LR-N17-0263, Response to Request for Additional Information, Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request

From kanterella
(Redirected from ML17257A439)
Jump to navigation Jump to search

Response to Request for Additional Information, Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request
ML17257A439
Person / Time
Site: Salem  PSEG icon.png
Issue date: 09/14/2017
From: Mannai D
Public Service Enterprise Group
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR S16-04, LR-N17-0263
Download: ML17257A439 (70)
v  d  e


Text

PSEG Nuclear LLC P.O. Box 236, Hancocks Bridge, NJ 08038-0236 OPSEG Nuclear LLC 10 CFR 50.90 LR-N17-0263 LAR S16-04 September 14, 2017 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Salem Nuclear Generating Station Units 1 and 2 Renewed Facility Operating License Nos. DPR-70 and DPR-75 NRC Docket Nos. 50-272 and 50-311

Subject:

Response to Request for Additional Information - Salem Units 1 and 2 -

Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request

References:

1. PSEG letter to NRC, "License Amendment Request: Salem Containment Fan Cooler Unit (CFCU) Allowed Outage Time (AOT) Extension," dated March 6, 2017 (ADAMS Accession No. ML17065A241)
2. NRC email to PSEG, "Request for Additional Information - Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request (CACs MF9364 and MF9365)," dated July 31,2017 (ADAMS Accession No. ML17212B115)

In the Reference 1 letter, PSEG Nuclear LLC (PSEG) submitted a license amendment request for Salem Nuclear Generating Station Units 1 and 2 (Salem). The proposed amendment would revise Technical Specification 3.6.2.3, "Containment Cooling System," to extend the containment fan coil unit (CFCU) allowed outage time from 7 days to 14 days for one or two inoperable CFCUs. In the Reference 2 email, the Nuclear Regulatory Commission (NRC) requested PSEG to provide additional information in order to complete its review. provides a detailed response to the request for additional information. PSEG has determined that the information provided in this submittal does not alter the conclusions reached in the 10 CFR 50.92 no significant hazards determination previously submitted. In addition, the information provided in this submittal does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendment.

There are no regulatory commitments contained in this letter.

September 14, 2017 10 CFR 50.90 Page 2 LR-N17-0263 Should you have any questions regarding this submittal, please contact Mr. Paul Duke at 856-339-1466.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on September 14, 2017 (Date)

Sincerely,

,(lV~

David J. Mannai Senior Director, Regulatory Operations

Attachment:

1. Response to Request for Additional Information cc: Mr. D. Dorman, Administrator, Region I, NRC Mr. R. Ennis, Project Manager, NRC NRC Senior Resident Inspector, Salem Mr. P. Mulligan, Chief, NJBNE Salem Commitment Tracking Coordinator Corporate Commitment Tracking Coordinator

LR N17 0263 Attachment 1 Response to Request for Additional Information

LR N17 0263 Response to Request for Additional Information Regarding Proposed License Amendment Containment Fan Coil Unit Allowed Outage Time Extension Salem Nuclear Generating Station, Unit Nos. 1 and 2 Docket Nos. 50 272 and 50 311 By application dated March 6, 2017, as supplemented by letter dated May 4, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML17065A241 and ML17125A051, respectively), PSEG Nuclear LLC (PSEG, the licensee) submitted a license amendment request (LAR) for Salem Nuclear Generating Station (Salem), Unit Nos. 1 and 2.

The proposed amendment would revise Technical Specification (TS) 3.6.2.3, Containment Cooling System, to extend the containment fan coil unit (CFCU) allowed outage time (AOT) from 7 days to 14 days for one or two inoperable CFCUs.

The Nuclear Regulatory Commission (NRC) staff is reviewing your submittal and has determined that additional information is needed to complete its review. The specific information requested is addressed below.

Balance of Plant Branch (SBPB)

RAI SBPB 1 PSEGs application stated that the proposed extended AOT is based on application of the Salem Probabilistic Risk Assessment (PRA) in support of a risk informed extension, and on additional considerations and compensatory actions. The licensee further stated that the risk evaluation and deterministic engineering analysis supporting the proposed change have been developed in accordance with the guidelines established in NRC Regulatory Guide (RG) 1.177, An Approach for Plant Specific Risk Informed Decisionmaking: Technical Specifications, dated May 2011 (ADAMS Accession No. ML100910008), and RG 1.174, An Approach for using Probabilistic Risk Assessment in Risk Informed Decisions on Plant Specific Changes to the Licensing Basis dated May 2011 (ADAMS Accession No. ML100910006).

PSEG provided, in Section 4.3 of Attachment 1 to the application, a deterministic assessment of the proposed CFCU AOT extension. However, in accordance with RG 1.177, Regulatory Position 2.2, Traditional Engineering Considerations, there are several engineering considerations that were not adequately addressed in the LAR and are necessary for a risk informed licensing submittal that the licensee should assess. Provide an engineering evaluation (in accordance with RG 1.177 Regulatory Position 2.2) that addresses the following considerations:

1. Defense in depth (including the following):
a. A reasonable balance among prevention of damage of core damage, prevention of containment failure, and consequence mitigation is preserved.
b. Over reliance on programmatic activities as compensatory measures is avoided.
c. System redundancy, independence, and diversity are maintained.
d. Defenses against potential common cause failures (CCFs) are maintained and the potential for introduction of new CCF mechanisms is assessed.

1

LR N17 0263

e. Independence of physical barriers is not degraded.
f. Defenses against human errors are maintained.
g. The intent of the plants design criteria is maintained.
2. Safety margin (including the following):
a. Codes and standards or alternatives approved for use by the NRC are met.
b. Safety analysis acceptance criteria in the final safety analysis report are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties.

PSEG Response:

1. Consistency with the defense in depth philosophy is maintained as discussed below:
a. A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation (i.e., the proposed change in a TS has not significantly changed the balance among these principles of prevention and mitigation) to the extent that such balance is needed to meet the acceptance criteria of the specific design basis accidents and transients.

The amendment requested will result in no change to the current balance of these critical functions. The safety functions of the CFCUs are to recirculate and cool the containment atmosphere in the event of a loss of coolant accident (LOCA). Each CFCU is capable, taking into consideration tube fouling, of removing at least 44 x 106 Btu/hr or a cumulative heat transfer rate of 132 x 106 Btu/hr. for three fan cooler units from the containment atmosphere under accident conditions. This heat transfer rate exceeds the analyzed value assumed in the design basis analysis of containment pressure response to a spectrum of Reactor Coolant System (RCS) and steam line breaks described in the Salem Updated Final Safety Analysis Report. Increasing the allowed outage time for one or two inoperable CFCUs from 7 to 14 days does not affect the ability of three CFCUs to meet the acceptance criteria of the specific design basis accidents.

The proposed changes do not degrade core damage prevention, and do not have any effect upon containment failure. Consequence mitigation remains unchallenged; credit is taken for only two CFCUs in the mixing effect of the containment atmosphere in the Salem dose analyses.

No new accident or transients are introduced with the proposed changes; therefore, the likelihood of accidents or transients is not impacted. The balance between mitigation of core damage and containment failure is preserved by the implementation of this 14 day AOT for the CFCUs in that the overall equipment reliability is expected to be improved, and over the long term, PSEG expects fewer emergent issues as a result of increased flexibility in planning and performing maintenance activities.

2

LR N17 0263

b. Over reliance on programmatic activities as compensatory measures associated with the change in the licensing basis is avoided.

There are no changes to the design or operation of the CFCUs associated with the proposed change. Containment Fan Coil Units and their associated CFCU Motor Coolers are components that, when properly maintained, have proven to be reliable. The maintenance frequency for opening and cleaning for the Generic Letter 89 13 program is 5R (every fifth recycle outage) for the CFCUs and 4R for the motor coolers. The reliability of the CFCUs is not challenged by the proposed amendment; and no increase in programmatic activity is required to support the proposed change. Industry standard reliability parameters from NUREG/CR 6928 are used to quantify the reliability of CFCUs in the PRA. Since the CFCUs are and will continue to be operated on a rotating basis, these reliability parameters will continue to be appropriate.

c. System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system.

The redundancy, independence, and diversity of the Containment Fan Cooler Units remain unchallenged as a result of the proposed licensing action.

During the Condition IV accidents of LOCA or main steam line break, the CFCUs and Containment Spray act in concert to ensure that the Containment pressure remains below the design pressure of 47 psig. Each CFCU is capable, taking into consideration tube fouling, of removing at least 44 x 106 Btu/hr or a cumulative heat transfer rate of 132 x 106 Btu/hr. for three fan cooler units from the containment atmosphere under accident conditions. This heat transfer rate exceeds the analyzed value assumed in the design basis analysis of containment pressure response to a spectrum of Reactor Coolant System (RCS) and steam line breaks described in the Salem Updated Final Safety Analysis Report. No additional compensatory actions would be taken upon the removal from service of one or two CFCUs beyond those taken for the current allowed outage time.

Because of the robustness of the design with regard to the accident analysis, such actions are not necessary. The defense in depth remains unchallenged by the proposed licensing action.

PSEG's protected equipment program provides appropriate restrictions to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity. PSEG's on line work management process requires the risk of the scheduled on line maintenance activity to be continuously evaluated based upon conditions, such as the power grid stability, the weather forecast, and the current plant status. This includes information obtained from day ahead forecasts. Severe weather (high wind, severe thunderstorm warning, tornado watch/warning) or conditions that are potential high risk evolutions for loss of offsite power are considered.

The risk impact of the proposed increase in the allowed outage time was explicitly modeled and determined to be small and consistent with regulatory guidance. The long term effect of the proposed change on the reliability of the CFCUs is expected to be positive.

3

LR N17 0263

d. Defenses against potential common cause failures are maintained, and the potential for introduction of new common cause failure mechanisms is assessed.

No common cause failure mechanisms are identified for the CFCUs, and defenses against common cause failures are preserved. The operating environment and operating parameters for the CFCUs are unaffected; and no new common cause failure modes are created by the proposed TS changes.

There are no changes to the design or operation of the CFCUs associated with the proposed change. Existing measures to ensure the potential for CCF is minimized include periodic cleaning and inspection, routine preventive maintenance and corrective action measures to evaluate extent of condition.

e. Independence of physical barriers is not degraded.

The physical barriers (fuel cladding, reactor coolant system, and containment) and their independence are maintained. The proposed change maintains the required containment heat removal capacity and does not affect the integrity of the CFCUs as a barrier to limit leakage to the environment. Increasing the AOT for 1 or 2 CFCUs removed from service does not affect the independence of the fuel cladding, reactor coolant system, or containment.

f. Defenses against human errors are preserved.

The proposed extension to the AOT does not require any new operator actions for the existing plant equipment or introduce the potential for new human errors.

Operators and maintenance personnel are in the practice of utilizing Human Error Prevention tools, and will use existing plant procedures to remove CFCUs from service, to effect repairs, and then return them to service. This AOT extension is requested for Modes of operation 1 through 4, exactly as for the current TS 3.6.2.3; therefore, the methods and precautions required, which could affect human performance, are unaffected by the proposed license change.

g. The intent of the plant's design criteria is maintained.

The intent of the Salem design criteria is maintained. The proposed change does not involve any physical changes to the design of the CFCUs or supporting systems. The operation of the CFCUs is not altered by the proposed extension to the AOT. The ability of the remaining TS required CFCUs to mitigate the effects and consequences of an accident is not affected because no additional single failures are postulated while equipment is inoperable within the TS AOT.

As demonstrated by the discussion of the deterministic issues above, the length of the AOT for inoperability of one or two CFCUs is appropriately a risk informed decision.

2. The impact of the proposed change is consistent with the principle that sufficient safety margins are maintained.

For the extended AOT associated with one or two CFCUs inoperable while the unit is in Mode 1, 2, 3, or 4, the plant remains in a condition for which it has already been analyzed; therefore, from a deterministic perspective, these changes are acceptable.

4

LR N17 0263 Both the current seven day AOT and the proposed 14 day AOT are based on a plant specific analyses discussed in Section 3.1 to Attachment 1 of LR N16 0173. To ensure proper CFCU thermal performance, the CFCUs are periodically inspected and cleaned.

Per TS Surveillance Requirement 4.6.2.3, water flows and air dampers are periodically tested to ensure that the design basis Service Water flow is achieved and that the necessary air dampers open or close as required.

a. Codes and Standards or alternatives approved for use by the NRC are met.

The design and operation of the CFCUs are not changed by the proposed increase in allowed outage time for one or two inoperable CFCUs. The proposed change does not affect conformance with applicable codes and standards.

b. Safety analysis acceptance criteria in the FSAR are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties The safety analyses acceptance criteria stated in the Salem UFSAR are unaffected by the proposed changes. Three CFCUs are sufficient for the mitigation of the design basis accident. Only three CFCUs are utilized in the Chapter 15 accident analyses, and this minimum heat transfer capability is not diminished by the proposed license amendment. The proposed change will not cause the plant to be operated outside its designed configuration. Both Service Water flow and air flow are confirmed as a matter of normal routine surveillance.

Safety margins are not impacted by the proposed change of AOT for one or two CFCUs out of service.

RAI SBPB 2 The licensee stated, in Section 4.4.1 of Attachment 1 to the application, that maintenance practices involve protecting other equipment coincident with maintenance being performed on the CFCUs. If two CFCUs are unavailable, PSEG procedures require the other CFCUs and one containment spray pump to be protected to prevent concurrent unavailability. In addition, procedures direct the plant personnel to routinely monitor various maintenance configurations and protect equipment that could lead to an elevated risk condition (e.g., red risk condition) if it were to become unavailable due to unplanned or emergent conditions. The licensee stated that this is normally accomplished using a predictive PRA software tool based on the PRA model of record (i.e., equipment out of service configuration risk monitor program from the Electric Power Research Institute). The licensee stated that, based on the very small risk increase involving the configuration analyzed in this LAR, there is no further need for additional compensatory measures or quantification other than the existing programs stated above.

As noted above, given the condition that two CFCUs are unavailable, PSEG plans to protect the other three CFCUs and one containment spray pump. However, support systems for the CFCUs and containment spray pump are not specifically stated as being protected. Provide a complete list of protected equipment which may include the CFCU and containment spray system support systems, such as cooling water, cooling water accumulators, essential room cooling and or chillers, alternating current and/or direct current electrical buses, on site emergency diesel generators, and switchyard components/breakers, etc..

5

LR N17 0263 PSEG Response The on line risk assessment is a blended approach using qualitative or defense in depth considerations and quantifiable PRA risk insights when available to complement the qualitative assessment. Salem communicates on line plant risk using three risk tiers (GREEN, YELLOW, and RED).

As discussed in Section 3.4 of LR N16 0173, the on line risk level for both Salem Units will remain GREEN when two CFCUs are unavailable. In order to ensure the continued containment cooling capacity provided by three CFCUs, the primary compensatory measure for two CFCUs unavailable is to protect the remaining three CFCUs and a Containment Spray pump. Protection of the CFCUs includes CFCU breakers and the 78 Mechanical Penetration area, which contains the valves controlling service water flow to the CFCUs.

Additionally, the PSEG protected equipment program requires redundant equipment to be protected prior to removal of SSCs from service if plant configuration is such that a single piece of redundant equipment unavailability or manipulation would cause an entry into Technical Specification 3.0.3 or a Technical Specification required action to be in Hot Shutdown in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or less. This necessarily causes the identification of Emergency Diesel Generators (EDGs), which are subsequently protected. For example, if 11CFCU is removed from service, the 1B and 1C EDG would be protected to ensure the continued availability of at least three CFCUs if a loss of offsite power (LOOP) occurs.

