. In addition, to support PRA applications that relate to risk in terms of annualized risk, the engineering studies documenting the quantification and results were revised to also provide converted core damage frequency (CDF) and large early release frequency (LERF) in units of per reactor-year (per calendar-year).

2

Enclosure Description and Assessment of Proposed License Amendment Attachment 10: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFQU-A7 Closed Sources of model uncertainty and related assumptions for the This finding has been resolved by a Internal Flooding (IF) quantification are documented in 13- documentation update. PRA Study 13-NS-C099 NS-C099, Section 3.1.3. As noted in other SRs related to Section 4.4 was revised to incorporate the assumptions and sources of uncertainty, there is no characterization of model uncertainty sources.

characterization of the impact of these assumptions and Each assumption and source of model uncertainty sources of uncertainty on the IF model as would be required has been characterized according to WCAP-by backward reference to SRs QU-E4 and QU-F4 in SR IFQU- 17507, PRA Model Uncertainty Database A7. Guidance and Documentation Template for Characterization of Uncertainties from the Pressurized Water Reactor Owners Group (PWROG) PA-RMSC-0594.

IFSN- Closed Based on the decision trees in the Scenario document 13-NS- This finding has been resolved by a A16 096 Revision 0, (example Figure 4.2.1.1-1, Sequence documentation update. PRA Study 13-NS-C096 040A1S02), many flood sources that can be isolated have section 3.1.1 was revised to describe the reason been screened out based a simple assertion that the flood for screening out successfully isolated floods.

can be isolated without documenting any of the following:

a. Whether flood indication is available in the control room,

b. How and where the flood source can be isolated, and

c. Whether procedures exist for isolation and how much time is available for isolation.

Based on a discussion with the plant PRA personnel, the peer review team judged the screening to be reasonable, but documentation is not adequate. The review team judged this to be met at Category I, but even for this, proper documentation is needed as noted in the finding.

3

Enclosure Description and Assessment of Proposed License Amendment Attachment 10: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSN-A6 Closed RG 1.200 Revision 2 documents a qualified acceptance of this This finding has been resolved by a SR. The NRC resolution states that to meet Capability documentation update. Assumption 2 in PRA Category II, the impacts of flood-induced mechanisms that study 13-NS-C096 was rewritten to clarify that all are not formally addressed (e.g., using the mechanisms components within a flood area where the flood listed under Capability Category III of this requirement) must originates were assumed susceptible and failed as be qualitatively assessed using conservative assumptions. a result of the flood, spray, steam, jet impingement, pipe whip, humidity, condensation and temperature concerns except when component design (e.g., water-proofing), spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect.

IFEV-A6 Closed There is no evidence in 13-NS-C097 that a search was made This finding has been resolved by a for plant-specific operating experience, plant design features, documentation update. PRA Study13-NS-C097 and conditions that may impact flood likelihood and no Section 4.1 was revised to add evidence of the Bayesian updating was performed. However, adjustments search for plant specific operating experience.

are made to some initiating event frequencies based on The PVNGS Site Work Management System system run times to account for differences between impacts database and License Event Reports were when the pumps are running or in standby.

searched for flood type events. Additionally, the PVNGS maintenance procedures were reviewed for flood prevention guidelines.

It was determined that none of the flood events identified represented a credible internal flooding scenario which would require additional modeling efforts. Additionally, the lack of internal flooding events does not provide sufficient information to perform a Bayesian update to the initiating event data, and therefore, no update was performed.

4

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 11 Seismic PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SHA-E1 Closed Insufficient site-specific velocity profile documentation exists This issue was resolved and reflected in the PRA to review the base case profile and possible uncertainties in model and documentation. New site specific data the site shear-wave velocity profile. Because the site was subsequently collected as part of the NTTF fundamental soil resonance may be near 1 second, a period 2.1 analysis.

that may be near a critical structural resonance, documentation of the epistemic uncertainty and aleatory variability of the site velocity profile should be developed.

SHA-E2 Closed The evaluation and incorporation of uncertainties in the site A SSHAC L3 analysis was performed subsequent response velocity profile may not be properly incorporated to the seismic PRA development as part of the because of insufficient or unreviewable site-specific data NTTF response to the NRC 50.54f letter on and/or its documentation. Also, the site response evaluation Fukushima. The SSHAC L3 analysis produced a was completed using a Senior Seismic Hazard Analysis site hazard curve which is bounded by the SSHAC Committee (SSHAC) Level 1 (L1) process which does not L1 hazard curve developed and used in the meet the ASME general Capability Category II guidelines. Seismic PRA model. Therefore, the issue is resolved by the updated SSHAC L3 hazard analysis.

1

Enclosure Description and Assessment of Proposed License Amendment Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-A1 Closed Some of the dispositioning in the complete seismic This issue was resolved and reflected in the PRA equipment list (SEL) does not have adequate documentation model and documentation. Contractor performed to justify screening of selected components. For example, walkdown and screening evaluation to compare component 1ENANS01 (13.8 kV Non-Class 1E Switchgear the estimated seismic capacities of selected Non-1ENANS01) is dispositioned (screened) by the statement Safety Related equipment to the capacity "Seismically induced failure of NA system (non-seismic class) assigned to LOP.

assumed addressed through seismic LOP." The median Re-quantification was performed to reflect fragility of seismic LOP is 0.3 g. For this screening to be updated hazard, updated fragility information and viable, APS should demonstrate that the median fragility of updated S-PRA modeling following the resolution 1ENANS01 is significantly higher than 0.3 g. However, these of Findings and Observations from the industry are non-Class 1E electrical components. This type of peer review.

screening argument is used many times within the complete SEL presented in Appendix B of CN-RAM-12-015.

SFR-C6 Closed The CDF is dominated by peak ground acceleration (PGA) in This issue was resolved and reflected in the PRA the range of about 0.3 g. Therefore, the effect of using input model and documentation. Contractor performed motion at the 0.3g PGA level should be examined. Contrary evaluation of increased uncertainty for soil to the self-assessment, the soil data is not sufficient to justify properties.

a Cv =0.5. The effect of using Cv = 1.0 should be examined. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review.

2

Enclosure Description and Assessment of Proposed License Amendment Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-F2 Closed The top seven cutsets involve seismic failure events (SF- This issue was resolved and reflected in the PRA TBBLD, SF-SOIL, and SF-MF) that are potentially model and documentation. Contractor performed conservative with respect to seismic fragility and may be seismic fragility investigation for PVNGS Unit 1 resulting in a seismic CDF that is not accurately reflecting the Main Feedwater (FW) system.

true plant response to seismic events. More analysis is Re-quantification was performed to reflect required to either justify the seismic fragilities presented or updated hazard, updated fragility information and to refine those values. updated S-PRA modeling following the resolution Event SF-TBBLD represents structural failure of the turbine of Findings and Observations from the industry building, resulting in collapse onto the underground pipe peer review.

tunnel from the CST. The concrete cover over the pipe tunnel is postulated to fail, resulting in failure of the AFW piping from the CST to the AFW pumps. There is the potential that the turbine building failure might not fail the pipe tunnel.

Event SF-MF involves seismic failure of main feedwater piping outside of containment (balance of plant). The fragility of this piping is based on a "generic" evaluation of SC-II components and is given a median acceleration of 0.21 g.

SFR-F3 Closed The draft report LTR-RAM-II-12-074 indicates that the draft This issue was resolved and reflected in the PRA relay assessment uses the IPEEE relay assessment as the model and documentation. LTR-RAM-II-12-074, starting point but accounts for the updated seismic hazard Revision 2 incorporated the 69 previously curve at the site. However, the report includes the following unaddressed relays.

statement in Section 2.3 (Unaddressed Relays): Re-quantification was performed to reflect This list (unaddressed relays) included 69 such relays. Of the updated hazard, updated fragility information and relays that have been included in the SPRA, their seismic updated S-PRA modeling following the resolution fragility events are found in many of the dominant CDF of Findings and Observations from the industry cutsets. peer review.

3

Enclosure Description and Assessment of Proposed License Amendment Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B1 Closed CN-RAM-12-015, Rev. 0, Palo Verde SPRA Model The first part of this finding is considered resolved Development, identifies the following for the Self-Assessment based on conducting a RG 1.200 self-assessment for SPR-B1: "The S-PRA relies on an internal event model of the internal events PRA model described that is assumed to be compliant with CCII of the PRA elsewhere in this enclosure and subsequent peer Standard." reviews of the internal flood and internal fire PRA It is understood that the PVNGS PRA model received an models which are based on the internal events industry PRA peer review in 1995 per the CEOG guidelines PRA model.

when the PRA model existed in the Risk Spectrum software The second part of this finding is considered environment. The current PVNGS PRA model has since been resolved by CN-RAM-12-024 Revision 1 that converted to the CAFTA software environment. APS has since updated the seismic HEPs based on timing and performed a self-assessment of the PVNGS Fire PRA and closed all open items from Revision 0.

Internal Events (FPIE ) PRA model against the ASME/ANS Re-quantification was performed to reflect Standard, but a number of SRs do not meet Capability updated hazard, updated fragility information and Category II. updated S-PRA modeling following the resolution Furthermore, as discussed in Section 4.2 of CN-RAM-12-024, of Findings and Observations from the industry there are five (5) open items from the FPIE HRA. Open Item peer review.

5 addresses that many values of T1/2 were not provided in the HRA Calculator, which indicates that the time required to perform the actions may not be accurate (FPIE SR HR-G5).

In addition, Section 4.3.1.4 identifies that PVNGS only uses the Cause-Based Decision Tree Method, which is known to underestimate the impact of time constrained HEPs and as a result, current expectation for meeting supporting requirement HR-G3 is to use a combination of CBDTM and HCR methods to ensure that timing is accurately reflected.

4

Enclosure Description and Assessment of Proposed License Amendment Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B6 Closed The review team could find no evidence that operator actions This issue was resolved and reflected in the PRA following relay chatter events were reviewed to ensure task model and documentation. LTR-RAM-II-12-074, does not change (e.g., additional execution steps to reset Revision 2 performed a comprehensive relay relay) if action is in response to relay chatter-induced failure. assessment to address this finding.

Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review.

SPR-B7 Closed Complementary success logic is added in the SPRA logic on a This finding is considered resolved based on sequence basis for the SIET via the SHIP software, but not meeting Addendum B of the ASME PRA Std, which for each basic event that represents a seismically-induced changed the requirement for this supporting failure. This is a limitation of the PRA technology and requirement.

software which was also noted in the Surry report. As such, this SR is assessed as Not Met.

However, SR SPR-B7 has been modified in the proposed revision of the PRA Standard (i.e., Addendum B). At the moment this calculation notes publication CCI/II of the equivalent SR in Addendum B (SPR-B5) reads as follows:

In the systems-analysis models, for each basic event that represents a significant seismically-caused failure, INCLUDE the complementary "success" state where applicable to a particular SSC, and DEFINE the criterion used for the term "significant" in this activity. Based on the wording of the new version, success logic addressing significant seismically caused failures are included in the model. With reference to the new wording of SR SPR-B5, this SR could be assessed as met at CCI/II.

5

Enclosure Description and Assessment of Proposed License Amendment Attachment 11: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B10 Closed Row SPR-B10 in Attachment 4.5-2 of CN-RAM-12-015 (i.e., CN-RAM-12-015 Revision 1 addressed this the summary attachment of the SPRA self-assessment) finding.

identifies the need to examine the effect of including a Re-quantification was performed to reflect seismically-induced small-small LOCA. The self-assessment updated hazard, updated fragility information and identifies that Section 5.1.3.9 discusses modeling a updated S-PRA modeling following the resolution concurrent small LOCA. of Findings and Observations from the industry Section 5.1.3.9 identifies that a seismic-induced Small LOCA peer review.

probabilistically models a seismic-induced LOP. It is assumed that this scenario would also address the scenario for a Seismic-induced LOP with a potential for a small-small LOCA.

6

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 12 Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 12: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition FSS-D2 Closed Generic Hot Gas Layer (HGL) calculations were This finding has been resolved by PRA model and performed using Consolidated Model of Fire and Smoke documentation changes.

Transport (CFAST) and documented in Hughes report Generic CFAST evaluations were revised to be 0001-0014-002-002, Rev 1. The CFAST HGL results specific to account for the limitations and have not been applied in a manner consistent with the assumptions of the area being modeled.

limitations and assumptions described in the report.

FQ-E1 Closed Several Human Failure Events (HFEs) were discovered to This finding has been resolved by PRA model and have a failure probability set to zero during the documentation changes.

quantification instead of the documented screening value HFEs documented to have a screening value of of 1.0 developed during the HRA task. Having the HEPs 1.0 have been revised in the model to use this set to zero potentially impacts the quantification results screening value. All HFE tools were reviewed, and the ability to identify significant contributors to CDF, updated to be consistent with the HRA Calculator such as initiating events, accident sequences, equipment source database, and validated.

failures, common cause failures, and operator errors. A review of component and basic event There is no documentation that shows that a review of importance to ensure they make logical sense the importance of components and basic events to was subsequently conducted and documented.

determine that they make logical sense was performed. Conduct of cutset reviews was added to the PRA There is no documentation that a review of documentation.

nonsignificant cutsets or sequences was performed.

1

Enclosure Description and Assessment of Proposed License Amendment Attachment 12: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition UNC-A1 Closed The following statement was made after several This finding has been resolved by PRA model and sensitivity results attachments: Because of the way the documentation changes.

cutsets were created, the numbers are not correct. The The sensitivity results were reviewed and exercise here is to show the ratios. This negates any of documented to show ratios of results.

the results reported in the results attachment. Documentation has been updated to include how The uncertainty analysis, for the most part, does not the PRA model is affected by model uncertainty include any review of the uncertainty results. Therefore, and related assumptions.

how the PRA model was affected and a check for the Sources of LERF uncertainty and assumptions reasonableness was not documented. Therefore it is not have been identified and documented.

clear that a check for reasonableness was performed. All assumptions used in the development of the There is a statement in the Uncertainty Analysis PRA model have been reviewed and documented.

notebook that this analysis was not performed for LERF. Instances of modeling simplification or Upon review of the notebook it was found that for some conservatism were so noted versus declared as uncertainty analyses were run for both CDF and LERF. A default assumptions. Assumptions with the review of the uncertainty analysis should be performed potential to significantly impact results were and all uncertainty analysis should be performed for CDF addressed in the Uncertainty and Sensitivity and LERF. analyses Many instances were found where assumptions were found in notebooks that were not documented in the assumption section. This could lead to missing an area that needs to be addressed in the uncertainty analysis.

(Review documents and verify that where the word "assumes" is used that an actual assumption is being made.)

2

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 13 External Hazards Screening Attachment 13 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Airport hazard meets 1975 Standard Review Plan (SRP)

PS2 Aircraft Impact Y requirements. Additionally, airways PS4 hazard bounding analysis per NUREG-1855 is < 1E-6/y.

Not applicable to the site because of Avalanche Y C3 climate and topography.

Sudden influxes not applicable to the plant design [closed loop systems for Essential Cooling Water System (ECWS) and Component Biological Event Y C3, C5 Cooling Water System (CWS)].

Slowly developing growth can be detected and mitigated by surveillance.

Not applicable to the site because of Coastal Erosion Y C3 location.

Plant design eliminates drought as a Drought Y C5 concern and event is slowly developing.

Plant design meets 1975 SRP External Flooding Y PS2 requirements.

The plant design basis tornado has a frequency < 1E-7/y. The spray Extreme Wind or PS2 Y pond nozzles (not protected against Tornado PS4 missiles) have a bounding median risk < 1E-7/y.

Limited occurrence because of arid Fog Y C1 climate and negligible impact on the plant.

Not applicable to the site because of Forest or Range Fire Y C3 limited vegetation.

Limited occurrence because of arid Frost Y C1 climate.

1

Enclosure Description and Assessment of Proposed License Amendment Attachment 13 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Limited occurrence and bounded by C1 other events for which the plant is Hail Y C4 designed. Flooding impacts covered under Intense Precipitation.

Plant is designed for this hazard.

High Summer Y C1 Associated plant trips have not Temperature occurred and are not expected.

High Tide, Lake Level, Not applicable to the site because of Y C3 or River Stage location.

Covered under Extreme Wind or Hurricane Y C4 Tornado and Intense Precipitation.

Ice blockage causing flooding is not applicable to the site because of location (no nearby rivers and C3 Ice Cover Y climate conditions). Plant is C1 designed for freezing temperatures, which are infrequent and short in duration.

Explosive hazard impacts and Industrial or Military control room habitability impacts Y PS2 Facility Accident meet the 1975 SRP requirements (RGs 1.91 and 1.78).

PRAs addressing internal flooding have indicated this hazard typically results in CDFs 1E-6/y. Also, the Internal Flooding N None ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Flooding PRA.

PRAs addressing internal fire have indicated this hazard typically results in CDFs 1E-6/y. Also, the Internal Fire N None ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Fire PRA.

Not applicable to the site because of Landslide Y C3 topography.

2

Enclosure Description and Assessment of Proposed License Amendment Attachment 13 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

Lightning strikes causing loss of offsite power or turbine trip are contributors to the initiating event frequencies for these events.

Lightning Y C1 However, other causes are also included. The impacts are no greater than already modeled in the internal events PRA.

Low Lake Level or Not applicable to the site because of Y C3 River Stage location.

Extended freezing temperatures are Low Winter C1 rare, the plant is designed for such Y

Temperature C5 events, and their impacts are slow to develop.

The frequency of meteorites greater Meteorite or Satellite than 100 lb striking the plant is Y PS4 Impact around 1E-8/y and corresponding satellite impacts is around 2E-9/y.

Pipelines are not close enough to Pipeline Accident Y C3 significantly impact plant structures.

