LR-N17-0263, Response to Request for Additional Information, Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request

From kanterella
(Redirected from ML17257A439)
Jump to navigation Jump to search

Response to Request for Additional Information, Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request
ML17257A439
Person / Time
Site: Salem  PSEG icon.png
Issue date: 09/14/2017
From: David Mannai
Public Service Enterprise Group
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR S16-04, LR-N17-0263
Download: ML17257A439 (70)
v  d  e


Text

LR-N17-0263 LAR S16-04 September 14, 2017 PSEG Nuclear LLC P.O. Box 236, Hancocks Bridge, NJ 08038-0236 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Salem Nuclear Generating Station Units 1 and 2 Renewed Facility Operating License Nos. DPR-70 and DPR-75 NRC Docket Nos. 50-272 and 50-311 OPSEG Nuclear LLC 10 CFR 50.90

Subject:

Response to Request for Additional Information - Salem Units 1 and 2 -

Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request

References:

1. PSEG letter to NRC, "License Amendment Request: Salem Containment Fan Cooler Unit (CFCU) Allowed Outage Time (AOT) Extension," dated March 6, 2017 (ADAMS Accession No. ML17065A241)
2. NRC email to PSEG, "Request for Additional Information - Salem Units 1 and 2 - Containment Fan Coil Unit Allowed Outage Time Extension Amendment Request (CACs MF9364 and MF9365)," dated July 31,2017 (ADAMS Accession No. ML17212B115)

In the Reference 1 letter, PSEG Nuclear LLC (PSEG) submitted a license amendment request for Salem Nuclear Generating Station Units 1 and 2 (Salem). The proposed amendment would revise Technical Specification 3.6.2.3, "Containment Cooling System," to extend the containment fan coil unit (CFCU) allowed outage time from 7 days to 14 days for one or two inoperable CFCUs. In the Reference 2 email, the Nuclear Regulatory Commission (NRC) requested PSEG to provide additional information in order to complete its review. provides a detailed response to the request for additional information. PSEG has determined that the information provided in this submittal does not alter the conclusions reached in the 10 CFR 50.92 no significant hazards determination previously submitted. In addition, the information provided in this submittal does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendment.

There are no regulatory commitments contained in this letter.

September 14, 2017 Page 2 LR-N17-0263 10 CFR 50.90 Should you have any questions regarding this submittal, please contact Mr. Paul Duke at 856-339-1466.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on September 14, 2017 (Date)

Sincerely,

,(lV~

David J. Mannai Senior Director, Regulatory Operations

Attachment:

1. Response to Request for Additional Information cc:

Mr. D. Dorman, Administrator, Region I, NRC Mr. R. Ennis, Project Manager, NRC NRC Senior Resident Inspector, Salem Mr. P. Mulligan, Chief, NJBNE Salem Commitment Tracking Coordinator Corporate Commitment Tracking Coordinator

LR N17 0263 Response to Request for Additional Information

LR N17 0263

1

Response to Request for Additional Information Regarding Proposed License Amendment Containment Fan Coil Unit Allowed Outage Time Extension Salem Nuclear Generating Station, Unit Nos. 1 and 2 Docket Nos. 50 272 and 50 311 By application dated March 6, 2017, as supplemented by letter dated May 4, 2017 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML17065A241 and ML17125A051, respectively), PSEG Nuclear LLC (PSEG, the licensee) submitted a license amendment request (LAR) for Salem Nuclear Generating Station (Salem), Unit Nos. 1 and 2.

The proposed amendment would revise Technical Specification (TS) 3.6.2.3, Containment Cooling System, to extend the containment fan coil unit (CFCU) allowed outage time (AOT) from 7 days to 14 days for one or two inoperable CFCUs.

The Nuclear Regulatory Commission (NRC) staff is reviewing your submittal and has determined that additional information is needed to complete its review. The specific information requested is addressed below.

BalanceofPlant Branch (SBPB)

RAISBPB1 PSEGs application stated that the proposed extended AOT is based on application of the Salem Probabilistic Risk Assessment (PRA) in support of a risk informed extension, and on additional considerations and compensatory actions. The licensee further stated that the risk evaluation and deterministic engineering analysis supporting the proposed change have been developed in accordance with the guidelines established in NRC Regulatory Guide (RG) 1.177, An Approach for Plant Specific Risk Informed Decisionmaking: Technical Specifications, dated May 2011 (ADAMS Accession No. ML100910008), and RG 1.174, An Approach for using Probabilistic Risk Assessment in Risk Informed Decisions on Plant Specific Changes to the Licensing Basis dated May 2011 (ADAMS Accession No. ML100910006).

PSEG provided, in Section 4.3 of Attachment 1 to the application, a deterministic assessment of the proposed CFCU AOT extension. However, in accordance with RG 1.177, Regulatory Position 2.2, Traditional Engineering Considerations, there are several engineering considerations that were not adequately addressed in the LAR and are necessary for a risk

informed licensing submittal that the licensee should assess. Provide an engineering evaluation (in accordance with RG 1.177 Regulatory Position 2.2) that addresses the following considerations:

1. Defense in depth (including the following):
a. A reasonable balance among prevention of damage of core damage, prevention of containment failure, and consequence mitigation is preserved.
b. Over reliance on programmatic activities as compensatory measures is avoided.
c. System redundancy, independence, and diversity are maintained.
d. Defenses against potential common cause failures (CCFs) are maintained and the potential for introduction of new CCF mechanisms is assessed.

LR N17 0263

2

e. Independence of physical barriers is not degraded.
f. Defenses against human errors are maintained.
g. The intent of the plants design criteria is maintained.
2. Safety margin (including the following):
a. Codes and standards or alternatives approved for use by the NRC are met.
b. Safety analysis acceptance criteria in the final safety analysis report are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties.

PSEG Response:

1. Consistency with the defense in depth philosophy is maintained as discussed below:
a. A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation (i.e., the proposed change in a TS has not significantly changed the balance among these principles of prevention and mitigation) to the extent that such balance is needed to meet the acceptance criteria of the specific design basis accidents and transients.

The amendment requested will result in no change to the current balance of these critical functions. The safety functions of the CFCUs are to recirculate and cool the containment atmosphere in the event of a loss of coolant accident (LOCA). Each CFCU is capable, taking into consideration tube fouling, of removing at least 44 x 106 Btu/hr or a cumulative heat transfer rate of 132 x 106 Btu/hr. for three fan cooler units from the containment atmosphere under accident conditions. This heat transfer rate exceeds the analyzed value assumed in the design basis analysis of containment pressure response to a spectrum of Reactor Coolant System (RCS) and steam line breaks described in the Salem Updated Final Safety Analysis Report. Increasing the allowed outage time for one or two inoperable CFCUs from 7 to 14 days does not affect the ability of three CFCUs to meet the acceptance criteria of the specific design

basis accidents.

The proposed changes do not degrade core damage prevention, and do not have any effect upon containment failure. Consequence mitigation remains unchallenged; credit is taken for only two CFCUs in the mixing effect of the containment atmosphere in the Salem dose analyses.

No new accident or transients are introduced with the proposed changes; therefore, the likelihood of accidents or transients is not impacted. The balance between mitigation of core damage and containment failure is preserved by the implementation of this 14 day AOT for the CFCUs in that the overall equipment reliability is expected to be improved, and over the long term, PSEG expects fewer emergent issues as a result of increased flexibility in planning and performing maintenance activities.

LR N17 0263

3

b. Over reliance on programmatic activities as compensatory measures associated with the change in the licensing basis is avoided.

There are no changes to the design or operation of the CFCUs associated with the proposed change. Containment Fan Coil Units and their associated CFCU Motor Coolers are components that, when properly maintained, have proven to be reliable. The maintenance frequency for opening and cleaning for the Generic Letter 89 13 program is 5R (every fifth recycle outage) for the CFCUs and 4R for the motor coolers. The reliability of the CFCUs is not challenged by the proposed amendment; and no increase in programmatic activity is required to support the proposed change. Industry standard reliability parameters from NUREG/CR 6928 are used to quantify the reliability of CFCUs in the PRA. Since the CFCUs are and will continue to be operated on a rotating basis, these reliability parameters will continue to be appropriate.

c. System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system.

The redundancy, independence, and diversity of the Containment Fan Cooler Units remain unchallenged as a result of the proposed licensing action.

During the Condition IV accidents of LOCA or main steam line break, the CFCUs and Containment Spray act in concert to ensure that the Containment pressure remains below the design pressure of 47 psig. Each CFCU is capable, taking into consideration tube fouling, of removing at least 44 x 106 Btu/hr or a cumulative heat transfer rate of 132 x 106 Btu/hr. for three fan cooler units from the containment atmosphere under accident conditions. This heat transfer rate exceeds the analyzed value assumed in the design basis analysis of containment pressure response to a spectrum of Reactor Coolant System (RCS) and steam line breaks described in the Salem Updated Final Safety Analysis Report. No additional compensatory actions would be taken upon the removal from service of one or two CFCUs beyond those taken for the current allowed outage time.

Because of the robustness of the design with regard to the accident analysis, such actions are not necessary. The defense in depth remains unchallenged by the proposed licensing action.

PSEG's protected equipment program provides appropriate restrictions to preclude simultaneous equipment outages that would erode the principles of redundancy and diversity. PSEG's on line work management process requires the risk of the scheduled on line maintenance activity to be continuously evaluated based upon conditions, such as the power grid stability, the weather forecast, and the current plant status. This includes information obtained from day ahead forecasts. Severe weather (high wind, severe thunderstorm warning, tornado watch/warning) or conditions that are potential high risk evolutions for loss of offsite power are considered.

The risk impact of the proposed increase in the allowed outage time was explicitly modeled and determined to be small and consistent with regulatory guidance. The long term effect of the proposed change on the reliability of the CFCUs is expected to be positive.

LR N17 0263

4

d. Defenses against potential common cause failures are maintained, and the potential for introduction of new common cause failure mechanisms is assessed.

No common cause failure mechanisms are identified for the CFCUs, and defenses against common cause failures are preserved. The operating environment and operating parameters for the CFCUs are unaffected; and no new common cause failure modes are created by the proposed TS changes.

There are no changes to the design or operation of the CFCUs associated with the proposed change. Existing measures to ensure the potential for CCF is minimized include periodic cleaning and inspection, routine preventive maintenance and corrective action measures to evaluate extent of condition.

e. Independence of physical barriers is not degraded.

The physical barriers (fuel cladding, reactor coolant system, and containment) and their independence are maintained. The proposed change maintains the required containment heat removal capacity and does not affect the integrity of the CFCUs as a barrier to limit leakage to the environment. Increasing the AOT for 1 or 2 CFCUs removed from service does not affect the independence of the fuel cladding, reactor coolant system, or containment.

f. Defenses against human errors are preserved.

The proposed extension to the AOT does not require any new operator actions for the existing plant equipment or introduce the potential for new human errors.

Operators and maintenance personnel are in the practice of utilizing Human Error Prevention tools, and will use existing plant procedures to remove CFCUs from service, to effect repairs, and then return them to service. This AOT extension is requested for Modes of operation 1 through 4, exactly as for the current TS 3.6.2.3; therefore, the methods and precautions required, which could affect human performance, are unaffected by the proposed license change.

g. The intent of the plant's design criteria is maintained.

The intent of the Salem design criteria is maintained. The proposed change does not involve any physical changes to the design of the CFCUs or supporting systems. The operation of the CFCUs is not altered by the proposed extension to the AOT. The ability of the remaining TS required CFCUs to mitigate the effects and consequences of an accident is not affected because no additional single failures are postulated while equipment is inoperable within the TS AOT.

As demonstrated by the discussion of the deterministic issues above, the length of the AOT for inoperability of one or two CFCUs is appropriately a risk informed decision.

2. The impact of the proposed change is consistent with the principle that sufficient safety margins are maintained.

For the extended AOT associated with one or two CFCUs inoperable while the unit is in Mode 1, 2, 3, or 4, the plant remains in a condition for which it has already been analyzed; therefore, from a deterministic perspective, these changes are acceptable.

LR N17 0263

5

Both the current seven day AOT and the proposed 14 day AOT are based on a plant specific analyses discussed in Section 3.1 to Attachment 1 of LR N16 0173. To ensure proper CFCU thermal performance, the CFCUs are periodically inspected and cleaned.

Per TS Surveillance Requirement 4.6.2.3, water flows and air dampers are periodically tested to ensure that the design basis Service Water flow is achieved and that the necessary air dampers open or close as required.

a. Codes and Standards or alternatives approved for use by the NRC are met.

The design and operation of the CFCUs are not changed by the proposed increase in allowed outage time for one or two inoperable CFCUs. The proposed change does not affect conformance with applicable codes and standards.

b. Safety analysis acceptance criteria in the FSAR are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties The safety analyses acceptance criteria stated in the Salem UFSAR are unaffected by the proposed changes. Three CFCUs are sufficient for the mitigation of the design basis accident. Only three CFCUs are utilized in the Chapter 15 accident analyses, and this minimum heat transfer capability is not diminished by the proposed license amendment. The proposed change will not cause the plant to be operated outside its designed configuration. Both Service Water flow and air flow are confirmed as a matter of normal routine surveillance.

Safety margins are not impacted by the proposed change of AOT for one or two CFCUs out of service.

RAISBPB2 The licensee stated, in Section 4.4.1 of Attachment 1 to the application, that maintenance practices involve protecting other equipment coincident with maintenance being performed on the CFCUs. If two CFCUs are unavailable, PSEG procedures require the other CFCUs and one containment spray pump to be protected to prevent concurrent unavailability. In addition, procedures direct the plant personnel to routinely monitor various maintenance configurations and protect equipment that could lead to an elevated risk condition (e.g., red risk condition) if it were to become unavailable due to unplanned or emergent conditions. The licensee stated that this is normally accomplished using a predictive PRA software tool based on the PRA model of record (i.e., equipment out of service configuration risk monitor program from the Electric Power Research Institute). The licensee stated that, based on the very small risk increase involving the configuration analyzed in this LAR, there is no further need for additional compensatory measures or quantification other than the existing programs stated above.

As noted above, given the condition that two CFCUs are unavailable, PSEG plans to protect the other three CFCUs and one containment spray pump. However, support systems for the CFCUs and containment spray pump are not specifically stated as being protected. Provide a complete list of protected equipment which may include the CFCU and containment spray system support systems, such as cooling water, cooling water accumulators, essential room cooling and or chillers, alternating current and/or direct current electrical buses, on site emergency diesel generators, and switchyard components/breakers, etc..

LR N17 0263

6

PSEG Response The on line risk assessment is a blended approach using qualitative or defense in depth considerations and quantifiable PRA risk insights when available to complement the qualitative assessment. Salem communicates on line plant risk using three risk tiers (GREEN, YELLOW, and RED).

As discussed in Section 3.4 of LR N16 0173, the on line risk level for both Salem Units will remain GREEN when two CFCUs are unavailable. In order to ensure the continued containment cooling capacity provided by three CFCUs, the primary compensatory measure for two CFCUs unavailable is to protect the remaining three CFCUs and a Containment Spray pump. Protection of the CFCUs includes CFCU breakers and the 78 Mechanical Penetration area, which contains the valves controlling service water flow to the CFCUs.

Additionally, the PSEG protected equipment program requires redundant equipment to be protected prior to removal of SSCs from service if plant configuration is such that a single piece of redundant equipment unavailability or manipulation would cause an entry into Technical Specification 3.0.3 or a Technical Specification required action to be in Hot Shutdown in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or less. This necessarily causes the identification of Emergency Diesel Generators (EDGs), which are subsequently protected. For example, if 11CFCU is removed from service, the 1B and 1C EDG would be protected to ensure the continued availability of at least three CFCUs if a loss of offsite power (LOOP) occurs.