Protecting equipment requires posting of signs and robust barriers in order to alert personnel not to approach the protected equipment. The protected equipment postings are walked down each shift by the duty operators. Work on protected equipment is generally disallowed. Minor exceptions exist for activities such as Operator rounds, security patrols, or emergency operations. Other exceptions must be authorized by the station shift manager in writing.

Inadvertent operation will be prevented by the protected equipment program.

Protection of a CFCU typically involves placing barriers on the CFCU bezel in the control room, and the CFCU breaker and control power breakers. Protecting the 78 Mechanical Penetration area, which contains the valves controlling service water flow to the CFCUs, typically includes placing a barrier, with signage across the stairs leading to the area. Protecting a Containment Spray pump typically includes placing retractable tape and signs on the perimeter of the CS Pump, and placing barriers on the CS Pump bezel in the control room, the control switch for the associated CS Room Cooler, the CS Pump Breaker door handle and control power breakers, and the CS Room Cooler Breaker. Protecting an EDG typically includes placing tape and signs across the entries to the EDG engine room and control room, and placing barriers on the EDG bezel in the control room, the EDG breaker and control power breakers.

PRA Licensing Branch (APLA)

The proposed extended AOT is based, in part, on application of the Salem PRA in support of a risk informed extension. The risk evaluation and deterministic engineering analysis supporting the proposed change have been developed in accordance with the guidelines established in RG 1.177. When a licensee requests an amendment to its license that involves a risk informed change to the TSs, RG 1.177 states that when the risk associated with a particular hazard group or operating mode would affect the decision being made, it is the Commissions policy that, if a staff endorsed PRA standard exists for that hazard group or operating mode, then the risk will be assessed using a PRA that meets that standard. Through RG 1.200, Revision 2, An 6

LR N17 0263 Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk Informed Activities, the NRC endorsed, with clarifications and qualifications, the industry standard ASME/ANS RA Sa 2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. In general, the staff anticipates that current good practice, i.e., Capability Category II of the ASME/ANS standard, is the level of detail that is adequate for the majority of applications.

The licensee peer reviewed its base PRA model against an earlier version of the industry standard (RA Sb 2005). In accordance with RG 1.200, Revision 2, the licensee identified and addressed differences in the supporting requirements (SRs) that were revised between the 2005 and the 2009 versions of the ASME PRA standard. In addition, the licensee performed a gap assessment, against the NRC clarifications in Appendix A of RG 1.200, Revision 2, in order to ensure the PRA meets the current standard. The peer review assesses the PRA model and all applicable supporting documentation against the applicable SRs in the standard. As part of its application, the licensee included tables indicating the Capability Category to which each applicable SR was met, a summary of the findings and observations (F&Os) for each SR that was not met to Capability Category II or higher, and the licensees resolutions of the F&Os.

APLA RAI 1 As part of the NRC staffs review of the technical acceptability of the licensees PRA, the staff reviewed all applicable open F&Os for satisfactory resolution. In F&O Tables 4 1 through 4 8 in of the LAR, many of the resolution statements for SRs that do not meet Capability Category II or higher indicate that the basis for resolution is contained in a separate document not submitted with the LAR. In addition, these resolution statements contain little or no further justification describing why the applicable SR is now met at a satisfactory level. The information supplied by the licensee in the F&O tables for these SRs is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&Os. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. A discussion justifying, including any applicable supporting documentation, why each of the following SRs (corresponding to the SR nomenclature from RA Sa 2009) are met at Capability Category II or higher given the stated resolution:

IE A1 IE A8 IE C6 IE C12 SC B4 SC B5 SY A6 SY B3 SY B4 SY B6 SY B10 HR F2 DA C4 DA C12 7

LR N17 0263 DA C13 DA C14 DA D3 QU B10 QU D3 QU D4 QU D6 QU D7 IFSN A1 IFSN A8 Or

2. A detailed justification discussing why not meeting the above SRs, or meeting the SRs at Capability Category I is sufficient for this application.

PSEG Response:

Additional explanation is added to the F&O Tables in section 4 of Enclosure 1 of the LAR for those Supporting Requirements (SRs) listed above to show further evidence how they were satisfactorily resolved:

8

LR N17 0263 Table 4 1 Assessment of Supporting Requirement Capability Categories for Initiating Events Analysis RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Table 2 2 in the IE notebook (SA PRA 001), which was revised during the 2012 PRA model update, lists the basis for certain events not being a unique plant trip initiator. For the case in which the The plant specific search only addresses supporting systems. The charging system is lost, this leads to a slowly developing transient listing is not encompassing of possible plant specific initiators found that can be easily accommodated with high reliability using plant SR IE A1 IE A1 IE A1 01 at other plants such as a loss of charging (impact on RCP seal response procedures to avoid an unnecessary plant transient event.

Not Met cooling). Loss of charging would lead to a reactor trip and would In addition, the application for extending the CFCU Allowed Outage decrease redundancy for RCP seal cooling. Time (AOT) extension is not sensitive to this SR, since the change in risk is more sensitive to large and medium LOCAs that involve failure to establish containment sump recirculation, which make up over 70% of the risk profile.

A Maintenance Rule Expert Panel meeting was held on 10/5/2012 to review the updated Initiating Events Notebook with plant personnel representing plant operations, maintenance, engineering and safety analysis in order to determine if potential initiating events had been overlooked. Some of the items discussed during the interview included:

  • Loss of non vital bus G needed to be added as a %Tt initiator Section 2.1.2 does not indicate that plant operations, maintenance, SR Met:
  • The plant shutdown in July 2011 that was related to the SJ10 IE A8 IE A6 IA A6 01 engineering, and safety analysis personnel were interviewed or (CC I) cracked weld needed to be identified included in the review process for the initiating events notebook to
  • The appropriateness of binning spurious SI trips with an existing determine if potential initiating events have been overlooked.

initiator

  • Loss of a 4kV vital bus does not directly lead to a plant trip
  • Manual shutdowns should not be credited in the transient initiating event category In addition, the application for extending the CFCU AOT extension is not sensitive to this SR, since the change in risk is more sensitive to LOCAs.

Based on discussions with plant personnel (see response to IE A6 01), it was determined that loss of 4kV non vital buses affect the Quantitative screening does not appear to be performed, based on balance of plant operations and lead to an eventual turbine trip, a review of the Salem SA PRA 001, Revision 0 notebook. which is accounted for in the event frequency for turbine trip (%Tt).

Therefore, subsection a) and b) of this SR are considered met. Loss of a 4kV vital bus can lead to unavailability of standby ECCS SR IE C6 IE C4 IE A1 01 However, subsection c) of this SR does not appear to be met as equipment, but it does not lead to an automatic plant trip. As such, Not Met noted in the e review for SR IE A1, some events that require the this was not considered a possible transient event. This was plant to be shut down due to technical specifications were screened documented in Table 2 2 of the Initiating Events Notebook (SA (e.g., loss of a 4KV bus). PRA 001). In addition, the application for extending the CFCU AOT extension is not sensitive to this SR, since the change in risk is more sensitive to LOCAs.

9

LR N17 0263 Table 4 1 Assessment of Supporting Requirement Capability Categories for Initiating Events Analysis RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Tables 3 6 and 3 7 contain a comparison of the initiator frequencies Tables 2 5, 2 6 and 2 7 in the Initiating Events Notebook (SA PRA used in the Salem model as compared with NUREG/CR 5750. 001) provide event types, along with their descriptions, for the South However, there is no comparison with other sources. Since many of Texas Project, Watts Bar Project and Surry Project, respectively.

the frequencies used in the Salem model use the same frequencies This data is given in order to provide the reader with other IE C12 IE C10 SR Met IE C10 01 used in the Salem model as compared with NUREG/CR 5750. categorization schemes for similar plants to which the Salem plant However, there is no comparison with other sources. Since many of may be compared. It was shown that these categorization schemes the frequencies used in the Salem model use the same frequencies for initiating events are consistent with the Salem PRA model.

from NUREG/CR 5750, such as the LOCAs, the tables should be Additionally, most of the IEs now use the newer and frequently updated with a comparison with other similar plants. updated NRC work associated with NUREG/CR 6928.

Table 4 3 Assessment of Supporting Requirement Capability Categories for Success Criteria RA RA Sa Sb Capability Associated Summary Summary of Resolution 2009 2005 Category F&Os SR # SR #

Section 1.3 of the Success Criteria Notebook (SA PRA 003) discusses the limitations of the MAAP computer code. Relative to the Salem Generating Station, this means that the minimum systems required to mitigate a large break LOCA should be based on a source other than MAAP. In this case, the The MAAP Thermal Hydraulic Calculations Notebook (SA success criteria was defined using analyses related to the plants licensing PRA 007, Revision 1), Sections 1.2 and 1.3 provide a basis. Other code limitations were listed in Table 1 2 of this notebook.

discussion of the codes available and the advantages Although there are limitations with MAAP regarding the initial phase of a large SC SC SR SC B4 01 associated with using MAAP, respectively. However, MAAP break LOCA due to issues with flow reversal, MAAP was not used for B4 B4 Not Met is used in establishing large LOCA success criteria, although establishing the success criteria until after core reflood is complete. Since the code is not suitable for analysis of this plant upset. A CFCUs are more important for long term heat removal during the sump discussion of code limitations is not provided. recirculation phase of a LOCA scenario, MAAP is capable of modeling the mass and energy balance within containment during this phase of the accident scenario since the core would certainly have been reflooded by this time. As such, the use of MAAP is adequate for establishing the success criteria for long term containment heat removal.

Table 2 1 of SA PRA 003 provides a summary of the overall success criteria for the Salem Generating Station for In Vessel Core Cooling, RCS Integrity, SC SC SR A check of the reasonableness and acceptability of the SC B5 01 and Containment Integrity. Table 2 2 of this notebook shows the general B5 B5 Not Met success criteria results is not documented.

success criteria for the Byron and Braidwood nuclear stations, which reveals that Salems success criteria is consistent with other Westinghouse plants.

10

LR N17 0263 Table 4 4 Assessment of Supporting Requirement Capability Categories for Systems Analysis RA RA Sa Sb Capability Associated Summary of Assessment Summary of Resolution 2009 2005 Category F&Os SR # SR #

The System Model Notebooks (SA PRA 005.0001 .0020) were revised to more clearly define system boundaries of modeled systems using one line diagrams depicted in Section 2.3 of these notebooks. For example, for the Safety Injection (SI) system, the system boundary includes all of the components in the SI system whose failure could potentially prevent water from reaching the RCS, but the system The system notebooks do not provide definitive SR boundaries do not branch into the other ECCS systems. Figure 2 1 in this system SY A6 SY A6 SY A6 01 explanation of boundary information and do not Not Met notebook shows a diagram of the SI system boundary, and various highlighted colors provide illustration of modeled components.

show the different modes of operation of SI. Not all of the components highlighted along the paths were modeled in the PRA. For example, many valves are not modeled because their failure does not prevent water from being injected into the core. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

Industry common cause failure data is collected from the NRC/INL Common Cause Database [CCF Parameter Estimations, 2012 Update]. Due to the relative rarity of common cause events, generic data is used for the Salem PRA model. The Alpha Factor Methodology was used for common cause modeling in the Salem PRA. Mean values for the alpha factors were obtained and used to determine the Common Cause Factor, which is input into the CAFTA BE database Factor field. A few CCF events were determined using sources other than the NRC/INL data.

In particular, to address the issue of completeness regarding various combination of For some cases the selection of CCF combinations SR failures, and due to the small probabilities and uncertainty that is involved with interim SY B3 SY B3 SY B3 01 are not complete and those selected are not the Not Met CCF combinations involving a population size of 6, it was deemed adequate in most limiting.

modeling the 2 of 6 (loss of one division), 4 of 6 (loss of two divisions), and 6 of 6 event combinations (loss of all three divisions) in estimating the total risk associated with DC battery charger common cause failures. The common cause modeling was limited to only those combinations that are consequential and important to risk. Refer to Appendix D of the Data Notebook (SA PRA 010) for further details. In general, this SR is not sensitive to this application in extending the CFCU Technical Specification AOT, especially since the common cause failure probability for failure of the other remaining three CFCUs was elevated to a probability of 0.82.

The MGL parameter model was not used for common cause failure probabilities used in the Salem PRA model. Instead, the Alpha Factor Methodology was used. As stated in the response for SY B3 01, certain interim combinations for DC battery chargers involving a population size of 6 were omitted due to their small probabilities SR Some combinations are absent which when using SY B4 SY B4 SY B3 01 and inherent uncertainty, with only the important common cause combinations being Not Met MGL can underestimate the CCF contribution.

retained, e.g., 2 of 6, 4 of 6, and 6 of 6. As stated in the response for SY B3 01, this SR is not sensitive to this application in extending the CFCU Technical Specification AOT, especially since the common cause failure probability for failure of the other remaining three CFCUs was elevated to a probability of 0.82.

11

LR N17 0263 Table 4 4 Assessment of Supporting Requirement Capability Categories for Systems Analysis RA RA Sa Sb Capability Associated Summary of Assessment Summary of Resolution 2009 2005 Category F&Os SR # SR #

As part of the 2012 PRA Update, all PRA System Notebooks were revised to follow a No analysis documented.

more consistent outline with information better organized to allow a more effective review and understanding of the documentation including sections on shared/required No documentation provided related to analysis of systems. In addressing this particular SR, section 4.4 in each PRA System Notebook SR support system requirements. There appears to be SY B6 SY B6 SY B6 01 (SA PRA 005.0001 .0020 series) documents the support system requirements and Not Met no analysis of support system requirements dependencies for all modeled system components in the PRA model. In addition, the concurrent with their definition in the system issue associated with this SR is not sensitive to this application in extending the notebooks. Perform the required engineering CFCU Technical Specification AOT because it is a documentation issue and not a analysis.

modeling issue.

This issue was addressed as part of the 2012 PRA Update. In particular, the AFW system and SI actuation logic and automatic initiation signals were reviewed and SY SY SR Some AFW signals (SI, LOSP) are not defined and revisions made and additional logic added to the PRA model where appropriate.

SY B11 01 B10 B11 Not Met no justification for exclusion is provided. Specifically, Section 2.6 of the AFW PRA System Notebooks (SA PRA 005.0001) documents the actuation signals that are modeled in the PRA for automatic system actuation.

Table 4 5 Assessment Of Supporting Requirement Capability Categories For Human Reliability Analysis RA RA Sa Sb Capability Associated Summary of Assessment Summary of Resolution 2009 2005 Category F&Os SR # SR #

The HRA Notebook (SA PRA 004) has been revised as part of The accident sequence specific timing of time window for the 2012 PRA update that resulted in the SA112A PRA model.

successful completion for CCS XHE FO ISOLT is based on a The notebook now describes the available system windows for calculation that does not address leakage. The calculation S CC operator intervention and use of cues for all the important and MDC 2111 is for loss of Service Water and does not address risk significant Human Error Probability (HEP) events. With leakage of the Component Cooling Water System. The time regard to the specific comments made against this SR, event window should account for leakage that would drain the CCW HR F2 01, HR CCS XHE FO ISOLT is no longer being used in the PRA model, HR F2 HR F2 SR Not Met system and make it inoperable. This is the limiting time since the F2 02 as it was a legacy event that no longer applies to the current CCW system will continue to cool with the leak until the surge treatment of internal flood mitigation. Events CIS XHE FC tank is drained. Other examples of problems with timing are the XLCNT and MSS XHE FO MS10 were analyzed in detail with lack of documentation for the timing used. This is noted in HRAs:

justification cited for the system time window that was used in CIS XHE FC XLCNT, AND MSS XHE FO MS10. It should be developing the human error probability. In addition, the issue noted that only a sampling was performed and that this may associated with this SR is not sensitive to this application in involve many more HRA analysis.

extending the CFCU Technical Specification AOT.

