LR-N17-0135, License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times

From kanterella
(Redirected from ML17352A502)
Jump to navigation Jump to search

License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times
ML17352A502
Person / Time
Site: Salem  PSEG icon.png
Issue date: 12/18/2017
From: Mcfeaters C
Public Service Enterprise Group
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR S17-05, LR-N17-0135
Download: ML17352A502 (170)
v  d  e


Text

{{#Wiki_filter:DEC 18 2017 LR-N17 -0135 LAR S17-05 PSEG Nuclear LLC P.O. Box 236, Hancocks Bridge, New.JersHy 08038-0236 PSEG Nuclea-rLLC 10 CFR 50.90 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

Subject:

Salem Generating Station, Units 1 and 2 Renewed Facility Operating License Nos. DPR-70 and DPR-75 NRC Docket Nos. 50-272 and 50-311 License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times In accordance with the provisions of 10 CFR 50.90, PSEG Nuclear LLC (PSEG) is submitting a request for an amendment to the Technical Specifications (TS) for Salem Generating Station (Salem) Units 1 and 2. The proposed changes will revise Salem Units 1 and 2 TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation." These changes are based on Westinghouse topical reports WCAP-14333-P A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." These proposed changes are consistent with the NRC-approved Technical Specification Task Force (TSTF) Travelers TSTF-411, Revision 1, "Surveillance Test Interval Extension for Components of the Reactor Protection System (WCAP-15376-P)" and TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)," or are supported by plant-specific analysis for those changes which are plant specific and therefore not evaluated in these WCAPs. provides an evaluation supporting the proposed changes. Attachment 2 provides the existing TS pages marked up to show the proposed changes. Attachment 3 provides existing TS Bases pages marked up to show the proposed changes and are being provided for information only. PSEG requests approval of this license amendment request (LAR) in accordance with standard NRC approval process and schedule. Once approved, the amendment will be implemented within 90 days from the date of issuance.

LR-N17 -0135 Page 2 10 CFR 50.90 In accordance with 10 CFR 50.91, a copy of this application, with attachments, is being provided to the designated State of New Jersey Official. There are no regulatory commitments contained in this letter. If you have any questions or require additional information, please contact Ms. Tanya Timberman at 856-339-1426. I declare under penalty of perjury that the foregoing is true and correct. Executed on _ _,_f-==-Z----'/-'-=1=-3---'-/...,-- 1-'-- 7-- (Date) Charles V. McFeaters Site Vice President Salem Generating Station Attachments:

1. Evaluation of Proposed Changes
2. Mark-up of Proposed Technical Specification Pages
3. Mark-up of Proposed Technical Specification Bases Pages cc:

Mr. D. Dorman, Administrator, Region I, NRC Ms. C. Parker, Project Manager, NRC NRC Senior Resident Inspector, Salem Mr. P. Mulligan, Chief, NJBNE Corporate Commitment Tracking Coordinator Salem Commitment Tracking Coordinator

LR-N17-0135 LAR S17-05 Evaluation of Proposed Changes Table of Contents

1.0 DESCRIPTION

................................................................................................................ 1

2.0 PROPOSED CHANGE

.................................................................................................... 1

3.0 BACKGROUND

............................................................................................................... 7

4.0 TECHNICAL ANALYSIS

.................................................................................................. 8 4.1 Deterministic Assessment....................................................................................... 8 4.1.1 Defense in Depth......................................................................................... 8 4.1.2 Safety Margin............................................................................................. 10 4.2 SER Conditions and Limitations............................................................................ 10 4.2.1 WCAP-14333............................................................................................. 10 4.2.2 WCAP-15376............................................................................................. 16 4.2.3 Plant Specific Evaluations for Functions not Evaluated Generically........... 26 4.3 Risk Assessment................................................................................................... 27 4.3.1 PRA Quality............................................................................................... 28 4.3.2 External Events Consideration................................................................. 109 4.3.3 Technical Adequacy Summary................................................................. 112 4.3.4 Tier 1. Probabilistic Risk Assessment..................................................... 113 4.3.5 Uncertainty Discussion............................................................................. 127 4.3.6 Tier 2. Avoidance of Risk Significant Plant Configurations...................... 139 4.3.7 Tier 3. Risk-Informed Configuration Management................................... 140 4.3.8 Summary and Conclusion........................................................................ 142

5.0 REGULATORY ANALYSIS

......................................................................................... 147 5.1 No Significant Hazards Consideration................................................................. 147 5.2 Applicable Regulatory Requirements/Criteria....................................................... 149

6.0 ENVIRONMENTAL CONSIDERATION

....................................................................... 150

7.0 REFERENCES

............................................................................................................ 150

LR-N17-0135 LAR S17-05

1.0 DESCRIPTION

The license amendment request (LAR) revises Salem Units 1 and 2 Technical Specification (TS) 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation." These changes are based on Westinghouse topical reports WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times (Reference 1)," and WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times (Reference 2)." Changes are proposed to TS Table 3.3-1, Actions 1, 2, 6, 10, and 11, and to Table 3.3-3, Actions 13, 14, 16, 19, and 20. In general, the changes include increasing the completion times (CT) and bypass test times. These proposed changes are consistent with the NRC-approved Technical Specification Task Force (TSTF) Travelers TSTF-411, Revision 1, "Surveillance Test Interval Extension for Components of the Reactor Protection System (WCAP-15376-P) (Reference 3)" and TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333) (Reference 4)," or are supported by plant-specific analysis for those changes which are plant specific and therefore not evaluated in these WCAPs.

2.0 PROPOSED CHANGE

The proposed changes revise the Salem Units 1 and 2 TS Table 3.3-1, Reactor Trip System Instrumentation, Actions 1, 2, 6, 10, and 11 and Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation, Actions 13, 14, 16, 19, and 20. In general, the changes include increasing the completion times and bypass test times. TS 3/4.3.1 Reactor Trip System Instrumentation Specifically, the proposed changes would revise the following functions in TS Table 3.3-1, consistent with the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333, or WCAP-15376: Instruments associated with TS Table 3.3-1, Reactor Trip System Instrumentation: Function System Action Proposed Technical Specification Change 2 Power Range, Neutron Flux 2 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 3 Power Range, Neutron Flux High Positive Rate 2 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 7 Overtemperature T 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 8 Overpower T 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 9 Pressurizer Pressure - Low 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 10 Pressurizer Pressure - High 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 1

LR-N17-0135 LAR S17-05 Function System Action Proposed Technical Specification Change 11 Pressurizer Water Level - High 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 12 Loss of Flow - Single Loop (Above P-8) 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 13 Loss of Flow - Two Loops (Above P-7 and Below P-8) 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 14 Steam Generator Water Level - Low-Low 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 16 Undervoltage - Reactor Coolant Pumps 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 17 Underfrequency - Reactor Coolant Pumps 6 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 18.a/b Turbine Trip

a. Low Autostop Oil Pressure
b. Turbine Stop Valve Closure 6

Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 19 Safety Injection Input from ESF 10 Increase completion time from 6 hours to 24 hours 20 Reactor Coolant Pump Breaker Position Trip (Above P-7) 11 Increase completion time from 6 hours to 72 hours 21 Reactor Trip Breakers 1 Increase completion time to 24 hours and bypass time from 2 hours to 4 hours 22 Automatic Trip Logic 10 Increase completion time from 6 hours to 24 hours The following TS Table 3.3-1 Actions are revised: Action 1 With the number of OPERABLE one less than required by the Minimum Channels OPERABLE requirement, restore the inoperable channel (RTB) to OPERABLE within 24 hours or be in HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1.1 provided the other channel is OPERABLE. Action 2 With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied.

a. The inoperable channel is placed in the tripped condition within 72 hours.
b. The Minimum Channels OPERABLE requirement is met; however, one channel may be bypassed for up to 12 hours for surveillance testing per Specification 4.3.1.1.1.
c. Either, THERMAL POWER is restricted to 75% of RATED THERMAL POWER and the Power Range, Neutron Flux trip setpoint is reduced to 85% of RATED 2

LR-N17-0135 LAR S17-05 THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours. Action 6 With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a. The inoperable channel is placed in the tripped condition within 72 hours.
b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 12 hours for surveillance testing of other channels per Specification 4.3.1.1.1.

Action 10 With the number of OPERABLE Channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY in the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1.1, provided the other channel is OPERABLE. The following function in TS Table 3.3-1 was not included in the generic evaluations approved in either WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," and supplements to that report, or WCAP-14333. In order to apply the WCAP-10271, as supplemented, or WCAP-14333 TS relaxations to plant specific functions not evaluated generically, the proposed change is supported by a plant specific evaluation described in Section 4.2.3. Instruments associated with TS Table 3.3-1, Reactor Trip System Instrumentation: Function System Action Proposed Technical Specification Change 20 Reactor Coolant Pump Breaker Position Trip (above P-7) 11 Increase completion time from 6 hours to 72 hours TS Table 3.3-1, Action 11 is revised as follows: With less than the Minimum Number of Channels OPERABLE, operation may continue provided the inoperable channel is placed in the tripped condition within 72 hours. TS 3/4.3.2 Engineered Safety Feature Actuation System Instrumentation The following functions in TS Table 3.3-3 would be revised, consistent with the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333: 3

LR-N17-0135 LAR S17-05 Instruments associated with TS Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation: Function System Action Proposed Technical Specification Change 1.b Safety Injection, Turbine Trip and Feedwater Isolation

b. Automatic Actuation Logic 13 Increase completion time from 6 hours to 24 hours 1.c/d/e/f Safety Injection, Turbine Trip and Feedwater Isolation
c. Containment Pressure
- High
d. Pressurizer Pressure -

Low

e. Differential Pressure Between Steam Lines -

High

f. Steam Flow in Two Steam Lines - High 19 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 2.b Containment Spray
b. Automatic Actuation Logic 13 Increase completion time from 6 hours to 24 hours 2.c Containment Spray
c. Containment Pressure
- High-High 16 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 3.a.2 Containment Isolation, Phase A a.2) From Safety Injection Automatic Actuation Logic 13 Increase completion time from 6 hours to 24 hours 3.b.2 Containment Isolation, Phase B b.2) Automatic Actuation Logic 13 Increase completion time from 6 hours to 24 hours 3.b.3 Containment Isolation, Phase B b.3) Containment Pressure - High-High 16 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 4.b Steam Line Isolation
b. Automatic Actuation Logic 20 Increase completion time from 6 hours to 24 hours 4.c Steam Line Isolation c Containment Pressure -

High-High 16 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 4.d Steam Line Isolation

d. Steam Flow in Two Steam Lines - High 19 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 5.a Turbine Trip & Feedwater Isolation 19 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours 4

LR-N17-0135 LAR S17-05 Function System Action Proposed Technical Specification Change 8.a Auxiliary Feedwater

a. Automatic Actuation Logic 20 Increase completion time from 6 hours to 24 hours 8.c/d Auxiliary Feedwater c Stm. Gen. Water Level-Low-Low d Undervoltage-RCP Start Turbine - Driven Pump 19 Increase completion time from 6 hours to 72 hours and bypass time from 4 hours to 12 hours The following TS Table 3.3-3 Actions are revised:

Action 13 With the number of OPERABLE Channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status within 24 hours or, be in HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1.1 provided the other channel is OPERABLE. Action 16 With the number of OPERABLE Channels one less than the Total Number of Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is demonstrated by CHANNEL CHECK within 72 hours; one additional channel may be bypassed for up to 12 hours for surveillance testing per Specification 4.3.2.1.1. Action 19 With the number of OPERABLE Channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a. The inoperable channel is placed in the tripped condition within 72 hours.
b. The Minimum Channels OPERABLE requirements is met; however, the inoperable channel may be bypassed for up to 12 hours for surveillance testing of other channels per Specification 4.3.2.1.1.

Action 20 With the number of OPERABLE channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status within 24 hours or, be in at least HOT STANDBY within the next 6 hours and in at least HOT SHUTDOWN within the following 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1.1 provided the other channel is OPERABLE. The following functions in TS Table 3.3-3 were not included in the generic evaluations approved in either WCAP-10271 (Reference 5), as supplemented, or WCAP-14333. In order to apply the WCAP-10271, as supplemented, or WCAP-14333 TS relaxations to plant specific functions not 5

LR-N17-0135 LAR S17-05 evaluated generically, the proposed changes are supported by plant specific evaluations described in Section 4.2.3. In Table, 3.3-3, Functions 7.a and 7.b, loss of power, were not included in the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333. TSTF-418, Insert 19, reviewers note states, in order to apply the WCAP-10271, as supplemented, or WCAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval. In Table, 3.3-3, Function 9.a (Semiautomatic Transfer to Recirculation (SA), Unit 2 Only for RWST Level Low) was not included in the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333. TSTF-418, Insert 14, reviewers note states, in order to apply the WCAP-10271, as supplemented, and WCAP-14333 TS relaxations to plant specific Functions not evaluated generically, licensees must submit plant specific evaluations for NRC review and approval. In Table, 3.3-3, Functions 3.c.2, 6, and 9.b were not included in the generic evaluations approved in either WCAP-10271, as supplemented, or WCAP-14333. In order to apply the various relaxations justified in WCAP-10271 and WCAP-14333 to plant specific Functions not evaluated generically, a plant specific evaluation of those Functions has been performed. Plant specific evaluations for functions not evaluated generically with WCAP-14333 include: Instruments associated with TS Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation: Function System Action Proposed Technical Specification Change 3.c.2 Containment Isolation (CI) c.2) Automatic Actuation Logic 13 Increase completion time from 6 hours to 24 hours 6 Safeguards Equipment Control System (SEC) 13 Increase completion time from 6 hours to 24 hours 7.a/b Vital Bus Undervoltage (UV)

a. Loss of Voltage
b. Sustained Degraded Voltage 14 Increase completion time from 1 hours to 72 hours 9.a/b Semiautomatic Transfer to Recirculation (SA) (Unit 2 Only)
a. RWST Level Low
b. Automatic Actuation Logic 16 9.a Increase completion time from 6 hours to 72 hours Increase bypass time from 4 hours to 12 hours 20 9.b Increase completion time from 6 hours to 24 hours The following TS Table 3.3-3 Action is revised:

Action 14 With the number of OPERABLE Channels one less than the Total Number of Channels, operation may proceed until performance of the next required CHANNEL FUNCTIONAL TEST, provided the inoperable channel is placed in the tripped condition within 72 hours. 6

LR-N17-0135 LAR S17-05 Finally, proposed changes to the TS Bases are provided in Attachment 3 for information only. Changes to the affected TS Bases pages will be incorporated per TS 6.17 (Unit 1) and TS 6.16 (Unit 2), Technical Specifications (TS) Bases Control Program.

3.0 BACKGROUND

WCAP-15376-P-A, Revision 1, Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times, provides the justification for the following changes to the Improved Standard Technical Specifications for the Reactor Trip System (RTS) Instrumentation (3.3.1) and Engineered Safety Features Actuation System (ESFAS) Instrumentation (3.3.2): Increase the completion time and the bypass test time for the reactor trip breakers. Increase the Surveillance Test Intervals (STI) for the reactor trip breakers, master relays, logic cabinets, and analog channels. WCAP-15376-P considers both the Solid State Protection System and the Relay Protection System. Salem uses a Solid State Protection System (SSPS) for RTS and ESFAS. The proposed changes to surveillance test intervals described in TSTF-411 are not included in this license amendment request. The Salem STIs are controlled under the Surveillance Frequency Control Program. Amendment Nos. 299 and 282 (Reference 6) modified the TSs by relocating specific surveillance frequencies to a licensee-controlled program based on TSTF-425, Revision 3, Relocate Surveillance Frequencies to Licensee Control - RISTSTF [Risk-Informed TSTF] Initiative 5b. WCAP-14333-P-A, Revision 1, Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times, provides the justification for the following changes to the Improved Standard Technical Specifications for increasing the bypass times for testing and the Completion Times in the Reactor Protection System (RPS) Instrumentation (3.3.1) and Engineered Safety Features Actuation System (ESFAS) Instrumentation (3.3.2) Technical Specifications: Completion times of 72 hours for inoperable instruments Bypass times of 12 hours for surveillance testing Completion Times of 24 hours for an inoperable logic cabinet or master and slave relays These improvements will allow additional time to perform maintenance and test activities, enhance safety, provide additional operational flexibility, and reduce the potential for forced outages related to compliance with the RPS and ESFAS instrumentation Technical Specifications. Industry information has shown that a significant number of trips that have occurred are related to instrumentation test and maintenance activities, indicating that these activities should be completed with caution and sufficient time should be available to complete these activities in an orderly and effective manner. 7

LR-N17-0135 LAR S17-05 The current Salem maintenance outage and test bypass times have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," and supplements to that report. Amendment Nos. 142 and 121 (Reference 7) modified the TSs to adopt WCAP-10271. Out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. Changes also modifed the Unit 2 Semiautomatic Transfer to Recirculation on Refueling Water Storage Tank (RWST) Low Level. This function, which was not part of the program covered in the WCAP, was analyzed on a plant-specific basis.

4.0 TECHNICAL ANALYSIS

4.1 Deterministic Assessment The proposed changes increase the completion times and bypass test times for the Reactor Trip System Instrumentation and the Engineered Safety Feature Actuation System Instrumentation functions. The traditional engineering considerations need to be addressed. These include defense-in-depth and safety margins. The fundamental safety principles on which the plant design is based cannot be compromised. Design basis accidents are used to develop the plant design. These are a combination of postulated challenges and failure events that are used in the plant design to demonstrate safe plant response. Defense-in-depth, the single failure criterion, and adequate safety margins may be impacted by the proposed change and consideration needs to be given to these elements. 4.1.1 Defense-in-Depth Consistency with the defense-in-depth philosophy is maintained as discussed below: a) A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation (i.e., the proposed change in a TS has not significantly changed the balance among these principles of prevention and mitigation) to the extent that such balance is needed to meet the acceptance criteria of the specific design-basis accidents and transients. The proposed increases in the allowed outage times and test bypass times do not affect the design or operation of the Reactor Trip System Instrumentation or the Engineered Safety Feature Actuation System Instrumentation. The RTS and ESFAS will remain capable of performing their required functions. The proposed changes do not degrade core damage prevention and compensate with improved containment integrity, nor do these changes degrade containment integrity and compensate with improved core damage prevention. Therefore, the balance among prevention of core damage and prevention of containment failure is maintained. Consequence mitigation remains unaffected by the proposed changes. No new accidents or transients are introduced with the proposed changes; therefore, the likelihood of accidents or transients is not impacted. No new activities on the RTS or ESFAS will be performed at power that could lead to potentially new transient events. 8

LR-N17-0135 LAR S17-05 b) Over-reliance on programmatic activities as compensatory measures is avoided. The plant design will not be changed with these proposed changes. All safety systems will still function in the same manner with the same signals available to trip the reactor and initiate ESFAS functions, and there will be no additional reliance on additional systems, procedures, or operator actions. The calculated risk increase for these changes is very small and additional control processes are not required to be put into place to compensate for any risk increase. c) System redundancy, independence, and diversity are preserved commensurate with the expected frequency and consequences of challenges to the system. There is no impact on the redundancy, independence, or diversity of the RTS and ESFAS or the ability of the plant to respond to events with diverse systems. The RTS and ESFAS are diverse and redundant systems and will remain so. There will be no change to the signals available to trip the reactor or initiate ESFAS functions. The RTS and ESFAS are reliable systems and are backed up by the plant operators who will still be available to perform actions in the event of RTS failure. In addition, the RTS is backed up by ATWS (Anticipated Transient Without Scram) mitigating system actuation circuitry (AMSAC) signal to start auxiliary feedwater and trip the turbine in conjunction with RCS pressure mitigation via the pressurizer safety valves and relief valves. The proposed changes have no impact on this alternate approach to ATWS mitigation. d) Defenses against potential common cause failures are maintained, and the potential for introduction of new common cause failure mechanisms is assessed. The extensions requested are not sufficiently long to expect new common cause failure mechanisms to arise. In addition, the operating environment for these components remains the same, so new common cause failure modes are not anticipated. Also, backup systems and operator actions are not impacted by these changes; and there are no new common cause links between primary and backup systems. Therefore, no new potential common cause failure mechanisms have been introduced. e) Independence of physical barriers is not degraded. The physical barriers (fuel cladding, reactor coolant system, and containment) and their independence are maintained. The proposed changes do not affect the integrity of physical barriers to limit leakage to the environment. Increasing the completion times and bypass test times to the RTS and ESFAS systems does not affect the independence of the fuel cladding, reactor coolant system, or containment. f) Defenses against human errors are preserved. No new operator actions related to the CT and bypass time extensions are required. No additional operating, maintenance, or test procedures are required due to these changes, and no new at-power tests or maintenance activities are expected to occur as a result of these changes. The plant will continue to be operated and maintained as before. 9

LR-N17-0135 LAR S17-05 g) The intent of the plant's design criteria is maintained. The intent of the Salem design criteria is maintained. The plants will continue to be operated and maintained as before. The proposed changes do not involve any physical changes to the design of the RTS or ESFAS or supporting systems. The ability of the RTS and ESFAS to perform their required functions is maintained during the extended completion times and test bypass times. As demonstrated by the discussion of the deterministic issues above, increasing the completion times and bypass test times to the RTS and ESFAS systems is appropriately a risk-informed decision. 4.1.2 Safety Margin The impact of the proposed change is consistent with the principle that sufficient safety margins are maintained. a) Codes and Standards or alternatives approved for use by the NRC are met. The design and operation of the RTS and ESFAS systems are not changed by the proposed increase of the completion times and bypass test times. The proposed change does not affect conformance with applicable codes and standards. b) Safety analysis acceptance criteria in the FSAR are met or proposed revisions provide sufficient margin to account for analysis and data uncertainties. The safety analysis acceptance criteria, as stated in the Salem UFSAR, are not impacted by these changes. Redundant RPS trains will be maintained. Diversity with regard to signals to provide reactor trip and actuation of engineered safety features will also be maintained. The proposed changes will not allow plant operation in a configuration outside the design basis. All signals credited as primary or secondary and all operator actions credited in the accident analysis will remain the same. 4.2 SER Conditions and Limitations 4.2.1 WCAP-14333 NRC approval of WCAP-14333 was subject to the following conditions requiring plant-specific information: 4.2.1.1 WCAP-1433 Condition 1 Confirm the applicability of the WCAP-14333-P analyses for the plant. The implementation guidelines for WCAP-14333 were used to show that the analysis, results, and conclusions in WCAP-14333 are applicable to Salem. The NRC indicated during their review of the WCAP that providing the information in the guidelines will assist in their review of plant specific submittals for implementing the allowed outage time (AOT) changes in WCAP-14333. The plant specific information in Tables 4-1 through 4-3 demonstrates the applicability of the generic WCAP-14333 analysis to Salem. 10

LR-N17-0135 LAR S17-05 TABLE 4-1 WCAP-14333 IMPLEMENTATION GUIDELINES: APPLICABILITY OF THE ANALYSIS GENERAL PARAMETERS Parameter WCAP-14333 Analysis Assumptions Plant Specific Parameter Logic Cabinet Type (1) Relay and SSPS SSPS Component Test Intervals (2) Analog channels 3 months 3 months Logic cabinets (SSPS) 2 months 6 months Logic cabinets (Relay) 1 month NA Master Relays (SSPS) 2 months 6 months (refueling) Master Relays (Relay) 1 month NA Slave Relays 3 months 18 months (refueling) Reactor trip breakers 2 months 6 or 18 months* Analog Channel Calibrations (3) Done at-power Yes Yes Interval 18 months 18 months Typical At-Power Maintenance Intervals (4) Analog channels 24 months equal to or greater than** Logic cabinets (SSPS) 18 months equal to or greater than** Logic cabinets (Relay) 12 months NA Master relays (SSPS) infrequent (5) infrequent Master relays (Relay) infrequent (5) NA Slave relays infrequent (5) infrequent Reactor trip breakers 12 months equal to or greater than** AMSAC (6) Credited for AFW pump start Yes Total Transient Event Frequency (7) 3.6 0.9/yr ATWS Contribution to CDF (current PRA model) (8) 8.4E-06 2.7E-07/yr Total CDF from Internal Events (current PRA model) (9) 5.8E-05 8.4E-06/yr Total CDF from Internal Events (IPE) (10) Not Applicable N/A

  • The RTBs are under two different frequency controls (at 6 months and 18 months) for different parts of the channel functional test. The 6 month controls are related to verifying operability of the undervoltage and shunt trip mechanisms and to verify the function of a local pushbutton to manually trip at the breaker location. The 18 month controls are related to testing the breaker on an SSPS signal.
    • No at-power maintenance is scheduled on these components 11

LR-N17-0135 LAR S17-05 Notes for Table 4-1

1. Indicate type of logic cabinet; SSPS or Relay (both are included in WCAP-14333).
2. Fill in applicable test intervals. If the test intervals are equal to or greater than those used in WCAP-14333, the analysis is applicable to your plant.
3. Indicate if channel calibration is done at-power and, if so, fill in the interval. If channel calibrations are not done at-power or if the calibration interval is equal to or greater than that used in WCAP-14333, the analysis is applicable to your plant.
4. Fill in the applicable typical maintenance intervals or fill in equal to or greater than or less than. If the maintenance intervals are equal to or greater than those used in WCAP-14333, the analysis is applicable to your plant.
5. Only corrective maintenance is done on the master and slave relays. The maintenance interval on typical relays is relatively long, that is, experience has shown they do not typically completely fail. Failure of slave relays usually involve failure of individual contacts. Fill in infrequent if this is consistent with your plant experience. If not, fill in the typical maintenance interval. If infrequent slave relay failures are the norm, then the WCAP-14333 analysis is applicable to your plant.
6. Indicate if AMSAC will initiate Auxiliary Feedwater (AFW) pump start. If yes, then the WCAP-14333 analysis is applicable to your plant.
7. Include total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to core damage frequency (CDF). Do not include events initiated by a reactor trip.
8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events).

This is required to determine if the ATWS event is a large contributor to CDF.

9. Fill in the total CDF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRCs risk-informed CDF acceptance guidelines.
10. Fill in the total CDF from internal events from the IPE model (submitted to the NRC in response to Generic Letter 88-20). If this value differs from the most recent PRA model update CDF provide a concise list of reasons, in bulletized form, describing the differences between the models that account for the change in CDF.

12

LR-N17-0135 LAR S17-05 TABLE 4-2 WCAP-14333 IMPLEMENTATION GUIDELINES: APPLICABILITY OF ANALYSIS (CONTD) REACTOR TRIP ACTUATION SIGNAL Event WCAP-14333 Analysis Assumption Plant Specific Parameter (1) Large LOCA Not Required Agree Medium LOCA Not Required Agree Small LOCA Nondiverse (2) w/OA (3) Agree Steam Generator Tube Rupture Nondiverse w/OA Agree Interfacing System LOCA Not Required Agree Reactor Vessel Rupture Not Required Agree Secondary Side Breaks Nondiverse w/OA Agree Transient Events, such as: - Positive Reactivity Insertion - Loss of Reactor Coolant Flow - Total or Partial Loss of Main Feedwater - Loss of Condenser - Turbine Trip - Loss of DC Bus - Loss of Vital AC Bus - Loss of Instrument Air - Spurious Safety Injection - Inadvertent Opening of a Steam Valve Diverse (4) w/OA Agree Reactor Trip Generated by RPS Agree Loss of Offsite Power Not Required by RPS Agree Station Blackout Not Required by RPS Agree Loss of Service Water or Component Cooling Water Nondiverse w/OA Agree Notes for Table 4-2:

1. Fill in agree if your plant design and operation is consistent with this analysis, that is, the noted reactor trip signals are available at a minimum. If not, explain the difference. If agree is listed for each event, then the WCAP-14333 analysis is applicable to your plant.
2. Nondiverse means that (at least) one signal will be generated to initiate reactor trip for the event.
3. OA indicates that an operator could take action to initiate reactor trip for the event, that is, there is sufficient time for action and procedures are in place that will instruct the operator to take action.
4. Diverse means that (at least) two signals will be generated to initiate reactor trip for the event.

13

LR-N17-0135 LAR S17-05 TABLE 4-3 WCAP-14333 IMPLEMENTATION GUIDELINES: APPLICABILITY OF ANALYSIS (CONTD) ENGINEERED SAFETY FEATURES ACTUATION SIGNALS Safety Function Event WCAP-14333 Analysis Assumption Plant Specific Parameter (1) Safety Injection Large LOCA Nondiverse (2) Agree Medium LOCA Nondiverse, OA (3) by SI switch on main control board Agree Small LOCA Nondiverse, OA by SI switch on main control board, OA of individual components Agree Interfacing Systems LOCA Nondiverse, OA by SI switch on main control board, OA of individual components Agree SG Tube Rupture Nondiverse, OA by SI switch on main control board, OA of individual components Agree Secondary Side Breaks Nondiverse, OA by SI switch on main control board, OA of individual components Agree Auxiliary Feedwater Pump Start Events generating SI signal Transient events Pump actuation on SI signal Nondiverse, AMSAC, operator action Agree Main Feedwater Isolation Secondary Side Breaks Nondiverse Agree Steamline Isolation Secondary Side Breaks Nondiverse Agree Containment Spray Actuation All events Nondiverse signal Agree Containment Isolation All events From SI signal Agree Containment Cooling All events From SI signal Agree Notes for Table 4-3:

1. Fill in agree if your plant design and operation is consistent with this analysis, that is, the noted engineered safety features actuation signals are available at a minimum. If not, explain the difference. If agree is listed for each event, then the WCAP-14333 analysis is applicable to your plant.
2. Nondiverse means that (at least) one signal will be generated to initiate the engineered safety feature noted for the event.
3. Operator Action (OA) indicates that an operator could take action to initiate the engineered safety feature for the event, that is, there is sufficient time for action and procedures are in place that will instruct the operator to take action.

14

LR-N17-0135 LAR S17-05 4.2.1.2 WCAP-14333 SE Condition 2 Address the Tier 2 and 3 analyses including the Configuration Risk Management Program (CRMP) insights which confirm that these insights are incorporated into the decision making process before taking equipment out of service. Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing, were also involved. Application-specific contributors are fully discussed in Section 4.3.4.8 via examination of resulting cutsets and delete-term cutsets. The important contributors to the delta-risk metrics were identified as increases due to a few specific initiating events that are more impacted by the potentially increased unavailabilities. The overall increases were well below the regulatory thresholds, so no additional requirements are identified from the plant-specific evaluations. In support of Tier 2 limitations, Westinghouse performed an evaluation of equipment according to its contribution to plant risk while the equipment covered by the proposed Completion Time changes is out of service for test or maintenance. This evaluation was documented in the response to WCAP-14333 RAI Question 18 in Westinghouse letter OG-96-110 [Reference 37]. The evaluation concluded that the risk significant systems do not change for the configurations with an analog channel, master relay or slave relay out of service, with respect to the base case (no test or maintenance activities in progress). A relatively significant change in the ordering of risk significant systems occurs only when the logic cabinet is out of service for test or maintenance activities. The response to WCAP-14333 RAI Question 11 in Reference 37 documented ICCDP values for the various test and maintenance configurations that the plant may enter for the subject CT extensions. The same conclusion is drawn from the information presented in the response to RAI Question 11, i.e., the only configuration that significantly impacts core damage frequency is that with a logic train inoperable. Therefore, Tier 2 limitations are appropriate only when a logic train is inoperable. There are no Tier 2 limitations when a slave relay, master relay, or analog channel is inoperable. Consistent with the SE requirements to include Tier 2 insights into the decision making process before taking equipment out of service, restrictions on concurrent removal of certain equipment when a logic cabinet is unavailable will be established. These restrictions do not apply when a logic train is being tested under the 4-hour bypass of TS Table 3.3-1, Action 10, TS Table 3.3-3, Action 13, or TS Table 3.3-3 Action 20. Entry into these Actions is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since these TS Actions are typically entered due to equipment failure, it follows that some of the following Tier 2 restrictions may not be met at the time of TS Action entry. If this situation were to occur during the extended 24-hour CT, the Tier 3 CRMP will assess the emergent condition and direct activities to restore the inoperable logic train and exit the TS Action or fully implement the Tier 2 restrictions. Upon NRC approval, and before implementing the amendment, PSEG will establish administrative controls to implement the following restrictions during the mode of applicability for the specified equipment: 15

LR-N17-0135 LAR S17-05 To preserve ATWS mitigation capability, activities that degrade the ability of the AFW system, reactor coolant system (RCS) pressure relief systems (pressurizer power operated relief valves (PORVS) and safety valves), ATWS mitigating systems actuation circuitry (AMSAC), or turbine trip should not be scheduled when a logic train is inoperable. To preserve loss-of-coolant accident (LOCA) mitigation capability, one complete emergency core cooling system (ECCS) train that can be actuated automatically must be maintained when a logic train is inoperable. To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train to be unavailable and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable. Activities in electrical systems (e.g., AC and DC power) and cooling systems (e.g., service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available. Tier 3 analysis is addressed in Section 4.3.7. 4.2.2 WCAP-15376 NRC approval of WCAP-14333 was subject to the following conditions requiring plant-specific information: WCAP-15376 is applicable to Salems SSPS, Master Relays, 7100 Analog channels and Reactor Trip Breakers. 4.2.2.1 WCAP-15376 Condition 1 A licensee is expected to confirm the applicability of the topical report to their plant, and to perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes. Similarly as for WCAP-14333, the implementation guidelines for WCAP-15376 were used to show that the analysis, results, and conclusions in WCAP-15376 are applicable to Salem. Licensees that implement WCAP-15376-P-A, Revision 1 need to address the safety evaluation report (SER) Conditions and Limitations, which requires demonstrating the applicability of the generic analysis performed to support the changes on a plant specific basis. The Implementation Guideline for WCAP-15376-P-A, Revision 1, contains the suggested approach for addressing each of the SER Conditions and Limitations, and a commitment made in an RAI response. This Condition is addressed in two parts. The first part confirms the applicability of the topical report to Salem and the second part addresses the containment failure assessment. 16

LR-N17-0135 LAR S17-05 Confirm Applicability: Two key areas need to be addressed to confirm the applicability of the WCAP results to a plant. These are 1) the applicability of the WCAP-15376 analysis and 2) the applicability of the component failure probabilities.

1. Applicability of the WCAP-15376 Analysis: To demonstrate the applicability of the WCAP-15376 analysis, a comparison between the key generic analysis parameters and assumptions, and plant specific parameters and design is necessary. Tables 4-4 through 4-6 provide a list of the key analysis parameters and assumptions along with the input used in the generic analysis to show that the analysis is applicable. The information is related to plant specific signals that are available to actuate reactor trip and engineered safety features, and test and maintenance information for the components of the reactor protection system. Information is also provided on the plants current calculated core damage frequency (CDF), large early release frequency (LERF),

and the contribution to CDF from ATWS events. The current plant CDF and LERF values are used to show that these values meet the Regulatory Guide 1.174 [Reference 8] criteria for determining that small increases in CDF and LERF are acceptable. The ATWS contribution to CDF is necessary to understand the importance of the ATWS event to the plants risk, since the proposed changes can impact reactor trip signal availability. The comparisons in Tables 4-4 through 4-6 between the key generic analysis parameters and assumptions, and plant specific parameters and design demonstrate the applicability of the WCAP-15376 analysis to Salem.

2. Applicability of the Component Failure Probabilities: It is necessary to indicate that component failure probabilities developed as part of WCAP-15376 are applicable to Salem. For SSPS plants this includes the master relay and safeguards driver card failure probabilities. The failure probabilities for these components are provided on Table 8.6 of the WCAP. The data that was used to develop these failure rates is provided on Tables 8.2, 8.3, and 8.4 of the WCAP. One approach for demonstrating the applicability of the failure probabilities is to collect plant specific data on the components and show that the number of failures experienced for the number of tests/actuations that have occurred would be expected. This can be done by engineering judgement, or by analysis based on binomial distribution analysis. Note that the plants that provided component failure data in support of the WCAP analysis as identified in Tables 8.2, 8.3, and 8.4, can use this information to address this Condition.

