LR-N18-0032, License Amendment Request: Inverter Allowed Outage Time (AOT) Extension

From kanterella
(Redirected from ML18103A218)
Jump to navigation Jump to search

License Amendment Request: Inverter Allowed Outage Time (AOT) Extension
ML18103A218
Person / Time
Site: Hope Creek PSEG icon.png
Issue date: 04/13/2018
From: Carr E
Public Service Enterprise Group
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
LAR H18-02, LR-N18-0032
Download: ML18103A218 (104)
v  d  e


Text

PSEG Nuclear LLC P.O. Box 236, Hancocks Bridge, New Jersey 08038-0236 0PSEG Nuclear LLC LR-N 18-0032 LAR H18-02 APR 13 2018 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D.C. 20555-0001 Hope Creek Generating Station Renewed Facility Operating License No. NPF-57 NRC Docket No. 50-354 10 CFR 50.90

Subject:

License Amendment Request: Inverter Allowed Outage Time (AOT)

Extension In accordance with 10 CFR 50.90, PSEG Nuclear LLC (PSEG) hereby requests an amendment to Renewed Facility Operating License No. NPF-57 for Hope Creek Generating Station.

This license amendment request proposes changes to Technical Specification (TS) 3.8.3.1, "Distribution - Operating." The proposed change would increase the Alternating Current (AC)

Inverters allowed outage time (AOD from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days. The proposed extended AOT is based on application of the Hope Creek Generating Station (HCGS) Probabilistic Risk Assessment (PRA), and on additional considerations and compensatory actions. The risk evaluation and deterministic engineering analysis supporting the proposed change have been developed in accordance with the guidelines established in NRC Regulatory Guide 1.177, "An Approach for Plant-Specific Risk-Informed Decisionmaking: Technical Specifications," and NRC Regulatory Guide 1.17 4, "An Approach for Using Probabilistic Risk Assessment in Risk Informed Decisions on Plant-Specific Changes to the Licensing Basis."

The proposed change will allow increased flexibility in the scheduling and performance of corrective maintenance, allow better control and allocation of resources, and avert unnecessary plant shutdowns.

95-2168 REV. 7/99

APR 13 2rniB Page 2 LR-N18-0032 10 CFR 50.90 PSEG's technical and regulatory evaluation of this LAR and the TS change are provided in an enclosure to this letter which includes the supporting risk-informed evaluation of the proposed change.

The proposed change has been evaluated in accordance with 10 CFR 50.91 (a)(1 ), using the criteria in 10 CFR 50.92(c), and it has been determined that this request involves no significant hazards considerations.

There are no regulatory commitments contained in this letter.

PSEG requests NRC approval of the proposed License Amendment within one year of submittal acceptance, to be implemented within 60 days of issuance.

In accordance with 10 CFR 50.91(b)(1), a copy of this request for amendment has been sent to the State of New Jersey.

If you have any questions or require additional information, please contact Mr. Lee Marabella at (856) 339-1208.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on __ Cf-;_....-!L-1-r....:;

J"--/;---!.

/___:?:::.__

(Date)

Eric Carr Site Vice President Hope Creek Generating Station

Enclosure:

Evaluation of the Proposed Change C.

Administrator, Region I, NRC Project Manager, NRC NRC Senior Resident Inspector, Hope Creek Mr. P. Mulligan, Chief, NJBNE Mr. L. Marabella, Corporate Commitment Tracking Coordinator Mr. T. MacEwen, Hope Creek Commitment Tracking Coordinator

APR 1.3 2018 Page 3 LR-N18-0032 10 CFR 50.90 (The bee list should not be submitted as part of the EIE submittal. The bee shall be on a new page.)

bee:

PresidenUChief Nuclear Officer Senior Director, Regulatory Operations and Nuclear Oversight Director, Site Regulatory Compliance Hope Creek Plant Manager Manager, Licensing Records Management

LR-N 1 8-0032 LAR H 1 8-02 Enclosure Evaluation of the Proposed Change

LR-N 1 8-0032 Enclosure HOPE CREEK NUCLEAR GENERATI NG STATION RENEWED FACI LITY OPERATING LICENSE NO. NPF-57 DOCKET NO. 50-354 LAR H 1 8-02 L icense Amend ment Request: Inverter Allowed Outage Time (AOT) Extension Table of Contents 1.0

SUMMARY

DESCRI PTION............................................................................................ 3 2.0 DETAI LED DESCRI PTION............................................................................................. 3

2. 1 SYSTEM DESIGN AND OPERATION................................................................ 3 2.2 CURRENT TECHNICAL SPECIFICATION REQUIREMENTS........................... 1 2 2.3 REASON FOR THE PROPOSED CHANGE...................................................... 1 3 2.4 DESCRI PTION OF THE PROPOSED CHANGE............................................... 1 5

3.0 TECHNICAL EVALUATION

........................................................................................... 1 5

3. 1 DETERMI NISTIC ASSESSMENT...................................................................... 1 5
3. 1. 1 Defense-In-Depth............................................................................. 1 6
3. 1.2 Safety Margin................................................................................... 1 9 3.2 RISK ASSESSMENT......................................................................................... 1 9 3.2. 1 PRA Quality and Technical Adequacy.............................................. 22 3.2.2 Probabilistic Risk Assessment Results............................................. 22 3.2.3 External Event Considerations.......................................................... 39 3.2.4 Uncertainty Evaluation...................................................................... 49 3.2.5 Tier 2 - Avoidance of Risk-Significant Plant Configurations.............. 57 3.2.6 Tier 3 - Risk-Informed Configuration Management........................... 58 3.2.7 Risk Summary and Conclusion......................................................... 60

4.0 REGULATORY EVALUATION

...................................................................................... 61

4. 1 APPLICABLE REGU LATORY REQUIREMENTS AND CRITERIA.................... 61 4.2 PRECEDENT..................................................................................................... 62 4.2. 1 License Amendments....................................................................... 62 4.2.2 Notice of Enforcement Discretion (NOED)........................................ 63 4.3 NO SIGNIFICANT HAZARDS CONSI DERATION.............................................. 63

4.4 CONCLUSION

................................................................................................... 65 5.0 ENVI RONMENTAL CONSI DERATION......................................................................... 65

6.0 REFERENCES

.............................................................................................................. 66 1

LR-N 1 8-0032 Enclosure ATTACHMENTS:

1. Technical Specification Page Markups

2. Technical Adequacy of the PRA Models
3. Parametric Uncertainty Methodology
4. Single Line Drawing of Typical Inverter LAR H 1 8-02 2

LR-N 1 8-0032 Enclosure 1.0

SUMMARY

DESCRIPTION LAR H 1 8-02 This license amendment request proposes a change which would revise Hope Creek Technical Specification (TS) ACTION 3.8.3. 1.d concerning inoperable Alternating Current (AC) Inverters.