12

LR N17 0263 Table 4 6 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra Ra Sa Sb Capability Associated Summary of Assessment Summary Of Resolution 2009 2005 Category F&Os SR # SR #

Formal procedures now currently exist that describe the PRA update process, including what data collection is required. Actual plant specific failure and unavailability data were obtained from the Salem Maintenance Rule and MSPI programs. In accordance with ER AA 600 1015, plant specific updating of data should be considered for those events that satisfy either a Fussell Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0.

As a matter of practice, all MSPI monitored components, whether risk significant or not, use plant specific data to inform the generic industry data (i.e., Bayesian analysis). For other components Documentation describing the process of evaluating deemed risk significant, an importance measures report was maintenance records was identified in a draft procedure. All generated from a CDF cutset listing and a review made of those failures must be reviewed for applicability to the PRA model non MSPI applicable basic events that exceeded this criteria. The SR DA C4 DA C4 DA C4 01 and this process should be documented. All plant specific associated type codes for these basic events were then identified Not Met data came from MSPI or the Maintenance Rule, however and were listed in Table 7 1 of the PRA Data Notebook (SA PRA there was no documentation provided that these failures 010) to determine the type of plant components for which plant were reviewed as PRA failures. specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table 7 1 to support a Bayesian update of the generic data. For failure rates that are time dependent, e.g.,

standby failure rates, it was also necessary to record the critical operating hours for Salem Unit 1 and Unit 2, which are listed in Table 7 2 of the Data Notebook for the time period from July 2012 to September 2016. Further details may be found in the PRA Data Notebook (SA PRA 010).

13

LR N17 0263 Table 4 6 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra Ra Sa Sb Capability Associated Summary of Assessment Summary Of Resolution 2009 2005 Category F&Os SR # SR #

As part of the enhancements made during the 2012 PRA update, the process used for counting maintenance unavailabilities was more clearly described in the Salem PRA Data Notebook (SA PRA 010). In particular, Section 8.0 of SA PRA 010 states that unavailability due to test and maintenance was collected from plant records. Specifically, Maintenance Rule and MSPI unavailability Documentation describing the process of how to count data was used to determine train and component unavailability for maintenance unavailability was not identified. Plant Specific use in the PRA. Generic industry unavailability data was only used unavailability was only documented for MSPI components when no other information was available. Salem MRule Manager DA DA C12 SR Not Met DA C11a 01 which identifies the unavailability for support and frontline software and MSPI Derivation Reports for Unavailability Index were C11a systems separately, however it could not be determined that used as the primary sources of plant specific component and/or train this was the case throughout the model without a specific unavailability. Because maintenance practices change over time, guidance document. the best representation of the current plant practices would be seen in the most current data. This being the case, unavailability data was only collected and analyzed for the last 3 years, March 2012 through February 2015. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because it is a documentation issue, not a quantification issue.

Maintenance unavailabilities for shared systems between the two units was addressed in Section 8.1 of the Salem Data Notebook (SA PRA 010). Specifically, since some of the Maintenance Rule data was for shared systems (e.g., ECAC, GTG), common critical hours were needed. Common critical hours (denoted as C Hours)

While a table of critical hours was provided and the were calculated by determining the time during which either unit was Maintenance Unavailability Table provided in Appendix C critical. With regard to outage durations, it was assumed that the DA C13 DA C12 SR Not Met DA C12 01 appears to address these hours there was no specific C critical hours were the greater of the two units critical hours for documentation or guidance document provided that any months during which both plants were not critical 100% of the discusses how maintenance was treated for shared systems.

time (e.g., April 2012). If both units were critical for the entire month, the C hours would be the number of hours in the month. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because it is a documentation issue, not a quantification issue.

14

LR N17 0263 Table 4 6 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra Ra Sa Sb Capability Associated Summary of Assessment Summary Of Resolution 2009 2005 Category F&Os SR # SR #

A paragraph was added to section 8.2 of the Data Notebook (SA PRA 010) to document the treatment of concurrent unavailability for SW. Also, Note 12 was added at the bottom of Table C 1 in Appendix C of SA PRA 010 to denote the actual unavailability values that were used. In general, for other plant systems, the plant Coincident unavailability for service water pumps was records that were reviewed revealed that coincident unavailability modeled as shown in Appendix C of the Data Analysis amongst safety related trains was non existent, but because of the DA C14 DA C13 SR Not Met DA C13 01 Notebook, however, no overall guidance document could be number of SW pumps that exist at Salem (a total of six), it would be found to ensure all systems were reviewed for coincident possible that a pair of SW pumps could be simultaneously taken out unavailability. for maintenance. However, since the time period of interest did not show any such occurrence, legacy values used in previous versions of the PRA for dual maintenance unavailabilities amongst the SW pumps were maintained. Future versions to the ASME PRA Standard allude to the fact that dual maintenance terms can be excluded if supporting data exists All parameters identified in Table A 1 of SA PRA 010 now have a reference provided to show traceability of information. Table A 1 is a listing of the generic failure rates and probabilities that were used in the Salem PRA model, and were obtained primarily from the 2010 Observations of SA PRA 010, Table A 1. Mean values were update to NUREG/CR 6928. For those components where DA D3 DA D3 SR Met: (CC I) DA D3 01 provided along with error factors for most distributions. NUREG/CR 6928 could not be used, other appropriate sources were used, such as NUCLARR, NUREG/CR 2728, NUREG/CR 5500, and legacy values from earlier Salem PRA models. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

15

LR N17 0263 Table 4 7 Assessment of Supporting Requirement Capability Categories for Quantification RA RA Sa Sb Capability Associated Summary of Assessment Summary of Resolution 2009 2005 Category F&Os SR # SR #

Split fractions such as the ones mentioned in the summary description (MFI UNAVAILABLE and G2SW22) are listed in Table Split fractions and undeveloped events are included in the A 2 of the PRA Data Notebook (SA PRA 010) that was revised model. Examples include main Feedwater availability for during the 2012 PRA model update (SA112A) along with references ATWS (MFI UNAVAILABLE) and some Unit 2 systems to document the basis of their values. The split fraction for QU B10 QU B9 SR Not Met QU B9 01 credited for recovery of Unit 1 CAV failure (G2SW22). The unavailability of feedwater during an ATWS event was obtained from derivation of the values for these events is not documented WCAP 11992. The estimated value for event G2SW22, which to allow determination that consideration has been given to represents insufficient flow from the opposite unit Service Water the impact of shared events.

header, was obtained by quantifying a gate in the PRA model (G1CC324) that explicitly models unavailability of the 12 SW header.

Recovery events that were no longer applicable were removed from the recovery model logic during the 2012 PRA model update (SA112A). The use of recovery files is discussed in Section 5.3 of There is no discussion in the quantification notebook SA the Quantification notebook (SA PRA 014). The offsite power non QU D3 QU D1c SR Not Met QU A4 01 PRA 2008 01, Revision 4.1 that indicates this review was recoveries are discussed in Appendix D of the Accident Sequence completed.

Notebook (SA PRA 002). In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

In Tables 2 5 to 2 7 of Section 2.3 of the Initiating Events notebook (SA PRA 001) a comparison was made to the initiating events used for other PWR PRA models, i.e., South Texas Project, Watts Bar, and Surry to show that there were no applicable event categories This is a Capability Category I since there is no that would have been omitted from the Salem PRA model. Also, the QU D4 QU D3 SR Met: (CC I) QU D3 01 documentation to indicate that the Salem results were success criteria used for the Salem PRA model was benchmarked compared to the results of a similar plant. against the success criteria used for the Byron and Braidwood PRA models in Table 2 2 of the Success Criteria Notebook (SA PRA 003). Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

A description of top 25 cutsets related to CDF are discussed in Section 6 of the Quantification Notebook (SA PRA 014), which This requirement was not met because the importance of includes those SSCs and operator actions that contribute to event components and basic events was not performed. There is frequencies and mitigation. Also, Appendix D of SA PRA 014 QU D6 QU D5a SR Not Met QU F2 01 no definition of significant contributors to CDF. No discusses the dominant CDF and LERF accident sequences, documentation of an analysis for significant contributors to including a discussion of the type of initiating event and associated CDF. SSC failures and operator actions. Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

16

LR N17 0263 Table 4 7 Assessment of Supporting Requirement Capability Categories for Quantification RA RA Sa Sb Capability Associated Summary of Assessment Summary of Resolution 2009 2005 Category F&Os SR # SR #

A listing of the importance measures for CDF is presented in Section 7 of the Quantification Notebook (SA PRA 014), and an analysis of the baseline results for CDF and LERF for the SA115A PRA model are discussed in Appendix F of SA PRA 014. Appendix H discusses This requirement was not met because the importance of QU D7 QU D5b SR Not Met QU F2 01 the results for LERF as well as the other detailed Level 2 release components and basic events was not performed.

categories. The review of these results showed that they make logical sense. Also, since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

Table 4 8 Assessment of Supporting Requirement Capability Categories for Internal Flood RA RA Sa Sb Capability Associated Summary of 2009 Summary of Resolution 2005 Category F&Os Assessment SR #

SR #

An independent assessment was performed to investigate the merit of this peer review finding that deals with propagation pathways and the possible existence of other scenarios that were not already considered or perhaps that were subsumed by other scenarios. The independent Propagation paths for areas study revealed that there were no other postulated scenarios that were not already considered, IFSN A1 IF C1 SR Not Met IF C1 01 are defined for highly risk or that were more severe than those currently being modeled in the internal flood PRA. The significant cases only. details and results of this analysis are documented in Risk Application SA MISC 005 (Resolution of Internal Flood Peer Review Comments). In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because these scenarios are all transients and this particular application is more sensitive to LOCA scenarios.

Identification of propagation IFSN A8 IF C3b SR Met: (CC I) IF C3b 01 paths for each flood area is See response for F&O IF C1 01, since both F&Os are related to the same issue.

not present in documentation.

17

LR N17 0263 APLA RAI 2 Supporting requirement DA C2 of ASME/ANS RA Sa 2009 specifies that licensees collect plant specific data for the basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2. The issue identified in the F&O corresponding to DA C2 in Table 4 6 of Enclosure 1 of the LAR states that the licensee only collected plant specific data for Mitigating Systems Performance Index (MSPI) components but that a draft licensee procedure provided during the peer review requires that plant specific data be supplied for all Systems, Structures, Components (SSCs) with Risk Achievement Worths (RAWs) > 2 and Fussell Vesely (F V's) > 0.005. It is not clear how the resolution provided by the licensee addresses the specific concern that plant specific data (as defined in the SRs) be supplied for all SSCs with RAWs > 2 and F V's > 0.005 as directed by plant procedure. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. Clarification on whether the resolution indicated includes collecting plant specific data (for all basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2) as indicated in the F&O and not just MSPI components, or
2. A detailed justification discussing why not meeting SR DA C2 is sufficient for this application.

PSEG Response:

Plant specific data for all basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2 were collected. Using PSEG procedure ER AA 600 1015, and in accordance with Supporting Requirement DA D1 of the PRA Standard (ASME/ANS RA Sa 2009), plant specific updating of data should be considered for those events that satisfy either a Fussell Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0. An importance measures report was generated from a CDF cutset listing and a review made of those non MSPI applicable basic events that exceeded this criteria. The associated type codes for these basic events were then identified and are listed in Table RAI 2 1 to determine the type of plant components for which plant specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table RAI 2 1 to support a Bayesian update of the generic data. For failure rates that are time dependent, e.g., standby failure rates, it was also necessary to record the critical operating hours for Salem Unit 1 and Unit 2, which are listed in Table RAI 2 2 for the time period from July 2012 to September 2016.

This process was performed in support of the update for the SA115A PRA model.

18

LR N17 0263 TABLE RAI 2 1 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES

  1. Hours or Risk Functional Demands Significant Failure # Failures from July Description Comments SA115A Recorded? Recorded 2012 to Type Code (Y or N) September 2016 AC BUS LOSS OF AC1BACLP N POWER AC BUS LOSS OF AC2BACLP N POWER CIRCUIT BREAKER AC2BKRCO (GENERAL) FAILS TO N REMAIN CLOSED AC BUS LOSS OF AC4BACLP N POWER CIRCUIT BREAKER AC4BKRCC (GENERAL) FAILS TO N OPEN CIRCUIT BREAKER AC4BKRCO (GENERAL) FAILS TO N REMAIN CLOSED CHECK VALVE FAILS TO AC4CKVCC N OPEN MOTOR DRIVEN PUMP AC4MDPFR FAILS TO CONTINUE N OPERATING MOTOR DRIVEN PUMP AC4MDPFS N FAILS TO START TRANSFORMER LOSS AC4TFMLP N OF POWER AC5BACST AC BUS SHORT CIRCUIT N Salem Jet tested monthly; fail to start type GAS TURBINE code updated AC5GTSFS GENERATOR FAILS TO Y 5 51 even though START fail to run type code was significant.

AIR OPERATED VALVE AFSAOVCC N FAILS TO OPEN WATER/STEAM HEAT CCSHTXLK EXCHANGER EXTERNAL N LEAKAGE WATER/STEAM HEAT CCSHTXPG EXCHANGER PLUGGED N (DURING OPERATION) 19

LR N17 0263 TABLE RAI 2 1 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES

  1. Hours or Risk Functional Demands Significant Failure # Failures from July Description Comments SA115A Recorded? Recorded 2012 to Type Code (Y or N) September 2016 WATER/STEAM HEAT CCSHTXPL EXCHANGER PLUGGED N (DURING STANDBY)

TEMP ELEMENT/

CCSTSTNO TRANSMITTER/ SWITCH N FAILURE MANUAL VALVE FAILS CCSXVMOO N TO CLOSE Exposure time based on AIR OPERATED VALVE CVSAOVOC Y 1 33015.6 critical FAILS TO REMAIN OPEN operation for Unit 2.

DIFFERENTIAL PRESSURE CVSDPTNO N SENSOR/TRANSMITTER NO OUTPUT BATTERY (GENERAL)

DCPBATNO N LOSS OF POWER DC BUS LOSS OF DCPBDCLP N POWER DC BUS IN TEST AND DCPBDCTM N MAINTENANCE CIRCUIT BREAKER DCPBKRCO (GENERAL) FAILS TO N REMAIN CLOSED DCPCHGFR 125 VDC Charger Failure N DCPFUSSA FUSE OPEN N Baldor DG tested quarterly; fail to BALDOR DIESEL start type code DGSDGBFS GENERATOR FAILS TO Y 1 17 updated even START though fail to run type code was significant.

ESFLOGFC LOGIC CIRCUIT FAILS N LOAD SEQUENCER ESFSEQFC N FAILS TO OPERATE AIR OPERATED VALVE MSSAOVOO N FAILS TO CLOSE 20

LR N17 0263 TABLE RAI 2 1 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES

  1. Hours or Risk Functional Demands Significant Failure # Failures from July Description Comments SA115A Recorded? Recorded 2012 to Type Code (Y or N) September 2016 MOTOR OPERATED RHSMOVCC N VALVE FAILS TO OPEN CHECK VALVE FAILS TO SJSCKVCC N OPEN MOTOR OPERATED SJSMOVPL VALVE PLUGGED N (DURING STANDBY)

SJSTNKVF TANK FAILS N PORV VALVE FAILS TO SRVPRVOO CLOSE ON PRESSURE N RELIEF CHECK VALVE FAILS TO SWSCKVCC N OPEN CHECK VALVE FAILS TO SWSCKVOC N REMAIN OPEN MOTOR OPERATED SWSMOVOC VALVE FAILS TO REMAIN N OPEN STANDBY PUMP ROOM VASACXFR N COOLER FAILS TO RUN STANDBY PUMP ROOM VASACXFS COOLER FAILS TO N START STANDBY FAN OR VDGFNSFR BLOWER FAILS TO N CONTINUE OPERATING 4160 VAC EDGs are tested monthly; estimate at least 6 total demands per STANDBY FAN OR month since VDGFNSFS BLOWER FAILS TO Y 1 306 there are a START total of 6 ventilation fans; run failures assumed to be equivalent to start failures.