To confirm applicability of the WCAP component failure data to Salem, a review of the recent failure data was performed to identify any master relay and safeguards driver failure events that would invalidate the applicability of the WCAP. A recent search of both units covering six years (1/1/2007-8/15/2013, which covers a similar range as is typically covered by the PRA plant-specific data) revealed a total of seven issues that were identified during the performance of the SSPS Functional Surveillance. Six of the issues are related to erratic test switch or circuit card connector operation, and one test failure due to a bypass trip breaker auxiliary contact high resistance value. This search also revealed a total of 18 issues not associated with the SSPS Functional Surveillance. One issue was related to a cold solder joint and one involved shorting of two termi-points together likely due to a loose wire or metallic debris. Two instances were related to the opening of a SSPS input bay fuse, and three were caused by a power supply failures. Five of the issues were related to a delay relay out of specification, four were 17

LR-N17-0135 LAR S17-05 associated with erratic switch operation, one was due to erratic relay operation, and the last was due to a power supply load sharing value out of specification. None of these issues are directly related to master relay or safeguards failures. Therefore the WCAP-15376 analysis is considered applicable with regard to the plant-specific data on master relays and safeguards driver failure events. Containment Failure Assessment: Containment failure modes typically considered in PRA include containment isolation failure; containment bypasses from interfacing system loss of coolant accident (ISLOCA), steam generator tube rupture (SGTR), and steam generator (SG) tube creep rupture; and containment failure from steam explosion, hydrogen burns, direct containment heating, and containment steam over-pressurization. The significant contributors to LERF for large dry containment and sub-atmospheric designs are typically containment isolation failure and containment bypasses. The LERF analysis completed to support this program was based on a large dry containment with LERF contributions from containment isolation failure, and containment bypasses from ISLOCA and SGTR events, excluding SG tube creep rupture. Most large dry and sub-atmospheric containment plants (including Salem) should be consistent with the LERF analysis, therefore, the WCAP results should be applicable to these plants. Note that SG tube creep rupture is generally a small contributor to LERF, therefore, the signal unavailability changes will only have a small impact on LERF related to this contributor. Plants that have not addressed their PRA peer review findings with respect to containment issues may not be consistent with this LERF analysis. For these plants, it is recommended that the PRA peer review findings related to LERF contributors be considered when demonstrating consistency with the LERF analysis and the applicability of WCAP-15376. Salem has a large dry containment design and has performed a PRA technical adequacy review in Section 4.3.1.3. The technical adequacy review confirms that the Salem Level 2 analysis is technically adequate to support this application, and that WCAP-15376 is applicable to Salem. 18

LR-N17-0135 LAR S17-05 TABLE 4-4 WCAP-15376 IMPLEMENTATION GUIDELINES: APPLICABILITY OF THE ANALYSIS GENERAL PARAMETERS Parameter WCAP-15376 Analysis Assumption (Plant) Specific Parameter Logic Cabinet Type1 (SSPS or Relay) SSPS Component Bypass Test Time2 Analog channels 12 hours 4 hours Logic cabinets (SSPS or Relay Protection System) (4 hours for SSPS or 8 hours for Relay Protection System) 4 hours Master Relay (SSPS or Relay Protection System) (4 hours for SSPS or 8 hours for Relay Protection System) 4 hours Reactor trip breakers 2 hours 2 hours Component Test Interval3 Reactor trip breakers 2 months 6 or 18 months* Typical At-Power Maintenance Intervals4 Reactor trip breakers 12 months equal to or greater than** Plant procedures are in place for the following operator actions5 Reactor trip from the main control board switches Credited Yes Reactor trip by interrupting power to the motor-generator sets Credited Yes Insertion of the control rods via the rod control system Credited Yes Safety injection actuation from the main control board switches Credited Yes Safety injection by actuation of individual components Credited Yes Auxiliary feedwater pump start Credited Yes AMSAC6 Credited for AFW pump start Yes Total Transient Event Frequency7 3.6 0.9/yr ATWS Contribution to CDF (current PRA model)8 1.06E-06/yr 2.7E-07/yr Total CDF from Internal Events (current PRA model)9 8.4E-06/yr Total LERF from Internal Events (current PRA model) 9 4.7E-07/yr

  • The RTBs are under two different frequency controls (at 6 months and 18 months) for different parts of the channel functional test. The 6 month controls are related to verifying operability of the undervoltage and shunt trip mechanisms and to verify the function of a local pushbutton to manually trip at the breaker location. The 18 month controls are related to testing the breaker on an SSPS signal.
    • No at-power maintenance is scheduled on these components 19

LR-N17-0135 LAR S17-05 Notes for Table 4-4:

1. Indicate type of logic cabinet; SSPS or Relay (both are included in WCAP-15376).
2. Fill in the current Tech Spec bypass test times. If the current Tech Spec bypass test times are equal to or less than those used in WCAP-15376, the analysis is applicable to your plant.
3. Fill in the current Tech Spec test interval. If the current Tech Spec test interval is equal to or greater than that used in WCAP-15376, the analysis is applicable to your plant.
4. Fill in the typical maintenance intervals or fill in equal to or greater than or less than. If the maintenance intervals are equal to or greater than those used in WCAP-15376, the analysis is applicable to your plant.
5. Indicate if plant procedures are in place to perform these actions. If plant procedures are in place, the WCAP-15376 analysis is applicable to your plant.
6. Indicate if AMSAC will initiate AFW pump start. If AMSAC will initiate AFW pump start, then the WCAP-15376 analysis is applicable to your plant.
7. Include the total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to CDF. Do not include events initiated by a reactor trip. If the plant specific value is less than the WCAP-15376 value, then this analysis is applicable to your plant.
8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events).

This is required to determine if the ATWS event is a large contributor to CDF.

9. Fill in the total CDF and LERF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRCs risk-informed CDF and LERF acceptance guidelines in Regulatory Guide 1.174.

20

LR-N17-0135 LAR S17-05 TABLE 4-5 WCAP-15376 IMPLEMENTATION GUIDELINES: APPLICABILITY OF ANALYSIS REACTOR TRIP ACTUATION SIGNALS Event WCAP-15376 Analysis Assumption (Plant) Specific Parameter1 Large LOCA Not Required Agree Medium LOCA Not Required Agree Small LOCA Nondiverse2 w/OA3 Agree Steam Generator Tube Rupture Nondiverse w/OA Agree Interfacing System LOCA Not Required Agree Reactor Vessel Rupture Not Required Agree Secondary Side Breaks Nondiverse w/OA Agree Transient Events, such as: - Positive Reactivity Insertion - Loss of Reactor Coolant Flow - Total or Partial Loss of Main Feedwater - Loss of Condenser - Turbine Trip - Loss of DC Bus - Loss of Vital AC Bus - Loss of Instrument Air - Spurious Safety Injection - Inadvertent Opening of a Steam Valve Diverse4 w/OA Agree Reactor Trip Generated by RPS Agree Loss of Offsite Power Not Required by RPS Agree Station Blackout Not Required by RPS Agree Loss of Service Water or Component Cooling Water Nondiverse w/OA Agree Notes for Table 4-5:

1. Fill in agree if your plant design and operation is consistent with this analysis, that is, the noted reactor trip signals at a minimum, are available. If not, explain the difference. If agree is listed for each event, then the WCAP-15376 analysis is applicable to your plant.
2. Nondiverse means that (at least) one signal will be generated to initiate a reactor trip for the event.
3. OA indicates that an operator could take action to initiate a reactor trip for the event, that is, there is sufficient time for operator action and procedures are in place that will instruct the operator to take action.
4. Diverse means that (at least) two signals will be generated to initiate a reactor trip for the event.

21

LR-N17-0135 LAR S17-05 TABLE 4-6 WCAP-15376 IMPLEMENTATION GUIDELINES: APPLICABILITY OF ANALYSIS ENGINEERED SAFETY FEATURES ACTUATION SIGNALS Safety Function Event WCAP-15376 Analysis Assumption (Plant) Specific Parameter1 Safety Injection Large LOCA Nondiverse2 Agree Medium LOCA Nondiverse, OA3 by SI switch on main control board Agree Small LOCA Nondiverse, OA by SI switch on main control board, OA of individual components Agree Interfacing Systems LOCA Nondiverse, OA by SI switch on main control board, OA of individual components Agree SG Tube Rupture Nondiverse, OA by SI switch on main control board, OA of individual components Agree Secondary Side Breaks Nondiverse, OA by SI switch on main control board, OA of individual components Agree Auxiliary Feedwater Pump Start Events generating SI signal Transient events Pump actuation on SI signal Nondiverse, AMSAC, operator action Agree Main Feedwater Isolation Secondary Side Breaks Nondiverse Agree Steamline Isolation Secondary Side Breaks Nondiverse Agree Containment Spray Actuation All events Nondiverse Agree Containment Isolation All events From SI signal Agree Containment Cooling All events From SI signal Agree Notes for Table 4-6:

1. Fill in agree if your plant design and operation is consistent with this analysis, that is, the noted engineered safety features actuation signals at a minimum, are available. If not, explain the difference. If agree is listed for each event, then the WCAP-15376 analysis is applicable to your plant.
2. Nondiverse means that (at least) one signal will be generated to initiate the safety function noted for the event.
3. OA indicates that an operator could take action to initiate the safety function for the event, that is, there is sufficient time for operator action and procedures are in place that will instruct the operator to take action.

22

LR-N17-0135 LAR S17-05 4.2.2.2 WCAP-15376 SE Condition 2 Address the Tier 2 and Tier 3 analyses including risk significant configuration insights and confirm that these insights are incorporated into the plant-specific configuration risk management program. Application-specific contributors are fully discussed in Section 4.3.4.8 via examination of resulting cutsets and delete-term cutsets. The important contributors to the delta-risk metrics were identified as increases due to a few specific initiating events that are more impacted by the potentially increased unavailabilities. The overall increases were well below the regulatory thresholds so no additional requirements are identified from the plant-specific evaluations. Therefore, based on WCAP-15376, analyses by other similar plants, and these plant-specific evaluations, the following Tier 2 requirements are recommended. Tier 2 Requirements: Recommended Tier 2 requirements, or restrictions, are provided in Section 8.5 of the WCAP. These restrictions do not apply when a RTB train is being tested under the 4-hour bypass for proposed TS Table 3.3-1, Action 1. Entry into this TS Action is not a typical, pre-planned evolution during power operation, other than for surveillance testing. Since this Action may be entered due to equipment failure, some of the Tier 2 restrictions described below may not be met at the time of TS Action entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the Tier 3 configuration risk management program requires assessment of the emergent condition and appropriate actions are then taken. Depending on the specific situation, these actions could include restoring the inoperable RTB train and exiting the TS Action, or fully implementing the Tier 2 restrictions. Upon NRC approval, and before implementing the amendment, PSEG will establish administrative controls to implement the following Tier 2 restrictions will be implemented when an RTB train becomes inoperable when operating under the proposed allowed outage times: The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief, auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to alternate ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is out of service. Due to the increased dependence on the available reactor trip train when one logic cabinet is removed from service, activities that degrade other components of the RPS, including master relays or slave relays and activities that cause analog channels to be unavailable should not be scheduled when a logic cabinet is unavailable. Activities on electrical systems (e.g., AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is unavailable. Tier 3 analysis is addressed in Section 4.3.7. 23

LR-N17-0135 LAR S17-05 4.2.2.3 WCAP-15376 SE Condition 3 The risk impact of concurrent testing of one logic cabinet and associated reactor trip breaker needs to be evaluated on a plant-specific basis to ensure conformance with the WCAP-15376-P, evaluation, and RGs 1.174 and 1.177. The response to NRC RAI 4 [Reference 9] provided the incremental conditional core damage probability (ICCDP) for this configuration (both the logic cabinet and associated RTB out of service) for preventive maintenance for a total time of 30 hours, which is comprised of a Completion Time of 24 hours, plus 6 hours to reach Mode 3. The ICCDP for a duration of 30 hours in this configuration is 3.2E-07, which meets the Regulatory Guide 1.177 [Reference 10] acceptance guideline of 5E-07. Since this ICCDP value is based on the logic cabinet and RTB being out of service for 30 hours at the same time, bypassing one logic cabinet and associated RTB for 4 hours for testing will also meet the Regulatory Guide 1.177 ICCDP guideline. Condition 3 is addressed by demonstrating that the WCAP-15376 analysis is applicable to Salem. This shows that the generic analysis covers the Salem plant and the generic risk measures calculated are a good representation of Salem. Demonstrating the applicability of the WCAP-15376 analysis is discussed in detail in Condition 1. 4.2.2.4 WCAP-15376 SE Condition 4 To ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P, Revision 0 should be confirmed to be applicable to the plant-specific configuration. Table 4-7 lists the operator actions credited in the WCAP-15376 analysis, and indicates if the operators have sufficient time to perform these actions, and if plant procedures are in place that will direct the operators to take these actions. This table shows that the WCAP-15376 analysis is applicable to the plant in this regard. 24

LR-N17-0135 LAR S17-05 TABLE 4-7 WCAP-15367 IMPLEMENTATION GUIDELINES: APPLICABILITY OF HUMAN RELIABILITY ANALYSIS Operator Action Is Sufficient Time Available for the Operators to Take the Action?1 Are Plant Procedures in Place for the Action?1 Reactor trip from the main control board switches Yes Yes Reactor trip by interrupting power to the motor-generator sets Yes Yes Insertion of the control rods via the rod control system Yes Yes Safety injection actuation from the main control board switches Yes Yes Safety injection by actuation of individual components Yes Yes Auxiliary feedwater pump start Yes Yes Note for Table 4-7:

1. Fill in yes or no. If yes is filled in for both questions, then the analysis is applicable to your plant with respect to that operator action.

25

LR-N17-0135 LAR S17-05 4.2.2.5 WCAP-15376 SE Condition 5 For future digital upgrades with increased scope, integration and architectural differences beyond that of Eagle 21, the staff finds the generic applicability of WCAP-15376-P, Revision 0 to future digital systems not clear and should be considered on a plant-specific basis. This Condition does not apply to Salem. 4.2.2.6 WCAP-15376 RAI Question 18 Plant specific RTS and ESFAS setpoint uncertainty calculations and assumptions, including instrument drift, will be reviewed to determine the impact of extending the Surveillance Frequency of the Channel Operational Test (COT) from 92 days to 184 days. The response to NRC RAI 18 requires plant specific RTS and ESFAS setpoint uncertainty calculations and assumptions to be reviewed, to determine the impact of extending the Surveillance Frequency of the Channel Operational Test (COT) from 92 days to 184 days. However, this license amendment request does not include surveillance frequency extensions, so discussion of this additional commitment is not necessary. 4.2.3 Plant Specific Evaluations for Functions not Evaluated Generically This section provides justification for the Technical Specification changes proposed that were not included in the generic analyses approved in WCAP-10271 (as supplemented), WCAP-14333, or WCAP-15376. The following Salem specific instrument functions that were not evaluated generically in WCAP-10271 (as supplemented) were evaluated for Salem in order to apply the Technical Specification relaxations justified in WCAP-10271, as supplemented, WCAP-14333, or WCAP-15376: TS Table 3.3-1, RTS Function 20, Reactor Coolant Pump Breaker Position Trip (above P-7). TS Table 3.3-3, ESFAS Function 3.c.2, Containment Ventilation Isolation, Automatic Actuation Logic. TS Table 3.3-3, ESFAS Function 6, Safeguards Equipment Control System (SEC) TS Table 3.3-3, ESFAS Function 7.a, Undervoltage, Vital Bus, Loss of Voltage. TS Table 3.3-3, ESFAS Function 7.b, Undervoltage, Vital Bus, Sustained Degraded Voltage. TS Table 3.3-3, ESFAS Function 9.a, Semiautomatic Transfer to Recirculation, RWST Level Low. TS Table 3.3-3, ESFAS Function 9.b, Semiautomatic Transfer to Recirculation, Automatic Actuation Logic. Several licensees completed plant-specific evaluations to demonstrate that the changes in WCAP-10271 and its supplements were applicable to functions not generically evaluated. The analyses performed in WCAP-14333 and WCAP-15376 covered representative RTS and ESFAS functions, a subset of the comprehensive set of functions included in WCAP-10271 and its supplements. Therefore, the changes approved in WCAP-14333 and WCAP-15376 are also applicable to those plant-specific functions with NRC-approved evaluations performed that demonstrate the applicability of the changes in WCAP-10271 and its supplements. As discussed in Section 11.0 of both WCAP-14333 and WCAP-15376, as well as in NRC-approved 26

LR-N17-0135 LAR S17-05 travelers TSTF-411, Revision 1 and TSTF-418 Revision 2, additional plant-specific evaluations are not required to implement the changes in WCAP-14333 and WCAP-15376, if they have been previously justified for the changes in WCAP-10271 and its supplements. The applicability of the changes justified in WCAP-10271 and it supplements to current Salem RTS Function 20, Reactor Coolant Pump Breaker Position was approved by the NRC in License Amendments 142 and 121 for Salem Units 1 and 2 respectively. These amendments extended the allowed outage time for Salem TS Table 3.3-1, RTS Function 20 from one hour to six hours. The acceptability of the proposed changes for this function was evaluated qualitatively as described in Section 4.3.4.2. The applicability of the changes justified in WCAP-10271 and it supplements to the following list of Functions was approved by the NRC in License Amendments 142 and 121 for Salem Units 1 and 2 respectively. TS Table 3.3-3, ESFAS Function 3.c.2, Containment Ventilation Isolation, Automatic Actuation Logic allowed outage time extension to six hours and test bypass extension to 4 hours. TS Table 3.3-3, ESFAS Function 6, Safeguards Equipment Control System (SEC) allowed outage time extension to six hours and test bypass extension to four hours. TS Table 3.3-3, ESFAS Function 9.a, Semiautomatic Transfer to Recirculation, RWST Level Low allowed outage time extension to six hours and test bypass time extension to four hours. TS Table 3.3-3, ESFAS Function 9.b, Semiautomatic Transfer to Recirculation, Automatic Isolation Logic allowed outage time extension to six hours and test bypass extension to 4 hours. The acceptability of the proposed changes for the above functions was evaluated quantitatively using an application specific model as discussed in Sections 4.3.1.5 and 4.3.4. The acceptability of extending the allowed outage time for TS Table 3.3-3, ESFAS Functions 7.a, Undervoltage, Vital Bus, Loss of Voltage, and 7.b, Undervoltage, Vital Bus, Sustained Degraded Voltage, from one hour to 72 hours was evaluated quantitatively using an application specific model as discussed in Sections 4.3.1.5 and 4.3.4. 4.3 Risk Assessment This section summarizes the following with respect to the Salem PRA and its technical adequacy: PRA Quality External Events Considerations Technical Adequacy Summary Tier 1 Risk Assessment Uncertainty Discussion Summary and Conclusion 27

LR-N17-0135 LAR S17-05 4.3.1 PRA Quality The SA115A version of the Salem PRA model is the most recent evaluation of the risk profile at Salem for internal event challenges. The Salem PRA modeling is highly detailed, including a wide variety of initiating events, modeled systems, operator actions, and common cause events. The PRA model quantification process used for the Salem PRA is based on the event tree and linked fault tree methodology, which is a well-known methodology in the industry. PSEG employs a multi-faceted approach to establishing and maintaining the technical adequacy and plant fidelity of the PRA models for all PSEG nuclear generation. This approach includes a proceduralized PRA maintenance and update process, which include consideration of peer review Findings and Observations (F&Os) and their subsequent resolution. PRA quality is assured for the Salem PRA model and documentation through a combination of the following: Confirmation of the fidelity of the model with the as-built, as-operated plant (see Section 4.3.1.1) Use of methods and approaches consistent with the ASME PRA Standard Use of an Updating Requirement Evaluation (URE) database to track PRA model issues and potential enhancements (see Section 4.3.1.4) Use of a PRA Peer Review (see Section 4.3.1.3) to identify areas for enhancement Use of highly qualified PRA practitioners qualified under the PSEG PRA Risk Management Program Use of internal reviews and interviews with system engineers and operating crew members 4.3.1.1 PRA Maintenance and Update The PSEG risk management process ensures that the applicable PRA model remains an accurate reflection of the as-built and as-operated plants. This process is defined in the PSEG Risk Management program, which consists of a governing procedure (ER-AA-600, "Risk Management") and subordinate implementation procedures. PSEG procedure ER-AA-600-1015 [Reference 11], "FPIE PRA Model Update" delineates the responsibilities and guidelines for updating the full power internal events PRA models at PSEG nuclear generation sites. The overall PSEG Risk Management program, including ER-AA-600-1015, defines the process for implementing regularly scheduled and interim PRA model updates, for tracking issues identified as potentially affecting the PRA models (e.g., due to changes in the plant, errors or limitations identified in the model, industry operating experience), and for controlling the model and associated computer files. To ensure that the current PRA model remains an accurate reflection of the as-built, as-operated plant, the Site Risk Management Engineer (SRME) reviews plant design modifications and any changes to plant procedures or calculations referenced in the PRA that could affect the risk profile and identifies any that need to be evaluated for consideration in future PRA updates per ER-AA-600-1015. No new plant modifications or revision to plant procedures and calculations referenced in the PRA have been identified since the creation of the SA115A PRA model that would warrant an interim PRA update or that would affect the outcome of this PRA analysis for the ESFAS/RTS AOT extension. 28

LR-N17-0135 LAR S17-05 In addition to these activities, PSEG risk management procedures provide the guidance for particular risk management and PRA quality and maintenance activities. This guidance includes: Documentation of the PRA model, PRA products, and bases documents The approach for controlling electronic storage of Risk Management (RM) products including PRA update information, PRA models, and PRA applications Guidelines for updating the full power, internal events PRA models Guidance in the use of quantitative and qualitative risk assessments in support of the on-line work control process for risk evaluations of maintenance tasks (corrective maintenance, preventive maintenance, minor maintenance, surveillance tests and modifications) on systems, structures, and components (SSCs) within the scope of the Maintenance Rule (10 CFR 50.65 (a)(4)) In accordance with this guidance, regularly scheduled PRA model updates occur approximately every three years, with longer intervals being justified if it can be shown that the PRA continues to adequately represent the as-built, as-operated plant. PSEG completed the SA115A PRA model in December 2016, which was the result of a regularly scheduled update of the PRA model. 4.3.1.2 Pending Changes Identified Against the PRA Model A PRA tracking database record is created for all issues that are identified that could impact the PRA model. This database, the Updating Requirement Evaluation (URE) database includes the identification of those plant changes that could impact the PRA model. The plant modifications, procedure changes, and other PRA model issues identified in the URE database have been reviewed as part of the preparation of the risk assessment for the ESFAS/RTS instrumentation AOT extension request. None have been identified that would significantly affect the SA115A PRA model or its quantification. See Section 4.3.1.4 for more information regarding the URE database review. 4.3.1.3 Applicability of Peer Review Findings and Observations A PRA Peer Review of the Salem Revision 4.1 PRA model was performed during November 2008. The peer review was performed against the ASME PRA Standard [Reference 12] using the process defined in Nuclear Energy Institute (NEI) 05-04 [Reference 13]. The PRA Peer Review resulted in a number of Findings and Observations (F&Os) that indicated that there were a number of supporting requirements (SRs) that were categorized as Not Met for Capability Category II. Since then, several subsequent model revisions were performed to address these F&Os. A summary of the disposition of the 2008 Industry PRA Peer Review facts and observations (F&Os) for the Salem PRA model was documented as part of the PRA Technical Adequacy for MSPI in the Salem Mitigating System Performance Index (MSPI) Basis Document [Reference 14]. Additionally, many of the F&Os not related to MSPI were also addressed as part of the PRA model update for both the SA112A and SA115A PRA models. This is documented in Appendix G of the PRA model Quantification Notebook [Reference 15]. Tables 4-8 through 4-17 summarize each of the F&Os identified during the peer review that was performed in November 2008 and reported in Reference 16 with a brief summary of the 29

LR-N17-0135 LAR S17-05 resolution for each. All changes made during the SA112A model update have been carried through to the SA115A model unless modified by later required changes. A listing of those Supporting Requirements (SRs) that were revised between the 2005 [Reference 12] and the 2009 [Reference 17] versions of the ASME PRA Standard (as endorsed by RG 1.200) with a description of the change and associated comments is provided in Table 4-18. In addition, a gap assessment was also performed against the NRC clarifications and qualifications in Appendix A of RG 1.200 Revision 2 [Reference 18] with regard to the ASME Standard [Reference 17] and the comments are tabulated in Table 4-19. This assessment evaluates changes in the clarifications and comments between Revision 1 and Revision 2 of RG 1.200 since those in Revision 1 are already covered by the peer review, which used Revision 1. Since the peer review already includes the RG 1.200 Revision 1 clarifications and qualifications when assessing the technical adequacy of the model, no additional tabulation is needed for those. Subsequent to the November 2008 peer review [Reference 16], the SA115A PRA model addressed and resolved those SRs not meeting Capability Category II. Based on the PRA Peer Review process and the updated PRA model (SA115A), the Salem PRA model is deemed satisfactory for use in PRA applications. 30

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-A1 IE-A1 SR Not Met IE-A1-01 The plant-specific search only addresses supporting systems. The listing is not encompassing of possible plant-specific initiators found at other plants such as a loss of charging (impact on RCP seal cooling). Loss of charging would lead to a reactor trip and would decrease redundancy for RCP seal cooling. Table 2-2 in the IE notebook (SA-PRA-001), which was revised during the 2012 PRA model update, lists the basis for this event not being a unique plant trip initiator. For the case in which the charging system is lost, this leads to a slowly developing transient that can be easily accommodated with high reliability using plant response procedures to avoid an unnecessary plant transient event. Based on reviews of potential missing initiating events, it was concluded that no initiating events were missing and therefore the intent of this SR is met. IE-A2 IE-A2 SR Met Consideration of some initiating events may be required based on shutdown requirement. N/A IE-A3 IE-A3 SR Not Met IE-A3-001, IE-A3-002 The plant-specific history indicates that on 12/31/01 an event occurred resulting in SI. The categorization of initiating events does not account for this or the case of ESFAS actuation. Spurious SI was added to the SA112A model as initiating event Tsi. No further action required. IE-A4 IE-A3a SR Not Met IE-A3-001 The available documentation lists that past PRAs are examined. However, there appears to be no documentation of this evaluation with consideration of plants of similar design. Section 2.1 of the initiating events notebook indicates that comparisons were made to industry data and to other plants. Additional information was added to the IE notebook (SA-PRA-001, rev. 3) at the end of Section 2 to compare initiators from Watts Bar, South Texas Project, Surry, and Byron/Braidwood. No further action required. IE-A5 IE-A4 SR Met: (CC I) IE-A4-001 The analysis only addresses support systems and does not address the impact of other operating systems (such as charging) with regard to events resulting in a plant upset and subsequent trip signal. The observation associated with IE-A4 says, The analysis only addresses support systems and does not address the impact of other operating systems (such as charging) with regard to events resulting in a plant upset and subsequent trip signal. IE-A4 asks for a systematic review of plant systems to identify potential initiating events. A systematic review was performed in the IE notebook and documented in Table 2-2. Loss of charging was not included as a separate initiator based on screening criterion identified in the initiating events notebook. Also, see the response for SR IE-A1. No further action required. IE-A6 IE-A4a SR Not Met IE-A4-001 See supporting requirement IE-A4. Not all potential systems were addressed. N/A 31

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-A7 IE-A5 SR Not Met IE-A5-01 SA PRA Initiating Events Notebook, SA-PRA-001, Revision 0, Section 2.2.1 and 2.2.2 describe the review of Salem Generating Station Experience and Trip Review. No mention is made of consideration of events that occurred at conditions other than at-power operation. Appropriate evidence exists that LERs were reviewed for other than "at-power" conditions to determine whether or not a new initiator should be added that was not already incorporated into the PRA model. The LERs reviewed are documented in the initiating events notebook (SA-PRA-001 revision 2). No further action required. IE-A8 IE-A6 SR Met: (CC I) IA-A6-01 SA PRA Initiating Events Notebook, SA-PRA-001, Revision 0, Section 2.1.2 does not indicate that plant operations, maintenance, engineering, and safety analysis personnel were interviewed or included in the review process for the initiating events notebook to determine if potential initiating events have been overlooked. A Maintenance Rule Expert Panel meeting was held on 10/5/2012 to review the updated Initiating Events Notebook with plant personnel representing plant operations, maintenance, engineering and safety analysis in order to determine if potential initiating events had been overlooked. Some of the items discussed during the interview included:

  • Grassing events were appropriately binned as %Tp initiators
  • Loss of non-vital bus G needed to be added as a %Tt initiator
  • The plant shutdown in July 2011 that was related to the SJ10 cracked weld needed to be identified
  • The appropriateness of binning spurious SI trips with an existing initiator
  • Loss of a 4kV vital bus does not directly lead to a plant trip
  • Manual shutdowns should not be credited in the transient initiating event category Based on this review, it was concluded that no initiating events were missing and therefore the intent of this SR is met.

IE-A9 IE-A7 SR Met: (CC I) IE-A7-01 SA PRA Initiating Events Notebook, SA-PRA-001, Revision 0, Section 2.1.2 does not indicate that a review of plant-specific or industry operating experience was performed for the purpose of identifying initiating event precursors. A list of LERs was previously reviewed for the existence of any initiating event precursors. A statement was added to the IE notebook documenting that this review was previously performed. Since industry information was also reviewed in addition to plant-specific information, this SR could actually be considered as being met at Capability Category III. No further action required. IE-A8 This SR was deleted in RA-Sb-2005. N/A IE-A9 This SR was deleted in RA-Sb-2005. N/A 32

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-A10 IE-A10 SR Met SA PRA Initiating Events Notebook, SA-PRA-001, Revision 0, Section 2.1.3 describes the consideration of multi-unit site initiating events. Based on that analysis, dual unit initiating events for loss of service water, loss of control air, and loss of offsite power were included. N/A IE-B1 IE-B1 SR Met N/A IE-B2 IE-B2 SR Met A structured process was followed in the grouping of the initiating events. N/A IE-B3 IE-B3 SR Not Met IE-B3-001 The potential for SI actuation is placed in the general transient category with events such as reactor trip and considered to be no worse than the reactor trip. However, unmitigated SI events can challenge a PORV resulting in a consequential LOCA. These two events should not be grouped. Initiating events may be grouped reasonably in accordance with SR IE-B3 as long as the impacts are comparable to existing initiators and the grouping does not impact significant accident sequences. Spurious SI will generally be recovered (by resetting SI) and the event will be a transient. If SI is not reset prior to PORV operation, a logic change was added to the SA112A PRA model to transfer to the small LOCA event tree. See the Initiating Events Notebook for further details (SA-PRA-001). No further action required. IE-B4 IE-B4 SR Met Grouping of initiating events was performed. N/A IE-B5 IE-B5 SR Met SA PRA Initiating Events Notebook, SA-PRA-001, Revision 0, Section 2.1.3 describes the consideration of multi-unit site initiating events. Based on that analysis, dual unit initiating events for loss of service water, loss of control air, and loss of offsite power were included. There is no indication that these events were subsumed into other events. N/A 33

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-C1 IE-C1 SR Met IE-C1-01 Based on a review of Sections 3.0 of Salem SA-PRA-001, Revision 0, "Initiating Events", initiating event frequencies have been calculated using relevant generic and plant-specific data. Generic data is from NUREG/CR-5750 Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995. More recent industry sources of initiating event data such as from NUREG/CR-6928, "Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants," should be used. For initiators when plant-specific data is available, the initiating event frequency is calculation by Bayesian updating the industry prior with the plant-specific data. As part of updating initiating event frequencies, use of newer loss of offsite power (LOOP) data was incorporated into the CAFTA model database as part of the 2012 PRA update, including dual-unit LOOP events. See the Initiating Events Notebook for further details (SA-PRA-003). The normal PRA update process (ER-AA-600-1015) ensures that this activity is routinely performed. No further action required. IE-C2 IE-C1a SR Met The most recent applicable plant specific data has been used to quantify the initiating event frequencies, based on a review of Section 3.1 of Salem SA-PRA-001, Revision. 0, "Initiating Events." The plant-specific data is from 10/1/2000 to 12/31/2006. N/A IE-C3 IE-C1b SR Met IE-C1b-01 Section 3.3 of the Salem SA-PRA-001, Revision 0 notebook has a brief discussion of the special initiators developed using fault trees. It references the applicable system model notebooks along with the basic event for the initiator in the fault tree. For the loss of SW initiator, notebook SA-PRA-005.13, Revision 0 was reviewed for the modeling of the initiator. There was no description of the how the loss of SW initiator is modeled as an initiator. Also, there did not appear to be documentation of the recoveries credited in the initiator fault trees and whether the actions are justified for preventing the initiator. This SR is considered met but SR IE-D2 will be considered not met for documentation. Support system initiators that were developed using fault trees were identified in the Initiating Events Notebook (SA-PRA-001 revision 2 Section 3.5) with reference made to the applicable system notebook for model development and details. No further action required. IE-C4 IE-C2 SR Met Based on a review of Section 3.2 of the Salem SA-PRA-001, Revision 0 notebook, Bayesian updating has been performed appropriately and complies with this SR. N/A IE-C5 IE-C3 SR Not Met IE-C3-01 The initiators that are fault trees, loss of SW, loss of Capability Category, loss of control area ventilation, and others, do not appear to be based on reactor year. For example, under gate IE-TSW, basic event SWS-PIP-RP-TBHDR has a mission time of 8760 hours. This was implemented in the CAFTA PRA model SA112A.CAF with the event AVAIL-FACTOR set to the value of 0.925 as determined in the Initiating Events Notebook (SA-PRA-001). No further action required. 34

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-C6 IE-C4 SR Not Met IE-A1-01 Quantitative screening does not appear to be performed, based on a review of the Salem SA-PRA-001, Revision 0 notebook. Therefore, subsection a) and b) of this SR are considered met. However, subsection c) of this SR does not appear to be met as noted in the review for SR IE-A1, some events that require the plant to be shut down due to technical specifications were screened (e.g., loss of a 4KV bus). Based on discussions with plant personnel (see response to IE-A6-01), it was determined that loss of 4kV non-vital buses affect the balance of plant operations and lead to an eventual turbine trip, which is accounted for in the event frequency for turbine trip (%Tt). Loss of a 4kV vital bus can lead to unavailability of standby ECCS equipment, but it does not lead to an automatic plant trip. As such, this was not considered a possible transient event. This was documented in Table 2-2 of the Initiating Events Notebook (SA-PRA-001). Based on this review, it was concluded that no initiating events were missing and therefore the intent of this SR is met. IE-C7 IE-C5 SR N/A Time trend analysis is not required for a Capability Category II rating. N/A IE-C8 IE-C6 SR Met IE-C1b-01 Section 3.3 of the Salem SA-PRA-001 Revision 0 notebook provides some limited description of the initiators that are fault trees. Details of the modeling of the system fault tree are provided in the applicable system notebooks. Applicable systems-analysis requirements for fault-tree modeling appear to have been used. The initiating event modeling is performed to the same level of detail as the fault trees used for the modeling of post-initiator operation of mitigating systems and appears to be appropriate. The documentation of the development of the initiator fault trees could be enhanced. N/A IE-C9 IE-C7 SR Met Initiating events that rely upon fault tree modeling correctly produce failure frequencies rather than top event probabilities. N/A IE-C10 IE-C8 SR Met The logic under gates IE-TSW and IE-TCC were reviewed in fault tree SIR4.Caf. The fault tree models used to calculate initiating event frequencies appear to model all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. N/A 35

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-C11 IE-C9 SR Met The logic under gates IE-TSW and IE-TCC were reviewed in fault tree SIR4.Caf. A human reliability analysis was used to calculate the probability of failure of the operator actions credited under these gates as documented in Salem model notebook SA-PRA-004, Revision 0. N/A IE-C12 IE-C10 SR Met IE-C10-01 Tables 3-6 and 3-7 contain a comparison of the initiator frequencies used in the Salem model as compared with NUREG/CR-5750. However, there is no comparison with other sources.. Since many of the frequencies used in the Salem model use the same frequencies from NUREG/CR-5750, such as the LOCAs, the tables should be updated with a comparison with other similar plants. Tables 2-5, 2-6 and 2-7 in the Initiating Events Notebook (SA-PRA-001) provide event types, along with their descriptions, for the South Texas Project, Watts Bar Project and Surry Project, respectively. This data is given in order to provide the reader with other categorization schemes for similar plants to which the Salem plant may be compared. It was shown that these categorization schemes for initiating events are consistent with the Salem PRA model. Based on this updated comparison to other plants, it was concluded that the intent of this SR is met. F&O IE-C10-01 is a suggestion-level F&O. IE-C13 IE-C11 SR Met (CC I/II) Initiating event frequencies for rare events and extremely rare events are based on generic data. N/A IE-C14 IE-C12 SR Met (CC I/II) Section 3.5 of the Salem SA-PRA-001, Revision 0 notebook provides some description of the ISLOCA screening, quantification of the initiator frequency and the event tree development. The details of the ISLOCA analysis are contained in PLG Report Number PLG-0826, Containment Bypass Analysis. The analysis considers the requirements in this SR as appropriate. N/A IE-C15 IE-C13 SR Met Mean values and error factors are developed for the initiating event frequencies modeled as documented in Sections 3.2, 3.3 and 3.4 of the Salem SA-PRA-001, Revision 0. N/A 36

LR-N17-0135 LAR S17-05 TABLE 4-8 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INITIATING EVENTS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IE-D1 IE-D1 SR Met The initiating event analysis documentation is a logical format consistent with the major high level requirements for initiating event analysis. Improvements can be made to the notebook as noted by the F&Os in the other SRs. N/A IE-D2 IE-D2 SR Met The Salem initiating event notebook SA-PRA-001, Revision 0 provides good documentation of the identification, grouping, and evaluation of plant-specific data, screening and quantification of the frequencies. However, as noted in a number of the F&Os for HLR IE-A, B and C, the notebook lacks sufficient documentation for verifying the requirements of some SRs. N/A IE-D3 IE-D3 SR Not Met SC-C3-01, SC-C3-02 While assumptions are documented to some degree in the Salem SA-PRA-001, Revision 0 notebook, a systematic review/listing of assumptions and sources of uncertainty as defined by the Standard is not documented or referenced in the initiating events notebooks. This issue of uncertainty and key assumptions has been addressed with the creation of the PRA Uncertainty Notebook (SA-PRA-018) during the PRA model update that resulted in the PRA Model of Record SA112A. No further action required. 37

LR-N17-0135 LAR S17-05 TABLE 4-9 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR ACCIDENT SEQUENCE ANALYSIS RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION AS-A1 AS-A1 SR Met AS-A1-01 Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 describes the method used for development of the accident sequences and event trees covering all three required aspects. The graphical representation of the event trees is not included in the notebook, but is available through reference to the appropriate CAFTA event tree files. Event tree figures were included in the Accident Sequence - Event Tree (SA-PRA-002, revision 1) notebook as Appendix A. No further action required. AS-A2 AS-A2 SR Met Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 describes the method used for development of the accident sequences and event trees. Section 2.0 describes the key safety functions necessary to reach a safe, stable state and prevent core damage. N/A AS-A3 AS-A3 SR Met Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 describes the method used for development of the accident sequences and event trees. Sections 3 through 9 define systems that can be used to mitigate each modeled initiating event class. N/A AS-A4 AS-A4 SR Met Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 describes the method used for development of the accident sequences and event trees. Sections 3 through 9 describes the achievement of key safety functions for each initiating event. Operator actions are described in general terms. N/A AS-A5 AS-A5 SR Met IE-B3-01 Spurious SI is subsumed into the Turbine Trip initiating event and, therefore, into the General Transient event tree. However, the path through the EOPs would be different for the two events. Initiating events may be grouped reasonably in accordance with SR IE-B3 as long as the impacts are comparable to existing initiators and the grouping does not impact significant accident sequences. Spurious SI will generally be recovered (by resetting SI) and the event will be a transient. If SI is not reset prior to PORV operation, a logic change was added to the SA112A PRA model to transfer to the small LOCA event tree. See the Initiating Events Notebook for further details (SA-PRA-001). No further action required. AS-A6 AS-A6 SR Met Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 describes the accident sequences in accordance with the timing of the event to the extent practical. N/A 38