Protecting equipment requires posting of signs and robust barriers in order to alert personnel not to approach the protected equipment. The protected equipment postings are walked down each shift by the duty operators. Work on protected equipment is generally disallowed. Minor exceptions exist for activities such as Operator rounds, security patrols, or emergency operations. Other exceptions must be authorized by the station shift manager in writing.

Inadvertent operation will be prevented by the protected equipment program.

Protection of a CFCU typically involves placing barriers on the CFCU bezel in the control room, and the CFCU breaker and control power breakers. Protecting the 78 Mechanical Penetration area, which contains the valves controlling service water flow to the CFCUs, typically includes placing a barrier, with signage across the stairs leading to the area. Protecting a Containment Spray pump typically includes placing retractable tape and signs on the perimeter of the CS Pump, and placing barriers on the CS Pump bezel in the control room, the control switch for the associated CS Room Cooler, the CS Pump Breaker door handle and control power breakers, and the CS Room Cooler Breaker. Protecting an EDG typically includes placing tape and signs across the entries to the EDG engine room and control room, and placing barriers on the EDG bezel in the control room, the EDG breaker and control power breakers.

PRA Licensing Branch (APLA)

The proposed extended AOT is based, in part, on application of the Salem PRA in support of a risk informed extension. The risk evaluation and deterministic engineering analysis supporting the proposed change have been developed in accordance with the guidelines established in RG 1.177. When a licensee requests an amendment to its license that involves a risk informed change to the TSs, RG 1.177 states that when the risk associated with a particular hazard group or operating mode would affect the decision being made, it is the Commissions policy that, if a staff endorsed PRA standard exists for that hazard group or operating mode, then the risk will be assessed using a PRA that meets that standard. Through RG 1.200, Revision 2, An

LR N17 0263

7

Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk Informed Activities, the NRC endorsed, with clarifications and qualifications, the industry standard ASME/ANS RA Sa 2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. In general, the staff anticipates that current good practice, i.e., Capability Category II of the ASME/ANS standard, is the level of detail that is adequate for the majority of applications.

The licensee peer reviewed its base PRA model against an earlier version of the industry standard (RA Sb 2005). In accordance with RG 1.200, Revision 2, the licensee identified and addressed differences in the supporting requirements (SRs) that were revised between the 2005 and the 2009 versions of the ASME PRA standard. In addition, the licensee performed a gap assessment, against the NRC clarifications in Appendix A of RG 1.200, Revision 2, in order to ensure the PRA meets the current standard. The peer review assesses the PRA model and all applicable supporting documentation against the applicable SRs in the standard. As part of its application, the licensee included tables indicating the Capability Category to which each applicable SR was met, a summary of the findings and observations (F&Os) for each SR that was not met to Capability Category II or higher, and the licensees resolutions of the F&Os.

APLARAI1 As part of the NRC staffs review of the technical acceptability of the licensees PRA, the staff reviewed all applicable open F&Os for satisfactory resolution. In F&O Tables 4 1 through 4 8 in of the LAR, many of the resolution statements for SRs that do not meet Capability Category II or higher indicate that the basis for resolution is contained in a separate document not submitted with the LAR. In addition, these resolution statements contain little or no further justification describing why the applicable SR is now met at a satisfactory level. The information supplied by the licensee in the F&O tables for these SRs is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&Os. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. A discussion justifying, including any applicable supporting documentation, why each of the following SRs (corresponding to the SR nomenclature from RA Sa 2009) are met at Capability Category II or higher given the stated resolution:

IE A1 IE A8 IE C6 IE C12 SC B4 SC B5 SY A6 SY B3 SY B4 SY B6 SY B10 HR F2 DA C4 DA C12

LR N17 0263

8

DA C13 DA C14 DA D3 QU B10 QU D3 QU D4 QU D6 QU D7 IFSN A1 IFSN A8 Or

2. A detailed justification discussing why not meeting the above SRs, or meeting the SRs at Capability Category I is sufficient for this application.

PSEG Response:

Additional explanation is added to the F&O Tables in section 4 of Enclosure 1 of the LAR for those Supporting Requirements (SRs) listed above to show further evidence how they were satisfactorily resolved:

LR N17 0263

9

Table 41 Assessment of Supporting Requirement Capability Categories for Initiating Events Analysis RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution IE A1 IE A1 SR Not Met IE A1 01 The plant specific search only addresses supporting systems. The listing is not encompassing of possible plant specific initiators found at other plants such as a loss of charging (impact on RCP seal cooling). Loss of charging would lead to a reactor trip and would decrease redundancy for RCP seal cooling.

Table 2 2 in the IE notebook (SA PRA 001), which was revised during the 2012 PRA model update, lists the basis for certain events not being a unique plant trip initiator. For the case in which the charging system is lost, this leads to a slowly developing transient that can be easily accommodated with high reliability using plant response procedures to avoid an unnecessary plant transient event.

In addition, the application for extending the CFCU Allowed Outage Time (AOT) extension is not sensitive to this SR, since the change in risk is more sensitive to large and medium LOCAs that involve failure to establish containment sump recirculation, which make up over 70% of the risk profile.

IE A8 IE A6 SR Met:

(CC I)

IA A6 01 SA PRA Initiating Events Notebook, SA PRA 001, Revision 0, Section 2.1.2 does not indicate that plant operations, maintenance, engineering, and safety analysis personnel were interviewed or included in the review process for the initiating events notebook to determine if potential initiating events have been overlooked.

A Maintenance Rule Expert Panel meeting was held on 10/5/2012 to review the updated Initiating Events Notebook with plant personnel representing plant operations, maintenance, engineering and safety analysis in order to determine if potential initiating events had been overlooked. Some of the items discussed during the interview included:

  • Grassing events were appropriately binned as %Tp initiators
  • Loss of non vital bus G needed to be added as a %Tt initiator
  • The plant shutdown in July 2011 that was related to the SJ10 cracked weld needed to be identified
  • The appropriateness of binning spurious SI trips with an existing initiator
  • Loss of a 4kV vital bus does not directly lead to a plant trip
  • Manual shutdowns should not be credited in the transient initiating event category In addition, the application for extending the CFCU AOT extension is not sensitive to this SR, since the change in risk is more sensitive to LOCAs.

IE C6 IE C4 SR Not Met IE A1 01 Quantitative screening does not appear to be performed, based on a review of the Salem SA PRA 001, Revision 0 notebook.

Therefore, subsection a) and b) of this SR are considered met.

However, subsection c) of this SR does not appear to be met as noted in the e review for SR IE A1, some events that require the plant to be shut down due to technical specifications were screened (e.g., loss of a 4KV bus).

Based on discussions with plant personnel (see response to IE A6

01), it was determined that loss of 4kV non vital buses affect the balance of plant operations and lead to an eventual turbine trip, which is accounted for in the event frequency for turbine trip (%Tt).

Loss of a 4kV vital bus can lead to unavailability of standby ECCS equipment, but it does not lead to an automatic plant trip. As such, this was not considered a possible transient event. This was documented in Table 2 2 of the Initiating Events Notebook (SA

PRA 001). In addition, the application for extending the CFCU AOT extension is not sensitive to this SR, since the change in risk is more sensitive to LOCAs.

LR N17 0263

10

Table 41 Assessment of Supporting Requirement Capability Categories for Initiating Events Analysis RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution IE C12 IE C10 SR Met IE C10 01 Tables 3 6 and 3 7 contain a comparison of the initiator frequencies used in the Salem model as compared with NUREG/CR 5750.

However, there is no comparison with other sources. Since many of the frequencies used in the Salem model use the same frequencies used in the Salem model as compared with NUREG/CR 5750.

However, there is no comparison with other sources. Since many of the frequencies used in the Salem model use the same frequencies from NUREG/CR 5750, such as the LOCAs, the tables should be updated with a comparison with other similar plants.

Tables 2 5, 2 6 and 2 7 in the Initiating Events Notebook (SA PRA

001) provide event types, along with their descriptions, for the South Texas Project, Watts Bar Project and Surry Project, respectively.

This data is given in order to provide the reader with other categorization schemes for similar plants to which the Salem plant may be compared. It was shown that these categorization schemes for initiating events are consistent with the Salem PRA model.

Additionally, most of the IEs now use the newer and frequently updated NRC work associated with NUREG/CR 6928.

Table 43 Assessment of Supporting Requirement Capability Categories for Success Criteria RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary Summary of Resolution SC

B4 SC

B4 SR Not Met SC B4 01 The MAAP Thermal Hydraulic Calculations Notebook (SA

PRA 007, Revision 1), Sections 1.2 and 1.3 provide a discussion of the codes available and the advantages associated with using MAAP, respectively. However, MAAP is used in establishing large LOCA success criteria, although the code is not suitable for analysis of this plant upset. A discussion of code limitations is not provided.

Section 1.3 of the Success Criteria Notebook (SA PRA 003) discusses the limitations of the MAAP computer code. Relative to the Salem Generating Station, this means that the minimum systems required to mitigate a large break LOCA should be based on a source other than MAAP. In this case, the success criteria was defined using analyses related to the plants licensing basis. Other code limitations were listed in Table 1 2 of this notebook.

Although there are limitations with MAAP regarding the initial phase of a large break LOCA due to issues with flow reversal, MAAP was not used for establishing the success criteria until after core reflood is complete. Since CFCUs are more important for long term heat removal during the sump recirculation phase of a LOCA scenario, MAAP is capable of modeling the mass and energy balance within containment during this phase of the accident scenario since the core would certainly have been reflooded by this time. As such, the use of MAAP is adequate for establishing the success criteria for long term containment heat removal.

SC

B5 SC

B5 SR Not Met SC B5 01 A check of the reasonableness and acceptability of the success criteria results is not documented.

Table 2 1 of SA PRA 003 provides a summary of the overall success criteria for the Salem Generating Station for In Vessel Core Cooling, RCS Integrity, and Containment Integrity. Table 2 2 of this notebook shows the general success criteria for the Byron and Braidwood nuclear stations, which reveals that Salems success criteria is consistent with other Westinghouse plants.

LR N17 0263

11

Table 44 Assessment of Supporting Requirement Capability Categories for Systems Analysis RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution SY A6 SY A6 SR Not Met SY A6 01 The system notebooks do not provide definitive explanation of boundary information and do not provide illustration of modeled components.

The System Model Notebooks (SA PRA 005.0001 .0020) were revised to more clearly define system boundaries of modeled systems using one line diagrams depicted in Section 2.3 of these notebooks. For example, for the Safety Injection (SI) system, the system boundary includes all of the components in the SI system whose failure could potentially prevent water from reaching the RCS, but the system boundaries do not branch into the other ECCS systems. Figure 2 1 in this system notebook shows a diagram of the SI system boundary, and various highlighted colors show the different modes of operation of SI. Not all of the components highlighted along the paths were modeled in the PRA. For example, many valves are not modeled because their failure does not prevent water from being injected into the core. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

SY B3 SY B3 SR Not Met SY B3 01 For some cases the selection of CCF combinations are not complete and those selected are not the most limiting.

Industry common cause failure data is collected from the NRC/INL Common Cause Database [CCF Parameter Estimations, 2012 Update]. Due to the relative rarity of common cause events, generic data is used for the Salem PRA model. The Alpha

Factor Methodology was used for common cause modeling in the Salem PRA. Mean values for the alpha factors were obtained and used to determine the Common Cause Factor, which is input into the CAFTA BE database Factor field. A few CCF events were determined using sources other than the NRC/INL data.

In particular, to address the issue of completeness regarding various combination of failures, and due to the small probabilities and uncertainty that is involved with interim CCF combinations involving a population size of 6, it was deemed adequate in modeling the 2 of 6 (loss of one division), 4 of 6 (loss of two divisions), and 6 of 6 event combinations (loss of all three divisions) in estimating the total risk associated with DC battery charger common cause failures. The common cause modeling was limited to only those combinations that are consequential and important to risk. Refer to Appendix D of the Data Notebook (SA PRA 010) for further details. In general, this SR is not sensitive to this application in extending the CFCU Technical Specification AOT, especially since the common cause failure probability for failure of the other remaining three CFCUs was elevated to a probability of 0.82.

SY B4 SY B4 SR Not Met SY B3 01 Some combinations are absent which when using MGL can underestimate the CCF contribution.

The MGL parameter model was not used for common cause failure probabilities used in the Salem PRA model. Instead, the Alpha Factor Methodology was used. As stated in the response for SY B3 01, certain interim combinations for DC battery chargers involving a population size of 6 were omitted due to their small probabilities and inherent uncertainty, with only the important common cause combinations being retained, e.g., 2 of 6, 4 of 6, and 6 of 6. As stated in the response for SY B3 01, this SR is not sensitive to this application in extending the CFCU Technical Specification AOT, especially since the common cause failure probability for failure of the other remaining three CFCUs was elevated to a probability of 0.82.

LR N17 0263

12

Table 44 Assessment of Supporting Requirement Capability Categories for Systems Analysis RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution SY B6 SY B6 SR Not Met SY B6 01 No analysis documented.

No documentation provided related to analysis of support system requirements. There appears to be no analysis of support system requirements concurrent with their definition in the system notebooks. Perform the required engineering analysis.

As part of the 2012 PRA Update, all PRA System Notebooks were revised to follow a more consistent outline with information better organized to allow a more effective review and understanding of the documentation including sections on shared/required systems. In addressing this particular SR, section 4.4 in each PRA System Notebook (SA PRA 005.0001 .0020 series) documents the support system requirements and dependencies for all modeled system components in the PRA model. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because it is a documentation issue and not a modeling issue.

SY

B10 SY

B11 SR Not Met SY B11 01 Some AFW signals (SI, LOSP) are not defined and no justification for exclusion is provided.

This issue was addressed as part of the 2012 PRA Update. In particular, the AFW system and SI actuation logic and automatic initiation signals were reviewed and revisions made and additional logic added to the PRA model where appropriate.

Specifically, Section 2.6 of the AFW PRA System Notebooks (SA PRA 005.0001) documents the actuation signals that are modeled in the PRA for automatic system actuation.

Table 45 Assessment Of Supporting Requirement Capability Categories For Human Reliability Analysis RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution HR F2 HR F2 SR Not Met HR F2 01, HR

F2 02 The accident sequence specific timing of time window for successful completion for CCS XHE FO ISOLT is based on a calculation that does not address leakage. The calculation S CC

MDC 2111 is for loss of Service Water and does not address leakage of the Component Cooling Water System. The time window should account for leakage that would drain the CCW system and make it inoperable. This is the limiting time since the CCW system will continue to cool with the leak until the surge tank is drained. Other examples of problems with timing are the lack of documentation for the timing used. This is noted in HRAs:

CIS XHE FC XLCNT, AND MSS XHE FO MS10. It should be noted that only a sampling was performed and that this may involve many more HRA analysis.

The HRA Notebook (SA PRA 004) has been revised as part of the 2012 PRA update that resulted in the SA112A PRA model.

The notebook now describes the available system windows for operator intervention and use of cues for all the important and risk significant Human Error Probability (HEP) events. With regard to the specific comments made against this SR, event CCS XHE FO ISOLT is no longer being used in the PRA model, as it was a legacy event that no longer applies to the current treatment of internal flood mitigation. Events CIS XHE FC

XLCNT and MSS XHE FO MS10 were analyzed in detail with justification cited for the system time window that was used in developing the human error probability. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

LR N17 0263

13

Table 46 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra

Sa

2009 SR #

Ra

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary Of Resolution DA C4 DA C4 SR Not Met DA C4 01 Documentation describing the process of evaluating maintenance records was identified in a draft procedure. All failures must be reviewed for applicability to the PRA model and this process should be documented. All plant specific data came from MSPI or the Maintenance Rule, however there was no documentation provided that these failures were reviewed as PRA failures.