The proposed change would increase the AC Inverters allowed outage time (AOT) for one or both inverters inoperable in one channel from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days. The proposed change is based on application of the Hope Creek Generating Station (HCGS) Probabilistic Risk Assessment (PRA) in support of a risk-informed extension, and on additional considerations and compensatory actions.

2.0 DETAIL ED DESCRIPTION

2. 1 System Design and Operation The Class 1 E AC power system is designed to provide a reliable source of power to all Class 1 E loads in the plant. The system is divided into 4 channels (A, B, C, and D). These loads are essential for safe and orderly shutdown of the plant, maintaining the plant in a safe condition, and mitigating the consequences of an accident. The loads are divided into 4 groups such that any combination of 3 out of the 4 groups has the ability to supply the minimum required safety loads to perform the above functions. The channels do not have load sharing ability. Each of these channels has two associated Class 1 E 1 20V AC uninterruptable power supply (UPS) units. UPS panels supply loads such as diesel generator control panels, 4. 1 6 KV switchgear, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) system instrumentation and control, and the remote shutdown panel.

Each UPS is comprised of a static rectifier, a static inverter, a static switch assembly, and a regulated power supply. The static rectifier provides regulated Direct Current (DC) power to the inverter. The normal AC supply from a Class 1 E 480V AC motor control center (MCC) is rectified and auctioneered with the alternate DC supply. The static inverter converts the DC input from the static rectifier to 1 20V AC for application to system loads via the static switch assembly. The output of the static inverter is a single phase, 60 Hz, 1 20V AC The static switch monitors the output of the static inverter, and shifts to the backup AC power supply (Class 1 E 480V AC MCC powered from an MCC different than the one powering the UPS static rectifier), if a loss of inverter output is indicated. A single line drawing of a typical inverter is provided in.

Loss of Power Effects for 1 20 Volt AC Distribution panels With the [A-D]481 UPS inverter inoperable, the associated 1 20 VAC distribution panel is energized from the associated backup Class 1 E 480 VAC MCC via the voltage regulator. In the event of a loss of offsite power (LOP) the affected distribution panel will experience a momentary loss of power until the associated emergency diesel generator (EDG) re-energizes the backup 480 VAC MCC. With the [A-D]482 UPS inverter inoperable, the associated 1 20VAC distribution panel is energized from the associated backup Class 1 E 480 VAC MCC via the voltage regulator. In the event of a LOP the affected distribution panel will experience a loss of power. The associated EDG would not automatically re-energize the backup 480 VAC MCC.

The abnormal operating procedure for station blackout, LOP, and EDG malfunctions provides operational direction to start the EDG from the remote panel or the local control panel if needed.

A detailed description of the plant response to the loss of power to each 1 20V AC distribution panel is provided below. Abnormal operating procedure HC.OP-AB.ZZ-01 36(0), Loss of 1 20 3

LR-N 1 8-0032 Enclosure LAR H 1 8-02 VAC I nverter, is the primary governing procedure for addressing this abnormal condition.

Additional abnormal operating procedures provide operator guidance for actions required to support stable plant operation, reset isolations and restore system functions. These actions focus on mitigating the transient effects, entering the applicable Technical Specification Action Statements and subsequently coordinating with Maintenance on the restoration of the inverter.

Depending on which inverter was lost as described below, operator actions would be required to ensure that:

Turbine Auxiliary Cooling System (TACS) transfer is completed in accordance with HC.OP-AB.ZZ-0001, Transient Plant Conditions Reactor Water Cleanup (RWCU) system operation is restored in accordance with HC.OP-AB.CONT-0002, Primary Containment Fuel Pool Cooling and Cleanup (FPCC) system operation is restored in accordance with HC.OP-AB.COOL-0004, Fuel Pool Cooling Primary Containment Instrument Gas (PCIG) system operation is restored in accordance with HC.OP-AB.COMP-0002, Primary Containment Instrument Gas Reactor Building ventilation differential pressure is restored in accordance with HC.OP-AB.CONT-0003, Reactor Building The principal loss of power impacts for each distribution panel are listed in the following tables.

Equipment/Function Affected by Loss of [A-D]J481 Panel A

B c

D TACS transfer (conditional)

X X X X

RWCU isolation and pump trip X

X FPCC pump trip X

X Loss of Reactor Building ventilation X

X Control Area Ventilation train trip/auto start X

X Associated Primary Containment Isolation System (PCIS)

X X X X

initiation/actuation Associated loss-of-coolant accident/loss of offsite power X

X X X

(LOCA/LOP) sequencer Associated Core Spray automatic initiations/actuations X

X X X

Associated low pressure coolant injection (LPCI) automatic X X X X

initiations/actuations Associated high pressure coolant injection (HPCI)

X X

automatic initiations/actuations Associated reactor core isolation cooling (RCIC) automatic X

X initiations/actuations Associated automatic depressurization system (ADS)

X X

automatic operation Associated Safety/Relief Valve low-low set function X

X HPCI manual and auto flow controller X

RCIC manual and auto flow controller X

Associated Filtration, Recirculation. and Ventilation X

X X X

System (FRVS) recirculation fans Associated FRVS ventilation fans X

X 4

LR-N 1 8-0032 Enclosure Equipment/Function Affected by Loss of [A-D]J482 TAGS transfer (conditional)

RWCU isolation and pump trip FPCC filter/demineralizer (F/D) isolation, FPCC pump trip Loss of Reactor Building ventilation Associated EDG LOCA, LOP and control room manual start A

X X

X X

LAR H 1 8-02 Panel B

c D

X X X

X X

X X

X X X

Attachments 1 through 8 of HC.OP-AB.ZZ-01 36(0) provide a description of the effects of inverter failures on plant controls and indication and are summarized below:

1 AJ481 DISTRIBUTION PANEL Automatic Plant Response 1. TAGS Loop A inboard supply valve EG-HV-2522A fails closed. If TAGS is being supplied by the "A" Loop, it will automatically swap to "B" Loop.

2. RWCU pump suction inboard containment isolation valve BG-HV-F001 closes due to a false Standby Liquid Control (SLC) Pump Operating Signal. This causes RWCU system isolation and RWCU pump trip.
3. The running FPCC pumps trip due to low flow due to closure of fuel pool cleanup filter/demineralizer valves.
4. "A" Channel Primary Containment Isolation System (PCIS) initiation/actuation signals as a result of loss of power to Refueling Floor Exhaust (RFE) and Reactor Building Exhaust (RBE) radiation monitors.
5. High Pressure Coolant Injection (HPCI) suction swaps from the condensate storage tank (CST) to the Torus due to loss of power to the CST Low Level Trip Units.