LR-N17-0135 LAR S17-05 TABLE 4-9 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR ACCIDENT SEQUENCE ANALYSIS RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION AS-A7 AS-A7 SR Met (CC I/II) AS-A7-01, AS-A7-02 Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 delineates the possible accident sequences for each modeled initiating event. However, some sequences are not explicitly modeled in the single-top fault tree (e.g., TT sequences S04 and S05 are combined into a single fault tree gate). No documentation was found to describe the basis of these combinations. In addition, SA-PRA-002, Revision 0, Section 3.3.4.5 states that the Te3 and Te4 event trees have sequences that were not modeled because they have "very low frequencies." No basis for this assessment was documented. The VS ISLOCA sequence with no piping failure is assumed to be terminated with operator isolation of the suction path using the pump suction isolation MOVs. However, isolation cannot be accomplished until primary pressure is reduced. The potential for flooding of adjacent areas by water lost through the RHR pump seals and/or RHR heat exchangers prior to isolation does not appear to have been evaluated. Sequence endstates that exhibit identical core damage characteristics were combined. The only reason that there are two different endstates identified is to distinguish between an isolated and non-isolated containment. A revision was made to the Accident Sequence Notebook (SA-PRA-002) to state that sequences were combined that exhibit identical core damage characteristics under a single gate in the fault tree logic for Level 1 sequences in order to conserve core damage numerical results. No further action required. 39

LR-N17-0135 LAR S17-05 TABLE 4-9 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR ACCIDENT SEQUENCE ANALYSIS RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION AS-A8 AS-A8 SR Met AS-A8-01 Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 and the associated CAFTA event trees define the end state of each sequence as success or core damage. However, the SBO sequences S08, S11, S14 and S17 are assumed to be successful based on offsite power recovery. Operator action to restore mitigating systems after power recovery is not addressed. In addition, given the fact that power recovery is only credible out to 4 hours, 20 hours of mitigating system operation and the potential failures of that equipment over a significant portion of the 24 hour mission time is not being addressed. This failure to address recovery of mitigating systems following power recovery does not ensure a safe, stable end state has been reached for some SBO sequences. There is also concern that the application of offsite power recovery is included twice in the modeling of the SBO event. Recovery is credited in the application of a diesel mission time of 6 hours and again through the application of offsite power recovery top event RBU. There is no "double-counting" of offsite power recovery being applied in the SA115A PRA model. The concept of a diesel-mission run time of 6.2 hours that was developed in Section 10.0 of the Data notebook was meant to estimate a "time-averaged" value for which the EDG would be required to run and supply AC power prior to recovery of an offsite power source. The RBU terms that are employed in the PRA model are not recovery terms but flags that are meant to delineate a particular set of circumstances during a particular accident sequence to allow the appropriate "recovery before uncovery" probability to be applied to the cutset in question. This is separate from the run time that was calculated in determining how long, on average, the EDG would be expected to run prior to recovery of offsite power, which was based on the worst set of conditions, i.e., weather-related causes. This approach is also consistent with other Westinghouse PWR PRA models. For the issue of mitigating systems that would be required to function following the possible recovery of offsite power, they are not explicitly modeled as being subject to "restart" failures due to the fact that system start failures are on the order of 1E-3. However, a sensitivity analysis was performed that estimated the frequency of LOOP events that result in successful recovery of offsite power, which was added to the initiating event frequency for transient events without PCS (%TP). The resultant CDF calculated with this adjusted %TP frequency resulted in a 0.5% increase in CDF and a 0.4% increase in LERF. Because of these small changes in CDF and LERF, there is no expected impact on MSPI results and the requisite change to PRA model logic for these additional sequences can be deferred until a future PRA update (see URE # 2015-028). For this URE, there is no further action required. AS-A9 AS-A9 SR Met: (CC II) Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 Section 2.0 indicates that success criteria was based on combination of generic, similar plant, and plant-specific sources. N/A 40

LR-N17-0135 LAR S17-05 TABLE 4-9 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR ACCIDENT SEQUENCE ANALYSIS RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION AS-A10 AS-A10 SR Met: (CC I) AS-A10-01 Systems and operator actions required to meet each key safety function are discussed in general terms in the Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 Sections 3 through 9. Operator actions and diverse systems to satisfy top events are included in the fault tree but are grouped under common top events in the accident sequence model (e.g., core decay heat removal includes AFS, operator action to depressurize, and condensate under a common top event). However, the modeling of offsite power recovery in the SBO event tree does not explicitly model the differences in recovery times or plant response associated with different RCP seal leakage rates. Instead, a single lumped recovery event is modeled. A weighted average analysis of the size of a RCP seal LOCA with various configurations of successful means of heat removal mitigation with offsite power non-recovery probabilities was performed and is consistent with other Westinghouse PWR models. This is described in Appendix C of SA-PRA-002 Revision 3. There is no further action required. AS-A11 AS-A11 SR Met AS-A11-01 Transfers between event trees are described in the Accident Sequences and Event Tree Development Notebook, SA-PRA-002, Revision 0 Sections 3 through 9. Transfer of certain sequences to other event trees is discussed for each event tree in the event tress construction section of the Accident Sequence - Event Tree notebook. No further action required. AS-B1 AS-B1 SR Met This requirement is met by Sections 3 and 9 of the Accident Sequence notebook. These sections identify the mitigating systems and how the accident progresses depending the equipment availability. The single-top fault tree model explicitly models initiator impacts on mitigating systems. N/A AS-B2 AS-B2 SR Met This requirement is met by Sections 3 and 9 of the Accident Sequence notebook. These sections identify the mitigating systems and how the accident progresses depending the equipment availability. N/A AS-B3 AS-B3 SR Met The environmental conditions are considered (Section 3.6) for recirculation. The clogging of the sumps is addressed in the system notebook. N/A AS-B4 AS-B4 SR N/A This model does not use the split fraction method. N/A AS-B5 AS-B5 SR Met This SR is geared towards other methodologies than CAFTA. The event trees and the fault trees are of sufficient detail to address intersystem dependencies and train level interfaces. In CAFTA these two requirements are done at the fault tree level. N/A 41

LR-N17-0135 LAR S17-05 TABLE 4-9 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR ACCIDENT SEQUENCE ANALYSIS RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION AS-B6 AS-B5a SR N/A This requirement is addressed in the system models. Therefore it will be address in the review of the System Notebook. N/A AS-B7 AS-B6 SR Not Met AS-A8-01 The SBO/LOOP, battery depletion, and room cooling are all addressed in the Accident Sequence notebook. However, the lumped treatment of offsite power recovery into both the diesel mission time calculation and the RBU recovery factor could overestimate the potential for recovery. See above response for SR AS-A8. In addition, SBO scenarios are relatively insignificant risk contributors within the context of this risk evaluation that supports the proposed ESFAS/RTB AOT extension. AS-C1 AS-C1 SR Met The accident sequences are analyzed in a manner that allows application, upgrades, and peer review to be accomplished in a timely. N/A AS-C2 AS-C2 SR Not Met AS-C2-01 The operator actions are not part of the event tree as required by this Supporting Requirement. The requirements of c, d and e are not met. The HRA and Level 2 notebooks now adequately address procedural guidance and important operator actions in sufficient detail to allow traceability of references used and description of how HEPs are being applied to their appropriate accident sequences. Since the Level 2 logic is explained in detail in Appendices A, B, and C of the Level 2 Notebook, it was not necessary to expand any of the event trees. The operator actions referred to in the above description are discussed in the Level 2 Notebook. At any event, there is no further action required. AS-C3 AS-C3 SR Not Met SC-C3-02 In Notice of Clarification to Revision 1 of Regulatory Guide 1.200, FRN July 27, 2007, Accession number: ML071170054, the NRC provided their clarification related to assumptions and sources of uncertainty. The NRC stated that Key assumptions and sources have meaning only within the scope of an application. For a base PRA, the plant needs to identify and characterize assumptions and sources of uncertainty. Characterization can be qualitative. ANO2 has documented the assumptions that they used for the accident sequence analyses. The uncertainty notebook is in draft form and therefore is not reviewable. The uncertainty portion of this requirement is not met. The assumption were in the notebook so this part of the requirement is met. A suggestion is that an assumption section be added to the notebook. This issue of uncertainty and key assumptions has been addressed with the creation of the PRA Uncertainty Notebook (SA-PRA-018) during the PRA model update that resulted in the PRA Model of Record SA112A. No further action required. 42

LR-N17-0135 LAR S17-05 TABLE 4-10 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SUCCESS CRITERIA RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

SUMMARY

OF RESOLUTION SC-A1 SC-A1 SR Not Met SC-A1-01 The ASME standard defines core damage as "uncovery and heatup of the reactor core to the point at which prolonged oxidation and severe fuel damage involving a large section of the core is anticipated." In the Salem PRA Success Criteria Notebook, SA-PRA-003, a "big picture" definition as described in the ASME PRA standard appears to missing. In the Salem PRA, core damage is defined as maintaining core temperature below 1200 degrees F which deals with heatup but not uncovery. The definition of core damage has been clarified as part of the 2012 PRA update and properly reflected in both the Success Criteria and Accident Sequence - Event Tree notebooks. No further action required. SC-A2 SC-A2 SR Not Met SC-A2-01 In the Salem PRA, core cooling was defined as successful if core exit temperatures do not exceed 1200 degrees F. This represents the temperature below which no core damage is expected to occur and the core exit thermocouple temperature at which the operators transfer to severe accident guidelines. The 1200 degrees F core temperature success criteria were interpreted to be the core hottest node temperature (TCRHOT) in MAAP. However, in the TH notebook a peak cladding temperature of 1800 degrees F was referenced. The MAAP code used 1800 degrees as TCRHOT. Also, there is no mention of core collapsed liquid level. This was a documentation issue that has since been resolved by revising the Level 1 Success Criteria Notebook (SA-PRA-003) to definitively state in Section 2.4 that core cooling is successful if the mass-averaged temperature of the hottest core node does not exceed 1800 deg. F. This is also consistent with the definition of core damage stated in Section 2.2.1 of the Thermal-Hydraulic MAAP PRA Notebook (SA-PRA-007) that references this same value of 1800 deg. F. No further action required. N/A SC-A3 This SR was deleted in RA-Sb-2005. N/A SC-A3 SC-A4 SR Met The success criteria for each of the key safety functions is specified in the success criteria notebook. N/A SC-A4 SC-A4a SR Met The only system that is shared is the VCA system. This system is identified as being shared and the common initiating event is discussed. N/A SC-A5 SC-A5 SR Met: (CC II/III) Accident sequences are terminated at 24 hours, except under two conditions:

1. The plant is brought to a condition where return to power operation is possible in less than 24 hours, or
2. Core damage or containment failure is predicted to occur within a few hours after the 24 hour limitation.

N/A SC-A6 SC-A6 SR Met Success criteria are based on plant-specific features, procedures and operation. N/A SC-B1 SC-B1 SR Met: (CC II) Plant-specific MAAP analyses have been performed to determine success criteria N/A 43

LR-N17-0135 LAR S17-05 TABLE 4-10 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SUCCESS CRITERIA RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

SUMMARY

OF RESOLUTION SC-B2 SC-B2 SR N/A Expert judgment is not used in the success criteria development. N/A SC-B3 SC-B3 SR Met T/H analyses are consistent with the initiating event groups and accident sequences. N/A SC-B4 SC-B4 SR Not Met SC-B4-01 The MAAP Thermal-Hydraulic Calculations Notebook (SA-PRA-007, Revision 1), Sections 1.2 and 1.3 provide a discussion of the codes available and the advantages associated with using MAAP, respectively. However, MAAP is used in establishing large LOCA success criteria, although the code is not suitable for analysis of this plant upset. A discussion of code limitations is not provided. Section 1.3 of the Success Criteria Notebook (SA-PRA-003) now discusses the limitations of the MAAP computer code. Relative to the Salem Generating Station, this means that the minimum systems required to mitigate a large break LOCA should be based on a source other than MAAP. In this case, the success criteria was defined using analyses related to the plants licensing basis. Other code limitations were listed in Table 1-2 of this notebook. Since this issue has been addressed through the use of the plants licensing basis, the issue associated with this SR has been adequately addressed. SC-B5 SC-B5 SR Not Met SC-B5-01 A check of the reasonableness and acceptability of the success criteria results is not documented. Table 2-1 of SA-PRA-003 provides a summary of the overall success criteria for the Salem Generating Station for In-Vessel Core Cooling, RCS Integrity, and Containment Integrity. Table 2-2 of the notebook shows the general success criteria for the Byron and Braidwood nuclear stations, which reveals that Salems success criteria is consistent with other Westinghouse plants. These comparisons confirm the reasonableness of the success criteria results, and meet the intent of this SR. SC-C1 SC-C1 SR Met SC-C1-01 The Level 1 Success Criteria Notebook (SA-PRA-003, Revision 0), MAAP4 Parameter File Notebook (SA-PRA-009, Revision 1), and MAAP Thermal-Hydraulic Calculations Notebook (SA-PRA-007, Revision 1) document the success criteria analyses. However, it would be helpful to provide a cross reference to the PRA Standard requirements to facilitate PRA applications, upgrades, and peer reviews. This issue has no impact on the quality of the PRA and was only meant to aid reviewers in identifying where each of the elements of the PRA Standard are being addressed. As such, this is only a documentation issue and may remain open for now. No further action required. SC-C2 SC-C2 SR Met The success criteria development process has been documented. N/A 44

LR-N17-0135 LAR S17-05 TABLE 4-10 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SUCCESS CRITERIA RA-Sa-2009 SR RA-Sb-2005 SR Capability Category Associated F&Os

SUMMARY

SUMMARY

OF RESOLUTION SC-C3 SC-C3 SR Not Met SC-C3-01, SC-C3-02 Assumptions are embedded in the documentation rather than captured in a specific section. Sources of uncertainty are addressed in a draft evaluation using guidance from draft EPRI report, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments." Each PRA System Notebook (SA-PRA-005.####) now has a section that lists assumptions that were made as part of the systems analysis. The Uncertainty Notebook (SA-PRA-018) was officially issued and includes a section on model uncertainty and references both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. The results of the Salem Uncertainty analysis clarify the importance of assumptions that were made during development of the Success Criteria Notebook (SA-PRA-003). As such, there is no further action required. 45

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-A1 SY-A1 SR Met The system models are consistent with similar PWR PRAs and address system responses found in the accident sequence response. N/A SY-A2 SY-A2 SR Met The system model documentation includes references to drawings, control logic, procedures and technical specifications. Training drawings are included in the documentation. N/A SY-A3 SY-A3 SR Met Based on documentation for the system notebooks information was reviewed. N/A SY-A4 SY-A4 SR Not Met SY-A4-01 The system notebooks do not provide any walkdown information. A walkdown document was made available to the peer review but has not been reviewed and formally released. Plant walkdowns for the systems modeled in the PRA were documented in Appendix C of each of the Salem PRA System Notebooks (SA-PRA-005.#### series). No further action required. SY-A5 SY-A5 SR Met Modeling addresses plant configurations necessary to support success criteria. N/A SY-A6 SY-A6 SR Not Met SY-A6-01 The system notebooks do not provide definitive explanation of boundary information and do not provide illustration of modeled components. The System Model Notebooks (SA-PRA-005.#### series) were revised to more clearly define system boundaries of modeled systems using one-line diagrams depicted in Section 2.3 of these notebooks. For example, for the Safety Injection (SI) system, the system boundary includes all of the components in the SI system whose failure could potentially prevent water from reaching the RCS, but the system boundaries do not branch into the other ECCS systems. Figure 2-1 in this system notebook shows a diagram of the SI system boundary, and various highlighted colors show the different modes of operation of SI. Not all of the components highlighted along the paths were modeled in the PRA. For example, many valves are not modeled because their failure does not prevent water from being injected into the core. Also see SY-A8. SY-A7 SY-A7 SR Met: (CC III) N/A SY-A8 SY-A8 SR Not Met SY-A8-01 Boundaries not defined. Boundary definitions for plant systems were better defined in the PRA System Notebooks (SA-PRA-005.#### series) during the 2012 PRA Update by incorporating drawings with highlighted boundaries in order to help the reader better visualize the modeled system boundaries. The Data Notebook (SA-PRA-010, Rev. 2) has also been revised in order to explain how component boundaries were defined. N/A SY-A9 This SR was deleted in RA-Sb-2005. N/A 46

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-A9 SY-A10 SR Not Met SY-A10-01 Diesel generator modeling. Since the Emergency Diesel Generator (EDG) Day Tanks are modeled as being part of the component boundary for the EDGs, the failure probabilities used for the EDG events used in the SA115A PRA model inherently include the failure of Day Tanks to perform their function, e.g., rupture, plugged lines, etc. However, a failure mode that could cause failure of the fuel oil transfer pumps involves miscalibration of the day tank level instrumentation, which was included in the SA115A PRA model. The Vital AC system notebook now includes a discussion about the EDG day tanks being part of the component boundary definition used for the EDGs. SY-A10 SY-A11 SR Met N/A SY-A11 SY-A12 SR Not Met SY-A12-01 Some components listed in the standard supporting requirement are absent from some system models. Although the Emergency Diesel Generator (EDG) Day Tanks are considered to be within the component boundary of the EDGs (see response to SY-A9), the fuel oil transfer system was not, and as such, was explicitly modeled in the SA115A PRA model. Also, there are Human Error Probability (HEP) events included in the SA115A PRA model that model failure to realign ventilation dampers, e.g., see event RD3-XHE-MM (OPERATORS FAIL TO ALIGN CAV FOR MAINT MODE) in the HRA Notebook (SA-PRA-004). This and other HEPs that make use of AB.CAV procedures have been appropriately analyzed in the HRA notebook and included in the SA115A PRA model where appropriate. No further action required. SY-A12 SY-A12a SR Met N/A SY-A13 SY-A12b SR Met Modeling guidance included consideration of divergence paths. N/A SY-A14 SY-A13 SR Not Met SY-A13-01 Review of models identified several exclusions of failure modes on a global basis without justification. The probability of manual valves transferring shut was not generally modeled as the failure probability is exceedingly low and can be excluded via the use of the criteria found in ASME Supporting Requirement (SR) SY-A15: One or more failure modes for a component may be excluded from the systems model if the contribution of them to the total failure rate or probability is less than 1% of the total failure rate or probability for that component when the effects on system operation are the same. However, SR SY-A15 should be referred to in Section 3.1 (Generic Assumptions) of each PRA System Notebook to support the decision to exclude low probability events. Since this is only a documentation issue, there is no impact on either CDF or LERF due to the fact that the exclusion of manual valves spuriously changing state was appropriately addressed in the PRA model. As such, this issue has no impact on the results for this license amendment request. SY-A15 SY-A14 SR N/A No assessment performed. N/A 47

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-A16 SY-A15 SR Met: (CC III) N/A SY-A17 SY-A16 SR Met N/A SY-A18 SY-A17 SR Met N/A SY-A19 SY-A18 SR Met N/A SY-A20 SY-A18a SR Met N/A SY-A21 SY-A19 SR Not Met SY-A19-01 No documentation of assessment. All PRA System notebooks were revised to add generic assumptions on components not performing beyond their design operating conditions unless otherwise specified. No further action is required. SY-A22 SY-A20 SR Met: (CC I) SY-A20-01 No analyses provided. N/A SY-A23 SY-A21 SR Not Met SY-A21-01 Multiple type code descriptions are used for the same data such that the second part of the SR is not met. The state of knowledge correlation was addressed as part of the 2012 PRA update. See the Salem PRA Data Notebook (SA-PRA-010) for further details. No further action required. SY-A24 SY-A22 SR Met N/A SY-B1 SY-B1 SR Met: (CC II/III) N/A SY-B2 SY-B2 SR Met: (CC I/II) N/A 48

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-B3 SY-B3 SR Not Met SY-B3-01 For some cases the selection of CCF combinations are not complete and those selected are not the most limiting. Industry common cause failure data is collected from the NRC/INL Common Cause Database [CCF Parameter Estimations, 2012 Update]. Due to the relative rarity of common cause events, generic data is used for the Salem PRA model. The Alpha-Factor Methodology was used for common cause modeling in the Salem PRA. Mean values for the alpha factors were obtained and used to determine the Common Cause Factor, which is input into the CAFTA BE database Factor field. A few CCF events were determined using sources other than the NRC/INL data. In particular, to address the issue of completeness regarding various combination of failures, and due to the small probabilities and uncertainty that is involved with interim CCF combinations involving a population size of 6, it was deemed adequate in modeling the 2 of 6 (loss of one division), 4 of 6 (loss of two divisions), and 6 of 6 event combinations (loss of all three divisions) in estimating the total risk associated with DC battery charger common cause failures. The common cause modeling was limited to only those combinations that are consequential and important to risk. Refer to Appendix D of the Data Notebook (SA-PRA-010) for further details. SY-B4 SY-B4 SR Not Met SY-B3-01 Some combinations are absent which when using MGL can underestimate the CCF contribution. The MGL parameter model was not used for common cause failure probabilities used in the Salem PRA model. Instead, the Alpha-Factor Methodology was used. As stated in the response for SY-B3-01, certain interim combinations for DC battery chargers involving a population size of 6 were omitted due to their small probabilities and inherent uncertainty, with only the important common cause combinations being retained, e.g., 2 of 6, 4 of 6, and 6 of 6. Since MGL is not used for these events, the missing combinations do not significantly underestimate the CCF contributions. SY-B5 SY-B5 SR Not Met SY-B5-01 Documentation for several system notebooks (AFW, CVCS and RWST) indicated that the heated water circulating system was required to prevent freezing, but was not modeled. Since the heated water system was not required as an immediate support system for system success, it was not explicitly modeled due to the fact that freezing of water lines is a slowly developing event with ample time for procedural direction and any necessary repair. It was also explicitly stated in the system modeling documentation that the heating water system was not required during the PRA mission time of 24 hours, e.g., see Section 2.5.4 of the AFS and MFWS System Notebook (SA-PRA-005.0001). As such, no further action is required. 49

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-B6 SY-B6 SR Not Met SY-B6-01 No analysis documented No documentation provided related to analysis of support system requirements. There appears to be no analysis of support system requirements concurrent with their definition in the system notebooks. Perform the required engineering analysis. As part of the 2012 PRA Update, all PRA System Notebooks were revised to follow a more consistent outline with information better organized to allow a more effective review and understanding of the documentation including sections on shared/required systems. In addressing this particular SR, section 4.4 in each PRA System Notebook (SA-PRA-005.#### series) documents the support system requirements and dependencies for all modeled system components in the PRA model. SY-B7 SY-B7 SR Met: (CC I) SY-B7-01 The support system modeling is mostly based on conservative criteria. As part of the 2012 PRA Update, this information has been clarified and references provided for success criteria in the System Notebooks using a more consistent approach that will now make it much easier for the reviewer to identify such information. Also, fault tree modeling and operator actions were updated during the 2012 PRA update using the latest design calculations for the control room envelope. The results of the SA112A PRA model showed that loss of Control Area Ventilation (CAV) scenarios are now about a factor of ten less than what previously existed in the peer-reviewed PRA model (PRA Model, Rev. 4.1). Therefore, any conservatism that may exist in the design basis calculations for CAV is not important to the PRA results. As such, there is no further action required. SY-B8 SY-B8 SR Met SY-A4-01 Walkdowns are not formally complete N/A N/A SY-B9 This SR was deleted in RA-Sb-2005. N/A SY-B9 SY-B10 SR Not Met SY-B5-01 The need for heating of the RWST is not modeled although the system notebook indicates the need for heating. See above response for SR SY-B5. SY-B10 SY-B11 SR Not Met SY-B11-01 Some AFW signals (SI, LOSP) are not defined and no justification for exclusion is provided. This issue was addressed as part of the 2012 PRA Update. In particular, the AFW system and SI actuation logic and automatic initiation signals were reviewed and revisions made and additional logic added to the PRA model where appropriate. Specifically, Section 2.6 of the AFW PRA System Notebooks (SA-PRA-005.0001) documents the actuation signals that are modeled in the PRA for automatic system actuation. Necessary signals are now modeled, meeting the intent of this SR. 50

LR-N17-0135 LAR S17-05 TABLE 4-11 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR SYSTEMS ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION SY-B11 SY-B12 SR Not Met SY-B12-01 Some identified mission times are less than required. An average value for the expected run-time of the Emergency Diesel Generators (EDGs) and their supporting components, such as the fuel oil transfer pumps, was derived based on a convolution involving non-recovery of offsite power data and EDG run-time failure probabilities. This analysis is documented in Section 10.0 of the Salem PRA Data Notebook (SA-PRA-010), which was performed during the PRA update that resulted in the SA112A model. This exercise resulted in an average run time of 6.2 hours for the EDGs, which was also used for the EDG fuel oil transfer pumps. However, the AFW turbine-driven pump was assigned a mission time of 24 hours. No further action required. SY-B12 SY-B13 SR Met N/A SY-B13 SY-B14 SR Met N/A SY-B14 SY-B15 SR Not Met No documentation of an evaluation for potential adverse environments. See above response for SR SY-A21. SY-B15 SY-B16 SR Not Met HR-C3-01 Operator starts for standby equipment not defined. No miscalibration of under voltage relays. The issue of instrument miscalibration was modeled using Human Error Probability (HEP) pre-initiator events that were included in the appropriate sections of the Salem SA112A PRA model to capture the unavailability of instruments due to miscalibration errors. These HEPs are documented in the Salem HRA Notebook (SA-PRA-004). No further action required. SY-C1 SY-C1 SR Met N/A SY-C2 SY-C2 SR Not Met SY-C2-01 System documentation does not provide some required documentation. The Salem PRA System Notebooks were revised and enhanced as part of the PRA model update that resulted in the SA112A PRA model, which occurred after the peer review was performed in 2008. Since this issue was a documentation issue, there would be no impact on the results for this license amendment request. SY-C3 SY-C3 SR Not Met SC-C3-02 Assumptions are not present The Salem PRA System Notebooks were revised and enhanced as part of the PRA model update that resulted in the SA112A PRA model, which occurred after the peer review was performed in 2008. In particular, Section 3 of the System Notebooks (SA-PRA-005.#### series) now lists both generic and system-specific PRA modeling assumptions. Since this issue was a documentation issue, there would be no impact on the results for this license amendment request. 51

LR-N17-0135 LAR S17-05 TABLE 4-12 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR HUMAN RELIABILITY ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION HR-A1 HR-A1 SR Met This requirement is met by the process outlined in Section 2.2 of the HRA Notebook. N/A HR-A2 HR-A2 SR Met This requirement is met by the process outlined in Section 2.2 of the HRA Notebook. N/A HR-A3 HR-A3 SR Met This requirement is met by the process outlined in Section 2.3.4 of the HRA Notebook. N/A HR-B1 HR-B1 SR Met: (CC II/III) This requirement is met by the process outlined in Section 4.3.3.1 of the HRA Notebook. N/A HR-B2 HR-B2 SR Not Met HR-B2-01 This requirement is directly in violation of the first sentence of Section 4.3.3.1 which allows screening of actions that could simultaneously have an impact on multiple trains of a redundant system or diverse systems. The HRA notebook (SA-PRA-004) was revised to address this issue in order to clarify that screening of this nature was not performed. Therefore, this SR is now met and there is no further action required. HR-C1 HR-C1 SR Met This requirement is met by including the description of the HFE with each HFE analysis (see Tables 5.1.1, 5.1.2 and 5.1.3) N/A HR-C2 HR-C2 SR Met: (CC II/III) The HRA notebooks specified that the LARs were reviewed and the descriptions indicate modes of unavailability have been included. N/A HR-C3 HR-C3 SR Not Met HR-C3-01 There is no documentation showing that miscalibration as a mode of failure of initiation of standby systems was considered. An example of this is that there is no HFE for miscalibration of bus under voltage bus, RPS relays, etc. The issue of instrument miscalibration was modeled using Human Error Probability (HEP) pre-initiator events that were included in the appropriate sections of the Salem SA112A PRA model to capture the unavailability of instruments due to miscalibration errors. These HEPs are documented in the Salem HRA Notebook (SA-PRA-004). No further action required. HR-D1 HR-D1 SR Met Since the EPRI HRA Calculator was used this requirement is met. N/A HR-D2 HR-D2 SR Met: (CC II) This meets Capability Category II since there was one screening value used for pre-initiators. N/A 52

LR-N17-0135 LAR S17-05 TABLE 4-12 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR HUMAN RELIABILITY ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION HR-D3 HR-D3 SR Met: (CC II/III) This requirement is met due to the fact that the EPRI HRA Calculator is used. The Calculator requires human shaping factors which includes these requirements. N/A HR-D4 HR-D4 SR Met This requirement is met due to the fact that the EPRI HRA Calculator is used. The Calculator requires human shaping factors which includes these requirements. N/A HR-D5 HR-D5 SR Met This requirement is met in Section 5.2.2. N/A HR-D6 HR-D6 SR Not Met SC-C3-02 The uncertainty analysis has not been done. The mean values were used since the HRA Calculator was used for this analysis. The Salem PRA Uncertainty Notebook (SA-PRA-018) was officially issued as part of the SA112A PRA model update and includes sources of uncertainties associated with Human Reliability Analysis (HRA). This document makes use of both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. As such, there is no further action required. HR-D7 HR-D7 SR Met: (CC I/II) There was no requirement to check reasonableness of HEPs in light of the plants experience. N/A HR-E1 HR-E1 SR Met This requirement is met by the methodology section of the HRA Notebook. N/A HR-E2 HR-E2 SR Met This requirement is met by Section 2.1 of the HRA Notebook. N/A HR-E3 HR-E3 SR Met: (CC II/III) This requirement is met in Section 2.6 of the HRA Notebook. N/A HR-E4 HR-E4 SR Met: (CC II/III) This requirement is met in Section 2.6 of the HRA Notebook. N/A HR-F1 HR-F1 SR Met: (CC I/II) This requirement is met at the Capability Category I/II level because several HFEs included several responses which are grouped into one HFE. N/A 53

LR-N17-0135 LAR S17-05 TABLE 4-12 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR HUMAN RELIABILITY ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION HR-F2 HR-F2 SR Not Met HR-F2-01, HR-F2-02 The accident sequence specific timing of time window for successful completion for CCS-XHE-FO-ISOLT is based on a calculation that does not address leakage. The calculation S-CC-MDC-2111 is for loss of Service Water and does not address leakage of the Component Cooling Water System. The time window should account for leakage that would drain the CCW system and make it inoperable. This is the limiting time since the CCW system will continue to cool with the leak until the surge tank is drained. Other examples of problems with timing are the lack of documentation for the timing used. This is noted in HRAs: CIS-XHE-FC-XLCNT, AND MSS-XHE-FO-MS10. It should be noted that only a sampling was performed and that this may involve many more HRA analysis. The HRA Notebook (SA-PRA-004) has been revised as part of the 2012 PRA update that resulted in the SA112A PRA model. The notebook now describes the available system windows for operator intervention and use of cues for all the important and risk-significant Human Error Probability (HEP) events. With regard to the specific comments made against this SR, event CCS-XHE-FO-ISOLT is no longer being used in the PRA model, as it was a legacy event that no longer applies to the current treatment of internal flood mitigation. Events CIS-XHE-FC-XLCNT and MSS-XHE-FO-MS10 were analyzed in detail with justification cited for the system time window that was used in developing the human error probability. HR-G1 HR-G1 SR Met: (CC I) HR-G1-01 The notebook does document which HEP's are risk significant and the ones that are not use screening values. The reason this does not meet Capability Category I is that the human action from the shutdown panel, RRS-XHE-FO-SDRSP, is risk significant but still uses a screening value. This requirement must have a detailed analysis for significant HFEs. While industry consensus has not been achieved in adopting a consistent methodology to appropriately analyze the many actions associated with remote shutdown activities, a detailed HEP calculation is no longer required for RRS-XHE-FO-SDRSP as it is not risk significant in the SA112A model. Per Category II of HR-G1, screening values may be assigned to HEPs for non-significant human failure basic events. No further action required. HR-G2 HR-G2 SR Met This requirement was met since the EPRI HRA Calculator was used for the analysis. N/A HR-G3 HR-G3 SR Met: (CC II/III) This requirement was met since the EPRI HRA Calculator was used for the analysis. N/A 54

LR-N17-0135 LAR S17-05 TABLE 4-12 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR HUMAN RELIABILITY ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION HR-G4 HR-G4 SR Not Met HR-F2-01, HR-F2-02 The accident sequence specific timing of time window for successful completion for CCS-XHE-FO-ISOLT is based on a calculation that does not address leakage. The calculation S-CC-MDC-2111 is for loss of Service Water and does not address leakage of the Component Cooling Water System. The time window should account for leakage that would drain the CCW system and make it inoperable. This is the limiting time since the CCW system will continue to cool with the leak until the surge tank is drained. Other examples of problems with timing are the lack of documentation for the timing used. This is noted in HRAs: CIS-XHE-FC-XLCNT, and MSS-XHE-FO-MS10. It should be noted that only a sampling was performed and that this may involve many more HRA analysis. See above response for SR HR-F2. HR-G5 HR-G5 SR Met: (CC II/III) This requirement was met by Section 2.6 during plant visits. N/A HR-G6 HR-G6 SR Met This requirement was met by Section 2.6 during plant visits and operator interviews. N/A HR-G7 HR-G7 SR Met This requirement is met by Section 5.2 of the HRA Notebook, Dependent Operator Actions. N/A N/A HR-G8 This SR was deleted in RA-Sb-2005. N/A HR-G8 HR-G9 SR Not Met SC-C3-02 This requirement is not met. The Salem PRA Uncertainty Notebook (SA-PRA-018) was officially issued as part of the SA112A PRA model update and includes sources of uncertainties associated with Human Reliability Analysis (HRA). This document makes use of both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. As such, there is no further action required. 55

LR-N17-0135 LAR S17-05 TABLE 4-12 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR HUMAN RELIABILITY ANALYSIS RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION HR-H1 HR-H1 SR Met: (CC II/III) This requirement was met because the EPRI HRA Calculator was used and this includes operator recovery actions. N/A HR-H2 HR-H2 SR Met This requirement was met because the EPRI HRA Calculator was used and this includes operator recovery actions. N/A HR-H3 HR-H3 SR Met This requirement is met by Section 5.2 of the HRA Notebook, Dependent Operator Actions. N/A HR-I1 HR-I1 SR Met The use of the EPRI HRA Calculator and the documentation in the HRA Notebook meets this requirement. N/A HR-I2 HR-I2 SR Met The use of the EPRI HRA Calculator and the documentation in the HRA Notebook meets this requirement. N/A HR-I3 HR-I3 SR Not Met SC-C3-02 This requirement is not met. See above response for SR HR-G8. 56

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-A1 DA-A1 SR Met: (CC II/III) DA-A1-01 Need to develop Salem specific site procedures. Salem specific site procedures should be developed for maintenance of site specific PRAs. Recommendation is to develop Salem specific site procedures. The PSEG ER-AA-600 series of procedures exist to address this issue. Specifically ER-AA-600-1015 addresses maintenance and update of the internal events PRA model. They may be found and retrieved using the site's database known as DCRMS. There is no further action required. DA-A2 DA-A1a SR Not Met DA-A1a-01 No discussion of component boundary definition is provided in either the data or systems analysis. Boundaries for unavailability events are not established. Boundary definitions help assure that failures are attributed to the correct component and that calculated failure rates and unavailability values are appropriate. Some component boundaries are discussed in the notes to Appendix A, "Generic (Industry) Failure Data" of the Data Notebook. Note 32 states to "Assume that CCW/RHR HX failure rates apply to TDAFW Pump Bearing and governor jacket coolers", however unless the Salem TDAFW pump has unique features that require this to be modeled separately, cooling to the TDAFW pump is included in the component boundary to the pump in NUREG-6928. Boundary definitions for plant systems were better defined in the System Notebooks during the 2012 PRA Update by incorporating drawings with highlighted boundaries in order to help the reader better visualize the modeled system boundaries. The Data Notebook (SA-PRA-010) was also revised in order to explain how component boundaries were defined. This was done by referencing Section 5.1 of NUREG/CR-6928 which contains the definition used for component boundaries for generic industry data. Also, the TDAFW jacket coolers were removed from the SA112A PRA model since they are considered within the boundary of the TDAFW pump. No further action required. DA-A3 DA-A2 SR Not Met DA-A2-01 Mean values for failure rates appear in the model, however no uncertainty distributions could be found in the basic events checked. The PRA update for the Rev. 4.3 PRA model included adding uncertainty parameters to the type code database, and as part of the 2012 PRA model update, the CAFTA Access database file (SA112A.rr) was updated to include uncertainty parameters for all type codes and basic events used in the SA112A PRA model. No further action required. DA-A4 DA-A3 SR Met The data parameters used in the model appear to be appropriately identified. The units for Motor Operated Valves Fails to Close are demands. The units identified for Motor Operated Valves Fails to Remain Open or Closed are hours. Reference Data Analysis Notebook Section 2.1.1. N/A DA-B1 DA-B1 SR Met: (CC I) DA-B1-01 Components were grouped according to type such as motor-operated valve to meet Category 1 of the standard. Components were grouped according to mission type, (e.g., standby and operating) fails to meet Category II, however as stated in the Data Analysis Notebook Section 2.1.1.6, "there is no differentiation between systems (e.g., clean water vs. raw water". Therefore, a full Category II could not be met. The type codes used and listed in the Data Notebook (SA-PRA-010) do identify the different systems and type codes used as well as the basis for their failure probabilities. Type code failure rates now distinguish between clean and dirty water systems, e.g., pumps in the CCS and SWS PRA modeled systems. Also, the internal flood evaluation makes use of pipe rupture rates categorized by the type and quality of water contained within the various water pipes that were analyzed. No further action required. 57

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-B2 DA-B2 SR Met There did not appear to be any outliers in the data reviewed. Reference Data Analysis Notebook, Section 2.2 and Appendix A and Appendix C. N/A DA-C1 DA-C1 SR Not Met DA-A1a-01, DA-C1-01 Generic parameter estimates are obtained from recognized sources (principally NUREG/CR-6928). However, no discussion of component boundary definition is provided other than a draft document. In addition, generic unavailability data is used for some SSCs without demonstrating that the data is consistent with the test and maintenance philosophies for the subject plant. As discussed in DA-A2, the Data Notebook (SA-PRA-010) was revised in order to explain how component boundaries were defined, which is consistent with NUREG/CR-6928, the source of the generic failure rate data. The most recent PRA update, SA115A, included plant-specific updates for all unavailability type codes using current or past plant specific maintenance rule data. No unavailability is based on generic sources. Past unavailability data from an older model revision is used only for components which show zero unavailability from maintenance rule data as noted in Appendix C of SA-PRA-010, so the impact on the model is slightly conservative and negligible. No further action required. DA-C2 DA-C2 SR Not Met DA-C2-01 Plant-specific data is only collected for MSPI components. The draft data procedure provided requires that plant specific data be supplied for SSCs with RAWs > 2 and F-V's > 0.005. In accordance with ER-AA-600-1015, plant specific updating of data should be considered for those events that satisfy either a Fussell-Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0. An importance measures report was generated from a CDF cutset listing and a review made of those non-MSPI applicable basic events that exceeded this criteria. The associated type codes for these basic events were then identified and are listed in Table 7-1 of the data notebook (SA-PRA-010) to determine the type of plant components for which plant specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table 7-1 of the Data Notebook to support a Bayesian update of the generic data. This data update that was incorporated in SA115A now addresses all components with the identified importance values, thereby meeting the intent of this SR. DA-C3 DA-C3 SR Met Plant-specific data is collected consistent with design, operation and experience. N/A 58

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C4 DA-C4 SR Not Met DA-C4-01 Documentation describing the process of evaluating maintenance records was identified in a draft procedure. All failures must be reviewed for applicability to the PRA model and this process should be documented. All plant specific data came from MSPI or the Maintenance Rule, however there was no documentation provided that these failures were reviewed as PRA failures. Formal procedures now currently exist that describe the PRA update process, including what data collection is required. Actual plant-specific failure and unavailability data were obtained from the Salem Maintenance Rule and MSPI programs. In accordance with ER-AA-600-1015, plant specific updating of data should be considered for those events that satisfy either a Fussell-Vesely (FV) value greater than 0.005 or a Risk Achievement Worth (RAW) greater than 2.0. As a matter of practice, all MSPI monitored components, whether risk-significant or not, use plant-specific data to inform the generic industry data (i.e., Bayesian analysis). For other components deemed risk significant, an importance measures report was generated from a CDF cutset listing and a review made of those non-MSPI applicable basic events that exceeded this criteria. The associated type codes for these basic events were then identified and were listed in Table 7-1 of the PRA Data Notebook (SA-PRA-010) to determine the type of plant components for which plant specific updating was considered. A search of Salems SAP database was performed to identify any functional failures that may have occurred within the time period from July 2012 to September 2016. Any applicable failures for the identified equipment types were then recorded in Table 7-1 of the Data Notebook to support a Bayesian update of the generic data. For failure rates that are time-dependent, e.g., standby failure rates, it was also necessary to record the critical operating hours for Salem Unit 1 and Unit 2, which are listed in Table 7-2 of the Data Notebook for the time period from July 2012 to September 2016. Further details may be found in the PRA Data Notebook (SA-PRA-010). This process, now documented, meets the intent of the SR. 59

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C5 DA-C5 SR Not Met DA-C5-01 Documentation describing the process of evaluating failure records other than applying MSPI data directly could not be identified. All failures must be reviewed for applicability to the PRA model. Failure and unavailability data were obtained from the Salem Maintenance Rule and MSPI programs. The counting of component

failures, such as was done for MSPI components, was consistent with industry practice. Failures were obtained from the MSPI reporting process and were handled appropriately during the revision of the Data Notebook (SA-PRA-010) as part of the 2012 PRA model update. During the 2015 update, the Data notebook was updated to clarify failures occurring within a short time interval can be excluded so as not to skew the data for any one SSC modeled in the PRA. No further action required.