21

LR N17 0263 TABLE RAI 2 1 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES

  1. Hours or Risk Functional Demands Significant Failure # Failures from July Description Comments SA115A Recorded? Recorded 2012 to Type Code (Y or N) September 2016 AIR OPERATED DAMPER VDGPNDCC N FAILS TO OPEN TABLE RAI 2 2 CRITICAL HOURS FOR PLANT SPECIFIC DATA Common Month U1 Crit Hrs U2 Crit Hrs Crit Hrs 3/1/2012 743 658.85 743 4/1/2012 706.05 720 720 5/1/2012 602.25 744 744 6/1/2012 720 720 720 7/1/2012 744 744 744 8/1/2012 744 744 744 9/1/2012 720 720 720 10/1/2012 697.15 332 697.15 11/1/2012 693.72 297.37 693.72 12/1/2012 725.63 744 744 1/1/2013 744 744 744 2/1/2013 672 672 672 3/1/2013 743 743 743 4/1/2013 332 720 720 5/1/2013 229.57 744 744 6/1/2013 720 720 720 7/1/2013 744 744 744 8/1/2013 709.5 744 744 9/1/2013 720 720 720 10/1/2013 744 744 744 11/1/2013 721 721 721 12/1/2013 744 744 744 1/1/2014 744 730.02 744 2/1/2014 672 648.87 672 3/1/2014 743 743 743 4/1/2014 608.5 284 608.5 22

LR N17 0263 TABLE RAI 2 2 CRITICAL HOURS FOR PLANT SPECIFIC DATA Common Month U1 Crit Hrs U2 Crit Hrs Crit Hrs 5/1/2014 661.18 0 661.18 6/1/2014 720 0 720 7/1/2014 744 449.78 744 8/1/2014 744 744 744 9/1/2014 720 720 720 10/1/2014 452.85 744 744 11/1/2014 225.22 721 721 12/1/2014 744 744 744 1/1/2015 744 744 744 2/1/2015 672 672 672 3/1/2015 590.4 743 743 4/1/2015 565.42 720 720 5/1/2015 744 744 744 6/1/2015 720 720 720 7/1/2015 744 744 744 8/1/2015 744 672.33 744 9/1/2015 720 720 720 10/1/2015 744 524 744 11/1/2015 721 78.58 721 12/1/2015 744 744 744 1/1/2016 744 744 744 2/1/2016 696 644.45 696 3/1/2016 743 743 743 4/1/2016 332 720 720 5/1/2016 0 744 744 6/1/2016 0 652.38 652.38 7/1/2016 67.57 734.27 734.27 8/1/2016 744 735.2 744 9/1/2016 720 602.32 720 Total 24113.62 23128.89 26011.55 Since most of the risk significant equipment type codes did not experience any applicable failures, they were not required to be updated, and generic industry data was considered sufficient. While this approach is slightly conservative, since it does not account for small periods of successful operation, it is still consistent with DA A1, Capability Category II.

However, there were four equipment type codes against which failures were recorded, and these type codes were updated using Bayesian techniques. The results are shown in Table RAI 2 3:

23

LR N17 0263 Table RAI 2 3 Plant Specific Data Update for Risk Significant Type Codes NUREG/CR 6928 (2010 # Hours or Update) Demands from Type of # Failures Posterior Posterior Posterior Description Type Code Mean Failure Prior Prior July 2012 to Variance Comments Dist. Experienced Mean Rate (per September year or per 2016 demand)

Combustion Turbine Fails to Start (NUREG/CR 6928, 2010 Update) CTG FTS 1.56E 02 Beta 10.5 6.629E+02 5 51 15.5 7.139E+02 2.13E 02 2.85E 05 Combustion Turbine Fails to Load/Run Salem Jet tested (NUREG/CR 6928, monthly; fail to start 2010 Update) CTG FTLR 1.60E 05 Beta 2.5 1.563E+05 None Same as Prior Distribution type code updated Combustion Turbine even though fail to Fails to Start run type code was (Combined) AC5GTSFS Beta 2.13E 02 2.86E 05 significant.

Air Operated Valve Spurious Operation (NUREG/CR 6928, 2010 Update) AOV SOP 1.31E 07 Gamma 0.680 5.211E+06 1 33015.6 1.68 5.244E+06 3.20E 07 6.11E 14 Exposure time based Air Operated Valve on critical operation Fails to Remain Open CVSAOVOC Gamma 3.20E 07 6.11E 14 for Unit 2.

EDG Station Blackout Fails to Start Baldor DG tested (NUREG/CR 6928, quarterly; fail to start 2010 Update) EDG SBO FTS 4.32E 02 Beta 1.094 2.423E+01 1 17 2.094 4.123E+01 4.83E 02 1.04E 03 type code updated BALDOR Diesel even though fail to Generator Fails to run type code was Start DGSDGBFS Beta 4.83E 02 1.04E 03 significant.

24

LR N17 0263 Table RAI 2 3 Plant Specific Data Update for Risk Significant Type Codes NUREG/CR 6928 (2010 # Hours or Update) Demands from Type of # Failures Posterior Posterior Posterior Description Type Code Mean Failure Prior Prior July 2012 to Variance Comments Dist. Experienced Mean Rate (per September year or per 2016 demand)

Standby Fan Fails to 4160 VAC EDGs are Start (NUREG/CR tested monthly; 6928, 2010 Update) FAN SBY FTS 8.42E 04 Beta 34.5 4.093E+04 1 306 35.5 4.124E+04 8.60E 04 2.08E 08 estimate at least 6 Standby Fan Fails to total demands per Run < 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> month since there (NUREG/CR 6928, FAN SBY are a total of 6 2010 Update) FTR<1H 1.07E 03 Beta 33.5 3.125E+04 None Same as Prior Distribution ventilation fans; run Standby Fan or Blower failures assumed to Fails to Start be equivalent to start (Combined) VDGFNSFS Beta 1.93E 03 5.51E 08 failures.

25

LR N17 0263 APLA RAI 3 Supporting requirement DA C8 of ASME/ANS RA Sa 2009 specifies that for Capability Category II/III to be met, licensees should use plant specific operational records to determine the time that components were configured in their standby status. The corresponding F&O for SR DA C8 in Table 4 6 of Enclosure 1 of the LAR indicates that the licensee did not provide a basis for the estimated times that applicable components were in their standby configuration.

The licensees resolution does not indicate whether the times used for equipment configured in their standby status are derived from plant specific operational records. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. Clarification on whether the equipment standby times are taken from plant specific operational records, or
2. A justification discussing why not meeting SR DA C8, or meeting SR DA C8 at Capability Category I, is sufficient for this application.

PSEG Response:

Two significant updates to the 2010 NUREG/CR 6928 [Reference 2] component reliability data sheets includes providing both the Fails to Start data for standby equipment and the Fails to Run <1 HR data with beta distribution. This allowed the data to be easily combined to determine the new Fails to Start failure rate for standby equipment. Therefore, there was no need to identify a specific number standby hours for equipment normally in a standby status, since the standby failure rate model is not used in the Salem SA112A or SA115A PRA models.

Note that Supporting Requirement DA C8 starts with the phrase: When requiredU. PSEGs use of industry standard NUREG/CR 6928 data significantly reduces this requirement.

APLA RAI 4 Supporting requirement DA C10 of ASME/ANS RA Sa 2009 specifies that for Capability Category II to be met, licensees should review the test procedure to determine whether a test should be credited for each possible failure mode. In addition, the licensee should count only completed tests or unplanned operational demands as success for component operation. If the component failure mode is decomposed into sub elements (or causes) that are fully tested, then the licensee should use tests that exercise specific sub elements in their evaluation. The peer review found that the SR was not met, stating in the F&O for SR DA C10 that:

Documentation describing the process of reviewing test procedures to determine surveillance test data could not be identified. No specific surveillance tests were discussed in the Data Analysis Notebook. The Systems Analysis Notebooks for specific systems described various surveillance testing, but did not reference surveillance tests by name.

26

LR N17 0263 As a resolution to the F&O, the licensee stated that:

Initiating event category tables were provided in the revised Initiating Events Notebook (SA PRA 001) to provide a benchmark comparison to ensure that Salem initiating event categories were adequate in capturing the necessary PRA initiating events. The plants compared were South Texas, Surry, and Watts Bar. No further action required.

It appears that the licensees response is not related to the issue identified in the F&O. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. A discussion describing how, in relation to the issues indicated in the F&O, the licensee meets SR DA C10 to Capability Category II or higher, or
2. A justification discussing why not meeting SR DA C10, or meeting SR DA C10 at Capability Category I, is sufficient for this application.

PSEG Response:

The initial response that was provided was in error, since it dealt with a response to a different F&O.

Surveillance tests and their frequency were used to determine the number of demands for determining plant specific operating experience for updating generic data that was used for risk significant components modeled in the PRA. For capability category II to be met for PRA Standard Supporting Requirement DA D1, it requires that realistic parameter estimates be made for significant basic events based on relevant plant specific evidence. It is the number of surveillance tests that is a part of this exercise in determining more realistic parameter estimates. Specifically, the response to APLA RAI 2 shows that the number of demands were determined based on the number of functional tests for the component of interest (see Table RAI 2 3), which were determined based on configuration risk management schedules in support of 10 CFR 50.65(a)(4) planning and interviews with work control personnel at the Salem plant.

This information was necessary for the Bayesian updating process in which the denominator of for the generic demand failure probability is updated with this plant specific information.

Therefore, this F&O has been addressed and Supporting Requirement DA C10 is considered to be met at Capability Category II. In addition, this particular issue does not have a noticeable impact on this application associated with extending the CFCU Technical Specification AOT.

APLA RAI 5 Section 2.3.2 of RG 1.177 states that, as a minimum, the licensee should perform evaluations of core damage frequency (CDF) and large early release frequency (LERF) to support any risk informed changes to the TSs. The licensee used its base PRA to evaluate the change in CDF (i.e., Level 1 PRA) and LERF associated with the AOT extension. As part of its application, the licensee included F&O tables indicating the Capability Category and any associated F&Os for each applicable SR. However, these tables only included applicable SRs associated with the Level I portion of the PRA. These tables did not include a disposition of SRs associated with 27

LR N17 0263 LERF. Specifically, SRs LE A1 through LE G6. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. Provide all F&Os characterized as findings from the peer review of the internal events, Level 2 PRA. For each F&O, include details of its disposition or why not meeting the corresponding Capability Category II requirements has no impact on the application.

Specifically, SRs LE A1 through LE G6, or

2. A detailed justification discussing why no peer review of the SRs associated with LERF is acceptable for this application.

PSEG Response:

The table of LERF F&Os was inadvertently omitted and is provided below in Table RAI 5 1:

28

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Level 2 Analysis notebook, SA PRA 015, Section LE A1 LE A1 SR Met 2 addresses those physical characteristics at the N/A time of core damage that can influence LERF.

Level 2 Analysis notebook, SA PRA 015, Appendix A addresses accident sequence LE A2 LE A2 SR Met N/A characteristics at the time of core damage that can influence LERF.

Level 2 Analysis notebook, SA PRA 015, Appendix A addresses those adjustments LE A3 LE A3 SR Met N/A needed between the Level 1 event trees and the containment event trees.

Level 2 Analysis notebook, SA PRA 015, Appendix A addresses those adjustments LE A4 LE A4 SR Met N/A needed between the Level 1 event trees and the containment event trees.

Level 2 Analysis notebook, SA PRA 015, LE A5 LE A5 SR Met Appendix A defines the plant damage state N/A groupings in Section 3.

Level 2 Analysis notebook, SA PRA 015, Sections 1 and 2 discuss unique plant issues and SR Met:

LE B1 LE B1 LERF contributors. The issues identified in Table N/A (CC II) 4.5.9 3 are addressed with the exception of in vessel recovery which is not credited.

29

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Category II for LE B2 says "using applicable generic or plant specific analyses for significant containment challenges", while conservative analyses can be used for non significant challenges. Conservative analyses were not used for significant challenges, though they were used for initial categorization. MAAP analyses and plant specific analyses were used to support the final LERF contributors. Use of plant specific parameters, such as containment fragility, are documented in the Level 2 Analysis Notebook (SA PRA 015). Section 2.0 of SA PRA 015 states that Analysis does address challenges, but plant in order to assess the accident progression SR Met:

LE B2 LE B2 LE B2 01 specific analyses are treated in a conservative following a core damage event, the Level 2 (CC I) manner. analysis used a containment event tree shown in Figure 2 1 of SA PRA 015 to determine the type of release, if any. Each node in the event tree is based on plant specific Salem parameters, recent accident progression research, and other Salem specific analyses. Where applicable, the documentation was updated to emphasize realistic, plant specific analyses. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

MAAP analyses using plant specific inputs SR Met:

LE B3 LE B3 performed, but utilized in a somewhat N/A (CC II) conservative manner.

30

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

A discussion of LERF and its definition were added to the Level 2 Notebook (SA PRA 015) in order to explain how LERF and non LERF designations were developed and assigned. Specifically, Section 5.0 of this notebook defines the major release categories that were evaluated:

INTACT - Containment structure and function succeed and prevent a large or late release of fission products.

LATE - Containment failure occurs, but is SR Met: Analysis of non LERF or analysis of factors considered late because of a significant time delay LE C1 LE C1 LE C1 01 (CC I) contributing to non LERF was not addressed. between core damage and containment failure.

LERF - Containment failure occurs early in the scenario. Early releases are defined as those releases that occur within a short time following core damage, such that adequate evacuation time is not available to protect the public from prompt health effects.

SERF - Containment is bypassed, such as due to an initiating steam generator tube rupture, but successful filling of the steam generator scrubs the release to reduce it to a small magnitude.

31

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Of the human error probabilities (HEPs) that were associated with containment isolation actions, only SJS XHE FO MANAC (Operator fails to open or close valves per EOPs) was found to exceed the criteria for risk significance, and the failure probability was evaluated in detail (not a screening value) in the SA115A PRA model. There were only two HEPs that were found to be risk significant in the SA115A model, i.e., time critical operator Screening values appear to have been used for actions. They were AFS XHE FO REC1 (Operator SR Met: containment isolation actions. No operator LE C2 LE C2a LE C2a 01 failure to close AFW discharge valves locally) and (CC I) actions are directly called out in the containment ISL XHE VD1 (Operator fails to isolate RHR to event tree.

avoid ISLOCA). These HEPs are both documented in Appendix F of the HRA Notebook (SA PRA 004) and will require a detailed evaluation as part of a future scheduled PRA update. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

32

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

The Quantification Notebook (SA PRA 014) discussed some of the dominant initiators that lead to LERF in Appendix H where pre emptive actions could be taken to reduce the impact to LERF, e.g.,

installation of door sweeps to reduce the flow of water into the 230/460 VAC switchgear rooms due to internal floods. In general, it was decided that no credit for repair of failed equipment was SR Met: Repair of failed equipment is not addressed in necessary for LERF scenarios. That is, other than LE C3 LE C2b LE C2b 01 (CC I) the Level 2 Analysis notebook, SA PRA 015. the possibility for recovery of offsite power for station blackout events, no repair of failed equipment was directly credited or modeled in the SA115A model for mitigation of LERF sequences.