Control and Indication Failures General 1. Channel "A" LOCAILOP Sequencer is inoperative.

2. Loss of Division I (Channels "A" and "E") Emergency Core Cooling System (ECCS) Auto Trip Units and Start Relays - in general, process signal transmitter failures affecting initiation signals, pump minimum flow valves and pressure permissives.
3. "A" and "E" Filtration, Filtration Recirculation and Ventilation System (FRVS) recirculation fans and "A" FRVS ventilation fan_ receive trip signals due to false Deluge Activation signals.
4. Loss of Channel "A" RBE and RFE Radiation Monitors.
5. Loss of Channel "A" Remote Shutdown Panel (RSP) controls.
6. Loss of power to "A" Primary Containment Hydrogen/Oxygen Analyzer Panel.
7. Loss of 1 AJ481 1 20V AC power to 1 0C601 Redundant Reactivity Control System (RRCS) Panel affects indications and Self-Test Circuits only.
8. Loss of voltage and ampere transducers for 1 AD41 3 and 1 AD41 4 Battery Chargers.

EDG A 1. Loss of power to "A" EDG Remote Engine Panel.

2. Diesel control and indication transmitters failed.
3. Electronic Governor is powered by 1 25 VDC and not affected. Mechanical Governor not affected.
4. The "A" EDG will start and breaker will close during a LOP.

5

LR-N 1 8-0032 Enclosure Core Spray LAR H 1 8-02 1. Channei "A" will not automatically initiate on High Drywell Pressure or Low Reactor Pressure Vessel (RPV) Level.

2. Outboard and inboard injection valves HV-F004A and F005A will not automatically open when RPV pressure drops below the permissive setpoint with a LOCA Level 1 signal present.
3. "A" subsystem minimum flow valve will not automatically close.
4. PCIS Channei "A" LOCA Level 2 functions do not occur.

RHR 1. Channel "A" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. Low Pressure Coolant Injection (LPCI) system injection valve F01 7A will not automatically open when RPV pressure drops below the permissive setpoint with a LOCA Level 1 signal present.
3. F01 7 A cannot be opened manually below the low pressure permissive setpoint.
4. "A" pump minimum flow valve does not automatically close.

HPCI 1. HPCI will not automatically initiate on High Drywell Pressure or Low RPV Level from Channei "A" or "E".

2. Failure of HPCI Manual and Auto Flow Controllers. Loss of setpoint and flow indications.
3. Pump minimum flow valve will not automatically operate.
4. HPCI will not automatically trip on the following trip conditions:
a. RPV Level 8 from channels "A" or "E".
b. Low pump suction pressure.
c. High Turbine exhaust pressure.
d. Division 1 Isolation Signals.
5. Division 3 Outboard Steam Line Isolation Valve F003 and Pump Torus Suction Valve F042 do not close on the following signals:
a. Low Steam Line pressure.
b. High Turbine Exhaust Diaphragm pressure.
c. High Steam Line flow.
6. Vacuum Breaker Isolation Valve F075 will not isolate with High Drywell Pressure and Low Steam Line Pressure.
7. Loss of power to trip units which control HPCI suction swap from the CST to the Suppression Pool.

1 BJ481 DISTRIBUTION PANEL Automatic Plant Response 1. TAGS Loop 8 inboard supply valve EG-HV-25228 fails closed. If TAGS is being supplied by the "8" Loop, it will automatically swap to "A" Loop.

2. The running FPCC pumps trip due to low flow due to closure of fuel pool cleanup filter/demineralizer valves.
3. "8" Channel PCIS initiation/actuation signals as a result of loss of power to RFE and RBE radiation monitors.
4. RCIC suction swaps from the CST to the Torus due to loss of power to level switches.

6

LR-N 1 8-0032 Enclosure Control and Ind ication Failures General 1. Channei "B" LOCA/LOP Sequencer is inoperative.

LAR H 1 8-02

2. Loss of Division II (Channels "B" and "F") ECCS Auto Trip Units and Start Relays - in general, process signal transmitter failures affecting initiation signals, pump minimum flow valves and pressure permissives.
3. "B" and "F" FRVS recirculation fans and "B" FRVS ventilation fan receive trip signals due to false Deluge Activation signals.
4. Loss of Channel "B" RSP controls.
5. Loss of Channei "B" RBE and RFE Radiation Monitors.
6. Loss of power to "B" Primary Containment Hydrogen/Oxygen Analyzer Panel.
7. Loss of 1 BJ481 1 20V AC power to 1 OC602 RRCS Panel affects indications and Self Test Circuits only.
8. Loss of voltage and ampere transducers for 1 BD41 3 and 1 BD4 1 4 Battery Chargers.

EDG 8 1. Loss of power to "B" EDG Remote Engine Panel.

2. Diesel control and indication transmitters failed.
3. Electronic Governor is powered by 1 25 VDC and not affected. Mechanical Governor not affected.
4. The "B" EDG will start and breaker will close during a LOP.

CORE SPRAY 1. Channei "B" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. Outboard and inboard injection valves HV-F004B and HV-F005B will not automatically open when RPV pressure decreases below the permissive setpoint with a LOCA Level 1 signal present.
3. "B" subsystem minimum flow valve F031 B will not automatically close.
4. PCIS Channei "B" LOCA Level 2 isolations do not occur.

RHR 1. Channei "B" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. LPCI system injection valve F01 7B will not automatically open when RPV pressure drops below the permissive setpoint with a LOCA Level 1 signal present.
3. F01 7B cannot be opened manually below the low pressure permissive setpoint.
4. "B" pump minimum flow valve will not automatically close.

ADS 1. Channel "B" Automatic Depressurization System (ADS) automatic operation will be inoperable.

2. Safety/Relief Valve (SRV) "H" will not perform LO-LO Set Function.

RCIC 1. RCIC will not automatically initiate on low RPV level from channels "B" or "F"

2. Auto and manual control of the RCIC Flow Controller will be failed to the low flow position, along with setpoint and flow indications.
3. Pump minimum flow valve F01 9 will not automatically open or close.
4. RCIC will not automatically trip on the following trip conditions:
a. RPV Level 8 from Channei "B" or "F" Trip Units.
b. Low pump suction pressure.

7

LR-N 1 8-0032 Enclosure

c. High Turbine exhaust pressure.
d. Division 2 Isolation Signals.

LAR H 1 8-02

5. RCIC steam line Outboard Isolation Valve F008 will not close on the following signals:
a. Low Steam Line pressure.
b. High Turbine Exhaust Diaphragm pressure.
c. High Steam Line flow.
6. Vacuum Breaker Isolation Valve F062 will not isolate with High Drywell Pressure and Low Steam Line Pressure.
7. Loss of power to level switches which control RCIC suction swap from the CST to the Suppression Pool.