Formal procedures now currently exist that describe the PRA update process, including what data collection is required. Actual plant

specific failure and unavailability data were obtained from the Salem Maintenance Rule and MSPI programs. In accordance with ER AA

600 1015, plant specific updating of data should be considered for those events that satisfy either a Fussell Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0.

As a matter of practice, all MSPI monitored components, whether risk significant or not, use plant specific data to inform the generic industry data (i.e., Bayesian analysis). For other components deemed risk significant, an importance measures report was generated from a CDF cutset listing and a review made of those non MSPI applicable basic events that exceeded this criteria. The associated type codes for these basic events were then identified and were listed in Table 7 1 of the PRA Data Notebook (SA PRA

010) to determine the type of plant components for which plant specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table 7 1 to support a Bayesian update of the generic data. For failure rates that are time dependent, e.g.,

standby failure rates, it was also necessary to record the critical operating hours for Salem Unit 1 and Unit 2, which are listed in Table 7 2 of the Data Notebook for the time period from July 2012 to September 2016. Further details may be found in the PRA Data Notebook (SA PRA 010).

LR N17 0263

14

Table 46 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra

Sa

2009 SR #

Ra

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary Of Resolution DA C12 DA

C11a SR Not Met DA C11a 01 Documentation describing the process of how to count maintenance unavailability was not identified. Plant Specific unavailability was only documented for MSPI components which identifies the unavailability for support and frontline systems separately, however it could not be determined that this was the case throughout the model without a specific guidance document.

As part of the enhancements made during the 2012 PRA update, the process used for counting maintenance unavailabilities was more clearly described in the Salem PRA Data Notebook (SA PRA

010). In particular, Section 8.0 of SA PRA 010 states that unavailability due to test and maintenance was collected from plant records. Specifically, Maintenance Rule and MSPI unavailability data was used to determine train and component unavailability for use in the PRA. Generic industry unavailability data was only used when no other information was available. Salem MRule Manager software and MSPI Derivation Reports for Unavailability Index were used as the primary sources of plant specific component and/or train unavailability. Because maintenance practices change over time, the best representation of the current plant practices would be seen in the most current data. This being the case, unavailability data was only collected and analyzed for the last 3 years, March 2012 through February 2015. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because it is a documentation issue, not a quantification issue.

DA C13 DA C12 SR Not Met DA C12 01 While a table of critical hours was provided and the Maintenance Unavailability Table provided in Appendix C appears to address these hours there was no specific documentation or guidance document provided that discusses how maintenance was treated for shared systems.

Maintenance unavailabilities for shared systems between the two units was addressed in Section 8.1 of the Salem Data Notebook (SA PRA 010). Specifically, since some of the Maintenance Rule data was for shared systems (e.g., ECAC, GTG), common critical hours were needed. Common critical hours (denoted as C Hours) were calculated by determining the time during which either unit was critical. With regard to outage durations, it was assumed that the C critical hours were the greater of the two units critical hours for any months during which both plants were not critical 100% of the time (e.g., April 2012). If both units were critical for the entire month, the C hours would be the number of hours in the month. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because it is a documentation issue, not a quantification issue.

LR N17 0263

15

Table 46 Assessment Of Supporting Requirement Capability Categories For Data Analysis Ra

Sa

2009 SR #

Ra

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary Of Resolution DA C14 DA C13 SR Not Met DA C13 01 Coincident unavailability for service water pumps was modeled as shown in Appendix C of the Data Analysis Notebook, however, no overall guidance document could be found to ensure all systems were reviewed for coincident unavailability.

A paragraph was added to section 8.2 of the Data Notebook (SA

PRA 010) to document the treatment of concurrent unavailability for SW. Also, Note 12 was added at the bottom of Table C 1 in Appendix C of SA PRA 010 to denote the actual unavailability values that were used. In general, for other plant systems, the plant records that were reviewed revealed that coincident unavailability amongst safety related trains was non existent, but because of the number of SW pumps that exist at Salem (a total of six), it would be possible that a pair of SW pumps could be simultaneously taken out for maintenance. However, since the time period of interest did not show any such occurrence, legacy values used in previous versions of the PRA for dual maintenance unavailabilities amongst the SW pumps were maintained. Future versions to the ASME PRA Standard allude to the fact that dual maintenance terms can be excluded if supporting data exists DA D3 DA D3 SR Met: (CC I)

DA D3 01 Observations of SA PRA 010, Table A 1. Mean values were provided along with error factors for most distributions.

All parameters identified in Table A 1 of SA PRA 010 now have a reference provided to show traceability of information. Table A 1 is a listing of the generic failure rates and probabilities that were used in the Salem PRA model, and were obtained primarily from the 2010 update to NUREG/CR 6928. For those components where NUREG/CR 6928 could not be used, other appropriate sources were used, such as NUCLARR, NUREG/CR 2728, NUREG/CR

5500, and legacy values from earlier Salem PRA models. In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

LR N17 0263

16

Table 47 Assessment of Supporting Requirement Capability Categories for Quantification RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution QU B10 QU B9 SR Not Met QU B9 01 Split fractions and undeveloped events are included in the model. Examples include main Feedwater availability for ATWS (MFI UNAVAILABLE) and some Unit 2 systems credited for recovery of Unit 1 CAV failure (G2SW22). The derivation of the values for these events is not documented to allow determination that consideration has been given to the impact of shared events.

Split fractions such as the ones mentioned in the summary description (MFI UNAVAILABLE and G2SW22) are listed in Table A 2 of the PRA Data Notebook (SA PRA 010) that was revised during the 2012 PRA model update (SA112A) along with references to document the basis of their values. The split fraction for unavailability of feedwater during an ATWS event was obtained from WCAP 11992. The estimated value for event G2SW22, which represents insufficient flow from the opposite unit Service Water header, was obtained by quantifying a gate in the PRA model (G1CC324) that explicitly models unavailability of the 12 SW header.

QU D3 QU D1c SR Not Met QU A4 01 There is no discussion in the quantification notebook SA

PRA 2008 01, Revision 4.1 that indicates this review was completed.

Recovery events that were no longer applicable were removed from the recovery model logic during the 2012 PRA model update (SA112A). The use of recovery files is discussed in Section 5.3 of the Quantification notebook (SA PRA 014). The offsite power non

recoveries are discussed in Appendix D of the Accident Sequence Notebook (SA PRA 002). In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT.

QU D4 QU D3 SR Met: (CC I)

QU D3 01 This is a Capability Category I since there is no documentation to indicate that the Salem results were compared to the results of a similar plant.

In Tables 2 5 to 2 7 of Section 2.3 of the Initiating Events notebook (SA PRA 001) a comparison was made to the initiating events used for other PWR PRA models, i.e., South Texas Project, Watts Bar, and Surry to show that there were no applicable event categories that would have been omitted from the Salem PRA model. Also, the success criteria used for the Salem PRA model was benchmarked against the success criteria used for the Byron and Braidwood PRA models in Table 2 2 of the Success Criteria Notebook (SA PRA

003). Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

QU D6 QU D5a SR Not Met QU F2 01 This requirement was not met because the importance of components and basic events was not performed. There is no definition of significant contributors to CDF. No documentation of an analysis for significant contributors to CDF.

A description of top 25 cutsets related to CDF are discussed in Section 6 of the Quantification Notebook (SA PRA 014), which includes those SSCs and operator actions that contribute to event frequencies and mitigation. Also, Appendix D of SA PRA 014 discusses the dominant CDF and LERF accident sequences, including a discussion of the type of initiating event and associated SSC failures and operator actions. Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

LR N17 0263

17

Table 47 Assessment of Supporting Requirement Capability Categories for Quantification RA

Sa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution QU D7 QU D5b SR Not Met QU F2 01 This requirement was not met because the importance of components and basic events was not performed.

A listing of the importance measures for CDF is presented in Section 7 of the Quantification Notebook (SA PRA 014), and an analysis of the baseline results for CDF and LERF for the SA115A PRA model are discussed in Appendix F of SA PRA 014. Appendix H discusses the results for LERF as well as the other detailed Level 2 release categories. The review of these results showed that they make logical sense. Also, since this is a documentation issue, there is no impact on the results for this license amendment request in extending the CFCU AOT.

Table 48 Assessment of Supporting Requirement Capability Categories for Internal Flood RASa

2009 SR #

RA

Sb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution IFSN A1 IF C1 SR Not Met IF C1 01 Propagation paths for areas are defined for highly risk

significant cases only.

An independent assessment was performed to investigate the merit of this peer review finding that deals with propagation pathways and the possible existence of other scenarios that were not already considered or perhaps that were subsumed by other scenarios. The independent study revealed that there were no other postulated scenarios that were not already considered, or that were more severe than those currently being modeled in the internal flood PRA. The details and results of this analysis are documented in Risk Application SA MISC 005 (Resolution of Internal Flood Peer Review Comments). In addition, the issue associated with this SR is not sensitive to this application in extending the CFCU Technical Specification AOT because these scenarios are all transients and this particular application is more sensitive to LOCA scenarios.

IFSN A8 IF C3b SR Met: (CC I)

IF C3b 01 Identification of propagation paths for each flood area is not present in documentation.

See response for F&O IF C1 01, since both F&Os are related to the same issue.

LR N17 0263

18

APLARAI2 Supporting requirement DA C2 of ASME/ANS RA Sa 2009 specifies that licensees collect plant

specific data for the basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2. The issue identified in the F&O corresponding to DA C2 in Table 4 6 of Enclosure 1 of the LAR states that the licensee only collected plant specific data for Mitigating Systems Performance Index (MSPI) components but that a draft licensee procedure provided during the peer review requires that plant specific data be supplied for all Systems, Structures, Components (SSCs) with Risk Achievement Worths (RAWs) > 2 and Fussell Vesely (F V's) > 0.005. It is not clear how the resolution provided by the licensee addresses the specific concern that plant specific data (as defined in the SRs) be supplied for all SSCs with RAWs > 2 and F V's > 0.005 as directed by plant procedure. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. Clarification on whether the resolution indicated includes collecting plant specific data (for all basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2) as indicated in the F&O and not just MSPI components, or
2. A detailed justification discussing why not meeting SR DA C2 is sufficient for this application.

PSEG Response:

Plant specific data for all basic event/parameter grouping corresponding to that defined by supporting requirements DA A1, DA A3, DA A4, DA B1, and DA B2 were collected. Using PSEG procedure ER AA 600 1015, and in accordance with Supporting Requirement DA D1 of the PRA Standard (ASME/ANS RA Sa 2009), plant specific updating of data should be considered for those events that satisfy either a Fussell Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0. An importance measures report was generated from a CDF cutset listing and a review made of those non MSPI applicable basic events that exceeded this criteria. The associated type codes for these basic events were then identified and are listed in Table RAI 2 1 to determine the type of plant components for which plant specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table RAI 2 1 to support a Bayesian update of the generic data. For failure rates that are time dependent, e.g., standby failure rates, it was also necessary to record the critical operating hours for Salem Unit 1 and Unit 2, which are listed in Table RAI 2 2 for the time period from July 2012 to September 2016.

This process was performed in support of the update for the SA115A PRA model.

LR N17 0263

19

TABLE RAI21 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES Risk Significant SA115A Type Code Description Functional Failure Recorded?

(Y or N)

  1. Failures Recorded
  1. Hours or Demands from July 2012 to September 2016 Comments AC1BACLP AC BUS LOSS OF POWER N

AC2BACLP AC BUS LOSS OF POWER N

AC2BKRCO CIRCUIT BREAKER (GENERAL) FAILS TO REMAIN CLOSED N

AC4BACLP AC BUS LOSS OF POWER N

AC4BKRCC CIRCUIT BREAKER (GENERAL) FAILS TO OPEN N

AC4BKRCO CIRCUIT BREAKER (GENERAL) FAILS TO REMAIN CLOSED N

AC4CKVCC CHECK VALVE FAILS TO OPEN N

AC4MDPFR MOTOR DRIVEN PUMP FAILS TO CONTINUE OPERATING N

AC4MDPFS MOTOR DRIVEN PUMP FAILS TO START N

AC4TFMLP TRANSFORMER LOSS OF POWER N

AC5BACST AC BUS SHORT CIRCUIT N

AC5GTSFS GAS TURBINE GENERATOR FAILS TO START Y

5 51 Salem Jet tested monthly; fail to start type code updated even though fail to run type code was significant.

AFSAOVCC AIR OPERATED VALVE FAILS TO OPEN N

CCSHTXLK WATER/STEAM HEAT EXCHANGER EXTERNAL LEAKAGE N

CCSHTXPG WATER/STEAM HEAT EXCHANGER PLUGGED (DURING OPERATION)

N

LR N17 0263

20

TABLE RAI21 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES Risk Significant SA115A Type Code Description Functional Failure Recorded?

(Y or N)

  1. Failures Recorded
  1. Hours or Demands from July 2012 to September 2016 Comments CCSHTXPL WATER/STEAM HEAT EXCHANGER PLUGGED (DURING STANDBY)

N CCSTSTNO TEMP ELEMENT/

TRANSMITTER/ SWITCH FAILURE N

CCSXVMOO MANUAL VALVE FAILS TO CLOSE N

CVSAOVOC AIR OPERATED VALVE FAILS TO REMAIN OPEN Y

1 33015.6 Exposure time based on critical operation for Unit 2.

CVSDPTNO DIFFERENTIAL PRESSURE SENSOR/TRANSMITTER NO OUTPUT N

DCPBATNO BATTERY (GENERAL)

LOSS OF POWER N

DCPBDCLP DC BUS LOSS OF POWER N

DCPBDCTM DC BUS IN TEST AND MAINTENANCE N

DCPBKRCO CIRCUIT BREAKER (GENERAL) FAILS TO REMAIN CLOSED N

DCPCHGFR 125 VDC Charger Failure N

DCPFUSSA FUSE OPEN N

DGSDGBFS BALDOR DIESEL GENERATOR FAILS TO START Y

1 17 Baldor DG tested quarterly; fail to start type code updated even though fail to run type code was significant.

ESFLOGFC LOGIC CIRCUIT FAILS N

ESFSEQFC LOAD SEQUENCER FAILS TO OPERATE N

MSSAOVOO AIR OPERATED VALVE FAILS TO CLOSE N

LR N17 0263

21

TABLE RAI21 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES Risk Significant SA115A Type Code Description Functional Failure Recorded?

(Y or N)

  1. Failures Recorded
  1. Hours or Demands from July 2012 to September 2016 Comments RHSMOVCC MOTOR OPERATED VALVE FAILS TO OPEN N

SJSCKVCC CHECK VALVE FAILS TO OPEN N

SJSMOVPL MOTOR OPERATED VALVE PLUGGED (DURING STANDBY)

N SJSTNKVF TANK FAILS N

SRVPRVOO PORV VALVE FAILS TO CLOSE ON PRESSURE RELIEF N

SWSCKVCC CHECK VALVE FAILS TO OPEN N

SWSCKVOC CHECK VALVE FAILS TO REMAIN OPEN N

SWSMOVOC MOTOR OPERATED VALVE FAILS TO REMAIN OPEN N

VASACXFR STANDBY PUMP ROOM COOLER FAILS TO RUN N

VASACXFS STANDBY PUMP ROOM COOLER FAILS TO START N

VDGFNSFR STANDBY FAN OR BLOWER FAILS TO CONTINUE OPERATING N

VDGFNSFS STANDBY FAN OR BLOWER FAILS TO START Y

1 306 4160 VAC EDGs are tested monthly; estimate at least 6 total demands per month since there are a total of 6 ventilation fans; run failures assumed to be equivalent to start failures.

