RC-17-0019, Response to Request for Additional Information Regarding License Amendment Request LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1

From kanterella
(Redirected from ML17037D369)
Jump to navigation Jump to search

Response to Request for Additional Information Regarding License Amendment Request LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1
ML17037D369
Person / Time
Site: Summer 
(NPF-012)
Issue date: 02/06/2017
From: Lippard G
South Carolina Electric & Gas Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR-15-01424, RC-17-0019
Download: ML17037D369 (75)
v  d  e


Text

George A. Lippard Vice President, Nuclear Operations 803.345.4810 A SCANA COMPANY February 6, 2017 RC-17-0019 U.S. Nuclear Regulatory Commission (NRC)

Document Control Desk Washington, DC 20555

Dear Sir/ Madam:

Subject:

VIRGIL C. SUMMER NUCLEAR STATION (VCSNS), UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 LICENSE AMENDMENT REQUEST - LAR-15-01424 IMPLEMENTATION OF WCAP-15376-P-A, REVISION 1 - "RISK-INFORMED ASSESSMENT OF THE RTS AND ESFAS SURVEILLANCE TEST INTERVALS AND REACTOR TRIP BREAKER TEST AND COMPLETION TIMES" RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION

References:

1. T. D. Gatlin, SCE&G, letter to Document Control Desk, NRC, License Amendment Request - LAR-15-01424 Implementation of WCAP-15376-P-A, Revision 1 - "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times,"dated December 16, 2015 [ML15356A048]
2. S. A. Williams, NRC, letter to G. A. Lippard, SCE&G, Virgil C. Summer Nuclear Station, Unit 1 - Supplemental Information Needed for Acceptance of License Amendment Request for Implementation of WCAP-15376-P-A, Rev. 1 (CAC NO. MF7196), dated February 22, 2016 [ML16032A170]
3. G. A. Lippard, SCE&G, letter to NRC Document Control Desk, License Amendment Request - LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1, Response to Request for Supplemental Information, dated March 7, 2016 [ML16069A021]
4. S. A. Williams, NRC, letter to G. A. Lippard, SCE&G, Virgil C. Summer Nuclear Station, Unit No. 1 - Request for Additional Information RE: License Amendment Request for Implementation ofTSTF-411 (WCAP-15376-P-A), Revision 1 (CAC NO. MF7196), dated November 8, 2016 [ML16302A125]

South Carolina Electric & Gas Company (SCE&G), acting for itself and as agent for South Carolina Public Service Authority pursuant to 10 CFR 50.90, submitted License Amendment Request (LAR) per Reference 1. In Reference 2, the NRC requested that SCE&G provide supplemental information so that the NRC could complete the acceptance review of the LAR.

SCE&G provided a supplement to Reference 1 in Reference 3. NRC review of References 1 V. C. Summer Nuclear Station

  • P. 0. Box 88
  • Jenkinsville, SC
  • 29065
  • F (803) 941-9776

Document Control Desk CR-15-01424 RC-17-0019 Page 2 of 2 and 3 determined that additional information was required and a request for additional information (RAI) was issued per Reference 4. This letter's Attachment I contains SCE&G's response to these RAIs.

In June 2016, the VCSNS PRA Model was Peer Reviewed by a group led by the Westinghouse Owner's Group. VCSNS has not received the final version of the Peer Review Report. Once the report is received, VCSNS will evaluate the findings and provide an assessment of the findings on LAR-15-01424. In addition, the updated commitment listing in Attachment II contains the response to RAI 14 and new commitments made in Responses to RAI 1, RAI 8, and RAI 9.

If you have any questions regarding this submittal, please contact Mr. Bruce L. Thompson at (803) 931-5042.

I certify under penalty that the foregoing is correct and true.

TS/GAL/wm Attachment I: VCSNS Response to Request for Additional Information Attachment II: List of Regulatory Commitments cc: Without Attachments unless noted K. B. Marsh S. A. Byrne J. B. Archie N. S. Cams J. H. Hamilton S.M. Shealy W. M. Cherry C. Haney S. A. Williams (with Attachment)

NRC Resident Inspector S. E. Jenkins (with Attachment)

Paulette Ledbetter (with Attachment K. M. Sutton NSRC RTS (CR-15-01424)

File (813.20)

PRSF (RC-17-0019) (with Attachment)

Executed on

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 1 of 69 VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT I VCSNS RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 2 of 69 By letter dated December 16, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15356A048), as supplemented by letter dated March 7, 2016Property "Letter" (as page type) with input value "RC-16-0036, License Amendment Request - LAR-15-01424 - Implementation of WCAP-15376-P-A, Revision 1, Response to Request for Supplemental Information" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process. (ADAMS Accession No. ML16069A021), South Carolina Electric & Gas Company (SCE&G, the licensee), submitted a license amendment request (LAR) for the Virgil C.

Summer Nuclear Station, Unit No. 1 (VCSNS). The licensee proposes to revise Technical Specification (TS) 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the allowed outage time, bypass test time, and surveillance frequency changes approved by the U.S. Nuclear Regulatory Commission (NRC) in Technical Specification Task Force (TSTF) Traveler TSTF-411, Revision 1, "Surveillance Test Interval Extension for Components of the Reactor Protection System (WCAP-15376-P)" (ADAMS Accession No. ML022470164).

The NRC staff has determined that the following requests for additional information (RAI) are required to complete its review.

RAI 1

Provide internal events probabilistic risk assessment (PRA) facts and observations (F&Os) from the following:

a.

2002 peer review

b.

2007 focused review

c.

2011 gap assessment that are (1) open or (2) closed by self-assessment for supporting requirements that the review or gap assessment found to be not-met or met at Capability Category I.

In addition, evaluate and provide the resolution of these F&Osto determine whether these F&Os are adequately resolved to support this application.

SCE&G Response

i.

2002 peer review A and B level F&Os from the 2002 peer review, as well as their resolution and assessment of impact are provided below. C and D F&Os are not presented below because they are comments or suggestions to improve documentation or traceability of analyses, but do not impact Supporting Requirement (SR) grades. A C-level F&O may provide a suggestion on an alternative approach to achieve an objective, but does not imply that the approach used is not sufficient to meet the SR. VCSNS has addressed each of these comments and considers them resolved. The related SRs are sufficient to support risk-informed applications.

IE-03 Spurious PSV and Spurious PORV Openings do not appear to be treated in the model. The NUREG/CR-5750 value for small break LOCAs as presented in calculation CN-RRA-02-32 is for pipe breaks only. The IPE Initiating Events Frequency Notebook includes a discussion of these

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 3 of 69 potential initiators which was marked to indicate that these were to be treated as consequential LOCAs. A spurious opening and a failure to reseat following a transient induced challenge are not the same thing. The spurious openings need to be treated as a source of a small LOCA initiator.

Resolution: Spurious Pressurizer Safety Valve opening and spurious Pressurizer PORV opening were added to the VCSNS PRA as a result of this comment.

IE-06 There were two issues identified with the ISLOCA initiating event frequency derivation.

The first issue is in quantification of the V-sequence frequency and any other cutsets whose frequency is proportional to XN, where X is a failure rate and N is a number of independent events in the cutset having the same failure rate, the mean frequency is not equal to the Nth power of the mean failure rate. For N=2 and the case where X is lognormally distributed, X2 =

M2 + V, where M is the mean failure rate and V is the variance of the lognormal distribution. The problem is more complicated with N>2. When dealing with the V-sequence the failure rates are very low and the variance is very high such that the variance term dominates. When this is taken into account the Mean V-sequence frequency can easily be an order of magnitude greater than the result obtained using a mean point estimate (M2). It is not clear that this has been taken into account in the V-sequence quantification.

The second issue is the need to consider a range of normally closed valve failure modes such that not only severe ruptures but large leaks that exceed the relieving capacity of low pressure side relief valves whose failure rates may be significantly higher than the gross rupture failure rates. Other PWR ISLOCA analyses (Seabrook and Watts Bar PRAs, for example) have found such failure modes to be more important than gross rupture failure modes. It is not clear that these failure modes or the relief valve capacities have been taken into account in the ISLOCA analysis.

Resolution: The ISLOCA initiating event frequency calculation was updated to account for the

'Mean V-sequence frequency and independent events larger than two' affect. Additionally, large leaks and their impacts are now modeled. More specifically, all large ISLOCAs, in particular, the ISLOCAs in the Residual Heat Removal (RHR) line, are now modeled as leading directly to core damage. For the smaller ISLOCA paths, more time is available to refill the RWST and in many cases it was shown that the most likely location for the break in the low pressure piping would be inside containment so that recirculation also provides a success path.

(While SCE&G initially considered the above resolution adequate to address this F&O, a review of the resolution actions noted additional work was needed on the ISLOCA analyses. See Observation IE-01-GA in Section ii below.)

AS-01 The success criteria for successfully mitigating an ISLOCA (due to pipe break) are questionable and inadequately justified. The model assumes that ISLOCAs do not result in CD or LERF if there is successful HPI, HPR and depressurization with long term makeup to the primary from an external source.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 4 of 69 The assumption that LP pipes would not rupture viz-a-viz a probabilistic treatment of LP pressure boundary components is questionable. There is inadequate documentation to support the assumption that LP pipes would not break. Also the assumption that nonpipe failure modes are not important is not justified. Industry studies have shown that flanges, heat exchanger components, and other non-pipe components have non-negligible failure probability.

Consideration of possible AB flooding effects was not evident. Also, termination with open ended makeup for a LOCA that does not permit sump recirculation is a bit aggressive. Further, some of the ISLOCA CDF sequences appear to credit recirculation and containment cooling.

This appears to be inconsistent with other ISLOCA treatments and may be reducing the ISLOCA CDF. If so, this could have a significant impact on LERF.

Resolution: To resolve this issue, large pipe breaks were added to the ISLOCA analysis. All large LOCAs (particularly RHR line ISLOCAs) are now modeled directly to core damage.

(While SCE&G initially considered the above resolution adequate to address this F&O, a review of the resolution actions taken to address this F&O noted additional work was needed on the ISLOCA analyses. See Observation IE-01-GA in Section ii below.)

AS-03 The Summer PRA includes a model for consequential LOCAs. A review of the consequential small LOCA model showed that only RCP seal failures given loss of cooling were treated as consequential LOCAs.

Resolution: Failure of Pressurizer PORVs and Safety Valves to reseat following lift was not initially considered consequential LOCAs in the VCSNS model. These failure modes were added to resolve this concern.

AS-08 Injection of 2 of 2 accumulators to the unbroken loops is required for success of LPI for Large LOCA initiating events. The success criteria basis for this is the FSAR. Unless an alternate success criterion is developed for the PRA using an appropriate T/H model, the licensing basis should be modeled.

Resolution: Injection of 2/2 ECCS Accumulators to the remaining (unbroken) loops for Large LOCAs was added to enable success to resolve this F&O. Revising the success criteria in this manner matches the FSAR criteria.

SY-01 A review of the VC Summer top logic fault tree indicates that the logic for the total loss of CCW

(%LCC initiator) does not account for failures of support components which may contribute to the initiating event frequency. The logic under gate %LCC includes only faults within the CCW system itself. This is contrary to the approach used in the total loss of service water, loss of instrument air, and other special initiator portions of the fault tree, where failures of support equipment appear to be factored into the logic. The assumed system alignments are CCW Train A normally running, with Train B in standby and swing pump C aligned to Train A; and both trains of Service Water normally running, but only one train required for operation.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 5 of 69 It is also assumed that maintenance is done on a train basis (e.g., train B CCW and train B SW would be in maintenance at the same time, so that the focus of these comments is on faults other than test & maintenance).

Failure to include the potential for failure of support equipment for the standby train can lead to an underestimate of the initiating event frequency (assuming that such failures are not already captured in the cutsets for another initiating event already modeled). For the LCC event, failures of the B train of Service Water would defeat the B train of CCW, either prior to or subsequent to failure of the A train of CCW, and might contribute significantly to the total loss of CCW frequency; failures of opposite train AC power would also contribute, but likely less significantly.

Resolution: To address this F&O, the Component Cooling Water support systems (Service Water, and AC/DC Power) were added to the Loss of CCW initiating event (special initiator) tree structure. This was necessary to make the model reflect the true initiator impact.

SY-05 The diesel fuel day tanks at VCSNS contain enough fuel for about 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of full load operation for each diesel. For the extended mission times associated with loss of offsite power, the diesel fuel day tanks will need to be refilled about once or more an hour depending upon the control band. Thus, the fuel oil transfer pumps will be cycled multiple times. The VCSNS PRA model for the diesel generators do not include independent or common cause failure of the transfer pump and thus do not address the need to refill the day tank or the cycling of the transfer pumps. It is difficult to argue that this is covered by the generic diesel failure rates because the bulk of the data is based on one hour test runs.

Resolution: This finding was generated because the VCSNS PRA did not model the EDG Fuel Oil Transfer Pumps. The pumps (and associated common cause failures) have been added to the model.

SY-07 The reviewers identified two related issues regarding the EFW model:

(1) The mission time modeled in the PRA for EFW is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for transients, and 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> for LOCAs/SI events requiring depressurization to allow LHI. The latter mission time is appropriate, since it reflects the time for which EFW is needed during the sequence, with the LHI mission time accounting for the remainder of the sequence mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> / stable end state.

However, the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> transient mission time for EFW is based on the time in which the plant is expected to reach RHR entry conditions, beyond which normal RHR would be required for continued heat removal. But the VC Summer PRA does not model RHR for transients. So, by limiting EFW mission time for transients to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the PRA does not account for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time. While the "assumed success" of normal RHR following initial cooldown via EFW may have been a reasonable approximation for the IPE, it is contrary to NRC and industry expectations (e.g., as stated in the ASME PRA Standard) for current technology PRAs. Each sequence should account for at least a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time (if stable end conditions have been achieved), or longer if necessary to demonstrate stable sequence end conditions.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 6 of 69 (2) The useable capacity of the condensate storage tank for EFW supply is insufficient for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time. Thus, a backup or alternate source of EFW supply is required to allow crediting EFW as a sole means of achieving success for transients. However, this backup alignment is not modeled in the PRA.

Resolution: Emergency Feedwater mission times for transient events were extended to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to resolve this observation. A second item in this F&O discussed the need to model Condensate Storage Tank refill capability. VCSNS did not implement this recommendation, choosing instead to document why modeling is not required. The justification for this was reviewed and deemed acceptable in the 2007 Gap Analysis (with AS-01-GA, discussed in Section ii below).

DA-02 The procedure for deciding when to apply Bayesian updating vs. relying only on generic or plant specific data in the Guidance PSA-05.doc is questioned as it is not necessary and has not been consistently applied. A check was made on 6 failure rates that were developed using only plant specific data vs. what would have occurred if Bayesian updating had been consistently applied.

In 3 cases the Bayesian update provides reasonable agreement with point estimates developed entirely from the plant specific evidence, but in 3 cases significant differences were noted mostly in the direction of higher values using the Bayesian method. In the case of SW pump fail to run a factor of 3 discrepancy was identified. In addition, the statistical methods used in both procedures are internally inconsistent (Chi Squared vs. Bayes). Statistical rules of thumb on when it is necessary to Bayesian update or not are much less desirable than applying Bayes itself to answer this question. If such valid formulas were applied they would be more complicated that just doing the Bayesian update all the time. The current procedure defeats the whole purpose of Bayesian updating: namely to figure out how to weigh the contributions of generic evidence and plant specific evidence in the development of a probability distribution. If very little evidence is applied, Bayes will return an updated distribution very similar to the generic distribution and when there is a lot of plant specific evidence it will return something very close to the current chi squared treatment. But in every case in between the appropriate weight will be applied. Finally, by deciding how to selectively apply Bayes you are just adding a step that really is not necessary, yet it creates another opportunity to introduce arbitrary judgments into the data handling flowsheet.

Resolution: This F&O dealt with a reviewer's preference that Bayesian updating be used in all cases as opposed to utilizing a set of rules for when Bayesian updating is appropriate. VCSNS elicited an expert opinion and chose to leave the rules in place vice 100% Bayesian updating.

VCSNS solicited another expert opinion who deemed the rules method acceptable.

DA-03 VCSNS PRA has quantified "fatal" common cause failure events, that is, common cause failure of a given component type that would result in guaranteed system failure, and has then combined the various CCF elements for a system into a module which is inserted at the top of the system fault tree. This can result in missing "non-fatal" common cause failure combinations which when combined with a single random failure of another component will result in system failure. A key example is found in the EFW common cause failure module EFW-CCF-AII. This model includes a gate for common cause failure of the 2 motor driven pumps and an

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 7 of 69 independent failure of the TD pump. The module also includes a common cause failure of all 6 of the valves 3531, 3541.3551, 3536, 3546, and 3556. One combination that is not captured is common cause failure of 3531, 3541 and 3551 combined with an independent failure of the TD pump.

Resolution: Common cause was initially modeled for "fatal" combinations of failures at a high level. This method could result in some combinations of common cause failures being missed when paired with random failures. To resolve this issue, common cause was modeled at the component level to ensure that both fatal and non-fatal combinations are captured.

DA-08 Independent reviews of the CCF treatment have identified a number of issues that are currently being investigated for a future update. The purpose of this F&O is to provide input from a review team member who was responsible for developing many of the current industry methods for CCFA.

The first issue is the treatment of failure to run of CCW pumps in the Loss of CCW initiating event frequency calculation: the issue is what is the appropriate mission time. The answer is 8760 weighted by the plant annual average availability (even though only one CCW pump is normally running, since another must start once the first fails, to prevent loss of CCW). This is expected to result in relatively high loss of CCW frequency and loss of SW frequency and such results may be inconsistent with industry experience. Rather than shorten the mission time, alternative approaches should be used to attempt a more realistic treatment. The first is to question the magnitude of the beta factors that are derived from industry sources as very few if any of the experienced CCF events have actually resulted in a total loss of CCW or SW. Data screening for a severity factor is one approach to address this. An additional step is to consider a recovery action that would restore CCW or SW cooling following the initial loss that causes a plant trip. The bottom line is that this issue has nothing to do with the mission time which should be set as the time the pump failures are "at risk to cause the initiating event".

The second issue is the treatment of CCF between the motor and turbine driven pumps. A review of the actual CCF event data for AFW (Emergency Feedwater) pumps reveals that mechanical failure CCF events are dominated by the presence of common suction path for the pumps which may lead to steam binding, air binding or debris clogging both pumps and therefore unless very good justification can be provided for why these do not apply to Summer, the AFW pump group should include both types of pumps. This is actually recommended in NUREG/CR-4780. Alternatively if some justification can be provided this is inconsistent with the generic data that is used to quantify the CCF parameters for these components.

A third issue identified in this review is the need to consider CCF failure modes of heat exchangers and strainers in the SW system that arise from debris getting past the traveling screens and clogging the SW side of heat exchangers and any SW strainers. Data for this failure mode is in the INEEL CCF database.