1 CJ481 DISTRIBUTION PANEL Automatic Plant Response 1. TACS Loop A outboard supply valve EG-HV-2522C fails closed. IF TACS is on the "A" Loop, it will automatically swap to "B" Loop.

2. Control Area Circulating Water Pump AP400 trips, if running, causing a trip of Control Area Chiller AK400 and Control Room Ventilation Train "A". Control Room Ventilation Train "B" automatically starts.
3. Loss of Reactor Building Ventilation due to closure of Supply and Exhaust Dampers.
4. "C" Channel PC IS initiation/actuation signals as a result of loss of power to RFE/RBE radiation monitors.

Control and Ind ication Failures General 1. Channei "C" LOP/LOCA Sequencer is inoperative. Automatic PCIS Isolations will not occur.

2. Loss of Division Ill (Channels "C" and "G") ECCS Auto Trip Units and Start Relays. - in general, process signal transmitter failures affecting initiation signals, minimum flow valves, and pressure permissives.
3. "C" FRVS Recirculation Fan receives a trip signal due to false Deluge Activation input.
4. RSP Channei "C" controls become inoperative.
5. Loss of voltage and ampere transducers for 1 CD41 3 and 1 CD4 1 4 Battery Chargers.

EDGC 1. Loss of power to "C" EDG Remote Engine Panel.

2. Diesel control and indication transmitters failed.
3. Electronic Governor will not operate. Mechanical Governor not affected.
4. The "C" EDG will start and breaker will close during a LOP.

Core Spray 1. Channel "C" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. PCIS Channei "C" LOCA Level 2 isolations do not occur.

RHR 1. Channei "C" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. LPCI system injection valve F01 7C will not automatically open when RPV pressure drops below the permissive setpoint with a LOCA Level 1 signal.
3. F01 7C cannot be opened manually below the permissive setpoint.
4. "C" pump minimum flow valve will not automatically close.

8

LR-N 1 8-0032 Enclosure HPCI LAR H 1 8-02 1. HPCI will not automatically initiate from High Drywell Pressure or Low RPV Level from Channels "C" or "G".

2. HPCI will not automatically trip on the following trip conditions:
a. RPV Level 8 from Channel "C" or "G"
b. Division 3 Isolation Signals.
3. Division 3 1nboard Steam Line Isolation Valve F002 and Warmup Valve F 1 00 do not close on the following signals:
a. Low Steam Line pressure
b. High Turbine exhaust diaphragm pressures.
c. High Steam Line flow.
4. Vacuum Breaker Isolation Valve F079 does not isolate with High Drywell Pressure and Low Steam Pressure.

1 DJ481 DISTRIBUTION PANEL Automatic Plant Response 1. TAGS Loop B outboard supply valve EG-HV-2522D fails closed. I F TAGS is on the "B" Loop, it will automatically swap to the "A" Loop.

2. RWCU pump suction outboard containment isolation valve HV-F004 fails closed due to a false SLC Pump Start Signal. This causes RWCU isolation and pump trip.
3. Control Area Circulating Water Pump BP400 trips, if running, causing a trip of Control Area Chiller BK400 and Control Room Ventilation Train "B". Control Room Ventilation Train "A" automatically starts.
4. Loss of Reactor Building Ventilation due to closure of Supply and Exhaust Dampers..
5. "D" Channel PCIS initiation/actuation signals as a result of loss of power to RFE/RBE radiation monitors.

Control and Ind ication Failures General 1. Channel "D" LOCA/LOP Sequencer is inoperative. Channel "D" PCIS Isolations will not occur.

2. Loss of Division IV (Channels "D" and "H") ECCS/RCIC Auto Trip Units and Start Relays

- in general, process signal transmitter failures affecting initiation signals, minimum flow valves, and pressure permissives.

3. "D" FRVS Recirculation Fan receives trip signal due to false Deluge Actuation Signal input.
4. Loss of control for "D" Channel at RSP.
5. Loss of voltage and ampere transducers for 1 DD41 3 and 1 DD4 1 4 Battery Chargers.
6. Channel "D" and "H" Trip Unit Output failures.

EDG D 1. Loss of power to "D" EDG Remote Engine Panel.

2. Diesel control and indication transmitters failed.
3. Electronic Governor is powered by 1 25 VDC and not affected. Mechanical Governor is not affected.
4. The "D" EDG will start and breaker will close during a LOP.

9

LR-N 1 8-0032 Enclosure Core Spray LAR H 1 8-02 1. Channel "D" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. PCIS Channel "D" LOCA Level 2 Isolations do not occur.

RHR 1. Channel "D" will not automatically initiate on High Drywell Pressure or Low RPV Level.

2. LPCI system injection valve F01 7D will not automatically open when RPV pressure drops below the permissive setpoint with a LOCA Level 1 signal present.
3. F01 7D cannot be opened manually below the permissive setpoint.
4. "D" pump minimum flow valve will not automatically close.

ADS 1. Channel "D" will not automatically initiate.

2. SRV "P" will not perform LO-LO Set Function.

RCIC 1. RCI C will not automatically initiate on low RPV Level from a Channel "D" Level Transmitter.

2. RCI C does not automatically trip on the following trip conditions:
a. RPV Level 8 from Channel "D" Level.
b. Division 4 Isolation Signals.
3. RCIC steam line Inboard Isolation Valve F007 and Warmup Valve F076 do not close on the following signals:
a. Low Steam Line pressure.
b. High Turbine exhaust diaphragm pressure.
c. High Steam Line flow.
4. Vacuum Breaker Isolation Valve F084 does not isolate with High Drywell Pressure and Low Steam Line Pressure.

1 AJ482 DISTRIBUTION PANEL Automatic Plant Response 1. TACS Loop A inboard supply valve EG-HV-2522A closes. I F TACS was on the A Safety Auxiliaries Cooling System (SACS) Loop, the standby SACS pump starts and the B and D TACS Supply and Return valves open. Water sluices from B SACS Loop to A SACS Loop due to TACS Loop A inboard return valve HV-2496A failing as is (open). B and D TACS Supply and Return valves isolate when 'B' SACS Loop Expansion Tank reaches Lo-Lo-Lo Setpoint.

2. RWCU pump suction inboard containment isolation valve HV-F001 closes due to false "A" SLC Pump operating signal. Both RWCU Pumps trip.
3. FPCC Filter/Demin Outboard Inlet Isolation Valve HV-4676A closes. If the filter/demin is in service, then the B FPCC pump will trip if it was in service. The A FPCC pump will not trip due to loss of power to trip logic, and the pump will remain inservice with no flow path.

Control and Ind ication Failures 1. "A" EDG will not respond to LOCA, LOP, or Control Room Manual Start Signals.