LR N17 0263

22

TABLE RAI21 RISK SIGNIFICANT COMPONENTS AND FUNCTIONAL FAILURES Risk Significant SA115A Type Code Description Functional Failure Recorded?

(Y or N)

  1. Failures Recorded
  1. Hours or Demands from July 2012 to September 2016 Comments VDGPNDCC AIR OPERATED DAMPER FAILS TO OPEN N

TABLE RAI22 CRITICAL HOURS FOR PLANT SPECIFIC DATA Month U1 Crit Hrs U2 Crit Hrs Common Crit Hrs 3/1/2012 743 658.85 743 4/1/2012 706.05 720 720 5/1/2012 602.25 744 744 6/1/2012 720 720 720 7/1/2012 744 744 744 8/1/2012 744 744 744 9/1/2012 720 720 720 10/1/2012 697.15 332 697.15 11/1/2012 693.72 297.37 693.72 12/1/2012 725.63 744 744 1/1/2013 744 744 744 2/1/2013 672 672 672 3/1/2013 743 743 743 4/1/2013 332 720 720 5/1/2013 229.57 744 744 6/1/2013 720 720 720 7/1/2013 744 744 744 8/1/2013 709.5 744 744 9/1/2013 720 720 720 10/1/2013 744 744 744 11/1/2013 721 721 721 12/1/2013 744 744 744 1/1/2014 744 730.02 744 2/1/2014 672 648.87 672 3/1/2014 743 743 743 4/1/2014 608.5 284 608.5

LR N17 0263

23

TABLE RAI22 CRITICAL HOURS FOR PLANT SPECIFIC DATA Month U1 Crit Hrs U2 Crit Hrs Common Crit Hrs 5/1/2014 661.18 0

661.18 6/1/2014 720 0

720 7/1/2014 744 449.78 744 8/1/2014 744 744 744 9/1/2014 720 720 720 10/1/2014 452.85 744 744 11/1/2014 225.22 721 721 12/1/2014 744 744 744 1/1/2015 744 744 744 2/1/2015 672 672 672 3/1/2015 590.4 743 743 4/1/2015 565.42 720 720 5/1/2015 744 744 744 6/1/2015 720 720 720 7/1/2015 744 744 744 8/1/2015 744 672.33 744 9/1/2015 720 720 720 10/1/2015 744 524 744 11/1/2015 721 78.58 721 12/1/2015 744 744 744 1/1/2016 744 744 744 2/1/2016 696 644.45 696 3/1/2016 743 743 743 4/1/2016 332 720 720 5/1/2016 0

744 744 6/1/2016 0

652.38 652.38 7/1/2016 67.57 734.27 734.27 8/1/2016 744 735.2 744 9/1/2016 720 602.32 720 Total 24113.62 23128.89 26011.55 Since most of the risk significant equipment type codes did not experience any applicable failures, they were not required to be updated, and generic industry data was considered sufficient. While this approach is slightly conservative, since it does not account for small periods of successful operation, it is still consistent with DA A1, Capability Category II.

However, there were four equipment type codes against which failures were recorded, and these type codes were updated using Bayesian techniques. The results are shown in Table RAI 2 3:

LR N17 0263

24

Table RAI23 Plant Specific Data Update for Risk Significant Type Codes Description Type Code NUREG/CR

6928 (2010 Update)

Mean Failure Rate (per year or per demand)

Type of Dist.

Prior Prior

  1. Failures Experienced
  1. Hours or Demands from July 2012 to September 2016 Posterior Posterior Posterior Mean Variance Comments Combustion Turbine Fails to Start (NUREG/CR 6928, 2010 Update)

CTG FTS 1.56E 02 Beta 10.5 6.629E+02 5

51 15.5 7.139E+02 2.13E 02 2.85E 05 Salem Jet tested monthly; fail to start type code updated even though fail to run type code was significant.

Combustion Turbine Fails to Load/Run (NUREG/CR 6928, 2010 Update)

CTG FTLR 1.60E 05 Beta 2.5 1.563E+05 None Same as Prior Distribution Combustion Turbine Fails to Start (Combined)

AC5GTSFS Beta 2.13E02 2.86E05 Air Operated Valve Spurious Operation (NUREG/CR 6928, 2010 Update)

AOV SOP 1.31E 07 Gamma 0.680 5.211E+06 1

33015.6 1.68 5.244E+06 3.20E 07 6.11E 14 Exposure time based on critical operation for Unit 2.

Air Operated Valve Fails to Remain Open CVSAOVOC Gamma 3.20E07 6.11E14 EDG Station Blackout Fails to Start (NUREG/CR 6928, 2010 Update)

EDG SBO FTS 4.32E 02 Beta 1.094 2.423E+01 1

17 2.094 4.123E+01 4.83E 02 1.04E 03 Baldor DG tested quarterly; fail to start type code updated even though fail to run type code was significant.

BALDOR Diesel Generator Fails to Start DGSDGBFS Beta 4.83E02 1.04E03

LR N17 0263

25

Table RAI23 Plant Specific Data Update for Risk Significant Type Codes Description Type Code NUREG/CR

6928 (2010 Update)

Mean Failure Rate (per year or per demand)

Type of Dist.

Prior Prior

  1. Failures Experienced
  1. Hours or Demands from July 2012 to September 2016 Posterior Posterior Posterior Mean Variance Comments Standby Fan Fails to Start (NUREG/CR

6928, 2010 Update)

FAN SBY FTS 8.42E 04 Beta 34.5 4.093E+04 1

306 35.5 4.124E+04 8.60E 04 2.08E 08 4160 VAC EDGs are tested monthly; estimate at least 6 total demands per month since there are a total of 6 ventilation fans; run failures assumed to be equivalent to start failures.

Standby Fan Fails to Run < 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (NUREG/CR 6928, 2010 Update)

FAN SBY FTR<1H 1.07E 03 Beta 33.5 3.125E+04 None Same as Prior Distribution Standby Fan or Blower Fails to Start (Combined)

VDGFNSFS Beta 1.93E03 5.51E08

LR N17 0263

26

APLARAI3 Supporting requirement DA C8 of ASME/ANS RA Sa 2009 specifies that for Capability Category II/III to be met, licensees should use plant specific operational records to determine the time that components were configured in their standby status. The corresponding F&O for SR DA C8 in Table 4 6 of Enclosure 1 of the LAR indicates that the licensee did not provide a basis for the estimated times that applicable components were in their standby configuration.

The licensees resolution does not indicate whether the times used for equipment configured in their standby status are derived from plant specific operational records. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk

informed applications.

Please provide one of the following:

1. Clarification on whether the equipment standby times are taken from plant specific operational records, or
2. A justification discussing why not meeting SR DA C8, or meeting SR DA C8 at Capability Category I, is sufficient for this application.

PSEG Response:

Two significant updates to the 2010 NUREG/CR 6928 [Reference 2] component reliability data sheets includes providing both the Fails to Start data for standby equipment and the Fails to Run <1 HR data with beta distribution. This allowed the data to be easily combined to determine the new Fails to Start failure rate for standby equipment. Therefore, there was no need to identify a specific number standby hours for equipment normally in a standby status, since the standby failure rate model is not used in the Salem SA112A or SA115A PRA models.

Note that Supporting Requirement DA C8 starts with the phrase: When requiredU. PSEGs use of industry standard NUREG/CR 6928 data significantly reduces this requirement.

APLARAI4 Supporting requirement DA C10 of ASME/ANS RA Sa 2009 specifies that for Capability Category II to be met, licensees should review the test procedure to determine whether a test should be credited for each possible failure mode. In addition, the licensee should count only completed tests or unplanned operational demands as success for component operation. If the component failure mode is decomposed into sub elements (or causes) that are fully tested, then the licensee should use tests that exercise specific sub elements in their evaluation. The peer review found that the SR was not met, stating in the F&O for SR DA C10 that:

Documentation describing the process of reviewing test procedures to determine surveillance test data could not be identified. No specific surveillance tests were discussed in the Data Analysis Notebook. The Systems Analysis Notebooks for specific systems described various surveillance testing, but did not reference surveillance tests by name.

LR N17 0263

27

As a resolution to the F&O, the licensee stated that:

Initiating event category tables were provided in the revised Initiating Events Notebook (SA PRA 001) to provide a benchmark comparison to ensure that Salem initiating event categories were adequate in capturing the necessary PRA initiating events. The plants compared were South Texas, Surry, and Watts Bar. No further action required.

It appears that the licensees response is not related to the issue identified in the F&O. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. A discussion describing how, in relation to the issues indicated in the F&O, the licensee meets SR DA C10 to Capability Category II or higher, or
2. A justification discussing why not meeting SR DA C10, or meeting SR DA C10 at Capability Category I, is sufficient for this application.

PSEG Response:

The initial response that was provided was in error, since it dealt with a response to a different F&O.

Surveillance tests and their frequency were used to determine the number of demands for determining plant specific operating experience for updating generic data that was used for risk significant components modeled in the PRA. For capability category II to be met for PRA Standard Supporting Requirement DA D1, it requires that realistic parameter estimates be made for significant basic events based on relevant plant specific evidence. It is the number of surveillance tests that is a part of this exercise in determining more realistic parameter estimates. Specifically, the response to APLA RAI 2 shows that the number of demands were determined based on the number of functional tests for the component of interest (see Table RAI 2 3), which were determined based on configuration risk management schedules in support of 10 CFR 50.65(a)(4) planning and interviews with work control personnel at the Salem plant.

This information was necessary for the Bayesian updating process in which the denominator of for the generic demand failure probability is updated with this plant specific information.

Therefore, this F&O has been addressed and Supporting Requirement DA C10 is considered to be met at Capability Category II. In addition, this particular issue does not have a noticeable impact on this application associated with extending the CFCU Technical Specification AOT.

APLARAI5 Section 2.3.2 of RG 1.177 states that, as a minimum, the licensee should perform evaluations of core damage frequency (CDF) and large early release frequency (LERF) to support any risk

informed changes to the TSs. The licensee used its base PRA to evaluate the change in CDF (i.e., Level 1 PRA) and LERF associated with the AOT extension. As part of its application, the licensee included F&O tables indicating the Capability Category and any associated F&Os for each applicable SR. However, these tables only included applicable SRs associated with the Level I portion of the PRA. These tables did not include a disposition of SRs associated with

LR N17 0263

28

LERF. Specifically, SRs LE A1 through LE G6. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. Provide all F&Os characterized as findings from the peer review of the internal events, Level 2 PRA. For each F&O, include details of its disposition or why not meeting the corresponding Capability Category II requirements has no impact on the application.

Specifically, SRs LE A1 through LE G6, or

2. A detailed justification discussing why no peer review of the SRs associated with LERF is acceptable for this application.

PSEG Response:

The table of LERF F&Os was inadvertently omitted and is provided below in Table RAI 5 1:

LR N17 0263

29

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE A1 LE A1 SR Met Level 2 Analysis notebook, SA PRA 015, Section 2 addresses those physical characteristics at the time of core damage that can influence LERF.

N/A LE A2 LE A2 SR Met Level 2 Analysis notebook, SA PRA 015, Appendix A addresses accident sequence characteristics at the time of core damage that can influence LERF.

N/A LE A3 LE A3 SR Met Level 2 Analysis notebook, SA PRA 015, Appendix A addresses those adjustments needed between the Level 1 event trees and the containment event trees.

N/A LE A4 LE A4 SR Met Level 2 Analysis notebook, SA PRA 015, Appendix A addresses those adjustments needed between the Level 1 event trees and the containment event trees.

N/A LE A5 LE A5 SR Met Level 2 Analysis notebook, SA PRA 015, Appendix A defines the plant damage state groupings in Section 3.

N/A LE B1 LE B1 SR Met:

(CC II)

Level 2 Analysis notebook, SA PRA 015, Sections 1 and 2 discuss unique plant issues and LERF contributors. The issues identified in Table 4.5.9 3 are addressed with the exception of in

vessel recovery which is not credited.

N/A

LR N17 0263

30

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE B2 LE B2 SR Met:

(CC I)

LE B2 01 Analysis does address challenges, but plant

specific analyses are treated in a conservative manner.

Category II for LE B2 says "using applicable generic or plant specific analyses for significant containment challenges", while conservative analyses can be used for non significant challenges. Conservative analyses were not used for significant challenges, though they were used for initial categorization. MAAP analyses and plant specific analyses were used to support the final LERF contributors. Use of plant specific parameters, such as containment fragility, are documented in the Level 2 Analysis Notebook (SA

PRA 015). Section 2.0 of SA PRA 015 states that in order to assess the accident progression following a core damage event, the Level 2 analysis used a containment event tree shown in Figure 2 1 of SA PRA 015 to determine the type of release, if any. Each node in the event tree is based on plant specific Salem parameters, recent accident progression research, and other Salem

specific analyses. Where applicable, the documentation was updated to emphasize realistic, plant specific analyses. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE B3 LE B3 SR Met:

(CC II)

MAAP analyses using plant specific inputs performed, but utilized in a somewhat conservative manner.

N/A

LR N17 0263

31

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE C1 LE C1 SR Met:

(CC I)

LE C1 01 Analysis of non LERF or analysis of factors contributing to non LERF was not addressed.

A discussion of LERF and its definition were added to the Level 2 Notebook (SA PRA 015) in order to explain how LERF and non LERF designations were developed and assigned. Specifically, Section 5.0 of this notebook defines the major release categories that were evaluated:

INTACT - Containment structure and function succeed and prevent a large or late release of fission products.

LATE - Containment failure occurs, but is considered late because of a significant time delay between core damage and containment failure.

LERF - Containment failure occurs early in the scenario. Early releases are defined as those releases that occur within a short time following core damage, such that adequate evacuation time is not available to protect the public from prompt health effects.

SERF - Containment is bypassed, such as due to an initiating steam generator tube rupture, but successful filling of the steam generator scrubs the release to reduce it to a small magnitude.

LR N17 0263

32

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE C2 LE C2a SR Met:

(CC I)

LE C2a 01 Screening values appear to have been used for containment isolation actions. No operator actions are directly called out in the containment event tree.

Of the human error probabilities (HEPs) that were associated with containment isolation actions, only SJS XHE FO MANAC (Operator fails to open or close valves per EOPs) was found to exceed the criteria for risk significance, and the failure probability was evaluated in detail (not a screening value) in the SA115A PRA model. There were only two HEPs that were found to be risk significant in the SA115A model, i.e., time critical operator actions. They were AFS XHE FO REC1 (Operator failure to close AFW discharge valves locally) and ISL XHE VD1 (Operator fails to isolate RHR to avoid ISLOCA). These HEPs are both documented in Appendix F of the HRA Notebook (SA PRA 004) and will require a detailed evaluation as part of a future scheduled PRA update. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

33

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE C3 LE C2b SR Met:

(CC I)

LE C2b 01 Repair of failed equipment is not addressed in the Level 2 Analysis notebook, SA PRA 015.

The Quantification Notebook (SA PRA 014) discussed some of the dominant initiators that lead to LERF in Appendix H where pre emptive actions could be taken to reduce the impact to LERF, e.g.,

installation of door sweeps to reduce the flow of water into the 230/460 VAC switchgear rooms due to internal floods. In general, it was decided that no credit for repair of failed equipment was necessary for LERF scenarios. That is, other than the possibility for recovery of offsite power for station blackout events, no repair of failed equipment was directly credited or modeled in the SA115A model for mitigation of LERF sequences.

In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

34

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE C4 LE C3 SR Met:

(CC I)

LE C3 01 Fission product scrubbing and mitigating actions by plant staff are not addressed.