In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

33

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Since the time of the peer review, potential scrubbing of SGTR releases was added to the PRA model. In addition, text was added to the Level 2 Analysis Notebook (SA PRA 015) to describe mitigating actions and beneficial failures that are modeled. Even without operator action, some scrubbing does occur in the thermal hydraulic modeling of SGTRs, if applicable, such SR Met: Fission product scrubbing and mitigating actions LE C4 LE C3 LE C3 01 as in release category LERF SGTR AFW, which (CC I) by plant staff are not addressed.

represents sequences caused by a steam generator tube rupture that have successful operation of auxiliary feedwater. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

SR Met: Realistic generic success criteria appear to have LE C5 LE C4 N/A (CC II) been used.

LE C6 LE C5 SR Met N/A LE C7 LE C6 SR Met N/A LE C8 LE C7 SR Met One top model. N/A Since there was no credit given in the SA115A PRA model for equipment survivability or human actions under adverse environments, there was no need to justify any type of credit. In addition, since SR Not No discussion provided in the documentation LE C9 LE C8a LE C8a 01 the functional loss of CFCUs can only lead to Met related to environment.

LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

34

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

SR Met:

LE C10 LE C8b LE C8a 01 No analysis provided. N/A (CC I)

SR Met:

LE C11 LE C9a LE C8a 01 No credit taken. N/A (CC I)

SR Met:

LE C12 LE C9b LE C8a 01 N/A (CC I)

SR Met: Section 2 notes that credit is not taken for LE C13 LE C10 LE C3 01 N/A (CC I) scrubbing of SGTR damage scenarios.

The Cat II SR requires "a realistic containment capacity analysis for the significant containment challenges" and "a conservative or a combination of conservative and realistic evaluation of containment capacity for nonsignificant containment challenges." In the Salem Level 2 analysis, early containment failure is not a significant contributor, therefore conservative or a combination of realistic and conservative evaluations are acceptable. The early containment failure probabilities from the NUREGs are based SR Met: Early containment loads are addressed using on plant specific analysis or generic analysis that LE D1 LE D1a LE D1a 01 (CC I) NUREG information. is adjusted to be applicable to Salem. Also, a Salem specific containment structural evaluation and failure characterization that had been performed for a previous revision of the PRA was used in the SA115A Level 2 analysis due still being applicable. Therefore, no further work is necessary to comply with Category II of LE D1. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

35

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Section 2.2 of the Success Criteria Notebook (SA PRA 003) now references the evaluation of penetrations, hatches and seals for containment, which is documented in calculation S C.ZZ NEE 0686, Probabilistic Engineering Evaluation of Salem Units 1 and 2 Containment Performance for Beyond Design Basis Conditions. This calculation determined that hatches and seals were evaluated SR Not LE D2 LE D1b LE D1b 01 No analysis for penetrations, hatches, seals and found to have a higher pressure capacity than Met the meridional membrane capacity of the dome that proved to be the limiting failure location of the containment vessel. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

SR Not LE D3 LE D2 N/A Applicable SR Met:

LE D4 LE D3 N/A (CC II)

SR Met:

LE D5 LE D4 N/A (CC II)

SR Met:

LE D6 LE D5 N/A (CC II) 36

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

The Containment Isolation System Notebook (SA PRA 005.0007) now provides a set of criteria to determine whether containment penetrations should be modeled for their safety significance in the PRA, such as size of line, number of valve isolations, etc. The Success Criteria Notebook (SA PRA 003) in Section 2.2 states that containment penetrations, hatches and seals were also evaluated and found to have a higher The CI model (SA PRA 005.07) does not provide pressure capacity than the meridional membrane SR Not sufficient information and does not address LE D7 LE D6 LE D6 01 capacity of the dome that proved to be the limiting Met potential failures due to air locks or other failure location. The basis for this statement is locations.

found in PSEG document S C ZZ NEE 0686 (Probabilistic Engineering Evaluation of Salem Units 1 and 2 Containment Performance for Beyond Design Basis Conditions). In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE E1 LE E1 SR Met Appropriate SSC and HFE values are utilized. N/A SR Met: The LERF analysis makes heavy use of the See the F&O response for the 2009 SR LE D1, LE E2 LE E2 LE D1a 01 (CC I) NUREG documents. since both F&Os are related to the same issue.

37

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

The Level 2 Analysis Notebook (SA PRA 015) explains in detail those accident sequences that satisfy the definition for LERF, and are listed in Table 7 1, which defines the type of accident sequence and initiating event that is involved. To Early containment failures, bypass sequences, satisfy this F&O, more detail was given in this SR Met:

LE E3 LE E3 LE D1a 01 and isolation failures are designated as LERF section of SA PRA 015 that better explains what (CC I) contributors. accident progression sequences can lead to LERF.

In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LERF is quantified consistent with the applicable LE E4 LE E4 SR Met QU B3 01 requirements. A minor issue related to truncation N/A limit is identified in QU B3 01.

Table 8 2 of the Salem PRA Level 2 Analysis SR Met:

LE F1 LE F1a Notebook shows the calculated results for the N/A (CC II/III) detailed release categories.

38

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

A summary of the Level 2 results is provided in Appendix H of the Quantification Notebook (SA PRA 014). The comparison to the value for CDF was discussed, in which it was noted that the direct sum of the four major Level 2 endstates (INTACT, LERF, SERF, and LATE), which was 9.5E 06/yr, is a little more than the calculation of CDF at 8.4E Other than verifying that the sum of the three end 6/yr for the SA115A PRA model. This is due to states (INTACT, LATE and LERF) is SR Not summation of low probability sequences below the LE F2 LE F1b LE F1b 01 approximately equal to the core damage Met truncation threshold used for the quantification of frequency, no checks on the reasonableness of CDF and the inclusion of non minimal Level 1 the LERF contributors is documented.

sequences in the summation of the Level 2 release categories. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O..

Bounding assumptions are identified in the documentation. Sources of uncertainty are addressed in a draft evaluation using guidance SR Met: See the F&O response for the 2009 SR LE G4, N/A LE F2 SC C3 02 from draft EPRI report, "Treatment of Parameter (CC I) since both F&Os are related to the same issue.

and Model Uncertainty for Probabilistic Risk Assessments." No documentation of sensitivity studies was found.

The uncertainty associated with LERF was addressed in the Salem PRA Uncertainty Notebook (SA PRA 018), with the results being LERF uncertainties are not characterized presented in Section 5.1.2.1 In addition, since the SR Not LE F3 LE F3 LE F3 01 consistent with the requirements in Tables 4.5.8 functional loss of CFCUs can only lead to LATE Met 2(d) and 4.5.8 2(e). sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

39

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

The LERF analysis documentation appears to be LE G1 LE G1 SR Met adequate for supporting PRA applications, N/A upgrades, and peer review.

The LERF notebook documents the process LE G2 LE G2 SR Met N/A used to arrive at the LERF estimates.

Table 8 2 of the Salem PRA Level 2 Analysis SR Met:

LE G3 LE G3 Notebook shows the calculated results for the N/A (CC II/III) detailed release categories.

This issue has no impact on the quality of the PRA and is only meant to aid reviewers in identifying what assumptions were made during development of the Success Criteria Notebook (SA PRA 003).

Each PRA System Notebook (SA PRA 005.0001 Assumptions are embedded in the .0020) now has a section that lists assumptions documentation rather than captured in a specific that were made as part of the systems analysis.

section. Sources of uncertainty are addressed in Also, the Uncertainty Notebook (SA PRA 018) was SR Not SC C3 01, a draft evaluation using guidance from draft EPRI officially issued and includes a section on model LE G4 LE G4 Met SC C3 02 report, "Treatment of Parameter and Model uncertainty and references both EPRI 1026511, Uncertainty for Probabilistic Risk Assessments." which addresses the use of PRA and the treatment No documentation of sensitivity studies was of uncertainty, and EPRI 1016737, which found. addresses the treatment of parameter and model uncertainty In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

40

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

Appendix A of the Uncertainty Notebook (SA PRA 018) discusses model uncertainty issues and plant specific issue characterizations that can be extended to identification of impacts on various risk applications. For example, the treatment of core melt arrest in vessel has been limited. However, recent NRC work has indicated that there may be more potential than previously credited. For this particular issue, Salem has taken the approach SR Not Limitations in the LERF analysis that would LE G5 LE G5 LE G5 01 that no credit will be given for recovery of core Met impact applications are not documented.

cooling following core damage and prior to reactor vessel failures. In other words, all core damage sequences proceed to vessel failure. Although this issue could provide an impact to certain applications related to Level 2 release categories, this particular LAR dealing with extending the Technical Specification AOT for CFCU unavailability is relatively unimportant with regard to LERF.

41

LR N17 0263 Table RAI 5 1 Assessment Of Supporting Requirement Capability Categories For LERF RA Sa RA Sb Capability Associated 2009 2005 Summary of Assessment Summary of Resolution Category F&Os SR # SR #

A significant accident progression sequence is one of the set of accident sequences contributing to large early release frequency resulting from the analysis of a specific hazard group that, when rank ordered by decreasing frequency, sum to a specified percentage of the large early release frequency, or that individually contribute more than a specified percentage of large early release frequency for that hazard group. Specifically, the SR Not A definition for significant accident progression summed percentage is 95% and the individual LE G6 LE G6 LE G6 01 Met sequence is not documented. percentage is 1% of the applicable hazard group.

The dominant accident sequences that contribute to LERF are listed and described in Section D of the Quantification Notebook (SA PRA 014), and the relative contribution to LERF for each of the modeled initiating events is listed in Appendix F of SA PRA 014. Since this is a documentation issue, it has no impact on the results for this LAR dealing with extending the Technical Specification AOT for CFCU unavailability.

42

LR N17 0263 APLA RAI 6 Supporting requirement IFSN A7 of ASME/ANS RA Sa 2009 specifies that for the SR to be met, the licensee, in applying SR IFSN A6 to determine susceptibility of SSCs to flood induced failure mechanisms, should credit the operability of SSCs identified in SR IFSN A5 with respect to internal flood impacts only if supported by an appropriate combination of: (a) test or operational data; (b) engineering analysis; and (c) expert judgment. The associated F&O in Table 4 8 of Enclosure 1 of the LAR indicated that the licensees basis that walkdown observations revealed air operated valves (AOVs) and motor operated valves (MOVs) were of a robust design that would exclude them from being susceptible to water damage for spray scenarios was insufficient for determining susceptibility of these components to flood induced failure mechanisms per this SR. The licensees resolution stated that the robustness of AOVs and MOVs with regard to spray scenarios was an informed judgment based on empirical observation and reinforced by a paper presented at the PSA 2008 ANS conference by J. Lin, and that water spray does not generally prevent AOVs and MOVs from operating, and although it may remotely be possible, the most likely result is that it will not. The licensees resolution still does not present an adequate justification supported by an appropriate combination of test or operational data, engineering analysis, and expert judgment. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. An adequate justification, including any supporting documentation, that describes clearly the link between the observed robustness of the valves and the empirical information from test or operational data and/or engineering analysis that would lead expert judgment to conclude that the observed robustness is sufficient to preclude failure from spray flooding, or
2. A justification discussing why not meeting SR IFSN A7 is acceptable for this application.

PSEG Response:

PSEG did a supplemental analysis of the PRA results to determine which valves could potentially affect the decision in this LAR. The Containment Spray recirculation valves (CS36 -

one per train) were identified as the most important valves, so a quantitative bounding risk analysis was performed. These and other potentially important valves were walked down to evaluate the potential effects of spray. No potential vulnerabilities to spray events were found, resulting in no additional increase in risk.

The supplemental analysis is an expansion of the analysis described in Section 5.2 of the LAR risk analysis, focusing on spray scenarios. Potentially significant AOVs and MOVs were identified by looking at the cutsets that contribute to the risk increase associated with the AOT extension for CFCUs. As described in the LAR, the CAFTA DELTERM function was used.

Valves that fail to the required position to support recirculation were eliminated from further analysis.

In addition to the above bounding risk analysis, PSEG did a supplemental internal flood walkdown to analyze the vulnerabilities to spray events that could affect the conclusions of this LAR. As expected, the most important valves were the containment spray valves (CS36), which 43

LR N17 0263 were analyzed above in this response. Additionally, the next echelon of potentially important valves were identified by inspecting the cutsets and importance measures.

Risk Analysis of the CS36 Valves in Spray Scenarios A walkdown was performed by station personnel for the CS36 valves, which support operation of containment sprays during the recirculation phase of operation in which water collected in the reactor containment sump is sent through the Residual Heat Removal (RHR) pumps and heat exchangers before being discharged to the spray nozzles inside containment. Containment sprays can be used to mitigate the increase in containment pressure during a LOCA event.

Because the Containment Spray System (CSS) is another means of containment pressure control and is redundant to CFCUs, these motor operated valves (MOVs) become risk significant when two CFCUs are made unavailable due to maintenance. With regard to spray scenarios, there was no evidence found that a single spray scenario from any one source of water would be able to disable both valves. This is due to the physical separation between the two valves and the presence of walls and other barriers that would prevent damage to both MOVs from any single spray source. Figure RAI 6 1 shows a photograph of one of these CS36 valves, illustrating the robust design of MOV motor operators that employ threaded electrical connections, which would resist any water intrusion from a spray of water. In addition, these particular valves were identified to be Environmentally Qualified (EQ) to withstand any harsh environmental conditions that might be encountered from a design basis event. Internal flood scenarios typically involve moderate energy line break scenarios, such that the environmental conditions during a spray event would be less severe than for a design basis event that would result in higher humidity and temperatures.

FIGURE RAI 6 1 PICTURE OF MOV 11CS36 - CONTAINMENT SPRAY DISCHARGE VALVE FROM RHR PUMPS 44

LR N17 0263 However, in an effort to show the sensitivity associated with failing air operated valves (AOVs) and motor operated valves (MOVs) for spray scenarios, the risk significant flood area of interest (flood area MP 078) was analyzed assuming that all water sources in this area were responsible for causing spray damage to the AOVs and MOVs contained within this area. Figure 3 1 of risk application SA LAR 010, which was part of the supplemental information submitted in May 2017, showed that internal flood submergence scenarios were responsible for about 7.6% of the change in risk associated with the CFCU AOT extension.

The SA115A PRA model was chosen for this sensitivity analysis, which made use of the same configuration changes explained in Section 3.4.3 of the original risk application (SA LAR 007)

[Reference 4]. Table RAI 6 1 shows that when this spray scenario is included, the change in risk is still minimal:

Table RAI 6 1 Quantitative Results of the Risk Metrics for Concurrent Unavailability of Two CFCUS (INCLUDES SPRAY SCENARIO THAT FAILS ALL AOVS AND MOVS IN FLOOD AREA MP 078A)

Parameter Value Comments TCYCLE 547.5 days Based on 18 month refueling cycle TCFCU 14 days Number of days that two CFCUs are unavailable CDF based on application of flag file for two CDFCFCU 8.80E 06 unavailable CFCUs and adjusted CCF term LERF based on application of flag file for two LERFCFCU 4.66E 07 unavailable CFCUs and adjusted CCF term CDFBASE 8.38E 06 CDF for PRA MOR LERFBASE 4.66E 07 LERF for PRA MOR Average CDF over one 18 month refueling cycle for CDFAVE 8.41E 06 three instances of dual CFCU unavailability for 14 days at a time Average LERF over one 18 month refueling cycle LERFAVE 4.66E 07 for three instances of dual CFCU unavailability for 14 days at a time Difference between CDF with current technical specifications and the CDF for an average 18 CDF 3.17E 08 month cycle with three instances of concurrent unavailability of two CFCUs extended to 14 days This value is below Region III of RG 1.174 Difference between LERF with current technical specifications and the LERF for an average 18 LERF 3.62E 11 month cycle with three instances of concurrent unavailability of two CFCUs extended to 14 days This value is well below Region III of RG 1.174 ICCDPCFCU 1.58E 08 Below 1E 06 Acceptance Guideline of RG 1.177 ICLERPCFCU 1.81E 11 Below 1E 07 Acceptance Guideline of RG 1.177 45

LR N17 0263 Analysis of Other Valves Potentially Vulnerable to Spray:

The following valves modeled in the PRA that exhibited a Risk Achievement Worth (RAW) greater than 2.0 were included in the supplemental walkdowns, and are listed below in Table RAI 6 2:

Table RAI 6 2 AOVs and MOVS Identified for Supplemental Walkdowns Flood Valve Type Area CC16 MOV AB 055 CC16 MOV AB 055 DR6 AOV AB 084 C 1AF21 AOV AB 084 C 2AF21 AOV AB 084 C 3AF21 AOV AB 084 C 4AF21 AOV AB 084 C Plant walkdowns were conducted to identify the location and configuration of the valves listed in Table RAI 6 2. The walkdowns were conducted by experienced engineers and PRA internal flooding analysts, and the results will be added to the internal flooding PRA documentation during the next Salem PRA update.