2. Loss of 1 E Analog Logic Cabinet 1 AC655 will result in the loss of Division 1 /Channel "A" analog instrumentation. Analog indicators will fail in the mid-scale position. Digital Status Indicators (valve positions, pump status, etc.) will be lost.

1 0

LR-N 1 8-0032 Enclosure LAR H 1 8-02

3. Loss of 1 E Digital Logic Cabinet 1 AC652 will result in the loss of control and status indication for Non-ECCS Division 1 /Channei "A" components, including alarm and computer input.
4. Division 1 components of HPCI, RHR and Core Spray will lose status indication only. All Manual and Automatic Signals remain functional.
5. The "A" SLC Pump will not respond to a Control Room manual start command.
6. If FPCC filter/demin was in service, A Fuel Pool Cooling Pump will continue to run but will lose running indication. EC-HV-4689B, Filter Demin Bypass Valve must be opened to establish a flow path.

1 BJ482 DISTRIBUTION PANEL Automatic Plant Response 1. TACS inboard supply valve EG-HV-2522B closes. I F TACS was on the B Loop, the Standby SACS pump starts and the A and C TACS Supply and Return valves open.

Water sluices from A SACS Loop to B SACS Loop due to HV-2496B failing as is (open).

A and C TACS Supply and Return valves isolate when 'A' SACS Loop Expansion Tank reaches Lo-Lo-Lo Setpoint.

2. FPCC Filter/Demin Inboard Inlet Isolation Valve EC-HV-4676B and Outlet Isolation Valve EC-HV-4678 close (the running Fuel Pool Cooling pump will not have a discharge path)
3. RWCU pump suction outboard containment isolation HV-F004 closes due to false "B" SLC Pump operating signal. Both RWCU Pumps trip.

Control and Ind ication Failures 1. "B" EDG response to LOP, LOCA or Control Room Start Signals will be inhibited.

2. Loss of 1 E Analog Logic Cabinet 1 BC655 will result in the loss of Division 2/Channel "B" analog instrumentation. Analog indicators will fail in the mid-scale position. Digital status indicators (valve positions, pump status, etc.) will be lost.
3. Loss of 1 E Digital Logic Cabinet 1 BC652 will result in the loss of control and status indication for Non-ECCS Division 2/Channel "B" components, including alarm and Computer Input.
4. Division 2 components of RCIC, RHR and Core Spray will lose status indication only. All Manual and Automatic Signals remain functional.
5. The "B" SLC Pump will not respond to a Control Room manual start command.
6. IF FPCC filter/demin was in service, B Fuel Pool Cooling Pump will continue to run but will lose running indication. EC-HV-4689A, Filter Demin Bypass Valve must be opened to establish a flow path.

1 CJ482 DISTRIBUTION PANEL Automatic Plant Response 1. TACS Loop A outboard supply valve EG-HV-2522C closes. I F TACS was on the A SACS Loop, the Standby SACS pump starts and the B and D TACS Supply and Return valves open. Water sluices from B SACS Loop to A SACS Loop due to Loop A outboard return valve HV-2496C failing as is (open). B and D TACS Supply and Return valves isolate when 'B' SACS Loop Expansion Tank reaches Lo-Lo-Lo Setpoint.

2. Reactor building ventilation system (RBVS) exhaust outboard isolation damper GU-HD-941 4A fails closed, causing trips of RBVS.

1 1

LR-N 1 8-0032 Enclosure Control and Ind ication Failures LAR H 1 8-02 1. EDG "C" response to LOP, LOCA or Control Room Start Signals will be inhibited.

2. Loss of 1 E Analog Logic Cabinet 1 CC655 will result in the loss of Division 3/Channei "C" analog instrumentation. Analog indicators will fail in the mid-scale position. Digital status indicators (valve positions, pump status, etc.) will be lost.
3. Loss of 1 E Digital Logic Cabinet 1 CC652 will result in the loss of control and status indication for Non-ECCS Division 3/Channel "C" components, including alarm and computer input.
4. Division 3 components of HPCI, RHR and Core Spray will lose status indication only. All Manual and Automatic Signals remain functional.

1 DJ482 DISTRIBUTION PANEL Automatic Plant Response 1. TAGS Loop B Outboard Supply Valve EG-HV-2522D closes. I F TAGS was on the B SACS Loop, the Standby SACS pump starts and the A and C TAGS Supply and Return valves open. Water sluices from A SACS Loop to B SACS Loop due to TAGS Loop B outboard return valve HV-2496D failing as is (open). A and C TAGS Supply and Return valves isolate when 'A' SACS Loop Expansion Tank reaches Lo-Lo-Lo Setpoint.

2. Both RWCU Pumps trip due to a false, HV-F004 not 1 00% open, signal.

Control and Ind ication Failures 1. EDG "D" response to LOP, LOCA, or Control Room Start Signals will be inhibited.

2. Loss of 1 E Analog Logic Cabinet 1 DC655 will result in the loss of Division 4/Channel "D" analog instrumentation. Analog indicators will fail in the mid-scale position. Digital status indicators (valve positions, pump status, etc.) will be lost.
3. Loss of 1 E Digital Logic Cabinet 1 DC652 will result in the loss of control and status indication for Non-ECCS Division 4/Channei "D" components, including alarm and computer input.
4. Division 4 components of RCIC, RHR and Core Spray will lose status indication only. All Manual and Automatic Signals remain functional.

2.2 Current Technical Specification Requirements The current TS 3.8.3. 1, "Onsite Power Distribution Systems, Distribution - Operating", Limiting Condition for Operability (LCO) provides a list of AC power distribution system channels which shall be energized in OPERATIONAL CONDITIONS 1, 2 and 3. This list includes the following:

Channel A 1 20 volt AC distribution panels 1AJ481/1AJ482 and inverters AD481 /AD482 Channel B 1 20 volt AC distribution panels 1 BJ481/1 BJ482 and inverters BD481 /BD482 Channel C 1 20 volt AC distribution panels 1 CJ481/1 CJ482 and inverters CD481 /CD482 Channel D 1 20 volt AC distribution panels 1 DJ481 /1 DJ482 and inverters DD481 /DD482 TS 3.8.3. 1 ACTION d states, "With one or both inverters in one channel inoperable, energize the associated 1 20 volt AC distribution panel(s) within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and restore the inverter(s) to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />; or be in at least HOT SHUTDOWN within the next 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />."

SURVEILLANCE REQUI REMENT 4.8.3. 1 states, " Each of the above required power distribution system channels shall be determined energized in accordance with the Surveillance 1 2

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Frequency Control Program by verifying correct breaker/switch alignment and voltage on the busses/MCCs/panels."