Release of Chemicals Plant storage of chemicals meets Y PS2 in Onsite Storage 1975 SRP requirements.

Not applicable to the site because of River Diversion Y C3 location.

The plant is designed for such C1 events. Also, a procedure instructs Sand or Dust Storm Y C5 operators to replace filters before they become inoperable.

Not applicable to the site because of C3 Seiche Y location. Onsite reservoirs and C1 spray ponds designed for seiches.

PRAs addressing seismic activity have indicated this hazard typically results in CDFs 1E-6/y. Also, the ASME/ANS PRA Standard requires a Seismic Activity N None detailed PRA or Seismic Margins Assessment (SMA) for this hazard which is addressed in the PVNGS Seismic PRA.

3

Enclosure Description and Assessment of Proposed License Amendment Attachment 13 External Hazards Screening Screening Result Screening External Hazard Screened?

Criterion Comment (Y/N)

(Note 1)

The event damage potential is less than other events for which the C1 Snow Y plant is designed. Potential flooding C4 impacts covered under external flooding.

The potential for this hazard is low at the site, the plant design Soil Shrink-Swell C1 Y considers this hazard, and the Consolidation C5 hazard is slowly developing and can be mitigated.

Not applicable to the site because of Storm Surge Y C3 location.

Toxic gas covered under release of chemicals in onsite storage, Toxic Gas Y C4 industrial or military facility accident, and transportation accident.

Potential accidents meet the 1975 SRP requirements. Bounding analyses used for offsite rail PS2 shipment of chlorine gas and onsite Transportation PS4 truck shipment of ammonium Y

Accident C3 hydroxide. Marine accident not C4 applicable to the site because of location. Aviation and pipeline accidents covered under those specific categories.

Not applicable to the site because of Tsunami Y C3 location.

Turbine-Generated Potential accidents meet the 1975 Y PS2 Missiles SRP requirements.

Not applicable to the site because of Volcanic Activity Y C3 location.

Waves associated with adjacent large bodies of water are not C3 Waves Y applicable to the site. Waves C4 associated with external flooding are covered under that hazard.

Note 1 - See Attachment 14 for descriptions of the screening criteria.

4

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 14 Progressive Screening Approach for Addressing External Hazards Attachment 14 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments NUREG/CR-2300 C1. Event damage potential Initial Preliminary and ASME/ANS is < events for which plant Screening Standard RA-Sa-is designed.

2009 C2. Event has lower mean NUREG/CR-2300 frequency and no worse and ASME/ANS consequences than other Standard RA-Sa-events analyzed. 2009 NUREG/CR-2300 C3. Event cannot occur and ASME/ANS close enough to the plant Standard RA-Sa-to affect it.

2009 NUREG/CR-2300 Not used to screen.

C4. Event is included in the and ASME/ANS Used only to definition of another event. Standard RA-Sa- include within 2009 another event.

C5. Event develops slowly, allowing adequate time to ASME/ANS eliminate or mitigate the Standard threat.

PS1. Design basis hazard ASME/ANS Progressive cannot cause a core Standard RA-Sa-Screening damage accident. 2009 PS2. Design basis for the NUREG-1407 and event meets the criteria in ASME/ANS the NRC 1975 Standard Standard RA-Sa-Review Plan (SRP). 2009 PS3. Design basis event NUREG-1407 as mean frequency is < 1E- modified in 5/y and the mean ASME/ANS conditional core damage Standard RA-Sa-probability is < 0.1. 2009 NUREG-1407 and PS4. Bounding mean CDF is ASME/ANS

< 1E-6/y. Standard RA-Sa-2009 1

Enclosure Description and Assessment of Proposed License Amendment Attachment 14 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments Screening not successful. NUREG-1407 and PRA needs to meet ASME/ANS Detailed PRA requirements in the Standard RA-Sa-ASME/ANS PRA Standard. 2009 2

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 15 Disposition of Key Assumptions/Sources of Uncertainty Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The only plant system SBOGs can be aligned to The existing PRA model modeled in the PRA that is multiple units to supply conservatively does not shared between the three limited loads. credit SBOGs in more than units is the station one unit. Therefore, no blackout generators sensitivity analysis is (SBOGs). Simultaneous required for this application.

multiple unit station blackout conditions are screened out based on low probability. SBOGs are assumed aligned to one unit only during an event.

3

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Reactor Coolant Pump RCP Seal Leak or Rupture is No sensitivity analysis is (RCP) Seal Leak or not modeled as a loss of required for this application.

Rupture RCS Inventory safety function. Based on Westinghouse WCAP-15749 (Reference 1) and pump seal vendor information, it was concluded that because of the very tight clearances, leakage into the seal package from the RCS is limited to about 17 gpm per pump. Each of the four RCPs has a seal package which consists of three seals. As a result, even if the seal package on all four RCPs failed, the total leak rate would be within the capacity of two charging pumps and does not qualify as a LOCA.

An analysis showed that continuing to model RCP seal leakage and requiring charging pumps to mitigate the leakage represented an insignificant contribution to CDF or LERF, even assuming one of the three seals on each pump failed. The analysis also showed that modeling catastrophic failure due to operator failure to secure the pumps upon loss of cooling and seal injection was an insignificant contributor to CDF or LERF.

4

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Loss of Coolant Accident NUREG/CR-6928 (Reference The slight variance in the (LOCA) Frequencies 2) restated the results from range of break sizes for NUREG-1829 (Reference 3). different LOCAs is not The LOCA frequencies are significant and is judged to based upon expert have minimal impact on elicitations. The LOCA sizes LOCA frequencies, within identified by the NRC are the uncertainties associated different from those with the expert elicitation estimated for PVNGS. values, and of insignificant impact. Therefore, no sensitivity analysis is required for this application.

Loss of Off-site Power The national LOP data The LOP frequencies are (LOP) Frequency presented in the latest EPRI based on recent industry events reports referenced in data and are appropriate to PRA Study 13-NS-C004 represent plant-specific (Reference 4) was used to conditions. SBOGs, as well obtain point-estimates for as other additional electric switchyard centered and power supplies, are severe weather related LOP available on site to mitigate frequencies. The EPRI LOP. Therefore, no Reports indicate that the sensitivity analysis is generic LOP data is subject required for this application.

to user modifications and screenings to fit the local plant designs and environmental conditions.

This approach of LOP screening is considered reasonable and necessary to avoid erroneous skewing of the LOP data. The frequency of extreme weather LOP category was obtained as that of the frequency of tornado occurrence with category F2 or higher. The frequency of grid related LOP was obtained by Bayesian updating the reported value for western region (Western Electricity Coordinating Council) in the Draft NRC NUREG/CR-INEEL/EXT-04-02326 (Reference 5).

5

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Loss of Off-site Power The probabilities of offsite The offsite power non-(LOP) at Switchyard power non-recoveries were recovery probabilities are Associated Non-Recovery obtained from Table 4-1 of based on the best available Probabilities the draft NRC NUREG/CR- data and are appropriate to INEEL/EXT-04-02326 represent plant-specific (Reference 5). The error conditions. SBO diesel factors associated with LOP generators, as well as other frequencies and LOP non- additional electric power recovery probabilities were supplies, are available on obtained from draft NRC site to mitigate LOP.

NUREG/CR-INEEL/EXT Therefore, no sensitivity 02326 (Reference 5) (when analysis is required for this provided); otherwise, by application.

using available in-house statistical programs for lognormal and Weibull distributions.

Battery Life Assumptions The PVNGS batteries are not Crediting the actual higher credited in the long term, capacities of the batteries because they are and updated load shedding conservatively assumed to actions from Fukushima be discharged after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months driven procedure changes per calculation 01-EC-PK- would result in additional 0207. Although the IEEE mitigation capabilities made Class 1E batteries are available. Therefore, no designed to operate for 2 sensitivity analysis is hours, Engineering has required for this application.

determined that the class batteries' life is at least 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months in calculation 01-EC-PK-0207. Thus they are available for power recovery at the 3-hour point on the incident timeline.

6

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Human Failure Events Accessibility for completion A sensitivity analysis was (HFEs) during a seismic of non-screened human performed evaluating the event failure events (HFE) during impact of not crediting the a seismic event is assumed subject HFEs and there was possible for all non-screened minimal impact on the CDF HFEs besides those which and LERF. Therefore, no are assumed to fail in the additional sensitivity case where the corridor analysis is required for this building or turbine building application.

collapses. Both the collapse of the corridor building and turbine building and their impact on the access to the Main Steam Support Structure is considered in the Seismic PRA model.

There is a pinch point that leads into the MSSS that could restrict movement into the MSSS which would prevent local MSSS actions from being performed.

Seismic performance Seismic-only PSFs applied to This is considered a shaping factors (PSFs) the internal events HEPs will conservative assumption.

with respect to seismic- over-ride the flooding PSFs Therefore, no sensitivity induced flooding. based on the consideration analysis is required for this that the seismic events are application.

more global events than the specific flooding events. No additional modifications are made to the internal events HEP to consider the possibility of seismic-induced flooding events.

7

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The Seismic PRA HFE The Seismic PRA The modification of the dependency analysis dependency analysis timing available due to assumes that once an seismic considerations may accident sequence is result in a longer response initiated, the operator action or identification time and timing for a seismically consequently a higher HEP.

induced event is similar to A sensitivity analysis was that of an internally induced performed in the seismic event for main control room PRA quantification actions. increasing the failure probability all HEPs to 1.0, resulting in a 39.36%

increase in CDF. For this application, the seismic risk contribution from the emergency diesel generator unavailability is only 5.5%

of the total ICCDF and 5.1%

of the total ICLERF.

Therefore, no sensitivity evaluation is required for this application.

Seismic PRA Weighting There is no standardized More emphasis was given to factors applied to three method to calculate human the Surry method since it approaches error probabilities (HEP) in a was a selective combination seismic PRA. Therefore, a of previous approaches and mean HEP for each basic the most recently performed event was calculated by and published method.

combining three accepted However, the Surry method approaches (Surry, has the potential to be the Kernkraftwerk Muhleberg least conservative approach (KKM), and Swiss Federal among the three methods. A Nuclear Safety Inspectorate sensitivity analysis was (ENSI)) using the following performed that ran the weighting factors: 0.7, 0.15, Seismic PRA model using 0.15, respectively. only the KKM and ENSI approaches, equally weighted. The change in CDF and LERF was -1.63%

and 0.42%. Therefore, no additional sensitivity analysis is required for this application.

8

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Relay chatter correlation Relay chatter between This is a conservative relays of the same assumption because the manufacturer, model demand experienced by a number, and plant location, relay is dictated by in-i.e., building and elevation cabinet response and not were assumed to be fully the in-structure response correlated. Also, each relay spectra (ISRS) which the identified as a control binning is based. Therefore, switch, push button, or no sensitivity analysis is motor starter are fully required for this application.

correlated with other generic, like components.

Simplified Relay Fragility Low risk importance relays This assumption is Parameters (based on Risk Achievement reasonable given that none Worth) were treated with a of the c values for the simplified fragility analysis relays evaluated using the and higher importance detailed fragility analysis relays (10 different types) were determined to have a were treated with a detailed c below 0.33 and most had fragility analysis. The c of around 0.5.

simplified relay chatter Therefore, no sensitivity fragility analysis assumed a analysis is required for this c of 0.35 based on application.

engineering judgment.

Seismic failure of relays For the relays modeled in PRA analyst experience is and basic event mapping the Seismic PRA, the basic credited in the selection of event associated with the the appropriate internal seismic failure of the relay events PRA model must be mapped to an component failure modes to existing internal events reflect postulated seismic target basic event. A key PRA model component source of modeling failure modes. This uncertainty is associated selection was performed by with the mapping of seismic Westinghouse PRA seismic basic events. Failure modes experts and reviewed by postulated for the PVNGS APS PRA engineers.

internal events model may Therefore, no sensitivity not fully align with their analysis is required for this assigned seismic application.

counterparts.

9

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Seismic PRA uses internal The PVNGS Seismic PRA The internal events PRA that events PRA as a starting assumes that the internal was used to develop the point events PRA that is used as a Seismic PRA was evaluated starting point meets the separately for its PRA requirements of Capability quality and was determined Category II of the PRA to meet Capability Category standard. II of the PRA standard.

Therefore, no sensitivity analysis is required for this application.

Success criteria for If not otherwise specified, The base case Seismic PRA Seismic PRA the success criteria uses a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time associated with the internal for the run time of events PRA logic are mitigating equipment. A considered valid and sensitivity case was applicable to accident developed to assess the sequences initiated by a impact of using a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months seismic event. However, a mission time for equipment standard 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission run failures. The change in time may not be suitable for overall CDF and LERF for a seismic-induced accident this case is 2.73% and scenario because of the 0.69%, respectively.

longer time needed for Therefore, no additional offsite power recovery. sensitivity analysis is required for this application.

Seismic failure correlation Seismic failures are Overall, the main feedwater assumed to be completely fragility has the same correlated. This assumption generic value as the implies that a single basic steamline fragility (0.21g).

event is used to model the Since a variety of seismic failure of components in multiple components that are locations/elevations in the identified as pertaining to Turbine Building are the same fragility. Theres potentially involved with a one exception to this where variety of boundary failures in the steam path in conditions and anchorage the Turbine Building are not conditions, the two basic considered correlated with events associated with main failures of the feedwater feedwater and steamlines lines. fragility events should not realistically be correlated and this treatment was reviewed in the peer review.

Therefore, no sensitivity analysis is required for this application.

10

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Seismically induced Loss of The seismically induced LOP The basis for this Offsite Power (LOP) is assumed to bound the assumption is that fragility of non-seismic class seismically induced LOP has system. This assumption a generally low seismic implies that a number of capacity. Scenarios where non-seismic class systems the non-seismic support are not addressed with a systems incur seismically specific seismic failure. induced failures while offsite power is still available are considered realistic only for very low magnitude seismic events. Therefore, the most significant mitigating equipment will still be available. This is considered a conservative assumption.

Therefore, no sensitivity analysis is required for this application.

Seismic PRA LOP recovery In the Seismic PRA, LOOP It is realistic to consider that recovery is not credited for offsite power recovery is any seismic event above the available for low magnitude safe shutdown earthquake seismic events. The (SSE), while it is credited selection of the SSE as a with unchanged probability threshold between for a seismic event below recovery/no-recovery of the SSE. offsite power is arbitrary and conservative. Therefore, no sensitivity analysis is required for this application.

11

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Screening of equipment in Screening of equipment in Using a surrogate event for the Seismic Equipment List the Seismic Equipment List a number of components (SEL) (SEL) is based on fragility that have been screened out analysis. Equipment introduces a conservative screened by the fragility failure mode. The team as inherently rugged is uncertainty introduced by not modeled in the Seismic the use of surrogate PRA for their seismic equipment for the seismic induced failure. In order to class I system is judged to quantitatively capture the have a limited impact on the impact of screened out model. Therefore, no equipment, generic fragility sensitivity analysis is parameters for the building required for this application.

that housed the screened out equipment were used.

The screened equipment are modeled through a surrogate basic event at a system level.

Operators tripping the It is assumed that the This is considered a reactor above operating operators will always trip conservative assumption.

basis earthquake (OBE) the reactor in case of a Therefore, no sensitivity seismic event above OBE analysis is required for this even if the option for a application.

controlled shutdown is allowed.

Train N Auxiliary The AFN Pump is assumed A sensitivity case was Feedwater (AFN) Pump to remain functional with developed to assess the (AFN) is assumed to small breaks or leaks at uncertainty in crediting the remain functional following instrument tubing. The AFN pump and not the a design basis earthquake fragility analysis associated associated piping network.

with the AFN Pump only The capacity of the AFN addresses the pump and not pump was reduced to the the entire piping network. same system level fragility parameters associated with the instrument air system.

CDF and LERF increased by 0.08% and 0.03% and indicates little significance of uncertainty in this simplification of the analysis. Therefore, no additional sensitivity analysis is required for this application.

12

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Main steam line relief Main steam line relief valves A sensitivity case is valves not explicitly are screened out of the developed to assess the included in the SEL. analysis on the basis that impact of this assumption. A the steam generator and fully dependent seismic related piping & valves are failure across all 20 relief considered very rugged. For valves is modeled. CDF and this reason, the seismic LERF values did not change failure of the main steam when compared to the base line relief valves is not case results. This indicates modeled. that no significant uncertainty. Therefore, no additional sensitivity analysis is required for this application.

Structural failures of Structural failures of This is a conservative buildings building are assumed to assumption since the result in major collapse and fragility parameters failure of all equipment provided are addressing the hosted inside the building. beginning of the structural failure, and a failure of limited areas of the building may result in failure of only a limited number of equipment inside the building. The most significant example of this assumption is the structural failure of the Turbine Building assumed to be also impacting and failing the CST tunnel. Therefore, no sensitivity analysis is required for this application.

The Anticipated Transient The ATWS logic for seismic Moderator Temperature Without Scram (ATWS) PRA assumes that the RCS Coefficient (MTC) and ATWS logic for seismic PRA pressure will be above the pressure transient are not HPSI shutoff head for only a influenced by the fact that short period of time. the event is initiated by a seismic event rather than a spurious failure. Therefore, the success criteria developed for the internal events ATWS are considered valid for the seismic PRA.

Therefore, no sensitivity analysis is required for this application.

13

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty All flood scenarios on the A cutset review showed that This is a conservative 40ft and 51ft elevations of the contribution of Fire approach and should not the Auxiliary Building Protection (FP) initiators is have a significant impact on assumes that a pipe failure very low and that the the baseline Internal Flood drains the Refueling Water Internal Flood results are model. Therefore, no Tank (RWT). not being skewed by this sensitivity analysis is conservatism. required for this application.