DA-C6 DA-C6 SR Not Met DA-C6-01 Documentation describing the process of evaluating the number of plant specific demands for standby components could not be identified. Standby components were identified in Table 1 of the Data Analysis Notebook and plant specific demands for some of these components were listed in Appendix B, however the basis for this number of demands was not provided. The draft data procedure states that plant specific data should be estimated by actual counts of hours or demands from logs or counters, use of surveillance procedures to estimate the frequency of demands and run times, or estimates based upon input from the System Engineer. Plant-specific reliability data for MSPI monitored components was obtained from the Salem MSPI reporting process and provided in the Appendix B tables of the Data Notebook (SA-PRA-010) in order to facilitate the Bayesian updating process during the 2012 PRA Update. This process was documented in Section 7.2 of SA-PRA-010. A sensitivity analysis was performed using additional plant-specific data to address issues related to SRs DA-C1 and DA-C2. In all cases, failure rates and probabilities fall into one of two categories, i.e., they were either a part of the plant-specific data update that used MSPI data, which included plant-specific demands and run hours from the MSPI Derivation reports, or they made use of generic data from sources such as NUREG/CR-6928. For future updates, plant-specific data and Bayesian updating will be extended to include risk-significant components per ER-AA-600-1015. Since this is mainly a documentation issue, there is no impact on the results for this license amendment request. DA-C7 DA-C7 SR Not Met DA-C7-01 Documentation describing the process of collecting the number of surveillance tests and planned maintenance activities on plant requirements could not be identified. In Appendix C for example CCS MOVs in test and Maintenance were described. The source of the data was listed as Salem 3.2 PRA, however no specific breakdown of the surveillance tests included was provided. The draft data procedure identifies surveillance tests as a source of data. Existing performance monitoring programs, such as the Maintenance

Rule, already document testing and maintenance unavailability information for each of the more risk-significant systems modeled in the PRA. The testing and maintenance unavailability information used in the Salem PRA is a combined value, i.e., represented by a single basic event. As such, there is no further action required.

60

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C8 DA-C8 SR Met: (CC I) DA-C8-01 An estimate of times that some components were configured in their standby status is identified in Table 1 and its notes, however no documentation of how these estimates were derived was provided. No operational records were provided in order to meet Capability Category II. The table cited in the summary description is now labelled as Table A-1 in the Salem PRA Data Notebook (SA-PRA-010), which identifies the failure rates/probabilities to be used for various SSCs modeled in the PRA. The notes to this table help identify which components are considered either normally running or in a standby condition, and also what fraction of the time a component may be considered in either a running or standby condition, e.g., Note 25 for station air compressors. In addition, standby flags were employed in the SA112A PRA model to denote which components are configured in a standby condition so that the appropriate failure mode can be applied in the fault tree logic. Two significant updates to the 2010 NUREG/CR-6928 component reliability data sheets includes providing both the Fails to Start data for standby equipment and the Fails to Run <1 HR data with beta distribution. This allowed the data to be easily combined to determine the new Fails to Start failure rate for standby equipment. Therefore, there was no need to identify a specific number standby hours for equipment normally in a standby status, since the standby failure rate model is not applicable to the Salem SA115A PRA model. As such, there is no further action required. DA-C9 DA-C9 SR Not Met DA-C9-01 Documentation describing the process of estimating the operational time of standby components from testing was identified in draft procedure. Standby components were identified in Table 1 of the Data Analysis Notebook and operational times for some of these components were listed in the Data Analysis Notebook, however the source of the data was not provided. Further clarification was provided in the Salem Data Notebook (SA-PRA-010) during the 2012 PRA model update (SA112A) to help better explain how estimates for standby time were derived. As such, there is no further action required. 61

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C10 DA-C10 SR Not Met DA-C10-01 Documentation describing the process of reviewing test procedures to determine surveillance test data could not be identified. No specific surveillance tests were discussed in the Data Analysis Notebook. The Systems Analysis Notebooks for specific systems described various surveillance testing, but did not reference surveillance tests by name. The use surveillance tests and their frequency was used to determine the number of demands for determining plant-specific operating experience for updating generic data that was used for risk significant components modeled in the PRA. For capability category II to be met for PRA Standard Supporting Requirement DA-D1, it requires that realistic parameter estimates be made for significant basic events based on relevant plant-specific evidence. It is the number of surveillance tests that is a part of this exercise in determining more realistic parameter estimates. Specifically, the response to APLA-RAI-2 shows that the number of demands were determined based on the number of functional tests for the component of interest (see Table RAI-2-3), which were determined based on configuration risk management schedules in support of 10 CFR 50.65(a)(4) planning and interviews with work control personnel at the Salem plant. This information was necessary for the Bayesian updating process in which the denominator of for the generic demand failure probability is updated with this plant-specific information. Therefore, this F&O has been addressed and Supporting Requirement DA-C10 is considered to be met at Capability Category II. DA-C11 DA-C11 SR Not Met DA-C11-01 Documentation describing the process of using maintenance and testing durations to determine plant specific durations was identified in a draft document. No specific surveillance tests were discussed in the Data Analysis Notebook but MSPI/Maintenance Rule sources were identified. Consistent with industry

practice, the failure and unavailability data were obtained from the Salem Maintenance Rule and MSPI programs. The Maintenance Rule data and MSPI data are traceable to individual occurrences. Therefore, the documentation does exist and it was not necessary to repeat the information in the Data Notebook (SA-PRA-010). No further action required.

62

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C12 DA-C11a SR Not Met DA-C11a-01 Documentation describing the process of how to count maintenance unavailability was not identified. Plant Specific unavailability was only documented for MSPI components which identifies the unavailability for support and frontline systems separately, however it could not be determined that this was the case throughout the model without a specific guidance document. As part of the enhancements made during the 2012 PRA update, the process used for counting maintenance unavailabilities was more clearly described in the Salem PRA Data Notebook (SA-PRA-010). In particular, Section 8.0 of SA-PRA-010 states that unavailability due to test and maintenance was collected from plant records. Specifically, Maintenance Rule and MSPI unavailability data was used to determine train and component unavailability for use in the PRA. Generic industry unavailability data was only used when no other information was available. Salem MRule Manager software and MSPI Derivation Reports for Unavailability Index were used as the primary sources of plant specific component and/or train unavailability. Because maintenance practices change over time, the best representation of the current plant practices would be seen in the most current data. This being the case, unavailability data was only collected and analyzed from March 2012 through February 2015. DA-C13 DA-C12 SR Not Met DA-C12-01 While a table of critical hours was provided and the Maintenance Unavailability Table provided in Appendix C appears to address these hours there was no specific documentation or guidance document provided that discusses how maintenance was treated for shared systems. Maintenance unavailabilities for shared systems between the two units is addressed in Section 8.1 of the Salem Data Notebook (SA-PRA-010). Specifically, since some of the Maintenance Rule data was for shared systems (e.g., ECAC, GTG), common critical hours were needed. Common critical hours (denoted as C Hours) were calculated by determining the time during which either unit was critical. With regard to outage durations, it was assumed that the C critical hours were the greater of the two units critical hours for any months during which both plants were not critical 100% of the time (e.g., April 2012). If both units were critical for the entire month, the C hours would be the number of hours in the month. 63

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-C14 DA-C13 SR Not Met DA-C13-01 Coincident unavailability for service water pumps was modeled as shown in Appendix C of the Data Analysis Notebook, however, no overall guidance document could be found to ensure all systems were reviewed for coincident unavailability. A paragraph was added to section 8.2 of the Data Notebook (SA-PRA-010) to document the treatment of concurrent unavailability for SW. Also, Note 12 was added at the bottom of Table C-1 in Appendix C of SA-PRA-010 to denote the actual unavailability values that were used. In general, for other plant systems, the plant records that were reviewed revealed that coincident unavailability amongst safety related trains was non-existent, but because of the number of SW pumps that exist at Salem (a total of six), it would be possible that a pair of SW pumps could be simultaneously taken out for maintenance. However, since the time period of interest did not show any such occurrence, legacy values used in previous versions of the PRA for dual maintenance unavailabilities amongst the SW pumps were maintained. Future versions to the ASME PRA Standard allude to the fact that dual maintenance terms can be excluded if supporting data exists. DA-C15 DA-C14 SR Not Applicable SSC repair is not modeled. N/A DA-C16 DA-C15 SR Not Applicable System recovery is not modeled. N/A DA-D1 DA-D1 SR Met: (CC II) Plant specific evidence was provided for significant basic events. A Bayesian update of generic prior was performed as shown in Appendix B of the Data Analysis Notebook. N/A DA-D2 DA-D2 SR Met DA-D2-01 Evaluation of diesel-driven compressor provides example of evaluating plant-specific consideration using similar components. See Data Analysis notebook Section 2.1.3. Use of Monte Carlo simulation techniques using the @RISK Excel add-in was used to derive failure distributions for the diesel-driven air compressor with documentation provided in Section 6.3 of the Salem PRA Data Notebook (SA-PRA-010) during the 2012 PRA model update. No further action required. 64

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-D3 DA-D3 SR Met: (CC I) DA-D3-01 Observations of SA PRA-010, Table A-1. Mean values were provided along with error factors for most distributions. Several items listed in Table A-1 do not contain any reference information for either error factor or basic input parameters from which an error factor can be derived. All parameters identified in Table A-1 of SA-PRA-010 now have a reference provided to show traceability of information. Table A-1 is a listing of the generic failure rates and probabilities that were used in the Salem PRA model, and were obtained primarily from the 2010 update to NUREG/CR-6928. For those components where NUREG/CR-6928 could not be used, other appropriate sources were used, such as NUCLARR, NUREG/CR-2728, NUREG/CR-5500, and legacy values from earlier Salem PRA models. DA-D4 DA-D4 SR Met: (CC I) DA-D4-01 No documentation is present that substantiates that the analysis was performed. This is sufficient for Category I. A paragraph was added to Section 7.2 of the Salem PRA Data Notebook (SA-PRA-010) to document the comparison of updated results with the generic data during the Salem 2012 PRA model update. Because no abnormalities were identified, no further action is required. DA-D5 DA-D5 SR Met: (CC II) Values provided for Alpha and MGL methods for significant events in the Data Analysis Notebook. N/A DA-D6 DA-D6 SR Met: (CC I) DA-D6-01 No apparent comparison of common cause failures to plant experience was provided in the Data Analysis Notebook. During the Salem 2012 PRA model update, a paragraph was added to Section 6.1 of the Data Notebook (SA-PRA-010) to document a comparison of the NUREG/CR-6928 values with other generic data sources, such as NUCLARR and EPRI. No large discrepancies were identified. As such, NUREG/CR-6928 was deemed acceptable for use. No further action required. DA-D7 DA-D6a SR Not Applicable No generic data was screened. N/A DA-D8 DA-D7 SR Not Applicable No modifications are known that would impact data. N/A DA-E1 DA-E1 SR Met DA-E1-01 The analysis is documented in a manner that could facilitate applications, upgrades, and PEER reviews. The notebook could be improved by providing direct references to actual failure numbers in EPIX or CDE numbers in Appendix A. See suggestion. This URE is a suggestion that has no impact on the quality of the PRA and was only meant to aid reviewers in the traceability of data sources. The current data notebook is now traceable to ISIS (replacement for EPIX) and/or CDE. As such, there is no further action required. 65

LR-N17-0135 LAR S17-05 TABLE 4-13 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR DATA ANALYSIS DA-E2 DA-E2 SR Not Met DA-E2-01 A draft document was provided that documented how to establish component boundaries, how to establish failure probabilities, sources of generic data, etc. This procedure needs to be formalized. NUREG/CR-6928, which was used in gathering the generic data for updating the Salem Data Notebook (SA-PRA-010), provides a definition of the component boundaries for the modeled components of interest. No formal procedure needs to be developed when the data source used for the SA115A PRA model already defines the component boundaries of modeled components. Because this is a documentation issue, there is no impact on the results for this license amendment request. DA-E3 DA-E3 SR Not Met SC-C3-02 Assumptions were noted in various sections of the Data Analysis Notebook. These need to be gathered into an assumptions section in the notebook. Sources of uncertainty were not discussed in the analysis. Assumptions are appropriately documented throughout the Data Analysis Notebook (SA-PRA-010) where appropriate in order to be consistent with the context of each section. In general, most assumptions may be found within footnotes to the data tables in order to explain the basis for derivation of the data. Additionally, the Uncertainty Notebook (SA-PRA-018) was officially issued and includes a section on model uncertainty and references both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. As such, there is no further action required. 66

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-A1 QU-A1 SR Met The single-top fault tree (S1R4.CAF) integrates the model in a manner that supports quantification and treatment of dependencies. N/A QU-A2 QU-A2a SR Met Fault tree linking is used in constructing the S1R4.CAF model. N/A QU-A3 QU-A2b SR Met: (CC I) QU-A2b-01 Parametric uncertainty is not performed on the quantification results. In addition, it is not clear that the same type code is used for multiple events based upon the same underlying data. The parametric uncertainty analysis was performed and documented in the newly issued Salem PRA Uncertainty Notebook (SA-PRA-018). The uncertainty analysis also correctly accounted for the "state-of-knowledge" correlation by making the necessary adjustments to the type codes in the CAFTA database file (SA112A.rr). No further action required. QU-A4 QU-A3 SR Met The model is quantified using CAFTA software which is capable of reporting contributors to CDF by initiating event, or at the individual sequence level if desired. N/A QU-A5 QU-A4 SR Met QU-A4-01 Recovery events NRAC-12H, NRAC-OSP, and NREDG-4H are included in the S1R4REC.CAF file, but their application is not discussed in the Accident Sequences and Event Tree notebook or in the AC Power System Notebook. Recovery events that have no basis or discussion of applicability were removed from the recovery model logic during the 2012 PRA model update (SA112A). The recovery files are discussed in the Quantification notebook (SA-PRA-014). The offiste power non-recoveries are discussed in Appendix D of the Accident Sequence Notebook (SA-PRA-002). As such, there is no further action required. QU-B1 QU-B1 SR Met The CAFTA software suite and the Forte quantification engine are used in the quantification. These are standard software products which have been shown to produce appropriate results in industry usage. N/A QU-B2 QU-B2 SR Met Salem Quantification Notebook SA PRA-2008-01 Attachment E documents the convergence analysis performed to set an appropriate truncation value. N/A 67

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-B3 QU-B3 SR Met QU-B3-01 Salem Quantification Notebook SA PRA-2008-01 Attachment E documents the convergence analysis performed to set an appropriate truncation value. The truncation level for both CDF and LERF was set at 1.0E-11. The percentage change between 1.0E-10 and 1.0E-11 was 2.2% for CDF, but 6.1% for LERF. Therefore, this SR was not satisfied for LERF. Attachment E of the Salem Quantification Notebook (SA-PRA-014) for the SA115A PRA model documents the process used to ensure that convergence was achieved for quantification of CDF and LERF cutsets. There was less than a 5% change in CDF in going from a truncation limit of 1E-11 to 1E-12, and less than a 5% change in LERF when going from a truncation of 1E-12 to 1E-13. Therefore, the official truncation limits used were 1E-11 for CDF and 1E-12 for LERF. No further action required. QU-B4 QU-B4 SR Met Forte uses the minimal cutset upper bound quantification method to produce the mean value. N/A QU-B5 QU-B5 SR Not Met QU-B5-01 Creation of different fault tree tops to break circular logic is discussed in the system notebooks; however the documentation is not sufficient to determine whether the logic was broken at the appropriate level to ensure unnecessary conservatisms or non-conservatisms. A new vital AC power PRA system notebook (SA-PRA-005.0020) was created during the 2012 PRA model update. Section 6.8 of this notebook contains an explanation of how circular logic loops were broken for the diesel generator support dependencies, and also lists the affected gates with a description of the modification. The documented review of this PRA system notebook provides evidence that the logic was broken at the appropriate level to avoid any unnecessary conservatisms or non-conservatisms. No further action required. QU-B6 QU-B6 SR Met Complementary logic is used where needed to account for system successes in transfers to the LERF model from the Level 1 model. N/A QU-B7 QU-B7a SR Met Mutually exclusive logic is included in the linked fault tree under gate DAM-GDAM100 and combined with the core damage or LERF logic in an "A and not B" gate. N/A 68

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-B8 QU-B7b SR Met Mutually exclusive logic is included in the linked fault tree under gate DAM-GDAM100 and combined with the core damage or LERF logic in an "A and not B" gate to remove mutually exclusive combinations during quantification. N/A QU-B9 QU-B8 SR Met Flag file S1R4IFL.CAF contains the flag settings as TRUE or FALSE. The quantification process using PRAQUANT merges the flag file with the PRA model prior to quantification. N/A QU-B10 QU-B9 SR Not Met QU-B9-01 Split fractions and undeveloped events are included in the model. Examples include main Feedwater availability for ATWS (MFI-UNAVAILABLE) and some Unit 2 systems credited for recovery of Unit 1 CAV failure (G2SW22). The derivation of the values for these events is not documented to allow determination that consideration has been given to the impact of shared events. Split fractions such as the ones mentioned in the summary description (MFI-UNAVAILABLE and G2SW22) are listed in Table A-2 of the PRA Data Notebook (SA-PRA-010) that was revised during the 2012 PRA model update (SA112A) along with references to document the basis of their values. The split fraction for unavailability of feedwater during an ATWS event was obtained from WCAP-11992. The estimated value for event G2SW22, which represents insufficient flow from the opposite unit Service Water header, was obtained by quantifying a gate in the PRA model (G1CC324) that explicitly models unavailability of the 12 SW header. QU-C1 QU-C1 SR Met The dependency analysis for multiple HFEs is described in the HRA Notebook. The process included a requantification of the model with HEPs set to 0.1 to capture combinations which could be below normal truncation levels. The final application of dependency correction factors is done through post-processing of the cutsets. N/A QU-C2 QU-C2 SR Met The dependency analysis for multiple HFEs is described in the HRA Notebook. N/A QU-C3 QU-C3 SR N/A The linked event tree methodology is not used for the Salem model. N/A 69

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-D1 QU-D1a SR Met QU-D1a-01 Section 6 of the quantification notebook SA-PRA-2008-01, Revision 4.1 includes a discussion of the top cutsets. The discussion provides good detail of the core damage scenarios. Some of the cutsets appear to be conservative, which are discussed more in the F&O. The current system window for the RRS-XHE-FO-SDRSP action (FAILURE OF REMOTE SHUTDOWN UPON LOSS OF CAV) is 4 hours as OP-AB.CAV-0001 reports that the electrical equipment room temperature will exceed 145F in 4.2 hours if no operator action is taken. Use of a joint human error probability (HEP) floor value (1E-6 for the SGS HRA) is the current industry expectation as discussed in NUREG-1792, Good Practices for Implementing HRA. The system window length has no impact on the application of the joint HEP floor value. It is acknowledged that the time reported for MFW-XHE-FO-COND did reflect that actions base case (LOFW at time zero) rather than a loss of feedwater upon depletion of the AFWST, which is more representative of the combination. The Salem Dependency Analysis for the 2012 PRA model update was completely revised using the HRA Calculator, which allows the manipulation of timing within a combination. Still, there are no joint HEPs in the Salem HRA with values less than 1E-6 due to the floor value requirement. No further action required. QU-D2 QU-D1b SR Not Met QU-D1b-01 There is no discussion in the quantification notebook that indicates a review of the results was performed for the purpose of assessing modeling and operational consistency. Also, since the sequences were not quantified, it is difficult to perform this verification. Section 6 of the Quantification Notebook (SA-PRA-014) for the 2015 PRA model update discusses the top 25 cutsets that lead to core damage and also addresses the fact that a cutset review was conducted with PSEG personnel in November 2016 to ensure modeling and operational consistency. No further action required. 70

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-D3 QU-D1c SR Not Met QU-A4-01 There is no discussion in the quantification notebook SA-PRA-2008-01, Revision 4.1 that indicates this review was completed. Review the recovery file to ensure only those events intended to be applied are included. Provision of a listing of all recovery events and their intended application in the Quantification Notebook could facilitate this review for future model revisions. Recovery events that were no longer applicable were removed from the recovery model logic during the 2012 PRA model update (SA112A). The use of recovery files is discussed in Section 5.3 of the Quantification notebook (SA-PRA-014). The offsite power non-recoveries are discussed in Appendix D of the Accident Sequence Notebook (SA-PRA-002). N/A QU-D2 This SR was deleted in RA-Sb-2005 N/A QU-D4 QU-D3 SR Met: (CC I) QU-D3-01 This is a Capability Category I since there is no documentation to indicate that the Salem results were compared to the results of a similar plant. In Tables 2-5 to 2-7 of Section 2.3 of the Initiating Events notebook (SA-PRA-001) a comparison was made to the initiating events used for other PWR PRA models, i.e., South Texas Project, Watts Bar, and Surry to show that there were no applicable event categories that would have been omitted from the Salem PRA model. Also, the success criteria used for the Salem PRA model was benchmarked against the success criteria used for the Byron and Braidwood PRA models in Table 2-2 of the Success Criteria Notebook (SA-PRA-003). Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the ESFAS/RTS instrumentation AOT. QU-D5 QU-D4 SR Not Met QU-D4-01 There is no documentation indicating that a sampling of non-significant accident cutsets or sequences were reviewed to determine they are reasonable and have physical meaning. A sampling of non-significant accident cutsets that lead to core damage near the truncation threshold of 1E-11 were inspected to determine the presence of any illogical cutsets. This review was documented in Section 6 of the Quantification Notebook (SA-PRA-014) for the 2015 PRA model update (SA115A). The review determined that the cutsets did appear to be reasonable and had physical meaning. No further action required. 71

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-D6 QU-D5a SR Not Met QU-F2-01 This requirement was not met because the importance of components and basic events was not performed. There is no definition of significant contributors to CDF. No documentation of an analysis for significant contributors to CDF. A description of top 25 cutsets related to CDF are discussed in Section 6 of the Quantification Notebook (SA-PRA-014), which includes those SSCs and operator actions that contribute to event frequencies and mitigation. Also, Appendix D of SA-PRA-014 discusses the dominant CDF and LERF accident sequences, including a discussion of the type of initiating event and associated SSC failures and operator actions. Since this is a documentation issue, there is no impact on the results for this license amendment request in extending the ESFAS/RTS instrumentation AOT. QU-D7 QU-D5b SR Not Met QU-F2-01 This requirement was not met because the importance of components and basic events was not performed. A listing of the importance measures for CDF is presented in Section 7 of the Quantification Notebook (SA-PRA-014), and an analysis of the baseline results for CDF and LERF for the SA115A PRA model are discussed in Appendix F of SA-PRA-014. Appendix H discusses the results for LERF as well as the other detailed Level 2 release categories. The review of these results showed that they make logical sense. Also, since this is a documentation issue, there is no impact on the results for this license amendment request in extending the ESFAS/RTS instrumentation AOT. QU-E1 QU-E1 SR Not Met SC-C3-02 The uncertainty notebook was produced but is not finalized. See response for SR QU-F4. QU-E2 QU-E2 SR Met The quantification assumption is that the model been correct analyzed. So that the assumptions are in the other notebooks and will be documented in the SR for those areas. N/A QU-E3 QU-E3 SR Not Met SC-C3-02 The uncertainty notebook was produced but is not finalized. See response for SR QU-F4. 72

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-E4 QU-E4 SR Not Met SC-C3-02 The uncertainty notebook was produced but is not finalized. See response for SR QU-F4. QU-F1 QU-F1 SR Met This requirement is met by the Quantification Notebook. N/A QU-F2 QU-F2 SR Not Met QU-B3-01, QU-F2-01 This requirement was only partially met as described below: (a) This requirement is met by the system and HRA notebooks. (b) There is a cutset review process description. (c) There is no description of how the success systems are accounted for. Since a one top tree is used the software already accounts for this. A statement stating would be satisfactory. The truncation values and how they were determined were documented. The method for applying recovery and how post initiator HFE's are applied was not described. (d) This requirement was met. (e) This requirement was met. (f) This requirement was not met since the cutsets per accident sequence were not discussed. (g) This requirement was not met since equipment or human actions that are the key factors in causing the accidents sequences to be non-dominant are not discussed. (h) This requirement was not met since sensitivities were not documented. (i) This requirement was not met since the uncertainty notebook was not finalized. (j) This requirement is not met since there is no discussion of importance. (k) This requirement is not met because there is not list of mutually exclusive events and there justification. (l) This requirement is not met because there is no discussion of asymmetries in quantitative modeling to provide application users the necessary understanding regarding why such asymmetries are present in the model. (m) This requirement is met since CAFTA and Forte are being used. Both of these pieces of software are industry standards and therefore no further testing is required. The following discussion addresses only those sub-parts that were considered "not met": c) the method of applying recovery events and adjustment for joint HEPs is now described in Section 5 of the Quantification Notebook (SA-PRA-014); (f) descripton of top 25 cutsets and dominant sequences were discussed in the Quantification Notebook (see Section 6 of SA-PRA-014); (g) Human Error Probabilities (HEPs) that were identified as being "time sensitive" are now discussed in the HRA Notebook (SA-PRA-004); (h) sensitivity calculations were documented and discussed in the Uncertainty Notebook (SA-PRA-018); (i) the Uncertainty Notebook (SA-PRA-018) was prepared and issued as part of the work scope involved with the Salem 2012 PRA Update Project (SA112A); (j) importance measures are utilized as a part of the process used to document Maintenance Rule products per the ER-AA-310 series of procedures. Also, the risk poster, which is produced as part of the rollout process (Risk Application: SA-MISC-002), will also satisfy this requirement; (k) a discussion of how mutually exclusive events were treated was provided in Section 5 of the Quantification Notebook (SA-PRA-014); (l) model asymmetries were mainly limited to the fact that the SA115A PRA model is a Unit 1 model that relies on Unit 2 equipment for certain support functions, e.g., Demineralized Water and Main Control Room ventilation, which are not developed to the full level of detail as would be required if a dual-unit PRA model was adopted. Based on the above discussion, there is no further action required. 73

LR-N17-0135 LAR S17-05 TABLE 4-14 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR QUANTIFICATION RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION QU-F3 QU-F3 SR Met: (CC I) QU-F2-01 The reason this is a Capability Category I is that there is not documentation of significant contributors such as accident sequences and basic events being reviewed. Also there is no definition of significant contributors. See response for SR QU-F2. QU-F4 QU-F4 SR Not Met SC-C3-02 The uncertainty notebook has not been approved. the Uncertainty Notebook (SA-PRA-018) was officially issued and includes a section on model uncertainty and references both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. As such, there is no further action required. QU-F5 QU-F5 SR Met This requirement is met by the statement about caution when using FV values of less than 0.1% and RAW values of less than 1E-04. N/A QU-F6 QU-F6 SR Not Met QU-F2-01 This requirement was not met since there is no definition for significant basic event, significant cutset, significant accident sequence. See response for SR QU-F2. 74

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFPP-A1 IF-A1 SR Met Salem internal flooding notebook SA-PRA-012, Revision 0 Appendix B contains a description of the flood areas. N/A IFPP-A2 IF-A1a SR Met: (CC II/III) IF-A1a-01 Salem internal flooding notebook SA-PRA-012, Revision 0 Appendices B and D contain a description of the flood areas. The flood areas were generally aligned with the fire areas as discussed in Section B.3. Even though the documentation that shows the flood areas/zones could be more descriptive, this SR is considered to be met. The F&O is for improving the documentation of the flood areas and zones. Appendix D of the Internal Flood Walkdown Notebook contains a list of plant drawings that define the rooms and areas within the plant and how they form the scenario boundaries. Appendix I has the embedded PDF drawings listed in Appendix D. It is unnecessary to outline the flood area boundaries on a separate set of drawings when the information that was used to define the flood boundaries already exists for other programs, e.g., Fire Hazards Analysis. Since this is a documentation issue, there is no impact on the results for this license amendment request. IFPP-A3 IF-A1b SR Met The buildings and areas that share equipment (e.g., Auxiliary and Turbine buildings) are included in the flood area identifications. N/A N/A IF-A2 This SR was deleted in RA-Sb-2005. N/A IFPP-A4 IF-A3 SR Met The drawings used in the identification and definition of the flood areas appear to be current. Changes to the drawings used should be captured as part of the inputs monitoring in the model update program. N/A IFPP-A5 IF-A4 SR Not Met IF-A4-01 Salem internal flooding notebook SA-PRA-012, Revision 0 Appendix A contains a summary of the walkdowns that were performed. The summary includes some of the important flood features. But walkdown sheets containing the details of the walkdowns (spatial information, mitigating equipment such as drains, sumps, doors, wall penetrations, etc.) were not available. The raw handwritten notes from the plant walkdowns were scanned to PDF files (Salem PRA Events.pdf and Salem Water Sources.pdf) and are now included with the rest of the electronic documentation and associated files. No further action required. IFSO-A1 IF-B1 SR Met Flood sources are documented in the summary of walkdowns in Appendix A of the Salem internal flooding notebook SA-PRA-012, Revision 0, and also in the detailed analysis of the risk significant flood scenarios in Appendix E. Section 2.2.11 documents the assessment of in-leakage from other flood areas (e.g., back flow through drains). N/A 75

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFSO-A2 IF-B1a SR Not Met IF-B1a-01, IF-C4a-01 The buildings and areas that share equipment (e.g., Auxiliary and Turbine buildings) are included in the flood area identifications. However, there was no indication in the documentation that flood sources from Unit 2 can impact Unit 1 and vice versa. The assessment performed in Section 3.0 of Risk Application SA-MISC-005 (Resolution of Internal Flood Peer Review Comments) showed that there were no new multi-unit scenarios that require consideration due to the fact that they were either already postulated or were subsumed by existing scenarios. No further action required. IFSO-A3 IF-B1b SR Met Flooding areas were selected based on the presence of one or more potential flooding sources. Hence, plant areas not subject to flooding were screened as described in Appendix B of the Salem internal flooding notebook SA-PRA-012, Revision 0. N/A IFSO-A4 IF-B2 SR Met Three categories of flooding initiating events were evaluated for the potential flood sources identified: major floods (2000+ gpm), general floods (100 to 2000 gpm) and spray type floods (<100 gpm). The frequency calculation method used (Reference EPRI technical report TR-1013141) for these flood scenarios includes failure modes of components. Section 2.2.9.1.1 of SA-PRA-012, Revision 0 documents the assessment of human-induced flood mechanisms. This section concludes that human induced flood mechanism have a low enough frequency that they can be subsumed with the pipe failure frequencies. Considering the basis documented, this conclusion appears to be reasonable. N/A IFSO-A5 IF-B3 SR Met Three categories of flooding initiating events were evaluated for the potential flood sources identified: major floods (2000+ gpm), general floods (100 to 2000 gpm) and spray type floods. N/A IFSO-A6 IF-B3a SR Not Met IF-A4-01 Salem internal flooding notebook SA-PRA-012, Revision 0 Appendix A contains a summary of the walkdowns that were performed. The summary includes some of the important flood features. But walkdown sheets containing the details of the walkdowns were not available. See response for IFPP-A5. 76

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION N/A IF-B4 Relocated to IF-C2 N/A IFSN-A1 IF-C1 SR Not Met IF-C1-01 Propagation paths for areas are defined for highly risk-significant cases only. An independent assessment was performed to investigate the merit of this peer review finding that deals with propagation pathways and the possible existence of other scenarios that were not already considered or perhaps that were subsumed by other scenarios. The independent study revealed that there were no other postulated scenarios that were not already considered, or that were more severe than those currently being modeled in the internal flood PRA. The details and results of this analysis are documented in Risk Application SA-MISC-005 (Resolution of Internal Flood Peer Review Comments). 77

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFSN-A2 IF-C2 SR Not Met IF-C2-01 Plant design features that have the ability to terminate or contain the flood propagation are not documented for all defined flood areas. For those quantified scenarios, a conservative approach was initially used that considered all PRA-modeled SSCs to be damaged due to a flood originating or propagating into a particular flood area and a conditional core damage probability (CCDP) computed. This CCDP was then multiplied by the flood initiating frequency to estimate the core damage frequency (CDF). If the CDF for a given flood scenario was sufficiently low, e.g., less than about 0.1% of the nominal internal events CDF, then no further refinement was deemed necessary. However, if first estimates of the core damage frequencies for that compartment proved too pessimistic, the affected area of the plant was analyzed in greater detail to take into account spatial effects, specific flooding flow rates, operator actions, drainage pathways, etc. Hence, the justification for more detailed modeling of certain internal flood scenarios was aimed at removing some of the conservatism of the methodology, while at the same time providing a realistic basis for not assuming complete failure of all scenario-specific equipment due to a credible flooding event. The PRA model was updated in 2012 (SA112A) following the peer review to include all modeled internal flood scenarios and does not numerically screen any on a numerical basis. No further action required. IFSN-A3 IF-C2a SR Not Met IF-C2a-01 This is only addressed for the most risk-significant areas. In general, operator action for internal flood mitigation was only credited where needed to reduce the risk where failure of all PRA equipment was deemed too conservative. Also, automatic isolation and operation of sump pumps or other dewatering equipment were not credited, which was a conservative approach. No further action required. IFSN-A4 IF-C2b SR Not Met IF-C2b-01 No discussion of required information is provided for the majority of areas. See response for SR IFSN-A2. 78