Since the time of the peer review, potential scrubbing of SGTR releases was added to the PRA model. In addition, text was added to the Level 2 Analysis Notebook (SA PRA 015) to describe mitigating actions and beneficial failures that are modeled. Even without operator action, some scrubbing does occur in the thermal

hydraulic modeling of SGTRs, if applicable, such as in release category LERF SGTR AFW, which represents sequences caused by a steam generator tube rupture that have successful operation of auxiliary feedwater. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE C5 LE C4 SR Met:

(CC II)

Realistic generic success criteria appear to have been used.

N/A LE C6 LE C5 SR Met N/A LE C7 LE C6 SR Met N/A LE C8 LE C7 SR Met One top model.

N/A LE C9 LE C8a SR Not Met LE C8a 01 No discussion provided in the documentation related to environment.

Since there was no credit given in the SA115A PRA model for equipment survivability or human actions under adverse environments, there was no need to justify any type of credit. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

35

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE C10 LE C8b SR Met:

(CC I)

LE C8a 01 No analysis provided.

N/A LE C11 LE C9a SR Met:

(CC I)

LE C8a 01 No credit taken.

N/A LE C12 LE C9b SR Met:

(CC I)

LE C8a 01 N/A LE C13 LE C10 SR Met:

(CC I)

LE C3 01 Section 2 notes that credit is not taken for scrubbing of SGTR damage scenarios.

N/A LE D1 LE D1a SR Met:

(CC I)

LE D1a 01 Early containment loads are addressed using NUREG information.

The Cat II SR requires "a realistic containment capacity analysis for the significant containment challenges" and "a conservative or a combination of conservative and realistic evaluation of containment capacity for nonsignificant containment challenges." In the Salem Level 2 analysis, early containment failure is not a significant contributor, therefore conservative or a combination of realistic and conservative evaluations are acceptable. The early containment failure probabilities from the NUREGs are based on plant specific analysis or generic analysis that is adjusted to be applicable to Salem. Also, a Salem specific containment structural evaluation and failure characterization that had been performed for a previous revision of the PRA was used in the SA115A Level 2 analysis due still being applicable. Therefore, no further work is necessary to comply with Category II of LE D1. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

36

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE D2 LE D1b SR Not Met LE D1b 01 No analysis for penetrations, hatches, seals Section 2.2 of the Success Criteria Notebook (SA

PRA 003) now references the evaluation of penetrations, hatches and seals for containment, which is documented in calculation S C.ZZ NEE

0686, Probabilistic Engineering Evaluation of Salem Units 1 and 2 Containment Performance for Beyond Design Basis Conditions. This calculation determined that hatches and seals were evaluated and found to have a higher pressure capacity than the meridional membrane capacity of the dome that proved to be the limiting failure location of the containment vessel. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE D3 LE D2 SR Not Applicable N/A LE D4 LE D3 SR Met:

(CC II)

N/A LE D5 LE D4 SR Met:

(CC II)

N/A LE D6 LE D5 SR Met:

(CC II)

N/A

LR N17 0263

37

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE D7 LE D6 SR Not Met LE D6 01 The CI model (SA PRA 005.07) does not provide sufficient information and does not address potential failures due to air locks or other locations.

The Containment Isolation System Notebook (SA

PRA 005.0007) now provides a set of criteria to determine whether containment penetrations should be modeled for their safety significance in the PRA, such as size of line, number of valve isolations, etc. The Success Criteria Notebook (SA PRA 003) in Section 2.2 states that containment penetrations, hatches and seals were also evaluated and found to have a higher pressure capacity than the meridional membrane capacity of the dome that proved to be the limiting failure location. The basis for this statement is found in PSEG document S C ZZ NEE 0686 (Probabilistic Engineering Evaluation of Salem Units 1 and 2 Containment Performance for Beyond Design Basis Conditions). In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE E1 LE E1 SR Met Appropriate SSC and HFE values are utilized.

N/A LE E2 LE E2 SR Met:

(CC I)

LE D1a 01 The LERF analysis makes heavy use of the NUREG documents.

See the F&O response for the 2009 SR LE D1, since both F&Os are related to the same issue.

LR N17 0263

38

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE E3 LE E3 SR Met:

(CC I)

LE D1a 01 Early containment failures, bypass sequences, and isolation failures are designated as LERF contributors.

The Level 2 Analysis Notebook (SA PRA 015) explains in detail those accident sequences that satisfy the definition for LERF, and are listed in Table 7 1, which defines the type of accident sequence and initiating event that is involved. To satisfy this F&O, more detail was given in this section of SA PRA 015 that better explains what accident progression sequences can lead to LERF.

In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LE E4 LE E4 SR Met QU B3 01 LERF is quantified consistent with the applicable requirements. A minor issue related to truncation limit is identified in QU B3 01.

N/A LE F1 LE F1a SR Met:

(CC II/III)

Table 8 2 of the Salem PRA Level 2 Analysis Notebook shows the calculated results for the detailed release categories.

N/A

LR N17 0263

39

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE F2 LE F1b SR Not Met LE F1b 01 Other than verifying that the sum of the three end states (INTACT, LATE and LERF) is approximately equal to the core damage frequency, no checks on the reasonableness of the LERF contributors is documented.

A summary of the Level 2 results is provided in Appendix H of the Quantification Notebook (SA

PRA 014). The comparison to the value for CDF was discussed, in which it was noted that the direct sum of the four major Level 2 endstates (INTACT, LERF, SERF, and LATE), which was 9.5E 06/yr, is a little more than the calculation of CDF at 8.4E

6/yr for the SA115A PRA model. This is due to summation of low probability sequences below the truncation threshold used for the quantification of CDF and the inclusion of non minimal Level 1 sequences in the summation of the Level 2 release categories. In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O..

N/A LE F2 SR Met:

(CC I)

SC C3 02 Bounding assumptions are identified in the documentation. Sources of uncertainty are addressed in a draft evaluation using guidance from draft EPRI report, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments." No documentation of sensitivity studies was found.

See the F&O response for the 2009 SR LE G4, since both F&Os are related to the same issue.

LE F3 LE F3 SR Not Met LE F3 01 LERF uncertainties are not characterized consistent with the requirements in Tables 4.5.8

2(d) and 4.5.8 2(e).

The uncertainty associated with LERF was addressed in the Salem PRA Uncertainty Notebook (SA PRA 018), with the results being presented in Section 5.1.2.1 In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

40

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE G1 LE G1 SR Met The LERF analysis documentation appears to be adequate for supporting PRA applications, upgrades, and peer review.

N/A LE G2 LE G2 SR Met The LERF notebook documents the process used to arrive at the LERF estimates.

N/A LE G3 LE G3 SR Met:

(CC II/III)

Table 8 2 of the Salem PRA Level 2 Analysis Notebook shows the calculated results for the detailed release categories.

N/A LE G4 LE G4 SR Not Met SC C3 01, SC C3 02 Assumptions are embedded in the documentation rather than captured in a specific section. Sources of uncertainty are addressed in a draft evaluation using guidance from draft EPRI report, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments."

No documentation of sensitivity studies was found.

This issue has no impact on the quality of the PRA and is only meant to aid reviewers in identifying what assumptions were made during development of the Success Criteria Notebook (SA PRA 003).

Each PRA System Notebook (SA PRA 005.0001

.0020) now has a section that lists assumptions that were made as part of the systems analysis.

Also, the Uncertainty Notebook (SA PRA 018) was officially issued and includes a section on model uncertainty and references both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty In addition, since the functional loss of CFCUs can only lead to LATE sequences rather than LERF, the results of this application associated with extending the CFCU Technical Specification AOT are not sensitive to this F&O.

LR N17 0263

41

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE G5 LE G5 SR Not Met LE G5 01 Limitations in the LERF analysis that would impact applications are not documented.

Appendix A of the Uncertainty Notebook (SA PRA

018) discusses model uncertainty issues and plant specific issue characterizations that can be extended to identification of impacts on various risk applications. For example, the treatment of core melt arrest in vessel has been limited. However, recent NRC work has indicated that there may be more potential than previously credited. For this particular issue, Salem has taken the approach that no credit will be given for recovery of core cooling following core damage and prior to reactor vessel failures. In other words, all core damage sequences proceed to vessel failure. Although this issue could provide an impact to certain applications related to Level 2 release categories, this particular LAR dealing with extending the Technical Specification AOT for CFCU unavailability is relatively unimportant with regard to LERF.

LR N17 0263

42

Table RAI51 Assessment Of Supporting Requirement Capability Categories For LERF RASa

2009 SR #

RASb

2005 SR #

Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE G6 LE G6 SR Not Met LE G6 01 A definition for significant accident progression sequence is not documented.

A significant accident progression sequence is one of the set of accident sequences contributing to large early release frequency resulting from the analysis of a specific hazard group that, when rank ordered by decreasing frequency, sum to a specified percentage of the large early release frequency, or that individually contribute more than a specified percentage of large early release frequency for that hazard group. Specifically, the summed percentage is 95% and the individual percentage is 1% of the applicable hazard group.

The dominant accident sequences that contribute to LERF are listed and described in Section D of the Quantification Notebook (SA PRA 014), and the relative contribution to LERF for each of the modeled initiating events is listed in Appendix F of SA PRA 014. Since this is a documentation issue, it has no impact on the results for this LAR dealing with extending the Technical Specification AOT for CFCU unavailability.

LR N17 0263

43

APLARAI6 Supporting requirement IFSN A7 of ASME/ANS RA Sa 2009 specifies that for the SR to be met, the licensee, in applying SR IFSN A6 to determine susceptibility of SSCs to flood induced failure mechanisms, should credit the operability of SSCs identified in SR IFSN A5 with respect to internal flood impacts only if supported by an appropriate combination of: (a) test or operational data; (b) engineering analysis; and (c) expert judgment. The associated F&O in Table 4 8 of Enclosure 1 of the LAR indicated that the licensees basis that walkdown observations revealed air operated valves (AOVs) and motor operated valves (MOVs) were of a robust design that would exclude them from being susceptible to water damage for spray scenarios was insufficient for determining susceptibility of these components to flood induced failure mechanisms per this SR. The licensees resolution stated that the robustness of AOVs and MOVs with regard to spray scenarios was an informed judgment based on empirical observation and reinforced by a paper presented at the PSA 2008 ANS conference by J. Lin, and that water spray does not generally prevent AOVs and MOVs from operating, and although it may remotely be possible, the most likely result is that it will not. The licensees resolution still does not present an adequate justification supported by an appropriate combination of test or operational data, engineering analysis, and expert judgment. The information supplied by the licensee in the F&O table for this SR is not sufficient for the staff to determine if the indicated resolution appropriately addresses the open F&O. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in risk informed applications.

Please provide one of the following:

1. An adequate justification, including any supporting documentation, that describes clearly the link between the observed robustness of the valves and the empirical information from test or operational data and/or engineering analysis that would lead expert judgment to conclude that the observed robustness is sufficient to preclude failure from spray flooding, or
2. A justification discussing why not meeting SR IFSN A7 is acceptable for this application.

PSEG Response:

PSEG did a supplemental analysis of the PRA results to determine which valves could potentially affect the decision in this LAR. The Containment Spray recirculation valves (CS36 -

one per train) were identified as the most important valves, so a quantitative bounding risk analysis was performed. These and other potentially important valves were walked down to evaluate the potential effects of spray. No potential vulnerabilities to spray events were found, resulting in no additional increase in risk.

The supplemental analysis is an expansion of the analysis described in Section 5.2 of the LAR risk analysis, focusing on spray scenarios. Potentially significant AOVs and MOVs were identified by looking at the cutsets that contribute to the risk increase associated with the AOT extension for CFCUs. As described in the LAR, the CAFTA DELTERM function was used.

Valves that fail to the required position to support recirculation were eliminated from further analysis.

In addition to the above bounding risk analysis, PSEG did a supplemental internal flood walkdown to analyze the vulnerabilities to spray events that could affect the conclusions of this LAR. As expected, the most important valves were the containment spray valves (CS36), which

LR N17 0263

44

were analyzed above in this response. Additionally, the next echelon of potentially important valves were identified by inspecting the cutsets and importance measures.

Risk Analysis of the CS36 Valves in Spray Scenarios A walkdown was performed by station personnel for the CS36 valves, which support operation of containment sprays during the recirculation phase of operation in which water collected in the reactor containment sump is sent through the Residual Heat Removal (RHR) pumps and heat exchangers before being discharged to the spray nozzles inside containment. Containment sprays can be used to mitigate the increase in containment pressure during a LOCA event.

Because the Containment Spray System (CSS) is another means of containment pressure control and is redundant to CFCUs, these motor operated valves (MOVs) become risk

significant when two CFCUs are made unavailable due to maintenance. With regard to spray scenarios, there was no evidence found that a single spray scenario from any one source of water would be able to disable both valves. This is due to the physical separation between the two valves and the presence of walls and other barriers that would prevent damage to both MOVs from any single spray source. Figure RAI 6 1 shows a photograph of one of these CS36 valves, illustrating the robust design of MOV motor operators that employ threaded electrical connections, which would resist any water intrusion from a spray of water. In addition, these particular valves were identified to be Environmentally Qualified (EQ) to withstand any harsh environmental conditions that might be encountered from a design basis event. Internal flood scenarios typically involve moderate energy line break scenarios, such that the environmental conditions during a spray event would be less severe than for a design basis event that would result in higher humidity and temperatures.

FIGURE RAI61 PICTURE OF MOV 11CS36 - CONTAINMENT SPRAY DISCHARGE VALVE FROM RHR PUMPS

LR N17 0263

45

However, in an effort to show the sensitivity associated with failing air operated valves (AOVs) and motor operated valves (MOVs) for spray scenarios, the risk significant flood area of interest (flood area MP 078) was analyzed assuming that all water sources in this area were responsible for causing spray damage to the AOVs and MOVs contained within this area. Figure 3 1 of risk application SA LAR 010, which was part of the supplemental information submitted in May 2017, showed that internal flood submergence scenarios were responsible for about 7.6% of the change in risk associated with the CFCU AOT extension.

The SA115A PRA model was chosen for this sensitivity analysis, which made use of the same configuration changes explained in Section 3.4.3 of the original risk application (SA LAR 007)

[Reference 4]. Table RAI 6 1 shows that when this spray scenario is included, the change in risk is still minimal:

Table RAI61 Quantitative Results of the Risk Metrics for Concurrent Unavailability of Two CFCUS (INCLUDES SPRAY SCENARIO THAT FAILS ALL AOVS AND MOVS IN FLOOD AREA MP078A)

Parameter Value Comments TCYCLE 547.5 days Based on 18 month refueling cycle TCFCU 14 days Number of days that two CFCUs are unavailable CDFCFCU 8.80E 06 CDF based on application of flag file for two unavailable CFCUs and adjusted CCF term LERFCFCU 4.66E 07 LERF based on application of flag file for two unavailable CFCUs and adjusted CCF term CDFBASE 8.38E 06 CDF for PRA MOR LERFBASE 4.66E 07 LERF for PRA MOR CDFAVE 8.41E 06 Average CDF over one 18 month refueling cycle for three instances of dual CFCU unavailability for 14 days at a time LERFAVE 4.66E 07 Average LERF over one 18 month refueling cycle for three instances of dual CFCU unavailability for 14 days at a time CDF 3.17E 08 Difference between CDF with current technical specifications and the CDF for an average 18 month cycle with three instances of concurrent unavailability of two CFCUs extended to 14 days This value is below Region III of RG 1.174 LERF 3.62E 11 Difference between LERF with current technical specifications and the LERF for an average 18 month cycle with three instances of concurrent unavailability of two CFCUs extended to 14 days This value is well below Region III of RG 1.174 ICCDPCFCU 1.58E 08 Below 1E 06 Acceptance Guideline of RG 1.177 ICLERPCFCU 1.81E 11 Below 1E 07 Acceptance Guideline of RG 1.177

LR N17 0263

46

Analysis of Other Valves Potentially Vulnerable to Spray:

The following valves modeled in the PRA that exhibited a Risk Achievement Worth (RAW) greater than 2.0 were included in the supplemental walkdowns, and are listed below in Table RAI 6 2:

Table RAI62 AOVs and MOVS Identified for Supplemental Walkdowns Valve Type Flood Area CC16 MOV AB 055 CC16 MOV AB 055 DR6 AOV AB 084 C 1AF21 AOV AB 084 C 2AF21 AOV AB 084 C 3AF21 AOV AB 084 C 4AF21 AOV AB 084 C Plant walkdowns were conducted to identify the location and configuration of the valves listed in Table RAI 6 2. The walkdowns were conducted by experienced engineers and PRA internal flooding analysts, and the results will be added to the internal flooding PRA documentation during the next Salem PRA update.