A single internal events Since there are no It is a realistic assumption PRA model was developed significant differences that the Unit 1 SSC to quantify the plant flood between the units, the Unit designators are used, since risk for multiple units. 1 System, Structure, or there are no major Component (SSC) differences between the designators were used. It three units in terms of was therefore assumed that internal flood. Therefore, no the quantification results are sensitivity analysis is applicable to all units. required for this application.

All components within a This is a conservative This is a conservative flood area where the flood assumption that simplifies approach that simplifies the originates were assumed the impacted component impacted component list.

susceptible and failed as a list. Uncertainty exists Therefore, no sensitivity result of the flood, spray, where exactly the flood analysis is required for this steam, jet impingement, would occur, the impact due application.

pipe whip, humidity, to the geometry of the room condensation and and equipment, and the temperature concerns direction of the spray or except when component splash for a given scenario.

design (e.g., This assumption raises CDF.

waterproofing) spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect.

Block walls are not Unless a treatment is non- This has no impact and is of credited in the analysis conservative, the block walls low consequence. Therefore, and are treated as typical are analyzed on an no sensitivity analysis is plant walls. individual basis. The amount required for this application.

of water that could flow through the gaps is unknown. This has no impact as there were no scenarios where the failure of block walls would lead to a non-conservative treatment.

14

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Breaks in pipes less than The basis for this This is a conservative or equal to two inches in assumption is as follows: approach. Therefore, no equivalent diameter were 1. Provides a practical limit sensitivity analysis is only considered if the to bound the scope of the required for this application.

break would directly result analysis to potentially large in a plant trip or result in a flow rate and significant flood induced equipment consequence events.

failure that would result in 2. Pipe sizes of less than or a plant trip or immediate equal to two inch diameter shutdown. do not accurately reflect plant fluid system flood impacts (i.e. two inch diameter pipes produce significantly smaller flood rates).

3. At low flow rates, typical of pressure boundary failure in pipes less than or equal to two inches, the operator response time is longer and less stressful. Such conditions enhance operator actions significantly to successfully mitigate the breaks in small bore pipes.

However, piping less than two inches in diameter is considered on an individual basis when necessary for spray and flooding events.

Specifically these events are considered in rooms without drains. Piping less than two inches was also considered for spatially specific spray events, however none were modeled and a detailed discussion of the possible events are documented.

Closed-loop systems and This is a conservative This is a conservative tanks were assumed to approach that allows for the approach. Therefore, no instantaneously release consideration of all sensitivity analysis is the entire system consequences and does not required for this application.

inventory require time based calculations.

15

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Control Room staff would Human Error Probability This is a conservative be unable to respond (HEP) and Performance approach. Therefore, no effectively to multiple Shaping Factors (PSF) sensitivity analysis is events immediately adjustments were made required for this application.

following the flooding during the early stages of a event flooding event to account for the additional stress influencing factors. The CDF is higher with this assumption.

No addition to the Control Operator actions to isolate It is a realistic assumption Room crew is credited the flood source are that there would be no early into a flood event required shortly after addition to the Control when assessing human detecting that a Pressure Room crew early into the actions. Boundary Failure (PBF) has flood event when assessing occurred. Often when human actions. Therefore, responding to flood events no sensitivity analysis is operators are responding to required for this application.

multiple alarms.

It is assumed that pipes The assumption is This is a conservative that are larger than 3" conservative as it includes approach. Therefore, no were capable of producing additional piping that may sensitivity analysis is major floods unless it was not be conducive to major required for this application.

determined that the piping flooding. Since, major floods was not capable of are not a major contributor producing a major flood. to the Pressure Boundary Failure frequency, its contribution to risk would be considered minimal.

External tanks were not External tanks that are There is no significant considered as a flood ruptured would not normally impact on the model.

source unless there is a propagate into the plant. Therefore, no sensitivity normally available There were no tanks analysis is required for this pathway into the plant identified in this Internal application.

whereby the tank contents Flood PRA that did not could empty into a room propagate into the plant. It within the main plant was assumed that the structures. impact of an external tank rupture was bounded by the evaluation performed for internal events. Breach of an external tank was assumed to discharge to the yard area and there would be no flood-induced failures of PRA related components.

16

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Floods are assumed to fail Cases in which equipment is It is a realistic assumption all equipment in the deemed as sufficiently high and is of low consequence.

initiating room and then or flood barriers are not Therefore, no sensitivity propagate out of the room expected to retain water to analysis is required for this to surrounding flood areas. sufficient flood levels are application.

treated on an individual basis. Additionally, splitting the flood areas would generate an unreasonable number of scenarios with no added insight. The Top cutsets are not impacted, however if very specific isolation actions were taken this assumption could be significant.

Floods are assumed to Water will flow down the It is a realistic assumption propagate down pipe path of least resistance and is of low consequence.

chases prior than down therefore a pipe chase is the Therefore, no sensitivity stairwells in situations preferred path over a analysis is required for this where pipe chases are not stairwell with a door in application.

surrounded by a curb front.

and/or a door must be opened to enter into the stairwell.

Floods are assumed to The hydrostatic load that a It is a realistic assumption propagate through door can handle is based on and is of low consequence.

doorways which open out, whether the door closes Therefore, no sensitivity away from the initiating against the frame or away analysis is required for this flood area more readily (with relation to the room application.

rather than doorways that the flood initiates). A which open in, towards the door that is against the initiating flood area. frame can withstand a greater load as opposed to away from the door frame.

17

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Floor drains were assumed This assumption is based on It is a realistic assumption to be capable of controlling the expectation that a spray and is of low consequence.

water levels for spray event will not result in a Therefore, no sensitivity events. significant accumulation of analysis is required for this standing water. During plant application.

walkdowns it was observed that drain entrances were maintained in proper working condition and free of debris. Drains were not credited for any flood or major flood events. It was assumed that spurious actuation of system relief valves would discharge a limited amount of inventory to a discharge tank. Such events were screened out as potential flood sources.

Grouping boundary Grouping boundary This is a conservative condition sets for the LERF condition sets for the LERF approach and is of low analysis results in analysis is a conservative consequence. Therefore, no conservative modeling of approach. The LERF sensitivity analysis is the containment isolation contribution of sequences required for this application.

valves. that have been grouped for the LERF analysis and involve failure of containment isolation valves are considered very low.

The piping layout for flood To the extent possible, the It is a realistic assumption sources included in the similarities were confirmed and is of low consequence.

Internal Flood PRA was during the plant walkdowns. Therefore, no sensitivity shown and estimated to be Therefore, Units 2 and 3 analysis is required for this similar for all three units. pipe lengths were assumed application.

to be identical to Unit 1 piping lengths. There are no major differences between the three units.

18

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty It is assumed that if a PBF There are no operator This is a conservative were to occur in the Safety procedures for isolating a assumption and is of low Injection (SI) or Chemical flood event, therefore the consequence. Therefore, no

& Volume Control (CH) most conservative and sensitivity analysis is system piping, that the bounding location to isolate required for this application.

operator would isolate the a flood of the SI or CH is flood at one of the two one of the two pipe headers.

pipe headers connecting By isolating at this point it the Refueling Water Tank results in the loss of at least (RWT) to the CH and SI one train of the ECCS. This systems. does cause a trip. Therefore the overall impact on the model is small.

It is assumed that spurious Spurious actuation of a This is of low consequence.

actuation of system relief system relief valve was not Therefore, no sensitivity valves would discharge a determined to be a credible analysis is required for this limited amount of flood source because the application.

inventory to a discharge inventory that was released tank and such events were would be retained within the screened out as potential flood area and would not flood sources. lead to an applicable initiating event. The risk is considered negligible as this is not considered to be a significant source of inventory.

Limited or no access to an There was no credit taken This is of low consequence.

area where flood initiation for mitigation when the Therefore, no sensitivity occurs was assumed. equipment relied on for analysis is required for this mitigation was located in the application.

flood initiation area.

Operators cannot get into flooded areas.

Only one internal flood The occurrence of It is a realistic assumption initiating event is assumed simultaneous multiple and is of low consequence.

to occur at a time. independent internal flood Therefore, no sensitivity events were considered to analysis is required for this be very unlikely and were application.

not considered in this evaluation. This is consistent with PRA modeling.

19

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The breach of isolation This is a simplifying This is a conservative barrier(s) that may result assumption that has assumption and is of low in a maintenance-induced negligible impact on the consequence. Therefore, no flood event was assumed model. Propagation sensitivity analysis is to have no impact on pathways were made to be required for this application.

altering the propagation conservative for all paths related to other scenarios. Maintenance flooding mechanisms (i.e., induced failures such as pipe failure) for the flood sprinkler heads were source. specifically evaluated as spray events in the flood model where they could lead to a plant trip.

The indirect effects of a Closed looped systems were This is a conservative PBF on the operability of a considered to be normally assumption and is of low closed looped system were operating and provides consequence. Therefore, no considered to be cooling to equipment that is sensitivity analysis is immediate. relied on to maintain the required for this application.

plant in a power production state. It was therefore assumed that operator actions cannot be performed in a timely manner to preclude a plant trip. Most closed loop systems have a limited system capacity. A PBF would drain the system and in most cases an operator action to isolate the PBF would not be feasible. This assumption is conservative and raises CDF.

20

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The spill rate resulting For a potentially unlimited It is a realistic assumption from a PBF of a potential source, a PBF that resulted and is of low consequence.

unlimited flood source that in a spray event (<100 Therefore, no sensitivity causes a spray event is gpm) would take an analysis is required for this low enough (i.e., <100 extraordinary amount of application.

gpm) to have no time to cause a loss of that significant impact on the system. Additionally, given operation of the affected that for most of the large system. nearly unlimited sources the makeup capabilities of the system would generally exceed the flow rate generated by a spray event.

It was therefore assumed that such systems have sufficient design margin to maintain the operability of the system and a plant trip would not occur. Note that for systems with a low system capacity (i.e. the CH system) this assumption was not valid.

21

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The flow rate from a PBF is The spill rate resulting from This is a conservative assumed static at the a PBF of piping is considered assumption and is of low maximum possible rate to be the highest flow rate consequence. Therefore, no and the scenario is only possible from the system or sensitivity analysis is ended when the source piping, and for tank is was required for this application.

was exhausted or isolated. assumed to be constant at an assumed flow rate, and for systems requiring pumps is considered the realistic pump flow rate, for the particular break in the originating flood area until the flood source was isolated or its water supply was limited or exhausted.

The accumulation of flood water in a flood area was considered halted when the flood source was terminated, or when outflow from the flood area matches or exceeds the inflow of flood water to the flood area. A constant maximum spill rate minimizes the time to reach the critical heights for SSCs that are susceptible to flooding.

Spill rates were assumed to fall within the following categories:

Spray events: 100 gpm

Flood events: greater than 100 gpm but less than 2000 gpm (or maximum capacity of the system, whichever is lower)

Major flood events:

greater than 2000 gpm (or the maximum capacity of the system, whichever is lower) 22

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The treatment of main Recovery of feedwater is This is of low consequence steamline break and main important for secondary side since the equipment/

feedwater line break heat removal. The internal components failed in the internal events analysis events analysis was believed internal events model is was assumed to address to provide sufficient analysis bounding. Feedwater line the impact of these events to be used in the internal breaks impact alternate in assessing whether main flooding model. feedwater, steam to feedwater can be auxiliary feedwater pump recovered following a A, turbine bypass valves and reactor trip. main feedwater. Steamline breaks impact auxiliary feedwater to the faulted steam generator (SG),

steam supply to auxiliary feedwater pump A, main feedwater and turbine bypass valves. Additionally, the atmospheric dump valves for steam line break and feedwater line break associated with the faulted SG would be impacted, but are not credited for the faulted SG. Therefore, no sensitivity analysis is required for this application.

It was assumed that The flood HRA dependency This is of low consequence.

minimal or no dependency analysis did not include Therefore, no sensitivity existed between flood- large early release specific analysis is required for this specific and large early HFEs. HFEs specific to large application.

release specific Human early releases (i.e., post-Failure Events (HFEs). core damage operator actions) are generally performed several hours after the initiating event occurs.

No dependency between early and late operator actions. There is no impact on the model.

23

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty The fire areas defined by Fire areas are required by It is a realistic assumption the Fire Hazards Analysis regulation to be sufficiently and is of low consequence.

(which is contained in the bounded to withstand the Therefore, no sensitivity UFSAR, Sections 9B.2.1 hazards associated with the analysis is required for this through 9B.2.22) will area as defined in Generic application.

substantially contain the Letter 86-10 (Enclosure 1 adverse effects of fires Section 4). Fire zone originating from any boundaries are similarly currently installed fixed assumed adequate; ignition source or however, because fire zones reasonably expected have a lesser pedigree than transient ignition source. fire areas, their boundaries Fire zone boundaries are are verified adequately in similarly assumed this notebook by a FHA adequate or combined. review and plant walkdowns. Fire zone boundaries that appear unable to withstand the fire hazards within the zone are combined. The fire PRA utilizes fire compartments which generally align with fire zones, but may be a combination of several fire zones.

24

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Systems and equipment The assumption that any fire It is a realistic assumption not credited in the fire- fails all equipment lacking and is of low consequence.

induced risk model (e.g., cable routing information Therefore, no sensitivity systems for which cable has the potential to affect analysis is required for this routing will not be the assessed fire risk. The application.

performed) are assumed assumption that any fire will to be failed in the fire- minimally result in a loss of induced risk model. These Main Feedwater and systems and equipment subsequent reactor trip are failed in the worst likely adds conservatism to possible failure mode, the Fire PRA results.

including spurious However, the degree of operation conservatism is relatively small compared with other It is assumed that any fire modeling uncertainties, will minimally result in a since Main Feedwater will loss of Main Feedwater and trip for most transient subsequent reactor trip. events.

This is a simplifying and conservative assumption The impact of these and is typical of Fire PRAs. assumptions was evaluated However, it may not be by a sensitivity analysis case true for all fires. which concluded that the risk reduction due to crediting all components assumed always failed was small.

It is assumed that the RPS design is sufficiently It is a realistic assumption Reactor Protection System fail-safe and redundant to and is of low consequence.

(RPS) design is sufficiently preclude fire-induce failure The low frequency of a fire fail-safe and redundant to to scram: Consistent with occurring coincident with the preclude fire-induce failure the guidance in NUREG/CR- low probability of to scram, or random 6850 Section 2.5.1, type of independent failure to scram failure to scram during a sequences that can be results in a negligible fire event, as a risk generally eliminated from contribution to fire risk.

significant contributor. consideration in Fire PRA Therefore, no sensitivity include sequences for which analysis is required for this a low frequency argument application.

can be made, and uses ATWS as a specific example, because fire-induced failures will almost certainly remove power from the control rods, resulting a trip, rather than cause a failure to scram condition.

25

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty Properly sized and Electrical protection design This is a conservative coordinated electrical calculations provide the approach because credited protective devices are documentation of the cable lengths have a margin assumed to function within electrical coordination of 20% or more applied to their design tripping between overcurrent the credited cable lengths to characteristics, thus protective devices. An ensure that applicable preventing initiation of evaluation was performed to raceways were identified.

secondary fires through assess the Fire PRA power Additionally, the fire-induced circuit faults created by supply coordination impact is modeled within the the initiating fire. requirements in accordance credited cable length.

with NUREG/CR 6850, and Therefore, no sensitivity provides a link to relevant analysis is required for this PVNGS electrical application.

coordination calculations that demonstrate selective tripping capability for each credited Fire PRA power supply. When selective tripping cannot be demonstrated, the current fire PRA model credits cable lengths to limit fault current that fails a power supply.

26

Enclosure Description and Assessment of Proposed License Amendment Attachment 15 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Discussion Disposition Uncertainty It is assumed that Fire PRA All raceways containing It is a realistic assumption targets were assigned the cables were assigned a and is of low consequence.

appropriate radiant heat radiant heat flux damage It was concluded that flux damage and threshold of 6kW/m2 and minimal benefit could be temperature damage 205 °C. Raceways obtained by further analysis criteria depending on the containing cables with to identify and model cable insulation thermoset insulation only raceways containing only information available. In may be assigned a radiant thermoset insulation.

other words, all raceways heat flux damage threshold Therefore, no sensitivity containing cables with of 11 kW/m2 and 330 °C analysis is required for this thermoplastic or unknown but have been initially application.

cable insulation were assigned the thermoplastic assigned a radiant heat damage thresholds. A brief flux damage threshold of review of the dominant 6kW/m2 and 205 °C. All scenarios identified the raceways containing cables existence of thermoplastic with thermoset insulation insulated cables within the only may be assigned a target raceways.

radiant heat flux damage threshold of 11 kW/m2 and 330 °C but have been initially assigned the thermoplastic damage thresholds.

References:

1. WCAP-15749, Guidance for the Implementation of the CEOG Model for Failure of RCP Seals Given Loss of Seal Cooling, Revision 0, December 2008

2. NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, January 2007

3. NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies through the Elicitation Process, Draft

4. 13-NS-C004, At-Power PRA Study for Loss Of Offsite Power Statistical Evaluation, Revision 7

5. NUREG/CR-INEEL/EXT 04-0236, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1986-2003, October 2004 27

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 The following are responses to NRC technical concerns brought up during a pre-submittal conference call held on December 29, 2016.

NRC Technical Concern 1 The license amendment request (LAR) for Palo Verde Nuclear Generating Station (PVNGS),

Unit 3, dated December 21, 2016 (license amendment 199 approved by NRC on December 23, 2016), states that the plant-specific risk assessment of the proposed change to the Technical Specification (TS) completion time (CT) follows the guidance in Regulatory Guide (RG) 1.174, Revision 2, and RG 1.177, Revision 1. Both of these regulatory guides endorse the guidance in RG 1.200, Revision 2, as an acceptable approach for determining whether the technical adequacy of the PRA is sufficient for use in regulatory decision-making (e.g.,

changes to a plants licensing basis).