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFSN-A5 IF-C2c SR Not Met IF-C2c-01 The documentation does not discuss spatial orientation for components in those areas not screened. See response for SR IFSN-A2. IFSN-A6 IF-C3 SR Met: (CC I/II) Component susceptibility to flood-induced failure is considered. N/A IFSN-A7 IF-C3a SR Not Met IF-C3a-01 Appendix D of the PRA Internal Flood Evaluation states that "For spray scenarios, however, walkdown observations revealed that Air-Operated Valves (AOVs) and Motor-Operated Valves (MOVs) were of a robust design that would exclude them from being susceptible to water damage. Hence, these components were not automatically failed (PRA event equal to TRUE) for quantification of the CCDP." This is not an adequate basis for determining the susceptibility of these components to flood-induced failure mechanisms per this SR. The robustness of AOVs and MOVs with regard to spray scenarios was an informed judgment based on empirical observation. Repeated walkdowns have confirmed these observations. This observation is also reinforced by a paper presented at the PSA 2008 ANS conference by J. Lin (Insights from the Updates of Internal Flooding PRAs), which has been added as a reference. Water spray does not generally prevent AOVs and MOVs from operating, and although it may remotely be possible, the most likely result is that it will not. Therefore, the basis for this assumption is deemed adequate and there is no further action required. A sensitivity evaluation assuming that all AOVs and MOVs are conservatively damaged in the risk-significant flood area of interest shows that the changes in risk metrics are very minor and would not impact the decision for this ESFAS/RTS AOT. IFSN-A8 IF-C3b SR Met: (CC I) IF-C3b-01 Identification of propagation paths for each flood area is not present in documentation. See response for SR IFSN-A1 (F&O IF-C1-01), since both F&Os are related to the same issue. IFSN-A9 IF-C3c SR Met However, only for most important sequences. N/A 79

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFSN-A10 IF-C4 SR Not Met IF-C4-01 The defined flooding scenarios were screened without development of flood rate, source, and operator actions. Detailed assessments were only provided for selected high frequency floods. In general, internal flood scenarios that were calculated using a conservative methodology that were found to contribute less than 0.1% to CDF were not subjected to any further scrutiny or refinement, since further refinement was deemed unnecessary for the purposes of the full-power internal events (FPIE) PRA model. It is unlikely that this particular issue involving internal floods with a relatively small contribution to CDF would have a measurable impact on the results for this license amendment request. The PRA model was updated in 2012 (SA112A) following the peer review to include all modeled internal flood scenarios and does not numerically screen any on a numerical basis. No further action required. IFSN-A11 IF-C4a SR Not Met IF-C4a-01, IF-B1a-01 Documentation of multi-unit scenarios could not be identified. Multi-unit scenarios were considered and analyzed, e.g., scenarios involving AB-084B found in Appendix E of the Internal Flood Summary Notebook. The assessment in Section 3.0 of Risk Application SA-MISC-005 (Resolution of Internal Flood Peer Review Comments) did not identify any new potential multi-unit scenarios. No further action required. IFSN-A12 IF-C5 SR N/A No flood areas were screened out. N/A IFSN-A13 IF-C5a SR N/A No flood areas were screened out. N/A IFSN-A14 IF-C6 SR N/A No floods were screened out based on human mitigative actions. N/A IFSN-A15 IF-C7 SR N/A Screening was not performed based on the criteria defined in this requirement. N/A IFSN-A16 IF-C8 SR N/A No flood sources were screened out based on human mitigative actions. N/A 80

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFSN-A17 IF-C9 SR Met IF-A4-01 Walkdowns were performed. However, walkdown sheets with the required information were not available for review. See response for SR IFPP-A5. IFEV-A1 IF-D1 SR Met This requirement has been met by Appendices C & D of the Flood Analysis Notebook. N/A N/A IF-D2 This SR was deleted in RA-Sb-2005. N/A IFEV-A2 IF-D3 SR Not Met IF-C4-01 This is an extension of F&O IF-C4-01. See response for SR IFSN-A10. IFEV-A3 IF-D3a SR N/A There was no grouping or subsuming of flood initiating scenarios with other plant initiating event group. N/A IFEV-A4 IF-D4 SR Not Met IF-C4a-01 There is no evidence that flooding in Unit 2 was considered for its effects on Unit 1. See response for SR IFSN-A11. IFEV-A5 IF-D5 SR Met This requirement is met in Appendix D of the Flooding Notebook. N/A IFEV-A6 IF-D5a SR Met: (CC II/III) This requirement is met in Appendix D of the Flooding Notebook. N/A IFEV-A7 IF-D6 SR Met: (CC I/II) Human-induced floods during maintenance were considered in Section 2.2.9.1.1 of the Internal Flood Evaluation. N/A IFEV-A8 IF-D7 SR N/A Flood scenarios were not screened out using these criteria. N/A IFQU-A1 IF-E1 SR Met The CCDPs for each of the scenarios were calculated by setting all initiating events in the PRA model to zero, with either the turbine trip event with PCS available (%TT) or PCS unavailable (%TP) set to a value of 1.0, depending on the nature of the components failed. N/A N/A IF-E2 Moved to IF-C3c N/A 81

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFQU-A2 IF-E3 SR Met All of the components modeled in the PRA that were assigned to the various scenario IDs based on their location in the plant and their susceptibility to water damage from the various modes of flooding, i.e., spray, general flooding, and major flooding. These components were utilized in flag files to set the appropriate basic events to TRUE, representing failure due to water damage, for the quantification of CCDPs for the analyzed scenarios. N/A IFQU-A3 IF-E3a SR MET: (CC II/III) Areas were screened if the product of the sum of the frequencies of the flood scenarios for the area and the bounding CCDP were less than 1E-9/reactor year. N/A IFQU-A4 IF-E4 SR N/A No additional analysis of SSC data was performed to support quantification of flood scenarios N/A IFQU-A5 IF-E5 SR Met Scenario-specific impacts on PSFs are included. N/A IFQU-A6 IF-E5a SR Met Scenario-specific impacts on PSFs are included. N/A IFQU-A7 IF-E6 SR Met Internal flood sequences are quantified in accordance with the QU SRs. N/A IFQU-A8 IF-E6a SR Met The combined effects of failures caused by flooding and due to causes independent of the flooding are included. N/A IFQU-A9 IF-E6b SR Met Both direct and indirect effects are included in the quantification. N/A IFQU-A10 IF-E7 SR Met Flood sequences are represented appropriately in the LERF analysis. N/A IFQU-A11 IF-E8 SR Not Met IF-A4-01 Walkdown documentation does not capture this information for all flood areas. See response for SR IFPP-A5. 82

LR-N17-0135 LAR S17-05 TABLE 4-15 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR INTERNAL FLOOD RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os

SUMMARY

OF ASSESSMENT

SUMMARY

OF RESOLUTION IFPP-B1, IFSO-B1, IFSN-B1, IFEV-B1, IFQU-B1 IF-F1 SR Met The internal flooding analysis documentation can support PRA applications, upgrades, and peer review. N/A IFPP-B2, IFSO-B2, IFSN-B2, IFEV-B2, IFQU-B2 IF-F2 SR Not Met See all IF F&Os Some documentation elements are missing, as noted in the Internal Flood F&Os. The Internal Flood documentation (SA-PRA-012) was revised to include missing information and provide clarification where necessary during the Salem 2012 PRA model update. Since this is a documentation issue, there is no impact on the results for this license amendment request. IFPP-B3, IFSO-B3, IFSN-B3, IFEV-B3, IFQU-B3 IF-F3 SR Not Met IF-F3-01 Assumptions are documented in the Flooding Notebook. Parametric uncertainty analysis was done but systemic uncertainty is not addressed. Sources of modeling uncertainty (systemic) associated with internal flooding is now addressed in the Salem PRA Uncertainty Notebook (SA-PRA-018), which was created during the Salem 2012 PRA model update. No further action required. 83

LR-N17-0135 LAR S17-05 TABLE 4-16 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR CONFIGURATION CONTROL MU-A1 MU-A1 SR Met MU-A1-01 Salem specific site procedures should be developed for Maintenance of site specific PRAs. Develop Salem specific site procedures. The Salem Generating Station has since developed site-specific procedures for maintenance and use of PRA models. They are officially controlled and accessed via DCRMS. No further action is required. MU-A2 MU-A2 SR Met This requirement is met in Section 4.1.2 of procedure ER-AA-600-1015, "FPIE PRA Model Update," Revision 6. N/A MU-B1 MU-B1 SR Met This requirement is met in Sections 4.1.3 and 4.2.2 of procedure ER-AA-600-1015, "FPIE PRA Model Update," Revision 6. Section 4.1.3 addresses how Updating Requirements (URE) puts are processed. Section 4.2.2 addresses review of UREs not dispositional into the next model update. N/A MU-B2 MU-B2 SR Met This requirement is met in Sections 4.1.3, and 4.2.1 of procedure ER-AA-600-1015, "FPIE PRA Model Update," Revision 6. This requirement is met for periodic updates in the project planning phase in Section 4.2.1 of the subject procedure and Section 4.1.3 for unscheduled updates. N/A MU-B3 MU-B3 SR Met Since the other Supporting Requirements are met this SR is met by default. N/A MU-B4 MU-B4 SR Not Met MU-B4-01 There is no reference to the requirement for a PRA peer review for upgrades. Step 4.5.5.3.A of ER-AA-600-1015 addresses this concern regarding PRA upgrades and the possibility for needing a limited peer review against the ASME PRA Standard. MU-C1 MU-C1 SR Not Met MU-C1-01 There is no reference to a review of the cumulative impact of pending changes. Step 4.3.1 of ER-AA-600-1015 addresses this concern regarding cumulative impact of pending PRA model changes. No further action is required. MU-D1 MU-D1 SR Met This requirement is met in Section 4.2.7 of procedure ER-AA-600-1015, "FPIE PRA Model Update," Revision 6. N/A MU-E1 MU-E1 SR Met This requirement is met in Sections 4.1 and 4.2 of procedure ER-AA-600-1014, "Risk Management Configuration Control," Revision 5. N/A MU-F1 MU-F1 SR Met All items are met except for item (f), the review of the cumulative impact of pending changes. See F & O MU-C1-

01.

N/A 84

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-A1 LE-A1 SR Met Level 2 Analysis notebook, SA-PRA-015, Section 2 addresses those physical characteristics at the time of core damage that can influence LERF. N/A LE-A2 LE-A2 SR Met Level 2 Analysis notebook, SA-PRA-015, Appendix A addresses accident sequence characteristics at the time of core damage that can influence LERF. N/A LE-A3 LE-A3 SR Met Level 2 Analysis notebook, SA-PRA-015, Appendix A addresses those adjustments needed between the Level 1 event trees and the containment event trees. N/A LE-A4 LE-A4 SR Met Level 2 Analysis notebook, SA-PRA-015, Appendix A addresses those adjustments needed between the Level 1 event trees and the containment event trees. N/A LE-A5 LE-A5 SR Met Level 2 Analysis notebook, SA-PRA-015, Appendix A defines the plant damage state groupings in Section 3. N/A LE-B1 LE-B1 SR Met: (CC II) Level 2 Analysis notebook, SA-PRA-015, Sections 1 and 2 discuss unique plant issues and LERF contributors. The issues identified in Table 4.5.9-3 are addressed with the exception of in-vessel recovery which is not credited. N/A 85

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-B2 LE-B2 SR Met: (CC I) LE-B2-01 Analysis does address challenges, but plant-specific analyses are treated in a conservative manner. Category II for LE-B2 says "using applicable generic or plant-specific analyses for significant containment challenges", while conservative analyses can be used for non-significant challenges. Conservative analyses were not used for significant challenges, though they were used for initial categorization. MAAP analyses and plant-specific analyses were used to support the final LERF contributors. Use of plant-specific parameters, such as containment fragility, are documented in the Level 2 Analysis Notebook (SA-PRA-015). Section 2.0 of SA-PRA-015 states that in order to assess the accident progression following a core damage event, the Level 2 analysis used a containment event tree shown in Figure 2-1 of SA-PRA-015 to determine the type of release, if any. Each node in the event tree is based on plant-specific Salem parameters, recent accident progression research, and other Salem-specific analyses. Where applicable, the documentation was updated to emphasize realistic, plant-specific analyses. LE-B3 LE-B3 SR Met: (CC II) MAAP analyses using plant-specific inputs performed, but utilized in a somewhat conservative manner. N/A 86

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-C1 LE-C1 SR Met: (CC I) LE-C1-01 Analysis of non-LERF or analysis of factors contributing to non-LERF was not addressed. A discussion of LERF and its definition were added to the Level 2 Notebook (SA-PRA-015) in order to explain how LERF and non-LERF designations were developed and assigned. Specifically, Section 5.0 of this notebook defines the major release categories that were evaluated: INTACT - Containment structure and function succeed and prevent a large or late release of fission products. LATE - Containment failure occurs, but is considered late because of a significant time delay between core damage and containment failure. LERF - Containment failure occurs early in the scenario. Early releases are defined as those releases that occur within a short time following core damage, such that adequate evacuation time is not available to protect the public from prompt health effects. SERF - Containment is bypassed, such as due to an initiating steam generator tube rupture, but successful filling of the steam generator scrubs the release to reduce it to a small magnitude. 87

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-C2 LE-C2a SR Met: (CC I) LE-C2a-01 Screening values appear to have been used for containment isolation actions. No operator actions are directly called out in the containment event tree. Of the human error probabilities (HEPs) that were associated with containment isolation actions, only SJS-XHE-FO-MANAC (Operator fails to open or close valves per EOPs) was found to exceed the criteria for risk significance, and the failure probability was evaluated in detail (not a screening value) in the SA115A PRA model. There were only two HEPs that were found to be risk-significant in the SA115A model, i.e., time-critical operator actions. They were AFS-XHE-FO-REC1 (Operator failure to close AFW discharge valves locally) and ISL-XHE-VD1 (Operator fails to isolate RHR to avoid ISLOCA). These HEPs are both documented in Appendix F of the HRA Notebook (SA-PRA-004) and will require a detailed evaluation as part of a future scheduled PRA update. LE-C3 LE-C2b SR Met: (CC I) LE-C2b-01 Repair of failed equipment is not addressed in the Level 2 Analysis notebook, SA-PRA-015. The Quantification Notebook (SA-PRA-014) discussed some of the dominant initiators that lead to LERF in Appendix H where pre-emptive actions could be taken to reduce the impact to LERF, e.g., installation of door sweeps to reduce the flow of water into the 230/460 VAC switchgear rooms due to internal floods, but no repair of failed equipment was directly credited or modeled in the SA115A model for mitigation of LERF sequences. 88

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-C4 LE-C3 SR Met: (CC I) LE-C3-01 Fission product scrubbing and mitigating actions by plant staff are not addressed. Since the time of the peer review, potential scrubbing of SGTR releases was added to the PRA model. In addition, text was added to the Level 2 Analysis Notebook (SA-PRA-015) to describe mitigating actions and beneficial failures that are modeled. Even without operator action, some scrubbing does occur in the thermal-hydraulic modeling of SGTRs, if applicable, such as in release category LERF-SGTR-AFW, which represents sequences caused by a steam generator tube rupture that have successful operation of auxiliary feedwater. LE-C5 LE-C4 SR Met: (CC II) Realistic generic success criteria appear to have been used. N/A LE-C6 LE-C5 SR Met N/A LE-C7 LE-C6 SR Met N/A LE-C8 LE-C7 SR Met One top model. N/A LE-C9 LE-C8a SR Not Met LE-C8a-01 No discussion provided in the documentation related to environment. Since there was no credit given in the SA115A PRA model for equipment survivability or human actions under adverse environments, there was no need to justify any type of credit. LE-C10 LE-C8b SR Met: (CC I) LE-C8a-01 No analysis provided. N/A LE-C11 LE-C9a SR Met: (CC I) LE-C8a-01 No credit taken. N/A 89

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-C12 LE-C9b SR Met: (CC I) LE-C8a-01 N/A LE-C13 LE-C10 SR Met: (CC I) LE-C3-01 Section 2 notes that credit is not taken for scrubbing of SGTR damage scenarios. N/A LE-D1 LE-D1a SR Met: (CC I) LE-D1a-01 Early containment loads are addressed using NUREG information. The Cat II SR requires "a realistic containment capacity analysis for the significant containment challenges" and "a conservative or a combination of conservative and realistic evaluation of containment capacity for nonsignificant containment challenges." In the Salem Level 2 analysis, early containment failure is not a significant contributor, therefore conservative or a combination of realistic and conservative evaluations are acceptable. The early containment failure probabilities from the NUREGs are based on plant-specific analysis or generic analysis that is adjusted to be applicable to Salem. Also, a Salem-specific containment structural evaluation and failure characterization that had been performed for a previous revision of the PRA was used in the SA115A Level 2 analysis due still being applicable. Therefore, no further work is necessary to comply with Category II of LE-D1. LE-D2 LE-D1b SR Not Met LE-D1b-01 No analysis for penetrations, hatches, seals Section 2.2 of the Success Criteria Notebook (SA-PRA-003) now references the evaluation of penetrations, hatches and seals for containment. LE-D3 LE-D2 SR Not Applicable N/A 90

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-D4 LE-D3 SR Met: (CC II) N/A LE-D5 LE-D4 SR Met: (CC II) N/A LE-D6 LE-D5 SR Met: (CC II) N/A LE-D7 LE-D6 SR Not Met LE-D6-01 The CI model (SA-PRA-005.07) does not provide sufficient information and does not address potential failures due to air locks or other locations. The Containment Isolation System Notebook (SA-PRA-005.0007) now provides a set of criteria to determine whether containment penetrations should be modeled for their safety significance in the PRA, such as size of line, number of valve isolations, etc. The Success Criteria Notebook (SA-PRA-003) in Section 2.2 states that containment penetrations, hatches and seals were also evaluated and found to have a higher pressure capacity than the meridional membrane capacity of the dome that proved to be the limiting failure location. The basis for this statement may be found in PSEG document S-C.ZZ-NEE-0686 (Probabilistic Engineering Evaluation of Salem Units 1 and 2 Containment Performance for Beyond Design Basis Conditions). LE-E1 LE-E1 SR Met Appropriate SSC and HFE values are utilized. N/A LE-E2 LE-E2 SR Met: (CC I) LE-D1a-01 The LERF analysis makes heavy use of the NUREG documents. See the F&O response for the 2009 SR LE-D1, since both F&Os are related to the same issue. 91

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-E3 LE-E3 SR Met: (CC I) LE-D1a-01 Early containment failures, bypass sequences, and isolation failures are designated as LERF contributors. The Level 2 Analysis Notebook (SA-PRA-015) explains in detail those accident sequences that satisfy the definition for LERF, and are listed in Table 7-1, which defines the type of accident sequence and initiating event that is involved. To satisfy this F&O, more detail was given in this section of SA-PRA-015 that better explains what accident progression sequences can lead to LERF. LE-E4 LE-E4 SR Met QU-B3-01 LERF is quantified consistent with the applicable requirements. A minor issue related to truncation limit is identified in QU-B3-01. N/A LE-F1 LE-F1a SR Met: (CC II/III) Table 8-2 of the Salem PRA Level 2 Analysis Notebook shows the calculated results for the detailed release categories. N/A LE-F2 LE-F1b SR Not Met LE-F1b-01 Other than verifying that the sum of the three end states (INTACT, LATE and LERF) is approximately equal to the core damage frequency, no checks on the reasonableness of the LERF contributors is documented. A summary of the Level 2 results is provided in Appendix H of the Quantification Notebook (SA-PRA-014). The comparison to the value for CDF was discussed, in which it was noted that the direct sum of the four major Level 2 endstates (INTACT, LERF, SERF, and LATE), which was 9.5E-06/yr, is a little more than the calculation of CDF at 8.4E-6/yr for the SA115A PRA model. This is due to summation of low probability sequences below the truncation threshold used for the quantification of CDF and the inclusion of non-minimal Level 1 sequences in the summation of the Level 2 release categories. N/A LE-F2 SR Met: (CC I) SC-C3-02 Bounding assumptions are identified in the documentation. Sources of uncertainty are addressed in a draft evaluation using guidance from draft EPRI report, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments." No documentation of sensitivity studies was found. See the F&O response for the 2009 SR LE-G4, since both F&Os are related to the same issue. 92

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-F3 LE-F3 SR Not Met LE-F3-01 LERF uncertainties are not characterized consistent with the requirements in Tables 4.5.8-2(d) and 4.5.8-2(e). The uncertainty associated with LERF was addressed in the Salem PRA Uncertainty Notebook (SA-PRA-018), with the results being presented in Section 5.1.2.1. LE-G1 LE-G1 SR Met The LERF analysis documentation appears to be adequate for supporting PRA applications, upgrades, and peer review. N/A LE-G2 LE-G2 SR Met The LERF notebook documents the process used to arrive at the LERF estimates. N/A LE-G3 LE-G3 SR Met: (CC II/III) Table 8-2 of the Salem PRA Level 2 Analysis Notebook shows the calculated results for the detailed release categories. N/A LE-G4 LE-G4 SR Not Met SC-C3-01, SC-C3-02 Assumptions are embedded in the documentation rather than captured in a specific section. Sources of uncertainty are addressed in a draft evaluation using guidance from draft EPRI report, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments." No documentation of sensitivity studies was found. This issue has no impact on the quality of the PRA and is only meant to aid reviewers in identifying what assumptions were made during development of the Success Criteria Notebook (SA-PRA-003). Each PRA System Notebook (SA-PRA-005.####) now has a section that lists assumptions that were made as part of the systems analysis. Also, the Uncertainty Notebook (SA-PRA-018) was officially issued and includes a section on model uncertainty and references both EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. 93

LR-N17-0135 LAR S17-05 TABLE 4-17 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES FOR LERF RA-Sa-2009 SR # RA-Sb-2005 SR # Capability Category Associated F&Os Summary of Assessment Summary of Resolution LE-G5 LE-G5 SR Not Met LE-G5-01 Limitations in the LERF analysis that would impact applications are not documented. Appendix A of the Uncertainty Notebook (SA-PRA-018) discusses model uncertainty issues and plant-specific issue characterizations that can be extended to identification of impacts on various risk applications. For example, the treatment of core melt arrest in-vessel has been limited. However, recent NRC work has indicated that there may be more potential than previously credited. For this particular issue, Salem has taken the approach that no credit will be given for recovery of core cooling following core damage and prior to reactor vessel failures. In other words, all core damage sequences proceed to vessel failure. Although this issue could provide an impact to certain applications related to Level 2 release categories, this particular LAR dealing with extending the Technical Specification AOT for unavailability is relatively unimportant with regard to LERF. LE-G6 LE-G6 SR Not Met LE-G6-01 A definition for significant accident progression sequence is not documented. A significant accident progression sequence is one of the set of accident sequences contributing to large early release frequency resulting from the analysis of a specific hazard group that, when rank-ordered by decreasing frequency, sum to a specified percentage of the large early release frequency, or that individually contribute more than a specified percentage of large early release frequency for that hazard group. Specifically, the summed percentage is 95% and the individual percentage is 1% of the applicable hazard group. The dominant accident sequences that contribute to LERF are listed and described in Section D of the Quantification Notebook (SA-PRA-014), and the relative contribution to LERF for each of the modeled initiating events is listed in Appendix F of SA-PRA-014. Since this is a documentation issue, it has no impact on the results for this LAR. 94

LR-N17-0135 LAR S17-05 TABLE 4-18 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REVISED SUPPORTING REQUIREMENTS RA-Sa-2009 SR # RA-Sb-2005 SR # DESCRIPTION OF CHANGE COMMENTS DA-C14 DA-C13 Coincident unavailability due to maintenance for redundant equipment is now being based on the activity being the result of a planned, repetitive activity that is based on plant experience. This implies that maintenance terms used in the PRA model that represent multiple SSCs being unavailable should not be used unless the activity is a routine planned evolution. The SA112A PRA Model of Record (MOR) makes use of dual Service Water pump maintenance terms based on previous maintenance activities, which may not have been considered as being routine or repetitive evolutions. As such, the more recent version of this Supporting Requirement implies that these maintenance terms can be removed from the PRA model if the maintenance activity is not considered a planned and repetitive activity. The net effect is that this may result in a slight decrease in CDF and LERF if the SW pump dual maintenance terms are removed from the PRA model. An Updating Requirement Evaluation (URE) record has been recorded (SA2016-005) to capture this as part of the maintenance and update of the Salem PRA model. QU-B5 QU-B5 The newer version of the Supporting Requirement (SR) states that when resolving circular logic to NOT introduce any unnecessary conservatisms or non-conservatisms, whereas the previous version of the Standard used the work AVOID. This has no impact on the Salem PRA MOR as the resolution of circular logic was more clearly documented during the 2012 PRA model update in the PRA System Notebook for vital AC power (SA-PRA-005.0020). A review of this document in Section 6.8 provides evidence that unnecessary conservatisms or non-conservatisms were NOT introduced as a result of resolving circular logic issues. QU-E4 QU-E4 The newer version of this Supporting Requirement redefines the treatment of model uncertainty and related assumptions with the intent of IDENTIFYING how the PRA model is affected, whereas the older version was focused more on an EVALUATION of sensitivity studies as it related to model uncertainty and assumptions. During the 2012 PRA model update, the Uncertainty Notebook (SA-PRA-018) was officially issued and includes a comprehensive treatment on model uncertainty and assumptions for both CDF and LERF, using references that include EPRI 1026511, which addresses the use of PRA and the treatment of uncertainty, and EPRI 1016737, which addresses the treatment of parameter and model uncertainty. As such, the PRA model documentation is in compliance with the 2009 version of the ASME PRA Standard with regard to this Supporting Requirement. QU-F4 QU-F4 The newer version of this SR redefines the treatment of model uncertainty and related assumptions by referring to QU-E4, whereas the earlier requirement referenced an example listing of "key assumptions" and "key sources of uncertainty", such as success criteria, reliability data, modeling uncertainties, completeness of initiating events, spatical dependencies, etc. See response for SR QU-E4. LE-F3 LE-F3 The change for this SR involves the same change involving the treatment of uncertainty and assumptions as for CDF, except that the focus is on LERF. See response for SR QU-E4. 95

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS IE-A5 IE-A4 The search for initiators should go down to the subsystem/train level. Capability Category III should consider the use of other systematic processes. Cat I and II: PERFORM a systematic evaluation of each system and where necessary down to the subsystem or train level, including support systems. No change from RG 1.200 Rev 1 to Rev 2. IE-A6 IE-A4a Initiating events from common cause or from both routine and non-routine system alignments should be considered. Cat II: resulting from multiple failures, if the equipment failures result from a common cause, and or from routine system alignments resulting from preventive and corrective maintenance. Change from and to or in RG 1.200 Rev 2 does not change underlying purpose already addressed by Rev 1. IE-C12 IE-C10 Providing a list of generic data sources would be consistent with other SRs related to data. COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonable check of the results. An example of an acceptable generic data sources is NUREG/CR-6928 [Note (1)]. Change to a different NUREG as an example does not change the evaluation already addressed by Rev 1. Footnote (1)(a) to Table 2-2.1-4(c) Footnote 3 to Table 4.5.1-2c) The first example makes an assumption that the hourly failure rate is applicable for all operating conditions.

Thus, fbus at power = 1x10-7/hr
  • 8760 hrs/yr
  • 0.90 = 7.9x10-4/reactor year.

In the above example, it is assumed the bus failure rate is applicable for at-power conditions. It should be noted that initiating event frequencies may be variable from one operating state to another due to various factors. In such cases, the contribution from events occurring only during at-power conditions should be utilized. No change from RG 1.200 Rev 1 to Rev 2. 96

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS 2-2.2.1 4.5.2.1 The HLR and associated SRs are written for CDF and not LERF; therefore, references to LERF are not appropriate. 2-2.2.1 Objectives. The objectives reflected in the assessment of CDF and LERF is such a way that. No change from RG 1.200 Rev 1 to Rev 2. AS-A9 AS-A9 The code requirements for acceptability need to be stated. Cat II and III: affect the operability of the mitigating systems. (See SC-B4.) No change from RG 1.200 Rev 1 to Rev 2. 2-2.3.1 4.5.3.1 The HLR and associated SRs are written for CDF and not LERF; therefore, references to LERF are not appropriate. (a) overall success criteria are defined (i.e., core damage and large early release) No change from RG 1.200 Rev 1 to Rev 2. SY-A24 SY-A22 There are no commonly used analysis methods for recovery in the sense of repair, other than use of actuarial data. is justified through an adequate analysis or examination of data collected in accordance with DA-C15 and estimated in accordance with DA-D9. (See DA-C15.) No change from RG 1.200 Rev 1 to Rev 2 (other than changing the numbering to DA-C15 and D9 from DA-C14 and D8 SY-B14 SY-B15 Containment vent and failure can cause more than NPSH problems (e.g., harsh environments). Examples of degraded environments include: (h) harsh environments induced by containment venting, failure of the containment venting ducts, or failure of the containment boundary that may occur prior to the onset of core damage Added detail about failure of the containment venting ducts, or failure of the containment boundary to the example does not significantly change the Salem response. See resolution in Table 3-4: All PRA System notebooks were revised to add generic assumptions on components not performing beyond their design operating conditions unless otherwise specified. 97

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS HR-D3 HR-D3 Add examples for what is meant by quality in items (a) and (b) of Cat II, III. Cat II, III: (a) the quality (e.g., format, logical structure, ease of use, clarity, and comprehensiveness) of written procedures (for performing tasks) and the type of administrative controls that support independent review (e.g., configuration control process, technical review process, training processes, and management emphasis on adherence to procedures). of administrative controls (for independent review) (b) the quality of the human-machine interface (e.g., adherence to human factors guidelines [Note (3)] and results of any quantitative evaluations of performance per functional requirements), including both the equipment configuration, and instrumentation and control layout (3) NUREG-0700, Rev. 2, Human-System Interface Design Review Guidelines; J.M. OHara, W.S. Brown, P.M. Lewis, and J.J. Persensky, May 2002. This change from Rev 1 to Rev 2 is only meant to properly document the reference to Note 3. There is no impact on the conformance of the SA115A PRA model to RG 1.200, Rev. 2. HR-D6 HR-D6 This SR should be written similarly to HR-G9 PROVIDE an assessment of the uncertainty in the. point estimates of HEPs. CHARACTERIZE the uncertainty in the estimates of the HEPs consistent with the quantification approach, and PROVIDE mean values for use in the quantification of the PRA results. New clarification. The SA115A PRA model does report HEP values based on their mean point estimates as provided by the HRA Calculator software. As such, there is no impact on the conformance of the SA115A PRA model to RG 1.200, Rev. 2. HR-G3 HR-G3 In item (d) of CC II, III, clarify that clarity refers the meaning of the cues, etc. In item (a) of CC I and item (g) of CC II, III, clarify that complexity refers to both determining the need for and executing the required response. Cat II, and III: (d) degree of clarity of the cues/indications in supporting the detection, diagnosis, and decision-making give the plant-specific and scenario-specific context of the event. (g) complexity of detection, diagnosis and decision-making, and executing the required response. Rev 2 separates Cat I from Cat II/III, and adds more detail to item (d) for Cat II. This added detail already exists in item (g) of Rev 1. The use of the HRA Calculator supports this level of detail in the Salem HRA, as was documented in the review against Rev 1, so there is no impact on the conformance of the SA115A PRA model to Rev 2. 98

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS HR-G4 HR-G4 Requirements concerning the use of thermal/hydraulic codes should be cross-referenced. Cat I, II, and III: BASE. (See SC-B4.) SPECIFY the point in time. No change from RG 1.200 Rev 1 to Rev 2. HR-G8 HR-G9 Action verb should be capitalized CHARACTERIZE Characterize the uncertainty.. This is a typographical correction only. DA-C15 DA-C14 This SR provides a justification for crediting equipment repair (SYA24). As written, it could be interpreted as allowing plant-specific data to be discounted in favor of industry data. In reality, for such components as pumps, plant-specific data is likely to be insufficient and a broader base is necessary. IDENTIFY instances of plant-specific experience or and, when that is insufficient to estimate failure to repair consistent with DA-D9, applicable industry experience and for each repair, COLLECT. This Supporting Requirement (SR) is not applicable for the Salem PRA model since no credit is being taken for repair of equipment following initial failure. DA-D1 DA-D1 Other approved statistical processes for combining plant-specific and generic data are not available. CC II and III: USE a Bayes update process or equivalent statistical process that assigns that assigns appropriate weight to the statistical significance of the generic and plant specific evidence and provides an appropriate characterization of the uncertainty. CHOOSE. No change from RG 1.200 Rev 1 to Rev 2. DA-D9 N/A New requirement needed, DA-C15 was incomplete, only provided for data collection, not quantification of repair. (See SY-A24.) Cat I, II, and III: For each SSC for which repair is to be modeled, ESTIMATE, based on the data collected in DA-C15, the probability of failure to repair the SSC in time to prevent core damage as a function of the accident sequence in which the SSC failure appears. See response for SR DA-C15. 99

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS 2-2.7.1 4.5.8.1 SRs for LERF quantification reference the SRs in 2-2.8, and therefore, need to be acknowledged in 2-2.8. The objectives of the quantification element are to provide an estimate of CDF (and support the quantification of LERF) based upon the plant-specific (b) significant contributors to CDF (and LERF) are identified such as initiating events No change from RG 1.200 Rev 1 to Rev 2. Table 2-2.7-1 HLR-QU-D Table 4.5.8-1 HLR-QU-D SRs for LERF quantification reference the SRs in 2-2.8 and, therefore, need to be acknowledged in 2-2.8. significant contributors to CDF (and LERF), such as initiating events, accident sequences No change from RG 1.200 Rev 1 to Rev 2. QU-A2 QU-A2a Need to acknowledge LERF quantification consistent with the estimation of total CDF (and LERF) to identify significant accident The addition of LERF is covered by the assessment of the LE supporting requirements. QU-A3 QU-A2b The state-of-knowledge correlation should be accounted for all event probabilities. Left to the analyst to determine the extent of the events to be correlated. Need to also acknowledge LERF quantification Cat II: ESTIMATE the mean CDF (and LERF), accounting for the state-of-knowledge correlation between event probabilities when significant (see NOTE 1). The addition of LERF is covered by the assessment of the LE supporting requirements. The when significant deletion was unchanged from Rev 1 to Rev 2. QU-B6 QU-B6 Need to acknowledge LERF quantification ACCOUNT for realistic estimation of CDF or LERF. This accounting The addition of LERF is covered by the assessment of the LE supporting requirements. 100

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS Table 2-2.7-5(d) Table 4.5.8-2(d) HLR-QU-D and Table 2-2.7-2(d) objective statement just before table need to agree; SRs for LERF quantification reference the SRs in 2-2.7 and, therefore, need to be acknowledged in 2-2.7. significant contributors to CDF (and LERF), such as initiating events, accident sequences No change from RG 1.200 Rev 1 to Rev 2. QU-E3 QU-E3 Need to acknowledge LERF quantification Cat I and II: ESTIMATE the uncertainty interval of the CDF (and LERF) results. The addition of LERF is covered by the assessment of the LE supporting requirements. QU-E4 QU-E4 The note has no relevance to the base model and could cause confusion; it should be deleted. For each source of model uncertainty introduction of a new initiating event) [Note (1)]. NOTE: For specific applications, And in logical combinations. Deletion of the note does not change the conformance of the SA115A PRA model to Rev 2. QU-F2 QU-F2 SR needs to use defined term significant instead of dominant. In addition, there is no requirement to perform sensitivity studies, and therefore, requirement is not needed for documentation. (g) equipment or human actions that are the key factors in causing the accidents sequences to be non-dominant nonsignificant. (h) the results of all sensitivity studies Changes to (g) are the same in Rev 1 and Rev 2. Deletion of (h) does not change the conformance of the SA115A PRA model to Rev 2. LE-G2 LE-G2 There is no requirement to perform sensitivity studies. (h) the model integration quantification including uncertainty and sensitivity analyses, as appropriate for the level of analysis Deletion of the requirement for sensitivity studies does not change the conformance of the SA115A PRA model to Rev 2. 101

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS IFSO-A1 IF-B1 The list of fluid systems should be expanded to include fire protection systems. For each flood area... INCLUDE: (a) equipment (e.g., piping, valves, pumps) located in the area that are connected to fluid systems (e.g., circulating water system, service water system, and reactor coolant system, and fire protection system) No change from RG 1.200 Rev 1 to Rev 2. IFSO-A5 IF-B3 It is necessary to consider a range of flow rates for identified flooding sources, each having a unique frequency of occurrence. For example, small leaks that only cause spray are more likely than large leaks that may cause equipment submergence. (b) range of flow rates No change from RG 1.200 Rev 1 to Rev 2. 102

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS IFSN-A6 IF-C3 For Cat II, it is not acceptable to just note that a flood-induced failure mechanism is not included in the scope of the internal flooding analysis. Some level of assessment is required. Cat II: For the SSCs identified in IFSN-A5, IDENTIFY the susceptibility of each SSC in a flood area to flood-induced failure mechanisms. INCLUDE failure by submergence and spray in the identification process. ASSESS qualitatively the impact of flood-induced mechanisms that are not formally addressed (e.g., using the mechanisms listed under Capability Category III of this requirement), by using conservative assumptions. Component susceptibility to flood damage due to either submergence or spray effects was identified for various types of SSCs in section 2.2.5 of the Internal Flood PRA Notebook (SA-PRA-012). Damage to SSCs due to jet impingement, pipe whip, elevated temperature, humidity, and excessive condensation are attributed to High Energy Line Break type of scenarios which are modeled using feedwater and steam line break initiating events that are already a part of the full power internal events (FPIE) PRA model. Also, these high energy line break (HELB) scenarios are covered under the Design and Licensing process where Equipment Qualification of safety related SSCs is required as part of the Design and Licensing basis. In addition, most high energy system piping is located in an outside environment at Salem since the Salem turbine deck is open to the atmosphere. Within the Auxiliary Building, high energy steam piping that supplies the motive force for the turbine-driven Auxiliary Feedwater (AFW) pump is contained within an enclosure designed for HELB scenarios. The water systems associated with internal flood hazards are typically below 200 deg. F and less than 275 psig, which are incapable of producing the flood-induced mechanisms associated with HELB scenarios. As such, the damage mechanisms associated with HELB scenarios (i.e., mechanisms listed under Capability Category III) are not applicable to the modeled internal flood scenarios in the Salem FPIE PRA model. IFQU-A8 IF-E6a The quantification also needs to include the effect of common-cause failure. INCLUDE, in the quantification, the combined effects of including equipment failures, unavailability due to maintenance, common-cause failures and other credible causes. Addition of common-cause failures was unchanged from Rev 1 to Rev 2. 103