LR N17 0263

47

The 21CC16 and 22CC16 MOVs were physically separated from each other such that any one spray scenario would not disable both valves. These are Component Cooling Water valves that are located on the discharge side of the Residual Heat Removal (RHR) heat exchangers.

Additionally, all piping within the vicinity of these valves was insulated and encapsulated with metal lagging, which serves to prevent a spray of water from wetting components located at a distance. Figure RAI 6 2 shows a photograph of valve 22CC16, which shows the robust design of the MOV with no opening for water ingress, and the surrounding lagged piping.

FIGURE RAI62 PICTURE OF MOV 22CC16 - RHR HEAT EXCHANGER CCW OUTLET VALVE

LR N17 0263

48

The 1DR6 valve is the valve used to refill the Auxiliary Feedwater Storage Tank (AFWST) with water from the Demineralized Water storage tanks after approximately 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> of Auxiliary Feedwater (AFW) pump operation before it empties. Figure RAI 6 3 shows the robust design of this valve with no vulnerabilities that would allow a spray of water to disable the function of this valve. Additionally, the solenoid valve that ports the flow of air to the diaphragm of the valve operator is physically located in a separate location of the plant within a closed cabinet sealed with a gasket. The visible electrical connection on top of the valve provides for remote indication of valve position, and is a well sealed threaded connection that would protect against water intrusion from a nearby spray source.

FIGURE RAI63 PICTURE OF AOV 1DR6 - REFILL VALVE FOR AFWST

LR N17 0263

49

The AF21 valves are the flow control valves on the discharge side of the motor driven AFW pumps. Figure RAI 6 4 shows a photograph of one of these valves (AOV 23AF21), which illustrates its robust design that would be impervious to a spray of water from a nearby pipe rupture. The threaded electrical connection on one of the AF21 valves that provides for remote valve position indication is more clearly seen in Figure RAI 6 5, which clearly shows its resistance to water ingress from a spray of water.

FIGURE RAI64 PICTURE OF AOV 23AF21 - AFW DISCHARGE FLOW CONTROL VALVE

LR N17 0263

50

FIGURE RAI65 PICTURE OF THREADED ELECTRICAL CONNECTION ON AF21 VALVE FOR REMOTE INDICATION OF VALVE POSITION Conclusion The analysis and walkdowns were performed in accordance with IFSN A7 of the PRA standard

[Reference 1], which allows an appropriate combination of test or operational data, engineering analysis and expert judgement. This analysis and walkdown validated the conclusions in the paper presented at the PSA 2008 ANS conference by J. Lin, and is applicable to the Salem plant. The observed AOVs and MOVs are not susceptible to internal flood spray effects, and even if they were, the risk increase would not be significant. Therefore, the Salem PRA adequately models internal flood spray scenarios with respect to their effect on CFCU related scenarios quantified in support of this LAR.

APLARAI7 Regulatory Position 2.1 of RG 1.200, Revision 2 states that if a licensee demonstrates that the parts of a PRA that are used to support an application comply with the ASME/ANS PRA standard, when supplemented to account for the staffs regulatory positions contained in Appendix A, the NRC would considered the PRA to be adequate to support the applicable risk

informed regulatory application. In Section 4.1.3 of Enclosure 1 of the LAR, the licensee stated

LR N17 0263

51

that it performed a gap assessment against the NRC clarifications in Appendix A of RG 1.200, Revision 2 with regard to the ASME standard, RA Sa 2009. The licensee provides the results of the gap assessment in Table 4 11 of Enclosure 1. However, Table 4 11 only includes the assessment of NRC regulatory positions for three SRs. The information supplied by the licensee in Table 4 11 is not sufficient for the staff to determine if the licensee supplemented appropriately ASME/ANS RA Sa 2009 to account for the staffs regulatory positions contained in Appendix A of RG 1.200. As a result, the staff cannot make a determination on the technical acceptability of the licensees PRA for use in this risk informed application.

Please provide one of the following:

1. A gap assessment of all regulatory positions contained in Appendix A of RG 1.200 for the applicable hazards. The assessment should include a disposition of all clarifications and qualifications (i.e., not limited just to SRs) for the applicable hazards, or
2. A justification discussing why the requested gap assessment is not necessary.

PSEG Response:

A comparison table (Table RAI 7 1) was constructed to denote the differences between Revision 1 and 2 of NRC Regulatory Guide (RG) 1.200. In particular, this comparison focused on any new information that was contained in Revision 2 that was either changed or non

existent in Revision 1. A disposition is offered in Table RAI 7 1 for each noted difference to explain how compliance with the ASME PRA Standard [Reference 1] was maintained in going from Revision 1 to Revision 2. By definition, if there was no difference with any of the clarifications or qualifications between Revision 1 and Revision 2 of RG 1.200, then the peer review of the PRA model [Reference 7] would have already addressed these items and not require any additional assessment for this RAI response. The yellow highlighting is provided as a visual aid to help the reader identify the differences noted between Revisions 1 and 2 of RG 1.200.

In performing this exercise, there were no instances found where differences in the clarifications between Rev. 1 and Rev. 2 of RG 1.200 would have necessitated a change to the PRA model or documentation. Additionally, there were no differences in any of the qualifications between Rev. 1 and Rev. 2 of RG 1.200. Because of this, only clarifications are listed in Table RAI 7 1.

LR N17 0263

52

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 3.5 Use of the word significant should match definitions provided in Section 2.2.

2nd paragraph:

If the PRA does not satisfy a SR for the appropriate Capability Category, then determine if the difference is relevant or significantU. Acceptable requirements for determining the significance of this difference differences include the following:

(a) The difference is not relevant if it is not applicable or does not affect the quantificationU.

(b) The difference is not significant if the mModeled accident sequences accounting for at least 90% of CDF/LERF, as applicableU.

These determinations Determination of significance will dependU.

If the difference is not relevant or significant, then the PRA is acceptable for the application. If the difference is relevant or significant, thenU.

This is only a change in the definition for significance for the sake of consistency and has no impact on the conformance of the SA115A PRA model to RG 1.200, Rev. 2.

Rev 2 1 3.5, 2nd Paragraph Use of the word significant should match definitions provided in Section 2.2.

(b) The difference is not significant if the modeled accident sequences accounting for at least 90% 95% of CDF/LERF for the hazard group U.

Rev. 2 only Figure 1 3 1 See staff proposed resolution for Section 1

1.4.2, text in Box 4 of Figure 1 3.1 1 needs to be modified be consistent with the text.

See in Rev. 2, Resolution Column This was a change to the flowchart depicted in Figure 1 3 1 in order to be consistent with the descriptive text. There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 1 4.3.3 The use of the word should does not provide a minimum requirement.

UThe PRA analysis team shall should use outside experts, even whenU.

There is essentially no difference in the intent of this clarification between Rev. 1 and Rev. 2 of RG 1.200.

Rev 2 1 4.3.3, 2nd Paragraph The intent of this statement/requirement is for the use of outside expert, as such the use of the word should does not provide a minimum requirement.

UThe PRA analysis team shall should use outside experts, even whenU.

LR N17 0263

53

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 6.1 The purpose, as written, implies that it is solely an audit against the requirements of Section 4. A key objective of the peer review is to ensure when evaluating the PRA against the requirements in Section 4, the quality (i.e.,

strengths and weaknesses) of the PRA; this goal is to be clearly understood by the peer review team.

See the issue discussed on definition of Accident sequence, dominant.

UThe peer review shall assess the PRA to the extent necessary to determine if the methodology and its implementation meet the requirements of this Standard to determine the strengths and weaknesses in the PRA. Therefore, the peer review shall also assess the appropriateness of the assumptions. The peer review need not assessU.

This clarification for RG 1.200, Rev. 2, provides more specific guidance with regard to how the peer review team should conduct their review in order to ascertain conformance with the Supporting Requirements of the Standard. There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 1 6.1 The purpose, as written, implies that it is solely an audit against the requirements of Section 4.

A key objective of the peer review is to ensure when evaluating the PRA against the technical requirements, the quality (i.e., strengths and weaknesses) of the PRA; this goal is to be clearly understood by the peer review team.

Further, the statement that the peer review need not assess all aspects of the PRA against all requirements could be taken to imply that some of the requirements could be skipped.

Uanother purpose of the peer review is to determine the strengths and weaknesses in the PRA. Therefore, the peer review shall also assess the appropriateness of the assumptions. The peer review need not assess all aspects of the PRA against all requirements in the Technical Requirements Section of each respective Part of this Standard; however, enough aspects of the PRA shall be reviewed for the reviewers to achieve consensus on the assessment of each applicable supporting requirement, as well as on the adequacy of methodologies and their implementation for each PRA Element.

LR N17 0263

54

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 IE A4a Initiating events from common cause or from both routine and non routine system alignments should be considered.

Cat II and III:

Uresulting from multiple failures; if the equipment failures result from a common cause, and from routine system alignments resulting from preventive and corrective maintenance.

This clarification provides a more specific description of routine system alignments that can arise due to different plant maintenance configurations. There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 IE A6 Initiating events from common cause or from both routine and non routine system alignments should be considered.

Cat II:

Uresulting from multiple failures; if the equipment failures result from a common cause, and or from routine system alignments resulting from preventive and corrective maintenance.

Cat III:

Uresulting from multiple failures, including equipment failures resulting from random and common causes, and or from routine system alignments resulting from preventive and corrective maintenance.

Rev 1 IE C10 Providing a list of generic data sources would be consistent with other SRs related to data.

COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonable check of the results.

An example of an acceptable generic data sources is NUREG/CR5750 [Note (1)].

The additional clarification given in RG 1.200, Rev. 2, was merely meant to provide a suggested generic reference against which PRA initiating events and their frequencies may be compared. This clarification has no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 IE C12 Providing a list of generic data sources would be consistent with other SRs related to data.

COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonable check of the results.

An example of an acceptable generic data sources is NUREG/CR6928 [Note (1)].

LR N17 0263

55

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 HR D3 Add examples for what is meant by quality in items (a) and (b) of Cat II, III.

Cat II, III:

(a) the quality (including format, logical structure, ease of use, clarity, and comprehensiveness) of written procedures and the quality (e.g., configuration control process, technical review process, training processes, and management emphasis on adherence to procedures) of administrative controls (for independent review)

(b) the quality (e.g., adherence to human factors guidelines [Note (3)] and results of any quantitative evaluations of performance per functional requirements) of the human machine interface, including both the equipment configuration, and instrumentation and control layout This clarification is only meant to properly document the reference to Note 3. There is no impact on the conformance of the SA115A PRA model to RG 1.200, Rev. 2.

Rev 2 HR D3 Add examples for what is meant by quality in items (a) and (b) of Cat II, III.

Cat II, III:

(a) the quality (e.g., format, logical structure, ease of use, clarity, and comprehensiveness) of written procedures (for performing tasks) and the type of administrative controls that support independent review (e.g.,

configuration control process, technical review process, training processes, and management emphasis on adherence to procedures). of administrative controls (for independent review)

(b) the quality of the human machine interface (e.g., adherence to human factors guidelines [Note (3)] and results of any quantitative evaluations of performance per functional requirements), including both the equipment configuration, and instrumentation and control layout (3) NUREG0700, Rev. 2, Human

System Interface Design Review Guidelines; J.M. OHara, W.S. Brown, P.M. Lewis, and J.J. Persensky, May 2002.

LR N17 0263

56

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 HR D4 thru HR D7



The SA115A PRA model does report HEP values based on their mean point estimates as provided by the HRA Calculator software.

As such, there is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 HR D6 This SR should be written similarly to HR G9 PROVIDE an assessment of the uncertainty in the U. point estimates of HEPs. CHARACTERIZE the uncertainty in the estimates of the HEPs consistent with the quantification approach, and PROVIDE mean values for use in the quantification of the PRA results.

Rev 1 QU A3, QU A4



The state of knowledge correlation is accounted for in the PRA model by grouping similar components, e.g., MOVs, pumps, etc., by their specific system, such that all components within that system would be correlated during uncertainty calculations.

As such, there is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 QU A3 The state of knowledge correlation should be accounted for all event probabilities. Left to the analyst to determine the extent of the events to be correlated. Need to also acknowledge LERF quantification Cat I:

ESTIMATE the point estimate CDF (and LERF)

Cat II:

ESTIMATE the mean CDF (and LERF),

accounting for the state of knowledge correlation between event probabilities when significant (see NOTE 1).

Cat III:

CALCULATE the mean CDF (and LERF) by U Rev 1 QU B1 thru QU B9



Both CDF and LERF are quantified using the PRA model. There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 QU B6 Need to acknowledge LERF quantification ACCOUNT for U realistic estimation of CDF or LERF. This accounting U

LR N17 0263

57

Table RAI71 Disposition of Clarifications between Revisions 1 and 2 of NRC Regulatory Guide 1.200 Updates

/Changes RG 1.200 Index Issue Resolution from RG 1.200 PSEG Disposition Rev 1 QU E4 Understanding of the model uncertainties and assumptions is an essential aspect of uncertainty analysis. In addition, all the sources of uncertainty and assumptions that can impact the risk profile of the base PRA need to be assessed; see definition of key source of uncertainty for definition of source of uncertainty.

Cat I:

PROVIDE an assessment of the impact of the key model uncertainties and assumptions on the results of the PRA.

Cat II:

EVALUATE the sensitivity of the results to key model uncertainties....

Cat III:

EVALUATE the sensitivity of the results to uncertain model boundary conditions and other key assumptions using...

This is an editorial change that corrects a reference to a note that is not applicable.

There is no impact on the conformance of the PRA model to RG 1.200, Rev. 2.

Rev 2 QU E4 The note has no relevance to the base model and could cause confusion; it should be deleted.

For each source of model uncertainty U introduction of a new initiating event)

[Note (1)].

NOTE: For specific applications, U And in logical combinations.

Rev 1 LE G1 thru LE G3, LE G5, LE G6



Sensitivity studies are not required for LERF.

In addition, this specific LAR is not sensitive to LERF results since CFCUs are more likely to result in Late releases as opposed to large early releases.

LR N17 0263

58

APLARAI8 In accordance with RGs 1.174 and 1.177, the licensee provided a qualitative evaluation of the change in risk associated with the AOT extension for internal fires and seismic hazards using insights gained for the internal events and flooding PRA models. In its letter dated May 4, 2017 (ADAMS Accession No. ML17125A051), the licensee provided supplemental information about the qualitative evaluation to the NRC.

The licensees letter stated that the bases for the qualitative evaluations, described in the enclosure to the letter, rely in part on the Salem Full Power Internal Events (FPIE) PRA model of record (MOR). The licensee stated that the model of record used was developed and peer reviewed consistent with the ASME PRA Standard as endorsed by RG 1.200 and that the result of the FPIE PRA reviews, including the applicability of peer review F&Os, was provided in Section 4.1.3 and Tables 4 1 to 4 11 in Enclosure 1 to PSEG's March 6, 2017 submittal.