A final related issue is tied into another issue in the Systems Analysis element regarding the omission of the EDG fuel transfer pumps from the SBO model. When this is added a common cause group involving these fuel transfer pumps should be added to the model (see SY-05).

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 8 of 69 Resolution: This observation involved four separate common cause issues. The items were resolved by changing (independently) the VCSNS common cause deficiencies as recommended.

HR-02 A generic set of arguments is made in the HRA calculation to summarily dismiss the potential for miscalibration of redundant instruments in the PRA model. These arguments, while including valid considerations that should be reflected in this aspect of the evaluation, are viewed by the review team to be insufficient to justify global elimination of this important class of human actions from the model. There is one specific class of miscalibration events that have appeared in industry data sources such as the common cause data that have been caused by errors in the calibration procedures, for example.

Resolution: Miscalibration common cause events were added to the model to address this F&O.

HR-03 The time window used in the HRA calculation for bleed and feed actions is 30 minutes for all scenarios. The footnote in Table A-2 refers to the success criteria for Task 26 which derived a value of 45 minutes for certain transient initiating events using 1 PORV. The actual task in the success criteria reference is Task 36. In Task 18 of the success criteria notebook it is stated for Small LOCAs that the time window is 15 minutes using 2 PORVs. Hence the use of 30 minutes as indicated in the Appendix A table is not appropriate for action OAB1.

Resolution: Mission times for several operator actions (including bleed and feed) were revised to be scenario-specific and to ensure consistent documentation.

HR-05 Table B-2 in Appendix B of Calculation DC00300-134 shows the dependent human actions in the Summer PRA. This table lists the level of dependency for the cognitive and execution portions of the HEP; however there is no discussion of the basis for assigning the level of dependency. Combination 1 in Table B-2 is failure of operator actions to manually actuate LCV0115C and LCV0115E. Both of these actions are for the same function and occur at the same time, therefore it appears that they should be highly correlated. The HEP for the second action is calculated as 0.50335. There are several combinations in Table B-2 such as Combination 7 involving what appear to be 3 concurrent actions in response to a loss of CCW including restoring the swing pump, restoring cooling water to CV pumps from one source, and restoring cooling water to CV pumps from a second source. These HEPs are then adjusted from a cumulative human recovery credit from 3E-6 to about 4E-5. While some adjustment is made to reflect dependence, the degree of dependence assumed is weak and the value for the combined HEP is extremely small for what the reviewers consider to be a very high stress event.

Resolution: Peer reviewers commented on the basis for choosing dependency levels between operator manual actions in the internal events model. The HRA Calculation was reviewed and revised to address each of these issues.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 9 of 69 While SCE&G initially considered the above resolution adequate to address this F&O, an independent review of the resolution noted additional work was needed to resolve the item. See HR-04-GA resolution in item ii below.

HR-06 It is not clear that the full plant level perspective of the symptoms and plant conditions that may influence the time available to perform Type C actions have been adequately taken into account. For example for sequences involving operator actions after a loss of CCW or loss of SW initiating events, it was not evident that the interactions and complexities associated with the plant being in multiple procedures at the same time was taken into account. The HRA evaluation of these actions make reference to the loss of CCW procedure but do not explicitly address the additional procedures such as E-0, procedures to cope with loss of CCW to charging pump and CVCS heat exchangers, etc. that the operators will be involved with during the scenario. Hence when the time window is compared with the time needed to complete a given action the time needed to address concurrent activities is not explicitly considered. This issue relates also to the treatment of human action dependencies in the following respect. The HEP values including the time window analysis is done for sequences independent of the underlying cutsets. Some of the cutsets involve concurrent human actions whose time to complete will be competing with those of a given action. Hence for these cases the time windows should be further adjusted.

Resolution: The reviewer for this F&O felt that a "full plant perspective" was not apparent in the timing and dependency evaluations for HRA. To address this, Operators were interviewed to gain a larger prospective for events having a plant-wide impact. Some dependency levels were changed based on these discussions.

While SCE&G initially considered the above resolution adequate to address this F&O, a review of the resolution noted additional work was needed to resolve the issue See HR-02-GA resolution in item ii below.

HR-08 The HEP value for PXOPMANUALRTHE, manual rod insertion during ATWS, appears to be optimistic at 1E-4 per demand in view of the very short time window for such actions, which is assumed in this analysis to be only 2 minutes. This does not appear to be internally consistent with other TYPE C actions in which longer time frames are available. In addition, this action is applied in many cutsets with additional human actions and common cause failures that would contribute to stress and compete for time. A review of the WOG PRA Results and Comparisons database indicates that HEPs applied for this action in various PRAs range from 1E-2 to 1 E-4.

In the HRA Calculation appendix that documents time windows it is stated that less than 1 minute is available (as opposed to the 2 minutes noted above) and a statement is presented that this action is not time dependent. Although the action in question is a memorized "immediate action", any action that has to be done in less than 1 minute or even 2 minutes must have at least some degree of time dependence.

Resolution: To resolve this observation regarding an HFE with short time frame, VCSNS reviewed all the HFEs with short time windows and performed time-reliability models to update one HRA probability.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 10 of 69 DE-03 The following observations were made regarding the internal flooding analysis.

1. The internal flooding analysis, as documented in the IPE Internal Flooding Analysis Notebook, included a number of assumptions, which are documented in Section 1.3 of the Internal Flooding Analysis notebook. The set of assumptions is reasonable with the possible exception of the following:

(a) Walls and doors are assumed to remain intact throughout the flooding event, and doors are assumed to remain intact and in their normal position. This is optimistic, and ignores the potential that non-water-tight doors could be failed by a rising water level, or that normally closed doors might be inadvertently left open, allowing flood propagation to adjacent rooms/areas.

(b)The potential for propagation through drains (grates, openings between floors, etc.) or vent lines is not addressed in the assumptions, nor is the ultimate disposition of the water, although the room-by-room evaluation indicates that propagation was considered in the analysis. However, where propagation is considered, it reflects the assumption noted in item 1 above, i.e., doors are assumed to limit propagation potential perfectly.

Review of the room-by-room screening documentation in the flooding notebook indicates that potential flood propagation was considered for each area, although details of the evaluation are sometimes sketchy. The extent of propagation considered is limited by use of the above assumptions, e.g., for some rooms, propagation is assumed to only be possible through the gaps under the doors, whereas additional propagation might be possible if failure of the doors was considered.

2. The IPE analysis makes assumptions regarding status, and even presence, of flood barriers.

Since these assumptions are an integral part of the analysis, they should be confirmed as still applicable (e.g., curbs still present).

3. The internal flooding analysis uses the existing transient accident scenarios to model plant response to an internal flooding initiator, appropriately failing equipment identified as potentially affected by the initiator. However, it does not appear that flood scenario-specific consideration has been given to human actions that are incorporated into the selected transient models.

Although many such actions would likely not be affected, it is important to evaluate to determine that each action is still possible given the flood effects that cues for action are not adversely affected by the flood, and that response times inherent in existing HEPs are not significantly changed by the flood scenario.

Resolution: Resolution of this F&O involved updating the entire VCSNS Flooding Analysis.

The internal flooding model has been updated, including treatment of door and wall failure evaluations/assumptions, propagation pathways, flood mitigation barrier walkdowns and confirmations, initiating event frequencies and scenarios and flood HEPs. This particular observation was closed with observation IF-01-GA described in the 2007 assessment.

However, the need for complete flooding model update was identified in the 2011 gap assessment (see observations in Section iii below).

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 11 of 69 DE-04 The Summer PRA does not model common cause blockage of the containment sump filters after switchover to recirculation cooling following a large or medium LOCA. The blowdown phase of a LOCA may produce sufficient debris in the sump to plug or significantly reduce the flow through the sump screens. This could result in failure of ECCS sump recirculation.

Resolution: VCSNS added a new basic event to include common cause failure of the containment sump screens (due to blockage during the recirculation phase) to address this F&O.

DE-05 The diesel generators are modeled as depending on room ventilation, with 1 of 2 ventilation fans being sufficient. Common cause failure of the diesel generator room ventilation fans was not modeled. Common cause failure of 2 of 2 fans for a given diesel will result in failure of the affected diesel. Common cause failure of all four ventilation fans will cause failure of both diesels.

Resolution: To address this F&O, VCSNS added new common cause failures for EDG room ventilation fans.

QU-04 During the review several updates of quantification results were presented to the review team, including Rev 3H. An earlier set of results was presented in Revision 2 that included the treatment of dependent human actions. Because this step in the quantification procedure influences the results and the profile of contributing accident sequences and cutsets, it should be recognized that any quantification update is incomplete until this dependent actions review step is done.

Resolution: Resolution of this F&O involved changing VCSNS PRA guidance to ensure multiple operator action strings are evaluated for dependence after each change in the PRA HRA. Subsequent updates include this evaluation.

QU-06 One of the updates presented to the review team included a sensitivity analysis to address "unusual" sources of uncertainty. However a parametric uncertainty analysis was not performed.

Future major updates should include an update of the sensitivity analysis and a parametric uncertainty analysis, as such analyses may be needed for certain risk informed applications.

Resolution: This F&O was resolved by performing updates to the sensitivity analysis and parametric uncertainty analysis for all major updates. This resolution was deemed acceptable, but a new observation was generated to strengthen documentation of key sources of uncertainty. See QU-02-GA in section ii below.

QU-07 A results summary was provided for a recent update to support the review. This summary included basic results for GDF, LERF and major contributions to LERF and some information that sensitivity analyses had been performed, but the results of these analyses and the insights

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 12 of 69 they support were not included in the summary. It is true that the sensitivity analyses were documented elsewhere in terms of numerical results, but the insights that such analyses normally are expected to provide should be evident in the results summary. Missing entirely from the summary are insights about the contributors to risk, key plant features that impact the results, any unique or specific modeling approaches that influence the results, and results of parametric uncertainty analysis (which was not performed).

Resolution: As in QU-06, resolution of this F&O involved performance of sensitivity and uncertainty analyses. VCSNS addressed this F&O by performing a parametric uncertainty analysis and a set of sensitivity analyses to evaluate specific issues. The documentation of the sensitivity analyses includes the basis for selecting the case and a discussion of the interpretation of the results and the insights gained.

VCSNS design calculation includes a set of pie charts showing CDF and LERF contribution by initiator. This document also includes the top 25 cutsets for each initiator. VCSNS performs the component and operator importance analyses as part of a separate report for distribution to plant staff.

L2-02 Early containment overpressure failures are not included in the Summer LERF model. At least philosophically, this is a significant exception from the NRC simplified LERF model in NUREG/CR-6595 and the LERF model at most other plants. The basis for this exception is covered in a brief qualitative discussion in CN-RRA-02-42 with a pointer to quantitative evaluation in CN-RRA-02-51. Because of the "philosophical significance" of this exception, CN-RRA-02-42 should include a very thorough discussion of the basis for not including early containment overpressure failure in the LERF model. This discussion should address key uncertainty issues such as the amount of zirconium oxidation and other severe accident phenomena that affect the magnitude of the containment pressure challenge.

Resolution: The reviewer felt that some methods for early containment failure were discounted in the VCSNS PRA model without adequate justification. To resolve this issue, VCSNS improved documentation for the assignments and generated a new calculation to house the associated bases.

ii.

2007 focused review The information below documents the results of the 2007 focused review. At the conclusion of this review, all the comments from the internal events peer review and actions taken to close the comments were judged to be resolved and adequate to support risk applications.

IE-01-GA In the original peer review, a B level F&O, IE-06, was issued for the ISLOCA analysis. One of the primary items was concern about the variance/polynomial treatment for quantifying the ISLOCA frequency (part of the "state-of-knowledge" issue") and the treatment of different valve

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 13 of 69 and component failure modes. A second F&O, AS-01, Significance Level B, raised concerns about the failure to treat large pipe failures and crediting recirculation to mitigate ISLOCAs. The ISLOCA treatment was revised. The ISLOCA frequency was calculated using the variance treatment. While the resulting frequency was a factor of 20 higher than the baseline, it was concluded that this was not significant and could be treated in the uncertainty analysis. It was not used to calculate the error factor and was only used in a sensitivity analysis. Large pipe breaks were addressed by introducing a split fraction that said 1% of ISLOCA initiators resulted in a pipe break. A review of the ISLOCA cutsets showed one cutset with an ISLOCA resulting in a large pipe break outside containment and failure to control ECCS flow. This is not a valid cutset. It is an artifact of the model structure which assumes mitigation even when a pipe break has occurred without fully achieving a safe stable end state.

Mr. R. Lutz (Westinghouse) was asked to review the ISLOCA supporting analyses to identify the basis for the revised ISLOCA. The results of this review indicated that the accident progression for an ISLOCA involving a pipe break outside containment in the 12 inch RHR suction line is based on the expected plant response as documented in the original IPE Success Criteria Notebook (Reference 15 in CN-RRA-02-81). Since there are no valves in the RHR suction line outside containment, a break in that line would disable the LPI injection function for the pump in the affected train. Thus, RWST drain down would be limited to one LPI pump and 2 charging pumps. The IPE Success Criteria Notebook indicates that for a completely depressurized RCS, this would drawdown the RWST at a rate of 3930 gpm. At some time into the event, the operators would go through the VCSNS Emergency Operating Procedures and stop all SI pumps and align a single charging pump to take suction from the RWST and discharge through the normal charging pathway that can be throttled (and the flow rate is indicated in the control room). This is detailed in Appendix A of CNRRA-02-81 and is shown to be able to be completed within 40 minutes. The original IPE success criteria then assumed that the operators would throttle RCS makeup to match the curve in the EOPs. In this case, if ECCS was terminated and throttling started at 44 minutes, the RWST would last for exactly 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. CN-RRA-02-081 references CN-RAS-95-57 for the 40 minute success criteria. CN-RAS-95-57 simply took the original IPE success criteria (44 minutes) and updated it for the power uprating to show that it is now 41 minutes, which was rounded to 40 minutes in CN-RRA-02-081. Thus, terminating all ECCS flow and initiating normal charging using suction from the RWST is a valid response to the ISLOCA pipe break event.

There are two weaknesses in this success criteria:

1) The assumption that ECCS flow is stopped at 40 minutes and the normal charging pathway, taking suction from the RWST, is used just gets to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> before the RWST is emptied. This is not a safe stable state. Revising the PRA to model RWST refill at a rate of at least 115 gpm (see table 3.9 of the IPE Success Criteria Notebook adjusted for the 4% power uprating from CN-RAS-95-57) would resolve this issue.
2) The operator action to terminate SI, re-align a charging pump to the normal charging discharge pathway (but taking suction from the RWST) and then continually throttle the charging pump flow according to the plot in the EOPs is a key modeling assumption that is not modeled in the PRA. Without success in stopping the ECCS pumps and re-aligning a charging pump, RWST refill would have to be started before 100 minutes and at a rate of 3930 gpm. Revising the PRA model to include this operator action would resolve this issue.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 14 of 69 The ISLOCA analysis needs to be revisited. First, if mitigation is to be credited, refill of the RWST and the operator action to terminate SI and realign the charging pump need to be modeled. Alternately, the pipe rupture branch can be taken directly to core damage. Second, once these model changes are made, the variance treatment needs to be revisited, particularly for those sequences that can lead to a large pipe break outside containment. Calculation of rupture probability should consider, at least qualitatively, all low pressure components in the line and where the break is credited as small enough to mitigate, the bases need to be carefully and thoroughly documented.

Resolution: This comment was resolved in conjunction with Internal Events F&O's IE-06 and AS-01 noted above in section i. This ISLOCA analysis was updated to ensure that all large ISLOCAs and in particular the ISLOCAs in the RHR line, are modeled as leading directly to core damage. For the smaller ISLOCA paths, more time is available to refill the RWST and in most cases it was shown that the most likely location for the break in the low pressure piping would be inside containment so that recirculation is also an option.

IE-02-GA VCSNS Calculates their initiating event frequency based on a reactor critical year basis.

Flowever, they do not adjust them to account for the fraction of time that the plant is at power during a given year. Adjust the initiating event frequencies by the fraction of time that the plant is at power during a calendar year. That can be accomplished by multiplying the initiating event frequencies by the average plant availability. Since all lEs are based on reactor year currently.

Resolution: Resolution of this finding involved multiplying the overall CDF by plant availability to account for the time the plant is at power. (Initiating event frequencies are calculated on a critical reactor year basis.)

AS-01-GA See original F&O SY-07, Issue 2. The issue is that the CST is credited as lasting throughout the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time so realignment is not modeled. VCSNS decided to address this issue by providing a number of qualitative arguments as to why the treatment was appropriate. The arguments were not conclusive. The minimum inventory in the CST, 179,850 gallons, is stated to be adequate to maintain the plant in hot standby for 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />, but this is not demonstrated to be adequate for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The next argument is that the CST level would be above the low level alarm setpoint at the time of the transient and would have an inventory of over 350,000 gallons.

This appears reasonable, but there is no calculation that this inventory is sufficient for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of operation. There is also no proof that the level will be above the low level alarm point. The tech spec limit is the 179,850 gallons. VCSNS needs to provide additional proof of the added inventory using alarm response procedures to show that the CST is promptly refilled on a low level alarm and provide plant operating experience to demonstrate that the tank always has greater than 117,850. VCSNS also stated that there are three redundant alternatives. The first two involve manual actions (refill CST or switch to hot well) which would probably involve highly dependent operator actions (diagnosis). Note also that, depending on the initiator, the hot well may have only a few hours supply. The third alternative is an automatic realignment to service water. These are all argued to be highly reliable, with limited bases, so that they don't need to be included in the model. VCSNS should provide stronger, more quantitative arguments to

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 15 of 69 address the issues above or incorporate refill of CST in the model. The volume arguments may be the most effective when the decrease in decay heat is considered, but a calculation of some sort should be performed.

Resolution:

VCSNS addressed this issue by providing better documentation of the initial CST Volume available at the start of a transient. VCSNS documented that the CST volume is automatically refilled by the Demineralized Water System whenever the level in the tank decreases to 30 feet to refill it to a level of 35 feet. The inventories corresponding to these two levels are 404,000 gallons and 468,500 gallons respectively. Both are significantly higher than the 350,000 gallon inventory which was determined to be just sufficient for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission.

This provides an acceptable justification for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time so this F&O is closed.

AS-02-GA VCSNS does not have a stand-alone database or document identifying all of the assumptions or sources of uncertainty included in their PRA. The VCSNS practice is to capture the assumptions associated when each element of the PRA in the documentation associated that element or in the PRA update documentation. DC00300-146 contained a small set of assumptions, but there is no indication they had been reviewed for significance. A review of the updated success criteria report indicated that there was no compilation of assumptions used but assumptions could be identified by a careful reading of the individual tasks. In the event tree notebook, DC00300-130, the assumptions section states that the assumptions are contained in the individual event tree sections. The assumptions could be identified through a careful reading of the text, but there was no assessment of the importance of the assumptions and there was no compilation of the assumptions. A review of the HRA Documentation also shows that it is difficult to identify the assumptions and there appears to be no assessment of the significance of assumptions. The Systems Notebooks were also reviewed and they have a fairly good set of assumptions for each of the systems analyses. Again, there appears to be neither an assessment of the significance of the assumptions nor an assessment of the uncertainty.