LR-N17-0135 LAR S17-05 TABLE 4-19 ASSESSMENT OF SUPPORTING REQUIREMENT CAPABILITY CATEGORIES WITH CONSIDERATION OF REGULATORY POSITION CHANGES FROM RG 1.200 REV 1 TO REV 2 (APPENDIX A) RA-Sa-2009 SR # (RG 1.200 Rev 2) RA-Sb-2005 SR # (RG 1.200 Rev 1) DESCRIPTION OF RG 1.200, REV. 2, REGULATORY POSITION (CAT II) COMMENTS References (from both Table A-2 and A-3) Start of Table A-1 See global comment on references at start of Table A-1. Use of references: the various references, may be acceptable, in general; however, the staff has not reviewed the references, and there may be aspects that are not applicable or not acceptable. For every reference cited in the standard (except NEI 00-02): No staff position is provided on this reference. The staff neither approves nor disapproves of information contained in the referenced document. No change from RG 1.200 Rev 1 to Rev 2. 104

LR-N17-0135 LAR S17-05 4.3.1.4 URE Status The URE (Update Requirement Evaluation) database is a resource and working tool used by the Risk Management Team to ensure that the as-built, as-operated Salem plant configuration is reflected in the PRA. In addition, enhancements to the PRA quality are also identified, tracked, and resolved. The observations are recorded in the URE database. These observations identify potential areas of investigation for future model enhancement. This database was reviewed and recorded below in Table 4-20. There are no outstanding UREs that would invalidate the use of the SA115A PRA model for quantifying the risk implications involved with the proposed ESFAS/RTB AOT extension. There is one URE identified in Table 4-20 as a potential impact, SA2014-018. This URE identifies the need for re-evaluation of the surveillance test interval for the vital bus relay during PRA updates. Though the AOT extension and the surveillance test interval extension impact related components, this open URE will not impact the risk analyses done for this LAR. The URE exists to ensure that the surveillance test interval is rechecked against updated PRA models in accordance with industry procedures. TABLE 4-20 OPEN URE REVIEW URE # Date Comments Potential to affect the LAR? SA2005-019 1/12/2006 Unit 2 model needs to be developed No SA2010-027 N/A Suggestion to provide cross reference between PRA Standard and where in the document it is addressed No SA2012-002 1/30/2012 Modification of CVCS pumps; now have mechanical seals that do not require CCW cooling No SA2013-001 7/19/2013 Butterfly valves added to SW return lines No SA2013-002 10/23/2013 Chiller recirculation pump modeling needs to be refined No SA2014-001 12/12/2013 Advanced digital feedwater control system replaced-needs to be updated in model No SA2014-005 3/5/2014 Review FPRA impact from fire loading associated with new cables associated with FLEX strategies No SA2014-006 4/21/2014 Revise manipulation times applied in cold leg recirculation actions No SA2014-010 5/27/2014 Add in missing pre-initiators in HRA documentation No SA2014-012 6/6/2014 NSAL-14-1 produced preliminary results which warranted a change in RCP seal LOCA leakage. Once more guidance is released, the model may need to be updated again No SA2014-017 7/10/2014 RCP seal flow rate following loss of all AC power is underestimated in model No SA2014-018 7/21/2014 Incorporation of SA-STI-004 (surveillance test interval extension) analysis that was performed on the vital bus undervoltage relays Yes SA2014-021 9/9/2014 System notebook maintenance No SA2015-007 3/24/2015 Development of AFW alternate suction sources No SA2015-016 6/2/2015 EOOS asymmetry with ECACS between Unit 1 and Unit 2 No 105

LR-N17-0135 LAR S17-05 TABLE 4-20 OPEN URE REVIEW URE # Date Comments Potential to affect the LAR? SA2015-017 6/10/2015 Potential CCW dependency enhancement No SA2015-024 9/18/2015 Installation of SW return valves No SA2015-028 10/22/2015 New RCP seals No SA2015-032 12/18/2015 Modeling enhancement for EDG failure to load event No SA2015-033 12/18/2015 Recovery of Offsite power during first hour of event No SA2016-005 4/20/2016 Concurrent maintenance times No SA2016-007 6/27/2016 Chilled water inter-unit cross-tie No SA2016-011 12/13/2016 Risk significant actions without details HEP calculations No SA2017-001 1/3/2017 Basic Event AC5-BAC-ST-I-1153 needs to be renamed No SA2017-002 1/21/2017 Elimination of cutsets with both ELAP event and non-ELAP event flags No SA2017-003 2/2/2017 Revised JHEP analysis No SA2017-004 2/9/2017 SW AOVs for DG cooling support No SA2017-005 2/24/2017 Improved operator response in procedure for ISLOCA No SA2017-006 3/28/2017 Spray scenario refinement No SA2017-007 3/28/2017 Merging of EOOS model logic with MOR No SA2017-008 3/28/2017 Internal flooding mitigation in SW bays No SA2017-009 3/29/2017 Add CC3 valves to EOOS red pump list No SA2017-010 4/18/2017 Internal floods in electrical penetration area No SA2017-011 4/18/2017 Internal floods in SWIS bays No SA2017-012 4/26/2017 SA-PRA-003 footnote error regarding CFCUs No SA2017-013 5/24/2017 Non-generic values needed for 3 HEPs recently found to be risk significant No SA2017-014 6/7/2017 Logic modifications needed for 28 VDC chargers No SA2017-015 6/8/2017 SEC actuation for SW20 and SW26 valves No SA2017-016 6/9/2017 28 VDC battery modeling-output breakers not installed No SA2017-017 6/9/2017 Conditional LOOPs treated as grid-related LOOPs (possible under conservative probabilities being used) No SA2017-018 6/9/2017 SEC and 115 VAC vital instrument bus support dependencies No SA2017-019 6/21/2017 Basic Event CM reduced from 1.2E-06 to 1.2E-08 No SA2017-020 6/21/2017 Correction of fault tree logic for ATWS scenarios with LOOP initiators No 4.3.1.5 Review of PRA Model Specific to Application Sufficient modeling exists in the PRA to represent the changes for most of the components of interest. However, two changes were needed in order to add details to support the analysis of two of the specific functions. 106

LR-N17-0135 LAR S17-05

1. Undervoltage Relay Maintenance/ Testing Basic Events Added In order to calculate the change in CDF/LERF due to ESFAS/RTS AOT extensions, the testing and maintenance event probabilities associated with the instrumentation will be adjusted to reflect the extended AOT. Due to infrequent testing this basic event is not included in the SA115A model. Three new events, one for each UV relay, have been added to the Unit 1 application specific model, SA115B. The relays are currently tested quarterly, but the total unavailable time is kept to a minimum (hence its non-inclusion in the PRA).

Assuming a total of 1 hour of testing time per year, the unavailability for the new events was estimated as follows: () = = 1 365 x 24

= 1.1404 The new basic event names and their parent gates have been listed in Table 4-21. The degraded voltage relays are not modeled in the PRA. While they are connected differently to the 4kV vital buses, they are functionally similar in the PRA and bounded by the Undervoltage relays regarding their input to the SECs. TABLE 4-21 UV RELAY TESTING/MAINTENANCE EVENTS FOR MODEL SA115B Basic Event Description Value Parent Gate ESF-RLY-TM-UV1A UV RELAY 1A UNAVAILABLE DUE TO TEST/MAINTENANCE 1.14E-04 G49X120 G1NB120 ESF-RLY-TM-UV1B UV RELAY 1B UNAVAILABLE DUE TO TEST/MAINTENANCE 1.14E-04 G49X180 G1NB180 ESF-RLY-TM-UV1C UV RELAY 1C UNAVAILABLE DUE TO TEST/MAINTENANCE 1.14E-04 G49X150 G1NB150

2. Semiautomatic Transfer to Recirculation Logic Added Semiautomatic transfer to recirculation capability only exists for Salem Unit 2. The Salem MOR only models Unit 1, therefore an application-specific Unit 2 model, SA215B, had to be created in order to add semiautomatic transfer to recirculation logic. This Unit 2 specific model also includes the additional UV relay testing/maintenance events discussed above.

This logic is created by inserting a level above all Operator Fails to Align for Recirculation gates and combining them, through use of an AND gate, with a Failure of transfer to recirculation gate. Figures 4-1 and 4-2 below show one example of the old logic versus the new logic. 107

LR-N17-0136 INSLIFF REGIRG FLOW FROM' 1i'2 SJ PUMPS IGSJK100I nr OPEFI.ATOR FAILS TO ALIGN FOR RECI RGLILATION IGSJK1'9*11 FIGURE 4-1 LAR 517-06 SA115A LOGIC WITHOUT SEMIAUTOMATIC TRANSFER TO RECIRCULATION lNSUFF RECIRC FLOW FROM '112 SJ PUMPS FLOW OIVERSiot{ BACK TO RWSTTHROUGH MINI FLOW OF'ERATOR FAILS TO ALIGN' FOR RECIRCULATION SEMIA.UTOMATIC TRANSFER TO RECIRCULATION FLO'.V DIVERSION BACK TO RWSTTHROUGH PS-4 Failure. nf Automatic Actuatinn of Recirculation (U ft 2) FIGURE 4-2 SA215B LOGIC WITH SEMIAUTOMATIC TRANSFER TO RECIRCULATION The new "Failure of Automatic Actuation of Recirculation (Unit 2)" gate requires failure of both Train A and B of the RWST low level logic. Each train then includes a power dependency, common cause failure term, logic circuit failure term, testing/maintenance term, and sensor failure gate. Each train has four RWST low level sensors of which 2 are required in order for the train to be successful [Reference 19], [Reference 20]. Several SSPS basic events are shared with other ESFAS/RTS functions. This can be seen in Figure 4-3 below. 108

LR-N17-0135 LAR S17-05 FIGURE 4-3 FAILURE OF AUTOMATIC ACTUATION OF RECIRCULATION LOGIC IN SA215B In addition to the gate GSJK100 as shown in the example above, this same process is completed for gates for other recirculation functions G1JS100 (INSUFFICIENT FLOW FROM 1/2 CVCS PUMPS IN RECIRCULATION), WL-G1RC100 (INSUFF RECIRC FLOW FROM 1 OF 2 PUMPS W /COOLING), and YSR-G1YR100 (FAILURE OF CONTAINMENT SPRAY IN RECIRC MODE). Additionally the new gate, GSJK291, is added to gates XHOS-A and XHOS-S1-1, which feed into logic related to recirculation during Large or Intermediate LOCA. 4.3.2 External Events Considerations External hazards were evaluated in the Salem Individual Plant Examination for External Events (IPEEE) [Reference 21] submittal in response to the NRC IPEEE Program (Generic Letter 88-20, Supplement 4) [Reference 22]. The IPEEE Program was a one-time review of external hazard risk and was limited in its purpose to the identification of potential plant vulnerabilities and the understanding of associated severe accident risks. Failure of Automatic Actuation of Recirculation (Unit 2) GSJK291 FAILURE OF SIGNAL FROM TRAIN A RWST LOW LEVEL GSIR110TRA INSTRUMENTS FROM RWST LOW LEVEL SENSORS FAIL TRA GSIR220TRA RPS LOGIC CIRCUIT TRAIN A IN TEST OR MAINTENANCE RPS-LOG-TM-TRNA 8 3.80E-04 POWER FAILURE AT 115 VAC VITAL INSTRUMENT BUS 1A G1AB100 U1 FAILURE OF TRAIN A LOGIG CIRCUIT RPS-LOG-FC-TRNA 8 3.80E-04 CCF OF SSPS TRAINS A AND B (INCLUDING SSPS SLAVE RELAYS) RPS-LOG-FC-TRNAB 16 8.32E-06 FAILURE OF SIGNAL FROM TRAIN B RWST LOW LEVEL GSIR110TRB INSTRUMENTS FROM RWST LOW LEVEL SENSORS FAIL TRB GSIR220TRB RPS LOGIC CIRCUIT TRAIN B IN TEST OR MIANTENANCE RPS-LOG-TM-TRNB 8 3.80E-04 U1 FAILURE OF TRAIN B LOGIC CIRCUIT RPS-LOG-FC-TRNB 8 3.80E-04 CCF OF SSPS TRAINS A AND B (INCLUDING SSPS SLAVE RELAYS) RPS-LOG-FC-TRNAB 16 8.32E-06 POWER FAILURE AT 115 VAC VITAL INSTRUMENT BUS 1B G1BB100 109

LR-N17-0135 LAR S17-05 The results of the Salem IPEEE study are documented in the Salem IPEEE. Each of the Salem external event evaluations were reviewed as part of the submittal by the NRC and compared to the requirements of NUREG-1407 [Reference 23]. Consistent with Generic Letter 88-20, the Salem IPEEE Submittal does not screen out seismic or fire hazards, but provides quantitative analyses. The following sections provide a brief summary of the seismic and fire hazards probabilistic analysis. 4.3.2.1 Seismic PRA The seismic risk analysis provided in the Salem Individual Plant Examination for External Events is based on a detailed Seismic Probabilistic Risk Assessment. A Seismic Probabilistic Risk Assessment analysis approach was taken to identify any potential seismic vulnerabilities at Salem. The Seismic PRA method was deemed an acceptable methodology identified in NUREG-1407. This PRA technique included consideration of the following elements: Seismic hazard analysis Seismic fragility assessment Seismic systems analysis Quantification of the seismically induced core damage frequency The Salem Seismic PRA study is a detailed analysis that, like the internal fire analysis, uses quantification and model elements (e.g., system fault trees, event tree structures, random failure rates, common cause failures, etc.) consistent with those employed in the internal events portion of the Salem PRA. Some of the highlights of the Salem Seismic PRA methodology include the following: Seismic hazard curve is based on the EPRI site specific seismic hazard study. In addition, revised Lawrence Livermore National Laboratory (LLNL) seismic hazard estimates are used as input as a sensitivity case. A seismic event is not always assumed to result in a Loss of Offsite Power (LOOP). Seismic failure of offsite power is evaluated on a probabilistic basis according to component fragilities. The Salem IPEEE stated that no plant unique or new vulnerabilities associated with the Seismic Analysis were identified. The Seismic PRA for Salem, with its original IPEEE hazard curves and identified dependencies and fragilities, can be used to provide general quantitative and qualitative insights. See section 4.3.4.6 for the risk evaluation and insights. 4.3.2.2 Fire PRA The analysis of the impact of internal fires consisted of a screening of fire areas based on EPRI Fire Induced Vulnerability Evaluation (FIVE) methodology [Reference 24]. As prescribed by the FIVE methodology, detailed area-by-area equipment and cable inventories were developed from the Appendix R analysis, the Safe Shutdown Analysis (SSA), and the Fire Hazards Analysis (FHA) [Reference 25]. The fire evaluation was performed on the basis of fire areas, which are plant locations completely enclosed by rated fire barriers. The fire area boundaries were assumed to be effective in preventing a fire from spreading from the originating area to another area based on the implementation of a satisfactory fire barrier surveillance and 110

LR-N17-0135 LAR S17-05 maintenance program, and observation during the walkdown. The fire area boundaries recognized in this study are defined in Sections 3 through 5 of the Salem Generating Station FHA and in the SSA. Qualitatively, an area was screened out if the area neither contained safe shutdown equipment nor called for a manual or automatic plant trip, given the condition that all equipment in the area is damaged. Quantitatively, an area was screened out if the CDF could be shown to be less than 1E-06 per year, assuming a reactor trip and all equipment in the area failed and was unrecoverable. In theory, the contribution to core damage frequency from fires anywhere in the plant may be assessed in detail. However this was impractical due to the large number of possible scenarios and also unnecessary, since fires in many plant areas are incapable of causing significant damage regardless of how severe they become. Consequently, the first stage in performing a fire analysis was to perform a systematic screening of all fire areas in accordance with the FIVE methodology. Areas not screened quantitatively or qualitatively were retained for a further detailed PRA evaluation. The purpose of the qualitative screening was to identify the boundaries of the plant fire areas, together with the location of equipment and cables which, if damaged by fire, would cause a plant shutdown or degradation of shutdown paths identified in the plant's SSA or IPE. This information was then used to qualitatively screen fire areas from further consideration using the criteria developed in the FIVE methodology. The steps involved in qualitative screening included the following: Step 1 - Identification of Fire Areas Step 2 - Identification of Plant Safe Shutdown Systems Step 3 - Identification of Safe Shutdown Equipment in Each Fire Area Step 4 - Perform Fire Area Safe Shutdown Function Evaluation For the quantitative screening analysis, the FIVE methodology provided a method of screening based on a conservative estimation of the contribution to CDF. The equipment contained within an area was assumed to fail due to a fire. Using an event tree representative of the most significant failure, the contribution to CDF was then calculated. If this contribution was less than 1E-06 per year using the fault tree and event tree models from the IPE, the area or compartment was able to be screened out. As part of the IPEEE internal fire analysis, one potential plant vulnerability was identified, and a plant enhancement has been implemented as a result [Reference 26]. There are two sets of cables supplying offsite power to the 4kV vital buses and these are routed through one elevation of the turbine and service buildings before entering the auxiliary building. The two sets provide a redundant source of power to the vital 4kV buses. Thus, if one set is damaged by fire, the second set could provide power to all three buses. In the turbine and service buildings, the two redundant sets of cables are separated by less than 10 feet for a portion of the area. No significant fixed combustible sources are located within 30 feet of the cables and are therefore not considered to be risk significant. However, as a result of the fire IPEEE, transient combustible controls similar to those in place for the auxiliary building, penetration areas and service water intake structure have been put into effect for this area of the turbine and service buildings. The internal fire PRA model was credited with this enhancement and was reflected in the IPEEE results. 111

LR-N17-0135 LAR S17-05 4.3.2.3 Other External Hazards In addition to internal fires and seismic events, the Salem IPEEE analysis of high winds or tornados, external floods, transportation accidents, nearby facility accidents, release of onsite chemicals, detritus and other external hazards was accomplished by reviewing the plant environs against regulatory requirements regarding these hazards. The screening assessment took advantage of the fact that the site is co-located with the Hope Creek Generating Station (HCGS), which is a plant that meets the 1975 Standard Review Plan (SRP) criteria [Reference 27]. To the extent that the event assessment is based on location of the site, as opposed to plant specific features, information from Sections 2 and 3 of the latest revision of the HCGS Updated FSAR (UFSAR) [Reference 28] was used to supplement information from the Salem UFSAR [Reference 29]. The class of external events termed "other external events" were screened out either by compliance with the 1975 SRP criteria or by bounding probabilistic analyses that demonstrated a core damage frequency of less than the IPEEE screening criterion. The external flood assessment provided input to the now completed Penetration Improvement Program by recommending that a high priority be placed on penetrations through the Auxiliary Building/Service Building walls. The IPEEE provided confidence that no plant-unique external event is known that poses a significant threat of severe accidents and that the Salem units are not vulnerable to other external events. More recently, in response to NRC Order EA-12-049 [Reference 30], which was issued following the tsunami and plant consequences experienced at Fukushima-Daichi in March 2011, PSEG developed an Overall Integrated Plan (OIP) [Reference 31] to enhance the defense-in-depth countermeasures aimed at mitigating extreme external hazards. The OIP employed the use of Diverse and Flexible Coping Strategies (FLEX) in accordance with the guidance given in NEI 12-06 [Reference 32]. This resulted in the deployment of portable FLEX equipment that could be put into service when necessary to mitigate extreme external hazards. Although FLEX is not explicitly modeled in the current PRA model, qualitative insights suggest that the risk due to these other external hazards, as well as other beyond design basis events pursuant to Reference 32, would be even less than what was characterized by any historic evaluations performed in support of the IPEEE. See Section 4.3.4.7 for a bounding risk evaluation and insights of external flooding. 4.3.2.4 External Hazard PRA Summary Due to the fact that Salem does not have a current external events PRA model, the use of IPEEE results was deemed acceptable for use in providing insights into the risk contribution associated with the AOT extension. 4.3.3 Technical Adequacy Summary The Salem PRA model, maintenance and update process, and technical capability discussion described above provide a robust basis for concluding that the PRA is suitable for use in risk-informed processes. However, two application specific PRA models (SA115B and SA215B) were developed in order to more accurately assess the risk increase for this ESFAS/RTS AOT extension. Since this was the only change made to the current Salem PRA MOR (SA115A), the technical adequacy of the SA115A MOR also extends to these application specific PRA models (SA115B & SA215B). 112

LR-N17-0135 LAR S17-05 4.3.4 Tier 1. Probabilistic Risk Assessment This section addresses the Tier 1 risk assessment for the proposed extension of the ESFAS/RTS instrumentation AOT. The proposed changes associated with the extended ESFAS/RTS instrumentation AOT are evaluated using a PRA model closely based on the Salem PRA Model of Record (MOR) to determine that current regulations and applicable requirements continue to be met, that adequate defense-in-depth and sufficient safety margins are maintained, and that any increase in core damage frequency (CDF) and large early release frequency (LERF) is small and consistent with the acceptance guidelines in Reference 10. The modeling approach is consistent with the NRC guidance for the calculation of the requested risk measures. Regulatory Guide 1.177 is followed to calculate the change in risk measures ICCDP and ICLERP. These conditional probabilities are performed to calculate the risk change during the proposed ESFAS/RTS Instrumentation AOT by setting the appropriate components as failed. In addition, an assessment of the impact of the AOT extension on overall average risk is calculated by assigning an increased testing/maintenance probability to the ESFAS/RTS instrumentation. This increased probability is based on the factor of change of the AOT, thereby conservatively assuming that all existing unavailability will be increased by that same factor. An additional calculation was performed to assess the impact of all instrumentation unavailable simultaneously. Regulatory Guide 1.174 has acceptance guidelines that act as trigger points to address concerns as to whether the proposed change provides reasonable assurance of adequate protection. The Salem internal events PRA is a thorough and detailed PRA model that is robust and capable of supporting the risk-informed decision to increase the ESFAS/RTS Instrumentation Allowed Outage Time. See Section 4.3.3 for a discussion of the PRA technical adequacy. Assumptions The PRA quantitative evaluation of the extended ESFAS/RTS instrumentation AOT has a number of assumptions. This subsection lists some of the important assumptions. The external event analysis is based on a qualitative analysis using insights from the IPEEE study, insights gleaned from the WIP Fire PRA model, and hazard-specific stand-alone calculations of potential risk impacts. The base risk model has not increased the ESFAS/RTS instrumentation maintenance unavailabilities to account for future potential increases in the average unavailabilities. If this were to be included in the base risk model, it would result in improving the calculated risk metrics and showing an increase in the margin from the calculated risk metrics to their acceptance guidelines. Corrective and preventative maintenance outages have been combined to calculate a total maintenance unavailability. This is consistent with the ASME PRA Standard. Common cause failure events are treated using the INL common cause data base developed under the auspices of the NRC. The conditional probability of 113

LR-N17-0135 LAR S17-05 failure of additional instrumentation has been adjusted to account for the hypothetical case that all specified ESFAS/RTS instrumentation have suffered a failure. This is bounding; other more likely scenarios would lead to lower conditional probabilities and risk increases. Compensatory Measures PSEG maintenance practices involve protecting other equipment coincident with maintenance being performed on ESFAS/RTS instrumentation per OP-AA-108-116, Protected Equipment Program [Reference 33]. This procedure specifically states that if ESFAS/RTS instrumentation channels are unavailable as permitted by technical specifications, the remaining operable channels shall be protected. The PRA MOR directly accounts for this maintenance practice and is reflected in the quantitative analysis. In addition, OP-AA-108-116 directs the Operations and Work Management personnel to routinely monitor various maintenance configurations and protect equipment that could lead to an elevated risk condition (e.g., red risk condition) if it were to become unavailable due to unplanned or emergent conditions. This is normally accomplished using a predictive PRA software tool based on the PRA MOR, i.e., EOOS Configuration Risk Monitor program from the Electric Power Research Institute (EPRI). 4.3.4.1 Risk Metric Calculational Approach To determine the effect of the proposed Allowed Outage Time for unavailability of ESFAS/RTS instrumentation, the guidance provided in Regulatory Guides 1.174 and 1.177 is used. Thus, the following risk metrics are used to evaluate the risk impacts of extending the various ESFAS and RTS instrumentation AOT: Regulatory Guide 1.174 CDFAVE = change in the annual average CDF due to the increase in on-line maintenance unavailability for ESFAS/RTS instrumentation based on the increased Allowed Outage Time. This risk metric is used to compare against the criteria of Regulatory Guide 1.174 to determine whether a change in CDF is regarded as risk significant. These criteria are a function of the baseline annual average core damage frequency, CDFBASE. LERFAVE = change in the annual average LERF due to the increase in on-line maintenance unavailability for ESFAS/RTS instrumentation based on the increased Allowed Outage Time. Regulatory Guide 1.174 criteria were also applied to judge the significance of changes in this risk metric. Regulatory Guide 1.177 ICCDPINST = incremental conditional core damage probability with ESFAS/RTS instrumentation out-of-service for an interval of time equal to the proposed new Allowed Outage Time. This risk metric is used as suggested in Regulatory Guide 1.177 to determine whether a proposed increase in Allowed Outage Time has an acceptable risk impact. 114

LR-N17-0135 LAR S17-05 ICLERPINST = incremental conditional large early release probability with ESFAS/RTS instrumentation out-of-service for an interval of time equal to the proposed new Allowed Outage Time. Regulatory Guide 1.177 criteria were also applied to judge the significance of changes in this risk metric. The evaluation of the above risk metrics is performed as follows. New unavailability values were applied to the ESFAS/RTS instrumentation based on the change in Allowed Outage Time. The change in unavailability is proportional to the change in Allowed Outage Time. These new values can be seen in Table 4-22. The change in the annual average CDF due to the extension of the ESFAS/RTS instrumentation Allowed Outage Time for the specified unavailability, CDFAVE, is evaluated by computing the following: = where: CDFNEW = CDF evaluated from the PRA model with the new unavailability of ESFAS/RTS instrumentation and compensatory measures that include prohibiting concurrent maintenance on the remaining instrumentation channels. CDFBASE = baseline annual average CDF with average unavailability of ESFAS/RTS instrumentation consistent with the current Allowed Outage Time. CDF = Difference between CDF with current technical specifications and the CDF with increased unavailability of ESFAS/RTS instrumentation after the AOT has been extended. A similar approach was used to evaluate the change in the average LERF due to the requested Allowed Outage Time, LERFAVE: = where: LERFNEW = LERF evaluated from the PRA model with the new ESFAS/RTS instrumentation unavailability and compensatory measures that include prohibiting concurrent maintenance on the remaining instrumentation channels. LERFBASE = baseline annual average LERF with average unavailability of ESFAS/RTS instrumentation consistent with the current Allowed Outage Time. LERF = Difference between LERF with current technical specifications and the LERF with increased unavailability of ESFAS/RTS instrumentation after the AOT has been extended. 115

LR-N17-0135 LAR S17-05 TABLE 4-22 NEW ESFAS/RTS INSTRUMENTATION UNAVAILABILITIES System Basic Event Old UA New UA Factor of Change Containment Isolation RPS-LOG-TM-TRNA 3.80E-04 1.52E-03 4 RPS-LOG-TM-TRNB 3.80E-04 1.52E-03 4 Safeguards Equipment Control System ESF-LOG-TM-SEC-A 6.07E-04 2.43E-03 4 ESF-LOG-TM-SEC-B 6.07E-04 2.43E-03 4 ESF-LOG-TM-SEC-C 6.07E-04 2.43E-03 4 Vital Bus Undervoltage ESF-RLY-TM-UV1A 1.14E-04 8.20E-03 72 ESF-RLY-TM-UV1B 1.14E-04 8.20E-03 72 ESF-RLY-TM-UV1C 1.14E-04 8.20E-03 72 Semiautomatic Transfer to Recirculation RPS-LOG-TM-TRNA 3.80E-04 4.56E-03 12 RPS-LOG-TM-TRNB 3.80E-04 4.56E-03 12 For the ICCDP/ICLERP calculations, separate flag files were utilized for each system. Each flag file fails one channel or train of the instrumentation and adjusts the common cause failure probability, if it exists, to account for the channel or train failure. This was done by setting the independent failure term to 1.0 when calculating the common cause factor. The flag files can be seen in Table 4-23 below. TABLE 4-23 ICCDP/ICLERP CALCULATION FLAG FILES System Abbrev. Flag File Containment Isolation CI RPS-LOG-FC-TRNA EQU .T. RPS-LOG-FC-TRNAB PROB 2.19E-02 Safeguards Equipment Control System SEC ESF-LOG-FC-SECA EQU .T. ESF-LOG-FC-SECAC PROB 8.10E-03 ESF-LOG-FC-SECAB PROB 8.10E-03 ESF-LOG-FC-SEC3 PROB 7.26E-03 Vital Bus Undervoltage UV ESF-RLY-OO-UV1A EQU .T. Semiautomatic Transfer to Recirculation SA1 ESF-LST-FT-1A EQU .T. SA2 ESF-LST-FT-1A EQU .T. ESF-LST-FT-2A EQU .T. The incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) are computed using the definitions from Regulatory Guide 1.177. In terms of the above defined parameters, the definition of ICCDP for the unavailability of ESFAS/RTS instrumentation is as follows: 116

LR-N17-0135 LAR S17-05 ICCDPINST = (CDFINST - CDFBASE)TINST where: CDFINST = CDF evaluated from the PRA model with ESFAS/RTS instrumentation out-of-service and compensatory measures that include prohibiting concurrent maintenance on the remaining instrumentation channels. TINST = Total duration of extended Allowed Outage Time under consideration. The ICCDP values are dimensionless probabilities to evaluate the incremental probability of a core damage event over a period of time equal to the extended Allowed Outage Time. Similarly, ICLERP is calculated using the methodology described above: ICLERPINST = (LERFINST - LERFBASE )TINST 4.3.4.2 ESFAS/RTS AOT Extension PRA Analysis The Base PRA model of record (MOR) has been reviewed for applicability to the Salem ESFAS/RTS Instrumentation AOT extension and the changes described in Section 4.3.1.5 were included as part of the analysis used for this risk application. The model calculations were performed using the modified SA115A PRA model to develop the increase in risk associated with those configurations involving concurrent unavailability of ESFAS/RTS Instrumentation for extended AOTs. These calculations were used to develop the risk metrics for comparison with RG 1.174 and RG 1.177 acceptance guidelines. Note that because the base CDF for Unit 1 is slightly higher than that of Unit 2 due to the lack of semiautomatic transfer to recirculation capability, the individual CI, SEC, and UV instrumentation changes were performed on the Unit 1 model. For the Unit 2 SA calculations, the CDF/LERF results conservatively apply the more limiting condition (9.b) and the more limiting timing (72 hours from 9.a). The ICCDP/ICLERP reflects only the 9.a case since the 9.b calculation is already covered by the CI case since that level of SSPS component is common to both functions in the PRA model. An additional case (SA2) is included with two RWST level transmitters unavailable, which is appropriate only for the ICCDP/ICLERP calculation. The All run for Unit 1 includes the CI, SEC, and UV changes. The All run for Unit 2 includes the CI, SEC, UV, and SA changes. The RCP breaker position trip is not directly included in the risk calculations. The RCP bus breaker position provides logic to the reactor trip as 1 breaker in 2/4 loops, and only above permissive P-7. For a failure of the RCP bus breaker position indication, additional reactor trip inputs would be expected, such as Loss of Flow (items 12/13) and RCP Undervoltage (item 16). Additional parameters may also rapidly indicate the need for a reactor trip. The reliability of those other trip signals is high, and operator action is also available to manually trip the reactor during a disturbance. 117

LR-N17-0135 LAR S17-05 Due to this high level of redundancy among all the reactor trip signals, specific signals are not modeled in the Salem PRA. To check the potential impact of the failure of a single RCP breaker position indication, a simple, conservative assessment is shown here in a stand-alone calculation. If this indication were unavailable, the most likely path to a core damage accident would require at least failure of another indication (such as Loss of Flow) and failure of operators to manually trip the reactor and perform shutdown via boration. Based on this expected sequence of events, the risk impact related to the change in signal unavailability can be calculated as: CDF = f(transient) x change in signal unavailability x failure of diverse signal x HEP(manual trip and boration) The values used for each term are: f(transient) = 1/yr (bounding value based on Salem IEs) change in signal unavailability = 8.7E-5 for RT system with 2/4 logic and CCF (from WCAP-15376-P-A, Revision 1, Table 8.12) failure of diverse signal = 8.15E-4 (from flow transmitter in NUREG/CR-6928, 2010 update) HEP(manual trip and boration) = 1.4E-3 (from dependent human reliability event JHE-XHE-ATWS3-BORATE in the baseline PRA) Therefore, CDF (total) = 9.9E-11 /yr Therefore, the impact of an RCP bus breaker position signal being unavailable is considered negligible for all PRA sequences. 4.3.4.3 Calculated Risk Metrics Tables 4-24 through 4-27 summarize the calculated values for the NRC specified risk metrics (CDF, LERF, ICCDP, and ICLERP) for the proposed change to the AOT involving the unavailability of various ESFAS/RTS instrumentation. The process used to calculate the risk metrics complies with NRC Regulatory Guides 1.174 and 1.177. 118

LR-N17-0135 LAR S17-05 TABLE 4-24 UNIT 1 CDF/LERF RESULTS FOR UNAVAILABILITY OF ESFAS/RTS INTRUMENTATION Case CDFNEW % Change LERFNEW % Change Base 8.3822E-06 4.4693E-07 CI 8.3825E-06 0.00% 4.4711E-07 0.04% SEC 8.3827E-06 0.01% 4.4693E-07 0.00% UV 8.3829E-06 0.01% 4.4698E-07 0.01% All 8.3838E-06 0.02% 4.4716E-07 0.05% TABLE 4-25 UNIT 2 CDF/LERF RESULTS FOR UNAVAILABILITY OF ESFAS/RTS INTRUMENTATION Case CDFNEW % Change LERFNEW % Change Base 7.6818E-06 4.4246E-07 SA 7.6840E-06 0.03% 4.4306E-07 0.14% All 7.6854E-06 0.05% 4.4311E-07 0.15% TABLE 4-26 UNIT 1 ICCDP/ICLERP RESULTS FOR UNAVAILABILITY OF ESFAS/RTS INTRUMENTATION Case CDFINST TINST (hrs) ICCDPINST LERFINST TINST (hrs) ICLERPINST Base 8.3822E-06 4.4693E-07 CI 1.0588E-05 24 6.04E-09 8.6558E-07 24 1.15E-09 SEC 8.8435E-06 24 1.26E-09 4.6910E-07 24 6.07E-11 UV 8.3834E-06 72 9.64E-12 4.4702E-07 72 7.43E-13 All 1.1051E-05 24 7.32E-09 1.0862E-06 24 1.75E-09 119

LR-N17-0135 LAR S17-05 TABLE 4-27 UNIT 2 ICCDP/ICLERP RESULTS FOR UNAVAILABILITY OF ESFAS/RTS INTRUMENTATION Case CDFINST TINST (hrs) ICCDPINST LERFINST TINST (hrs) ICLERPINST Base 7.6818E-06 4.4246E-07 SA 7.6818E-06 72 0.00E+00 4.4246E-07 72 0.00E+00 SA 2 7.6818E-06 12 0.00E+00 4.4246E-07 12 0.00E+00 All 1.0365E-05 12 3.68E-09 1.0296E-06 12 8.04E-10 4.3.4.4 Discussion of Risk Due to External Events Salem does not have separate probabilistic risk assessments (PRA) for Fire, External Flood or Seismic events. An internal Fire PRA (FPRA) is currently under development. The FPRA was developed as part of the station license renewal project. However, the FPRA did not undergo an industry peer review as required by NRC Regulatory Guide 1.200 [Reference 18] for use in risk informed regulatory applications. PSEG is working to complete the FPRA. The current version, which follows the methodology of NUREG/CR-6850 with some incorporation of more recent data and methods can be used to provide valuable insights, but not quantitative information. The project is expected to culminate with an industry peer review. Seismic events are not currently included in the Model of Record (MOR). The Seismic PRA development for both Salem and Hope Creek is being considered as part of a PSEG Nuclear long-term planning strategy, which will determine the need for such an analysis using PRA methods. External Flood, Low Power/Shutdown, as well as other external events are also being considered as part of a long-term risk management program strategic plan. Like most nuclear power stations, Salem completed an Individual Plant Examination of External Events in 1996 [Reference 21]. Section 1.4 of the IPEEE summarizes the major findings and states that fire and seismic events were the only important contributors to external events core damage. The fire related CDF was 2.3E-05 per year. The seismic related CDF was 9.5E-06 per year using a more conservative hazard curve (LLNL) and 4.7E-06 per year using a curve described as more realistic (EPRI). Section 1.4.3 of the IPEEE explains how the risk of High Winds, External Flood and other external events were screened out as insignificant. The risk increases related to the plant changes in this application due to fire, seismic, and external flood events are discussed in the following sections. 4.3.4.5 Discussion of Fire Risk Section 1.4.2 of Salems IPEEE discusses the station fire risk. The total CDF from fire events was calculated to be 2.3E-05 per year. The top four scenarios are described as follows: 24% of the total CDF (5.5E-06 per year) caused by a fire in the relay room that damages more than one cabinet and requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage. 120

LR-N17-0135 LAR S17-05 9.1% of the total CDF (2.1E-06 per year) caused by a fire in the control room which damages consoles 1, 2, or 3 and requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage. 7.4% of the total CDF (1.7E-06 per year) caused by a relay room fire with damage limited to one electrical cabinet. Control room functions remain available but degraded. Core cooling is unsuccessful, leading to core damage. 4.6% of the total CDF (1.1E-06 per year) caused by a control room fire with damage limited to control console 3. Equipment damage requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage. Another perspective of fire risk is the relative importance for a fire in each area. The top four areas are the relay room (31%), control room (30%), the 460VAC switchgear room (7%), and the 4kVAC switchgear room (7%). Core damage following a relay or control room fire arises primarily from failure to implement alternate shutdown methods following control room abandonment. Such fire scenarios may damage both trains of ESFAS equipment, so the status of a particular component being out-of-service would have a negligible impact since it would have been damaged anyway. The switchgear room fires cause loss of one vital bus. Additional equipment becomes unavailable if the fire is not suppressed. Random failures of equipment unaffected by fire then lead to core damage for these scenarios. The Work-in-Progress (WIP) Fire PRA was used to gain additional insights into the risk impact that would be expected with the specific ESFAS/RTS extensions calculated in Section 4.3.4.3 for the internal events PRA. The results from that evaluation showed a minimal increase in risk similar to that in the internal events model. As an additional set of stand-alone calculations, the potential impact of fire events on the risk assessment is considered. The steps to determine the potential impact of fire events for proposed extensions are:

1. Determine fire initiating event frequencies
2. Determine the actuation signals required for event mitigation
3. Determine the change in signal unavailability
4. Determine the impact on risk metrics The fire ignition frequencies used for this calculation are from the current work-in-progress fire PRA. The frequencies for all of the ignition sources are summed, accounting for severity factors and non-suppression probabilities.