Section 4.2, Licensee Submittal Documentation, of RG 1.200 provides detailed guidance on what information should be included in a risk-informed submittal to demonstrate the technical adequacy of the PRA, including a discussion of the resolution of peer review (or self-assessment, for peer reviews performed using the criteria in NEI 00-02) findings and observations that are applicable to the submittal. Also stated in RG 1.200 is that the objective of the peer review is to demonstrate that the requirements in an NRC-endorsed standard (e.g., ASME/ANS RA-Sa-2009) have been met. of Enclosure 2 to the LAR lists those "Findings" from the peer review of the internal events PRA model (IEPRA) conducted in accordance with NEI 00-02. It is unclear whether these findings were dispositioned in a manner that demonstrates that the requirements in ASME/ANS RA-Sa-2009 (the ASME PRA Standard) have been met.

Therefore, address the following items related to these findings:

(a) Finding HR-01 cites concern that operation input into the human reliability analysis (HRA) may be marginal. The corresponding disposition explains that this finding was addressed by updating the HRA documentation, but does not explain whether the degree of operational input and review meets PRA standard ASME/ANS RA-Sa-2009, as qualified by RG 1.200, Revision 2. Supporting requirement (SR) HR-E3 of ASME/ANS RA-Sa-2009 requires talk-throughs of the procedures with plant operation and training personnel to ensure a consistent interpretation. Explain whether talk-throughs (i.e., detailed review) of the procedures with plant operation and training personnel were performed. Otherwise, justify why not performing talk-throughs is judged to have no significant impact on the quantification results used in this application.

(b) Finding HR-03 cites concern about not modelling miscalibration and common cause miscalibration of critical sensors. The corresponding disposition states that common cause modelling was updated in the PRA to match the NRC common cause database treatment. It is not clear from this statement how this finding 1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 was resolved in the PRA. Clarify how miscalibration errors were resolved in the IEPRA.

(c) Finding AS-03 asks why the plant response to small loss of coolant accidents (LOCAs) and induced small LOCAs were modelled differently. The corresponding disposition states that the finding has been resolved and closed by an update of the PRA model and documentation. Describe the update of the IEPRA model to resolve this finding, and, if applicable, explain and justify why the plant responses are different for these LOCAs.

APS Response to Technical Concern 1:

(a) Talk-throughs (i.e., detailed review) of the HRAs were conducted with two operating crews in 2012 in accordance with the ASME PRA Standard RA-Sa 2009.

(b) Instruments were screened for common cause as described in Engineering Study 13-NS-B064, Common Cause Failure Analysis for the Level 1 PRA. Common cause failure data for the screening was obtained from either published NUREG documents or the NRC common cause database. The instruments that screened in had common cause calculated for the respective instrument channels. Common cause miscalibration of instrument sensors is addressed as a pre-initiator Human Response Analysis (HRA) as documented in Engineering Study 13-NS-B062, At-Power PRA Study for Human Reliability Analysis. In addition to the common cause analysis, industry data in NUREG/CR 3289, Common Cause Fault Rate for Instrumentation, plant history, and instrument calibration procedures were reviewed for determining which instruments to model with a miscalibration HRA. These instruments were then assigned a pre-initiator HRA basic event in the model fault tree that would fail all associated instrument channels.

(c) No change was made to the internal events model. The model documentation needed enhancement. The explanation for the difference in modeling is provided below.

For small break LOCA hole sizes greater than two inches with no secondary cooling, sufficient containment pressure could build up that containment cooling is required.

Engineering Study 13-NS-B060, At-Power PRA System Study for Initiators, describes the small break size for PVNGS. Engineering Study 13-NS-B065, At-Power PRA MAAP 4.0.4 Analysis, describes the MAAP runs that demonstrated the need for containment cooling. The small break LOCA event tree conservatively treats all break sizes as being critical and asks for containment cooling when High Pressure Safety Injection (HPSI) and High Pressure Safety Recirculation (HPSR) are successful, but Reactor Coolant System (RCS) cool down and depressurization are unsuccessful, therefore adding sufficient energy to reach containment failure before core melt. Low pressure recirculation is needed for long term cooling with no HPSI for critical small break LOCAs and is supported by a specific MAAP run documented in engineering study 13-NS-B065.

2

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 Induced small LOCAs are associated with challenges to the Primary Relief Valves (PSVs).

These are addressed under Type 2 and 3 Transient event trees. Type 2 Transients are initiators which result in a reactor trip prior to turbine trip with Alternate Feedwater (condensate pumps) available. There is no challenge to the PSVs by the initial transient.

If attempts to cool the steam generators (SGs) with auxiliary feedwater (AF) fail and Alternate Feedwater must be aligned, the RCS would reach saturation conditions and begin blowing down water through the PSVs. Type 3 Transients are initiators which result in a turbine trip preceding reactor trip. Transients of this nature could challenge the PSVs. For Type 2 and Type 3 event trees, secondary cooling (auxiliary feedwater or alternate feedwater) must be successful before RCS integrity is asked. So a HPSI and HPSR success will have cooled down RCS and has no containment failure in the MAAP runs documented in 13-NS-B065, therefore the containment cooling question is not required. Type 2 and 3 events without secondary cooling lead to core melt prior to containment failure.

NRC Technical Concern 2 The PVNGS LAR, dated December 21, 2016, states that the plant-specific risk assessment of the proposed change to the TS CT follows the guidance in RG 1.174, Revision 2, and RG 1.177, Revision 1. Both of these regulatory guides endorse the guidance in RG 1.200, Revision 2, as an acceptable approach for determining whether the technical adequacy of the PRA is sufficient for use in regulatory decision-making (e.g., changes to a plants licensing basis).

Section 4.2, Licensee Submittal Documentation, of RG 1.200 provides detailed guidance on what information should be included in a risk-informed submittal to demonstrate the technical adequacy of the PRA, including a discussion of the resolution of peer review (or self-assessment, for peer reviews performed using the criteria in NEI 00-02) findings and observations that are applicable to the submittal. Also stated in RG 1.200 is that the objective of the peer review is to demonstrate that the requirements in an NRC-endorsed standard (e.g., ASME/ANS RA-Sa-2009) have been met. of Enclosure 2 to the LAR lists facts and observations (F&Os) from the peer review of the seismic PRA model. The disposition to seismic PRA F&O SPR-B10 indicates that the finding has been resolved, but does not discuss the resolution. Discuss how this F&O was resolved.

APS Response to Technical Concern 2:

Per supporting requirement SPR-B10 of the ASME/ANS PRA Standard a seismically induced small-small LOCA (SSLOCA) event is postulated concurrent with SI-LOOP, SI-TYPE2, SI-TYPE3 sequences. The SI-LOOP, SI-TYPE2, and SI-TYPE3 event trees were modified by adding a small-small LOCA event after the PSV reseat event. Due to current lack of available industry guidance, the SSLOCA fragility parameters are assumed to be equivalent to the SLOCA fragility parameters. An SSLOCA can be mitigated by one of the three 3

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 charging pumps. HPSI and HPSR may potentially also be used to mitigate SSLOCA accident sequences, however, these mitigations were conservatively not modeled. Therefore, the finding associated with SPR-B10 has been resolved.

NRC Technical Concern 3 The PVNGS LAR, dated December 21, 2016, states that the plant-specific risk assessment of the proposed change to the TS CT follows the guidance in RG 1.174, Revision 2, and RG 1.177, Revision 1. Both of these regulatory guides endorse the guidance in RG 1.200, Revision 2, as an acceptable approach for determining whether the technical adequacy of the PRA is sufficient for use in regulatory decision-making (e.g., changes to a plants licensing basis).

Section 4.2, Licensee Submittal Documentation, of RG 1.200 provides detailed guidance on what information should be included in a risk-informed submittal to demonstrate the technical adequacy of the PRA, including a discussion of the resolution of peer review (or self-assessment, for peer reviews performed using the criteria in NEI 00-02) findings and observations that are applicable to the submittal. Also stated in RG 1.200 is that the objective of the peer review is to demonstrate that the requirements in an NRC-endorsed standard (e.g., ASME/ANS RA-Sa-2009) have been met.

The LAR discusses the peer review of the seismic PRA and fire PRA. The staff also reviewed information provided to the NRC by the licensee in its Risk-Informed Completion Time (RICT) application dated July 31, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15218A300). It is unclear to the staff whether these peer reviews were full-scope reviews and what guidance documents were used to perform them. For example, the RICT application states the following, which suggests the 2012 peer review of the fire PRA was not a full-scope review:

A peer review of the PVNGS internal fire PRA was conducted in October 2012 Subsequently, a focused-scope peer review of the internal fire PRA was conducted in December 2014 (Reference 11 of this Attachment) to address ASME PRA Standard SRs not-met to Capability Category II requirements and those SRs not-reviewed in the prior October 2012 internal fire PRA peer review.

Confirm that peer reviews performed for the seismic PRA and fire PRA were full-scope reviews meeting industry guidance for a peer review and that they were reviewed against capability category II (in accordance with RG 1.200). In addition, discuss which organization performed the review, and list the guidance documents followed for each review, including the guidance used for the peer review process (e.g., NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines). As applicable, provide the F&Os, including their dispositions, from the 2014 focused-scope peer review of the fire PRA determined not met to Capability Category II.

4

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 APS Response to Technical Concern 3:

The seismic PRA and fire PRA peer reviews were full-scope reviews meeting industry guidance for a peer review and they were reviewed against capability category II in accordance with RG 1.200, Revision 2. A focused-scope peer review of the fire PRA was conducted after the initial full-scope fire peer review with the purpose of re-reviewing the ASME PRA Standard supporting requirements not determined met to capability category II in the full scope peer review. The focused-scope peer review of the fire PRA was not limited to review of the F&Os generated in the full-scope peer review.

The full-scope seismic PRA peer review was conducted by a team consisting of the following members:

Srinivasa Visweswaran (Westinghouse Electric Company, LLC) (team lead)

Steven Eide (Scientech/Curtiss Wright)

Lawrence Lee (ERIN Engineering and Research, Inc.)

Richard Lee (Los Alamos National Laboratory)

Nishikant Vaidya (Paul C. Rizzo Associates, Inc.)

The full-scope seismic PRA peer review was conducted in accordance with NEI 12-13, External Hazards PRA Peer Review Process Guidelines, August 2012. The following references were cited as used in the peer review process:

ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME and the American Nuclear Society, February 2009.

Regulatory Guide 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, USNRC, March 2009.

NEI 12-13, External Hazards PRA Peer Review Process Guidelines, August 2012.

NEI 05-04, Revision 2, Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard (Internal Events), Nuclear Energy Institute, November 2008.

The full-scope fire PRA peer review was conducted by a team consisting of the following members:

David Finnicum (Westinghouse Electric Company, LLC) (team lead)

Keith Vincent (TVA)

Paul Amico (Hughes Associates)

Benjamin Grace (EPM)

Fred Mowrer (Tri-En)

Jodine Jansen Vehec (Reliability and Safety Consulting Engineers, Inc.)

Greg Rozga (Maracor)

Clint Pierce (ERIN Engineering) 5

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016 The full-scope fire PRA peer review was conducted in accordance with NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines. The following references were cited as used in the peer review process:

Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plan Applications, ASME and the American Nuclear Society, December 2008.

NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines, Nuclear Energy Institute, November 2008.

NFPA 805, Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants, 2001 Edition, National Fire Protection Association, 2001.

ANSI/ANS 58.23-2007, Fire PRA Methodology, American Nuclear Society, November 2007.

NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power

Facilities, Electric Power Research Institute and the U.S. Nuclear Regulatory Commission, September 2005.

Regulatory Guide 1.205, Risk-Informed, Performance-Based Fire Protection for Existing Light-Water Nuclear Power Plants, U.S. NRC, May 2006.

NEI 05-04, Revision 1 Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard (Internal Events), Nuclear Energy Institute, November 2007.

The EPRI HRA Calculator 3.0, 2005.

Regulatory Guide 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, USNRC, 2009.

NUREG-1921, EPRI/NRC-RES Fire Human Reliability Guidelines, Electric Power Research Institute and the U.S. Nuclear Regulatory Commission, November 2009

NEI 00-02, Revision 3A, Probabilistic Risk Assessment (PRA) Peer Review Process Guidance, March 2000.

10 CFR 50.48, Fire Protection (45 FR 76602).

GL 88-20, Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(f), USNRC, November 1988.

The focused-scope fire PRA peer review was conducted by a team consisting of the following members:

Andy Ratchford (Ratchford Diversified Services) (team lead)

Susan LeStrange (Hughes Associates)

Justin Hiller (Ameren - Callaway Plant)

Bob Lichtenstein (Westinghouse)

The focused-scope fire PRA peer review was conducted in accordance with NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines sections 3.5 and 4.4.

The following references were cited as used in the peer review process:

ASME/ANS RA-Sa-2009, Addenda A to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME and the American Nuclear Society, December 2008.

6

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 16 PRA Responses to NRC Technical Concerns from Pre-Submittal Conference Call of December 29, 2016

NEI 07-12, Revision 1, Fire Probabilistic Risk Assessment (FPRA) Peer Review process Guidelines, Nuclear Energy Institute, July 2010.

ANSI/ANS 58.23-2007, Fire PRA Methodology, American Nuclear Society, November 2007.

NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, Electric Power Research Institute and the U.S. Nuclear Regulatory Commission, September 2005.

NEI 05-04, Revision 2 Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard (Internal Events), Nuclear Energy Institute, November 2008.

Regulatory Guide 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, USNRC, 2009.

10 CFR 50.69, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors The following table provides a listing of all F&Os from the focused-scope fire PRA peer review and their indicated dispositions.

7

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution CF-A1-01 A review of the FSS database, design drawings, and circuit The Fire Scenario Selection (FSS) database, circuit (finding) failure supporting documentation identified several failure review worksheets and Cable Selection and instances where an inappropriate circuit failure probability Circuit Analysis [CS/CF] study have been revised to was assigned in the Fire PRA. correct the inappropriate application of the circuit

Circuit failure review worksheets, highlighted failure probability.

elementary diagrams, and the FSS database for valve CHN-LV-110, associated with BE The FSS database table 1CHELV110P-AVFC Failure of AOV Valve LV110P tbl_raw_CF_CableInfo_CFLA for valve CHN-LV-fails to Isolate following ISLOCA were reviewed. 110P, and its associated instrument cables The review determined that cables 1ECH58NC1XA, (1ECH58NC1XA, 1ECH58NC1XB, and 1ECH58NC1XB, and 1ECH58NC1XC were assigned 1ECH58NC1XC) was revised to exclude these an aggregate CF probability of 0.56, based on Table cables from being assigned a conditional 4-1 of NUREG/CR-7150 for SOV, single break, spurious probability.

ungrounded dc, thermo-set cable. Upon review of the circuit, the cables of concern appear to be The FSS database table associated with instrumentation signals related to tbl_raw_CF_CableInfo_CFLA and associated the control of the valve (4-20 mA signal cable as circuit failure review worksheets for valve HPB-opposed to 125 vdc control cable). As discussed in UV-002 was revised for power cables Section 3 and 7.3 of NUREG/CR-7150, conditional 1EHP02BC1KA and 1EHP02BC1KC. The circuit spurious probability estimates should not be applied failure review worksheets were revised to to instrumentation circuits. indicate that power cables 1EHP02BC1KA and

Circuit failure review worksheets, highlighted 1EHP02BC1KC are not required for the valve to elementary diagrams, and the FSS database for remain closed. tbl_raw_CF_CableInfo_CFLA was valve Component Functional State revised to exclude power cables 1EHP02BC1KA 1JHPBUV2:Closed:Closed, associated with BE and 1EHP02BC1KC from being assigned a 1HPBP36V02-MV-RC Failure of MOV Globe VLV conditional spurious probability.

HPB-UV002 to Remain Closed for CTMNT Isolation were reviewed. The component is a normally A review of the specific circuit types (i.e.,

closed, desired closed MOV. The eeview instrumentation circuit failure probabilities determined that the power cables for this valve incorrectly assigned and MOV power cable were identified as required for the valve functional identification and assignment of circuit failure state, although the power cables (i.e., probabilities) for similar component types was 1EHP02BC1KA, and 1EHP02BC1KC) are not performed. The following additional corrections required for the valve to remain closed. In addition, were incorporated during this review to address the these cables were assigned a spurious operation Finding details:

8

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution probability from Table 4-3 of NUREG/CR-7150, Revised tbl_raw_CF_CableInfo_CFLA in the FSS which is intended for grounded MOV single break database for valve CHN-LV-110Q, and its control circuits (not power cables). Other instances associated instrument cables (1ECH58NC1XA, were identified during the review where MOV power 1ECH58NC1XB, and 1ECH58NC1XC) to exclude cables for passive MOVs that were analyzed only for these cables from being assigned a conditional spurious operation had their power cables identified spurious probability.

as "required" and assigned spurious operation The FSS database tbl_raw_CF_CableInfo_CFLA probability. and associated circuit failure review worksheets Identification of incorrect spurious operation probability for for valve HPA-UV-001 was revised for power specific types can underestimate fire risk (e.g., AOV Valve cables 1EHP02AC1KA and 1EHP02AC1KC. The LV110P example) or overestimate fire risk (e.g., MOV circuit failure review worksheets were revised to Globe VLV HPB-UV002 example). indicate that power cables 1EHP02AC1KA and Recommendation: Review the specific circuit types (i.e., 1EHP02AC1KC are not required for the valve to instrumentation circuit failure probabilities incorrectly remain closed. tbl_raw_CF_CableInfo_CFLA was assigned and MOV power cable identification and revised to remove power cables 1EHP02AC1KA assignment of circuit failure probabilities) for these and 1EHP02AC1KC from being assigned a components and other similar component types. Update conditional spurious probability.

the methodology and results in the Fire PRA Notebook Fire PRA Cable Selection and Circuit Analysis and any other The Cable Selection and Circuit Analysis [CS/CF]

necessary supporting documents and databases. study section 2.2 was revised to provide additional guidance when performing cable failure mode likelihood calculations for instrument and power cables.