VCSNS should consider establishing a compilation of the assumptions used in their PRA model.

As a minimum, VCSNS should identify and track key sources of uncertainty, in particular, epistemic uncertainty. The assumptions should be identified by PRA Element and include at least a qualitative assessment of the importance of each assumption. Note that no problems were identified with respect to specific assumptions or the ability to ascertain the validity of any specific analysis. This is primarily a documentation issue.

Resolution: This item dealt with documentation of assumptions and their impacts/uncertainties on the model. To resolve the issue, VCSNS improved the method of documenting assumptions as changes are made to the model.

HR-01-GA Capability Category 2/3 for this SR contains a list of 11 PSFs that must be explicitly addresses when estimating HEPs for significant human actions (Type C). VCSNS uses the old Scientech implementation of the EPRI Cause Based Decision Tree Methodology (CBDTM) which explicitly

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 16 of 69 considers a limited set of PSFs, time available and time required to complete a response, stress level and complexity of the response. The new EPRI HRA Calculator includes provisions for explicitly addressing all of the PSFs listed in the Capability 2/3 requirements for SR HR-G3. It is recommended that VCSNS switch to the HRA Calculator at least for the significant human actions.

Resolution: This F&O involved the Performance Shaping Factors chosen for HEPs. VCSNS adopted the EPRI HRA Calculator (which explicitly addresses the required PSFs) to address this F&O.

HR-02-GA See F&O HR-06 from the original peer review (Section i above).

Resolution: To address this issue, VCSNS PRA worked with Operations personnel to ensure that the model reflects actions from a full plant perspective and that dependencies are properly accounted for.

HR-04-GA VCSNS has performed a dependency evaluation for combinations of human actions that occur together in cutsets. The documentation includes a table that shows the HEPs that occur in combination arranged in time order and assigns a dependency level (CD, HD, MD, LD and ZD) for both the cognitive and execution portions of the second and subsequent actions. However, there is limited discussion of the factors considered in determining the dependency level and there is no documentation of the basis for assigning the dependency levels for various HEP combinations.

A review of Table B-2 "Dependent Basic Event Combinations and Dependency Levels" revealed several combinations for which the dependency levels might be questioned. These include:

{PXOPMANUALRTHE (OPERATOR FAILS TO MANUALLY INITIATE A REACTOR TRIP) /

MRI_2 (FAILURE OF MANUAL ROD INSERTION)} or

{CCPMXPP1CHE (OPERATOR FAILS TO MANUALLY ACTUATE MDP XPP-1C) / OAAC (OPERATOR ACTION TO ESTABLISH ALTERNATE COOLING TO CS PUMPS)}.

VCS should improve their documentation of the dependency analysis in several areas. First, there should be a discussion of the specific factors considered when evaluating the dependency between actions. These factors should cover those listed in SR HR-G7. Second, VCSNS should indicate the basis for assigning the dependency levels for the second and subsequent actions in a set, especially for the LD and ZD dependencies.

Resolution: This finding detailed a lack of documentation concerning the assigned level of dependence between HEPs. VCSNS improved documentation and provided the bases for dependence assignments.

DA-01-GA

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 17 of 69 The VCSNS Data Analysis Guidance, PSA05, focuses primarily on the Bayesian Analysis process and provides limited guidance on how to actually collect the plant specific data that is used. Supporting Requirements (SRs) DA-C4, DA-C5, DA-C6, DA-C7, DA-C8, DA-C9, DAC10, DA-C11, DA-C12 and DA-C13 identify a number of specific concerns associated with the use of plant specific data. It is recommended that PSA05 be updated to specifically address these concerns to the extent that it is possible to discern the practices used at VCSNS. The updated guidance should specifically address how failure counts are determined, how success (hours/demand) is determined and how test/maintenance unavailability is determined. This should be tied to the maintenance rule program documentation.

Resolution: This comment was generated due to lack of detail in the documented process to perform data updating. VCSNS revised the data update guideline to define the process and rules used.

DA-02-GA A review of the revision 4 update report, the data update documents and the data analysis process document, PSA05, revealed that there were few data analysis assumptions explicitly listed. Some assumptions could be picked out by careful reading of the documentation and others could be inferred. While VCSNS does not appear to have used any inappropriate assumptions, the data analysis assumptions need to be documented in a manner that facilitates evaluation of these assumptions. (See AS-02-GA above.)

Resolution: Similar to AS-02-GA above, this finding concerned lack of detail regarding assumptions in the VCSNS analyses. VCSNS improved the level of detail in the update guideline and the HRA guideline and calculations. Additionally, the HRA report now includes a table listing all of the multiple HEP combinations found in the model. For each element in a multiple HEP group, the table lists the level of dependence and defines the basis for the assigned level of dependence QU-03-GA The update 4 report does not provide the importance measures for the updated model. This is a requirement of SR QU-F2. The importance measures report should be generated and added to this report.

Resolution: This finding documented that VCSNS updates did not include importance measures for basic events. VCSNS now includes both CDF and LERF importance measures in model updates.

QU-04-GA SR QU-F4 has been revised in Addendum B to the ASME PRA Standard. The revised SR reads, "Document key assumptions and key sources of uncertainty, such as: possible optimistic or conservative success criteria, suitability of the reliability data, possible modeling uncertainties (modeling limitations due to the method selected), degree completeness in the selection of

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 18 of 69 initiating events, spatial dependencies, etc." While to a limited extent, some of this information can be found scattered through the existing documentation, it is generally only indirectly addressed and it is not covered in any coherent fashion. VCSNS may want to consider adding a new section to their update reports to specifically discuss the major areas of assumptions and uncertainties listed in this SR. VCSNS should also think about any items unique to their plant or model.

Resolution: Similar to AS-02-GA above, this finding concerned lack of detail regarding assumptions in the VCSNS analyses. VCSNS improved the level of detail in the update guideline and the HRA guideline and calculations.

QU-05-GA VCSNS does not have a definition of "Significant". VCSNS should update their quantification process to add a definition for "Significant". This definition should be consistent with the definition in section 2 of the standard. Note that the definition of "Significant" will factor into documentation of what is reviewed and documented. Therefore, the updated procedure should also address the documentation of "Significant" assumptions and sources of uncertainty as well as the review of significant cutsets and accident sequences. VCSNS should look at the SRs that talk about "Significant" Items when updating the quantification process.

Resolution: This finding recommended that VCSNS include a definition of "significant" in the quantification process. VCSNS added the definition to the quantification guideline.

DE-03 See Section i for finding.

Resolution: This observation was closed with observation IF-01-GA below. However, the need for complete flooding model update was identified in the 2011 gap assessment (see observations related to IFEV Supporting Requirements in Section ii below).

IF-01-GA One issue identified in F&O DE-03 from the original peer review was the assumption that doors would remain intact. This is an optimistic assumption that has been cited. VCSNS has an old hand calculation "demonstrating" the ability of the standard doors to hold against flood heights of 8". This evaluation is an extrapolation from a wind-loading analysis. For the updated flood analysis, VCSNS should expand on the analysis to include the calculation of the water height equivalents for the wind loads. Furthermore, after the flood depth re-evaluations are completed, VCSNS should review each room analysis to confirm that no door will be exposed to a water depth greater than 8". If any door does see a greater depth, VCSNS needs to calculate a failure probability based on the water depth actually anticipated.

Resolution: This comment dealt with documentation of the VCSNS assumption that doors remain intact during flooding events. The flooding analysis was updated and additional documentation was provided to show that the assumption is valid. Additionally, as a result of the 2011 gap analysis, VCSNS updated the entire internal flooding model, including door failure treatment.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 19 of 69 QU-02-GA The discussion of key sources of model uncertainty is somewhat limited. A quantitative parametric uncertainty analysis was performed and there was a limited set of sensitivity analyses linked to some specific changes in the update. However, the overall discussion of key sources of uncertainty seemed somewhat limited. VCSNS may want to consider developing a list of key sources of uncertainty and providing a discussion of the overall potential impact of these assumptions on the robustness of the model.

Resolution: This comment noted that the discussion concerning key sources of uncertainty in VCSNS modeling was limited. Similar to AS-02-GA above, VCSNS documented the key sources of uncertainty and discussed their impact.

iii.

2011 gap assessment In 2011, VCSNS performed a self-assessment to identify gaps in meeting Capability Category II in the ASME/ANS Standard. In most cases, this assessment did not distinguish between comments needed to meet CC-II and suggestions made to enhance the model. For this reason, all the suggestions/findings and their resolutions are provided below with the exception of the few that specifically noted the SR is met at CC-II or that no resolution was necessary. VCSNS has completed resolution of each of these items (as discussed below) with the exception of observations 4_6, 3_3, 1_43, 6_9 which are still in progress.

With the exception of the four observations specifically noted above, VCSNS considers the finding resolutions complete and adequate to support risk informed applications. The impact on LAR 15-01424 of the four items still in progress is provided in the appropriate section below.

1_26 The ATWS event is not consistent with WCAP-15831 which provides an ATWS model (focusing on the pressure relief issue) reviewed and approved by the NRC (essentially an industry standard for W NSSS plants). In addition, it's not clear where the UETs fit in or if the dependency between OAs have been addressed. The ATWS sequences modeled don't appear to be consistent with WCAP-15831. (SR-A5)

Resolution: The VCSNS ATWS model (including UETs) was updated per the guidance in WCAP-15831.

1_30 Secondary side pressure relief is not modeled consistent with the success criteria.

Resolution: The VCSNS model was changed to add secondary pressure relief to the model.

1_25 Mitigation of systems impacted by the initiating event do not appear to be addressed from review of ETREE1. This could be an issue for secondary side breaks outside of containment.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 20 of 69 The potential impact of the steam release on equipment required to operate should be addressed. (SRAS-B1)

Resolution: The potential impact was assessed for initiating events. Secondary Side breaks outside of containment and ISLOCAs were identified as the events that can impact mitigation equipment. These items were addressed by completely updating the ISLOCA and Internal Flooding model, including the impact on plant equipment.

7_3 Sump blockage was not based on the latest PWROG information form WCAP-16882. The VCSNS model for sump blockage is from IPE days and does not address GSI-191 concerns.

The current model only includes CCF of sump screens due to blockage for %LLO and %MLO based on a generic data based for different conditions. Sump blockage is not modeled in other initiators that go to ECC recirculation and does not follow the latest PWROG recommendations in WCAP-16882. (SR AS-B3)

Resolution: VCSNS revised the sump model to be consistent with WCAP-16882.

1_24 Operator actions are discussed in the section 'Accident Progression through the EOPs' but not all actions, are identified in the top event descriptions. (SR AS-A4)

Resolution: To resolve this issue, tables were added to the Accident Sequence Notebook to list the operator actions associated with each top event.

1 31 The ATWS event is not consistent with WCAP-15831 which provides an ATWS model (focusing on the pressure relief issue) reviewed and approved by the NRC (essentially an industry standard for W NSSS plants). In addition, it's not clear where the UETs fit in or if the dependency between OAs have been addressed.

Resolution: The ATWS model was updated consistent with WCAP-15831 and the UETs were modeled appropriately.

1_48 Realism of the interrelationship between the EDG failure rate, LOOP recovery times, and battery depletion should be improved. (AS-B7)

Resolution: To improve realism, the VCSNS model was updated to incorporate power recovery using the convolution method.

1_29, 4_8, 1 38, 1_40, 7_8, 1_23, and 1_16 Sources of model uncertainty, related assumptions, and their possible impact on the model, have not been identified and documented. (SR AS-C3, DA E-3, QU-F4, SC-C3, SY-C3, QU-E4)

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 21 of 69 Resolution: VCSNS developed an Uncertainties Notebook which documents the model assumptions and sources of model uncertainty, and characterizes the uncertainties with regard to their potential impact on the PRA model results.

4_5 Generic parameters used in the VCSNS data analysis come from the ALWR database (EPRI TR-016780). Consistent groupings are used. (SR DA-C1)

Basis for Significance: Examine the information in WCAPN15376 for cards and master relays.

Generic parameters used in the VCSNS data analysis come from the ALWR database (EPRI TR-016780). Update the generic failure probabilities using NUREG-6928 and WCAP-15376 and re-calculate the component failure probabilities Resolution: The data analysis was updated using the cited generic failure probabilities and this document is referenced in the Data Notebook.

4_2 Improve documentation to show that support system unavailability is not double-counted in data analysis. SR DA-C12)

Resolution: The Data Analysis notebook was updated to better define the component failure modes and groupings.

47 The loss of CCW and Service Water event trees contain a recovery event for CCW that is based on a conservative estimate (0.5) rather than on actual data. (DA-C16)

Resolution: VCSNS investigated the noted recoveries and determined there was insufficient data to justify plant specific recoveries. The recoveries were removed from the model.

4_6 No repeated failures within a short time interval were noted in the review of the data analysis, but there is no guidance to ensure such failures are counted as single failures.

Resolution: VCSNS will update PSA-05, "Data Update Guideline with Emphasis on Bayesian Updating," to specify that repetitive problems that cause the same failure accumulated in a short time frame should be counted as one failure and one demand. This is a documentation/guideline issue since no examples were identified that do not meet the requirement, and observation 4_6, therefore, does not impact implementation of LAR 15-01424.

1_22, 1_27,1 28, 3_1, 5_2, 1_39, 1_41, 7_2, 1_21, 7_7, 1_22, 1_12, 6_19 The documentation for many of the analyses needs to be updated to meet the ASME/ANS PRA Standard requirements. These are all capture in this line item: System Notebooks : Electric

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 22 of 69 Power, Reactor Protection System, Component Cooling Water, Service Water, Emergency Core Cooling, Emergency Feedwater, Miscellaneous Systems, Reactor Building Cooling, Reactor Building Sprays, Reactor Building Isolation, Other Notebooks: Initiating Events, Accident Sequence, Success Criteria, Dependency, Data, Containment, Quantification Resolution: The documentation was enhanced to be consistent with the ASME/ANS PRA Standard requirements.

3_2 The first execution step for some Type A Human Error Probabilities appear to be inappropriate.

(HR-D4)

Resolution: All the Type A HEPs were reviewed and the execution steps were found to be modeled appropriately. However, during this review, several incorrect THERP values for independent verification were identified. These HEPs have been corrected in the VCSNS model.

3_3 Documentation suggestion: Enhance the design guide for Human Reliability Analysis to provide additional guidance on recovery of pre-initiators. (HR-D7)

Resolution: VCSNS will revise PSA-04, "Human Reliability Analysis," to provide guidance to consider confirmation testing, independent verification, written checklists and daily/shift checks in determining whether to apply recoveries. (During the 2011 assessment it was noted that the controlled copy of PSA-04 had the suggested information 'hand marked-up'; the suggestion is to formalize this in the guideline. This is a documentation issue and does not affect implementation of LAR 15-01424.)

1_44 In general, VCS covers all expected classes of IE. However, all the initiating event categories should be re-reviewed to ensure SR IE-A2 is met. (IE-A2)

Resolution: The initiating event categories were re-reviewed and the Initiating Events notebook was updated to confirm that initiating events are properly dispositioned.

5_1 No documentation of interviews with plant personnel was documented regarding identification of initiating events. (IE-A5)

Resolution: The initiating event notebook was updated to reference the IPE, which documents interface with plant personnel in identifying initiating events to be considered in the model.

1 47

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 23 of 69 The ISLOCA model uses the Variance Method and results in a high LERF. The basis for the ISLOCA method used should be better documented and the LERF results should be evaluated.

(IE C-14)

Resolution: VCSNS updated the ISLOCA model, including documentation and evaluation, to be consistent with the guidance in WCAP-17154-P.

5_3 Grid behavior has radically changed over the past several years, since 2000. The most recent PRA model update does not use the "most" recent data. (IE-C2)

Resolution: VCSNS has updated the Loss of Offsite Power model to use recent data and to incorporate the convolution recovery methodology.

1_45 The initiating event frequency calculations for Steam Line Break Inside Containment and Feed Line Break Outside Containment are possibly incorrect. (IE-C4)

Resolution: VCSNS reviewed the calculations and verified they are correct.

1_46 There is confusion in whether the plant capacity factor is included in the model results. (IE-C5)

Resolution: VCSNS confirmed the plant capacity factor is appropriately accounted for and the Initiating Event Notebook was updated to provide a better description of its inclusion.

8_17 The plant initiating event group is identified, but the scenario-induced failures of SSCs are not.

There is no flooding induced transient or LOCA in this analysis. (IFEV-A1)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes a task for identifying, modeling and quantifying flood induced scenarios. Following model update, IFEV-A1 was re-evaluated (internally) and rated as met at CC-II.

8_18 FILR-IE-A was not met. This Initiating Event analysis did not produce a reasonably complete identification of lEs. (IFEV-A5)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes a complete task for identifying flood initiating events.

Following model update, IFEV-A5 was re-evaluated (internally) and rated as met at CC-I/II/III.

1 56

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 24 of 69 Basis for Significance: Plant specific information for maintenance or pipe condition is not considered in determining flood initiating event frequency. (IFEV-A6)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes a thorough evaluation of flooding initiating event identification and frequencies. Following model update, IFEV-A6 was re-evaluated (internally) and rated as met at CC-II/III.

8_19 Human-induced floods were not accounted for. (IFEV-A7)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes a maintenance-induced flooding component.

Following model update, IFEV-A7 was re-evaluated (internally) and rated as met at CC-I/II.

1_57 Basis for Significance: No IEF is generated for human induced floods. (IFEV-A7)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes a maintenance-induced flooding component.

Following model update, IFEV-A7 was re-evaluated (internally) and rated as met at CC-I/II.

1_58 Basis for Significance: Model uncertainty is not addressed in the Internal Flooding Notebook.

(IFEV-B3)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model notebook includes a discussion on assumptions and sources of model uncertainty. Following model update, IFEV-B3 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_1 As there is little documentation in support of the definition of flood areas (as discussed in IFPP-Al); in addition to this, the walkdowns were only performed for rooms not initially screened out, thus further reducing the level of documentation available in support of the flood area definition.