Each fire scenario is assumed to not directly impact an ESFAS train to determine the change in unavailability for ESFAS systems. This is a conservative assumption, since WCAP-15376-P-A, Revision 1, Table 8.10 indicates that a system with only one train available would actually have a decreased unavailability due to an increased AOT. If any cases would exist that impact both ESFAS trains, there would be no change in risk due to additional unavailability. 121

LR-N17-0135 LAR S17-05 Fire events begin as transient-type events, so the primary means of mitigation is decay heat removal. This function can be accomplished by main feedwater, auxiliary feedwater (AFW), or feed-and-bleed operations. Main feedwater is not credited following fire events since there is a relatively large amount of equipment with unknown cable locations that could be damaged due to the fire. Therefore, AFW and feed-and-bleed are relied upon to mitigate a fire transient. Since this assessment is directed at the increased signal unavailabilities, alternative methods are required to start AFW and feed-and-bleed. For fire transient events, AFW normally starts automatically on low-low steam generator level. If that signal is unavailable or failed, then AFW pumps may be started by the operators or the AMSAC system. AMSAC is the ATWS Mitigation System Actuation Circuitry system, and actuates when steam generator level is low and SSPS has failed to actuate. An AMSAC actuation initiates turbine trip and starts all three AFW pumps using methods which are both independent and diverse from SSPS. If no AFW is actuated, operators will initiate feed-and-bleed for decay heat removal. The 4th AFW pump is not credited in this calculation, as it is assumed that failure to manually start the normal AFW pumps would also fail to start the 4th pump for this simple calculation. Based on this expected sequence of events, the risk impact related to the change in signal unavailability can be calculated as: CDF = f(Fire IE) x change in signal unavailability x HEP(AFW start) x AMSAC failure x HEP(Feed-and-bleed) The values used for each term are: f(Fire IE) = 4.62E-1 /yr change in signal unavailability = 2.73E-4 for two trains (from WCAP-15376-P-A, Revision 1, Table 8.10) HEP(AFW Start) = 9.7E-4 (from event AFS-XHE-FO-MDPS in PRA) AMSAC failure = 5.4E-2 (calculated from AMSAC gate in PRA) HEP(Feed-and-bleed) = 2.7E-3 (from event SRV-XHE-FO-FANDB in PRA; not treated as dependent with AFS-XHE-FO-MDPS in the baseline PRA model) Therefore, CDF (total) = 1.8E-11 /yr Since the change in CDF is negligible, the LERF impact will also be negligible and the CDF and LERF changes meet the acceptance criteria in RG 1.174. In summary, for scenarios that would damage both trains of ESFAS equipment, the status of a particular component being out-of-service would have a negligible impact since it would have been damaged anyway. For all other scenarios, the impact would be seen with the opposite train component out-of-service, and those impacts are estimated to be low based on the evaluations of the WIP Fire PRA model and the stand-alone calculations. 122

LR-N17-0135 LAR S17-05 4.3.4.6 Discussion of Seismic Risk Section 1.4.1 of Salems IPEEE [10] reports four significant contributors to seismic related CDF, all associated with station blackout (SBO). These four scenarios represent 78% of the total seismic related CDF based on the more conservative LLNL hazard curve: 31% of the total CDF (2.9E-06 per year) is caused by seismic damage to the switchyard ceramic insulators that leads to a loss of offsite power (LOOP). This is coupled with non-seismic failures of the emergency diesel generators (EDGs) or EDG support systems. 14% of the total CDF (1.3E-06 per year) is caused by seismic damage that causes both a LOOP and loss of service water (LOSW). Service water is required to support the EDGs. Therefore, the LOSW leads to a loss of EDGs. 21% of the total CDF (2.0E-06 per year) is caused by seismic damage that causes both a LOOP and a loss of battery trains A and B. DC power from the batteries is required to start the EDGs. Therefore, the A and B EDGs fail to start. The station has two diesel fuel oil transfer pumps (DFOTPs) powered from the A and B vital buses. The C EDG eventually fails when the associated fuel oil day tank is depleted. 12% of the total CDF (1.2E-06 per year) is caused by seismic damage that causes both a LOOP and failures of main control room instrumentation and control (I&C) caused by ceiling grid collapse. Relay chatter was not considered significant to safe shutdown, and no vulnerability to containment failure or containment bypass leading to early failure was identified. Because damage to equipment during seismic events is often correlated across trains, as shown with failures described above, extension of AOTs for ESFAS/RTS components will have a negligible impact on Seismic risk estimates. If a component is failed during a particular seismic event, its corresponding opposite train component is also likely to fail; therefore, whether it was out-of-service or not is irrelevant. If a component is not failed during a particular seismic event, it will then only contribute to Seismic risk when its corresponding opposite train component is out-of-service due to random failures, which are very low and bounded by the internal events analysis. As such, it can qualitatively be inferred that there would be no significant impact on seismic risk due to extending the AOT for these ESFAS/RTS components. As an additional set of stand-alone calculations, the potential impact of seismic events on the risk assessment is considered. The steps to determine the potential impact of seismic events for proposed extensions are:

1. Determine the accidents that can result from a seismic event
2. Determine the systems of interest
3. Determine how the system of interest is used to mitigate the seismically induced event
4. Determine the impact on risk metrics 123

LR-N17-0135 LAR S17-05 The primary seismic events of interest for this assessment are a LOOP or an induced Small LOCA. The largest seismic events are expected to cause Larger LOCAs and additional failures, making small changes in the availability of actuation signals a negligible impact as discussed above. For a Seismically-induced LOOP event, emergency diesel generators (EDGs) are required to start and run, AFW is required to provide secondary side heat removal, and RCP seal cooling (injection or thermal barrier cooling) must continue to prevent an RCP seal LOCA. This neglects the impact of any new RCP seals that may be installed currently or in the future. The only related signal for these functions that may be impacted by the AOT changes is the need to start AFW. As discussed in the Fire section above, AFW may also be started by operator action, or by the AMSAC. Upon failure to start AFW, feed-and-bleed may also be possible as well, but that is also neglected here for conservatism. Based on this expected sequence of events for a Seismically-induced LOOP, the risk impact related to the change in signal unavailability can be calculated as: CDF = f(Seismic LOOP) x change in signal unavailability x HEP(AFW start) x AMSAC failure The values used for each term are: f(Seismic LOOP) = 2.19E-5 /yr (sum of all Seismically-induced LOOPs from all categories of seismic events from LR-N14-00511) change in signal unavailability = 2.73E-4 for two trains impacted (from WCAP-15376-P-A, Revision 1, Table 8.10) HEP(AFW Start) = 9.7E-4 (from event AFW-XHE-FO-MDPS in PRA) AMSAC failure = 5.4E-2 (calculated from AMSAC gate in PRA) Therefore, CDF (Seismic LOOP) = 3.2E-13 /yr For a Seismically-induced Small LOCA, ECCS is required to provide injection to restore inventory and recirculation capability to maintain inventory and allow decay heat removal. A Small LOCA is more severe than a Seismically-induced LOOP, so a LOOP is assumed to also occur during a Seismically-induced Small LOCA, and it is common practice to assume a Very Small LOCA occurs in any Seismic event. However, in order for the AOT extensions to impact the Seismic risk, the event needs to be severe enough to create the Small LOCA but not so severe as to impact the ECCS. The risk impact would be calculated similar to that for Seismic LOOP, except a different operator action would be required to backup a failed actuation (SI) signal, with no additional backup actuation system such as AMSAC. Assuming that all Seismic events that cause a LOOP would also cause a Small LOCA, a similar approach is used: 1 Frequency based on calculation using values from U.S. NRC's Response to 10 CFR 50.54(f) Recommendation 2.1 of the Near-Term Task Force Review of the Fukushima Accident - Salem Generating Station, LR-N14-0051, March 2014. 124

LR-N17-0135 LAR S17-05 CDF = f(Seismic LOCA) x change in signal unavailability x HEP(ECCS start) The values used for each term are: f(Seismic LOCA) = 2.19E-5 /yr (same as above for Seismically-induced LOOPs) change in signal unavailability = 2.73E-4 for two trains impacted (from WCAP-15376-P-A, Revision 1, Table 8.10) HEP(ECCS Start) = 4.2E-3 (from event SJS-XHE-FO-SAFLO in PRA) Therefore, CDF (Seismic LOOP) = 2.5E-11 /yr Since the CDF increase is negligible, the LERF impact will also be negligible and the CDF and LERF changes meet the acceptance criteria in RG 1.174. In summary, for scenarios that would damage both trains of ESFAS equipment, the status of a particular component being out-of-service would have a negligible impact since it would have been damaged anyway. Where a seismic scenario only damages one component, the impact would be seen with the opposite train component out-of-service, and those impacts are estimated to be very low based on these stand-alone calculations. 4.3.4.7 Discussion of External Flooding Risk PSEG is providing a rough order of magnitude estimate of the total risk for external flooding, based on the full power internal events PRA. The steps to determine the potential impact of external flooding events for proposed extensions are:

1. Determine the surrogate initiating event that can be used to simulate an external flood
2. Determine the system response to the initiating event
3. Determine how the system of interest is used to mitigate the flood induced event
4. Determine the impact on risk metrics One way to ensure that these conclusions still apply is to perform a bounding analysis using the Salem full power, internal events (FPIE) PRA model. An upper bound estimate of other hazards was established assuming that external flooding events are likely to result in a loss of offsite power (LOOP). It is assumed that the frequency of these external flooding hazards is bounded by weather induced LOOP (frequency of 4.09 E-3 per year in the Salem PRA).

In the basic PRA, weather induced LOOP is modeled with a statistically determined recovery curve. While recoverable weather induced LOOPs have been observed with some frequency, unrecoverable events are rare. Thus, use of weather induced initiating event frequency to bound the non-recovered external event frequency is considered appropriate. The RG 1.200 FPIE PRA models the system responses to LOOP events, and Section 4.3.4.1 describes how the responses with the proposed extensions are modeled. The model includes mitigating equipment reliability and operator actions. Since a FPIE PRA initiating event is being used as the surrogate, the approach described in Section 4.3.4.1 applies directly to external flooding scenarios with a few changes. The use of the non-safety related auxiliary feedwater 125

LR-N17-0135 LAR S17-05 pump and the gas turbine were not credited in the calculations that simulate an external flooding situation because this equipment is not protected from external floods. TABLE 4-28 BOUNDING ESTIMATE Bounding Estimate: CDF and LERF Contribution for External Flooding CDF/yr LERF/yr Unit 1 Surrogate External Flood 5.62E-7 4.31E-8 Surrogate External Flood (w/actuation signal unavailability) 5.63E-7 4.32E-8 Risk Increase 1.1E-9 6.1E-11 Unit 2 Surrogate External Flood 5.58E-7 4.31E-8 Surrogate External Flood (w/actuation signal unavailability) 5.59E-7 4.32E-8 Risk Increase 1.5E-9 7.6E-11 Note that the core damage frequency calculations are a significant portion of the baseline PRA core damage risk while the delta-risk calculations are a much smaller relative portion of baseline. This is caused by a using a very conservative initiating event frequency to bound a much rarer event. Even using the bounding initiating event frequency, the actuation signals being treated in this LAR do not have a significant effect on external flood scenarios. A bounding calculation indicates that total risk is small enough that changes to extend Allowed Outage AOTs for RTS and ESFAS instrumentation do not have a significant effect on overall risk. The unavailability of the RTS and ESFAS instrumentation does not significantly affect this bounding calculation and could not affect a more realistic calculation. The risk increases are several orders of magnitude below the RG 1.174 decision criteria. Thus, changes to risk associated with weather induced LOOPs with no possibility of recovering off-site power, and thus with external floods cannot change the conclusion of the LAR. 4.3.4.8 Summary of Results Examining the results with all of the cases combined via examination of resulting cutsets and delete-term cutsets, the small increase in average CDF and LERF is partially due to a weather related LOOP or switchyard related LOOP following failure of the signal to automatically start the emergency diesel generator (EDG) in combination with failure of the operators to manually start the EDG. These cutsets which previously fell below truncation are now present due to the increased unavailability of UV relays. Additional important cutsets are related to a main steam line break inside containment followed by failure of SI signal in combination with failure of operators to manually recover. These cutsets have increased due to the increased unavailability of SSPS logic circuits. New cutsets seen in LERF are similar and also include events initiated by service water. 126

LR-N17-0135 LAR S17-05 Based on the results discussed above for fire, seismic and external flood hazards, it was deemed that any perceived risk increase would be negligible. The results presented in Tables 4-24 through 4-27 are well below the regulatory guidelines for a license amendment request: The CDF and LERF risk metrics are well below the RG 1.174 acceptance guidelines for Region III, i.e., very small risk change. The ICCDP for the ESFAS/RTS instrumentation AOT is well below the RG 1.177 acceptance guideline. The ICLERP for the ESFAS/RTS instrumentation AOT is well below the RG 1.177 acceptance guideline. 4.3.5 Uncertainty Discussion This section evaluates uncertainties that could impact the ESFAS/RTS instrumentation AOT extension assessment. Overall, this analysis contains all the elements of risk-informed decision-making process described in NUREG-1855 [Reference 34]. The structure used to present this information is shown in Figure 4-4, which is taken from the companion document to NUREG-1855 entitled EPRI-1026511, Practical Guidance on the Use of Probabilistic Risk Assessment in Risk-Informed Applications with a Focus on the Treatment of Uncertainty [Reference 35]. Table 4-29 provides a roadmap identifying the relevant sections of the uncertainty analysis. 127

LR-N17-0135 LAR 517-05 Step 1 2 3 4 5 6 TABLE 4-29 ROADMAP TO THE UNCERTAINTY ANALYSIS Step Summary Define the risk analysis application to be used to address RG 1.177 Assess the adequacy of the existing PRA models to support the analysis Perform the initial comparison with the acceptance guidelines. Identify significant contributors and role of affected function. Assess the adequacy of the scope of the PRA models Perform final comparison with acceptance guidelines - assessment of significance of parameter and model uncertainty Prepare input for the integrated decision-making process Step 3: 7erfann Initial c:-omJn8rf.. ron with a<::ceptancfJ'.gwide!itw8 Identify significant contributor:; and role of affect9d ftmt:t!on(s) Document Section Performed in Section 4.3. Performed in Section 4.3, Risk Assessment. Initial comparison is shown in the Summary and Tables in Section 4.3.8; significant contributors are identified in Section 4.3.4. Assessed in Sections 4.3.1, 4.3.2, and 4.3.3. Analyzed in Section 4.3.5. Presented in Section 4.3.8. Accoptaoco Gtlidelinas Excoodo<l {Section 5)? FIGURE 4-4 OVERVIEW OF PROCESS FOR PRA ANALYSIS TO SUPPORT A RISK INFORMED DECISION 128

LR-N17-0135 LAR S17-05 4.3.5.1 Parametric Uncertainty Evaluation The evaluation of the CDF for the ESFAS/RTS instrumentation extended AOT assessment has been supported by a detailed qualitative and quantitative uncertainty evaluation. The parametric uncertainty quantification is performed using the CAFTA utility, UNCERT, to identify the effect of the parametric correlation. The base model (SA115B & SA215B) uncertainty distributions for CDF of the application specific model are presented in Figures 4-5 and 4-9. The uncertainty distribution for CDF due to the condition in which all new unavailabilities have been applied are shown in Figures 4-6 and 4-10. Likewise, for LERF, the base model uncertainty distributions are presented in Figures 4-7 and 4-11, with the AOT extension uncertainty distribution for LERF shown in Figures 4-8 and 4-12. The mean results for each case show similar differences from the point estimates. In addition, the cutset results for the CDF/LERF assessments were reviewed to determine if an epistemic correlation could influence the mean value determination. From the review of the cutsets, it was determined that the dominant contributors do not involve basic events with epistemic correlations (i.e., the probabilities of multiple basic events within the same cutset for the dominant contributors are not determined from a common parameter value). Per Guideline 2b of EPRI 1016737 [Reference 36] it is acceptable to use the point estimate directly in the risk assessment. Therefore, the parameter uncertainty assessment indicates that the use of the point estimate results directly for this assessment is acceptable. 129

LR-N17-0135    s 08 0.6 0.4 0.2 0 1E{J6 0.8 0.6 0.4 / I I I J 1E-Q5 A l\\ l \\ l \\ 0.2 0 1E{J6 1m .. **-l 1E-Q5 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database LAR 517-05 1E*04 1E-<l3 1E-Q2 1E*01 lE-1-00 1E-<J4 1E*03 1E-D2 1E-<J1 1E+OO Estimate Confidence Range 8.382E-06 50000 8.579E-06 [8.5E-06, 8.6E-06] 3.637E-06 [3.6E-06, 3.7E-06] 7.075E-06 [?.OE-06, 7.1 E-06] 1.781E-05 [1.SE-05, 1.8E-05] 6.687E-06 13.40618 Montecarlo 50000 CDF 1E-11.CUT CDF SA115B.rr FIGURE 4-5 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U1 BASE MODEL CDF (SA115B) FOR THE ESFAS/RTS AOT EXTENSION APPLICATION MODEL 130

LR-N17-0135 LAR 517-05 D8 0,6 0.4 0.2 0 1E-06 0.8 D.6 0.4 0.2 0 1E-D6 1/ I l I / 1E*05 l\\ l \\ l \\. Jk"'*"'"' w 1E-D5 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database 1E.-{}3 1E-()2 1E*01 1E-D4 1E-o3 1E-<J2 1E-Q1 Estimate Confidence Range 8.384E-06 50000 8.564E-06 [8.5E-06, 8.6E-06] 3.637E-06 [3.6E-06, 3.7E-06] 7.096E-06 [7.1 E-06, 7.1 E-06] 1.781E-05 [1.8E-05, 1.8E-05] 6.306E-06 6.988329 Montecarlo 50000 CDF 1 E-11_ALL.CUT CDF SA 115B_AII.rr FIGURE 4-6 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U1 CDF REPRESENTING THE ESFAS/RTS AOT EXTENSION 131 1E-1-00 1E+OO

LR-N17-0135 0.8 0.6 0.4 0.2 0 1E-{)8 0.8 0.2 0 1E.OS I I I I J 1E-G7 1E-OS A 1\\ l \\ 11 \\ \\ MW""""""'*" *.".".W.".","/"1' 1E-o7 1E-D6 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database LAR 517-05 1E-Q4 1E*03 1E-02 1E-D1 1E+OO 1E-o5 1E-04 lE-03 1E-Q2 1E-01 1E+OO Estimate Confidence Range 4.469E-07 50000 4.452E-07 [4.4E-07, 4.5E-07] 1.529E-07 [1.5E-07, 1.5E-07] 3.547E-07 [3.5E-07, 3.6E-07] 1.001 E-06 [9.9E-07, 1.0E-06] 3.997E-07 14.32663 Montecarlo 50000 LERF _1 E-12.CUT LERF SA115B.rr FIGURE 4-7 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U1 BASE MODEL LERF (SA115B) FOR THE ESFAS/RTS AOT EXTENSION APPLICATION MODEL 132

LR-N17-0135 LAR 517-05 3 '..  0.8 0.6 0.4 0.2 0 1E-Q8 0.8 0.6 0.4 0.2 1E-G8 I ).-"' I I I j 1E--o7 1E.fJB I \\ l \\ ll \\ _) \\ w.w,.v.w... ww*v 1E-07 lE-06 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database 1E*OS lE-04 1E-03 1E*02 1E-D1 lE-06 1E-04 1E-ll3 1E-Q2 1E-<11 Estimate Confidence Range 4.472E-07 50000 4.497E-07 [4.5E-07, 4.5E-07] 1.531 E-07 [1.5E-07, 1.5E-07] 3.565E-07 [3.5E-07, 3.6E-07] 1.014E-06 [1.0E-06, 1.0E-06] 3.967E-07 8.152064 Montecarlo 50000 LERF 1E-12 ALL.CUT LERF SA 1158 All.rr FIGURE 4-8 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U1 LERF REPRESENTING THE ESFAS/RTS AOT EXTENSION 133 1E+OO 1E+OO

LR-N 17-0135 08 0.6 0.4 0.2 1E-06 0.8 0.6 0.4 / I I I / 1E-o5 l\\ l \\ l \\ 0,2 0 1E-ll6 1 i-+-l IE-ll5 [!:arameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database LAR 517-05 IE-04 1E-G3 1E-02 lE-D1 lE+-00 IE-04 1E-03 1E-o2 IE-{} I 1E+OO Estimate Confidence Range 7.682E-06 50000 7.842E-06 [7.8E-06 I 7.9E-06] 3.301E-06 [3.3E-06 I 3.3E-06] 6.497E-06 [6.5E-06 I 6.5E-06] 1.621E-05 [1.6E-05 I 1.6E-05] 6.165E-06 11.52656 Montecarlo 50000 CDF lE-11 U2.CUT CDF SA215B.rr FIGURE 4-9 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U2 BASE MODEL CDF (SA215B) FOR THE ESFAS/RTS AOT EXTENSION APPLICATION MODEL 134

LR-N17-0135 LAR 517-05 "'  '... j 7 0.8 0.6 0.4 0.2 0 1E-06 0.8 0.6 0,4 0.2 0 1EY v I I I / 1E.05 /\\. I\\ I \\ I \\ ) 8**9**'"'"'.. h 1E-o5 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File(s) Selected Target(s) Database 1E.o4 1EX3 1E-Q2 1E*01 1E-<l4 1E-03 1E-1l2 1E-G1 Estimate Confidence Range 7.685E-06 50000 7.866E-06 [7.8E-06, 7.9E-06] 3.328E-06 [3.3E-06, 3.3E-06] 6.522E-06 [6.5E-06, 6.6E-06] 1.619E-05 [1.6E-05, 1.6E-05] 6.203E-06 12.4752 Montecarlo 50000 CDF 1E-11 ALL.CUT CDF SA215B All.rr FIGURE 4-10 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U2 CDF REPRESENTING THE ESFAS/RTS AOT EXTENSION 135 1E+OO 1E+OO

LR-N17-0135 0.8 0.6 0.4 0.2 0 1E*08 0.8 0.6 0.4 0.2 0 1E-o8 I I/' I I I J 1E-07 1E-06 _A l\\ J \\ l \\ _) "g-"*'"_\\""' 1E-{l7 1E.-{}6 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File Selected Target Database LAR 517-05 1E.o4 1E*03 1E-02 1E-Q1 1E+00 1E-Q5 1E.W 1E-Q3 iE-Q2 1E-Q1 1E+OO Estimate Confidence Range 4.425E-07 50000 4.455E-07 [4.4E-07, 4.5E-07] 1.493E-07 [1.5E-07, 1.5E-07] 3.509E-07 [3.5E-07, 3.5E-07] 1.013E-06 [1.0E-06, 1.0E-06] 4.163E-07 12.30814 Montecarlo 50000 LERF 1E-12 U2.CUT LERF SA215B.rr FIGURE 4-11 PARAMETRIC UNCERTAINTY FOR SALEM U2 BASE MODEL LERF (SA215B) FOR THE ESFAS/RTS EXTENSION MODEL APPLICATION 136

LR-N17-0135 LAR S17-05 08 0,6 0.4 0.2 0 1E-D8 0.8 0.6 0.4 0.2 1E-08 I 1-- I I I J 1E-07 1E*06 /\\ I \\ 1/ \\ ./ w-*-m 1E-D7 lE-{)6 Parameter Point Est Samples Mean 5th Percentile Median 95th Percentile StdDev Skewness Sampling Method Sample Size Cutset File Selected Target Database 1E*05 1E-04 1E*OJ 1E*02 1E-{)1 1E-04 1E<l3 1E.01 Estimate Confidence Range 4.431 E-07 50000 4.459E-07 [4.4E-07, 4.5E-07] 1.500E-07 [1.5E-07, 1.5E-07] 3.526E-07 [3.5E-07, 3.5E-07] 1.008E-06 [9.9E-07, 1.0E-06] 4.053E-07 9.04121 Montecarlo 50000 LERF _1 E-12_ALL.CUT LERF SA215B_AII.rr FIGURE 4-12 PARAMETRIC UNCERTAINTY DISTRIBUTION FOR SALEM U2 LERF REPRESENTING THE ESFAS/RTS AOT EXTENSION 137 1E+OO 1E+OO

LR-N17-0135 LAR S17-05 4.3.5.2 Model Uncertainty The assessment of model uncertainty utilizes the guidance provided in EPRI 1016737 and in NUREG-1855 and considers the following:

1. Characterize the manner in which the PRA model is used in the application.

The manner in which the PRA model is used in this application is fully described in Section 4.3 and is not reproduced here.

2. Characterize modifications to the PRA model.

The minor changes made to the PRA model of record (MOR) are described in Section 4.3.1.5. These changes made to the model do not introduce any application-specific sources of model uncertainty for this analysis.

3. Identify application-specific contributors.

Application-specific contributors are fully discussed in Section 4.3.4.8 via examination of resulting cutsets and delete-term cutsets. The important contributors to the delta-risk metrics were identified as increases due to a few specific initiating events that are more impacted by the potentially increased unavailabilities. These initiating events are based on industry and plant-specific data and calculated using accepted realistic methods. Therefore, these application-specific contributors do not introduce any new sources of model uncertainty.

4. Assess sources of model uncertainty in the context of important contributors.
a. Also consider other sources of model uncertainty from the base PRA model assessment for the identification of candidate key sources of uncertainty.
b. Screen based on relevance to parts of PRA needed or based on relevance to the results.

A review of the identified sources of model uncertainty from the base model assessment as identified by implementing the process outlined in EPRI 1016737 for Salem was then performed to determine which of those items are potentially applicable for this assessment even though they did not appear as a dominant contributor in the base assessment for the application. Based on this review, some of the items were already identified and many do not warrant further analysis, but the following items were added for investigation since they were judged to be potentially applicable for this application. Treatment of CCFs when one component is failed Equipment in Test & Maintenance Based on the identified important contributors and the addition of applicable base PRA model sources of uncertainty identified above, the next step is to perform an assessment to determine if sources of uncertainty have been addressed in the PRA that affect the important contributors for the application. 138

LR-N17-0135 LAR S17-05 For the ICCDP/ICLERP calculations where selected components are set as failed, the approach conservatively adjusts the CCF failure probabilities for corresponding events. This is considered conservative since not all failures would be subject to common cause failure modes. Therefore, this is not identified as a model uncertainty that could impact the decision. The test and maintenance events in the model for ESFAS/RTS components are set based on plant data or on historical values that are considered conservative. In these risk evaluations, these unavailability terms are conservatively increased, and the results are still well below the acceptance criteria. Therefore, there is no unique model uncertainty related to these event probabilities that would impact the model to the extent to impact the decision. As identified in Section 4.3.4.8, the main contributors are related to a few specific scenarios that require the ESFAS components. These initiating events are based on industry data sources, and because the risk results are well below the acceptance criteria, there is no unique model uncertainty related to the main contributors that would impact the model to the extent to impact the decision.

5. Identify sources of model uncertainty and related assumptions relevant to the application.
a. This involves the formulation of sensitivity studies for those sources of uncertainty that may challenge the acceptance guidelines and an interpretation of the results.

Based on the evaluation of important contributors above, no items were identified as key sources of uncertainty that would impact the risk results to an extent to affect the decision. 4.3.5.3 Completeness Uncertainty As discussed in Sections 4.3.4.5-4.3.4.7, external hazards from fire and seismic events were qualitatively addressed as not having a significant contribution to any risk increases associated with these AOT extensions. Other external hazards, as discussed in the IPEEE, were screened out as being insignificant. Therefore, only two hazard groups (internal events and internal floods) were explicitly calculated for this risk assessment. Although a Salem peer-reviewed Fire PRA model does not currently exist, additional insight regarding fire hazards were investigated using a Work-in-Progress (WIP) Fire PRA model that did not reveal any significant risk impacts with respect to the configuration modeled for these AOT extensions. Therefore, there is no major form of completeness uncertainty that would impact the results of this assessment. 4.3.6 Tier 2. Avoidance of Risk Significant Plant Configurations The purpose of this section is to demonstrate that there are appropriate restrictions on dominant risk-significant configurations associated with the proposed changes. The Tier 1 evaluations show that ICCDP and ICLERP are far below acceptance criteria, thus it is unlikely that the plant will enter a risk-significant configuration while in the equipment covered in this LAR is out of service. Based on examination of results (such as described Section 4.3.4.8 and 4.3.8) to 139

LR-N17-0135 LAR S17-05 determine if any specific failures dominate the results, the compensatory measures discussed in Sections 4.2.1.2 and 4.2.2.2 are adequate to cover equipment addressed in this LAR. 4.3.7 Tier 3. Risk-Informed Configuration Management Implementation of the Salem Configuration Risk Management Program, which meets the requirements in Regulatory Guide 1.177 Section 2.3.7.2, helps to ensure there is no significant risk increase while instrument maintenance is being performed. This tier is important because all possible risk-significant configurations under Tier 2 cannot be predicted. Salem implements the applicable portions of the Maintenance Rule by using the endorsed guidance of Section 11.0 of NUMARC 93-01. Salem uses the Equipment Out of Service (EOOS) Configuration Risk Monitor program from the Electric Power Research Institute (EPRI) to implement 10 CFR 50.65(a)(4). EOOS uses the same fault trees and database as the internal events PRA model, so it is fully capable of evaluating CDF and LERF for internal events. The loading and use of EOOS is procedurally controlled by the PSEG PRA procedures. Salem procedures recognize there are limitations in EOOS and specifically direct consideration of external events and site activities that can result in significant plant events. Some conditions are evaluated in EOOS through multiplication factors; others procedurally lead to other actions including plant color changes. Fire risk management actions, which are governed by the same set of procedures and implemented by the same staff, are determined from the deterministic fire safe shutdown procedures from 10 CFR 50 Appendix R. When maintenance or testing is scheduled, the Operations, Work Week Management and Site Risk Management staff perform and review weekly risk analyses using the EOOS program. For unplanned or emerging equipment failures, control room personnel will enter the configuration into the EOOS. In either case, the configuration will be evaluated to assess and manage the risk. Risk associated with unavailable plant equipment is assessed at Salem as required by 10 CFR 50.65(a)(4). The PSEG work management administrative procedure governs on-line risk assessments. The on-line risk assessment is a blended approach using qualitative or defense-in-depth considerations and quantifiable PRA risk insights when available to complement the qualitative assessment. Salem communicates on-line plant risk using three risk tiers (GREEN, YELLOW, and RED). The criteria for these tiers are as follows: 140

LR-N17-0135 LAR 517-05 Configuration Risk Management Criteria Col or Green Yellow Reel Risk Threshold"' ICDPI'l < 1 E-6 for 7 da Kl duratic*n .A.ND Ib LO 0 P High Flsk 8iolution (H RE) .AND I LER pl"l < 1 E-7 for 7 da Ñduration ICDPJ'l > 1 E-6 i:!l':I.O. < 1 E-6 for 7 day duration Q8. LO 0 P High Risk E>roh.rtio n (H R E) OR I LEF: P1"l > 1 E-7.AND < 1 E-6 x:or 7 da*!l duratio:on ICDPI'l > 1 E-6 tor 7 day duration OR ILERPm,.IE-15 tH7 daydG FH (1l Incremental Core Damage Probability (Zl Incremental Large Early Release Probability Require:! Adion N*:J speciic a*:tions are required. Umit the unavailabilitojtime b' establishin! a oc*ntirnJous work :>)hedu l e or pro\\*ide justi1ioati on. Protect SS Cs \\hid't wc*'Jid cause an unplanned entry inro a Red ri: CO)ndition if lo::-:1: oc*n*::t.rrent H.lith otr.:!r S SCs bEing unavail<t*le t*r mairtenanoe. k is una*)Oej:table to \\I'C*Iuntaril y enterthis O*:ondition. !£an emergent co:ondition causes, or degradation may cause an unplanned enØ' inro this condition, immediate acti*:ons shall be taken to re stc*re andior protect S S Cs relied u pc*n tc* mitigate e*-ents, and to oc*rrtact the stati*:on dut'Ú manager for direotio n and support. The on-line risk level for both Salem units will remain GREEN during an outage of any single instrument scoped into this proposed change. At this level, risk is considered close to baseline, and compliance with technical specification requirements would be considered adequate risk management. Nevertheless, PSEG maintenance practices involve protecting other equipment coincident with maintenance being performed on ESFAS/RTS instrumentation per OP-AA-1 08-116, Protected Equipment Program [Reference 33]. The PRA MOR directly accounts for this maintenance practice and is reflected in the quantitative analysis. Protecting equipment requires posting of signs and robust barriers to alert personnel not to approach the protected equipment. Work on protected equipment is generally disallowed. Minor exceptions exist for activities such as inspections, security patrols, or emergency operations. Other exceptions may be authorized by the station shift manager in writing. If additional unplanned equipment unavailability occurs, station procedures direct that the risk be re-evaluated, and if found to be unacceptable, compensatory actions are taken until such a time that the risk is reduced to an acceptable level. In addition, OP-AA-1 08-116 directs the Operations and Work Management personnel to routinely monitor various maintenance configurations and protect equipment that could lead to an elevated risk condition (e.g., "red" risk condition) if it were to become unavailable due to unplanned or emergent conditions. This is normally accomplished using the EOOS PRA software tool, supplemented by operations and work management procedures. 141

LR-N17-0135 LAR S17-05 4.3.8 Summary and Conclusion Consistent with the NRCs approach to risk-informed regulation, PSEG has identified particular Technical Specification (TS) requirements that are restrictive in nature and, if relaxed, have a minimal impact on the safety of the plant. These Technical Specifications require that various Emergency Safeguard Actuation System (ESFAS) and Reactor Trip System (RTS) instrumentation Allowed Outage Times (AOT) (also referred to as Completion Times) be restricted to a specific number of hours. The proposed changes are to increase specific ESFAS/RTS instrumentation AOTs from the currently specified time. The analyses referenced by TSTF-411 and TSTF-418 can be applied to this license amendment for extended allowable outage times. The few remaining systems which are not covered in the TSTF documents are further discussed in this risk analysis. This section summarizes the risk metrics requested by the NRC Regulatory Guides, provides the calculated results using the SA115B/SA215B Salem PRA models, and presents the conclusion of this assessment for the extended ESFAS/RTS instrumentation AOT analysis. 4.3.8.1 Regulatory Guidelines As described earlier, the probabilistic risk assessment input to the decision making process has been defined in detail by the NRC in two Regulatory Guides, Regulatory Guides 1.174 and 1.177. The NRC has specified in Regulatory Guides the risk metrics that should be calculated to provide input into the decision making process. The risk metrics chosen by the NRC in their Regulatory Guides include the following: The change in Core Damage Frequency (CDF) (Regulatory Guide 1.174) The change in Large Early Release Frequency (LERF) (Regulatory Guide 1.174) The Incremental Conditional Core Damage Probability (ICCDP) (Regulatory Guide 1.177) The Incremental Conditional Large Early Release Probability (ICLERP) (Regulatory Guide 1.177) These risk metrics were all calculated using the SA115B/SA215B PRA models (see Section 3.1.5), which were developed as application specific models to more accurately assess the incremental increase in risk for these extended AOT analyses by adding undervoltage relay maintenance terms and semiautomatic transfer to recirculation capability. Quantitative guidelines are defined by the NRC in Regulatory Guides 1.174 and 1.177 for what is an acceptably small change in risk: The Salem calculated ICCDP and ICLERP for the ESFAS/RTS instrumentation AOT extensions are sufficiently below the guidelines of <1.0E-06 and <1.0E-07, respectively, to be able to call the risk change small. Hence, the guidelines of Reg. Guide 1.177 for the increased ESFAS/AOT instrumentation AOTs have been met. See Tables 4-30 and 4-31 for the quantitative results. 142

LR-N17-0135 LAR S17-05 Furthermore, the evaluation of changes in CDF and LERF due to the AOT extensions have been shown to be an order of magnitude below the displayed area for Region III as depicted in Regulatory Guide 1.174. See Tables 4-30 and 4-31 for numerical results. These calculations support the increase in the ESFAS/RTS instrumentation AOTs from a quantitative risk-informed perspective. 4.3.8.2 PRA Model The quantitative evaluation of the risk metrics for this application were performed using the SA115B and SA215B Salem PRA Application Specific Models (see Sections 4.3.4.3 and 4.3.1.5). This included the following changes to the SA115A PRA Model of Record: An addition of undervoltage relay testing and maintenance terms (SA115B & SA215B) Modeling of semiautomatic transfer to recirculation capabilities in Unit 2 (SA215B) 4.3.8.3 Quantitative PRA Results: Regulatory Guide 1.177 and 1.174 This subsection includes the quantitative PRA results using the SA115B and SA215B Salem PRA models. The calculated results using the application specific PRA model are shown in Tables 4-30 and 4-31. The results are compared with the acceptance guidelines that are specified by the NRC in Regulatory Guide 1.174 and Regulatory Guide 1.177. The comparison of the CDF and LERF risk metrics with Regulatory Guide 1.174 guidelines are graphically depicted in Figures 4-13 and 4-14, respectively. These results provide a good indication that the risk associated with this proposed extension of the specified ESFAS/RTS instrumentation AOTs is very small. These results are also reinforced by the Tier 2 and Tier 3 assessments. 4.3.8.4 External Hazards Consideration The evaluation of risk due to fire and seismic events was based on insights gleaned from the IPEEE. Within this analysis, Section 4.3.4.5 addresses fire risk. Section 4.3.4.6 discusses seismic risk and Section 4.3.4.7 discusses external flooding risk. For these particular instrumentation AOT extensions, there are no significant increases in risk due to these external hazards. With regard to fire hazards, since the specified ESFAS/RTS instrumentation and their support systems do not show a high dependence on the results of the fire model, it was qualitatively inferred in Section 4.3.4.5 that the risk increase would be negligible due to extending the AOTs. This qualitative insight was based on the fact that the unavailability of the specified ESFAS/RTS instrumentation does not have a high impact on the ability to mitigate any of the dominant fire risk contributors. Consistent with that assessment, the Work-in-Progress Fire PRA model did not reveal any significant risk increase for these AOT extensions. With regard to seismic hazards, because damage to equipment during seismic events is often correlated across trains, extension of AOTs for ESFAS/RTS components will have a negligible 143