CF-B1-01 It is recommended that the Fire PRA Notebook Fire PRA The referenced documents were reviewed and (suggestion) Cable Selection and Circuit Analysis be updated to ensure updated to ensure consistent description of consistent discussion and treatment of failure modes. methodology and results in the cable selection and Specific items that should be addressed in documentation circuit failure mode likelihood tasks. Resolution of updates include: this Suggesting was documentation only.

Consistent treatment of 3-phase ac hot shorts throughout the Fire PRA (there currently exists old Specifically, the following updates were performed treatment from NUREG/CR-6850, mixed with the to ensure consistent implementation and "incredible" treatment from NUREG/CR-7150 (See description:

sections 2.1.2, 2.1.4(7, 8, and 9). This discussion should include the relevance of "high consequence Treatment of 3-phase ac hot shorts:

equipment" which is discussed in Section 5.6 of the The Cable Selection and Circuit Analysis [CS/CF]

9

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution ES Notebook. study Section 2.2.1 was revise to clarify the

Ground fault equivalent hot shorts were deemed to application of failure probabilities to 3-phase hot be bounded by existing treatment in Section 2.1.4 short schemes. Section 2.1.2 retains the (10) of the Fire PRA Cable Selection and Circuit statements that the schemes are required to be Analysis Notebook, but it appears that they were addressed (although the probability may be considered by selection of the "aggregate" circuit incredible) failure values for ungrounded dc circuits. Treatment of ground fault equivalent hot shorts:

It is suggested that "NUREG/CR-6850 Supplement The Cable Selection and Circuit Analysis [CS/CF]

1 (Reference 19) based on FAQ 08-0051 study Section 2.1.4 (10) was revised to include (Reference 20)" be characterized in Section 2.2.3 the following statement: Detailed circuit of the Fire PRA Cable Selection and Circuit Analysis analysis may prove this fault to be incredible for Notebook as being superseded by NUREG/CR-7150 certain fire scenarios; however, if detailed circuit or removed from the notebook to avoid potentially analysis is not performed, cable selection must future conflicting guidance. consider this to be a plausible fault.

Since the circuit failure probability determination is Treatment of hot short duration:

manipulated in the FSS database as described in The Cable Selection and Circuit Analysis [CS/CF]

section 4.3.9 of the FSS notebook, it is recommend study Section 2.2.3 was revised to only include that a descriptive cross reference be provided in NUREG/CR-7150 Vol. 2 as the definitive the circuit failure notebook (e.g., in Section 2.2.2) reference for hot short duration.

to the FSS notebook, since the values determined Treatment of circuit failure Exclusive OR by the cable analyst may not be the final values quantification:

used in the Fire PRA (e.g., the Exclusive OR The Cable Selection and Circuit Analysis [CS/CF]

treatment). Specific technical issues were study Section 2.2.2 was revised to ensure that identified in F&O CF-A1-01. This F&O is intended to the Exclusive OR treatment of the circuit failure address other documentation items that were probabilities is appropriately cross-referenced to identified during the review, but were not deemed section 4.3.9 of the Fire PRA - Fire Scenario to be significant enough to warrant a Finding F&O Selection and Seismic-Fire Interactions [FSS/SF]

or a "Not Met" SR characterization. study.

Recommendation: Review and update the referenced documents to ensure consistent description of methodology and results in the cable selection and circuit failure mode likelihood tasks. Specifically, ensure that the treatment of 3-phase ac hot shorts is consistently implemented and described, clarity on the treatment of ground fault equivalent hot shorts, that NUREG/CR-7150 10

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution Vol. 2 is referred to as the definitive reference for hot short duration, and the Exclusive OR treatment circuit failure probabilities is appropriately cross-referenced in the CS/CF notebook.

FQ-E1-01 Back-reference SR QU-D5 states: REVIEW a sampling of Reviews of the dominant scenarios (top 95%

(finding) nonsignificant accident cutsets or sequences to determine contribution to CDF and LERF) were performed by they are reasonable and have physical meaning. There is reviewing a significant portion of the top cutsets, as no documentation that a review of nonsignificant cutsets well as a reasonable sampling of the middle and or sequences was performed. bottom [non-significant] cutsets. In addition, a Recommendation: Perform and document a review of a reasonable sampling of the non-dominant scenarios sampling of nonsignificant accident cutsets or sequences to was also performed to review the top, middle, and determine they are reasonable and have physical meaning. bottom [non-significant] cutsets.

Documentation of the cutset reviews conducted was added to the Quantification study. The reviews are described along with the results and conclusions FQ-E1-02 Back-reference SR QU-D7 states: REVIEW the importance Fussell-Vesely and Risk Achievement Worth were (finding) of components and basic events to determine that they calculated for the Basic Events and Components make logical sense. There is no documentation that shows using the combined cutset file and EPRI Risk &

that a review of the importance of components and basic Reliability SysImp software. Values were computed events to determine that they make logical sense was for both CDF and LERF. They were reviewed to see performed. Recommendation: Perform and document a if they made logical sense. The review included the review of the importance of components and basic events top 500 importances and samples of the middle and to determine that they make logical sense. bottom importances The review and the top 100 basic events based on FV and components based on RAW were documented in the Quantification study.

FQ-E1-03 Back-reference SR QU-D3 states: REVIEW results to The following model files are reviewed by two (suggestion) determine that the flag event settings, mutually exclusive methods; direct review during development and event rules, and recovery rules yield logical results. These documentation, and indirect review during final files were changed in response to an F&O written by a peer cutset review. Although the final cutset review review team. There is no documentation in the notebook effectively reviews the files, documentation of their which indicates this requirement was performed. Since the development was improved and better commented file were changed the file must have been reviewed. within the files.

Documentation showing that this review was performed MasterFlag.txt should be added to the notebook. Recommendation: A RECRULE_FIRE_[date].recv possible resolution is to add tables for the mutually MUTEX logic (PV_FIRE_[date].caf) 11

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution exclusive file and the recovery rules. This table would have two purposes: The Internal Events model MUTEX logic was

1. To document the basis for each entry into the reviewed for applicability during the Fire model above files, and development. The review table is provided in the

2. As a reference for new engineers to the PRA group Quantification Study. Cross references were added to understand the use of these two files. to denote the origin of these logic fault trees from This would ensure that any tribal knowledge associated the Internal Events CAFTA model and validation with the two files is passed on to the newer engineers. calculation studies, The MasterFlag and RECRULE files were also explicitly documented and reviewed in the Fire Scenario Selection study.

FQ-E1-04 Several Human Failure Events (HFEs) were discovered to A full review of the HRA Calculator database, HRA (finding) have a failure probability set to zero during the spreadsheet, and the fault tree database .RR file quantification instead of the documented screening value was conducted. To correct the identified of 1.0 developed during the HRA task. Examples include: discrepancies, all HEPs were validated against the 1RWT-SI-MVX---HR, 1SG-OVFLAFAS- HR, 4SDCPROC-OP-- HRA Calculator. The HFE spreadsheet numbers 2HR, 4SIAB-ILOKOVR-HL. Having the HEPs set to zero were validated to the HRA Calculator and revised to potentially impacts the quantification results and the ability match the HRA Calculator. The spreadsheet was to identify significant contributors to CDF, such as initiating then validated against the Fire HRA screening and events, accident sequences, equipment failures, common any unscreened HRAs added to the HFE cause failures, and operator errors. spreadsheet and developed in the HRA Calculator FQ-E1 requires identification of significant contributors in for fire. A worksheet was added to the HFE accordance with HLR-QU-D and HLR-LE-F and their SRs in spreadsheet to compute multipliers and input those Part 2. values into the matrix worksheet in the QU-D6 requires identification of significant contributors to spreadsheet. All fire HEPs from the spreadsheet CDF, such as initiating events, accident sequences, were then validated in the .RR file, and revised to equipment failures, common cause failures, and operator match the spreadsheet if different. This validated all frequencies and event mitigation of the HFE values to be correct and corrected any Recommendation: Systematically identify HEPs that were that had been inadvertently set to a different value inappropriately credited as perfectly reliable (set to zero), such as zero.

correct the HEPs to either their screening value or an estimated HEP based on a detailed analysis, re-quantify the model and identify significant contributors to CDF, such as initiating events, accident sequences, equipment 12

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution failures, common cause failures, and operator errors.

FSS-D2-01 Generic HGL calculations were performed using CFAST and Generic CFAST evaluations were revised to be (finding) documented in Hughes Report 0001-0014-002-002, Rev. specific to account for the limitations and

1. The CFAST HGL results have not been applied in a assumptions of the area being modeled.

manner consistent with the limitations and assumptions described in the report. All fire compartments were systematically reviewed The report lists limitations for application of the HGL to locate areas within each fire compartment where results. Limitation 1 says "The generic fire scenarios are the room length-width aspect ratio restriction limited to configurations that are similar to or are bound (Limitation 5) was exceeded. Each fire by the configurations modeled." Limitation 5 says "The compartment plan drawing in the Pre-Fire enclosure dimensions are limited to an aspect ratio (length Strategies was scanned to identify narrow to width) of 5:1." Limitation 6 says "The actual room width enclosures. When a narrow enclosure was to height or room length to height ratio should be less than identified, then Fire Scenario Selection study 5.7". Attachment 7 Cable & Raceway Layout Drawings It appears that the CFAST HGL results have been applied with Scenario Zones-of-Influence was consulted to to rooms that do not fall within the limitations. Two identify any ignition source located within in the examples are FC42D and FC37, which are not simple restricted enclosure. The ignition source scenario parallelepipeds, as assumed in the CFAST calculations, but was corrected in FSS Database table are interconnected corridor-like rooms, with aspect ratios tbl_raw_Ignition_Source_Data to indicate the outside of the limitations. scenario can progress to hot gas layer. In addition, Assumption 15 of the CFAST HGL report says "When the time to hot gas layer was adjusted to equal the assessing the hot gas layer conditions in spaces with an time to damage the first target. Twelve scenarios elevated fire base, only the enclosure volume above the were adjusted that comprised three fire fire base should therefore be included." In reviewing the compartments, FC37, FC39, and FC57J. FC42D had FSS database, table "tbl_Raw_Ignition_Source_Data", it no scenarios that needed to be adjusted because does not appear that this was taken into consideration. the aspect ratios in the sub-areas did not exceed Recommendation: A review of the fire compartment Limitation 5.

configuration and the fire height for each application of the CFAST HGL results is needed to ensure that the generic Assumption 15 was addressed by reducing the CFAST results are applied in accordance with the ceiling height by two meters for ignition frequency assumptions and limitations listed in the report. bin 15.1. . Nine compartments were affected by the lower enclosure volume that impacted 27 ignition sources.

FSS-G5-01 Two types of active fire barriers are listed in Table 5.1-1 of A generic barrier failure probability (BFP) of 0.05 is (suggestion) the PP notebook: (1) fire dampers and (2) fire doors that applied to FC12-to-FC14 and FC13-to-FC14 for the 13

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution are magnetically held open and close upon a fire alarm.The Fire Detector to Activate Door Closure barrier barrier failure probabilities (BFPs) are taken from type. FPRA - Fire Scenario Selection Study Table 4-NUREG/CR-6850. The BFP applied for the normally open 10 has been revised to include this generic failure door (e.g., FC12-to-FC14) is taken to be the same as a fire probability with the others which are obtained from door that is closed. NUREG/CR-6850, Appendix P. The BFP is No consideration is given to a failure of the fire detector to documented in the TBL_MCA_BARRIER_COUNT activate the door closure. table of FSS Database.

Recommendation: It is suggested that the smoke detector failure probability of 0.05 (NUREG/CR-6850, App. P) be used in the BFP calculation.

PRM-A3-01 During review of the PRM Notebook and associated The PRM Study and associated Fire PRA studies (finding) documentation several inconsistencies and reference have been correlated to eliminate inconsistencies errors were identified. These items did not appear to and cross reference errors.

impact the final modeling but could be misleading to The following corrections were incorporated during reviewers and individuals responsible for model this review to address the Finding details:

maintenance. The following examples were noted:

Section 4.3.1 does not list everything from the

PRM Section 4.3.1 (now 4.2.1) addresses all Equipment Selection report Table 5.4-1 (loss of RCS of the initiating events described at the end makeup, spurious isolation of tanks, VCT isolation of Section 5.3 in the Equipment Selection valve openings, spurious starts of RHR, others); Study where it is cross-referenced. PRM

Section 4.3.3 does not list induced LOCA discussed Section 4.3.1 also references the summary in section 5.3 of the ES Report; at the end of Section 5.4 in the Equipment

Section 4.3.4.1 refers to the ES Notebook Section Selection Study which lists the MSO Attachment 1 for always failed components, but scenarios modeled as a result of the Attachment 1 is the annunciator response review; evaluation in Section 5.4. The PRM

Section 4.3.4.2 refers to the HRA Notebook Section addresses the equipment identified to be 4.3.4 for dependency analysis but the dependency modeled from the Equipment Selection analysis is found in Section 4.2.4; study, not all of the equipment that was

Section 4.3.5.2 indicates a truncation limit of 1E-7 evaluated, so it matches the and 1E-8 is used for CDF and LERF, respectively, summary/results, not the contents of the but section 4.3.5.5 indicates values of 1E-8 and 1E- table.

9;

PRM Section 4.3.3 (now 4.2.3) added the

Table 4.3.5.2-1 does not include discussion of the word induced to the ISLOCAs initiated by MUTEX modeling added for the Train E changing fire induced valve failure.

pump power alignments.

PRM Section 4.3.4.1 (now 4.2.4.1) cross references were corrected to the proper 14

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution PRM-A3 requires the PRM model to be capable of locations in the final studies.

identifying the fire risk significant contributors. Errors in

PRM Section 4.3.4.2 (now 4.2.4.2) was interpretation or future maintenance could impact the revised to generically explain the final ability of the Fire PRA plant response model to be capable process used to correct for dependencies.

of determining the significant fire risk contributors.

PRM Sections 4.3.5.2 through 4.3.5.5 were Recommendation: Perform a detailed review of the PRM deleted. The quantification process as Notebook to identify any additional inconsistencies and described in the Fire PRA Qualitative &

reference errors; correct the items noted under this F&O Quantitative Screening and Fire and any other items identified that could negatively impact Quantification study was revised to be the ability of the PRM to determine the significant fire risk comprehensive of the entire quantification contributors. process and corrected to the final methodology.

Discussion of the MUTEX modeling for the Train E charging pump was provided in the Fire PRA Qualitative & Quantitative Screening and Fire Quantification study Table 7.1-1.

PRM-B6-01 During review of the PRM Notebook and associated The time requirement to trip the RCPs to preclude (finding) documentation, issues with clarity and completeness were guaranteed seal failure during a Loss of RCP Seal identified. The applicable elements from Standard Section Cooling MSO scenario was adjusted from 45 2, AS-A1 through AS-B7 were reviewed and, except for minutes to 20 minutes. This removed the AS-A10, were determined to be appropriately addressed inconsistency and aligned the model with the with respect to modeling the required PRM elements for methodology outlined in the referenced documents the fire risk assessment. LTR-RAM-II-13-035 PRA Model for Loss of Cooling The basis for modeling certain elements of the new RCP to RCP Seals and Bearings at Palo Verde Units 1, 2 seal failure modes is not clearly documented and is and 3, and WCAP-16175-P-A Model for Failure of inconsistent with the description provided in LTR-RAM-II- RCP Seals Given Loss of Seal Cooling in CE NSSS13-035. Specifically, guaranteed damage to the seals on Plants. Documentation of the basis was revised to running RCPs with a loss of cooling is modeled to occur at provide a more direct relation to the methodology 45 minutes but is assumed in LTR-RAM-II-13-035 to occur source documents.

at 20 minutes, which impacts system and operator The Loss of Seal Cooling event tree was also response requirements under AS-A10. The basis for this amended to include a Primary Safety Valve (PSV) modeling decision needs to be clearly documented and failure to reseat sequence consistent with the Loss between the PRM developed for RCP seal leakage and the of Feedwater Pumps (IEFWP) event tree given that 15

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution Misc Event uncomplicated SCRAM PRM from the internal Main Feedwater is modeled as always failed.

events model. Additionally, the modifications to the Misc The model adjustments were completed after the Event PRM, specifically, the removal of the PSV failure final model quantification results had been prepared event tree top for application to the RCP leakage PRM, and documented. Therefore, the Quantification should be documented taking into account that a PSV study was amended with Appendix A to document LOCA could be concurrent with up to 4 RCP seal leakage the revised model results. Impact on the events. The purpose would be to demonstrate that these quantification review of dominant factors and event concurrent events do not impact the downstream PRM. importances was also assessed and documented in PRM-B6 requires the PPA to model accident sequences for the Appendix. The original quantification provides any new initiating events identified per PRM-B3 and any for a de-facto sensitivity case for the effect of accident sequences identified per PRM-B5 reflective of the increasing the minimal acceptable time to trip the possible plant responses to the fire induced initiating RCPs upon loss of all seal cooling from 20 minutes events in accordance with HLR-AS-A and HLR-AS-B and (conservatively modeled with a bounding seal their SRs in Part 2 taking fire impacts into consideration. failure probability) to 45 minutes (more AS-A10 requires inclusion, for each modeled initiating representative of manufacturer testing and industry event, sufficient detail that significant differences in experience demonstrating no catastrophic seal requirements on systems and operator responses are failures.)

captured. Accurate documentation and justification for modeling decisions are important to understand potential impact on these requirements.