This SR is judged to be not met. (IFPP-A4)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model documents flood area definitions and walkdowns (in a separate

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 25 of 69 notebook). Following model update, IFPP-A4 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_2 This SR is judged to be not met. While walkdowns were performed and documented, they were limited to rooms not initially screened out and only focused on equipment location and flood sources identification. There is little documentation in the walkdown report of attention being paid to the defining characteristics of the flood area. (SR IFPP-A5)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model documents flood area definitions and walkdowns (in Walkdown notebook). The Flooding notebook documents the room characteristics (room number, floor area, drains, etc.), target components, and flood sources. Following model update, IFPP-A5 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_3 Not met. For example there is no discussion on how the analysis meets the SRs of the standard. (IFPP-B1)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model notebook includes a map to the ASME Standard. Following model update, IFPP-B1 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_22 Not discussed in the Flooding Analysis. (IFQU-A9)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model notebook includes a discussion on quantification and sensitivity analyses. Following model update, IFQU-A9 was re-evaluated (internally) and rated as met at CC-I/II/III.

1_60 Basis for Significance: No discussion of flooding scenarios considered, screened, and retained is found in the Internal Flooding Notebook. (SR IFQU-B2)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model calculation includes a discussion on screening and characterizing flooding scenarios. Following model update, IFQU-B2 was re-evaluated (internally) and rated as met at CC-I/II/III.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 26 of 69 1 61 Basis for Significance: Uncertainty is not documented for Internal Flooding Scenarios/events.

(IFQU-B3)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model quantification and modeling documentation addresses uncertainty. Following model update, IFQU-B3 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_9 Not met. No full propagation path assessed. (IFSN-A1)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model calculation addresses propagation in flooding scenarios.

Following model update, IFSN-A1 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_12 Not met. For example, sump pumps are credited with perfect reliability (IFSN-A13)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. Following model update, IFSN-A13 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_13 No Flood specific HRA is reported. (IFSN-A14)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of FIRA for flooding. Following model update, IFSN-A14 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_14 Not met. The scope is always limited to one flood/area rooms, so there is not enough documentation on the flood source having or not having enough capacity to induce a reactor trip along the rest of the propagation path. (IFSN-A15)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of scenario propagation assessment. Requirement IFSN-A15 has been deleted from the ASME/ANS RA-Sb-2013 Standard.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 27 of 69 8_15 No Flood specific HRA is reported (suspect that Ref. 19 is based on deterministic flood analysis ANS standard, which allows 30 minutes positive identification and isolation. (IFSN-A16)

Resolution: VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of HRA for flooding. Requirement IFSN-A16 has been deleted from the ASME/ANS RA-Sb-2013 Standard.

8_16 No discussion supporting c). Mitigative features not systematically reported (i.e., not beyond generic notes) (IFSN-A17)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of scenario propagation assessment which includes plant design features that can be used to terminate the propagation of flooding. Following model update, IFSN-A17 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_10 There is discussion on plant design features that would terminate or contain flood propagation.

The documentation is not systematically summarized in the walkdowns report. (IFSN-A2)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes performance and documentation of flooding walkdowns. Following model update, IFSN-A2 was re-evaluated (internally) and rated as met at CC-I/II/III.

1_52 Assumption was made that flood termination would occur within 30 minutes for non-major SW floods, rather than considering automatic or operator responses that have the ability to terminate or contain the flood propagation. These assumptions are made in design flooding cafes and not in PRA flooding analysis. (IFSN A3)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update reflects automatic and operator responses that can terminate the flood in accordance with the as-built as-operated plant. Following model update, IFSN-A3 was re-evaluated (internally) and rated as met at CC-I/II/III.

1_53 Basis for Significance: Areas were screened out based on assumption that door and wall failures would not occur. (IFSN-A8)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 28 of 69 includes re-assessment of door and wall failures. Following model update, IFSN-A8 was re-evaluated (internally) and rated as met at CC-II.

1_54 Basis for Significance: Time for equipment is not calculated. Final state is not sufficient to meet this SR. (IFSN-A9)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes re-assessment of flood consequences including spill rate and equipment heights.

Following model update, IFSN-A9 was re-evaluated (internally) and rated as met at CC-I/II/III.

8 11 One reference is mentioned (Ref.19) for maximum elevation in rooms. Need to check how those calculations are performed (e.g., if positive isolation after 30 minutes is considered, those assessments may not be credible in PRA space) (IFSN-A9)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes re-assessment of flood heights and target equipment heights based on the as-built as-operated plant. Following model update, IFSN-A9 was re-evaluated (internally) and rated as met at CC-I/II/III.

1_55 Basis for Significance: Documentation of assumptions for eliminating or justifying propagation pathways, specifically assuming doors do not fail, is weak and shows no justification. Areas were screened out without consideration in determining of flood levels above door failure calculations. (IFSN-B2)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes re-assessment of door failures. Following model update, IFSN-B2 was re-evaluated (internally) and rated as met at CC-I/II/III.

8-5 There is no systematic review of fluid system to define which one is a credible flood source and which one is not. There is no consideration of in-leakage since there is no modeling of propagation paths. (IFSO-A1)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of scenario propagation assessment which includes plant design features that can be used to terminate the propagation of flooding. Following model update, IFSO-A1 was re-evaluated (internally) and rated as met at CC-I/II/III.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 29 of 69 1 51 Basis for Significance: Flooding mechanisms did not address all failure modes listed, such as:

(a) pipes, gaskets, expansion joints, seals, etc. (b) human-induced mechanisms that could lead to overfilling tanks, diversion of flow through openings created to perform maintenance; inadvertent actuation of fire-suppression system. (IFSO-A4)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of flood source identification. Following model update, IFSO-A4 was re-evaluated (internally) and rated as met at CC-I/II/III 8_6 Not met. No considerations of human/induced or maintenance/related flooding. Only flood/spray mechanism is pipe rupture. (IFSO-A4)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The updated VCSNS Internal Flooding model includes maintenance-induced flooding assessments.

Following model update, IFSO-A4 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_7 There is discussion on main characteristics of the flood sources that are modeled; not all requested details are always reported. (IFSO-A5)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of flood source identification and documentation. Following model update, IFSO-A5 was re-evaluated (internally) and rated as met at CC-I/II/III 8_8 Plant walkdowns to support flood sources are performed. In-leakage/propagation path are not followed till the final accumulation point. (IFSO-A6)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes a complete update of scenario propagation assessment which includes plant design features that can be used to terminate the propagation of flooding. Following model update, IFSO-A6 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_23 This SR may essentially be considered met, as the IF assessment is done on a room-by-room basis. Although fire area are used without any further considerations on physical barrier that may or may not be the same for a flood or a fire area (e.g., the presence of a normally open fire damper may make two adjacent rooms essentially one flood area). The walkdown documentation attached to the documentation does not provide significant documentation of

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 30 of 69 physical characteristics for each room (beyond which system piping is routed in the room and which component is there). (IFPP-A1)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes performance and documentation of flooding walkdowns. Following model update, IFPP-A1 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_4 Not met. There is no discussion on model uncertainties associated with plant partitioning phase.

Check PWROG Assumptions and Uncertainties Database. (IFPP-B3)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes reevaluation and documentation of model uncertainties. Following model update, IFPP-B3 was re-evaluated (internally) and rated as met at CC-I/II/III.

8_24 CCI/II. Only spray and submergence is considered. Notice that this will become a CCI only when Addendum B comes out. (IFSN-A6)

Resolution: Due to the numerous Internal Flooding observations, VCSNS performed a complete Internal Flooding Model update following the 2011 self-assessment. The update includes reevaluation and documentation of flooding sources. Following model update, IFSN-A6 was re-evaluated (internally) and rated as met at CC-II/III.

1_49 Various concerns were identified in the ISLOCA model. Treatment of SOKC (State-of-Knowledge Correlation) should be reviewed with respect to WCAP-17154-P "ISLOCA Risk Model", April 2010. (LE-C1)

Resolution: The VCSNS ISLOCA model was updated per the guidance in WCAP-17154-P.

1_50 LERF analysis uncertainty treatment needs improvement. LERF model needs to consider both parameter and model uncertainty. Parameter uncertainty is associated with selection of values used in the PRA model including uncertainties with the containment fragility curve. Model uncertainty includes consideration of the impact of the neglect of human actions and the treatment of DCH, H2, induced SGTR, and other low potential failure modes. (LE-F3)

Resolution: The VCSNS containment model (including uncertainty analysis) was updated to a simplified Level 2 model (previously a containment bypass model) per the guidance in WCAP-16341-P. Sources of uncertainty and assumptions are documented in the Uncertainties and Assumptions notebook.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 31 of 69 1_43 The PSA Update Guideline (PSA-08) does not provide specifics regarding sources for monitoring technology changes. This suggestion recommends adding specific types of industry meetings and conferences to attend and report sources to monitor. (MU-A2)

Resolution: VCS has developed a list of meetings, conferences and document sources to monitor for technology changes. This list will be added to PSA-08. This is a suggested enhancement to the update process and does not impact implementation of LAR 15-01424.

1_32 Accident sequences are not specifically quantified and all sequence logic is not confirmed.

Recommend quantifying each accident sequence separately and confirm the logic is correct and the sequence CDF is reasonable. (QU-A2)

Resolution: Accident sequences were quantified and sequence logic was confirmed correct with reasonable CDF results.

1_42 Uncertainty intervals are estimated based on the parameter uncertainties. State of Knowledge Correlation needs to be addressed in the uncertainties assessment. (QU-E3)

Resolution: To resolve this issue, VCSNS uses correlated data in the CAFTA type code table.

This, combined with the use of the UNCERT tool, ensures the State of Knowledge Correlation is accounted for.

1_34 Dependencies are addressed between post-initiators, but not between pre-initiators. Add the pre-initiator dependency determination to the process of determining HRA dependencies or confirm that dependencies of pre-initiators are not important. (QU-C2)

Resolution: Pre-initiator HEPs were reviewed and those identified as dependent were assigned dependencies in the Human Reliability Analysis.

1_36 Comparison data with other PRA models is old and probably not relevant. (QU-04)

Resolution: VCSNS updated the plant comparison with recent data. The VCSNS PRA data compares favorably with the two 'sister' plants chosen.

1_37 Procedures require a review of non-significant cutsets. No evidence is available to document this review (SR QU-D5)

Resolution: VCSNS completed a review of non-significant cutsets. All of the cutsets reviewed were determined to be reasonable and have physical meaning.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 32 of 69 7_1 Thermal & Hydraulic analyses use a combination of MAAP and TREAT analyses, but the versions of these codes have been updated since the VCSNS runs. Some analyses are based on generic WCAP results. Suggest reexamining all Success Criteria based on latest information available. (SC-B1)

Resolution: VCSNS compared success criteria against that of two plants that use updated codes and were judged to meet the ASME/ANS Standard at CC II. Where significant differences were noted, VCSNS performed a Success Criteria Update using results from updated T&H codes.

1_20 There is no evidence that a comparison of success criteria with similar plants has been done.

Discussions with SCE&G PRA personnel indicate this has not been done. (SC B5)

Resolution: VCSNS performed a success criteria comparison with two similar plants and concluded that the results compare favorably and differences can be explained due to plant design and/or operating differences.

76 There was no evidence of comparison of the VCSNS success criteria to that from similar plants.

Suggest tabulating the VCSNS SC against that for Farley and Harris. (SC B5)

Resolution: VCSNS performed a plant comparison and tabulated the success criteria, comparing VCSNS to the Farley and Harris stations.

7_5 The definition of core damage used for the majority of the success criteria is consistent with that given in Section 1-2 of the Standard and is provided in the VCSNS SC Notebook. However, several of the success criteria use other definitions and this is not succinctly stated except in the actual documentation of the particular SC analysis. Possible Resolution: Suggest that a table be developed showing the definition of core damage used for each SC. (SC-A1)

Resolution: This observation was designated as a "suggestion." VCSNS considers this a documentation-only issue because, as noted in the suggestion, the actual documentation in the Success Criteria analysis provides the required information. The suggestion has no impact on risk applications.

1_19 ATWS UETs are not plant specific. UETs used in the ATWS events should be plant/cycle specific. (SC-B1)

Resolution: VCSNS updated the ATWS model to be consistent with WCAP-15831-P-A.

VCSNS did not convert to plant-specific UETs; instead, the updated ATWS model provides justification for using the generic values chosen.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 33 of 69 6_9 Several component and component failure modes were identified as being screened from the model without meeting the justification specified in SY-A15, SY-A11, SY-B13, SY-A13, and SY-A14. Flow diversion pathways were screened based on relative cross sectional areas rather than pressures/flows and some components were screened based on assumed low failure probabilities rather than quantifications. For all systems, provide quantitative justification for screening components, failure modes, and flow diversion paths from the model.

Resolution: VCSNS has generated updated screening criteria that match the requirements of the standard. Two systems (Emergency Feedwater and Reactor Building Spray) have been re-screened to the new requirements. VCSNS has yet to complete re-screening all of the systems.

Of the two systems that have been re-screened (EFW and Reactor Building Spray), the result is that six manual valves need to be considered for 'plugging' failures, and spurious closure failures need to be added for five motor operated valves. The RPS/ESFAS model has since been updated to include all necessary components and failure modes to meet the Standard, so LAR 15-01524 implementation should not be impacted by this observation.

1_4 Transmitter mis-calibration needs to be modeled for individual analog channels. (SY-A16)

Resolution: VCSNS updated the ESFAS/RPS model to include instrument miscalibration.

6_10 Pre-initiator HEPs were not addressed in individual system notebooks. Reviewers also suggested having all HFE's associated with a particular system in one section of each system notebook. (SY-A16)

Resolution: Each system notebook was updated to include the recommended section and information regarding HEPs.

1_5 Although the RPS is expected to operate early during an event, prior to environmental conditions impacting its ability to function, there are some actuations that occur later in events (such as RWST switchover). It should be confirmed that environmental effects from SSBs do not impact the later actuations of the RPS. (SY-A18)

Resolution: The RPS/ESFAS Notebook was updated to provide confirmation and basis that the subject equipment/functions will not be negatively affected by environmental impacts.

1_7 No documentation exists to document the impact of secondary side breaks on RPS ability to perform its function. (SY-A21)

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 34 of 69 Resolution: The RPS/ESFAS Notebook was updated to provide confirmation and basis that the subject equipment/functions will not be negatively affected by environmental impacts, including those from secondary side breaks.

6_12 No component environmental condition operability calculations are referenced in the system notebooks for CCW and EFW. (SY-A22)

Resolution: The CCW and EFW notebooks were updated to include sections on environmental/spatial dependencies.

6_13 The naming convention used does not define all characters in the basic event, nor does it define gate naming. (SY-A23)

Resolution: VCSNS adopted a new naming convention to be in line with the standard, and incorporated the convention in the PRA model.

6_3 System notebook descriptions do not meet all needed elements. Notebooks should be revised to include sections covering spatial and environmental hazards, operating procedures, and system boundaries. (SY-A3)

Resolution: All system notebooks were updated to include sections on system boundaries, environmental/spatial dependencies and procedures.

6_4 System Notebooks do not document operator and system engineer talk-throughs. (SR SY-A4)

Resolution: System Notebooks were revised to include specific sections documenting operating interviews and system engineer talk-throughs.

1_1 The RPS Notebook does not document that plant system personnel or operators were involved in the notebook review. (SY-A4)

Resolution: The RPS/ESFAS Notebook was updated and includes a section documenting review by plant personnel as well as a summary of how the model is kept current to reflect changes in how the plant is configured and operated.

6_5 System Notebooks do not describe alternate system alignments. (SY-A5)

Resolution: System Notebooks were updated to include a section describing alternate system operations.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 35 of 69 6_6 SY-A6 seems to be met, but special attention needs to be paid to any valves outside the system modeled that may be included as part of a support system transfer. (SY-A6)

Resolution: All system notebooks were updated and this requirement is covered in the sections providing the PRA system boundaries and in the simplified flow diagrams for each system.

6_8 The system notebooks do not reference the component boundaries in the data Notebook. (SY-A8)

Resolution: The system notebooks were updated to reference the Data Notebook in the section which provides the system boundaries.

6_17 Some signals in CCW and EFW are not modeled based on qualitative screening criteria. (SY-A15)

Resolution: VCSNS reviewed the noted signals and updated the RPS/ESFAS model to ensure that the required signals are modeled.

1_10 Event specific actuation signals are not always modeled. Expand the number of actuation signals to address the actual signals expected for the various accidents and system actuations.

(SY-B10)

Resolution: VCSNS updated the RPS/ESFAS model by expanding the number of modeled signals and ensuring the appropriate signals are modeled to meet the standard.

1_11 RPS: Environmental impact on the RPS does not appear to have been addressed. Determine if the RPS can be impacted by high energy line breaks outside the Reactor Building. (SY B-14)

Resolution: The RPS system notebook was updated to document the expected impact on the system from High Energy Line Breaks.

6 11 CCW/EFW: The system notebooks should include a discussion and justification of conditions that once exceeded cause the system to fail. Suggested resolution: The notebooks should include a discussion on Spatial and Environmental Hazards. (SY-B14, SY-A18, SY-A21, SY-B8)

Resolution: All system notebooks were updated to include sections on system boundaries, environmental/spatial dependencies and procedures.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 36 of 69 1_8 RPS Notebook: There appears to be a lack of common cause modeling for some components of the RPS, such as comparators. (SY-B3)

Resolution: The RPS/ESFAS model was updated to include common cause groupings for analog channel comparators.

6_16 CCW/EFW: Engineering analyses were not referenced in system notebooks. (SY-B6)

Resolution: All system notebooks were updated and address this requirement. This is addressed in each system notebook in one of several sections: Transients and Accident Analysis, Alternate System Operation, and Modeling Notes. The engineering analyses referenced are primarily the FSAR for design basis capabilities, design basis documents, and the Success Criteria Notebook for plant specific or best-estimate capabilities.

1_9 RPS Notebook: There is no evidence that spatial and environmental hazards were addressed for RPS. (SY-B8)

Resolution: The RPS system notebook was updated to document the spatial and environmental hazards. Additionally, a section was added to all system notebooks to ensure this is addressed.

6_1 Suggest creating a table to find specific documentation of Accident Sequences to Systems Analysis. (SY-A1)

Resolution: New sections were added to each system notebook to specifically delineate the system's role in the accident sequences model and to provide the model system top event descriptions.

1_3 RPS: Limited representative signals are used in the reactor trip and engineered safety features actuation signals. Identify additional signals to model and add them to the appropriate locations in the PRA model.

Resolution: VCSNS updated the RPS/ESFAS model by expanding the number of modeled signals and ensuring the appropriate signals are modeled to meet the standard.

1_6 RPS Notebook: Maintenance unavailability of analog channels does not appear to be modeled.

Add maintenance unavailability for the analog channels and confirm maintenance unavailability

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 37 of 69 for the slave and master relays and logic cabinets is modeled. Similar checks should be performed for test unavailability. (SY-A19)

Resolution: VCSNS updated the RPS/ESFAS model to meet the standard. Testing and maintenance unavailability is now accounted for in the model for master and slave relays, analog channels, and logic cabinets.