However, the enclosure to the supplemental letter seems to indicate that the licensee used FPIE PRA MOR SA115A as the basis for the qualitative evaluations. According to the licensees March 6, 2017 submittal, the licensee used MOR SA112A in support of the quantitative evaluation, and the F&O information contained in Tables 4 1 to 4 11 is from the peer review of SA112A. In addition, in the March 6, 2017 submittal, the licensee stated that CFCU extended AOT evaluation was completed before MOR SA115A was finalized in December 2016.

In accordance with RG 1.200, in order for a PRA to be considered sufficient for use in support of a risk informed licensing application, a licensee needs to demonstrate the technical acceptability of the PRA through peer review against an NRC endorsed industry standard. Because the licensee is using MOR SA115A in support of a risk informed licensing action as the basis for a qualitative evaluation, the licensee needs to demonstrate the technical acceptability of the PRA in accordance with RG 1.200. The licensee has not provided the staff any information regarding the technical acceptability of SA115A in accordance with RG 1.200. As a result, the staff cannot determine if the technical acceptability of SA115A is sufficient in support of this risk informed licensing application.

Please provide one of the following:

1. Clarification on which model of record the licensee used as a basis for the qualitative evaluation of the internal fires and seismic hazard risk. If the licensee used MOR SA115A as the basis for the qualitative evaluation, then
a. Describe the changes made to the internal events PRA since the SA112A PRA model.

This description should be of sufficient detail to assess whether these changes are PRA maintenance or PRA upgrades as defined in Section 1 5.4 of the PRA Standard. Since the following may indicate a PRA upgrade, include in your discussion: any new methodologies, changes in scope that impacts the significant accident sequences or the significant accident progression sequences, changes in capability that impacts the significant accident sequences or the significant accident progression sequences.

b. Indicate, and provide justification, whether the changes described in Part 1.a are PRA maintenance or PRA upgrades as defined in Section 1 5.4 of the PRA Standard.
c. Indicate whether a focused scope peer review(s) has been performed for those PRA upgrades identified in Part 1.b. As applicable, provide a list of the F&Os from the peer

LR N17 0263

59

review(s) that do not meet the appropriate Capability Category in accordance with RG 1.200, and explain how the F&Os were dispositioned for this application. If a focused scope peer review(s) was not performed for these PRA upgrades, then provide a qualitative or quantitative evaluation (e.g., sensitivity or bounding analysis) of its effect until a focused scope peer review can be completed, or

1) A justification describing why demonstrating the technical acceptability of MOR SA115A is not necessary for use in support of this risk informed licensing application, or
2) The results of the qualitative evaluations using the SA112A PRA as the bases.

PSEG Response:

The SA115A model was used for the qualitative supplemental analysis. None of the model changes that were made to the SA112A PRA model as part of the SA115A PRA update project constituted an upgrade as defined in the ASME PRA Standard [Reference 1]. SA115A contains no new methodologies, no changes in scope that impact the significant accident sequences and no significant accident progression sequences, no changes in capability that impact the significant accident sequences or the significant accident progression sequences. The changes were part of the normal PRA maintenance process whereby the PRA was updated to reflect plant changes, such as modifications, procedure changes, or plant performance (data).

Therefore, compliance with Regulatory Guide 1.200 [Reference 5] was maintained, and the Technical Adequacy described in Section 4 of risk application SA LAR 007 [Reference 4] is still applicable. No focused scope peer review was necessary.

The following list of major changes that were made to the SA112A model during the PRA update that resulted in the new SA115A PRA Model of Record (MOR) are listed below:


Incorporation of a plant modification that installed a fourth motor driven Auxiliary Feedwater pump that is independently powered by a separate diesel generator.


Further refinement was made to the station blackout event tree sequences to take into account use of FLEX equipment and updated loss of offsite power non recovery data from Idaho National Laboratory (INL) [Reference 3].

The minor changes that were made to the SA112A model during the SA115A Salem PRA update are listed below in Table RAI 8 1, which was taken from Appendix C of the PRA Quantification Notebook (SA PRA 014).

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 1

For spray scenarios in the SW bays, only the pumps in the affected bay would be affected by a spray scenario in that bay. This was an adjustment to the target impacts for the spray initiators %FLD SW

100 A SPR (Bay 3 pumps 14, 15, and 16) and %FLD SW 100 B SPR (Bay 1 pumps 11, 12, and 12).

2 To eliminate the additional cutset associated with failure of the operator to switch to sump recirculation following depletion of the RWST during an intermediate LOCA scenario, the combination of initiator %S1 with HEP event RHS XHE FO RECIR was added to the recovery text file (SA115AREC.TXT) to eliminate this cutset. The HEP event RHS XHE FO RECIR is only applicable to small LOCA scenarios.

LR N17 0263

60

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 3

To eliminate the additional cutset associated with failure of the operator to switch to sump recirculation following depletion of the RWST during a large LOCA scenario, the HEP event RHS

XHE FO RECR2 (OPER FAILS TO REALIGN FOR RECIRC MLOCA) was removed as an input to gate WL G1RC100, which is part of the logic associated with large LOCA accident sequences.

4 Gate GVSW200 (EXHAUST DAMPERS ON 84' AND 64' FAIL) was removed from the model since dampers CAV14 through CAV19 were all pinned open and are not subject to spurious closure. This is based on DCP 80089441 and Dwg. 228046.

5 To correct the dependency of room cooling for the AFW pumps outside the AFW turbine driven pump enclosure, gate GAMC121 (FAILURES ASSOCIATED WITH DAMPERS ABS2 AND ABS20) was removed as an input to gate GAMC120 (AFW COOLER FAN #11 (1VHE36). Gate GAMC110 (INADEQUATE COOLING BY AFW PUMP ROOM COOLER) and gate GAMC121 were placed under an OR gate (GAMC105 1) that is an input to gate GAMC105 (INADEQUATE COOLING OF 13 AFW PUMP AREA).

6 The gate G1AFWSTLVLINST (UNIT 1 AFWST LEVEL INSTRUMENTATION GROUP) was removed as an input for the logic associated with the following fire related HEPs due to the fact that instrumentation is not required to support these actions: AFS XHE FO LATE1 F, AFS XHE FO

REFILL F, and AFS XHE FO H2OLTL F. This logic change was implemented to support the Fire PRA.

7 Gate G1CTMTSUMPLVL (CONTAINMENT SUMP LEVEL INDICATION FAILS) was added under gate G I RHS XHE FO RECIR F (MODELING FOR RHS XHE FO RECIR F AND INSTRUMENTATION) with supporting logic to provide a cue to the operator preparing to realign the suction source for the RHR pumps from the RWST to the containment sump. This logic change was implemented to support the Fire PRA.

8 Gate G1049 (CV139 and CV140 do not close when required) was removed from the PRA model since the minimum flow recirculation line was not considered capable of failing the functionality of the CVC pumps to provide adequate injection capability. This was confirmed by Operations personnel during cutset reviews conducted in May 2014 at PSEG.

9 To correct a modeling deficiency associated with fire PRA logic, an OR gate (GAN1863 1) was added as an input under gate GAN1863 and gate ABFIRE002 37 was then deleted as an input under gate GAN1863. The inputs to OR gate GAN1863 1 are basic event MSS XVM OC 1MS52 and gate ABFIRE002 37 (1MS52 CLOSED DUE TO FIRE). {Fire PRA}

10 Gate GXC1100 (POWER FAIL AT 115 VAC VITAL INST BUS 1C (CIRCULAR LOGIC)) was added as an input to OR gate GXEC110 (SEC C FAIL TO TRANSMIT SIGNAL) and also to OR gate G1OC100 (NO BLACKOUT SIGNAL FROM SEC C TRAIN). Gate GXC1100 is an OR gate and is similar in logic to gate G1CB101, except that the logic used avoids circular logic associated with AC power and the emergency diesel generators.

11 The RECRBU non recovery probabilities were updated using the latest offsite power non recovery curves that were generated by Idaho National Labs (INL). The reference is: Analysis of Loss of Offsite Power Events, 2012 Update, U.S. Nuclear Regulatory Commission Website:

http://nrcoe.inl.gov/resultsdb/LOSP/, September 2013. This change item resolves URE # SA2014 13.

12 The standby flags for the ventilation switchgear exhaust fans #11 and #12 were consistently named XHOS STBY 1VE1012 and XHOS STBY 1VE1013, respectively.

13 Edited the mission time for the EDG ventilation fans to be 6.2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, which is consistent with the mission time for the emergency diesel generators.

14 Gate TDES06 was added under the AND gate TDES06X, which is an input to OR gate TDEX, in order to provide a logic pathway to the top event "CDF".

15 Annualized events within the CAFTA database were adjusted such that they are now being consistently calculated using "calculation type 3" with a mission time of 8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br />. This includes the SW pump annualized failure probability for pump 13, which was revised to be consistent with how the failure probability for pump 15 was being calculated.

LR N17 0263

61

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 16 Internal flood mitigating factors were revised for the following basic events:

FPS XHE AB 064 FLD FPS XHE AB 084 B FLD FPS XHE AB 084 B FLDD FPS XHE AB 084 B MAJ FPS XHE AB 084 B MAJD OTH XHE AB 084 C MAJ SWS XHE AB 084 D MAJD The HRA notebook details the derivation of these revised values.

17 Operator cues were added that involve failure of air header pressure switches that provide a cue in support of operator action CAS XHE FO CAE63 F. An AND gate named G1LOWAIRPRESS (FAILURE OF LOW AIR PRESSURE INDICATION) was placed under the OR gate G I CAS XHE

FO CAE63 F (MODELING FOR CAS XHE FO CAE63 F AND INSTRUMENTATION). This model logic was added specifically for the fire PRA.

18 Based on information from site personnel, the logic associated with the offsite power was deemed no longer necessary as a cue for HEP event CAS XHE FO CAE63 F. This involved removing gate DE

GDT1100 as an input to gate G CAS XHE FO CAE63 F.

19 Equivalency gates were compressed using the CAFTA fault tree editor.

20 The input to NOT gate NOT RSC G1RS100 (SUCCESS OF RSC) was changed to be the gate G1RS110 (RCP SEAL COOLING FAILS TO ANY PUMP). This was done to prevent "double

counting" of LERF cutsets in which both the transient and RCP seal LOCA sequences were being tabulated for the same initiating event, even though it was a transient event that leads to a RCP Seal LOCA. That is, the transient event tree sequence logic should no longer be satisfied when it is determined that a RCP Seal LOCA has developed.

21 The wrong value in the "FACTOR" field for basic event AC5 BKR OO AB50 (Disconnect Switch AB50 Fails to Close) was replaced with the correct integer value of 1.

22 It appears that the 125 VDC power dependency for the DR6 AOV was erroneously removed from the SA112A PRA model during the PRA update based on discussions with site personnel that led the model owner to believe that the valve fails open on loss of all dependencies. However, the valve only fails open on loss of air, but still remains closed if DC power is lost. Because of this, Gate G1A1100 (LOSS OF 125 VDC CONTROL BUS 1A) was restored as an input to gate GAN2100 (AOV 1DR6 FAILS TO OPEN).

23 The Aux. Building spray scenarios on the 84' el. (AB 084 C) were subdivided into 2 additional spray scenarios to reduce the overly conservative treatment of spray scenarios in this flood area. The two additional spray scenarios are for separate treatment of the AFW room cooler (VHE36) and the #2 CCW room cooler (VHE34). The Internal Flood PRA notebook (SA PRA 012) has been updated to account for these additional spray scenarios.

24 The logic for batteries and battery chargers was changed from all components being under a single AND gate to one in which either the battery OR both chargers have to fail in order to represent a more accurate failure model. The logic would look similar to the following structure:

G001 OR (Battery) G002 G002 AND (Charger #1) (Charger #2) (BALDOR)

BALDOR OR (BALDOR HEP) (BALDOR MECH)

As a result, the following gates were modified to accommodate this logic structure:

G1VA110 (28VDC 1ADE)

G1VA110 (28VDC 1ADE)

G1A1110, G1X5110 (125VDC Bus 1A)

G1B1110, G1B5110 (125VDC Bus 1B)

G125110, Gx15110 (125VDC Bus 1C)

These changes would affect the description in the DC system notebook.

LR N17 0263

62

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 25 The logic for room cooling of the TDAFW pump enclosure was updated to account for the operator being able to recover TDAFW room cooling for those non SBO scenarios in which the TDAFW room cooler was failed and the operator was prompted to recover room cooling via procedure S1.OP

AB.SW 0001(Q) (LOSS OF SW HEADER PRESSURE). This human action was represented by the HEP event AFS XHE FO DOORT (OPERATOR FAILS TO OPEN TDAFW PUMP ROOM DOOR FOR NON SBO (SW HDR 1). For those non SBO scenarios where recovery of TDAFW room cooling could not be credited, the HEP event AFS XHE FO DOORF (OPER FAILS TO OPEN TDAFW PUMP ROOM DOOR FOR NON SBO (SW HDR 2 & OTHER)) was used. This affected the logic in the vicinity of gate GAMC105. In effect, a new level of logic was inserted above GAMC105 to account for both SBO and non SBO cases that involve loss of TDAFW room cooling. A new OR gate (GAMC105 3) was created that is an input to gates GAN1732 and GASB732. The inputs to gate GAMC105 3 are GAMC105 (INADEQUATE COOLING OF 13 AFW PUMP AREA (LOOP SCENARIOS)) and GAMC105 5 (LOSS OF 13 AFW ROOM COOLING AND OPERATOR FAILURE TO OPEN DOOR (NON LOOP)). Cutsets containing combinations of AFS XHE FO DOORT, which credits recovery of TDAFW room cooling, and initiating events that would not provide an operator cue for recovery of TDAFW room cooling were deleted using commands in the recovery text file.

Likewise, cutsets containing the HEP event AFS XHE FO DOORF, which does not credit recovery of TDAFW room cooling, in combination with initiators that would provide a cue for recovery were also eliminated.

26 The 4th AFW pump (NSR pump) model logic was added to the model based on the work that Enercon had performed in September 2015. The use of new generic industry data based on information from INL (2010 update) was implemented in the database file (.rr file).

27 The following SWS AOV fail to open basic events were correctly assigned the proper failure probability that is listed in Table B 5 of the Data Notebook:

SWS AOV CC 11ST6 SWS AOV CC 12ST6 SWS AOV CC 13ST6 28 The basic event AC4 CKV CC 2DF28 was replaced with the correct event AC4 CKV CC 2DF38 under gates G14B265 and G4BS265, as the former event was a typographical error. There was no change to either CDF or LERF as a result of this model correction.

29 The fault tree logic to account for failure of the automatic start signal from SEC for the three EDG trains was added to the PRA model where circular logic breaks are being modeled. Specifically, the following fault tree changes were made:

1. For EDG Train A, a new gate (G4AS114X) was added as an input to existing gates G1AX120, G01X120, and G48X650. The new gate G4AS114X retains the logic that is found under existing gate G4AS114, but breaks the circular logic at gate G01X100 by removing gate G01X110 as an input.
2. For EDG Train B, a new gate (G4BS114X) was added as an input to existing gates G1BX120, G05X120, and G48X330. The new gate G4BS114X retains the logic that is found under existing gate G4BS114, but breaks the circular logic at gate G05X100 by removing gate G05X110 as an input.
3. For EDG Train C, a new gate (G4CS114X) was added as an input to existing gates G1CX120, G06X120, and G48X960. The new gate G4CS114X retains the logic that is found under existing gate G4BS114, but breaks the circular logic at gate G1CX100 by removing gate G1CX110 as an input.