Recommendation: Documentation for the identified items should be enhanced to clarify the ties between the internal events PRM and the fire PRM as well as the changes made.

Justification for RCP damage timing needs to be clearly documented and consistent with the final modeling.

Alternatively, a sensitivity could be performed to determine the importance of this modeling decision and either modeling or documentation changes made based on the results.

QLS-A1-01 The QLS-A1-01 requirement is to retain for quantitative The Fire Quantification Study was revised to (finding) analysis those physical analysis units that contain describe the quantitative screening criteria that equipment or cables required to ensure as-designed circuit were used.

operation, or whose failure could cause spurious operation, of any equipment, system, function, or operator action Fire Compartments (FCs) were screened from credited in the Fire PRA plant response model. quantitative analysis by analyzing them from two 16

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution The criteria for quantitative screening, section 5.2 of the different perspectives, single compartment and Quantification and Screening cumulative compartment. Single compartment risk notebook, is not clear. As can be seen below the criteria is criteria screens each FC if its risk is less than 1E-confusing: 7/yr for CDF and less than 1E-8/yr for LERF. The 5.2 Quantitative Screening single compartment thresholds for both CDF and Table 5.2-1 presents all the FCs with their LERF were established as follows:

respective FAAs and their CDF and LERF contributions. Columns 7, 8, 9 and 10 are marked CDF FC Threshold = 1E-7 / Total CDF = 0.433%

with an X if the FC or FAA contribution is < 1% of the estimated total CDF and LERF. Values of LERF FC Threshold = 1E-8 / Total LERF = 0.4596%

.04%CDF and .007% LERF were selected to establish a conservatively low limit to ensure that Additionally, to ensure that the highest risk Fire the sum of all screened fire compartments would Analysis Areas (FAAs) and their associated FCs are not exceed 1E-7/yr. CDF and 1E-8/yr. Fire not screened, a FAA screening criteria of 0.1% was Compartment thresholds, nor exceed the 10% conservatively selected such that the sum of the Internal Events threshold. Therefore if columns 7, risk contribution from all FCs within the screened 8, 9 and 10 are marked with an X then that FC FAAs remains less than 1.0E-7/yr and <1.0E-8/yr may be screened from further analysis. An FC that for CDF and LERF, respectively.

meets the screening criteria for low CDF and LERF will screen out from fire modeling only if its Furthermore, the CDF and LERF cumulative respective FAA also screens out. This is further compartment risk criteria is based on limiting the represented in the last column of Table 5.2-1. cumulative risk of screened out compartments to The screening criteria can be interpreted as being 10% or less than 10% of the total internal events risk (i.e.,

.04% and .007% for both fire compartments and fire from the Internal Events PRA). The cumulative areas. Review of the spreadsheet used for the screening compartment thresholds for both CDF and LERF showed what criteria was used. The method in the were determined as follows:

spreadsheet agrees with NUREG/CR-6850 for fire compartments. So this meets the SR. CDF Total screened FC acceptance criteria =

The basis for the fire area criteria is not documented and is (Internal Events CDF)

0.1 = 1.27E-07 confusing. The spreadsheet shows it to be .04% and

.007% which is reflected in Table 5.2-1 of the LERF Total screened FC acceptance criteria =

Quantification and Screening notebook. (Internal Events LERF)

0.1 = 4.33E-09 Recommendation: To ensure that the criteria is met, the criteria needs to be stated in Section 5.2 of the The single compartments threshold and FAA Quantification and Screening Notebook in a clear and screening criteria values were selected to ensure 17

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution concise manner. It also needs to agree with the method that the cumulative compartment risk criteria were used in the spreadsheet. Rewrite Section 5.2 so that the met. An FC screens out as a low risk contributor screening criteria is clear and the basis is documented. when the single and cumulative risk criteria are met for both the FC and its associated FAA.

UNC-A1-01 Back-reference SR QU-E2 states: IDENTIFY assumptions The listed examples have been revised to correct (finding) made in the development of the PRA model. Many the inappropriate application of the word assume.

instances were found where assumptions were found in The examples were revised in the Plant Response notebooks that were not documented in the assumption Model study as follows:

section. This could lead to missing area that need to be 1. The scenario in which a spurious alarm has address in the uncertainty analysis. The following are caused the operators to trip one of the charging examples of assumptions that were not included in the pumps is functionally equivalent to the pump failing uncertainty analysis but were assumptions in the to run.

notebooks: 2. The Fire PRA models spurious operation of one

1. The scenario in which it is assumed that a spurious or more pressurizer heater banks precedes PSV alarm has caused the operators to trip one of the failure to reseat after steam relief (gate GPSV-STM-charging pumps is functionally equivalent to the CHAL-FIRE) and spurious operation of charging pump failing to run pump(s) precedes PSV failure to reseat after water

2. The Fire PRA model assumes spurious operation of relief scenario (gate GPSV-WTR-CHAL-FIRE).

one or more pressurizer heater banks precedes PSV failure to reseat after steam relief (gate GPSV-STM- Additionally, a review of all assumptions in all Fire CHAL-FIRE) and spurious operation of charging PRA studies was performed to ensure that where pump(s) precedes PSV failure to reseat after water the word assumes is used that an actual relief scenario (gate GPSV-WTRCHAL- FIRE). assumption was being made. The Fire PRA studies Recommendation: Review documents and verify that were revised if an inappropriate application of the where the word "assumes" is used that an actual word assume was used. All assumptions have assumption is being made. If it is an actual assumption been documented in the assumption section for ensure that the statement is included in the assumption each appropriate Fire PRA study. Each of the section and the basis for the assumption is documented. A assumptions listed in the Fire PRA studies in the review should then be performed to be sure that the Assumptions section were reviewed, and a assumption is being addressed appropriately in the determination was made on whether or not it was a uncertainty analysis. key assumption, or if it was merely a statement of fact or a methodology. Only assumptions important to the final risk results were included for consideration in the Uncertainty and Sensitivity 18

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution Analyses [UNC] study.

UNC-A1-02 Back-reference SR LE-F2 states: REVIEW LERF The Uncertainty and Sensitivity Analyses [UNC]

(finding) contributors for reasonableness (e.g., to assure excessive study was revised to document that both CDF and conservatisms have not skewed the results, level of plant LERF analyses were performed for all sensitivity specificity is appropriate for significant contributors, etc.). cases.

Back-reference SR LE-F3 states: IDENTIFY and characterize the LERF sources of model uncertainty and related assumptions in a manner consistent with the applicable requirements of Tables 2-2.7-2(d) and 2-2.7-2(e).

There is a statement in the Uncertainty Analysis notebook that this analysis was not performed for LERF. Upon review of the notebook it was found that for some uncertainty analyses were run for both CDF and LERF. A review of the uncertainty analysis should be performed and all uncertainty analysis should be performed for CDF and LERF. Recommendation: Review all the uncertainty analysis and ensure that the analysis was performed for both CDF and LERF. Also ensure that the documentation reflects the analysis of both CDF and LERF.

UNC-A1-03 Back-reference SR QU-E4 states: For each source of model A review was performed for all sensitivity cases in (finding) uncertainty and related assumption identified in QU-E1 and the Uncertainty and Sensitivity Analyses [UNC]

QU-E2, respectively, IDENTIFY how the PRA model is study. The results were reviewed for affected (e.g., introduction of a new basic event, changes reasonableness and described. In addition, all to basic event probabilities, change in success criterion). sensitivity cases were reviewed for their impact on The uncertainty analysis, for the most part, does not the PRA model.

include any review of the uncertainty results. Therefore, how the PRA model was affected and a check for the reasonableness was not documented. Therefore it is not clear that a check for reasonableness was performed.

Recommendation: Perform a review of the results of each uncertainty result. Ensure that these reviews are documented in the Uncertainty Analysis Notebook.

UNC-A1-04 The following statement was made after several sensitivity The Uncertainty and Sensitivity Analyses [UNC]

(finding) results tables: study was revised to document both CDF and LERF 19

Enclosure Description and Assessment of Proposed License Amendment Focused-Scope Fire PRA Peer Review Findings and Resolutions F&O Issue Resolution Because of the way the cutsets were created, the analyses for all sensitivity cases. Its results were numbers are not correct. The exercise here is to reviewed to ensure the validity of the sensitivity show the ratios. cases. The uncertainty analysis study reports valid This statement negates any of the results reported in the results and ratios. The statement referenced in the results table. Finding no longer appears after tables in the If the numbers are incorrect, then the use of the numbers sensitivity results.

for comparison to the base value is invalid. There appears no reason to do the sensitivity if the results are incorrect and the ratio obtained offers no insights to uncertainty.

This statement draws into question the validity of the uncertainty analysis.

Recommendation: First, ensure that the purpose of the statement is understood. Next, either explain the purpose or remove the statement. The uncertainty analysis should use valid results and ratios.

20

Enclosure Description and Assessment of Proposed License Amendment NRC Technical Concern 4 The PVNGS LAR, dated December 21, 2016, states that the plant-specific risk assessment of the proposed change to the TS CT follows the guidance in RG 1.174, Revision 2, and RG 1.177, Revision 1. Both of these regulatory guides endorse the guidance in RG 1.200, Revision 2, as an acceptable approach for determining whether the technical adequacy of the PRA is sufficient for use in regulatory decision-making (e.g., changes to a plants licensing basis). RG 1.200 endorses, with clarifications and qualifications, the ASME PRA Standard. Section 5-2.3, Seismic Plant Response Analysis, of the ASME PRA Standard states:

The restoration of safety functions can be inhibited by any of several types of causes; these include damage or failure, access problems, confusion, loss of supporting staff to other post[-]earthquake-recovery functions, and so on.

Careful consideration of these must be given before recoveries are credited in the initial period after a large earthquake. This is especially true for earthquake-caused loss of off-site power (LOOP), given that the damage could be to switchyard components or to the off-site grid towers, which are generally difficult to fix quickly. While this part does not require the analyst to assume an unrecoverable LOOP after a large earthquake, the general practice in seismic PRAs has been to make such an assumption. 1 of Enclosure 2 to the LAR discusses a seismic assumption/uncertainty regarding LOOP recovery. The licensee states:

It is realistic to consider that offsite power recovery is available for low magnitude seismic events. The selection of the [safe shutdown earthquake] SSE as a threshold between recovery/no-recovery of offsite power is arbitrary and conservative. Therefore, no sensitivity analysis is required for this application.

Provide additional justification for this assumption and why it is considered conservative.

Explain whether it is conservative in terms of baseline risk (i.e., CDF and LERF) or delta risk (i.e., ICCDP and ICLERP). Include in this discussion your assumptions about damage to switchyard components, offsite power transformers, or to the off-site grid towers, which are generally difficult to fix quickly. Alternatively, alter the credit for offsite power recovery in the seismic PRA as part of the sensitivity analysis.

APS Response to Technical Concern 4:

The one seismically-induced LOOP that has occurred in the United States was at the North Anna site. The induced LOOP was determined to be caused by spurious actuation of the sudden pressure relays causing a protective lock out of the Reserve Station Service Transformers (RSST). The Peak Ground Acceleration (PGA) for that event was approximately 0.26g. While this was a significant event, it did not involve widespread infrastructure impact. The PVNGS SSE is 0.25g, which is bounded by this event which did not involve infrastructure collapse.

A potential cause of seismically induced loss of offsite power is collapse of transmission lines, which have been historically shown to occur for events in the 0.3g range.

Transmission line collapse is expected to be bound by grid failures and exceeds the PVNGS SSE threshold.

21

Enclosure Description and Assessment of Proposed License Amendment A documented comment from the Seismic PRA Peer Review was that the selection of the SSE value for when to stop crediting LOOP recovery was judged to be appropriate, as no documentation exists on seismic-specific offsite power recovery.

In addition, the selection of the SSE (0.25g) as the threshold between recovery/non-recovery is considered to be conservative because of a robust switchyard design at PVNGS. Seven physically independent 525 kV transmission lines of the Western Interconnection are connected to the Palo Verde 525 kV switchyard. The transmission lines have a diverse path to the switchyard, with a maximum of three lines sharing a common routing. Three 525 kV tie lines supply power from the switchyard to three startup transformers, which supply power to six 13.8 kV intermediate buses. Two physically independent circuits supply offsite power to the onsite power system of each unit. The three startup transformers connect to the Palo Verde 525 kV switchyard through two 525 kV switchyard breakers each, and feed six 13.8 kV intermediate buses.

These buses are arranged in three pairs, each pair feeding only one unit. Therefore, with the robust design and rare occurrence of seismically-induced Loss of Offsite Power in industry, the modeling recovery/non-recovery threshold at the SSE is conservative.

NRC Technical Concern 5 The PVNGS LAR, dated December 21, 2016, states that the plant-specific risk assessment of the proposed change to the TS CT follows the guidance in RG 1.174, Revision 2, and RG 1.177, Revision 1. Section 2.5.5, Comparisons with Acceptance Guidelines, of RG 1.174 states that when the contributions from the contributors modeled in the PRA are close to the risk acceptance guidelines, the argument that the contribution from the missing items is not significant must be convincing and in some cases may require additional PRA analyses (e.g., bounding analyses, detailed analyses, or by a demonstration that the change has no impact on the unmodeled contributors to risk).

When the margin is significant, a qualitative argument may be sufficient. In addition, Section 2.5.3, Model Uncertainty, of RG 1.174 states that the impact of using alternative assumptions or models may be addressed by performing appropriate sensitivity studies or by using qualitative arguments.

Section 2.3 of Enclosure 2 to the LAR states that the fire PRA model is consistent with the NUREG/CR-6850 (dated September 2005) methodology with no exceptions. However, there have been numerous changes to fire PRA methodology since 2005, including the following:

The NRC staff has formally accepted methods during resolution of unreviewed analysis methods (UAMs) for fire PRAs, as well as NUREG/CR-6850 (as supplemented in September 2010), or frequently asked question (FAQ) guidance developed for the National Fire Protection Association Standard (NFPA) 805, "Performance Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants. FAQs that may be relevant for the fire PRA include:

FAQ 13-0004, (ADAMS Accession No. ML13322A085)

FAQ 13-0005, (ADAMS Accession No. ML13319B181)

FAQ 13-0006, (ADAMS Accession No. ML13331B213)

FAQ 14-0008, (ADAMS Accession No. ML14190B307)

FAQ 14-0009, (ADAMS Accession No. ML15119A176)

FAQ 12-0064, (ADAMS Accession No. ML12346A488)

FAQ 08-0053. (ADAMS Accession No. ML121440155) 22

Enclosure Description and Assessment of Proposed License Amendment FAQ 08-0052, (ADAMS Accession No. ML092120501)

FAQ 08-0050, (ADAMS Accession No. ML092190555)

FAQ 08-0049, (ADAMS Accession No. ML092100274)

FAQ 08-0045, (ADAMS Accession No. ML091240311)

FAQ 08-0044, (ADAMS Accession No. ML092110516)

FAQ 08-0043, (ADAMS Accession No. ML092120448)

FAQ 08-0042, (ADAMS Accession No. ML092110537)

FAQ 07-0035, (ADAMS Accession No. ML091620572)

FAQ 07-0031, (ADAMS Accession No. ML072840658)

FAQ 06-0018, (ADAMS Accession No. ML072500273)

FAQ 06-0017, (ADAMS Accession No. ML072500300)

FAQ 06-0016, (ADAMS Accession No. ML072700475)

The NRC has also issued a letter, Recent Fire PRA Methods Review Panel Decisions and EPRI 1022993, Evaluation of Peak Heat Release Rates in Electrical Cabinet Fires (ADAMS Accession No. ML12171A583), June 21, 2012, providing staff positions on 1) frequencies for cable fires initiated by welding and cutting, 2) clarifications for transient fires, 3) alignment factor for pump oil fires, 4) electrical cabinet fire treatment refinement details, and 5) the EPRI 1022993 report.

The NRC has published NUREG/CR-7150, "Joint Assessment of Cable Damage and Quantification of Effects from Fire (JACQUE-FIRE)," Volume 2, which is supported by a letter from the NRC to NEI, "Supplemental Interim Technical Guidance on Fire-Induced Circuit Failure Mode Likelihood Analysis" (ADAMS Accession Nos.

ML14086A165 and ML14017A135).

The NRC has published NUREG-2169, Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database: United States Fire Event Experience Through 2009 (ADAMS Accession No. ML15016A069).

Guidance on the credit taken for very early warning fire detection system (VEWFDS) is available in NUREG-2180, "Determining the Effectiveness, Limitations, and Operator Response for Very Early Warning Fire Detection Systems in Nuclear Facilities, (DELORES-VEWFIRE)" (ADAMS Accession Nos.

ML16343A058). The guidance provided in FAQ 08-0046, "Closure of National Fire Protection Association 805 Frequently Asked Question 08-0046 Incipient Fire Detection Systems" (ADAMS Accession No. ML093220426), has been retired.

Based on the PVNGS LAR, dated December 21, 2016, the calculated incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) are close to the RG 1.177 risk acceptance guidelines.

However, the integration of NRC-accepted fire PRA methods and studies described above that are relevant to this submittal could potentially result in an exceedance of the risk acceptance guidelines. For example, previous risk-informed LARs have shown that integration of NRC approved methods can lead to a calculated risk increase of up to approximately 3 in some cases. Therefore, in accordance with Section 2.5.5 of RG 1.174, additional analysis is necessary to ensure that contributions from this influence would not change the conclusions of the LAR. The NRC staff requests the licensee address one of the following:

(a) Provide a detailed justification for why the integration of NRC-accepted fire PRA methods and studies in the fire PRA would not change the conclusions of the LAR.