6 2 Suggestion to better document SOPs, AOPs and EOPs and also to document interviews with system engineers and operators in the notebook. (SY-A2)

Resolution: The system notebooks were updated to specifically address these items in each system notebook.

1_17 Suggestion to document information related to system operating experience to the system notebooks and factor it into the assessment as appropriate. (SY-A2)

Resolution: A new section was added to each system notebook to specifically address operating experience.

1_18 RPS Notebook: Not all the RPS tests are listed. In addition, crediting the channel check as the transmitter test interval may not be appropriate, since this surveillance may not be able to identify all transmitter failures, such as, failing as-is. (SR SY-A3)

Resolution: VCSNS updated the RPS Notebook to include a complete listing of RPS tests.

Additionally, VCSNS updated the RPS/ESFAS model and Data Analysis to ensure the requirements of the standard are met. VCSNS credit for channel checks is consistent with implementation guidance in WCAP-14333-P-A.

1_2 RPS Notebook: RPS: Although not explicitly stated, other than test and maintenance alignments there are no other alignments for this system. An explicit statement to this end would be acceptable. (SY-A5)

Resolution: The RPS/ESFAS notebook was updated to incorporate this comment.

Additionally, all notebooks were updated to capture this information.

6_18 CCW/EFW: Support systems were modeled, but it is unclear as to whether or not the inventories of air, power, or cooling were considered. Possible Resolution: Ensure that inventories of support systems were considered in the availability of the support system. (SY-B11)

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 38 of 69 Resolution: VCSNS documented that inventories and support systems were considered in the availability of support systems.

While VCSNS has performed work to address each of the items identified above (and considers their status adequate to support LAR 15-01424 approval and implementation) it should be noted that VCSNS coordinated a peer review of the Internal Events and Internal Flood PRA through the Westinghouse Owner's Group during June 2016. Upon receipt of the final report documenting this review, VCSNS will evaluate the resulting Facts and Observations and update the NRC concerning the impact on LAR-15-01424.

RAI 2

LAR Section 4.6 states that the PRA model is maintained and updated in accordance with VCSNS procedures and has been updated to meet the American Society of Mechanical Engineers (ASME) PRA standard and Regulatory Guide (RG) 1.200, Revision 2, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities" (ADAMS Accession No. ML090410014). Address the following:

i.

Describe the applicable VCSNS PRA maintenance procedures, including configuration control.

ii.

Clarify the version of the ASME PRA standard and RG 1.200 used.

SCE&G Response 2i.

The VCSNS PRA Model is maintained in accordance with NL-126, "Probabilistic Risk Assessment Activities." NL-126 delineates the processes used for maintaining the PRA Model and includes the requirements for configuration control. These processes ensure that VCSNS maintains an as-built, as-operated PRA model of the plant. It also defines the process for tracking issues identified as potentially affecting the PRA model (e.g., due to changes in the plant, errors or limitations identified in the model, industry operating experience, etc.), and for controlling the model and associated computer files.

PRA model updates are defined as comprehensive revisions to the PRA model and the associated documentation to ensure that the model reasonably reflects the current configuration and as-operated condition of the plant. The update process includes a review of plant changes, selected plant procedures, and plant operating and equipment history data to determine the effect of revisions on the PRA model. Additionally, plant specific initiating event frequencies, failure rates and other data-driven parameters are revised as part of the update process. PRA maintenance is typically smaller in scope than updates and consists of the identification and evaluation of new information, and the incorporation of this information into the PRA on an as-needed basis. More extensive maintenance may be performed as an update if a specific application requires refinement of certain parts of the model. PRA maintenance serves to keep the PRA current between PRA updates. NL-126 specifies that both model updates and model maintenance are documented in accordance with ES-412, "Initiation and Control of Design Calculations," and verified in accordance with ES-110, "Review and Verification of Controlled Documents." Design Engineering Guideline PSA-08 "PRA Model Updates," provides more

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 39 of 69 detail concerning the frequency of model updates, how to evaluate the need for an update, how to conduct and document the update, and how to disseminate the results to the plant.

NL-126 provides the convention for naming and archiving the computer files electronically in a location that is backed-up by the Information Systems and Technology Group. PSA-08 provides additional information regarding computer control and maintenance, as well as software testing and deficiency tracking. It should be noted that VCSNS uses the EOOS model to implement the Configuration Risk Management Program. The EOOS model uses the same fault trees and databases as the PRA model. Changes that only impact the EOOS model (no impact on CDF or LERF of the PRA model) can be documented using a PRA Evaluation rather than the calculation program in ES-412. Examples of this are changes to the mapping of components to basic events or changes that are made only to impact EOOS display. These "EOOS-only" changes are required to be captured in the next model update or maintenance (ES-412 calculation). Additionally, while EOOS-only changes are not processed via the calculation program initially, NL-126 specifies that the implementing PRA Evaluation be reviewed per the requirements of ES-110. (ES-110 establishes the process for verification of Controlled Engineering Documents developed by the Engineering Services Group for VCSNS and for the review of other documents developed by Engineering Services or other groups.) VCSNS uses a sequential number for PRA model updates, a sequential letter for PRA maintenance performed between updates and a sequential number for EOOS-only changes, such that the second EOOS-only change following the third maintenance model in the fourth update would be named "4c_2."

2ii.

The VCSNS Internal Events Model has been updated to meet the requirements of Regulatory Guide 1.200, Revision 2, and the ANS/ASME Standards. Specifically, the Internal Events model is maintained to the requirements of ASME/ANS RA-Sa-2009, Part 2 and the Internal Flooding model has been updated to the requirements in ASME/ANS RA-Sb-2013, Part 3.

The 2011 gap assessment referenced in RAI 1 identified the gaps to Regulatory Guide 1.200, Revision 2 and the combined ASME/ANS RA-Sa-2009 standard. VCSNS addressed the gaps by updating the PRA model and, in the process of this update, revised the Internal Flooding portion of the model to meet the ASME/ANS RA-Sb-2013 standard. While it is noted that ASME/ANS RA-Sb-2013 has not been reviewed or endorsed by the NRC, VCSNS considers the Internal Flooding model requirements in the 2013 Standard to better represent the components needed to identify risk vulnerabilities due to flooding.

RAI3:

The LAR includes extending the surveillance frequency for TS 3/4.3.1, Table 4.3-1, "Reactor Trip System Instrumentation Surveillance Requirements," reactor trip system (RTS) function 15, reactor trip on reactor coolant pump undervoltage, and TS 3/4.3.1, Table 4.3-1, RTS function 16, reactor trip on reactor coolant pump underfrequency. The LAR also states that these two functions were not included in the TSTF-411 program.

The NRC staffs safety evaluation report (SER) on WCAP-10271-P-A, dated February 21, 1985 (ADAMS Legacy Library Accession No. 8503010427), states that these reactor coolant pump undervoltage and underfrequency functional units were included in the

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 40 of 69 unavailability models of the WCAP and that the approvals made by the staff in the SER for analogue channels also apply to these functional units. According to the LAR, Topical Report (TR) WCAP-15376-P-A, Revision 1, Section 11, states, in part, that, "These recommendations are applicable to all the signals evaluated in WOG TOP [Westinghouse Owners Group Technical Specification Optimization Program] for both solid state and relay protection systems."

The NRC staff stated in a letter, dated December 20, 2002 (ADAMS Accession No. ML023540534), that the TR is acceptable for referencing in licensing applications to the extent specified and under the limitations delineated in the report and in the associated NRC safety evaluation (SE). Since the LAR is proposing the TSTF-411 TS changes for these two signals, the NRC staffs SE, dated December 20, 2002, for WCAP-15376-P-A limitations and conditions should also be applied to them.

Please provide your evaluation of these two functions (RTS functions 15 and 16) against each of the five limitations and conditions.

SCE&G Response Condition 1 states a licensee is expected to confirm the applicability of the topical report to their plant, and to perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes.

Although Reactor Trip Functions 15 and 16 were not included in TSTF-411, the WCAP-15376-P-A evaluation should be applicable to these two functions due to the justification given in WCAP-14333-P-A. Applicability of RTS Functions 15 and 16 can be justified because WCAP-10271-P-A included these signals. WCAP-14333-P-A then further modified the TADOT intervals using the same justification. WCAP-15376-P-A modifies all TADOT functions modified in WCAP-14333-P-A.

The RTS Functions listed above were included in the evaluations performed to justify the changes in WCAP-10271-P-A. One of the changes justified in WCAP-10271-P-A was the extension of the applicable Surveillance Frequency for RTS Functions 15 and 16 from 1 month to 3 months. The affected Surveillance is called a TADOT.

WCAP-14333-P-A justified extending the bypass test times and Completion Times for the signals included in WCAP-10271-P-A and its supplements, by utilizing a "representative signal approach," in the unavailability analysis that determined the impact of the proposed changes on the signal unavailability. The results of the evaluation of the "representative signals," were representative of all of the signals that were evaluated in WCAP-10271-P-A and its supplements. The bypass test time and Completion Time changes that were justified in WCAP-14333-P-A are identified in Tables 5.1 and 5.2. Note that the maintenance time and interval, and test time and interval values listed are for the "Analog Channels" and are applicable to both COT and TADOT surveillances. The analysis did not distinguish between the two types of tests. This is stated in Section 11 of WCAP-14333-P-A as: "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems" (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 41 of 69 WCAP-15376-P-A justified extending the Surveillance Frequencies and reactor trip breaker bypass test time and Completion Times identified in Tables 4.1 and 4.2. Additionally, WCAP-15376-P-A utilized the "representative signal approach" that was utilized in WCAP-14333-P-A.

One of the changes justified in WCAP-15376-P-A was the extension of the Frequency of the COT from 92 days to 184 days. This change is identified as "Analog Channels" in the "Component Column" of Tables 4.1 and 4.2 of WCAP-15376-P-A. The value of 6 months listed in the "Surveillance Test Intervals," column associated with the "Analog Channel" in Tables 4.1 and 4.2 of WCAP-15376-P-A is applicable to both the COT and the TADOT. There was no intent to exclude the TADOT from the test interval extension to 6 months. Since the applicable TADOT frequencies were justified to be extended from 1 month to 3 months in WCAP-10271-P-A and its supplements, and the changes justified in WCAP-14333-P-A, Revision 1 and WCAP-15376-P-A, Revision 1 are applicable to all of the signals included in WCAP-10271-P-A and its supplements, the extension of the above listed TADOT Frequencies from 92 days to 184 days was also justified by WCAP-15376-P-A. This is stated in Section 11 of WCAP-15376-P-A as "These recommendations are applicable to all the signals evaluated in WOG TOP for both solid state and relay protection systems..." (i.e., all signals evaluated in WCAP-10271-P-A and its supplements).

Therefore, the extension of the TADOT Frequencies from 92 days to 184 days justified in WCAP-14333-P-A and WCAP-15376-P-A are applicable to the RTS Functions 15 and 16 and meet the limitations and conditions for the other TADOT surveillances pertaining to the RTS system functionality.

Additional information on containment failures is provided in response to RAI #4.

Condition 2 states to address the Tier 2 and Tier 3 analyses including risk significant configuration insights and confirm that these insights are incorporated into the plant-specific configuration risk management program.

The objective of the second tier is to provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when equipment is out of service. If risk-significant configurations do occur, then enhancements to Technical Specifications or procedures, such as limiting unavailability of backup systems, increased surveillance frequencies, or upgrading procedures or training, can be made that avoid, limit, or lessen the importance of these configurations.

Restrictions on concurrent removal of certain equipment when an RTB is out of service are identified in the following:

  • The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief, auxiliary feedwater flow (for RCS heat removal),

AMSAC, and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is out of service.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 42 of 69

  • Due to the increased dependence on the available reactor trip train when one logic cabinet is removed from service, activities that degrade other components of the RPS, including master relays or slave relays and activities that cause analog channels to be unavailable should not be scheduled when a logic cabinet is unavailable.
  • Activities on electrical systems (e.g., AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is unavailable.

The objective of the third-tier is to ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. As stated in RG-1.174, "a viable program would be one that is able to uncover risk-significant plant equipment outage configurations as they evolve during real-time, normal plant operation." The third-tier requirement is an extension of the second-tier requirement, but addresses the limitation of being able to identify all possible risk-significant plant configurations in the second-tier evaluation.

These Tier 2 and Tier 3 requirements are addressed with the application of VCSNS Equipment Out of Service (EOOS) risk monitor for the Configuration Risk Management Program as described in the response to RAI #9.

Condition 3 addresses the risk impact of concurrent testing of logic cabinets and reactor trip breaker on a plant-specific basis. VCSNS Solid State Protection System (SSPS) Actuation Logic and Master Relay Testing verify operability of the Reactor Trip Breakers, Reactor Trip System and ESFAS in a single test (one test for each train). (This surveillance tests all of the ESFAS and RTS signals, not just the two items noted above.) The Reactor Trip Bypass Breaker on the applicable train is racked-in during conduct of this test so the function of the Reactor Trip Breaker is unavailable during the test. The LAR proposes extending the STI for this test from monthly to quarterly, so one result of the LAR will be a decrease in Reactor Trip Breaker unavailability due to testing.

The proposed STI extension will result in decreased unavailability (due to testing) of Solid State Protection System (SSPS) components. Because testing of SSPS will be conducted less frequently, it is possible that l&C SSPS components may be unavailable for longer times prior to discovery. The impact of this increased exposure time on SSPS components (such as the logic cabinet) was evaluated in WCAP-15376-P-A and found acceptable.

Condition 4 states to ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P-A, Revision 0 should be confirmed to be applicable to the plant-specific configuration. The simplest approach to show consistency with the human reliability assumptions is to confirm that the key requirements for crediting operator actions credited in WCAP-15376-P-A analysis are met for the plant. Table 3-1 lists the operator actions credited in WCAP-15376-P-A analysis.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 43 of 69 Table 3-1 WCAP-15376-P-A Applicability of the Human Reliability Analysis Operator Action Reactor trip from the main control board switches Reactor trip by interrupting power to the motor-generator sets Insertion of the control rods via the rod control system Safety injection actuation from the main control board switches Safety injection by actuation of individual components Auxiliary feedwater pump start For the two functions 15 (reactor trip on reactor coolant pump undervoltage) and 16 (reactor trip on reactor coolant pump underfrequency) none of the listed operator actions deal specifically with these signals, therefore the model assumptions in WCAP-15376-P-A are confirmed.

As noted in the LAR, Condition 5 (digital upgrade) is not applicable to VCSNS.

RAI 4

Condition 1 in the NRC staffs SE, dated December 20, 2002, limitations and conditions section states:

A licensee is expected to confirm the applicability of the topical report to their plant, and to perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes."

The NRC staffs SE also discusses containment failures in terms of how the TR addressed large early release frequency (LERF):

These values are based on the assumption that the only contributions to LERF would come from containment bypass events and core damage events with the containment not isolated. The contributions from containment failure events are not considered in WCAP-15376-P, Rev. 0 based on the Vogtle PRA and the assumption that Vogtle is representative of all Westinghouse plants.

The LAR disposition for this condition is that, "The WCAP analysis and determination of LERF is based on a large dry containment. VCSNS Unit 1 is a large dry containment; therefore, the results are applicable." This statement only is related to the applicability of the TR.

Please provide a discussion on the plant-specific assessment of containment failures performed and your conclusions regarding design or performance differences that may affect the proposed changes, consistent with Condition 1.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 44 of 69 SCE&G Response WCAP-15376-P-A guidelines specify containment failure modes considered are typical of a large dry containment. Specifically, containment failure modes considered should include containment isolation failure; containment bypasses from Interfacing System LOCA (ISLOCA),

SGTR, and SG tube creep rupture; and containment failure from steam explosion, hydrogen burns, direct containment heating, and containment steam overpressurization. Additionally, significant contributors should be containment isolation failure and containment bypass events.

Table 4-1 shows the LERF model (WCAP-10271-P-A, Supplement 1-P-A) broken down by failure modes.

Table 4-1 LERF Type VCSNS LERF (per reactor operating state year)

VCSNS % LERF Contribution ISLOCA 2.66E-09 4.27%

Spontaneous SGTR (Level 1 Bypass) (tube creep) 4.87E-10 0.78%

TI-SGTR 7.35E-09 11.81%

PI-SGTR 2.59E-08 41.53%

Loss of Containment Isolation 1.29E-08 20.67%

High Pressure Containment Fails Early 0.00E+00 0.00%

Low Pressure Containment Fails Early:

Ex-vessel steam explosion 1.30E-08 20.94%

Low Pressure Containment Fails Early:

(H2 Burns) 0.00E+00 0.00%

Total 6.22E-08 100.00%

The results show that the VCSNS plant evaluated the modes assumed to be affected by WCAP-15376-P-A. No specific guidelines for LERF contribution were given in the implementations.

Flowever, the implementation guidelines state that for large dry containments, the largest contributions to LERF are containment isolation failure and containment bypasses from ISLOCA and SGTR events, excluding tube creep events. Given that these are the dominant contributors for LERF at VCSNS, the performance is considered similar and meets the requirements.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 45 of 69 Additionally, the plant specific containment design has no major design differences as it is neither an ice condenser plant nor a sub-atmospheric design.

RAI 5

As noted in the LAR, Attachment 5, Table 1, WCAP-15376-P-A used a transient frequency of 3.6/year, and the plant-specific frequency is 0.441/year. Please provide justification for the large difference.

SCE&G Response WCAP-15376-P-A implementation guidelines specify that the total transient frequency requiring a reactor trip need to be less than 3.6 events per year. The latest version of the VCS internal event initiating events notebook documents the plant specific frequency calculation for each initiating event type and meets ASME/ANS RA-Sa-2009) standards. For this analysis, the initiating events that required a reactor trip were summed per WCAP-15376-P-A implementation guidelines noted in Table 1, footnote 7 of the guidelines and are listed in the Table 5-1 below.

The calculated frequency of 4.41 E-01/yr was the sum of the transients. This satisfies the implementation guidelines, as 3.6 events per year is the upper threshold value for WCAP-15376-P-A implementation and the 4.41E-01/yr value is more representative of station performance. Furthermore, the frequencies of turbine trip and loss of main feedwater (partial and total) have been significantly reduced since WCAP-15376-P-A was published.