The OPERABI LITY of the AC and DC power sources and associated distribution systems during operation ensures that sufficient power will be available to supply the safety related equipment required for (1 ) the safe shutdown of the facility and (2) the mitigation and control of accident conditions within the facility. The minimum specified independent and redundant AC and DC power sources and distribution systems satisfy the requirements of General Design Criteria 1 7 of Appendix "A" to 1 0 CFR 50.

"Energized" 1 20V AC distribution panels [A-D]J48[1 /2] require the panels to be energized to their proper voltage from the associated inverter via inverted DC voltage, inverter using the normal AC source, or Class 1 E backup AC source via voltage regulator. OPERABLE inverters require the associated 1 20 VAC distribution panels ([A-D]J48[1 /2]) to be powered by the inverter with output voltage within tolerances, and power input to the inverter from the associated station battery. Alternatively, the power supply may be from an internal AC source via rectifier as long as the OPERABLE station battery is available as the uninterruptible power supply."

2.3 Reason for the Proposed Change Consistent with the objectives of the Nuclear Regulatory Commission's (NRC's) policy entitled "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement," (PRA Policy Statement; Reference 1 4), the proposed change provides (1 ) safety decision-making enhanced by the use of PRA insights, (2) more efficient use of resources, and (3) a reduction in unnecessary burden. The proposed inverter Allowed Outage Time (AOT) extension would provide these benefits by supporting the ability to complete on-line corrective or planned maintenance of an inoperable inverter. These benefits are described in the following table:

NRC PRA Policy Statement Objective Anticipated Benefits of Proposed Inverter AOT Enhanced Efficient Reduction I n Extension Decision-Use Of Unnecessal)i making Resources Burden Provide additional time to complete repairs following X

X an inverter malfunction; Avert unplanned unit shutdowns and minimize the X

X X

potential need for NOED; Increase the time to perform troubleshooting, repair, and testing following inverter equipment problems, X

X which will enhance the safety and reliability of equipment and personnel; Allow time to perform routine maintenance activities on the inverters in MODES 1 through 3, enhancing the ability to focus quality resources on the activity X

X X

and the availability of the inverters during refueling outage periods.

TS 3.8.3. 1 Action d currently allows only 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to troubleshoot and repair one or both inoperable AC inverters in one channel, perform post-maintenance testing, and return them to service. The 24-hour AOT was based on engineering judgment, taking into consideration the 1 3

LR-N 1 8-0032 Enclosure LAR H 1 8-02 time required to repair an inverter and the additional risk to which the unit is exposed because of the inverter inoperability.

Mitigating strategies have been implemented to address emergent issues within the current 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> AOT. These include prepared safety tag outs for inverter troubleshooting and repair, and maintaining stocks of capacitors and burned-in replacement circuit cards. However, as discussed below, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> AOT can be insufficient in certain instances to support on-line troubleshooting, corrective maintenance, and post-maintenance testing in response to emergent issues. Hope Creek performs preventative maintenance on the safety related UPS units during each refueling outage. There are no current plans to perform routine preventive maintenance on a scheduled basis at power. Should the need for such maintenance be identified as a result of component performance, the necessary preventive maintenance would be planned and scheduled in accordance with PSEG procedures for on-line work management.

If an inverter becomes inoperable due to an emergent issue, the inverter troubleshooting and repair process requires proper electrical safety tagging to be established. The troubleshooting process begins with physical inspection of the UPS panels, and fuse and alarm checks. Upon completion of repairs, and depending on which circuit cards have been removed and replaced, adjustments are performed.

Post maintenance testing is required before returning the UPS to service. Depending on the corrective maintenance, an inverter functional test may also be required.

Experience both at HCGS and at other nuclear power plants has shown that the current 24-hour AOT for restoration of an inoperable inverter is insufficient in certain instances to support on-line troubleshooting, corrective maintenance, and post-maintenance testing while the unit is at power. In 2008, Class 1 E inverter CD482 was inoperable for 1 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> and 42 minutes due to a failure of a power supply board. HCGS has entered TS 3.8.3. 1 LCO due to an inoperable inverter 3 times since 201 0. The actual durations were 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> in 201 0, 1 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> and 1 5 minutes in 201 3, and 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 35 minutes in 201 5. I n these instances, the causes of the failures were quickly diagnosed and there were already contingency work orders in place.

In the 201 3 event, the 00481 inverter automatically swapped, as designed, to the backup AC supply. Inspection and initial troubleshooting determined there was a blown fuse in the inverter input which led to the power loss. After the initial troubleshooting and replacement of the blown fuse, operators attempted to restore the normal power supply to the 00481 inverter but the fuse blew again. Additional troubleshooting determined the blown fuses were due to a failed inverter control circuit card. Six circuit cards were replaced to restore the inverter to OPERABLE status.

The replacement cards were removed from another plant inverter, not required by LCO 3.8.3. 1,

and installed in 00481.

I n each of the above instances, the inoperable inverter was returned to OPERABLE status within the allowed outage time. The emergent issues were quickly identified, replacement parts were readily available, and extensive post-maintenance testing and component tuning was not required. However, if the emergent issue had required complex troubleshooting or more extensive post-maintenance testing, or if backup, burnt in replacement components were not available on site, the process of returning the inverter to OPERABLE status could have taken more than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The recommended burn-in period for replacement circuit cards is 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br /> to properly ensure the integrity of the card.

1 4

LR-N 1 8-0032 Enclosure LAR H 1 8-02 A review of 1 0 CFR 50.72 event notifications identified 3 instances since 2003 in which plant shutdowns were initiated as required by Technical Specifications when the time to complete inverter troubleshooting and repair exceeded the 24-hour allowed outage time. Other nuclear power plants have had similar instances of inverter failures prompting requests for enforcement discretion (NOED) and for License Amendments for inverter TS Completion Time extensions from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days. Callaway was granted enforcement discretion in 201 2 for an additional period of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> to restore an inverter to OPERABLE status. FPL Energy Seabrook, LLC received NRC approval of enforcement discretion for an additional 1 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an inoperable (i.e., failed) distribution panel inverter. The basis for the NOED was that the 24-hour AOT did not provide adequate time to troubleshoot the problem, complete the repair activities, and perform post-maintenance testing to return the inverter to operable status. The Nine Mile Point Unit 2 and Watts Bar Unit 1 nuclear stations received enforcement discretion in 2003 and 2001,

respectively, to extend the Completion Time for an inoperable distribution panel inverter. The NRC approvals of the above NOEDs and license amendments for the Clinton, North Anna, Braidwood, Byron and Palo Verde Stations are detailed in Section 4.2 of this evaluation. These approved amendments demonstrate that the current 24-hour Allowed Outage Time for restoration of an inoperable inverter can, in some cases, be insufficient to support on-line troubleshooting, corrective maintenance, and post-maintenance testing which could lead to unplanned unit shutdowns and the potential need for NOEDs.