30 Replaced basic event ESF LST FT L519 with existing event ESF LST FT 1L519 in order to eliminate duplicate events. For consistency, basic event ESF LST FT L518 was renamed as ESF LST FT

1L518.

31 The basic event AC4 CKV CC 2DF28 was replaced with the correct event AC4 CKV CC 2DF38 under gates G14B265 and G4BS265, as the former event was a typographical error. There was no change to either CDF or LERF as a result of this model correction.

32 A flag event was added to identify which cutsets are ATWS sequences. This was done by inserting new logic that combines the flag event ATWS FLAG under an AND gate with those ATWS scenarios under gates @ATWS, @ATWSX, PDS 123 D OPDEP, and PDS 3 ABC OPDEP.

LR N17 0263

63

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 33 A review of Westinghouse document LTR RAM I 10 053 ("White Paper Westinghouse Reactor Coolant Pump Seal Behavior For Fire Scenarios, Rev. 2") revealed that if CCW cooling to the RCPs is lost, there is no expected impact on pump seal performance provided that seal injection is being maintained by the charging system. This particular case is described on page 16 in Table 1 of the white paper. The result is that HEP event for failure to trip RCPs upon a loss of CCW (CCS XHE FO

TRIP) is no longer relevant to the PRA model given the information found in the Westinghouse white paper (LTR RAM I 10 053). As a result, the SCR node in the event tree for loss of CCW may be removed. This makes endstate "S16" of this event tree no longer applicable, which was a transfer to the small LOCA event tree. To effect this change in the PRA model, the subtrees represented by gates TCCS60 and RSC2 TR were deleted. The reconfigured loss of CCW event tree is depicted in Figure A 33 of the Event Tree Notebook (SA PRA 002).

34 The event tree for station blackout (SBO) scenarios (Figure A 8 of SA PRA 002) was reconfigured to account for whether the SBO DG (BALDOR or FLEX) is available. This impacts the ability for continued operation of AFW. For further details regarding the description of these SBO scenarios, refer to the Event Tree Notebook (SA PRA 002).

35 The HEP event SWS XHE FO OVER2 was removed from the PRA model during the 2015 update (SA115A) as it was no longer deemed a relevant recovery action for EDG cooling. This was effected by deleting the gate GHRA SWS XHE FO OVER2 and underlying logic from the model. Other model changes that were made to the Service Water cooling logic for the EDGs included removing gate GIFM112310 as an input to gates G08X120, G09X120, G1X1120, and G1X2120 since the valves modeled under this gate are not in the flowpath to the EDGs. Additionally, basic event SWS MOV

OC 2SW22 was replaced with new event SWS MOV OC 2SW21 under gates G09X165, G08X130, G1X1130, and G1X2165 since valve 12SW21 is the correct valve for this flowpath. Likewise, event SWS MOV OC 1SW22 was replaced with new event SWS MOV OC 1SW21 under gates G1X2130, G1X1165, G08X165, and G09X130 to model the correct flowpath through valve 11SW21.

36 The NOT logic employed in the Level 2 sequences was replicated in the logic for the Level 1 sequences that lead to core damage events in the SA115A PRA model. In general, the logic changes involved replacing the Level 1 event tree nodal logic gates with the analogous Level 2 nodal logic gates, which typically end with the character "X". This provides for a consistent approach and similar logic for both Level 1 and Level 2 events that will produce non minimal cutsets. This change to the PRA model resolves URE # SA2014 025.

37 The early and late operator actions associated with AFW actions were deemed to be mutually exclusive, e.g., the early cognitive failure associated with recovery of Secondary Side Heat Removal (SSHR) implies that the late recovery failures are not necessary. The elimination of cutsets with concurrent early and late failures was accomplished via use of the recovery file SA115AREC.txt.

38 Two new type codes were added to the Type Code database (ACPDGNFS AND ACPDGNFR) in file SA115A.rr, which will be used to calculate the failure probabilities associated with the proposed use of the FLEX diesel generator for station blackout (SBO) scenarios.

39 The FLEX diesel generator (DG) and associated supporting logic was incorporated into the SA115A PRA model. The FLEX DG is activated when loss of offsite power events (LOOPs) exceed a length of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or more with non recovery of offsite power. The Baldor DG is only available for those LOOP scenarios where offsite power is expected to be recovered within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> following the event.

For further details, see the Event Tree Notebook (SA PRA 002).

40 Gate G02X111 (NO POWER TO 230 VAC VITAL BUS 1B FOR SW26 LOGIC BREAK) was created as an input to gate G02X100 (POWER FAILURE AT 230VAC VITAL BUS 1B CIRCULAR LOGIC BRK) to break the circular logic with the 1B 4.16 kVAC bus providing power to the 230 VAC vital bus 1B, which is the power supply for MOV 1SW26.

LR N17 0263

64

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 41 The spurious closure of the 11CC3 and 12CC3 valves was added to the model to credit each CCW pump being able to feed the opposite train CCW heat exchanger. To effect this change, new event CCS MOV OC 11CC3 was added under gate GCC1161, and new event CCS MOV OC 12CC3 was added under gate GCC2131. In addition, new gate GCC2132 was created as a new input to gate GCC2120 (FAILURE OF FLOW FROM PUMPS CCS11, CCS12 AND CCS13 TO HEADER 12) to credit CCS pump 11 being able to supply the CCS 12 heat exchanger, and new gate GCC1162 was added as an input to gate GCC1140 (FAILURE OF FLOW FROM PUMPS CCS11, CCS12 AND CCS13 TO HEADER 11) to credit CCS pump 12 being able to supply the CCS 11 heat exchanger.

42 Gate TT IE was removed from under gate SC TSISW since the correct logic is already under gate TTTP NOTLOP to represent the condition in which an SEC actuation signal is not required.

43 A new gate G10X111 was created to replace existing gate G10X110 under gate G10X100 to remove circular logic problems encountered with the 1A 4.16 kVAC bus providing power to the 230 VAC vital bus 1A, which is the power supply for MOV 13SW20. Likewise, for MOV 11SW20 and 230 VAC vital bus 1C, a new gate G31X111 was created to replace existing gate G31X110 under gate G31X100 for similar reasons.

44 Since the HEP event CIS XHE FC XLCNT requires failure of CCW in conjunction with the Excess Letdown line being in operation, the split fraction XLCNT INSERVICE (FRACTION OF TIME EXCESS LETDOWN IS IN SERVICE) was added as an input to gates G12P200 1 and GCI1223. Also, gate G1T1120 (LOSS OF CCS FLOW from Headers 11 & 12) was added as an additional input under gate GCI1223, but was not able to be added under gate G12P200 1 due to circular logic concerns.

45 Three new generic type codes were added to the CAFTA database file to support modeling of standby SBO diesel generators (_DGB_FS, _DGB_FL, and _DGB_FR), which lead to the development of 6 distinct type codes for the Baldor and FLEX diesel generators. The three type codes for the Baldor diesel generator are as follows:

DGSDGBFS BALDOR DIESEL GENERATOR FAILS TO START DGSDGBFL BALDOR DIESEL GENERATOR FAILS TO START & LOAD DGSDGBFR BALDOR DIESEL GENERATOR FAILS TO RUN The three new type codes for the FLEX diesel generator are as follows:

ACPDGBFS FLEX DIESEL GENERATOR FAILS TO START ACPDGBFL FLEX DIESEL GENERATOR FAILS TO START & LOAD ACPDGBFR FLEX DIESEL GENERATOR FAILS TO RUN Gate logic was added to the SA115A PRA model to disable use of the Salem Unit 3 gas turbine generator and SBO air compressor once an extended loss of AC power (ELAP) condition exists. This was done by adding the logic under gate ELAP CONDITION 2 as an input to gate G1XM2A0 for Salem Unit 3 and gate ELAP CONDITION 1 as an input to gate G1EA312 for the SBO air compressor. This logic can be disabled by setting flag event PROCEDURE FLAG to false if and when procedures are in place that allow use of these components in parallel with FLEX equipment.

46 Success logic was added to the sequences under gate @TSWX (Loss of SWS Events with Success Branches). Also, the logic for sequence endstates S05 and S06 was added under this gate since it appears that this logic was not previously modeled in accordance with the event tree depicted in Figure A 34 of the Event Tree Notebook.

47 Internal floods involving the Service Water (SW) system in the Turbine Building were mapped to fail the SW26 valve (SWS MOV OC 1SW26) rather than both nuclear headers that supply cooling water to loads in the Auxiliary Building. This was deemed more appropriate since the SW nuclear headers are not directly associated with any of the SW piping located in the Turbine Building. In addition, the SW floods involving the nuclear SW headers in the Auxiliary Building and adjacent areas were subdivided into separate scenarios to account for the fact that any given SW pipe rupture could only affect one header due to train separation. SW header #1 flood events are mapped to SWS MOV OC

2SW20 to simulate failure of the Unit 1 SW source from Bay #1, and SW header #2 events are mapped to SWS MOV OC 4SW20 to represent failure of the SW source from Bay #3.

48 Sequence tags were added to the SA115A PRA model with the prefix "1 SEQ" to help delineate what event tree sequence endstates were satisfied for those cutsets that lead to core damage.

LR N17 0263

65

Table RAI81 Changes that Were Made as Part of the Salem SA115A PRA Model Update 49 Two common cause events for failure of the undervoltage relays for the 4.16 kVAC vital buses were added to the model in order to conform to the analysis performed in support of SA STI 004, "Surveillance Test Interval (STI) Extension Evaluation of Vital Bus Under Voltage Relays." The two events are as follows:

ESF RLY OO UV2 COMMON CAUSE FAILURE FOR ANY 2 OF 3 RELAYS ESF RLY OO UV3 COMMON CAUSE FAILURE FOR 3 OF 3 RELAYS 50 A recovery event named REC EDGC was added as a new input under the gates listed below to represent failure to restore the ability to replenish the fuel oil day tank for EDG C with the FLEX diesel generator (DG). The value assigned to REC EDGC represents the human error probability (HEP) to align the FLEX DG to the appropriate motor control center (MCC) to repower a fuel oil transfer pump plus the overall unavailability of the FLEX DG. Failure to refill the EDG C day tank is a consequence of both EDG A and EDG B failing to operate, since they are the power supplies for the two fuel oil transfer pumps:

G48X102 LOSS OF FUEL SUPPLY TO DGN 1A/B/C GFOT102 LOSS OF FUEL SUPPLY TO DGN 1A/B/C DOES NOT TAKE CREDIT FOR GTG G4CS232 LOSS OF FUEL SUPPLY TO DGN 1C G14C232 LOSS OF FUEL SUPPLY TO DGN 1C 51 The combination of a battery charger being placed in maintenance (DCP CHG TM*) in combination with failure to place the alternate charger in service (DCP XHE ALTCHGR) would not physically occur due to plant maintenance practices and procedures. Because of this, these cutsets were eliminated via use of the recovery text file (SA115AREC.TXT).

52 To account for the fact that manual actions can be performed to transfer suction from the VCT to the RWST, the operator action CVS XHE FO SOVCT was added under two new AND gates (G1UB170 1 and G1RP132 1). Gate G1UB170 1 is an input to gate G1UB170 (FAILURE OF WATER SOURCES FOR EMERGENCY BORATION) and gate G1RP132 1 is an input to gate G1RP132 (INSUFFICIENT FLOW FROM RWST, VCT, AND BATS).

53 Basic events XHOS 1VC5 OPEN and XHOS 1VC6 OPEN were replaced with a single event XHOS

1VC5 6 OPEN (FRACTION OF TIME VC5 AND VC6 ARE OPEN) and assigned the probability of 8.3E 2 since these valves, on average, are opened for about an hour every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (once per shift).

Conversely, the basic events XHOS 1VC5 CLOSED and XHOS 1VC6 CLOSED were replaced with a single event XHOS 1VC5 6 CLOSED (FRACTION OF TIME VC5 AND VC6 ARE OPEN) and assigned the probability of 0.917.

54 Recovery logic was added to the recovery rules fault tree SA115AREC.CAF that involved excluding cutsets that contain events that satisfy the gate logic FLEXDG 1 (FAILURES INVOLVING FLEX DG) found in SA115A.CAF in addition to the recovery event REC EDGC (FAILURE TO RECOVER EDG C WITH FLEX DG WHEN EDG A AND EDG B FAIL) also being present in the cutset. The recovery event REC EDGC already takes into account the contribution from all failures related to the FLEX DG, both operator and hardware failure modes. In essence, this mutually exclusive recovery logic was necessary to eliminate non minimal cutsets.

APLARAI9 RG 1.177 outlines a three tiered approach for evaluating the risk associated with a proposed TS AOT change. Tier 2 identifies and evaluates any potential risk significant plant configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk significant operational factors, such as concurrent system or equipment testing, are involved. The purpose of this evaluation is to ensure that there are appropriate restrictions on dominant risk significant configurations associated with the change in place.

LR N17 0263

66

According to Section 6.3 in Enclosure 1 of the LAR, the Tier 2 assessment was addressed as part of the sensitivity cases investigated in Section 5.5 of Enclosure 1, in which other equipment other than the CFCUs is investigated for relative importance. However, based on the information presented in Section 5.5 of Enclosure 1, it is not clear what, if any, risk significant configurations the licensee identified or what, if any, measures the licensee is taking to avoid those risk significant configurations. As a result the staff cannot determine if the licensees Tier 2 evaluation is sufficient to ensure that the licensee will have appropriate restrictions on dominant risk significant configurations, associated with the change in CFCU AOT, in place.

Please provide a discussion describing clearly any potential risk significant plant configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk significant operational factors, such as concurrent system or equipment testing, are involved. Include a description of any restrictions that the licensee plans to implement in order to avoid any identified risk

significant configurations once the change in CFCU AOT is in place.

PSEG Response:

Based on the sensitivity analyses that were performed in Section 5 of SA LAR 007

[Reference 4], there were no new risk configurations identified that would warrant further measures to be implemented other than what have already been identified in Attachment 1 of OP AA 108 116 [Reference 6], which defines the sites protected equipment program.

Additionally, when the online maintenance EOOS model was configured with two CFCU fans as being out of service, the risk if removed from service equipment list was no different from the list generated for the zero maintenance case. This means that no new risk significant configurations have been created as a result of this CFCU AOT extension.

LR N17 0263

67

References

1. Addenda to ASME/ANS RA S 2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME/ANS RA Sa 2009, ASME/ANS, February 2009.
2. U.S. Nuclear Regulatory Commission, Industry Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, NUREG/CR 6928, 2010 Update.
3. Analysis of Loss of Offsite Power Events 1997 2014, Idaho National Laboratory, INL/EXT 16 37873, U.S. Nuclear Regulatory Commission Website:

http://nrcoe.inl.gov/resultsdb/LOSP/, February 2016.

4. PSEG, Salem PRA Analysis for CFCU AOT Extension, SA LAR 007, Revision 1, February 2017.
5. Nuclear Regulatory Commission (NRC), An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk Informed Activities, Regulatory Guide 1.200, Rev. 2, March 2009.
6. PSEG, Protected Equipment Program, OP AA 108 116, Revision 12.
7. RG 1.200 PRA Peer Review Against the ASME PRA Standard Requirements for the Salem Generating Station, Units 1 & 2 Probabilistic Risk Assessment, LTR RAM II 09

001, Westinghouse, June 2009.

Retrieved from "https://kanterella.com/w/index.php?title=LR-N17-0263,_Response_to_Request_for_Additional_Information,_Salem_Units_1_and_2_-_Containment_Fan_Coil_Unit_Allowed_Outage_Time_Extension_Amendment_Request&oldid=5109143"