LR-N17-0135 LAR S17-05 impact on Seismic risk estimates. As such, it can qualitatively be inferred that there would be no significant impact on seismic risk due to extending the AOT for these ESFAS/RTS components. With regard to external flood hazards, since the likely scenarios would proceed at a moderate rate, credit can be taken for manual actions to back-up the ESFAS/RTS components. Thus, the qualitative conclusion is that operators would recognize the scenario and take action to ensure that plant equipment was used to mitigate the scenario. Additionally, unquantified defense-in-depth measures are provided by the FLEX equipment. Other external hazards were screened as being insignificant, as documented in Section 1.4.3 of the Salem IPEEE, and as such, were not deemed applicable to this analysis for the AOT extension. Based on this assessment, it was concluded that the impact of the proposed changes on plant risk from external events is small and meets the acceptance criteria of RG 1.174. 4.3.8.5 Conclusion The risk change calculated with the SA115B and SA215B Salem PRA models for the proposed ESFAS/RTS instrumentation AOT extension is considered to be very small. The ICCDP and ICLERP for ESFAS/RTS instrumentation unavailability are sufficiently below the guidelines of <1.0E-06 and <1.0E-07, respectively, to be able to call the risk change small. Hence, the guidelines of Regulatory Guide 1.177 for the increased Allowed Outage Times have been met. Furthermore, the calculated changes in CDF and LERF due to the ESFAS/RTS instrumentation AOT extension have been shown to meet the risk significance criteria of Regulatory Guide 1.174 with substantial margin, i.e., Region III which represents very small risk changes. Tables 4-30 and 4-31 provide a listing of the numerical results, with Figures 4-13 and 4-14 showing a graphical depiction of the CDF and LERF results. These calculations support the increase in the ESFAS/RTS instrumentation AOT extension from a quantitative risk-informed perspective, which includes following established PSEG maintenance practices as discussed in Section 4.3.4. 144

LR-N17-0135 LAR S17-05 TABLE 4-30 UNIT 1 RESULTS OF RISK EVALUATION FOR SALEM CDFNEW CDF LERFNEW LERF ICCDPINST ICLERPINST CI 8.38E-06 2.87E-10 4.47E-07 1.81E-10 6.04E-09 1.15E-09 SEC 8.38E-06 5.57E-10 4.47E-07 4.00E-12 1.26E-09 6.07E-11 UV 8.38E-06 7.51E-10 4.47E-07 5.15E-11 9.64E-12 7.43E-13 All 8.38E-06 1.60E-09 4.47E-07 2.36E-10 7.31E-09 1.75E-09 Risk Significance Guideline RG 1.174 RG 1.174 < 1.0E-06 < 1.0E-07 Meets Guideline Yes(1) Yes(1) Yes Yes Table Note: Region III of RG 1.174 -- very small risk changes. TABLE 4-31 UNIT 2 RESULTS OF RISK EVALUATION FOR SALEM CDFINST CDF LERFINST LERF ICCDPINST ICLERPINST SA 7.68E-06 2.22E-09 4.43E-07 5.98E-10 0 0 SA2 N/A N/A N/A N/A 0 0 All 7.69E-06 3.53E-09 4.43E-07 6.53E-10 3.68E-09 8.04E-10 Risk Significance Guideline RG 1.174 RG 1.174 < 1.0E-06 < 1.0E-07 Meets Guideline Yes(1) Yes(1) Yes Yes Table Note:

1. Region III of RG 1.174 -- very small risk changes.

145

LR-N17-0135 t 'lL c ,U 10 .. 5 LAR 517-05 CDF'* lit FIGURE 4-13 ACCEPTANCE GUIDELINES FOR CORE DAMAGE FREQUENCY (CDF) LEAF.... . *,_, FIGURE 4-14 ACCEPTANCE GUIDELINES FOR LARGE EARLY RELEASE FREQUENCY (LERF) 146

LR-N17-0135 LAR S17-05

5.0 REGULATORY ANALYSIS

5.1 No Significant Hazards Consideration PSEG requests an amendment to the Salem Unit 1 and Unit 2 Operating Licenses. The proposed changes would modify Technical Specification (TS) 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation" to adopt the completion times (CT) and test bypass times, approved by NRC in WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." The amendment application is consistent with the NRC-approved Technical Specification Task Force (TSTF) Travelers TSTF-411, Revision 1, "Surveillance Test Interval Extension for Components of the Reactor Protection System (WCAP-1 5376-P)" and TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)" or is supported by plant-specific analysis for those changes which are plant specific and therefore not evaluated in these WCAPs. PSEG has evaluated the proposed changes to the TS using the criteria in 10 CFR 50.92, and determined that the proposed changes do not involve a significant hazards consideration. The following information is provided to support a finding of no significant hazards;

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No The proposed changes to the completion times and bypass test time reduce the potential for inadvertent reactor trips and spurious actuations, and therefore do not increase the probability of any accident previously evaluated. The proposed changes to the completion times and bypass test time do not change the response of the plant to any accidents and have an insignificant impact on the reliability of the reactor trip system and engineered safety feature actuation system (RTS and ESFAS) signals. The RTS and ESFAS will remain highly reliable and the proposed changes will not result in a significant increase in the risk of plant operation. This is demonstrated by showing that the impact on plant safety as measured by core damage frequency (CDF) is less than 1.0E-06 per year and the impact on large early release frequency (LERF) is less than 1.0E-07 per year. In addition, for the completion time change, the incremental conditional core damage probabilities (ICCDP) and incremental conditional large early release probabilities (ICLERP) are less than 5.0E-7 and 5.0E-08, respectively. These changes meet the acceptance criteria in Regulatory Guides 1.174 and 1.177. Therefore, since the RTS and ESFAS will continue to perform their functions with high reliability as originally assumed, and the increase in risk as measured by CDF, LERF, ICCDP, ICLERP is within the acceptance criteria of existing regulatory guidance, there will not be a significant increase in the consequences of any accidents. The proposed changes do not adversely affect accident initiators or precursors nor alter the design assumptions, conditions, or configuration of the facility or the manner in which the 147

LR-N17-0135 LAR S17-05 plant is operated and maintained. The proposed changes do not alter or prevent the ability of structures, systems, and components (SSCs) from performing their intended function to mitigate the consequences of an initiating event within the assumed acceptance limits. The proposed changes do not affect the source term, containment isolation, or radiological release assumptions used in evaluating the radiological consequences of an accident previously evaluated. The proposed changes are consistent with safety analysis assumptions and resultant consequences. Therefore, this change does not significantly increase the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No The proposed changes do not result in a change in the manner in which the RTS and ESFAS provide plant protection. The RTS and ESFAS will continue to have the same setpoints after the proposed changes are implemented. There are no design changes associated with the license amendment. The changes to completion times and bypass test time do not change any existing accident scenarios, nor create any new or different accident scenarios. The proposed changes do not involve a modification to the physical configuration of the plant or changes in the methods governing normal plant operation. The proposed changes will not impose any new or different requirement or introduce a new accident initiator, accident precursor, or malfunction mechanism. Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Do the proposed changes involve a significant reduction in a margin of safety?

Response: No The proposed changes do not alter the manner in which safety limits, limiting safety system settings or limiting conditions for operation are determined. The safety analysis acceptance criteria are not impacted by these changes. Redundant RTS and ESFAS trains are maintained, and diversity with regard to the signals that provide reactor trip and engineered safety features actuation is also maintained. All signals credited as primary or secondary, and all operator actions credited in the accident analyses will remain the same. The proposed changes will not result in plant operation in a configuration outside the design basis. The calculated impact on risk is insignificant and meets the acceptance criteria contained in Regulatory Guides 1.174 and 1.177. Therefore, since the proposed changes do not impact the response of the plant to a design basis accident, the proposed changes do not involve a significant reduction in a margin of safety. 148

LR-N17-0135 LAR S17-05 Based upon the above, PSEG concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified. 5.2 Applicable Regulatory Requirements/Criteria The applicable General Design Criteria (GDC) criteria are GDC 13, 20, 21, and 22 through 25 and 29. Salem was designed and constructed in accordance with Atomic Energy Commission (AEC) proposed General Design Criteria published in July 1967. The applicable AEC proposed criteria, as document in Salem UFSAR Section 3.1, were compared to 10 CFR 50 Appendix A GDC as discussed below. GDC Criterion 13 - Instrument and Control requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. GDC Criterion 13 is similar to AEC Criterion 12. GDC Criterion 20 - Protection System Functions requires that the protection system(s) shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety. GDC Criterion 20 is similar to AEC Criterion 14 and 26. GDC Criterion 21 - Protection System Reliability and Testability requires that the protection system(s) shall be designed for high functional reliability and testability. GDC Criterion 21 is similar to AEC Criterion 19. GDC Criterion 22 through GDC Criterion 25 and GDC Criterion 29 require various design attributes for the protection system(s), including independence, safe failure modes, separation from control systems, requirements for reactivity control malfunctions, and protection against anticipated operational occurrences. GDC Criterion 22 through GDC Criterion 25 and GDC Criterion 29 are similar to AEC Criterion 20, 21, 22, 23, 31, and 29. Regulatory Guide 1.22 discusses an acceptable method of satisfying GDC-20 and GDC-21 regarding the periodic testing of protection system actuation functions. These periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident. 149

LR-N17-0135 LAR S17-05 Following implementation of the proposed changes, Salem Units 1 and 2 will remain in compliance with proposed criterion 12, 14, 19, 20, 21, 22, 23, 26, 29, and 31. Therefore, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change requirements with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

7.0 REFERENCES

1. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times
2. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times
3. TSTF-411, Revision 1, "Surveillance Test Interval Extension for Components of the Reactor Protection System (WCAP-15376-P)
4. TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)
5. WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," dated May 1985.
6. NRC approval letter regarding Amendment Nos. 299 and 282 to the TSs by relocating specific surveillance frequencies to a licensee-controlled program, dated March 21, 2011 (Adams Accession No. ML110410691)
7. NRC approval letter regarding Amendment Nos. 142 and 121 to the TSs by adopting WCAP-10271, dated August 4, 1993 (Adams Accession No. ML011700181)
8. Regulatory Guide 1.174: An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, 150

LR-N17-0135 LAR S17-05 USNRC, Revision 2, May 2011 (Adams Accession No. ML100910006)

9. Transmittal of Response to Request for Additional Information (RAI) Numbers 4 and 11 Regarding WCAP-15376-P, Rev. 0, Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times (MUHP-3046), OG-02-002, January 8, 2002
10. Regulatory Guide 1.177: An Approach for Plant-Specific, Risk-Informed Decision-Making: Technical Specifications, USNRC, Revision 1, May 2011 (Adams Accession No. ML100910008)
11. PSEG Procedure ER-AA-600-1015, FPIE PRA Model Update
12. American Society of Mechanical Engineers, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, (ASME RA-S-2002), Addenda RA-Sb-2005, December 2005
13. NEI 05-04, Revision 1 (Draft), Process for Performing Follow-On PRA Peer Reviews Using the ASME PRA Standard (Internal Events), Nuclear Energy Institute, November 2007
14. Salem Generating Station, Mitigating System Performance Index Basis Document, SC-MSPI-001, Revision 12, December 2016
15. Salem Generating Station, Quantification Notebook, SA-PRA-014, Revision 1, December 2016
16. Westinghouse, RG 1.200 PRA Peer Review Against the ASME PRA Standard Requirements for the Salem Generating Station, Units 1 and 2 PRA, LTR-RAM-II 001, June 2009
17. American Society of Mechanical Engineers, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addenda to ASME/ANS RA-S-2008 (ASME/ANS RA-Sa-2009), February 2009
18. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk Informed Activities, Revision 2, March 2009
19. PSEG Procedure S2.IC-ST.SSP-0008, Revision 39, Solid State Protection System Train A Functional Test
20. PSEG Procedure S2.IC-ST.SSP-0009, Revision 40, Solid State Protection System Train B Functional Test
21. PSEG, Salem Generating Station Individual Plant Examination of External Events, June 1997
22. NRC Generic Letter 88-20, Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities - 10 CFR 50.54(f), Supplement 4, June 28, 1991 151

LR-N17-0135 LAR S17-05

23. NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, June 1991
24. Professional Loss Control, Inc., Fire-Induced Vulnerability Evaluation (FIVE)

Methodology Plant Screening Guide, EPRI TR-100370, Electric Power Research Institute, April 1992

25. PSEG Procedure NC.DE-PS.ZZ-0001, Revision 1, Programmatic Standard Fire Protection
26. Public Service Electric and Gas, Action Request for Reducing Potential Risk to Cables Routed Through the Turbine and Service Buildings Which Supply Offsite Power to the 4kV Vital Buses, 1995
27. U.S. Nuclear Regulatory Commission, Standard Review Plan for Review of Safety Analysis Report for Nuclear Power Plants, NUREG-75/187, December 1975
28. PSEG Hope Creek Generating Station Updated Safety Analysis Report, Sections 2 and 3, Latest Revision
29. PSEG Salem Generating Station Updated Safety Analysis Report, Sections 2 and 3, Latest Revision
30. NRC Order Number EA-12-049, Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events, March 12, 2012
31. PSEG Nuclear, PSEG Nuclear LLCs Overall Integrated Plan for the Salem Generating Station in Response to March 12, 2012 Commission Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events (Order Number EA-12-049), LR-N13-0034, February 28, 2013
32. Nuclear Energy Institute (NEI) 12-06, Diverse and Flexible Coping Strategies (FLEX)

Implementation Guide, Revision 0, August 2012

33. PSEG Procedure OP-AA-108-116, Protected Equipment Program
34. U.S. Nuclear Regulatory Commission, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision-making, NUREG-1855, Revision 1 (ADAMS Accession No. ML15026A512)
35. Practical Guidance on the Use of Probabilistic Risk Assessment in Risk-Informed Applications with a Focus on the Treatment of Uncertainty, EPRI Report 1026511, Palo Alto, CA December 2012
36. Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments, EPRI Report 1016737, Palo Alto, CA, December 2008 152

LR-N17-0135 LAR S17-05

37. Letter from N. J. Stringfellow (Westinghouse Owners Group) to NRC dated December 20, 1996, transmitting Westinghouse Owners Group letter OG-96-110, Response to Request for Additional Information Regarding WCAP-14333.

153

LR-N17-0135 LAR S17-05 Mark-up of Proposed Technical Specification Pages The following Technical Specifications pages for Renewed Facility Operating License DPR-70 are affected by this change request: Technical Specification Page Table 3.3-1, Reactor Trip Instrumentation 3/4 3-5 Table 3.3-1, Reactor Trip Instrumentation 3/4 3-6 Table 3.3-1, Reactor Trip Instrumentation 3/4 3-7 Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation 3/4 3-21 Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation 3/4 3-22 The following Technical Specifications pages for Renewed Facility Operating License DPR-75 are affected by this change request: Technical Specification Page Table 3.3-1, Reactor Trip Instrumentation 3/4 3-5 Table 3.3-1, Reactor Trip Instrumentation 3/4 3-6 Table 3.3-1, Reactor Trip Instrumentation 3/4 3-7 Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation 3/4 3-22 Table 3.3-3, Engineered Safety Feature Actuation System Instrumentation 3/4 3-23

TABLE 3. 31 (Continued) TABLE NOTATION With the reactor trip system breakers in the closed position and the control rod drive system capable of rod withdrawal. If ACTION Statement 1 is entered as a result of Reactor Trip Breaker (RTB) or Reactor Trip Bypass Breakers (RTBB) maintenance testing results exceeding the following acceptance criteria, NRC reporting shall be made within 30 days in accordance with Specification 6.9.2:

1.

A RTB or RTBB trip failure during any surveillance test with less than or equal to 300 grams of weight added to the breaker trip bar.

2.

A RTB or RTBB time response failure that results in the overall reactor trip system time response exceeding the Technical Specification limit. r-M--NO----PQ----RST-- restore the inoperable channel (RTB) to OPERABLE within 24 hours or ACTION 1 - With the number of channels OPERA E one less than required by the Minimum Channels OPERABLE requirement, e in HOT STANDBY within 6 hours; however, one channel may be bypassed for up to i!-hours for su eillance testing per Specification 4. 3.1.1.1 provided the othe a el is OPERAS E ACTION 2 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: 

a.

The inoperable channel is placed in the tripped condition within 6 hours.

b.

The Minimum Channels OPERABLE requirement is met; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3. 1. 1. 1. D.IJ-:11

c.

Either, THERMAL POWER is restricted to s; 75% of RATED THERMAL POWER and the Power Range, Neutron Flux trip setpoint is reduced to SALEM - UNIT 1 s; 85% of RATED THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours. 3/4 3-5 Amendment No. 313

TABLE 3.3-1 (Continued) ACTION 3 With the number of channels OPERABLE one less than required by the Minimum Channels OPERABLE requirement and with the THERMAL POWER level.: ACTION 4

a.

Below P-6, restore the inoperable channel to OPERABLE status p.dor to increasing THERMAL POWER above the.l?-6 Setpoint.

b.

Above P-6 but below 5% of RATED THERMAL POWER, res tore the inoperable channel to OPERABLE status prior to increasing THERMAL POWER above 5% of RATED THERMAL POWER.

c.

Above 5% of RATED THERMAL POWER, POWER OPERATION may continue. With the number of channels OPE.RABLE one less than required by the Minimum Channels OPERABLE requirement and with the THERMAL POWER level:

a.

Below P-6, restore the inoperable channel to OPERABLE status prior to increasing THERMAL POWER above the l?-6 Setpoint.

b.

Above P-6, operation may continue. ACTION 5 With.the number of channels OPERABLE one less than required by the Minimum Channels OPERABLE requirement, verify compiiance with the SHUTDOWN MARGIN requirements of Spe!=!ific0ation 3,1.1.1 ox 3,1.1.2, as applicable, within 1 hour and at least* once per 12 hours *thereafter. ACTION 6 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a.

The inoperable channel is placed in the tripped condition. in 6 hours.

b.

The Minimum requirement is met;

however, the inoperable channel may be bypassed for up

4 hours for surveillance testing of other channels â p&r Specification 4.3.1.1.1. ACTION 7 - NOT USED ACTION 8 - NOT USED ACTION 9 - NOT USED SALEM - UNIT 1 3/4 3-6 Amendment No. 142

TABLE 3.3-1 (Continued) Wit the number of OPERABLE Channels one less than the Minimum Channels OPE BLE requirement, restore the inoperable channel to OPERABLE status within hours or be in at least HOT STANDBY in the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1.1, provided the other channel is OPERABLE ACTION 11 With less than the Minimum Number of Channels OPERABLE, operation may continue provided the inoperable channel is placed in the tripped condition within e hours. ACTION 12 - With the number of channels OPERABLE one less than required by the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or be in HOT STAND BY within the next 6 hours and/or open the reactor trip breakers. ACTION 13-With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour. ACTION 14 - With one of the diverse trip features (Undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and be in at least HOT STANDBY within 6 hours. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status. DESIGNATION P-6 P-7 SALEM-UNIT 1 REACTOR TRIP SYSTEM INTERLOCKS CONDITION AND SETPOINT With 2 of 2 Intermediate Range Neutron Flux Channels < 4. 7x10*6% of RTP. With 2 of 4 Power Range Neutron Flux Channels ;,;,.; 11% of RATED THERMAL POWER or 1 of 2 Turbine steam line input pressure channels 2 a pressure equivalent to 11% of RATED THERMAL POWER. 3/4 3-7 FUNCTION P-6 prevents or defeats the manual block of source range reactor trip. P-7 prevents or defeats the automatic block of reactor trip on: Low flow in more than one primary coolant loop, reactor coolant pump undervoltage and under-frequency, pressurizer low pressure, pressurizer high level, and the opening of more than one reactor coolant pump breaker. Amendment No. 313

TABLE 3.3-3 (Continued) TABLE NOTATION Trip function may be bypasSed in this MOPE beJ.ow P-11. Trip function may be bypassed in this MODE below P-1.2. Applies to Functional Unit 8 items c and d. The automatic actuation logic includes two redundant solenoid operated vent valves for each Main Steam Isolation Valve. One vent valve on any one Main Steam Isola.tion Valve may be isolated without affecting the function of the automatic actuation logic provided the remaining seven solenoid vent valves remain OPERABLE. The isolated MSIV vent valve shall be returned to OPERABLE status upon the first entry into MODE 5 following determination that the vent valve is inoperable. For any condition w):lere more than one of the eight solenoid vent valves are inoperable, entry into ACTION 20 is required. ACTION 13 ACTION 14 - ACTION 15 ACTION 16 ACTION 17 ACTION 18 J:I.CTION STATEMENTS With the number of OPERABLE Channels one less than the Total Nurnber of

Channes, restore the inoperable channel to OPERABLE status within G hours or, be in HOT STANDEY within the next 6 hours and in COLD

  SHUTDOWN within the following 30 hours;

however, one channel may be 

bypassed for up to 4 hours for su,-veillance testing per Specification 4.3.2.1.1 provided the other channel is OPERABLE, With the number of OPERABLE Channels one less than the Total Number of

Channels, operation may proceed until performance of the next required CHANNEL FUNCTIONAL TEST, provided the inoperable channel is placed in the tripped condition within ".

NOT USED With the number of OPERABLE Channels one less than the Total Number of

Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is demonstrated by CHANNEL CHECK within G hoursi one additional channel may be bypassed for up to 4 hours or surveillance testing per Specification 4,3,2.1.1.

 With less than the Minimum Channels OPERABLE, opeions may continue provided the containment purge and exhaust valves are maintained closed. With the number of OPERABLE Channels one less than the.Total Number of

Channels, restore the inoperable channel to OPERABLE status.within 48 hours' or be in at least HOT STANDEY within the next 6 hours and in COLD.

SHUTPOWN*within the following 30 hours. SALEM UNIT 1 Amendment No. 276

TASLE 3.3-3 (Continued} ACTION 19 With the number of OPERABLE Channels one less than tbe Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a.

The in e charme'l is placed in the tripped condition wthin 5 hours.

b.

The Minimum Channels OPERASx! requiraments is met; however, the inoperable channel may be bypassed for up 

=4 hours for surveillance testing of other channels per Aecifiaation 4.3.2.1.1.

ACTION 20 PERABLI channels one less than the Total Number ls, restore the inoperable channel to OPERABLE status within i hours or, be in at least HOT STANDBY within the next 6 hours and in at least HOT SHOTDOWN within the following 6 hours;

however, one channel =ay be bypassed for up to 4 hours for surveillance testing per Specification 4, 3.2. 1. 1 provided the other channel is OPERABLE.

ACTION 21 With the number of OPERABLE channels one less than the Minimum Number of Channels, operation may proceed provided that the inoperable channel is restored to OPERABLE withi 72 hours. ACTION 22  NOT OSBD ACTION 23 " With the number of OPERABLE channels one less than the Total Number of Channels, restore the inoperable ohannel to OPERABLE status within 48 hours or be in HOT STANDBY within 6 hours and in at least HOT SHUTDOWN within the following 6 hours. SALEM UNIT l 3/4 3*22 Amendment No.225 i-

TABLE 3. 3-1 (Continued) TABLE NOTATION With the reactor trip system breakers in the closed position and the control rod drive system capable of rod withdrawal. If ACTION Statement 1 is entered as a result of Reactor Trip Breaker (RTB) or Reactor Trip Bypass Breaker (RTBB) maintenance testing results exceeding the following acceptance criteria, NRC reporting shall be made within 30 days in accordance with Specification 6.9.2:

1.

A RTB or RTBB trip failure during any surveillance test with less than or equal to 300 grams of weight added to the breaker trip bar. 2. A RTB or RTBB time response failure that results in the overall reactor trip system time response exceeding the Technical Specification limit. r-E--FG----HI----JKL-, restore the inoperable channel (RTB) to OPERABLE within 24 hours or ACTION 1 - With the number of channels OPERA one less than required by the Minimum Channels OPERABLE requirement, in HOT STANDBY within 6 hours; however, one channel may be bypassed for up to hours for su illance testing per Specification 4.3.1. 1. 1 provided the otheel is OPERAS E. the next ACTION 2 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a.

The inoperable channel is placed in the tripped condition within 6 hours.

b.

The Minimum Channels OPERABLE requirement is met; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3. 1. 1. 1. 

c.

Either, THERMAL POWER is restricted to::; 75% of RATED THERMAL POWER and the Power Range, Neutron Flux trip setpoint is reduced to

85% of RATED THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours.
d.

The QUADRANT POWER TILT RATIO, as indicated by the remaining three detectors, is verified consistent with the normalized symmetric power distribution obtained by using either the movable in**core detectors in the four pairs of symmetric thimble locations or the power distribution monitoring system at least once per 12 hours when THERMAL POWER is greater than 75% of RATED THERMAL POWER. SALEM - UNIT 2 3/4 3-5 Amendment No. 294

ACTION 3 ACTION 4 ACTION 5 ACTION 6 ACTION 7 ACTION 8 ACTION 9 SALEM - UNIT 2 !ABLE 3.3-1 (Contnudl With the nu/er of channel s OPERASLE one leas than reired by the Minimum Channels OPERABLE requirement and with the THERMAL POWER level:

a.

Below P*6, restore the inoperable channel to OPERABLE status pr ior to increasing THERMAL POWER a.bove the P-6 Setpoint

b.

Above P-6, but below S\\ of RATED THERMAL POWER, restore the inoperable channe l to OPERABLE status prior to increasing THERMAL POWE[ above 5\\ of RATED THERMAL POWER.

c.

Above 5% of RATED THERMAL POWER, POWEPl OPERATION may continue.

d.

Above lO% of RATED THERMAL POWER, the provisions of Specification 3.0.3 are not applicable, With the number of channels OPERABLE one leaa than required by the Minimum Channels OPERABLE requirement and with the THERMAL POWER level:

a.

.Below P-6, re&tore the inoperable channel to OPERABLE status prior to increasing THERMAL POwtR above the P-6 Setpoint.

b.

Above PU61 operation may continue. With the number of channels OPERABLE one le** than required by the Minimum Channell OPERABLE requirement, verify compliance with the SHUTDOWN MARGIN requirementa of specification 3.1.1.1 or 3.1.1.2, aa applicable, within 1 hour and at least once per 12 hours thereafter. With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditione are eatiafied:

a.

The inoperable channel is placed in the tripped condition wni houri.  *

b.

The Minimum Channel OPERABLE requirement ia met;

however, the inoperable channel may be bypassed for up t

4 hours for surveillance te1ting of other channel* per Specification 4.3.1.1.1.

  • NOT USED NOT USED NOT us:e:o 3/4 3-6

TABLE 3.31 (Continued) ACTION 10 - With the number of OPERABLE Channels one less than the Minimum Channels nAl OPE,RABLE requirement, restore the inoperable channel to OPERABLE status @hours or be in at least HOT STANDBY in the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1.1 provided the other channel is OPERABLE. ACTION 11 - With less than the Minimum Number of Channels OPERABLE, operation may continue provided the inoperable channel is placed in the tripped condition within r----5> @ hours. ACTION 12 - With the number of channels OPERABLE one less than required by the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or be in HOT STANDBY within the next 6 hours and/or open the reactor trip breakers. ACTION 13-With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the reactor trip breakers within the next hour. ACTION 14-With one of the diverse trip features (Undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and be in at least HOT STANDBY within 6 hours. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status. DESIGNATION P-6 SALEM - UNIT 2 REACTOR TRIP SYSTEM INTERLOCKS CONDITION AND SETPOINT With 2 of 2 Intermediate Range Neutron Flux Channels < 4. 7x1 0"6 % of RTP. With 2 of 4 Power Range Neutron Flux Channels 11% of RATED THERMAL POWER or 1 of 2 Turbine steam line inlet pressure channels a pressure equivalent to 11% of RATED THERMAL POWER. 3/4 3-7 FUNCTION P-6 prevents or defeats the manual block of source range reactor trip. I P-7 prevents or defeats the automatic block of reactor trip on: Low flow in more than one primary coolant loop, reactor coolant pump undervoltage and under-frequency, pressurizer low pressure, pressurizer high level, and the opening of more than one reactor coolant pump breaker. Amendment No. 294

TABLE 3,3-3 (Continued) TABLE NOTATION ir Trip function may be bypassed in this MODE below P-11. I# Trip function may be bypaBsed in this MODE below P-12. Applies to Functional UnH 8 items c and d. The automatic actuation logic includes two redundant solenoid operated vent

  • valves f6r each Main Steam Isolation Valve One vent valve on any one Main Steam Is61ation Valve may be isolated without affecting the function of the automatid actuation logic provided the remaining seven solenoid vent valve s
remain OPERABLE.

The isolated MSIV vent valve shall be returned to OPERABLE status uon the first entry into MODE 5 following determination that the vent . valve is :inoperable. For any condition where more than one of the eight solenoid vent valves are inoperable, entry into ACTION 20 is required. ACTION 13 - ACTION STATEMENTS With the number of OPERABI,E Channels one less than the Total Number of

Channels, restore the inoperable channel to OPERABLE status within & 

hours or, be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours;

however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1.1 provided the other channel is OPERABLE.

ACTION 14 - With the number of OPERABLE Channels one less than the Total Number of

Channels, operation may proceed until performance of the next required CHANNEL FUNCTIONAL TEST, provided the inoperable channel is placed in the tripped condition within 1 heur.

R ACTTON 15 - NOT USED  ACTION 16 Wi t:h the number of OPERABLE Channels one less than the Total Number of

Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channel s OPERABLE requirement is dElrnonstrated by CHANNEL CHECK within hours; one additional channel 1nay be bypa ssed for up to 4 hours for su eil ce testing per Spcification 4.3,2,1.1.

ACTION 17 With less than the Minimum Channels OPERABLE, operation may continue provided the containment purge and exhaust valves are maintained closed. ACTION 18 - With the number of OPERABLE Channels one less than the Total Number of

Channels, restore the inoperable channel to OPERABLE status within 48 hotirs or be in at least HOT STANDBY within the next 6 hours and in COLD SHU.TDOWN wi.thin the follow:l.ng 30 hours.

SALEM UNIT 2 3/4 3-22 Amendment No. 258

ACTION 19 - TABLE 3.3-3 (Continued) With the number of OPERABLE Channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:

a.

The inophannel is placed in the tripped condition within G hours.

b.

The Minimum Channels OPERABLE requirements is met; However, the inoperable channel may be bypassed for up to 4 hours for surveillance.testing of other channels per Specification 2.1.1. ACTION 20 - ACTION 21 - ACTION 22 - ACTION 23 - SALEM - UNIT 2 With the number OPERABLE Channels one less than the Total Number of Chan ls, restore the inoperable channel to operable status within G hours or, be in at least HOT STANDBY within the next 6 hours and in at least HOT SHUTDOWN within the following 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1.l>provided the other. channel in OPERABLE. With the number of OPERABLE channels one less than the Minimum Number of Channels, operation may proceed provided that the inoperable channel is restored to OPERABLE within 72 hours. NOT USED With the number of OPERABLE Channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status wi thin 48 hours or be in at least HOT STANDBY within 6 hours and in HOT SHUTDOWN within the following 6 hours. 3/4 3-23 Amendment No. 174

LR-N17-0135 LAR S17-05 Mark-up of Proposed Technical Specification Bases Pages The following Technical Specifications pages for Renewed Facility Operating License DPR-70 are affected by this change request: Technical Specification Bases Page 3/4.3.1 and 3/4.3.2, Protective and Engineered System Features (ESF) Instrumentation B 3/4 3-1a The following Technical Specifications pages for Renewed Facility Operating License DPR-75 are affected by this change request: Technical Specification Bases Page 3/4.3.1 and 3/4.3.2, Protective and Engineered System Features (ESF) Instrumentation B 3/4 3-1a

BASES WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, Revision 1, 11Risk-lnformed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times" increased the completion times and bypass test times. the condition where the as-found setting for the channel setpoint is outside its as-found tolerance, but conservative with respect to the Allowable Value. The channel evaluation verifies that channel performance continues to satisfy safety analysis assumptions and channel performance assumptions within the setpoint methodology. The purpose of tho assessment is to ensure confidence in channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second footnote requires that the as-left setting for the channel be returned to within the as-left tolerance of the nominal Trip Setpoint. This ensures that sufficient margin is maintained to the safety limit and/or analytical limit. If the as-left channel setting cannot be returned to within the as-left tolerance of the nominal Trip Setpoint, then the channel shall be declared inoperable. The as found tolerance for this function is calculated using the square root sum of the squares combination of uncertainty terms (rack calibration accuracy, rack measurement and test equipment accuracy, rack comparator setting accuracy, and rack drift). The as-left tolerance for this function is calculated using the square root sum of the squares combination of uncertainty terms (rack calibration accuracy, rack measurement and test equipment accuracy, and rack comparator setting accuracy). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," and Supplements to that report. Out of service times were determined based on maintaining an appropriate level of reliability of the Reactor Protection System and Engineered Safety Features instrumentation. The verification of response time provides assurance that the reactor trip and the engineered safety features actuation associated with each channel is completed within the time limit assumed in the safety analysis. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Response Time acceptance criteria have been relocated to UFSAR Sections 7.2 and 7.3 tables. No credit is taken in the analysis for those channels with response times indicated as not applicable (i.e., N.A.). The FSAR tables 7.3-8 Note 8 response times for feedwater isolation are based on WCAP-16503, "Salem Unit 1 and Unit 2 Containment

Response

to LOCA and MSLB for Containment Fan Cooler Unit (CFCU) Margin Recovery Project," Revision 3, (LCR S06-10). SGFP trip and FIV closure are credited in the containment analyses for LOCA and MSLB in case an FRV fails open. Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) inplace, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632 -P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP.

Response

time verification for other sensor types, and other components that do not have plant-specific NRC approval to use alternate means of verification, must be demonstrated by test. SALEM - UNIT 1 B 3/4 3-1a Amendment No. 313 (PSEG Issued)

WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, Revision 1, "Risk INSTRUMENTATION Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and BASES Reactor Trip Breaker Test and Completion Times" increased the completion times and bypass test times. CHANNEL FUNCTIONAL TEST and CHANNEL CALIBRATION for Functional Units 5 and 6 of Table 4.3-1. These footnotes are consistent with Technical Specification Task Force (TSTF) Change Traveler TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions." The first footnote requires evaluation of channel performance for the condition where the as found setting for the channel setpoint is outside its as-found tolerance, but conservative with respect to the Allowable Value. The channel evaluation verifies that channel performance continues to satisfy analysis assumptions and channel performance assumptions within the setpoint methodology. The purpose of the assessment is to ensure confidence in channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition. The second footnote requires that the as-left setting for the channel be returned to within the as-left tolerance of the nominal Trip Setpoint. This ensures that sufficient margin is maintained to the safety limit and/or analytical limit. If the as-left channel setting cannot be returned to within the as-left tolerance of the nominal Trip Setpoint, then the channel shall be declared inoperable. The as-found tolerance for this function is calculated using the square root sum of the squares combination of uncertainty terms (rack calibration accuracy, rack measurement and test equipment accuracy, rack comparator setting accuracy, and rack drift). The as-left tolerance for this function is calculated using the square root sum of the squares combination of uncertainty terms (rack calibration accuracy, rack measurement and test equipment accuracy, and rack comparator setting accuracy). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Specified surveillance and maintenance outage times have been determined in accordance with WCAP-1 0271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System," and Supplements to that report. Out of service times were determined based on maintaining an appropriate level of reliability';f the Reactor Protection System and Engineered Safety Features instrumentation. The verification of response time provides assurance that the reactor trip and the engineered safety features actuation associated with each channel is completed within the time limit assumed in the safety analysis. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. Response time acceptance criteria have been relocated to UFSAR Section 7.2 tables and 7.3 tables. No credit is taken in the analysis for those channels with response times indicated as not applicable (i.e., N.A.). The Note 8 response times for feedwater isolation are based on WCAP-16503, "Salem Unit 1 and Unit 2 Containment Response to LOCA and MSLB for Containment Fan Cooler Unit (CFCU) Margin Recovery Project," Revision 3, (LCR S06-1 0). SGFP trip and FIV closure are credited in the containment analyses for LOCA and MSLB in case an FRV fails open. Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by the summation of allocated sensor response times with actual response time tests on the remainder of the channel. Allocations for sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) inplace, onsite, or offsite (e.g. vendor) test measurements, or (3) utilizing vendor engineering specifications. WCAP-13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements" provides the basis SALEM - UNIT 2 B 3/4 3-1a Amendment No. 294 (PSEG Issued)}}

Retrieved from "https://kanterella.com/w/index.php?title=LR-N17-0135,_License_Amendment_Request_for_Implementation_of_WCAP-14333_and_WCAP-15376,_Reactor_Trip_System_Instrumentation_and_Engineered_Safety_Feature_Actuation_System_Instrumentation_Test_Times_and_Completion_Times&oldid=5053794"