Conclusion The proposed AOT increase does not increase the potential for a loss of required instrumentation. While operator actions are required in response to the inoperability of one or both inverters in a single channel, the proposed change will reduce the immediate demands on the operations staff preparing for a potential plant shutdown. Once approved, this LAR will better focus the operators on risk significant actions, as compared to actions that are based upon qualitative completion times.

2.4 Description of the Proposed Change TS 3.8.3. 1 ACTION d is being revised as shown below:

With one or both inverters in one channel inoperable, energize the associated 1 20 volt AC distribution panel(s) within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and restore the inverter(s) to OPERABLE status within 24 7 days; or be in at least HOT SHUTDOWN within the next 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

3.0 TECHNICAL EVAL UATION

3. 1 Deterministic Assessment The proposed change increases the allowed outage time for one or both inverters in one channel inoperable.

The traditional engineering considerations need to be addressed. These include defense-in depth and safety margins. The fundamental safety principles on which the plant design is based cannot be compromised. Design basis accidents are used to develop the plant design.

These are a combination of postulated challenges and failure events that are used in the plant design to demonstrate safe plant response. Defense-in-depth, the single failure criterion, and 1 5

LR-N 1 8-0032 Enclosure LAR H 1 8-02 adequate safety margins may be impacted by the proposed change and consideration needs to be given to these elements.

3. 1. 1 Defense-In-Depth
1) Preservation of a reasonable balance among the lay ers of defense The proposed licensing basis change does not significantly reduce the effectiveness of a layer of defense that exists in the plant design before the implementation of the proposed licensing basis change.

The defense in depth approach to designing and operating HCGS was and continues to be used in order to prevent and mitigate accidents that could release radiation or hazardous materials. This approach provides for multiple independent and redundant layers of defense to compensate for potential human and mechanical failures which ensures that no single layer, no matter how robust, is exclusively relied upon. Defense in depth includes the use of access controls, physical barriers, redundancy, diverse key safety functions, and emergency response measures.

The robust plant design to survive hazards and minimize challenges that could result in the occurrence of an event is not affected by the proposed change. The proposed extended AOT does not increase the likelihood of initiating events or create new significant initiating events. It simply provides a risk-informed basis for the completion time. There are a number of actions that are competed by the operations staff as required for the automatic response of the plant when there is a loss of vital instrumentation. This LAR has the effect of balancing some of the demands on the operations staff. Once approved, the LAR will permit more focused operator and maintenance technician attention upon risk significant actions, as compared to actions that are based upon qualitative AOTs.

The availability and reliability of Systems, Structures or Components (SSG) providing the safety functions that prevent plant challenges from progressing to core damage are not significantly impacted. The remaining OPERABLE 1 20 VAG inverters are capable of supplying the required loads to safely shutdown the plant.

The proposed extension of the AOT for one or both inverters in a channel from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days does not significantly reduce the effectiveness of the emergency preparedness program, including the ability to detect and measure releases of radioactivity, notify offsite agencies and the public, and shelter or evacuate the public as necessary.

2) Preservation of adequate capability of design features without an overreliance on programmatic activities as compensatory measures The proposed licensing basis change does not substitute programmatic activities for design features to an extent that significantly reduces the reliability and availability of design features to perform their safety functions without overreliance on programmatic activities.

No programmatic activities are required as compensatory measures to preserve adequate capability of design features during the extended AOT. Only 3 inverter channels, as described in Section 2. 1, are necessary to supply the safety related equipment required for (1 ) the safe shutdown of the facility and (2) the mitigation and control of accident conditions 1 6

LR-N 1 8-0032 Enclosure LAR H 1 8-02 within the facility. Therefore, one or both inverters in a channel being inoperable do not impact the ability of the system to perform its required function.

HCGS uses abnormal operating procedures which provide direction for operator actions in response to a loss of a 1 20 VAC inverter. Restoration of power to the associated 1 20 VAC distribution panels and restoration of affected plant components to normal lineup are also controlled by plant procedures as referenced by the abnormal operating procedure. While timely actions are required when there is a loss of vital instrumentation, this LAR will reduce the immediate demands on the operations staff preparing for a potential plant shutdown.

Administrative controls consistent with other licensees that have received similar extensions of the inverter allowed out-of-service time, as described in Section 4.2 of this Enclosure will be implemented. The administrative controls described below are qualitative, prudent actions. Entry into the extended inverter AOT will not be planned concurrent with EDG maintenance, and entry into the extended inverter AOT will not be planned concurrent with planned maintenance on another ECCS/RCIC or isolation actuation instrumentation channel that could result in that channel being in a tripped condition.

These actions are taken because it is recognized that with an inverter inoperable and the distribution panel being powered by the backup AC distribution system, continued instrument power for that train is dependent on power from the associated EDG following a loss of power event.

3) Preservation of sy stem redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the sy stem, including consideration of uncertainty The proposed licensing basis change does not significantly reduce the redundancy, independence, or diversity of systems.

The proposed extended AOT makes no changes to the system operation or design and therefore has no effect on the expected frequency of challenges or result in a decrease in redundancy, independence, or diversity of the 1 20 VAC power system. Also, redundant power supplies and operator actions are not impacted by these changes. If a redundant channel should fail or be taken out of service during the extended AOT, Hope Creek would be in TS 3.0.3, requiring a plant shutdown. This requirement is unchanged by this LAR.

The proposed extended AOT is consistent with the assumptions in the plant's safety analysis, and does not result in a significant increase in risk.

4) Preservation of adequate defense against potential Common Cause Failures (CCFs)

The proposed licensing basis change does not significantly reduce defenses against CCFs that could defeat the redundancy, independence, or diversity of the layers of defense; fission product barriers; and the design, operational, or maintenance aspects of the plant.

The extension requested does not reduce defenses against CCF. In fact, these extensions allow more deliberate and thorough troubleshooting following an emerging failure, which can improve the causal evaluations performed for equipment issues. Better understanding of any emergent failure causes could lead to investigations or actions to improve the reliability of the unaffected inverters.

1 7

LR-N 1 8-0032 Enclosure LAR H 1 8-02 In addition, the operating environment for these components remains unchanged and there are no changes to the design or operation of the inverters associated with the proposed change, so new common cause failure modes are not introduced. There are no changes to the common environment, inverter or support system design, therefore there are no changes to existing coupling factors. The extended allowed outage time affects none of these factors. The extent of condition performed as a part of any failure of a safety-related piece of equipment will address these issues as required by plant administrative procedures.

Therefore, the defense against potential CCFs remains adequate.

5) Maintain multiple fission prod uct barriers The proposed licensing basis change does not significantly reduce the effectiveness of the multiple fission product barriers.