Table 5-1 Initiating Event Basic Event IEF (per reactor operating state year)

Positive Reactivity Insertion

%PRI 3.78E-02 Loss of Reactor Coolant Flow

%RCS 2.44E-02 Total Loss of Main Feedwater Flow

%LMF 3.84E-02 Partial Loss of Main Feedwater Flow

%PMF 2.06E-01 Loss of Condenser

%LOC 3.42E-02 Turbine Trip

%TT 9.26E-02 Primary System Transient

%PST 8.97E-04 Inadvertent Safety Injection Signal

%SIS 3.58E-03 Inadvertent Opening of Steam Valve

%IOSV 2.70E-03 SUM 4.41 E-01

RAI 6

As noted in the LAR, Attachment 5, Table 1, the VCSNS anticipated transient without scram contribution to core damage frequency (CDF) is much less than that assumed in WCAP-15376-P-A. Please explain the difference.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 46 of 69 SCE&G Response WCAP-15376-P-A implementation guidelines specify that ATWS contribution to CDF be less than 1.06E-06/yr. The current VCS internal event model quantification provides a summary of the contributions from each initiating event, including ATWS. This model meets ASME/ANS RA-Sa-2009 standards and is considered appropriate for this requirement. The calculated ATWS contribution to CDF was determined to be 5.29E-08/yr, which is 2.4% of the total CDF (LERF would be even less). This satisfies the requirement of WCAP-15376-P-A implementation guidelines table 1, footnote 8. Note that this is slightly different than the original LAR submitted in December 2015, however the conclusion remains that the plant specific ATWS CDF contribution meets the WCAP-15376-P-A implementation guidelines.

RAI 7

The LAR is proposing a semi-annual surveillance test interval for two plant-specific signals: 6.h, "Suction transfer on low pressure," and 8.a. "RWST [refueling water storage tank] level low-low," as shown in the marked-up Table 4.3.2, "Engineered Safety Feature Actuation System Instrumentation Surveillance Requirements." The NRC staff requested supplemental information in a letter dated February 22, 2016 (ADAMS Accession No. ML16032A170), for its acceptance review of the LAR. The supplemental information request included the following:

Please provide the required plant-specific risk evaluation results and technical justification, as well as the TSTF-411 traveler plant-specific analyses information for these two functions."

The response to the requested information by the licensee, dated March 7, 2016, was not provided in its entirety. Additional information on the technical justification and evaluation results are requested below.

RG 1.200, Section 3.3, "Demonstration of Technical Adequacy of the PRA," states, in part:

There are two aspects to demonstrating the technical adequacy of the pieces of the PRA to support an application. The first aspect is the assurance that the pieces of the PRA used in the application have been performed in a technically correct manner. The second aspect is the assurance that the assumptions and approximations used in developing the PRA are appropriate."

Additional discussion on PRA technical adequacy is provided in RG 1.200.

TR WCAP-15376-P-A provided the technical basis for signals analyzed, and, as stated in the associated NRC staff SE, utilized the Vogtle Electric Generating Plant's PRA model.

Plant-specific signals 8.a and 6.h were not evaluated in WCAP-15376-P-A. Therefore, for signal functions 8.a and 6.h, provide the following PRA technical adequacy information, consistent with RG 1.200, and plant-specific information, consistent with the NRC staffs SE of WCAP 15376 P-A, dated December 20, 2002:

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 47 of 69

a.

Discuss whether these signals and functions are modeled in the PRA. If not, describe the method used for the risk results provided in the response to the NRC staffs supplemental information request.

b.

TSTF-411 extends the surveillance test interval (STI) for instrumentation and control (l&C) components such as analogue channel, master relay, and logic cabinet. However, slave relays are not included in the TSTF-411 STI extensions.

Explain how the necessary l&C components are modeled in the PRA for the functions of these two plant-specific signals. If all necessary l&C components are not included in the PRA model, explain which ones are not included and why the PRA model is technically adequate to support the risk analysis results provided in the supplementary information. If a surrogate method is used to model these function(s), describe the surrogate and why it is technically adequate for this application, including justification for conservatisms or for probabilities assigned to it. Please include in the discussion the PRA modeling of the solid state protection system.

c.

These signals would be required for certain initiating events and would perform functions for the plant response.

i.

Explain how these signals are modeled for the necessary initiating events in the PRA model.

ii.

Explain the expected plant response for these signals and how it is incorporated into the PRA model. Confirm that the plant response of these two signals in the PRA model reflects the as-built, as-operated plant.

iii.

If there is any model incompleteness with respect to these signals and initiating events or plant response in the PRA model, describe the model incompleteness, which is important for the application, and how it was addressed for the risk evaluation results provided in the response to the NRC staffs request for supplementary information.

iv.

If a surrogate method is used to model the function(s) (see part b above),

explain how the surrogate method ensures the initiating events and plant response (see parts c.i and c.ii above) are accounted for in the PRA model.

d.

Describe how common cause failure for these l&C components and functions is incorporated into the PRA model. Describe the method used to evaluate common cause failure for the STI extension.

e.

Explain whether the l&C data for the PRA modeling of the unavailability of these two plant-specific signals uses WCAP-15376-P-A or other data, and discuss why the data is applicable.

f.

Describe the method for calculating the unavailability from the fault exposure time associated with the proposed STI extensions for these two signals. Confirm it is consistent with that given in WCAP-15376-P-A used for calculating signal unavailabilities or identify any differences. Provide a comparison of the unavailability results for the proposed STI extension against the previous STI

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 48 of 69 extension (i.e., from WCAP-10271-P-A). If the l&C components were not included in the WCAP-10271-P-A STI extensions, provide the unavailability results for the proposed STI extension.

g.

The response to the NRC staff request for supplemental information shows an increase in core damage frequency (CDF) and a decrease in LERF for function 6.h, and an increase in CDF/LERF for function 8.a.

i.

Explain why the increase in CDF/LERF for the new signals given in the supplementary information response is low.

ii.

If the decrease in LERF for function 6.h is a calculation-generated result due to algorithmic technique limitations, provide a LERF calculation result that removes the limitations or is a bounding/conservative estimate, and include a discussion on how the LERF was calculated. If this is not the case, explain why the results show a decrease in LERF and an increase in CDF.

iii.

Discuss sources of uncertainty associated with these risk estimates and their importance for the application.

h.

The response to the NRC staff request for supplemental information does not discuss the risk contribution from external events for these two signals. Discuss and include the fire and external events risk analyses in your evaluation of these two functions.

i.

While the LAR shows these two signals are Engineered Safety Feature Actuation System Instrumentation Surveillance Requirements signals, confirm there is no relation to the reactor trip breaker unavailability associated with the STI extension or in performing the STI for the analogue channel operational test. If this is not the case, explain its significance for the application.

j.

If the proposed STI for other l&C components (e.g., logic cabinet) can have a contribution to the risk associated with these two plant-specific signals, explain how the PRA model is capable of evaluating the risk contribution.

If such risk contributions can occur, confirm these contributions are in the risk results reported in the response to the supplemental information or update the results as appropriate.

k.

The limitations and conditions in the NRC staffs SE for the TR WCAP-15376-P-A also apply for these two signals. Provide your assessment of each of the five limitations and conditions.

i.

With respect to Condition 1, discuss your assessment for these two signals if they have a unique impact (not covered in PRA RAI 3) on the plant-specific assessment of containment failures and discuss your conclusions regarding design or performance differences that may affect the proposed changes.

ii.

With respect to Condition 2, LAR Section 4.2, identities Tier 2 restrictions that will be implemented when a reactor trip breaker train

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 49 of 69 becomes inoperable when operating under the proposed completion times. Since these two signals were not part of the TR evaluation in identifying Tier 2 restrictions, consider these two signals in your Tier 2 assessment and determine if any additional Tier 2 restrictions are necessary. Include in your assessment whether testing of these two Engineered Safety Feature Actuation System Instrumentation Surveillance Requirements signals should be avoided, based on Tier 2 risk significance, when a logic cabinet or a reactor trip breaker is inoperable.

iii.

With respect to Conditions 3, 4, and 5, address whether the information provided in the LAR is sufficient for these two signals or provide additional justification for these conditions, as necessary.

SCE&G Response 7a.

The signals are represented in the PRA model by combinational gates (3 of 4 failure logic).

Each channel feeding into the combinational gate includes comparator failure including common cause, loop power supply including common cause, transmitter failure including common cause, slave relays de-energized, common cause miscalibration, maintenance signal processing failure, and input relay failure including common cause.

7b.

EFW Suction Transfer on Low Pressure (6.h)

The modeled signal is represented by four separate channels feeding into a 3 of 4 combination gate. The following components and failures within these channels are modeled: the comparator failure including common cause, loop power supply failure including common cause, EFW suction pressure transmitter failure including common cause, slave relays de-energized, common cause miscalibration of EFW suction header pressure, maintenance signal processing, input relay failure including common cause.

Additionally, universal logic card failure including common cause and safeguard driver card failure including common cause are modeled. Master relay including common cause and ESFAS train unavailable due to maintenance and test are also included.

All necessary l&C components are modeled in the PRA. Therefore, the EFW Suction Transfer on Low Pressure signal is modeled sufficiently for this application.

Automatic Switchover to Containment Sump on RWST Level Low-Low (8.a)

The modeled signal is represented by four separate channels feeding into a 3 of 4 combination gate. The following are modeled within these channels: the comparator failure including common cause, loop power supply including common cause, slave relays de-energized, RWST level transmitter failure including common cause, common cause miscalibration of low-low RWST level, maintenance signal processing failure, and input relay failure including common cause.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 50 of 69 Additionally, universal logic card failure including common cause and safeguard driver card failure including common cause are modeled. Master relay including common cause and ESFAS train unavailable due to maintenance and test are also included.

All necessary l&C components are modeled in the PRA. Therefore, the Automatic Switchover to Containment Sump on RWST Level Low-Low signal is modeled sufficiently for this application.

7ci.

See response to c.ii below.

7cii.

The four channels associated with the 6.h function (Emergency Feedwater suction Transfer on low pressure) are modeled in the PRA model logic. This function propagates through the model logic to provide opening of motor operated valves. These valves are automatically opened via a low level signal (sensed by pressure switches) in the CST, and may be opened by plant operators on the MCB instrumentation panel in the control room in the event the condensate water supply is otherwise unavailable.

The four channels associated with the 8.a function (Automatic Switchover to Containment Sump upon RWST level low-low) are modeled in the PRA model logic. This function propagates through the model logic to provide opening of RHR Sump isolation valves in the event of low-low RWST level to initiate RFIR recirculation.

The model reflects the as-built as-operated plant.

The signals are modeled more for the function they provide rather than for the initiating event. If the initiating event requires this function in response to the initiating event then the function is available for that initiating event.

7ciii.

The signals are modeled in that the various components in the analog channel and ESFAS components are represented. No model incompleteness concerning these signals exists with respect to initiating events or plant responses.

7civ.

No surrogate method has been used to model the two function(s).

7dL Common cause for these signals is incorporated into the PRA model through the use of computer aided fault tree analysis (CAFTA) via the software. Common cause failure basic event groupings are identified and the software generates the appropriate common cause basic events using Multiple Greek Letter (MGL) common cause factors.

7e.

Data for these two signals is taken from WCAP-15376-P-A for the comparator and loop power supply. The master relay data is from WCAP-15376-P-A and data for the input relay is from NUREG-CR-5500, "Reliability Study: Combustion Engineering Reactor Protection System, 198401998." Slave relay and universal logic card data is from WCAP-15376-P-A. Safeguard

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 51 of 69 driver card data is from WCAP-15376-P-A. Pressure sensor and level transmitter data is taken from NUREG/CR-6928, "Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants." All data sources are applicable to this evaluation because they have been used to support the WCAP-15376-P-A analysis.

7f.

Functions 8.a and 6.h were not evaluated generically in WCAP-10271-P-A or WCAP-15376-P-A requiring the need for site specific evaluations to show applicability of these functions to the changes in the Westinghouse Technical Specifications Optimization Program (TOP).

The approach used in WCAP-15376-P-A to justify the proposed CTs and STIs for the RTS and ESFAS is consistent with the guidance outlined in Regulatory Guides 1.174 and 1.177. The plant specific risk-informed analysis performed to implement WCAP-15376-P-A, Revision 1 was performed in accordance Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis," and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-making:

Technical Specifications."

The specific analog channel basic event probabilities of the these signals in the probabilistic risk assessment (PRA) base model were taken to be based upon the three-month operational testing. To represent the change in operational testing to six-months, these analog channel basic event failure probabilities were conservatively doubled. In addition, no credit has been taken for the reduced amount of time that the components may be unavailable due to increased test interval. These functions are tested in the "bypassed" condition (i.e., only one channel tested at a time during analog channel operability testing). This removes the bypassed channel's output to the actuation logic. Therefore, a function that is normally a 2 of 4 coincidence logic becomes a 2 of 3 coincidence logic. Per RG 1.177, regular surveillance testing of a component, as performed for safety system components, is considered to influence its performance. Generally, for most components, the increase of a surveillance interval beyond a certain value may reduce the component's performance (i.e., increase the failure rate).

Associated common cause was addressed via the computer aided fault tree analysis (CAFTA) software used in this analysis.

The CDF and LERF were then re-quantified and these new values used to determine the change in risk from the three-month to the six-month change in operational testing. The change in risk is acceptable based upon RG 1.174 limits.

7gi.

Only the basic events identified within the analog channel were changed to reflect the change in STI. Both of these functions use 2 of 4 actuation logic circuitry which, per the TOP analysis noted in WCAP-10271-P-A, results in a minor contribution to signal unavailability. Therefore, the resultant small increase in CDF/LERF is as-expected.

7gii.

The change in LERF for function 6.h is reported as a negative number. This is due to post-processing treatment by the PRA software tool in very low cutsets, and has negligible impact on the calculation.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 52 of 69 LERF quantification has decreased when going from the three-month to the six-month case.

During removal of common cause and re-application of common cause via the CAFTA software, small changes sometimes occur in lower cutsets. In the six-month LERF cutset (in comparison to the LERF Base (three-month) cutset) there are differences in scenario composition near cutset #476. Two cutsets with common cause basic events appear in the LERF Base (three-month) cutsets file that do not appear in the LERF (six-month) cutset file and these additional cutsets result in the difference. The differences are negligible and do not affect the conclusions of the analysis.

7giii.

To represent the change in operational testing of the analog channel to the six-month test interval, the analog channel basic event probabilities were conservatively doubled from the three-month probabilities. Additionally, all other basic events modeled within the signal path have their individual data uncertainties based upon data sources from where they were derived.

This is considered realistic and should not be a source of detrimental uncertainty. There are no additional sources of uncertainty to account for in this application.

7h.

Fire:

Subsection 3.3.2.3 of NUREG-1742, "Perspectives Gained from the Individual Plant Examination for External Events (IPEEE)," Volume 1 discusses the dominant contributors from fire vulnerability assessments based on the results of IPEEE assessments. These studies have determined that the dominant fire scenarios are those which result in a plant transient. The plant transients identified include loss of feedwater, main steam isolation valve (MSIV) closure, loss of offsite power (LOOP), and loss of support system transients. The loss of support system events include loss of alternating current (AC) and direct current (DC) electrical buses, loss of cooling water systems, loss of instrument air, and loss of heating, ventilation, and air conditioning systems.

Fire events typically cause a reactor trip and compromise safety-related equipment needed to mitigate the plant event. As noted above, the events that typically result from fires are loss of feedwater, MSIV closure, LOOP, and loss of support system transients. The loss of feedwater, MSIV closure, and LOOP events require removal of decay heat, continued cooling the reactor coolant pump (RCP) seals, and plant shutdown. Decay heat removal can be provided by recovery of the main feedwater system, automatic or manual actuation of auxiliary feedwater system (AFW), or manual actuation of feed and bleed. The AFW pumps are actuated by the ESFAS signals, AMSAC or operator action. Fire-induced loss of main feedwater results in the emergency feedwater start which can be considered a success strategy. Function 6h only has impact on EFW source availability.

A LOOP will be caused by fires in the switchyard and possibly by fires in the electrical buses.

LOOP mitigation requires the start of the diesel generators (DGs). Signals to perform this action are not impacted by the proposed STI change. Following start of the DGs, decay heat removal is required, and the functions in question have no impact on starting the mitigation equipment.

Therefore, the proposed change should have no impact on plant risk related to fire-induced LOOP events.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 53 of 69 Fire-induced loss-of-coolant accidents (LOCAs) were considered by plants, but were generally found not to be important with the exception of RCP seal LOCAs. LOCAs related to spurious opening of power operated relief valves or safety relief valves were generally not identified as significant contributors to fire-induced plant risk. The lone exception to this was RCP seal LOCAs related to loss of support systems, such as, service water and component cooling water.

Loss of service water and loss of component cooling water events require manual recovery of systems or manual alignment and actuation of backup systems. Since the recovery actions required manual operation of components, operator actions dominate these events and the subject signals play no role in mitigation of RCP-seal LOCAs caused by loss of these support systems due to fire events. As such, it is concluded that the risk impact of the proposed change related to fire-induced loss of service water and component cooling water support systems is negligible, even though function 8a does impact the RCP seal LOCA and spurious valve LOCA response once the RWST empties by providing an alternate makeup source; the operator actions (as noted) would dominate.

In this analysis, only the analog components' probabilities have been doubled to reflect changing the STI from 3-months to 6-months. For these signals (EFW Suction Transfer on Low Pressure and Automatic Switchover to Containment Sump on RWST Level Low-Low), there are four separate channels feeding into a 3 of 4 combinational gate. A fire would have to take out three of four channels and the corresponding ESFAS portion of the signal path to completely eliminate these signals from being used to open appropriate valves and this is deemed to be a low probability event that would result in an insignificant increase in CDF or LERF due to fire.

The extended STI for these signals have been shown to be negligible risk increase (for internal events), and since fires do not cause any greater reliance on these functions, fire impact is acceptable also. Additionally, per NUREG-6850, tanks are not made unavailable due to fires.

Furthermore, functions 6.h and 8.a are not risk-important in the VCSNS Fire PRA.

There is no increased reliance on these two functions for fire events (compared to their importance during internal events, which the WCAP showed negligible increase in CDF/LERF).

Seismic:

Subsection 2.3.1.3 of NUREG-1742, Vol. 1 discusses the dominant contributors from seismic PRA models and weak links from seismic margin assessments. These studies have identified that the most frequently observed failures are related to offsite power, electrical system components, emergency DGs, and DC batteries. Frequently observed failures included block walls; auxiliary, turbine, and control room buildings; service water system; component cooling water system; auxiliary feedwater system; residual heat removal (RHR) system; condensate storage tank; and pump house/pump intake structure. These failures can result in plant transient events and LOOP events that need to be mitigated, but they do not cause LOCAs, Steam Generator Tube Ruptures (SGTRs), or secondary side breaks (SSBs), although loss of service water or component cooling water can lead to loss of RCP seal cooling and, therefore, an RCP seal LOCA.

Seismic events can cause a range of plant events depending on the seismic event level. At the high end of the spectrum, a seismic event can potentially cause LOCA or SSB events, with mitigation equipment failures. At the low end of the range, seismic events can cause LOOP and transient events without mitigation equipment failure. Above this low end, a seismic event can

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 54 of 69 cause loss of support systems and small LOCAs, or reactor coolant leaks due to instrument tube failures.