23

Enclosure Description and Assessment of Proposed License Amendment As part of this justification, identify the fire PRA methodologies used in the fire PRA that have not been formally accepted by the NRC staff. For these methodologies, provide technical justification for their use and evaluate the significance of their use on the results of this submittal.

(b) Alternatively, demonstrate through a sensitivity study of the proposed TS change, which credits the compensatory measures, that the risk results (i.e., total ICCDP and total ICLERP) meet the risk acceptance guidelines by a large margin. This sensitivity study may take into consideration, as necessary, credit for compensatory measures such as deployment of the portable AC diesel generators and the diesel-driven FLEX steam generator makeup pump, provided that they are modeled in a way that is consistent with RGs, 1.174, 1.177, and 1.200. Provide the associated risk results (i.e., those results in Attachments 2 and 3 of Enclosure 2 to the LAR) and a discussion of how the compensatory measures were credited in the PRA models, including:

Discuss the conservatisms in the analysis.

Discuss which accident scenarios were credited for the compensatory measures.

Explain how the failure rates/probabilities of hardware failures (e.g., random failures, unavailability due to testing and maintenance) associated with setup and operation were estimated.

Explain how the timelines for operator actions were established. Describe the cues or indications operators will use to initiate use of credited FLEX equipment and how the time available and time required to complete operator actions were estimated.

APS Response to Technical Concern 5:

The fire PRA model used for this application utilized NUREG/CR-6850 including FAQs as the basis for methodology and did not use any unendorsed/unapproved methods.

However, some of the more recent endorsed methods have not yet been incorporated into the fire PRA model. Resolution of these differences in the short time frame available for NRC to review this application is impractical. Therefore, APS will utilize the suggested alternative in (b) above to address the NRC technical concern.

A sensitivity was performed crediting the portable diesel generators deployed at Unit 3 in the fire PRA analysis. The failure rates assumed for the portable diesel generators were based on EWR 16-08430-004 Document Compliance with NRC RIS 2008-15 and NEI 16-06 for Crediting of 4160V FLEX Generators and dominated by the human error probability (see HRA provided later in Attachment 16):

Failure to start 3.22E-1

Failure to run for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months 1.04E-1 The portable AC diesel generators were modeled for the sensitivity case by substituting the portable AC diesel generator HRA and data values in place of corresponding basic events in the Train B Emergency Diesel Generator logic. As such, any scenario that may credit the Train B Emergency Diesel Generator for emergency AC power may credit the portable AC diesel generators in the sensitivity case.

The fire induced initiating events either initially require restoration of steam generator heat removal or are slow developing events that eventually require safety injection.

These accident progressions allow sufficient time to restore power to the class bus in 24

Enclosure Description and Assessment of Proposed License Amendment order to recover safety functions and mitigate the event. The dominant fire scenarios that challenge RCS Integrity (induce an RCP Seal Leak) are initiated by a failure to de-energize an RCP which is generally not the case for Loss of Offsite Power events that predominantly challenge the Class 4160 VAC buses.

The impact of crediting the portable diesel generators on the risk metrics is found in the table below. There was a significant reduction in ICCDP and ICLERP, and margin to the RG 1.177 acceptance criteria. Note that effective compensatory measures remain uncredited including the FLEX steam generator makeup pump deployed at Unit 3. When doing so, a greater than 50 percent reduction in ICCDP and ICLERP is achieved.

ICCDP and ICLERP for One-Time Technical Specification Change ICCDF ICCDP ICLERF ICLERP (per (62 (per (62 Hazard reactor- days) reactor- days) year) year)

Internal events 1.2E-6 2.0E-7 5.5E-8 9.3E-9 Internal flooding <1.0E-7 <1E-8 <1.0E-8 <1.0E-9 Seismic 4.1E-6 6.9E-7 3.2E-7 5.4E-8 Internal Fire 1.1E-5 1.8E-6 3.8E-7 6.4E-8 Total 1.6E-5 2.7E-61 7.5E-6 1.2E-72 Notes:

1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with effective compensatory measures not credited in the quantitative risk evaluation

2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with effective compensatory measures not credited in the quantitative risk evaluation Additional Technical Concerns Provided in Pre-submittal Meeting NRC Technical Concern 6:

Explain how the failure rates/probabilities of hardware failures (e.g., random failures, unavailability due to testing and maintenance) associated with setup and operation were estimated.

APS Response to Technical Concern 6:

A review of industry data sources was conducted to develop a fail to run and fail to start value for the portable AC diesel generators. Ultimately, the NRC RADS database values for Station Blackout emergency diesel generators were selected. The portable AC diesel 25

Enclosure Description and Assessment of Proposed License Amendment generators are similar equipment to Station Blackout emergency diesel generators, and the RADS database had greater detail and was more current than other data sources.

See Engineering Evaluation 16-08430-004 for further details.

NRC Technical Concern 7:

Determine the impact on ICCDP and ICLERP result from assuming average test and maintenance during the extended completion time.

APS Response to Technical Concern 7:

A sensitivity case was run assuming average test and maintenance unavailabilities and crediting the portable diesel generators. The results are provided below in the table and they continue to meet RG 1.177 acceptance criteria. Note that effective compensatory measures remain uncredited including the FLEX steam generator makeup pump deployed at Unit 3. When crediting the portable DGs this study indicates a greater than 28 percent reduction in ICCDP and ICLERP.

ICCDP and ICLERP for One-Time Technical Specification Change ICCDF ICCDP ICLERF ICLERP (per (62 (per (62 Hazard reactor- days) reactor- days) year) year)

Internal events 1.2E-6 2.0E-7 5.5E-8 9.3E-9 Internal flooding <1.0E-7 <1E-8 <1.0E-8 <1.0E-9 Seismic 4.1E-6 6.9E-7 3.2E-7 5.4E-8 Internal Fire 3.3E-5 5.6E-6 7.8E-7 1.3E-7 Total 3.8E-5 6.5E-61 1.2E-6 2.0E-72 Notes:

1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with effective compensatory measures not credited in the quantitative risk evaluation

2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with effective compensatory measures not credited in the quantitative risk evaluation 26

Enclosure Description and Assessment of Proposed License Amendment NRC Technical Concern 8:

Determine the impact on ICCDP and ICLERP result from assuming an increased common cause potential for failure of the train A diesel generator during the during the extended completion time.

APS Response to Technical Concern 8:

A sensitivity case was run assuming an increase in the train A DG common cause failure rate to the NRC database common cause alpha factor and crediting the portable DGs. The results are provided below in the table and they continue to meet RG 1.177 acceptance criteria. Note that effective compensatory measures remain uncredited including the FLEX steam generator makeup pump deployed at Unit 3. When crediting the portable DGs this study indicates a greater than 50 percent reduction in ICCDP and ICLERP.

ICCDP and ICLERP for One-Time Technical Specification Change ICCDF ICCDP ICLERF ICLERP (per (62 (per (62 Hazard reactor- days) reactor- days) year) year)

Internal events 1.2E-6 2.0E-7 5.5E-8 9.3E-9 Internal flooding <1.0E-7 <1E-8 <1.0E-8 <1.0E-9 Seismic 4.1E-6 6.9E-7 3.2E-7 5.4E-8 Internal Fire 1.2E-5 2.0E-6 4.1E-7 7.0E-8 Total 1.7E-5 2.9E-61 7.8E-7 1.3E-72 Notes:

1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with effective compensatory measures not credited in the quantitative risk evaluation

2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with effective compensatory measures not credited in the quantitative risk evaluation NRC Technical Concern 9:

Identify the sensitivity of changes in the human reliability analyses generated for this application on the ICCDP and ICLERP results.

APS Response to Technical Concern 9:

An inspection of the dominant fire PRA cutsets (i.e., scenarios) with train B diesel generator out of service for repair in the base case results provided in Attachment 7 and sensitivity analyses provided in Attachment 16 indicates that the results are very 27

Enclosure Description and Assessment of Proposed License Amendment sensitive to the human reliability analyses generated for use of the firewater to auxiliary feedwater cross-connect to makeup a steam generator in a loss of all feedwater event and re-powering the train B 4160V AC Class Bus from the portable diesel generators in a loss of offsite power event. It should be assumed that the ICCDP and ICLERP results for these cases will increase by the same percentage as an increase in each of these HRAs, since these events are contained in almost all the dominant cutsets. As a reminder, the portable diesel generators were not credited in the PRA analysis provided in Attachment 7, which is the basis for the proposed Completion Time request.

NRC Technical Concern 10:

Provide timing information for the new human error probabilities generated in support of this application.

APS Response to Technical Concern 10:

The system time window is estimated to be 75 minutes from MAAP4.0.4 case pzr1d, Study 13-NS-B065, Appendix C, Revision 6. This time window represents the time to recover AFN-P01 following the loss of all feedwater. This scenario accounts for a partial loss of power, meaning that there is a loss of power to the class bus with power still available to the non-class busses, and is bounding as all RCPs are still available, resulting in a shorter time to core damage. Normal expectation is that in a Loss of Offsite Power (LOOP) or Station Blackout (SBO) event, RCPs would not be available, and the system time window would then be 126 minutes (MAAP4.0.4 case pzr1c, Study 13-NS-B065, Appendix C, Revision 6. Therefore, Tsw = 75 minutes.

This event is only credited when the temporary 4160 VAC portable generators have been installed for risk reduction and PBB-S04 is to be energized from the temporary 4160 VAC portable generators. The loss of power to PBB-S04 is already diagnosed and other means of restoration attempted before the decision is made to use the 4160 VAC portable generators. However, since the system time window starts with the loss of power to PBB-S04, the time needed to diagnose loss of power and attempt to align another power source such as the SBOG must be accounted for with the delay time.

From the operator interviews, it would take approximately 2 minutes in the control room to diagnose the cues and initiate action to start the SBOGs. Per corrective action 3337041 (SBOG Timing), the recorded "total time" to start and be ready to load the SBOGs is 36 minutes. This was assumed as the time needed to identify that the SBOGs had failed.

Therefore Tdelay = 38 minutes (2 minutes + 36 minutes).

The loss of power to PBB-S04 is already diagnosed and other means of restoration attempted before the decision is made to use the 4160 VAC portable generators. From the operator interviews, it would take approximately 2 minutes in the control room to initiate action to start the 4160 VAC portable generators (diagnosis time). Therefore diagnosis time = 2 minutes.

Once the SBOGs fail to start or load, the 4160 VAC portable generators will be used to provide power to PBB-S04 and start an auxiliary feedwater pump. No warm up time has been included in this HRA as the temporary 4160 VAC portable generators will have power supplied to the portable generator jacket water heaters as part of the installation work order (allows fast start of 10 seconds or less).

28

Enclosure Description and Assessment of Proposed License Amendment From the Operator interviews, it would take 15 minutes for the operators to complete the required actions per 40MT-9ZZ01 and an additional 5 minutes to start feeding the steam generators using AFN-P01 Appendix 41 of 40EP-9EO10. Therefore execution time = 20 minutes (15 minutes + 5 minutes). Subsequently, 40MT-9ZZ01 has been revised to improve operator response. Based upon operator walk-throughs with the revised procedures the maximum time recorded for these actions was 23 minutes.

Engineering Evaluation 16-08430-004 contains further details regarding development of this HRA.

The following are excerpts from the EPRI HRA Calculator report for the new human error probabilities generated for this risk assessment:

Utilizing the portable diesel generators to supply a 4160VAC class bus

Aligning the firewater to auxiliary feedwater cross-connect to inject into a steam generator o Normal (base case) o Crediting additional compensatory measures taken during extended completion time In some cases, the following excerpts use train A equipment, which is equivalent to the B train.

1FLEX-4160V--FAIL, Operators Fail to Align the 4160 VAC Portable Generators HEP Summary Pcog Pexe Total HEP Error Factor Method CBDTM THERP CBDTM+THERP Without Recovery 3.00E-03 3.21E-01 With Recovery 1.51E-03 3.21E-01 3.22E-01 3 RAW FV Risk Significant 0.00E+00 0.00E+00 N/A Identification and Definition

1. Initial conditions: Steady state, full power operation with the 4160 VAC portable generators staged and connected to Train A. The 4160 VAC portable generators have been connected due to a reduction in defense-in-depth to the MVAC safety function which is known and does not need diagnosis (for example Train A EDG outage). The temporary 4160 VAC portable generators are required to have power supplied to the portable generator jacket water heaters if the ambient temperatures are less than 100 degrees F (allows fast start of 10 seconds or less). However, to credit the 4160 VAC portable generators during a LOOP or Station Blackout, a night order or shiftly Control Room briefing is required with guidance to start the temporary 4160 VAC portable generators using 40MT-9ZZ01 if the emergency DG is unavailable and the SBOGs fail, due to simultaneously being in the EOPs.

2. Initiating event: Loss of Offsite Power (LOOP) or Station Blackout (SBO). This scenario is specifically accounting for a partial loss off power, meaning that we have a loss of power to the class bus with power still available to the non-class busses.

29

Enclosure Description and Assessment of Proposed License Amendment The partial loss of power is considered bounding as all RCPs are still available, which decreases the time before core damage. Failure of AFA-P01 is bounding, since use of motor-driven AFW pumps requires power. Since the AFN-P01 pump has more steps for startup, the HRA bounds the AFB-P01 pump.

3. Accident sequence - preceding functional failures and successes: Loss of Off-site power/SBO and/or loss of power to PBA-S03, Train A EDG unavailable, AFA-P01 fails to run, SBOGs fail to start or load.

4. Procedural progression: Operators start with Standard Post-Trip Actions to diagnose event. Since there are multiple functions not met (Loss of MVAC and Steam Generator Heat Removal), operators go to the Functional Recovery Procedure. Operators will enter 40AL-9RK1A to diagnose and proceed to 40MT-9ZZ01 Section 6.4 and Appendix D to energize PBA-S03 from the 4160 VAC portable generators and start AFN-P01 to feed the steam generators using Appendix 41 of 40EP-9EO10. Per Operator interview, energizing PBA-S03 from the 4160 VAC portable generator would be done in parallel to recovering Steam Generator Heat Removal.

5. Operator action high level success criteria: Operators successfully energize PBA-S03 using the temporary 4160 VAC portable generators and feed the steam generators using AFN-P01.

6. Timing analysis: The system time window is estimated to be 75 minutes from MAAP4.0.4 case pzr1d, Study 13- NS-B065 Appendix C (Revision 6). This time window represents the time to recover AFN-P01 following the loss of all feedwater. As previously noted, this scenario accounts for a partial loss off power, meaning that we have a loss of power to the class bus with power still available to the non-class busses, and is bounding as all RCPs are still available, resulting in a shorter time to core damage. Normal expectation is that in a Loss of Offsite Power (LOOP) or Station Blackout (SBO) event, RCPs would not be available, and the system time window would then be 126 minutes (MAAP4.0.4 case pzr1c, Study 13-NS-B065 Rev. 6 Appendix C).

Therefore, Tsw = 75 minutes.

This event is only credited when the temporary 4160 VAC portable generators have been installed for risk reduction and PBA-S03 is to be energized from the temporary 4160 VAC portable generators. The loss of power to PBA-S03 is already diagnosed and other means of restoration attempted before the decision is made to use the 4160 VAC portable generators. However, since Tsw starts with the loss of power to PBA-S03, the time needed to diagnose loss of power and attempt to align another power source such as the SBOG must be accounted for with Tdelay.

From the operator interviews, it would take approximately 2 minutes in the control room to diagnose the cues and initiate action to start the SBOGs. Per corrective action 3337041 (SBOG Timing), the recorded "total time" to start and be ready to load the SBOGs is 36 minutes. This was assumed as the time needed to identify that the SBOGs had failed. Therefore Tdelay = 38 minutes (2 minutes + 36 minutes).

The loss of power to PBA-S03 is already diagnosed and other means of restoration attempted before the decision is made to use the 4160 VAC portable generators. From the operator interviews, it would take approximately 2 minutes in the control room to initiate action to start the 4160 VAC portable generators (Tcog). Therefore Tcog = 2 minutes.

30

Enclosure Description and Assessment of Proposed License Amendment Once the SBOGs fail to start or load, the 4160 VAC portable generators will be used to provide power to PBA-S03 and start AFN-P01. No warm up time has been included in this HRA as the temporary 4160 VAC portable generators will have power supplied to the portable generator jacket water heaters as part of the installation work order (allows fast start of 10 seconds or less). From the Operator interviews, it would take 15 minutes for the operators to complete the required actions per 40MT-9ZZ01 and an additional 5 minutes to start feeding the steam generators using AFN-P01 Appendix 41 of 40EP-9EO10. Therefore Texe = 20 minutes (15 minutes + 5 minutes).

Cues and Indications Initial Cue Loss of PBA-S03 Recovery Cue Cue Although the evaluation refers to the A train for nomenclature, it is Comments also applicable to B train.

Degree of Clarity of Cues and Indications are modeled explicitly in CBDTM Clarity Procedure Cognitive 40AL-9RK1A (Panel B01A Alarm Responses) Revision: 2B Procedure Cognitive Step Alarm Index 1A06B Number Cognitive IF ALL of the following:

Instruction - PBA-S03 is deenergized

- Temporary 4160V FLEX generators have been installed for risk reduction

- The SM/CRS directs energizing PBA-S03 from the temporary 4160V FLEX generators THEN GO TO 40MT-9ZZ01, Operations Maintenance Activities, to energize PBA-S03 from the temporary 4160V FLEX generators Execution 40MT-9ZZ01 (Operations Maintenance Activities) Revision: 2 Procedure Execution IF directed by the SM/CRS, Instruction THEN perform Appendix D - Temporary 4160V FLEX Generator Use Job Performance JPM: Not Selected Measure 31

Enclosure Description and Assessment of Proposed License Amendment Notes Per EWR 16-08430-004 Attachment G, each operating crew that comes on shift has designated operators that are responsible for reviewing 40MT-9ZZ01 Appendix D and walking down the 4160 VAC portable generators with the purpose of ensuring familiarity with the actions and equipment.