46

LR N17 0263 The 21CC16 and 22CC16 MOVs were physically separated from each other such that any one spray scenario would not disable both valves. These are Component Cooling Water valves that are located on the discharge side of the Residual Heat Removal (RHR) heat exchangers.

Additionally, all piping within the vicinity of these valves was insulated and encapsulated with metal lagging, which serves to prevent a spray of water from wetting components located at a distance. Figure RAI 6 2 shows a photograph of valve 22CC16, which shows the robust design of the MOV with no opening for water ingress, and the surrounding lagged piping.

FIGURE RAI 6 2 PICTURE OF MOV 22CC16 - RHR HEAT EXCHANGER CCW OUTLET VALVE 47

LR N17 0263 The 1DR6 valve is the valve used to refill the Auxiliary Feedwater Storage Tank (AFWST) with water from the Demineralized Water storage tanks after approximately 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> of Auxiliary Feedwater (AFW) pump operation before it empties. Figure RAI 6 3 shows the robust design of this valve with no vulnerabilities that would allow a spray of water to disable the function of this valve. Additionally, the solenoid valve that ports the flow of air to the diaphragm of the valve operator is physically located in a separate location of the plant within a closed cabinet sealed with a gasket. The visible electrical connection on top of the valve provides for remote indication of valve position, and is a well sealed threaded connection that would protect against water intrusion from a nearby spray source.

FIGURE RAI 6 3 PICTURE OF AOV 1DR6 - REFILL VALVE FOR AFWST 48

LR N17 0263 The AF21 valves are the flow control valves on the discharge side of the motor driven AFW pumps. Figure RAI 6 4 shows a photograph of one of these valves (AOV 23AF21), which illustrates its robust design that would be impervious to a spray of water from a nearby pipe rupture. The threaded electrical connection on one of the AF21 valves that provides for remote valve position indication is more clearly seen in Figure RAI 6 5, which clearly shows its resistance to water ingress from a spray of water.

FIGURE RAI 6 4 PICTURE OF AOV 23AF21 - AFW DISCHARGE FLOW CONTROL VALVE 49

LR N17 0263 FIGURE RAI 6 5 PICTURE OF THREADED ELECTRICAL CONNECTION ON AF21 VALVE FOR REMOTE INDICATION OF VALVE POSITION Conclusion The analysis and walkdowns were performed in accordance with IFSN A7 of the PRA standard

[Reference 1], which allows an appropriate combination of test or operational data, engineering analysis and expert judgement. This analysis and walkdown validated the conclusions in the paper presented at the PSA 2008 ANS conference by J. Lin, and is applicable to the Salem plant. The observed AOVs and MOVs are not susceptible to internal flood spray effects, and even if they were, the risk increase would not be significant. Therefore, the Salem PRA adequately models internal flood spray scenarios with respect to their effect on CFCU related scenarios quantified in support of this LAR.

APLA RAI 7 Regulatory Position 2.1 of RG 1.200, Revision 2 states that if a licensee demonstrates that the parts of a PRA that are used to support an application comply with the ASME/ANS PRA standard, when supplemented to account for the staffs regulatory positions contained in Appendix A, the NRC would considered the PRA to be adequate to support the applicable risk informed regulatory application. In Section 4.1.3 of Enclosure 1 of the LAR, the licensee stated 50

LR N17 0263 that it performed a gap assessment against the NRC clarifications in Appendix A of RG 1.200, Revision 2 with regard to the ASME standard, RA Sa 2009. The licensee provides the results of the gap assessment in Table 4 11 of Enclosure 1. However, Table 4 11 only includes the assessment of NRC regulatory positions for three SRs. The information supplied by the licensee in Table 4 11 is not sufficient for the staff to determine if the licensee supplemented appropriately ASME/ANS RA Sa 2009 to account for the staffs regulatory positions contained in Appendix A of RG 1.200. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in this risk informed application.

Please provide one of the following:

1. A gap assessment of all regulatory positions contained in Appendix A of RG 1.200 for the applicable hazards. The assessment should include a disposition of all clarifications and qualifications (i.e., not limited just to SRs) for the applicable hazards, or
2. A justification discussing why the requested gap assessment is not necessary.

PSEG Response:

A comparison table (Table RAI 7 1) was constructed to denote the differences between Revision 1 and 2 of NRC Regulatory Guide (RG) 1.200. In particular, this comparison focused on any new information that was contained in Revision 2 that was either changed or non existent in Revision 1. A disposition is offered in Table RAI 7 1 for each noted difference to explain how compliance with the ASME PRA Standard [Reference 1] was maintained in going from Revision 1 to Revision 2. By definition, if there was no difference with any of the clarifications or qualifications between Revision 1 and Revision 2 of RG 1.200, then the peer review of the PRA model [Reference 7] would have already addressed these items and not require any additional assessment for this RAI response. The yellow highlighting is provided as a visual aid to help the reader identify the differences noted between Revisions 1 and 2 of RG 1.200.

In performing this exercise, there were no instances found where differences in the clarifications between Rev. 1 and Rev. 2 of RG 1.200 would have necessitated a change to the PRA model or documentation. Additionally, there were no differences in any of the qualifications between Rev. 1 and Rev. 2 of RG 1.200. Because of this, only clarifications are listed in Table RAI 7 1.

51

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 3.5 Use of the word significant 2nd paragraph: This is only a change in the definition for should match definitions If the PRA does not satisfy a SR for the significance for the sake of consistency and provided in Section 2.2. appropriate Capability Category, then has no impact on the conformance of the determine if the difference is relevant or SA115A PRA model to RG 1.200, Rev. 2.

significantU. Acceptable requirements for determining the significance of this difference differences include the following:

(a) The difference is not relevant if it is not applicable or does not affect the quantificationU.

(b) The difference is not significant if the mModeled accident sequences accounting for at least 90% of CDF/LERF, as applicableU.

These determinations Determination of significance will dependU.

If the difference is not relevant or significant, then the PRA is acceptable for the application. If the difference is relevant or significant, thenU.

Rev 2 1 3.5, 2nd Paragraph Use of the word (b) The difference is not significant if the significant should modeled accident sequences accounting match definitions for at least 90% 95% of CDF/LERF for provided in Section 2.2. the hazard group U.

Rev. 2 only Figure 1 3 1 See staff proposed See in Rev. 2, Resolution Column This was a change to the flowchart depicted resolution for Section 1 in Figure 1 3 1 in order to be consistent with 1.4.2, text in Box 4 of the descriptive text. There is no impact on Figure 1 3.1 1 needs to be the conformance of the PRA model to RG modified be consistent 1.200, Rev. 2.

with the text.

Rev 1 4.3.3 The use of the word should UThe PRA analysis team shall should use There is essentially no difference in the does not provide a minimum outside experts, even whenU. intent of this clarification between Rev. 1 and requirement. Rev. 2 of RG 1.200.

Rev 2 1 4.3.3, 2nd The intent of this UThe PRA analysis team shall should use Paragraph statement/requirement is outside experts, even whenU.

for the use of outside expert, as such the use of the word should does not provide a minimum requirement.

52

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 6.1 The purpose, as written, UThe peer review shall assess the PRA to This clarification for RG 1.200, Rev. 2, implies that it is solely an audit against the the extent necessary to determine if the provides more specific guidance with regard requirements of methodology and its implementation meet to how the peer review team should conduct Section 4. A key objective of the requirements of this Standard to their review in order to ascertain the peer review is to ensure determine the strengths and weaknesses in conformance with the Supporting when evaluating the PRA the PRA. Therefore, the peer review shall Requirements of the Standard. There is no against the requirements in also assess the appropriateness of the impact on the conformance of the PRA Section 4, the quality (i.e., assumptions. The peer review need not model to RG 1.200, Rev. 2.

strengths and weaknesses) of assessU.

the PRA; this goal is to be clearly understood by the peer review team.

See the issue discussed on definition of Accident sequence, dominant.

Rev 2 1 6.1 The purpose, as written, Uanother purpose of the peer review is to implies that it is solely an determine the strengths and weaknesses in audit against the the PRA. Therefore, the peer review requirements of Section 4. shall also assess the appropriateness of A key objective of the the assumptions. The peer review need peer review is to ensure not assess all aspects of the PRA against when evaluating the PRA all requirements in the Technical against the technical Requirements Section of each respective requirements, the Part of this Standard; however, enough quality (i.e., strengths aspects of the PRA shall be reviewed for and weaknesses) of the the reviewers to achieve consensus on the PRA; this goal is to be assessment of each applicable clearly understood by the supporting requirement, as well as on peer review team. the adequacy of methodologies and their Further, the statement that implementation for each PRA Element.

the peer review need not assess all aspects of the PRA against all requirements could be taken to imply that some of the requirements could be skipped.

53

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 IE A4a Initiating events from Cat II and III: This clarification provides a more specific common cause or from Uresulting from multiple failures; if the description of routine system alignments that both routine and non routine equipment failures result from a common can arise due to different plant maintenance system alignments cause, and from routine system configurations. There is no impact on the should be considered. alignments resulting from preventive conformance of the PRA model to RG 1.200, and corrective maintenance. Rev. 2.

Rev 2 IE A6 Initiating events from Cat II:

common cause or from Uresulting from multiple failures; if the both routine and non routine equipment failures result from a common system alignments cause, and or from routine system should be considered. alignments resulting from preventive and corrective maintenance.

Cat III:

Uresulting from multiple failures, including equipment failures resulting from random and common causes, and or from routine system alignments resulting from preventive and corrective maintenance.

Rev 1 IE C10 Providing a list of generic COMPARE results and EXPLAIN The additional clarification given in RG data sources would be differences in the initiating event analysis 1.200, Rev. 2, was merely meant to provide consistent with other SRs with generic data sources to provide a a suggested generic reference against which related to data. reasonable check of the results. PRA initiating events and their frequencies An example of an acceptable generic may be compared. This clarification has no data sources is NUREG/CR 5750 [Note impact on the conformance of the PRA (1)]. model to RG 1.200, Rev. 2.

Rev 2 IE C12 Providing a list of generic COMPARE results and EXPLAIN data sources would be differences in the initiating event analysis consistent with other SRs with generic data sources to provide a related to data. reasonable check of the results.

An example of an acceptable generic data sources is NUREG/CR 6928 [Note (1)].

54

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 HR D3 Add examples for what is Cat II, III: This clarification is only meant to properly meant by quality in items (a) (a) the quality (including format, logical document the reference to Note 3. There is and (b) of Cat II, III. structure, ease of use, clarity, and no impact on the conformance of the comprehensiveness) of written procedures SA115A PRA model to RG 1.200, Rev. 2.

and the quality (e.g., configuration control process, technical review process, training processes, and management emphasis on adherence to procedures) of administrative controls (for independent review)

(b) the quality (e.g., adherence to human factors guidelines [Note (3)] and results of any quantitative evaluations of performance per functional requirements) of the human machine interface, including both the equipment configuration, and instrumentation and control layout Rev 2 HR D3 Add examples for what is Cat II, III:

meant by quality in items (a) the quality (e.g., format, logical (a) and (b) of Cat II, III. structure, ease of use, clarity, and comprehensiveness) of written procedures (for performing tasks) and the type of administrative controls that support independent review (e.g.,

configuration control process, technical review process, training processes, and management emphasis on adherence to procedures). of administrative controls (for independent review)

(b) the quality of the human machine interface (e.g., adherence to human factors guidelines [Note (3)] and results of any quantitative evaluations of performance per functional requirements), including both the equipment configuration, and instrumentation and control layout (3) NUREG 0700, Rev. 2, Human System Interface Design Review Guidelines; J.M. OHara, W.S. Brown, P.M. Lewis, and J.J. Persensky, May 2002.

55

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 HR D4 thru HR D7 The SA115A PRA model does report HEP values based on their mean point estimates as provided by the HRA Calculator software.

As such, there is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 HR D6 This SR should be written PROVIDE an assessment of the similarly to HR G9 uncertainty in the U. point estimates of HEPs. CHARACTERIZE the uncertainty in the estimates of the HEPs consistent with the quantification approach, and PROVIDE mean values for use in the quantification of the PRA results.

Rev 1 QU A3, QU A4 The state of knowledge correlation is accounted for in the PRA model by grouping similar components, e.g., MOVs, pumps, etc., by their specific system, such that all components within that system would be Rev 2 QU A3 The state of knowledge Cat I: correlated during uncertainty calculations.

correlation should be ESTIMATE the point estimate CDF (and As such, there is no impact on the accounted for all event LERF) conformance of the PRA model to RG 1.200, probabilities. Left to the Cat II: Rev. 2.

analyst to determine the ESTIMATE the mean CDF (and LERF),

extent of the events to be accounting for the state of knowledge correlated. Need to also correlation between event probabilities acknowledge LERF when significant (see NOTE 1).

quantification Cat III:

CALCULATE the mean CDF (and LERF) by U Rev 1 QU B1 thru QU B9 Both CDF and LERF are quantified using the PRA model. There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 QU B6 Need to acknowledge ACCOUNT for U realistic estimation of LERF quantification CDF or LERF. This accounting U 56

LR N17 0263 Table RAI 7 1 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates RG 1.200 Issue Resolution from RG 1.200 PSEG Disposition

/Changes Index Rev 1 QU E4 Understanding of the model Cat I: This is an editorial change that corrects a uncertainties and assumptions PROVIDE an assessment of the impact of reference to a note that is not applicable.

is an essential aspect of the key model uncertainties and There is no impact on the conformance of uncertainty analysis. In assumptions on the results of the PRA. the PRA model to RG 1.200, Rev. 2.

addition, all the sources of Cat II:

uncertainty and assumptions EVALUATE the sensitivity of the results to that can impact the risk profile key model uncertainties....

of the base PRA need to be Cat III:

assessed; see definition of key EVALUATE the sensitivity of the results to source of uncertainty for uncertain model boundary conditions and definition of source of other key assumptions using...

uncertainty.

Rev 2 QU E4 The note has no relevance For each source of model uncertainty U to the base model and introduction of a new initiating event) could cause confusion; it [Note (1)].

should be deleted. NOTE: For specific applications, U And in logical combinations.

Rev 1 LE G1 thru LE G3, Sensitivity studies are not required for LERF.

LE G5, LE G6 In addition, this specific LAR is not sensitive to LERF results since CFCUs are more likely to result in Late releases as opposed to large early releases.

57

LR N17 0263 APLA RAI 8 In accordance with RGs 1.174 and 1.177, the licensee provided a qualitative evaluation of the change in risk associated with the AOT extension for internal fires and seismic hazards using insights gained for the internal events and flooding PRA models. In its letter dated May 4, 2017 (ADAMS Accession No. ML17125A051), the licensee provided supplemental information about the qualitative evaluation to the NRC.