Considering the high end of the range, the frequencies of such events are extremely low and can be associated with seismically-induced failures of the mitigation systems, such as the emergency core cooling system (ECCS). The low frequency of these events coupled with the distinct possibility of failure of mitigation equipment leads to the conclusion that the proposed increase in test interval of the functions will have negligible impact on plant risk from this level of seismic events. In addition, the information presented in NUREG-1742, Volume 1 indicates that seismically-induced LOCAs have not been identified as an issue.

Small LOCAs can occur due to pipe breaks and other reasons, such as, failure of instrument lines. It may be possible for a seismic event of an appropriate magnitude to cause a small LOCA via instrument line failure, and not impact the mitigation systems. However, instrument line failures were not found to be a failure issue related to seismic events; therefore, the proposed change should have no impact on the risk from seismically-induced small LOCAs.

The failure of some major tanks contributes approximately 11% to core damage. The tanks involved are the CCW surge tank, the condensate storage tank (CST), the refueling water storage tank (RWST), and the chiller tank for emergency chillers. If a seismic event caused the RWST to fail (making an alternate source desirable), function 8a would not be available (before or after the LAR approval) because the inventory would not make it to the sump.

The two functions address alternate sources for the EFW and RWST. The extended STI for these signals have been shown to be negligible risk increase (for internal events), and since these functions combined with operator actions only serve to provide a success strategy for the EFW and RWST, the seismic contribution of the functions is acceptable.

Based on the above discussion, it is concluded that the proposed changes will not have an impact on plant risk related to seismic events.

Other External events:

Other external events include high winds, external floods, and events such as aircraft crashes and transportation and nearby facility accidents. As reported in NUREG-1742, Volume 1, the typical dominant sequences associated with high winds involved LOOP with random failure of emergency AC power. Other random failures, as reported in the NUREG, include loss of service water, auxiliary feedwater, feed and bleed cooling, and high pressure injection. None are specifically related to these functions. As discussed in the seismic events assessment, during a LOOP event, it is not necessary to generate a reactor trip signal in the RPS to trip the plant. As such, it is concluded that there is no risk impact of the proposed change related to high winds.

The dominant sequences associated with external floods involve LOOP which is assumed to be irrecoverable. Again, it is not necessary to generate a reactor trip signal in the RPS to trip the plant during a LOOP event. Therefore, it is concluded that there is no risk impact of the proposed change related to external flooding.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 55 of 69 No other external events were identified that could lead to events in which the functions would be required for mitigation.

In conclusion, this change extends the interval between surveillances and there is nothing specific to external events that make the changes to these signals more (or less) important.

Therefore, the results of the analysis which shows negligible impact for internal events (which doubled the signal failure rates) is applicable to external events impact.

7i.

There is no relation between the Reactor Trip Breaker unavailability and Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functional Units 6.h (EFW Suction Transfer on low pressure) and 8.a (RWST level low-low) surveillances except that VCSNS Solid State Protection System (SSPS) Actuation Logic and Master Relay Testing verifies operability of the Reactor Trip Breakers, Reactor Trip System and ESFAS in a single test (one test for each train).

(This surveillance tests all of the ESFAS and RTS signals, not just the two items noted above.)

The Reactor Trip Bypass Breaker on the applicable train is racked-in during conduct of this test so the function of the Reactor Trip Breaker is unavailable during the test. The LAR proposes extending the STI for this test from monthly to quarterly, so one result of the LAR will be a decrease in Reactor Trip Breaker unavailability due to testing.

Functional Units 6.h and 8.a provide alternate inventory sources for ESFAS functions and are independent of the Reactor Trip System. There is no relation between Reactor Trip Breaker unavailability and the Analog Channel Operational Tests for the two ESFAS functional units.

The Reactor Trip Breakers remain available throughout these operational tests.

7j-The proposed STI extension will result in decreased unavailability (due to testing) of Solid State Protection System (SSPS) components. Because testing of SSPS will be conducted less frequently, it is possible that l&C SSPS components may be unavailable for longer times prior to discovery. The impact of this increased exposure time on SSPS components (such as the logic cabinet) was evaluated in WCAP-15376-P-A and found acceptable.

ESFAS Functional units 6.h and 8.a are 2 of 4 coincidence functions and are independently modeled in the VCSNS PRA. To ensure that the total risk contribution of the STI extension for these two signals was considered, the failure rates for the two functions were conservatively doubled (i.e., for each of the four channels associated with each functional unit, the failure rates for each loop power supply and bistable were doubled) to obtain the risk results reported in the supplemental information provided for this LAR. Additionally, no credit was taken for the risk reduction due to increased functional unit availability resulting from the extended STI. It is judged that doubling the failure rates (as described above) and not crediting decreased unavailability is adequate to encompass the overall risk due to the proposed STI.

7ki.

Condition 1 states a licensee is expected to confirm the applicability of the topical report to their plant, and to perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes.

Functional Units 6.h and 8.a provide alternate inventory sources for ESFAS functions and are independent of the Reactor Trip System. Containment failures typically considered in PRA

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 56 of 69 include containment isolation failure, containment bypasses from ISLOCA, SGTR, and SG tube creep rupture; and containment failure from steam explosion, hydrogen burns, direct containment heating, and containment steam over pressurization. The significant contributors to LERF for large dry containment and sub atmospheric designs are typically containment isolation failure and containment bypasses not alternate inventory sources. This leads to the conclusion that the two signals do not have a unique impact on containment failures.

Additional information has been provided in response to RAI #4.

7 k i i.

There is no relation between the Reactor Trip Breaker unavailability and Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functional Units 6.h (EFW Suction Transfer on low pressure) and 8.a (RWST level low-low) surveillances except that VCSNS Solid State Protection System (SSPS) Actuation Logic and Master Relay Testing verifies operability of the Reactor Trip Breakers, Reactor Trip System and ESFAS in a single test (one test for each train).

(This surveillance tests all of the ESFAS and RTS signals, not just the two items noted above.)

The Reactor Trip Bypass Breaker on the applicable train is racked-in during conduct of this test so the function of the Reactor Trip Breaker is unavailable during the test. The LAR proposes extending the STI for this test from monthly to quarterly, so one result of the LAR will be a decrease in Reactor Trip Breaker unavailability due to testing.

Functional Units 6.h and 8.a provide alternate inventory sources for ESFAS functions and are independent of the Reactor Trip System. There is no relation between Reactor Trip Breaker unavailability and the Analog Channel Operational Tests for the two ESFAS functional units.

The Reactor Trip Breakers remain available throughout these operational tests, thus no additional Tier 2 restrictions are necessary.

7kiii.

Condition 3 addresses the risk impact of concurrent testing of logic cabinets and reactor trip breaker on a plant-specific basis. There is no relation between the Reactor Trip Breaker unavailability and Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functional Units 6.h (EFW Suction Transfer on low pressure) and 8.a (RWST level low-low) surveillances except that VCSNS Solid State Protection System (SSPS) Actuation Logic and Master Relay Testing verifies operability of the Reactor Trip Breakers, Reactor Trip System and ESFAS in a single test (one test for each train). (This surveillance tests all of the ESFAS and RTS signals, not just the two items noted above.) The Reactor Trip Bypass Breaker on the applicable train is racked-in during conduct of this test so the function of the Reactor Trip Breaker is unavailable during the test. The LAR proposes extending the STI for this test from monthly to quarterly, so one result of the LAR will be a decrease in Reactor Trip Breaker unavailability due to testing.

Functional Units 6.h and 8.a provide alternate inventory sources for ESFAS functions and are independent of the Reactor Trip System. There is no relation between Reactor Trip Breaker unavailability and the Analog Channel Operational Tests for the two ESFAS functional units.

The Reactor Trip Breakers remain available throughout these operational tests.

The proposed STI extension will result in decreased unavailability (due to testing) of Solid State Protection System (SSPS) components. Because testing of SSPS will be conducted less frequently, it is possible that l&C SSPS components may be unavailable for longer times prior to

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 57 of 69 discovery. The impact of this increased exposure time on SSPS components (such as the logic cabinet) was evaluated in WCAP-15376-P-A and found acceptable.

Condition 4 states to ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P-A, Revision 0 should be confirmed to be applicable to the plant-specific configuration. The simplest approach to show consistency with the human reliability assumptions is to confirm that the key requirements for crediting operator actions credited in WCAP-15376-P-A analysis are met for the plant. Table 7-1 lists the operator actions credited in WCAP-15376-P-A analysis.

Table 7-1 WCAP-15376-P-A Applicability of the Human Reliability Analysis Operator Action Reactor trip from the main control board switches Reactor trip by interrupting power to the motor-generator sets Insertion of the control rods via the rod control system Safety injection actuation from the main control board switches Safety injection by actuation of individual components Auxiliary feedwater pump start For Functions 6.h (EFW Suction Transfer on low pressure) and 8.a (RWST level low-low), none of the listed operator actions deal with these signals, therefore the model assumptions in WCAP-15376-P-A are confirmed.

To assess the impact of increasing the AOTs and STIs associated with the RWST and CST Switchover functions for WCAP-10271-P-A implementation, VCSNS examined the ESFAS configuration for the two functions (analog channel logic and process circuitry, logic cabinet circuitry, master and slave relay configurations, switchover procedures and analog channel test configurations) and compared them to functions that were specifically analyzed in WCAP-10271 -P-A to show that the results of WCAP-10271 -P-A are applicable. Specifically, the RWST Switchover design and function was compared to an auxiliary feedwater pump start on low steam generator level, and the CST Switchover design and function was compared to the ESFAS pressurizer pressure channel and the auxiliary feedwater pump start on low steam generator level. The results of this review showed that the impact of implementing the TOP AOT and STI requirements on RWST and CST switchover were conservative when compared to the impact of the functions that were specifically analyzed in the WCAP-10271-P-A analyses.

Contributors to this result included the following: First, the analog channel operability tests for these two functions were conducted with the channels in the tripped condition instead of bypassed as modeled in WCAP-10271-P-A (both of these functions use 2 of 4 actuation logic circuitry which the TOP analyses noted as resulting in a minor contribution to signal unavailability). It should be noted that VCS now tests the analog channel operability in the bypassed condition, consistent with WCAP-10271-P-A. Secondly, the procedural direction includes operator action to back-up both automatic functions (and the RWST switchover requires an operator action to complete the swap).

As noted in the LAR, Condition 5 (digital upgrade) is not applicable to VCSNS.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 58 of 69 Based upon the above discussions no additional justification is necessary for conditions 3, 4, or 5 on the two functions EFW Suction Transfer on Low Pressure (6.h) and Automatic Switchover to Containment Sump on RWST Level Low-Low (8.a).

RAI 8

The LAR notes that the licensee has developed and implemented the guidance in the configuration risk management program (CRMP) at VCSNS; however, the LAR does not conclude that the CRMP meets the guidance in RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," August 1998 (ADAMS Accession No. ML003740176). Explain how the CRMP meets RG 1.177, Section 2.3.7.2, "Key Components of the CRMP."

If there are key component areas that have not been satisfied for the CRMP, discuss them and your plans to address them.

SCE&G Response The VCSNS Configuration Risk Management Program (CRMP) meets the requirements in Regulatory Guide 1.177. A discussion of the four Key Components of RG 1.177 is provided below.

Key Components 1 and 3: (Implementation of CRMP) and (Level 1 Risk-Informed Assessment)

VCSNS utilizes the Equipment Out of Service (EOOS) risk monitor for the Configuration Risk Management Program. EOOS uses the same fault trees and database as the internal events PRA model, so it is fully capable of evaluating CDF and LERF risk for internal events.

The main difference between the internal events PRA model and EOOS is that, whereas the internal events model uses yearly average values for maintenance and testing, EOOS assumes zero maintenance and testing (the EOOS user inputs testing/maintenance 'real-time' as the plant configuration changes). The provisions of 10CFR50.65(a)(4) are implemented at VCSNS by using EOOS for scheduling and implementation of planned maintenance as well as during emergent conditions.

SAP-208, "Integrated Risk Assessment," OAP-102.1, "Conduct of Operations Scheduling Unit," SSP-001, "Planning and Scheduling of Maintenance Activities," and SAP-157, "Maintenance Rule Program," are used to implement the CRMP at VCSNS. SAP-208 defines the overall risk management program at VCSNS. OAP-102.1 provides guidance to the Operations Scheduling group and Operators in the Control Room for using EOOS to schedule, monitor, and manage the risk of activities, whether planned or emergent. SSP-001 is used by the schedulers and Work Week Managers to manage the risk of the activities in the planned work schedule. SAP-157 establishes the Maintenance Rule at VCSNS and provides a description of the program.

When maintenance or testing is scheduled on a Reactor Trip Breaker (RTB) train or RTS/ESFAS instrumentation associated with this LAR, the Operations Scheduling group and

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 59 of 69 the Work Week Management group will perform risk analyses using the EOOS program.

These analyses will ensure that risk significant configurations are evaluated and the resulting risk insights are incorporated during the scheduling process. Configurations that meet specified thresholds for instantaneous Core Damage Frequency or Large Early Release Frequency require higher levels of approval or may not be allowed, depending on the risk associated with the activity. Additionally, the scheduling tool in the EOOS program will be revised to 'flag' the specific Tier 2 conditions to be avoided when an RTB train is unavailable and procedures will be revised to ensure such configurations are avoided.

For unplanned entries into the Technical Specification Action Statements for RTBs or RTS/ESFAS instrumentation associated with this LAR, Control Room personnel will enter the configuration into the EOOS program to assess and manage the risk of the emergent condition. Likewise, if VCSNS is in an Action Statement associated with this LAR and additional components become unavailable, the configuration will be evaluated using EOOS and risk will be managed accordingly. Additionally, the operations tool in the EOOS program will be revised to 'flag' the specific Tier 2 conditions to be avoided when an RTB train is unavailable and procedure(s) will be revised to ensure the configuration is managed as described in the proposed Technical Specification Bases 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation."

Key Component 2: Control and Use of the CRMP Assessment Tool VCSNS PRA personnel monitor and assess plant modifications and procedure changes to determine if the PRA model (and, therefore, EOOS) needs revision. VCS-SAP-139, "Document Review and Approval Process," requires PRA review of all changes to Emergency Operations Procedures (EOPs), Abnormal Operating Procedures (AOPs) and Severe Accident Management Guidelines. Additionally, the PRA Principle Engineer is a member of the Principle Engineer Review Group and reviews proposed modifications for impact on the PRA model. Procedure NL-126, "Probabilistic Risk Assessment Activities,"

directs the PRA Model update process and requires review of changes to EOPs, AOPs, System Operating Procedures, and plant modifications since the previous update be evaluated for inclusion. Additionally, PSA-08, "PRA Model Updates," provides guidance for determining when updates are required and specifies that an evaluation of the need for a PRA update is performed every cycle, but if plant modifications or changes result in an estimated 25% (or greater) increase in CDF or LERF an immediate update is warranted.

Such an update will be performed as soon as practical consistent with the required change importance and the applications being used.

OAP-102.1 recognizes there are limitations in EOOS and specifically directs consideration of external events and site activities that can result in significant plant events. Such conditions are evaluated in EOOS through multiplication of initiating event frequencies. Additionally, OAP-102.1 specifies that EOOS users should be licensed plant operators because knowledge of the EOPs is necessary to ensure equipment availability is properly accounted for and because judgment is needed to determine whether conditions exist that increase the likelihood of plant transients.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 60 of 69 Key Component 4: Level 2 Issues and External Hazards Refer to the response to RAI 9i for a discussion on Level 2 and External Hazards.

RAI 9

The LAR does not describe the CRMP model. Therefore:

i.

Describe your CRMP model, including its capability to evaluate internal events, fire, external events, and LERF issues. If certain events are not in the model, describe how the Tier 3 analysis will evaluate them.

ii.

Explain whether all the proposed signals and functions for the proposed TS changes in the LAR can be evaluated with the CRMP model. If not, describe the limitations and how the limitations are addressed for the CRMP evaluation.

iii.

If surrogates are used, describe all surrogates and provide justification for their use in a CRMP evaluation.

SCE&G Response 9i.

VCSNS utilizes the Equipment Out of Service (EOOS) risk monitor for the Configuration Risk Management Program. EOOS uses the same fault trees and database as the internal events PRA model, so it is fully capable of evaluating CDF and LERF risk for internal events.

The main difference between the internal events PRA model and EOOS is that, whereas the internal events model uses yearly average values for maintenance and testing, EOOS assumes zero maintenance and testing (the EOOS user inputs testing/maintenance 'real-time' as the plant configuration changes). The provisions of 10CFR50.65(a)(4) are implemented at VCSNS by using EOOS for scheduling and implementation of planned maintenance as well as during emergent conditions.

The EOOS PRA model does not evaluate the risk of fire numerically. Instead, when equipment needed to safely shut the plant down during a fire is removed from service, EOOS notifies the user to take action to raise awareness of the fire vulnerability, limit the time the plant can remain in the vulnerable configuration, and take Risk Management Actions when required. These steps are taken as part of the VCSNS Fire Equipment Procedure Risk program to meet the guidance in NUMARC 93-01 Revision 4A, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." The FEP Risk program considers equipment removed from service for planned maintenance, emergent work and testing.

External events such as high winds and seismic activity are not explicitly included in the VCSNS EOOS program. However, the 'activities' feature in EOOS is used to evaluate the increase in risk for tornado and hurricane watches or warnings by multiplying the Loss of

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 61 of 69 Offsite Power initiating event frequency. Administrative procedures are used to limit risk associated with items which can impact external events but are not explicitly modeled in EOOS such as snubbers for seismic concern and potential missiles during high winds.

When a particular activity or failure results in a component's seismic qualification failing, the component is declared inoperable and considered unavailable in EOOS, or a surrogate is used to evaluate its risk impact. An example of this is use of a lift device over an Emergency Diesel Generator (EDG) for replacing light fixtures (or other work). Because the lift is not seismically qualified, the EDG is declared inoperable. The EOOS activity "MAN LIFT EDG" is entered in EOOS and mapped to an EDG failure rate ten times the normal value to account for the potential increased unavailability should the lift fail during a seismic (or other) event.

9ii.

Not all of the signals affected by the LAR are modeled in the VCSNS PRA. Reactor Trip signals are modeled for Low-Low Steam Generator Level and High Pressurizer Pressure.

Safety Injection signals for Low Pressurizer Pressure, Low Steam Line Pressure and High Containment Pressure are modeled. Turbine Trip and Feedwater Isolation are modeled on High -High Steam Generator Level. ESFAS signals for Reactor Building Spray, Containment Isolation (Phase A and B), EFW Swap-over to Service Water, Low-Low RWST Level Swap-over to Reactor Building Sump are specifically included in the PRA model. For Reactor Trip signals that are modeled, the function is modeled from the sensors/detectors through the Reactor Trip and Bypass Breakers. For ESFAS modeling, components are analyzed from the sensors/detectors through the slave relays or the output steps of the Engineered Safeguard Features Loading Sequencer (ESFLS).