Crew Member Include Total Required for Notes d Available Execution Shift Manager No 1 0 Shift Supervisor No 1 0 STA No 1 0 Reactor Yes 2 2 operators Plant operators Yes 4 3 Area 9 Operator required to start SBOG, so unavailable for action Mechanics Yes 2 0 Electricians Yes 2 0 I&C Technicians Yes 2 0 Health Physics Yes 2 0 Technicians Chemistry Yes 1 0 Technicians Notes 32

Enclosure Description and Assessment of Proposed License Amendment 1AF-FLEX-SGHR-HL, Operator Fails to Align FP to AF cross- connect to feed SG HEP P1 P2 Pco Pex Total HEP Error Method CBDTM HCR/ORE Maximum THERP HEP 5.02E-04 3.05E-04 5.02E-04 2.88E-02 2.93E-02 5 RAW FV Risk Significant 0.00E+00 0.00E+00 N/A Identification and Definition

1. Initial conditions: Steady state, full power operation, FP to AF cross-connect is installed and available. To ensure successful implementation of the FP to AF cross-connect during a maintenance condition that reduces the decay heat removal defense in depth (such as an EDG outage), shiftly operator briefings must be performed to ensure operators know that FP to AF cross-connect in Standard Appendix 118 should be tried before concluding that There are NO other available methods to feed the SGs per 40AL-9RK5B step 3.4.

2. Initiating event: Loss of All Feedwater (MFW, AFW, Alternate Feedwater).

3. Accident sequence - preceding functional failures and successes: Plant operators fail to align FP to AF cross-connect to feed the SG Makeup within 75 minutes of a loss of all feedwater.

4. Procedural progression: Operators start with Standard Post-Trip Actions to diagnose event. Operators will enter Loss of all Feedwater Procedure 40EP-9EO06, Step 6.1 and Standard Appendix 118 to guide the Operators to align Cross-connect FP to AF.

5. Operator action high level success criteria: Operators successfully feed the SG using the FP to AF cross-connect to provide cooling to at least one SG within 75 minutes following a loss of All feedwater. This HRA assesses the probability of the Operators to mitigate core damage by manually feeding the SG using the FP to AF cross-connect.

6. Timing Analysis:

System Time Window (Tsw):

The system time window is estimated to be 75 minutes from MAAP4.0.7 case pzr1d (Appendix C of 13-NS-B065 Revision 6). This time window represents the time to diagnose loss of all feedwater, attempts to start/align priority systems (FP-AF cross-connect, AFW/AltFW), diagnosis of SG dryout, and feed SG using the FP to AF cross-connect. Tsw = 75 min.

The loss of All Feedwater to SG is already diagnosed and other means of restoration attempted before the decision is made to use the FP to AF cross-connect. However, since Tsw starts with the loss of All Feedwater to SG, the time needed to diagnose 34

Enclosure Description and Assessment of Proposed License Amendment loss of all feedwater and attempt to align another feedwater source must be accounted for with Tdelay.

From HRA 1ALFW-NOMFW---HR (Operators Fail to Depressurize SG and Supply AltFW, No MFW Available), it would take approximately 41 minutes in the control room to diagnose the cues and initiate action to restore AFW and AltFW. This was assumed as the time needed to identify that the FP to AF cross connect would be used to feed the SG (loss of MFW, AFW, and AltFW). Therefore Tdelay = 41 minutes.

Note: A MAAP4.0.5 run was performed to confirm that SG depressurization occurs quickly so that feed from the 500-psia condensate pump is achievable per HRA 1ALFW-NOMFW---HR. The MAAP4 case included loss of all feedwater and ONE ADV fully open.

The pressure in the SG with open ADV decreased to 500 psia in about 10 minutes.

The loss of All Feedwater is already diagnosed and other means of restoration attempted before the decision is made to use the FP to AF cross connect. Assume 1 min for diagnosis based on simulator runs to initiate action to align FP to AF cross-connect (Tcog). Therefore Tcog = 1 minutes Manipulation Time (Tm):

This is the time required to send an operator to open and close valves to align FP to AF cross- connect using 40EP- 9EO10 Appendix 118, if there is no OTHER means to feed the SG (loss of MFW, AFW, and AltFW). Based on simulator runs, it will take 20 minutes to send an operator to close and open valves, depressurize an SG and to begin feeding the SG using the FP to AF cross-connect. Therefore Tm = 20 minutes.

Cues and Indications Initial Cue Loss of Feed Water Alarm Recovery Cue Cue Although the evaluation refers to feeding SG1 with Fire Water (Appendix Comments 118-A), it is also applicable to feeding SG2 (Appendix 118-B). Appendix 118-A has the same number of steps/actions as Appendix 118-B.

Auxiliary feedwater would be unavailable for one of several reasons, and the Operators would be guided into contingency action in step 6.1 of Loss of all Feedwater procedure (40EP-9EO06 Rev 20) to go to Standard Appendix 118 (40EP-9EO10 Rev 99). SG cooling is high priority following a trip, however, normally operators would probably first attempt to restore AF before aligning Alternate Feedwater. The operators would attempt to align FP to AF cross- connect first before aligning the FLEX mod to recover AF.

There are numerous alarms/indications that SGs are drying out. The loss of secondary cooling is available to the Operators by several alarms and indications.

Degree of Clarity of Cues and Indications are modeled explicitly in CBDTM Clarity 35

Enclosure Description and Assessment of Proposed License Amendment Procedure Cognitive Procedure 40EP-9EO06 (Loss of All Feedwater) Revision: 20 Cognitive Step Number 6.1 Cognitive Instruction Perform the following to establish a low pressure feedwater source:

b. IF feeding a Steam Generator with a fire pump is desired, THEN PERFORM Appendix 118, Cross-connect FP to AF.

Execution Procedure 40OP-9EO10 (Standard Appendices) Revision: 99 Execution Instruction Appendix 118 - Cross-connect FP to AF Job Performance Measure JPM: Not Selected Notes Loss of all Feedwater Procedure 40EP-9EO06, Step 6.1 and Standard Appendices procedure 40EP-9EO10, Appendix 118 guide the Operators to align Cross-connect FP to AF. The operator response procedure is written such that the priority is set on the pumps.

Crew Requir Shift 0 Shift 1 STA 0 Reactor 1 Plant 1 Mechanics 0 Electricians 0 I&C 0 Health 0 Chemistry 0 Notes 36

Enclosure Description and Assessment of Proposed License Amendment 1AF-FLEX-SGHR-HL, Operator Fails to Align FP to AF cross- connect to feed SG HEP P1 P2 Pco Pex Total HEP Error Method CBDTM HCR/ORE Maximum THERP HEP 5.20E-05 1.37E-06 5.20E-05 3.27E-03 3.32E-03 5 RAW FV Risk Significant 0.00E+00 0.00E+00 N/A Identification and Definition

1. Initial conditions: Steady state, full power operation, FP to AF cross-connect is installed and available. To ensure successful implementation of the FP to AF cross-connect during a maintenance condition that reduces the decay heat removal defense in depth (such as an EDG outage), shiftly operator briefings must be performed to ensure operators know that FP to AF cross-connect in Standard Appendix 118 should be tried before concluding that There are NO other available methods to feed the SGs per 40AL-9RK5B step 3.4.

2. Initiating event: Loss of All Feedwater (MFW, AFW, Alternate Feedwater).

3. Accident sequence - preceding functional failures and successes: Plant operators fail to align FP to AF cross-connect to feed the SG Makeup within 75 minutes of a loss of all feedwater. An additional Auxiliary Operator is assigned to the unit to perform FP to AF cross-connect in parallel to the actions required for MFW, AFW, and Alternate Feedwater.

4. Procedural progression: Operators start with Standard Post-Trip Actions to diagnose event. Operators will enter Loss of all Feedwater Procedure 40EP-9EO06, Step 6.1 and Standard Appendix 118 to guide the Operators to align Cross-connect FP to AF.

5. Operator action high level success criteria: Operators successfully feed the SG using the FP to AF cross-connect to provide cooling to at least one SG within 75 minutes following a loss of All feedwater. This HRA assesses the probability of the Operators to mitigate core damage by manually feeding the SG using the FP to AF cross-connect.

6. Timing Analysis:

System Time Window (Tsw):

The system time window is estimated to be 75 minutes from MAAP4.0.7 case pzr1d (Appendix C of 13-NS-B065 Revision 6). This time window represents the time to diagnose loss of all feedwater, attempts to start/align priority systems (FP-AF cross-connect, AFW/AltFW), diagnosis of SG dryout, and feed SG using the FP to AF cross-connect. Tsw = 75 min.

The loss of All Feedwater to SG is already diagnosed and other means of restoration attempted before the decision is made to use the FP to AF cross-connect. However, since Tsw starts with the loss of All Feedwater to SG, the time needed to diagnose loss of all feedwater and attempt to align another feedwater source must be accounted for with Tdelay.

38

Enclosure Description and Assessment of Proposed License Amendment Based on simulator runs, it takes approximately 18 minutes to diagnose the cues, initiate action to restore AFW, and notify the designated AO to implement Appendix 118. This was assumed as the time needed to identify that the FP to AF cross connect would be used to feed the SG (loss of MFW and AFW). Therefore Tdelay = 18 minutes.

Note: A MAAP4.0.5 run was performed to confirm that SG depressurization occurs quickly so that feed from the 500-psia condensate pump is achievable per HRA 1ALFW-NOMFW---

HR. The MAAP4 case included loss of all feedwater and ONE ADV fully open. The pressure in the SG with open ADV decreased to 500 psia in about 10 minutes.

The loss of All Feedwater is already diagnosed and other means of restoration attempted before the decision is made to use the FP to AF cross connect. Assume 1 min for diagnosis based on simulator runs to initiate action to align FP to AF cross-connect (Tcog).

Therefore Tcog = 1 minutes.

Manipulation Time (Tm):

This is the time required to send an operator to open and close valves to align FP to AF cross- connect using 40EP- 9EO10 Appendix 118, if there is no OTHER means to feed the SG (loss of MFW, AFW, and AltFW). Based on simulator runs, it will take 20 minutes to send an operator to close and open valves, depressurize an SG and to begin feeding the SG using the FP to AF cross-connect. Therefore Tm = 20 minutes.

Cues and Indications Initial Cue Loss of Feed Water Alarm Recovery Cue Cue Although the evaluation refers to feeding SG1 with Fire Water (Appendix Comments 118-A), it is also applicable to feeding SG2 (Appendix 118-B). Appendix 118-A has the same number of steps/actions as Appendix 118-B.

Auxiliary feedwater would be unavailable for one of several reasons, and the Operators would be guided into contingency action in step 6.1 of Loss of all Feedwater procedure (40EP-9EO06 Rev 20) to go to Standard Appendix 118 (40EP-9EO10 Rev 99). SG cooling is high priority following a trip, however, normally operators would probably first attempt to restore AF before aligning Alternate Feedwater. The operators would attempt to align FP to AF cross-connect first before aligning the FLEX mod to recover AF.

There are numerous alarms/indications that SGs are drying out. The loss of secondary cooling is available to the Operators by several alarms and indications.

Degree of Clarity of Cues and Indications are modeled explicitly in CBDTM Clarity 39

Enclosure Description and Assessment of Proposed License Amendment Time available for cognition and recovery 37 Minutes Time available for recovery 36 Minutes SPAR-H Available time (cognitive) 37 Minutes SPAR-H Available time (execution) ratio 2.80 Minutes EPRI Minimum level of dependence for recovery LD Notes See scenario description for timing analysis.

Cognitive Pc Failure Mechanism Branch HEP Pca: Availability of Information a n/a Pcb: Failure of Attention a n/a Pcc: Misread/miscommunicate data a n/a Pcd: Information misleading a n/a Pce: Skip a step in procedure e 2.00E-03 Pcf: Misinterpret Instructions a n/a Pcg: Misinterpret decision logic k n/a Pch: Deliberate violation a n/a Initial Pc(without recovery credited) 2.00E-03 Notes 41

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 17 Responses to NRC Technical Concerns Regarding Portable Diesel Generators (DGs) from Pre-Submittal Conference Call of December 29, 2016 NRC Portable DG Technical Concern 1:

NRC brought up the need for information regarding the timeline for Operations to energize loads on Train B bus when portable DGs are used.

APS Response to Portable DG Technical Concern 1:

The three portable diesel generator combination will have a total continuous load capability of 4800 kw. It has an ultimate load capacity of 6000 kw that it could sustain for a period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months which is well in excess of the current load list associated with a LOOP (Loss of Offsite Power). During an event where the B DG is out of service, but where the associated bus is required to be powered by the three paralleled generators, the sequencer will not energize loads as the large loads have had their 86 lockout devices tripped during the FLEX DG start-up procedure. This action allows a controlled re-energization of equipment, based on the crews needs for event mitigation. Once the 4kv bus is energized, the 480v load centers will be re-energized, to allow re-energization the battery chargers and enabling the starting of additional 480v loads. The loads can be started in any sequence, provided that the interval between motor starts is such that the inrush starting currents are allowed to dissipate between starts . The control room staff would coordinate loading of the FLEX DGs with the dedicated operator stationed at the generators. The local operator monitors voltage, current, and loading of the generator and would communicate these values to the control room operators before and after each large motor start.

The large loads that would be started without delay and in a controlled manner after bus restoration would include:

Auxiliary Feedwater Pump B (949 kw)

Essential Spray Pond Pump B and exhaust fan (480 kw)

Essential Cooling water pump B (543 kw)

Essential Chiller B and auxiliaries (443 kw)

Control room essential ventilation B (92 kw)

Low Pressure Safety Injection pump (418 kw) once shutdown cooling entry conditions have been achieved Once shutdown cooling is established the B Auxiliary Feedwater Pump could be secured.

1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 17 Responses to NRC Technical Concerns Regarding Portable Diesel Generators (DGs) from Pre-Submittal Conference Call of December 29, 2016 NRC Portable DG Technical Concern 2:

Technical concern expressed the need for information regarding how loads are shared on the portable DGs and how the control systems work for the DGs (droop/isochronous modes).

APS Response to Portable DG Technical Concern 2:

The three electrically paralleled diesel generators each operate in the isochronous mode. Droop mode would only be used if paralleling to an offsite power source, which is not an option for Palo Verdes configuration. The generators operate within a tight frequency control band, utilizing digital frequency and voltage regulation. The specifications, as documented in Palo Verdes SDOC NM1000-A00182 Rev 0 page 18 indicates a frequency regulation of +/- 0.25% from no load to full load. The voltage regulation is +/- .5% from no load to full load. A communications cable connected between the three generators ensures that both real and reactive power is equally shared across each running generator.

2

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 18 3B DG Repair and Testing Schedule Unit 3 B Diesel Generator Repair - 56 days*

12/15/2016 - 02/11/2017 Disassembly and Damage Assessment 12/17/16 - 01/04/17 Block Repair and Line Bore 12/28/16 - 01/24/17 Install Crankshaft and Assembly 01/24/17 - 02/02/17 Retest and Evaluation of Results 02/02/17 - 02/09/17 Contingency

56 days does not include 6 02/09/17 -

days of contingency 02/15/17 1

Enclosure Description and Assessment of Proposed License Amendment ATTACHMENT 18 3B DG Repair and Testing Schedule Disassembly and Damage Assessment Disassembly and damage assessment includes activities that have been completed as well as activities that are still in progress, such as Engineering non-destructive examination of critical parts. Completed activities include initial visual inspection, damage assessment, parts recovery, removal of the generator, flywheel, crankshaft, precision alignment checks of the DG internals, removal of pistons, liners and connecting rods, and removal of instrument panels.

Also included in this portion of the repair was the removal of the exhaust manifold, right and left bank intercoolers from the turbo charger, and removal of the turbo charger. This allowed for line bore measurements and block inspection. A complex rigging platform was designed and fabricated to support these activities. The duration for this portion is scheduled to be 18 days.

Block Repair and Line Bore Continued repair activities include block repairs, to include machining block mating surfaces, line bore, and foundation check after line bore. Line boring is an engine machining process to establish straight bores for the crankshaft housing. This will ensure the housing and crankshaft are aligned properly. The duration for this portion is scheduled to be 27 days and will be performed in parallel with appropriate activities.

Install Crankshaft and Assembly Installation of the new crankshaft and reassembly of the diesel engine, generator, and flywheel is scheduled to take approximately 8 days.

Retest and Evaluation of Results System flushes, startup checks, and retests will take a total of 7 days. Retest of the Unit 3 B diesel will begin with several short maintenance runs which include integral monitoring and inspection activities. An over-speed test will be performed followed by a 24-hour loaded run with a 100 percent load reject and a hot restart.

Finally, isochronous load testing will be performed to verify appropriate voltage and frequency response to sequenced loads. The retest activities are scheduled to take approximately 4.5 days.

Contingency These activities reflect a 56 day repair duration, with some activities performed in parallel.

The requested required action completion time extension reflects 6 additional days for contingency to address unknowns.

2

v t e Letter Sequence Request
CAC:MF9019, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5B (Approved, Closed)
Initiation Request, Request, Request Acceptance... Administration Meeting, Meeting Questions 2 January 2017 Answers 2 January 2017 Results Approval, Approval, Approval, Approval Other:
MONTHYEAR2016-12-30 [Table View]

ML16365A240

Text

Dear Sirs:

Subject:

Enclosure:

SUMMARY

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY EVALUATION

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

SUMMARY

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY EVALUATION

Conclusions:

References:

References:

References:

References:

Navigation menu

Search