The licensees letter stated that the bases for the qualitative evaluations, described in the enclosure to the letter, rely in part on the Salem Full Power Internal Events (FPIE) PRA model of record (MOR). The licensee stated that the model of record used was developed and peer reviewed consistent with the ASME PRA Standard as endorsed by RG 1.200 and that the result of the FPIE PRA reviews, including the applicability of peer review F&Os, was provided in Section 4.1.3 and Tables 4 1 to 4 11 in Enclosure 1 to PSEG's March 6, 2017 submittal.

However, the enclosure to the supplemental letter seems to indicate that the licensee used FPIE PRA MOR SA115A as the basis for the qualitative evaluations. According to the licensees March 6, 2017 submittal, the licensee used MOR SA112A in support of the quantitative evaluation, and the F&O information contained in Tables 4 1 to 4 11 is from the peer review of SA112A. In addition, in the March 6, 2017 submittal, the licensee stated that CFCU extended AOT evaluation was completed before MOR SA115A was finalized in December 2016.

In accordance with RG 1.200, in order for a PRA to be considered sufficient for use in support of a risk informed licensing application, a licensee needs to demonstrate the technical acceptability of the PRA through peer review against an NRC endorsed industry standard. Because the licensee is using MOR SA115A in support of a risk informed licensing action as the basis for a qualitative evaluation, the licensee needs to demonstrate the technical acceptability of the PRA in accordance with RG 1.200. The licensee has not provided the staff any information regarding the technical acceptability of SA115A in accordance with RG 1.200. As a result, the staff cannot determine if the technical acceptability of SA115A is sufficient in support of this risk informed licensing application.

Please provide one of the following:

1. Clarification on which model of record the licensee used as a basis for the qualitative evaluation of the internal fires and seismic hazard risk. If the licensee used MOR SA115A as the basis for the qualitative evaluation, then
a. Describe the changes made to the internal events PRA since the SA112A PRA model.

This description should be of sufficient detail to assess whether these changes are PRA maintenance or PRA upgrades as defined in Section 1 5.4 of the PRA Standard. Since the following may indicate a PRA upgrade, include in your discussion: any new methodologies, changes in scope that impacts the significant accident sequences or the significant accident progression sequences, changes in capability that impacts the significant accident sequences or the significant accident progression sequences.

b. Indicate, and provide justification, whether the changes described in Part 1.a are PRA maintenance or PRA upgrades as defined in Section 1 5.4 of the PRA Standard.
c. Indicate whether a focused scope peer review(s) has been performed for those PRA upgrades identified in Part 1.b. As applicable, provide a list of the F&Os from the peer 58

LR N17 0263 review(s) that do not meet the appropriate Capability Category in accordance with RG 1.200, and explain how the F&Os were dispositioned for this application. If a focused scope peer review(s) was not performed for these PRA upgrades, then provide a qualitative or quantitative evaluation (e.g., sensitivity or bounding analysis) of its effect until a focused scope peer review can be completed, or

1) A justification describing why demonstrating the technical acceptability of MOR SA115A is not necessary for use in support of this risk informed licensing application, or
2) The results of the qualitative evaluations using the SA112A PRA as the bases.

PSEG Response:

The SA115A model was used for the qualitative supplemental analysis. None of the model changes that were made to the SA112A PRA model as part of the SA115A PRA update project constituted an upgrade as defined in the ASME PRA Standard [Reference 1]. SA115A contains no new methodologies, no changes in scope that impact the significant accident sequences and no significant accident progression sequences, no changes in capability that impact the significant accident sequences or the significant accident progression sequences. The changes were part of the normal PRA maintenance process whereby the PRA was updated to reflect plant changes, such as modifications, procedure changes, or plant performance (data).

Therefore, compliance with Regulatory Guide 1.200 [Reference 5] was maintained, and the Technical Adequacy described in Section 4 of risk application SA LAR 007 [Reference 4] is still applicable. No focused scope peer review was necessary.

The following list of major changes that were made to the SA112A model during the PRA update that resulted in the new SA115A PRA Model of Record (MOR) are listed below:

Incorporation of a plant modification that installed a fourth motor driven Auxiliary Feedwater pump that is independently powered by a separate diesel generator.

Further refinement was made to the station blackout event tree sequences to take into account use of FLEX equipment and updated loss of offsite power non recovery data from Idaho National Laboratory (INL) [Reference 3].

The minor changes that were made to the SA112A model during the SA115A Salem PRA update are listed below in Table RAI 8 1, which was taken from Appendix C of the PRA Quantification Notebook (SA PRA 014).

Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update For spray scenarios in the SW bays, only the pumps in the affected bay would be affected by a spray scenario in that bay. This was an adjustment to the target impacts for the spray initiators %FLD SW 1

100 A SPR (Bay 3 pumps 14, 15, and 16) and %FLD SW 100 B SPR (Bay 1 pumps 11, 12, and 12).

To eliminate the additional cutset associated with failure of the operator to switch to sump recirculation following depletion of the RWST during an intermediate LOCA scenario, the combination 2 of initiator %S1 with HEP event RHS XHE FO RECIR was added to the recovery text file (SA115AREC.TXT) to eliminate this cutset. The HEP event RHS XHE FO RECIR is only applicable to small LOCA scenarios.

59

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update To eliminate the additional cutset associated with failure of the operator to switch to sump recirculation following depletion of the RWST during a large LOCA scenario, the HEP event RHS 3

XHE FO RECR2 (OPER FAILS TO REALIGN FOR RECIRC MLOCA) was removed as an input to gate WL G1RC100, which is part of the logic associated with large LOCA accident sequences.

Gate GVSW200 (EXHAUST DAMPERS ON 84' AND 64' FAIL) was removed from the model since 4 dampers CAV14 through CAV19 were all pinned open and are not subject to spurious closure. This is based on DCP 80089441 and Dwg. 228046.

To correct the dependency of room cooling for the AFW pumps outside the AFW turbine driven pump enclosure, gate GAMC121 (FAILURES ASSOCIATED WITH DAMPERS ABS2 AND ABS20) was removed as an input to gate GAMC120 (AFW COOLER FAN #11 (1VHE36). Gate GAMC110 5

(INADEQUATE COOLING BY AFW PUMP ROOM COOLER) and gate GAMC121 were placed under an OR gate (GAMC105 1) that is an input to gate GAMC105 (INADEQUATE COOLING OF 13 AFW PUMP AREA).

The gate G1AFWSTLVLINST (UNIT 1 AFWST LEVEL INSTRUMENTATION GROUP) was removed as an input for the logic associated with the following fire related HEPs due to the fact that 6 instrumentation is not required to support these actions: AFS XHE FO LATE1 F, AFS XHE FO REFILL F, and AFS XHE FO H2OLTL F. This logic change was implemented to support the Fire PRA.

Gate G1CTMTSUMPLVL (CONTAINMENT SUMP LEVEL INDICATION FAILS) was added under gate G I RHS XHE FO RECIR F (MODELING FOR RHS XHE FO RECIR F AND 7 INSTRUMENTATION) with supporting logic to provide a cue to the operator preparing to realign the suction source for the RHR pumps from the RWST to the containment sump. This logic change was implemented to support the Fire PRA.

Gate G1049 (CV139 and CV140 do not close when required) was removed from the PRA model since the minimum flow recirculation line was not considered capable of failing the functionality of the 8

CVC pumps to provide adequate injection capability. This was confirmed by Operations personnel during cutset reviews conducted in May 2014 at PSEG.

To correct a modeling deficiency associated with fire PRA logic, an OR gate (GAN1863 1) was added as an input under gate GAN1863 and gate ABFIRE002 37 was then deleted as an input under gate 9

GAN1863. The inputs to OR gate GAN1863 1 are basic event MSS XVM OC 1MS52 and gate ABFIRE002 37 (1MS52 CLOSED DUE TO FIRE). {Fire PRA}

Gate GXC1100 (POWER FAIL AT 115 VAC VITAL INST BUS 1C (CIRCULAR LOGIC)) was added as an input to OR gate GXEC110 (SEC C FAIL TO TRANSMIT SIGNAL) and also to OR gate 10 G1OC100 (NO BLACKOUT SIGNAL FROM SEC C TRAIN). Gate GXC1100 is an OR gate and is similar in logic to gate G1CB101, except that the logic used avoids circular logic associated with AC power and the emergency diesel generators.

The RECRBU non recovery probabilities were updated using the latest offsite power non recovery curves that were generated by Idaho National Labs (INL). The reference is: Analysis of Loss of 11 Offsite Power Events, 2012 Update, U.S. Nuclear Regulatory Commission Website:

http://nrcoe.inl.gov/resultsdb/LOSP/, September 2013. This change item resolves URE # SA2014 13.

The standby flags for the ventilation switchgear exhaust fans #11 and #12 were consistently named 12 XHOS STBY 1VE1012 and XHOS STBY 1VE1013, respectively.

Edited the mission time for the EDG ventilation fans to be 6.2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, which is consistent with the 13 mission time for the emergency diesel generators.

Gate TDES06 was added under the AND gate TDES06X, which is an input to OR gate TDEX, in 14 order to provide a logic pathway to the top event "CDF".

Annualized events within the CAFTA database were adjusted such that they are now being consistently calculated using "calculation type 3" with a mission time of 8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br />. This includes the 15 SW pump annualized failure probability for pump 13, which was revised to be consistent with how the failure probability for pump 15 was being calculated.

60

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update Internal flood mitigating factors were revised for the following basic events:

FPS XHE AB 064 FLD FPS XHE AB 084 B FLD FPS XHE AB 084 B FLDD 16 FPS XHE AB 084 B MAJ FPS XHE AB 084 B MAJD OTH XHE AB 084 C MAJ SWS XHE AB 084 D MAJD The HRA notebook details the derivation of these revised values.

Operator cues were added that involve failure of air header pressure switches that provide a cue in support of operator action CAS XHE FO CAE63 F. An AND gate named G1LOWAIRPRESS 17 (FAILURE OF LOW AIR PRESSURE INDICATION) was placed under the OR gate G I CAS XHE FO CAE63 F (MODELING FOR CAS XHE FO CAE63 F AND INSTRUMENTATION). This model logic was added specifically for the fire PRA.

Based on information from site personnel, the logic associated with the offsite power was deemed no 18 longer necessary as a cue for HEP event CAS XHE FO CAE63 F. This involved removing gate DE GDT1100 as an input to gate G CAS XHE FO CAE63 F.

19 Equivalency gates were compressed using the CAFTA fault tree editor.

The input to NOT gate NOT RSC G1RS100 (SUCCESS OF RSC) was changed to be the gate G1RS110 (RCP SEAL COOLING FAILS TO ANY PUMP). This was done to prevent "double counting" of LERF cutsets in which both the transient and RCP seal LOCA sequences were being 20 tabulated for the same initiating event, even though it was a transient event that leads to a RCP Seal LOCA. That is, the transient event tree sequence logic should no longer be satisfied when it is determined that a RCP Seal LOCA has developed.

The wrong value in the "FACTOR" field for basic event AC5 BKR OO AB50 (Disconnect Switch AB50 21 Fails to Close) was replaced with the correct integer value of 1.

It appears that the 125 VDC power dependency for the DR6 AOV was erroneously removed from the SA112A PRA model during the PRA update based on discussions with site personnel that led the model owner to believe that the valve fails open on loss of all dependencies. However, the valve only 22 fails open on loss of air, but still remains closed if DC power is lost. Because of this, Gate G1A1100 (LOSS OF 125 VDC CONTROL BUS 1A) was restored as an input to gate GAN2100 (AOV 1DR6 FAILS TO OPEN).

The Aux. Building spray scenarios on the 84' el. (AB 084 C) were subdivided into 2 additional spray scenarios to reduce the overly conservative treatment of spray scenarios in this flood area. The two 23 additional spray scenarios are for separate treatment of the AFW room cooler (VHE36) and the #2 CCW room cooler (VHE34). The Internal Flood PRA notebook (SA PRA 012) has been updated to account for these additional spray scenarios.

The logic for batteries and battery chargers was changed from all components being under a single AND gate to one in which either the battery OR both chargers have to fail in order to represent a more accurate failure model. The logic would look similar to the following structure:

G001 OR (Battery) G002 G002 AND (Charger #1) (Charger #2) (BALDOR)

BALDOR OR (BALDOR HEP) (BALDOR MECH) 24 As a result, the following gates were modified to accommodate this logic structure:

G1VA110 (28VDC 1ADE)

G1VA110 (28VDC 1ADE)

G1A1110, G1X5110 (125VDC Bus 1A)

G1B1110, G1B5110 (125VDC Bus 1B)

G125110, Gx15110 (125VDC Bus 1C)

These changes would affect the description in the DC system notebook.

61

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update The logic for room cooling of the TDAFW pump enclosure was updated to account for the operator being able to recover TDAFW room cooling for those non SBO scenarios in which the TDAFW room cooler was failed and the operator was prompted to recover room cooling via procedure S1.OP AB.SW 0001(Q) (LOSS OF SW HEADER PRESSURE). This human action was represented by the HEP event AFS XHE FO DOORT (OPERATOR FAILS TO OPEN TDAFW PUMP ROOM DOOR FOR NON SBO (SW HDR 1). For those non SBO scenarios where recovery of TDAFW room cooling could not be credited, the HEP event AFS XHE FO DOORF (OPER FAILS TO OPEN TDAFW PUMP ROOM DOOR FOR NON SBO (SW HDR 2 & OTHER)) was used. This affected the logic in the vicinity of gate GAMC105. In effect, a new level of logic was inserted above GAMC105 to account for 25 both SBO and non SBO cases that involve loss of TDAFW room cooling. A new OR gate (GAMC105 3) was created that is an input to gates GAN1732 and GASB732. The inputs to gate GAMC105 3 are GAMC105 (INADEQUATE COOLING OF 13 AFW PUMP AREA (LOOP SCENARIOS)) and GAMC105 5 (LOSS OF 13 AFW ROOM COOLING AND OPERATOR FAILURE TO OPEN DOOR (NON LOOP)). Cutsets containing combinations of AFS XHE FO DOORT, which credits recovery of TDAFW room cooling, and initiating events that would not provide an operator cue for recovery of TDAFW room cooling were deleted using commands in the recovery text file.

Likewise, cutsets containing the HEP event AFS XHE FO DOORF, which does not credit recovery of TDAFW room cooling, in combination with initiators that would provide a cue for recovery were also eliminated.

The 4th AFW pump (NSR pump) model logic was added to the model based on the work that 26 Enercon had performed in September 2015. The use of new generic industry data based on information from INL (2010 update) was implemented in the database file (.rr file).

The following SWS AOV fail to open basic events were correctly assigned the proper failure probability that is listed in Table B 5 of the Data Notebook:

27 SWS AOV CC 11ST6 SWS AOV CC 12ST6 SWS AOV CC 13ST6 The basic event AC4 CKV CC 2DF28 was replaced with the correct event AC4 CKV CC 2DF38 28 under gates G14B265 and G4BS265, as the former event was a typographical error. There was no change to either CDF or LERF as a result of this model correction.

The fault tree logic to account for failure of the automatic start signal from SEC for the three EDG trains was added to the PRA model where circular logic breaks are being modeled. Specifically, the following fault tree changes were made:

1. For EDG Train A, a new gate (G4AS114X) was added as an input to existing gates G1AX120, G01X120, and G48X650. The new gate G4AS114X retains the logic that is found under existing gate G4AS114, but breaks the circular logic at gate G01X100 by removing gate G01X110 as an input.

29

2. For EDG Train B, a new gate (G4BS114X) was added as an input to existing gates G1BX120, G05X120, and G48X330. The new gate G4BS114X retains the logic that is found under existing gate G4BS114, but breaks the circular logic at gate G05X100 by removing gate G05X110 as an input.
3. For EDG Train C, a new gate (G4CS114X) was added as an input to existing gates G1CX120, G06X120, and G48X960. The new gate G4CS114X retains the logic that is found under existing gate G4BS114, but breaks the circular logic at gate G1CX100 by removing gate G1CX110 as an input.