For the components modeled in the PRA, the CRMP (EOOS) can be used to determine the risk impact of unavailability. In the case of some transmitters, even if a specific reactor trip or safety injection signal from that component is not explicitly modeled, VCSNS has evaluated the component and assigned surrogate values for their unavailability (e.g.,

Reactor Trip or Safety Injection initiating event frequency increased by a factor of two). (This use of surrogate initiating event mapping is also used for surveillance tests that have an impact on the plant.) Multiplying initiating event frequencies (Reactor Trip or Safety Injection) is a valid surrogate for failed RPS/ESFAS signals because VCSNS procedures require the protection bistables for such failures to be placed in the tripped (conservative) condition. (Or, in the case of many surveillances, the affected bistables are placed in the tripped condition.)

However, while formulating the response for this RAI, it was noted that 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> may elapse from the time the analog channel input is failed until the bistables are tripped, during which time use of the surrogate in EOOS is non-conservative. Additionally, it was noted that improved guidance is needed to ensure potential failures in RPS/ESFAS are appropriately addressed in EOOS. The VCSNS risk management procedure and EOOS program will be updated similar to the following regarding failures of RPS/ESFAS components:

  • If an analog channel that provides input to RPS/ESFAS is failed (transmitter, loop power supply, etc.), the impact on risk due to loss of that signal must be determined

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 62 of 69 by removing the affected component from service in EOOS. (For those inputs not explicitly modeled in EOOS, VCSNS will assign surrogate inputs and map them to those components. See the response to RAI 9iii for information on the surrogates.

This requires a change to EOOS.)

  • If more than one analog channel with inputs to RPS/ESFAS has failed, the configuration should be treated as an emergent Elevated Risk level until the protective bistables for all but one analog channel are placed in the 'tripped' condition. (The EOOS risk calculation for failed channels with bistables not in the

'tripped' condition may only be representative when a single channel is affected, depending on which multiple channels are failed.)

  • Once the affected bistables are placed in the tripped condition, the affected instrument entry in EOOS with 'tripped b/s' should be selected. (This requires a change to EOOS.)
  • If a subcomponent of the RPS/ESFAS Panel (Undervoltage Driver Card, Universal Logic Card, Safeguard Driver Card, etc.) is failed, that train's SSPS Panel should be removed from service in EOOS. Note the restrictions in Technical Specifications Bases 3/4.3.1 and 3/4.3.2 (Reactor Trip and Engineered Safety Feature Actuation System Instrumentation) from WCAP-14333-P-A and WCAP-15376-P-A that apply when a logic train or Reactor Trip Breaker train is unavailable.

Implementation of the above guidance will ensure the risk of failed RPS/ESFAS components is appropriately managed by the VCSNS CRMP.

9iii.

As noted above, VCSNS uses initiating event multipliers as surrogates when inputs to RPS/ESFAS are in their tripped condition. Additionally, VCSNS will assign surrogate events in EOOS for signals not modeled in the VCSNS PRA. (Alternately, VCSNS may choose to explicitly model the inputs in lieu of using surrogates.) For analog channels which provide input to Reactor Trip signals (and that are not already explicitly modeled), a Pressurizer Pressure channel will be used as the surrogate. This is conservative because the Pressurizer Pressure Reactor Trip signal occurs with a coincidence of 2 of 3, such that any other single input failure would be calculated in EOOS as failed reactor trip function. This treatment is also conservative from an EOOS calculation perspective in that the Pressurizer Pressure channels also feed Safety Injection logic, so the impact of a failed channel which only inputs to Reactor Trip will show higher than actual risk.

The following surrogate signals will be added to the VCSNS CRMP for analog channels which provide input into ESFAS functions:

  • The Safety Injection signal due to High Steam Line APressure (2/3 coincidence) is not modeled. A Pressurizer Pressure Channel will be used as a surrogate for this function. This signal is appropriate because it provides the 2/3 coincidence for Safety Injection, and will also conservatively include the effect of this channel on the Reactor Trip signal.
  • Main Steam Line Isolation is currently modeled for Low Steam Line Pressure (2/3 coincidence) but isolation on High Steam Flow in two steam lines coincident with

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 63 of 69 Low-Low Reactor Coolant System average Temperature is not modeled. To address this, a Steam Line Pressure channel will be assigned as a surrogate for the temperature and flow channels which input to Steam Line isolation. This treatment is conservative because, in addition to the Steam Line Isolation impact, the surrogate will also impact the Safety Injection input from Steam Pressure.

  • Likewise, Main Steam Line Isolation is currently modeled for Low Steam Line Pressure (2/3 coincidence) but isolation on Reactor Building Pressure-High 2 (2/3 coincidence) is not modeled. To address this, a Steam Line Pressure channel) will be assigned as a surrogate for this function and mapped to the Reactor Building Pressure transmitters in EOOS. As such, the impact of a failed Reactor Building Pressure transmitter will be reflected for its impact on Main Steam Line Isolation (in addition to the other functions it feeds).
  • The Pressurizer Pressure (P-11) and Low-Low RCS Average Temperature (P-12) interlocks are not explicitly modeled in EOOS, but failure of their analog channel inputs (Pressurizer Pressure and Reactor Coolant System average temperature) will be conservatively modeled by using the surrogates noted above for the actual ESFSAS function impacted.

Use of surrogates as described above (along with the proposed new guidance described in response to RAI 9ii) will ensure the risk impact of unavailable signals in the RPS/ESFAS system is appropriately managed.

RAI 10

LAR Section 4.3 describes the CRMP procedural process. However, there is no discussion of the CRMP quality assurance process. Please describe how the quality of the CRMP model is assured for this application.

SCE&G Response As noted in the response to RAI 2i, VCSNS uses the EOOS model as the CRMP model.

EOOS uses the same fault trees and databases as the PRA model, and is therefore maintained and controlled as part of the PRA model. Therefore, the same procedures noted in response to RAI 2i are applicable to the CRMP model (NL-126, PSA-08, ES-412 and ES-110). Each of these procedures is controlled in accordance with the requirements of 10CFR50 Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants." The controls specified in these procedures, which are subject to 10CFR50 Appendix B, ensures the quality of the EOOS model is assured.

Additionally, as noted in the response to RAI 8, the CRMP at VCSNS is implemented via SAP-157, SAP-208, OAP-102.1, and SSP-001. Each of these procedures is used to implement the Maintenance Rule (10CFR50.65), and the Maintenance Rule Program at VCSNS meets the guidance provided in Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." Changes to each of these procedures is controlled in accordance with the requirements of 10CFR50 Appendix B,

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 64 of 69 "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants." The controls specified in these procedures, subject to 10CFR50 Appendix B, ensures the quality of the CRMP is assured.

RAI 11

RG 1.177 follows a four-element approach to integrated decisionmaking for TS changes. Element 3 is related to an implementation and monitoring program. RG 1.174, Revision 2, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" (ADAMS Accession No. ML100910006), states that the Maintenance Rule (MR) can be used when the monitoring performed under the MR is sufficient for the structures, systems, and components affected by the risk-informed application. Address the following regarding the implementation and monitoring program:

i. LAR Section 4.7 of Attachment 5 does not clearly state that the MR program will be used for the proposed TS changes. Rather, it indicates that there are programs that will be reviewed and revised as necessary. Clarify whether the VCSNS MR program will be used for implementation and monitoring. If the implementation and monitoring program is other than the MR program, describe it and discuss when the program will be in place to support these proposed TS changes.

ii.

The TSTF-411 and TSTF-418, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)," programs were based on versions of MR guidance in Nuclear Management and Resources Council (NUMARC) 93-01 and RG 1.182, which have been superseded by NRC-endorsed NUMARC 93-01, Revision 4, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," guidance and RG 1.160, Revision 3, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (ADAMS Accession No. ML113610098). Confirm that the VCSNS MR evaluations follow the current NRC-endorsed NUMARC 93-01, Revision 4, guidance and RG 1.160.

SCE&G Response:

11i.

VCSNS will use the station's Maintenance Rule program for monitoring and implementation.

11 ii.

Per FSAR, Chapter 3, Appendix 3A, the VCSNS Maintenance Rule program meets the guidance provided by RG 1.160, Rev 3 (May 2012), which endorses NUMARC 93-01, Rev.

4A.

RA112:

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 65 of 69 LAR Table 1, "Combined Risk Metrics," provides a summary of the change in CDF (ACDF), incremental conditional core damage probability (ICCDP), change in LERF (ALERF), and incremental conditional large early release probability (ICLERP).

However, it appears to provide only the change-in-risk metrics from WCAP-14333-P-A to WCAP-15376-P-A. Since risk is cumulative, provide a similar table that shows the cumulative changes of ACDF and ALERF from pre-TOP to WCAP-10271-P-A, to WCAP-14333-P-A, and through the proposed changes for WCAP-15376-P-A, which accounts for the 2/3 and 2/4 logic. Account for all proposed TS changes, including signal functions 6.h and 8.a, in the table.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 66 of 69 SCE&G Response Table 12-1 Pre-TOP to WCAP-10271-P-A WCAP-10271-P-A to WCAP-14333-P-A WCAP-14333-P-A to WCAP-15376-P-A Pre-TOP to WCAP-15376-P-A ACDF/yr 2/4 logic 3.5E-07 8.0E-07 2/3 logic 6.1E-07 8.5E-07 EFW Suction ESFAS 6.h 0

8.7E-09 RWST level ESFAS 8.a 3.8E-08 2.42E-08 Total ACDF/yr1 0*

6.5E-07 8.83E-07 1.53E-06 ALERF/yr 2/4 logic 2.0E-08 3.1E-08 2/3 logic 2.2E-08 5.7E-08 EFW Suction ESFAS 6.h 0

0 (-8.9E-11)

RWST level ESFAS 8.a 4.0E-10 9.0E-11 Total ALERF/yr1 02 2.2E-08 5.71 E-08 7.91 E-08

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 67 of 69 Notes to Table 12-1:

(1) 2/3 logic are used for Total ACDF/yr and ALERF/yr calculations because VCSNS predominantly uses 2/3 logic and because this use is conservative (maximizes the total risk increase)

(2) The original Individual Plant Examination (IPE) and Individual Plant Examination for External Events (IPEEE) included incorporation of WCAP-10271-P-A, so this was not a risk-informed change for VCSNS.

The cumulative increase in LERF of 7.91E-08/yr meets the Regulatory Guide 1.174 threshold of less than 1.0E-07/yr. Because the cumulative increase in CDF exceeds 1.0E-06/yr, the following table is provided to show that the total VCSNS CDF is less than 1.0E-04/yr and therefore meets the application guidance in Regulator Guide 1.174. (The information below was provided in the original submittal as part of Table 8.)

Table 12-2 Hazard Group CDF (yr1)

Internal Events (including internal flooding)(1) 5.67E-06 Seismic 1.5E-05 Fire(2) 5.2E-05 Total 7.27E-05 Notes to Table 12-2:

(1) VCSNS has updated the internal events PRA model since the December 16, 2015 submittal, and the current CDF is lower than the value provided above. If this value was used in the table, the Total CDF would be lower.

(2) VCSNS has updated the Fire PRA model since the December 16, 2015 submittal, but the Fire CDF remains unchanged.

RAI 13

LAR Attachment 5, Section 3.3, states that the analysis supporting the changes in WCAP-15376-P-A, Revision 1, does not include external events. LAR Attachment 5, Section 3.3, discusses the external event risk assessments for fires and seismic events. The results are presented as a risk benefit. Table 1 in LAR Section 4.1, however, shows a risk increase in changing from WCAP-14333-P-A to WCAP-15376-P-A, which is based on internal events risk. It is not clear why the overall internal events risk is a risk increase, while the overall external events risk is a risk decrease. Explain this apparent discrepancy in the results for the application.

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 68 of 69 SCE&G Response Section 3.3 of the LAR states that external events are not included in the implementation requirements for WCAP-15376-P-A. However, an assessment was supplied to the NRC in response to a request for additional information for the external event impact.

Specifically, Attachment 5 sections 3.3.1, 3.3.2, and 3.3.3 of the LAR describe the analysis for Seismic, Fire, high winds, external flood, and transportation and nearby facility accidents. For these assessments, equations were developed considering the systems credited, accident sequences specific to the external event models, mitigation methodology, and impact to CDF and LERF.

The CDF reduction cited for fire in LAR section 3.3.2 is due to the ESFAS signal unavailability reduction (availability improvement) for the single train emergency feed water pump start signal.

Specifically, the sum of the fire ignition frequencies in fire areas where one train could be affected by the change in STI was negative and 5 times greater in magnitude than the areas in which two trains could be affected. This results in a reliability improvement, especially for single trains where common cause failures do not dominate. Since the CDF is reduced, the LERF impact will also be very small and the ACDF and ALERF changes meet the acceptance criteria in Regulatory Guide 1.174.

Reactor trip signals were not important to fire events. This is because if a fire event only impacts mitigating equipment, then the plant will continue to operate and the applicable Technical Specification Action for the condition is followed. If the fire event causes a reactor trip and doesn't impact mitigation equipment, then this is addressed as a transient event. Since fire events cause a reactor trip, then reactor trip signals are not required to mitigate fire events and the proposed changes will have no impact on plant risk due to unreliability or unavailability of reactor trip signals.

Table 13-1 summarizes the internal event and external event model changes and shows the overall CDF and LERF increasing within the acceptance criteria.

Table 13-1 Risk Metric Acceptance Criteria VCS from I.E.

model (Sec 4.1 Table 1 of LAR)

Seismic,

Section 3.3.1 of LAR Fire,

Section 3.3.2 of LAR Combined ACDF per year

< 1E-06 8.5E-07 Impact on seismic CDF from increased signal unavailability (extremely small):

2.7E-12 Risk benefit:

-1.5E-08 8.4E-07 ALERF per year

<1E-07 5.7E-08 very small CDF was reduced, thus LERF is also reduced.

5.7E-08

Document Control Desk Attachment I CR-15-01424 RC-17-0019 Page 69 of 69

RAI 14

LAR Section 4.2 identifies three Tier 2 measures that have not been identified as regulatory commitments in LAR Attachment 6. Update the list of regulatory commitments to include these three Tier 2 measures, as well as any additional Tier 2 measures identified in PRA RAI 7.1.ii.

SCE&G Response See the revised listing of regulatory commitments listed in Attachment II of this submittal.

Document Control Desk Attachment II CR-15-01424 RC-17-0019 Page 1 of 4 VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 ATTACHMENT II LIST OF REGULATORY COMMITMENTS

Document Control Desk Attachment II CR-15-01424 RC-17-0019 Page 2 of 4 The following table identifies those actions committed to by the Virgil C. Summer Nuclear Station (VCSNS) in this document. Any other statements in this submittal are provided for information purposes and are not considered to be regulatory commitments. Please direct questions regarding these commitments to Mr. Bruce L. Thompson at (803) 931-5042.

COMMITMENT DUE DATE VCSNS will trend the "as found" and "as left" data for the three representative trip functions analyzed in WCAP-15376-P-A (Over temperature Delta-T, Steam Generator Level, and Pressurizer Pressure) for two years (four operational tests).

Two years and six months after implementation VCSNS will implement the following Tier 2 restrictions in its risk-significant plant configuration program when an RTB train becomes inoperable when operating under the proposed Completion Times:

The probability of failing to trip the reactor on demand will increase when a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves),

emergency feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the emergency feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.

Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RPS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.

Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.

60 Days after Issuance of Amendment

Document Control Desk Attachment II CR-15-01424 RC-17-0019 Page 3 of 4 COMMITMENT DUE DATE VCSNS will evaluate the resulting Facts and Observations from the Peer Review performed June 2016 and update the NRC concerning the impact on LAR-15-01424.

Upon receipt of the final Peer Review Report and evaluation by VCSNS staff VCSNS will update PSA-05, "Data Update Guideline with Emphasis on Bayesian Updating,"

to specify that repetitive problems that cause the same failure accumulated in a short time frame should be counted as one failure and one demand.

60 Days after Issuance of Amendment VCSNS will revise PSA-04, "Human Reliability Analysis," to provide guidance to consider confirmation testing, independent verification, written checklists and daily/shift checks in determining whether to apply recoveries.

60 Days after Issuance of Amendment VCSNS will revise PSA-08, "PRA Model Updates,"

by adding a list of meetings, conferences, and document sources to monitor technology changes.

60 Days after Issuance of Amendment VCSNS will revise the scheduling tool in the EOOS program to 'flag' the specific Tier 2 conditions to be avoided when an RTB train is unavailable and procedures will be revised to ensure such configurations are avoided.

60 Days after Issuance of Amendment VCSNS will revise the operations tool in the EOOS program to 'flag' the specific Tier 2 conditions to be avoided when an RTB train is unavailable and procedure(s) will be revised to ensure the configuration is managed as described in the proposed Technical Specification Bases 3/4.3.1 and 3/4.3.2, "Reactor Trip and Engineered Safety Feature Actuation System Instrumentation."

60 Days after Issuance of Amendment

Document Control Desk Attachment II CR-15-01424 RC-17-0019 Page 4 of 4 COMMITMENT DUE DATE The VCSNS risk management procedure and EOOS program will be updated to specify a method similar to the following for managing the risk of failures of RPS/ESFAS components:

  • If an analog channel that provides input to RPS/ESFAS is failed (transmitter, loop power supply, etc.), the impact on risk due to loss of that signal must be determined by removing the affected component from service in EOOS. (For those inputs not explicitly modeled in EOOS, VCSNS will assign surrogate inputs and map them to those components. See the response to RAI 9iii for information on the surrogates.

This requires a change to EOOS.)

  • If more than one analog channel with inputs to RPS/ESFAS has failed, the configuration should be treated as an emergent Elevated Risk level until the protective bistables for all but one analog channel are placed in the 'tripped' condition. (The EOOS risk calculation for failed channels with bistables not in the

'tripped' condition may only be representative when a single channel is affected, depending on which multiple channels are failed.)

  • Once the affected bistables are placed in the tripped condition, the affected instrument entry in EOOS with 'tripped b/s' should be selected.
  • If a subcomponent of the RPS/ESFAS Panel (Undervoltage Driver Card, Universal Logic Card, Safeguard Driver Card, etc.) is failed, that train's SSPS Panel should be removed from service in EOOS. Note the restrictions in Technical Specifications Bases 3/4.3.1 and 3/4.3.2 (Reactor Trip and Engineered Safety Feature Actuation System Instrumentation) from WCAP-14333-P-A and WCAP-15376-P-A that apply when a logic train or Reactor Trip Breaker train is unavailable.

60 Days after Issuance of Amendment

Retrieved from "https://kanterella.com/w/index.php?title=RC-17-0019,_Response_to_Request_for_Additional_Information_Regarding_License_Amendment_Request_LAR-15-01424,_Implementation_of_WCAP-15376-P-A,_Revision_1&oldid=5151484"