Replaced basic event ESF LST FT L519 with existing event ESF LST FT 1L519 in order to eliminate 30 duplicate events. For consistency, basic event ESF LST FT L518 was renamed as ESF LST FT 1L518.

The basic event AC4 CKV CC 2DF28 was replaced with the correct event AC4 CKV CC 2DF38 31 under gates G14B265 and G4BS265, as the former event was a typographical error. There was no change to either CDF or LERF as a result of this model correction.

A flag event was added to identify which cutsets are ATWS sequences. This was done by inserting 32 new logic that combines the flag event ATWS FLAG under an AND gate with those ATWS scenarios under gates @ATWS, @ATWSX, PDS 123 D OPDEP, and PDS 3 ABC OPDEP.

62

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update A review of Westinghouse document LTR RAM I 10 053 ("White Paper Westinghouse Reactor Coolant Pump Seal Behavior For Fire Scenarios, Rev. 2") revealed that if CCW cooling to the RCPs is lost, there is no expected impact on pump seal performance provided that seal injection is being maintained by the charging system. This particular case is described on page 16 in Table 1 of the white paper. The result is that HEP event for failure to trip RCPs upon a loss of CCW (CCS XHE FO 33 TRIP) is no longer relevant to the PRA model given the information found in the Westinghouse white paper (LTR RAM I 10 053). As a result, the SCR node in the event tree for loss of CCW may be removed. This makes endstate "S16" of this event tree no longer applicable, which was a transfer to the small LOCA event tree. To effect this change in the PRA model, the subtrees represented by gates TCCS60 and RSC2 TR were deleted. The reconfigured loss of CCW event tree is depicted in Figure A 33 of the Event Tree Notebook (SA PRA 002).

The event tree for station blackout (SBO) scenarios (Figure A 8 of SA PRA 002) was reconfigured to account for whether the SBO DG (BALDOR or FLEX) is available. This impacts the ability for 34 continued operation of AFW. For further details regarding the description of these SBO scenarios, refer to the Event Tree Notebook (SA PRA 002).

The HEP event SWS XHE FO OVER2 was removed from the PRA model during the 2015 update (SA115A) as it was no longer deemed a relevant recovery action for EDG cooling. This was effected by deleting the gate GHRA SWS XHE FO OVER2 and underlying logic from the model. Other model changes that were made to the Service Water cooling logic for the EDGs included removing gate GIFM112310 as an input to gates G08X120, G09X120, G1X1120, and G1X2120 since the valves 35 modeled under this gate are not in the flowpath to the EDGs. Additionally, basic event SWS MOV OC 2SW22 was replaced with new event SWS MOV OC 2SW21 under gates G09X165, G08X130, G1X1130, and G1X2165 since valve 12SW21 is the correct valve for this flowpath. Likewise, event SWS MOV OC 1SW22 was replaced with new event SWS MOV OC 1SW21 under gates G1X2130, G1X1165, G08X165, and G09X130 to model the correct flowpath through valve 11SW21.

The NOT logic employed in the Level 2 sequences was replicated in the logic for the Level 1 sequences that lead to core damage events in the SA115A PRA model. In general, the logic changes involved replacing the Level 1 event tree nodal logic gates with the analogous Level 2 nodal logic 36 gates, which typically end with the character "X". This provides for a consistent approach and similar logic for both Level 1 and Level 2 events that will produce non minimal cutsets. This change to the PRA model resolves URE # SA2014 025.

The early and late operator actions associated with AFW actions were deemed to be mutually exclusive, e.g., the early cognitive failure associated with recovery of Secondary Side Heat Removal 37 (SSHR) implies that the late recovery failures are not necessary. The elimination of cutsets with concurrent early and late failures was accomplished via use of the recovery file SA115AREC.txt.

Two new type codes were added to the Type Code database (ACPDGNFS AND ACPDGNFR) in file 38 SA115A.rr, which will be used to calculate the failure probabilities associated with the proposed use of the FLEX diesel generator for station blackout (SBO) scenarios.

The FLEX diesel generator (DG) and associated supporting logic was incorporated into the SA115A PRA model. The FLEX DG is activated when loss of offsite power events (LOOPs) exceed a length 39 of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or more with non recovery of offsite power. The Baldor DG is only available for those LOOP scenarios where offsite power is expected to be recovered within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> following the event.

For further details, see the Event Tree Notebook (SA PRA 002).

Gate G02X111 (NO POWER TO 230 VAC VITAL BUS 1B FOR SW26 LOGIC BREAK) was created as an input to gate G02X100 (POWER FAILURE AT 230VAC VITAL BUS 1B CIRCULAR LOGIC 40 BRK) to break the circular logic with the 1B 4.16 kVAC bus providing power to the 230 VAC vital bus 1B, which is the power supply for MOV 1SW26.

63

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update The spurious closure of the 11CC3 and 12CC3 valves was added to the model to credit each CCW pump being able to feed the opposite train CCW heat exchanger. To effect this change, new event CCS MOV OC 11CC3 was added under gate GCC1161, and new event CCS MOV OC 12CC3 was added under gate GCC2131. In addition, new gate GCC2132 was created as a new input to gate 41 GCC2120 (FAILURE OF FLOW FROM PUMPS CCS11, CCS12 AND CCS13 TO HEADER 12) to credit CCS pump 11 being able to supply the CCS 12 heat exchanger, and new gate GCC1162 was added as an input to gate GCC1140 (FAILURE OF FLOW FROM PUMPS CCS11, CCS12 AND CCS13 TO HEADER 11) to credit CCS pump 12 being able to supply the CCS 11 heat exchanger.

Gate TT IE was removed from under gate SC TSISW since the correct logic is already under gate 42 TTTP NOTLOP to represent the condition in which an SEC actuation signal is not required.

A new gate G10X111 was created to replace existing gate G10X110 under gate G10X100 to remove circular logic problems encountered with the 1A 4.16 kVAC bus providing power to the 230 VAC vital 43 bus 1A, which is the power supply for MOV 13SW20. Likewise, for MOV 11SW20 and 230 VAC vital bus 1C, a new gate G31X111 was created to replace existing gate G31X110 under gate G31X100 for similar reasons.

Since the HEP event CIS XHE FC XLCNT requires failure of CCW in conjunction with the Excess Letdown line being in operation, the split fraction XLCNT INSERVICE (FRACTION OF TIME EXCESS 44 LETDOWN IS IN SERVICE) was added as an input to gates G12P200 1 and GCI1223. Also, gate G1T1120 (LOSS OF CCS FLOW from Headers 11 & 12) was added as an additional input under gate GCI1223, but was not able to be added under gate G12P200 1 due to circular logic concerns.

Three new generic type codes were added to the CAFTA database file to support modeling of standby SBO diesel generators (_DGB_FS, _DGB_FL, and _DGB_FR), which lead to the development of 6 distinct type codes for the Baldor and FLEX diesel generators. The three type codes for the Baldor diesel generator are as follows:

DGSDGBFS BALDOR DIESEL GENERATOR FAILS TO START DGSDGBFL BALDOR DIESEL GENERATOR FAILS TO START & LOAD DGSDGBFR BALDOR DIESEL GENERATOR FAILS TO RUN The three new type codes for the FLEX diesel generator are as follows:

45 ACPDGBFS FLEX DIESEL GENERATOR FAILS TO START ACPDGBFL FLEX DIESEL GENERATOR FAILS TO START & LOAD ACPDGBFR FLEX DIESEL GENERATOR FAILS TO RUN Gate logic was added to the SA115A PRA model to disable use of the Salem Unit 3 gas turbine generator and SBO air compressor once an extended loss of AC power (ELAP) condition exists. This was done by adding the logic under gate ELAP CONDITION 2 as an input to gate G1XM2A0 for Salem Unit 3 and gate ELAP CONDITION 1 as an input to gate G1EA312 for the SBO air compressor. This logic can be disabled by setting flag event PROCEDURE FLAG to false if and when procedures are in place that allow use of these components in parallel with FLEX equipment.

Success logic was added to the sequences under gate @TSWX (Loss of SWS Events with Success Branches). Also, the logic for sequence endstates S05 and S06 was added under this gate since it 46 appears that this logic was not previously modeled in accordance with the event tree depicted in Figure A 34 of the Event Tree Notebook.

Internal floods involving the Service Water (SW) system in the Turbine Building were mapped to fail the SW26 valve (SWS MOV OC 1SW26) rather than both nuclear headers that supply cooling water to loads in the Auxiliary Building. This was deemed more appropriate since the SW nuclear headers are not directly associated with any of the SW piping located in the Turbine Building. In addition, the 47 SW floods involving the nuclear SW headers in the Auxiliary Building and adjacent areas were subdivided into separate scenarios to account for the fact that any given SW pipe rupture could only affect one header due to train separation. SW header #1 flood events are mapped to SWS MOV OC 2SW20 to simulate failure of the Unit 1 SW source from Bay #1, and SW header #2 events are mapped to SWS MOV OC 4SW20 to represent failure of the SW source from Bay #3.

Sequence tags were added to the SA115A PRA model with the prefix "1 SEQ" to help delineate what 48 event tree sequence endstates were satisfied for those cutsets that lead to core damage.

64

LR N17 0263 Table RAI 8 1 Changes that Were Made as Part of the Salem SA115A PRA Model Update Two common cause events for failure of the undervoltage relays for the 4.16 kVAC vital buses were added to the model in order to conform to the analysis performed in support of SA STI 004, "Surveillance Test Interval (STI) Extension Evaluation of Vital Bus Under Voltage Relays." The two 49 events are as follows:

ESF RLY OO UV2 COMMON CAUSE FAILURE FOR ANY 2 OF 3 RELAYS ESF RLY OO UV3 COMMON CAUSE FAILURE FOR 3 OF 3 RELAYS A recovery event named REC EDGC was added as a new input under the gates listed below to represent failure to restore the ability to replenish the fuel oil day tank for EDG C with the FLEX diesel generator (DG). The value assigned to REC EDGC represents the human error probability (HEP) to align the FLEX DG to the appropriate motor control center (MCC) to repower a fuel oil transfer pump plus the overall unavailability of the FLEX DG. Failure to refill the EDG C day tank is a consequence 50 of both EDG A and EDG B failing to operate, since they are the power supplies for the two fuel oil transfer pumps:

G48X102 LOSS OF FUEL SUPPLY TO DGN 1A/B/C GFOT102 LOSS OF FUEL SUPPLY TO DGN 1A/B/C DOES NOT TAKE CREDIT FOR GTG G4CS232 LOSS OF FUEL SUPPLY TO DGN 1C G14C232 LOSS OF FUEL SUPPLY TO DGN 1C The combination of a battery charger being placed in maintenance (DCP CHG TM*) in combination with failure to place the alternate charger in service (DCP XHE ALTCHGR) would not physically occur 51 due to plant maintenance practices and procedures. Because of this, these cutsets were eliminated via use of the recovery text file (SA115AREC.TXT).

To account for the fact that manual actions can be performed to transfer suction from the VCT to the RWST, the operator action CVS XHE FO SOVCT was added under two new AND gates (G1UB170 1 52 and G1RP132 1). Gate G1UB170 1 is an input to gate G1UB170 (FAILURE OF WATER SOURCES FOR EMERGENCY BORATION) and gate G1RP132 1 is an input to gate G1RP132 (INSUFFICIENT FLOW FROM RWST, VCT, AND BATS).

Basic events XHOS 1VC5 OPEN and XHOS 1VC6 OPEN were replaced with a single event XHOS 1VC5 6 OPEN (FRACTION OF TIME VC5 AND VC6 ARE OPEN) and assigned the probability of 8.3E 2 since these valves, on average, are opened for about an hour every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (once per shift).

53 Conversely, the basic events XHOS 1VC5 CLOSED and XHOS 1VC6 CLOSED were replaced with a single event XHOS 1VC5 6 CLOSED (FRACTION OF TIME VC5 AND VC6 ARE OPEN) and assigned the probability of 0.917.

Recovery logic was added to the recovery rules fault tree SA115AREC.CAF that involved excluding cutsets that contain events that satisfy the gate logic FLEXDG 1 (FAILURES INVOLVING FLEX DG) found in SA115A.CAF in addition to the recovery event REC EDGC (FAILURE TO RECOVER EDG C 54 WITH FLEX DG WHEN EDG A AND EDG B FAIL) also being present in the cutset. The recovery event REC EDGC already takes into account the contribution from all failures related to the FLEX DG, both operator and hardware failure modes. In essence, this mutually exclusive recovery logic was necessary to eliminate non minimal cutsets.

APLA RAI 9 RG 1.177 outlines a three tiered approach for evaluating the risk associated with a proposed TS AOT change. Tier 2 identifies and evaluates any potential risk significant plant configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk significant operational factors, such as concurrent system or equipment testing, are involved. The purpose of this evaluation is to ensure that there are appropriate restrictions on dominant risk significant configurations associated with the change in place.

65

LR N17 0263 According to Section 6.3 in Enclosure 1 of the LAR, the Tier 2 assessment was addressed as part of the sensitivity cases investigated in Section 5.5 of Enclosure 1, in which other equipment other than the CFCUs is investigated for relative importance. However, based on the information presented in Section 5.5 of Enclosure 1, it is not clear what, if any, risk significant configurations the licensee identified or what, if any, measures the licensee is taking to avoid those risk significant configurations. As a result the staff cannot determine if the licensees Tier 2 evaluation is sufficient to ensure that the licensee will have appropriate restrictions on dominant risk significant configurations, associated with the change in CFCU AOT, in place.

Please provide a discussion describing clearly any potential risk significant plant configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk significant operational factors, such as concurrent system or equipment testing, are involved. Include a description of any restrictions that the licensee plans to implement in order to avoid any identified risk significant configurations once the change in CFCU AOT is in place.

PSEG Response:

Based on the sensitivity analyses that were performed in Section 5 of SA LAR 007

[Reference 4], there were no new risk configurations identified that would warrant further measures to be implemented other than what have already been identified in Attachment 1 of OP AA 108 116 [Reference 6], which defines the sites protected equipment program.

Additionally, when the online maintenance EOOS model was configured with two CFCU fans as being out of service, the risk if removed from service equipment list was no different from the list generated for the zero maintenance case. This means that no new risk significant configurations have been created as a result of this CFCU AOT extension.

66

LR N17 0263 References

1. Addenda to ASME/ANS RA S 2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME/ANS RA Sa 2009, ASME/ANS, February 2009.
2. U.S. Nuclear Regulatory Commission, Industry Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, NUREG/CR 6928, 2010 Update.
3. Analysis of Loss of Offsite Power Events 1997 2014, Idaho National Laboratory, INL/EXT 16 37873, U.S. Nuclear Regulatory Commission Website:

http://nrcoe.inl.gov/resultsdb/LOSP/, February 2016.

4. PSEG, Salem PRA Analysis for CFCU AOT Extension, SA LAR 007, Revision 1, February 2017.
5. Nuclear Regulatory Commission (NRC), An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk Informed Activities, Regulatory Guide 1.200, Rev. 2, March 2009.
6. PSEG, Protected Equipment Program, OP AA 108 116, Revision 12.
7. RG 1.200 PRA Peer Review Against the ASME PRA Standard Requirements for the Salem Generating Station , Units 1 & 2 Probabilistic Risk Assessment, LTR RAM II 09 001, Westinghouse, June 2009.

67

Retrieved from "https://kanterella.com/w/index.php?title=LR-N17-0263,_Response_to_Request_for_Additional_Information,_Salem_Units_1_and_2_-_Containment_Fan_Coil_Unit_Allowed_Outage_Time_Extension_Amendment_Request&oldid=1998863"