The fission product barriers (fuel cladding, reactor coolant system, and containment) and their effectiveness are maintained. The proposed changes do not affect the integrity of fission product barriers to limit leakage to the environment. Extending the AOT of the 1 20 VAC inverters does not result in a significant increase in the frequency of existing challenges to the integrity of the barriers, significantly increase the failure probability of any individual barrier, or introduce new or additional failure dependencies among barriers.

6) Preserve sufficient d efense against human errors The proposed licensing basis change does not significantly increase the potential for or create new human errors that might adversely impact one or more layers of defense.

The proposed extended AOT does not require any new operator actions for the existing plant equipment or introduce the potential for new human errors. Guidance will be added to existing procedures to incorporate compensatory measures which control what equipment or systems will not be allowed to be taken out of service concurrent with an inverter out of service for planned maintenance. This is considered a minor change to the Configuration Risk Management Program which will not significantly increase the potential for, or create new, human errors that might adversely impact one or more layers of defense. No new operating, maintenance, or test procedures are required due to these changes, and no new at-power tests or maintenance activities are expected to occur as a result of these changes.

The plant will continue to be operated and maintained as before.

7) Continue to meet the intent of the plant's d esign criteria The proposed licensing basis change does not affect the plant's ability to meet the intent of the design criteria referenced in the licensing basis.

The intent of the Hope Creek design criteria is maintained. The plant will continue to be operated and maintained as before. The proposed changes do not involve any physical changes to the design or operation of the 1 20 VAC Distribution system. The ability of the remaining TS required inverters to perform their required functions is maintained during the extended AOT.

1 8

LR-N 1 8-0032 Enclosure

8)

Integrated Evaluation of the Defense-in-Depth Considerations LAR H 1 8-02 There are no changes to the current plant design. The intent of each defense-in-depth consideration addressed above would still be met following implementation of the proposed extended AOT. Therefore, the proposed licensing basis change maintains consistency with the defense-in-depth philosophy.

3. 1.2 Safety Margin The impact of the proposed change is consistent with the principle that sufficient safety margins are maintained.

Codes and Standards or alternatives approved for use by the NRC are met. The design and operation of the 1 20 VAC distribution system is not changed by proposed increase of the AOT. The proposed change does not affect conformance with applicable codes and standards.

Safety analysis acceptance criteria in the UFSAR are met. The safety analysis acceptance criteria, as stated in the Hope Creek UFSAR, are not impacted by these changes. Redundant channels will be maintained. Diversity, with regard to ensuring that sufficient power will be available to supply the safety related equipment required for ( 1 )

the safe shutdown of the facility and (2) the mitigation and control of accident conditions within the facility will be maintained. The minimum specified independent and redundant AC and DC power sources and distribution systems will continue to satisfy the requirements of General Design Criteria 1 7 of Appendix A to 1 0 CFR 50. The proposed changes will not allow plant operation in a configuration outside the design basis.

3.2 Risk Assessment This risk assessment evaluates the proposed extension of the inverter Allowed Outage Times (AOT) from the current 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days using the Hope Creek Full-Power Internal Events (FPIE) PRA and Fire PRA Models of Record - HC1 1 7A and HC1 1 4FO, respectively.

The proposed Technical Specification change is to increase the AOT for one or both inverters in one channel. Consequently, this assessment postulates the conservative case of both inverters associated with a single channel of AC power taken out of service simultaneously:

Channel A: inverters AD481 & AD482 Channel 8: inverters 8D481 & 8D482 Channel C: inverters CD481 & CD482 Channel D: inverters DD481 & DD482 This greatly simplifies the presentation of results and risk insights without loss of fidelity.

The justification for the inverter extended Allowed Outage Time (AOT) is based upon risk informed and deterministic evaluations consisting of three main elements as cited in Regulatory Guide 1. 1 77:

1. Tier 1 : Assessment of the impact of the proposed TS change using a valid and appropriate PRA model as compared with appropriate acceptance guidelines.

1 9

LR-N 1 8-0032 Enclosure LAR H 1 8-02

2. Tier 2: Evaluation of equipment relevant to plant risk while the inverter(s) are in the extended AOT. Combinations of out-of-service equipment can be evaluated for their risk significance to determine if additional compensatory measures may be required.
3. Tier 3: Implementation of the Configuration Risk Management Program (CRMP) while the inverter(s) is/are in the extended Allowed Outage Time. The CRMP is used for all work and helps ensure that there is no avoidable increase in plant risk while any inverter maintenance is performed. These programmatic measures provide additional assurance that critical plant safety functions are preserved during the extended inverter AOT.

This section addresses the Tier 1 risk assessment for the proposed extension of the inverter AOT. Tier 2, a discussion of risk-significant plant configurations, is addressed in Section 3.2.5.

Hope Creek's Maintenance Rule CRMP satisfies Tier 3 as described in Section 3.2.6.

The NRC has issued Regulatory Guides to specify the risk measures that should be calculated to provide input into the decision making process. These risk measures include the following:

The change in Core Damage Frequency (L\\CDF) (Reg.Guide 1. 1 74)

(Reference 1 )

The change in Large Early Release Frequency (L\\LERF) Reg.Guide 1. 1 7 4 The I ncremental Core Damage Probability (ICCDP) (Reg.Guide 1. 1 77 )

(Reference 2)

The I ncremental Large Early Release Probability (ICLERP)

(Reg.Guide 1. 1 77)

These values are all calculated with the latest Hope Creek Models of Record, as specified above.

Hope Creek PRA Model and Its Attributes The Hope Creek Generating Station (HCGS) PRA internal events at-power model and documentation has been maintained current with the as-built, as-operated plant and is routinely updated to reflect the current plant configuration, as well as the accumulation of additional plant operating history and component failure data. The Level 1 and Level 2 HCGS PRA analyses were originally developed and submitted to the NRC as the Hope Creek Generating Station Individual Plant Examination (IPEEE) Submittal (Reference 9) in response to NRC Generic Letter 88-20 (Reference 1 0). The HCGS PRA has been updated many times since the original I PEEE. Table 3-1 summarizes these changes.

Table 3-1 H ISTORY OF HOPE CREEK GENERATING STATION PRA MODEL UPDATES MODEL INTERNAL FIRE TRUNCAT ION DESCRIPT ION EVENTS CDF DATE NAME CDF (N R)

(N R)

(N R)

I P E Originai i P E Submittal ( 1 994) 4.6E-511J Not Reported April 1 994 2000 N U P RA Model 8.89E-06 1 E-1 0 Dec. 2000 Full PRA u pg rade including Peer 2003A Review comments, ASM E PRA 3. 1 4 E-5 SE-1 1 August STD Gaps and conversion of 2003 model from N U P RA to CAFTA Rev. 2. 0A I ncludes PSE&G modifications

2. 78 E-5 SE-1 1 October 20

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Table 3-1 HISTORY OF HOPE CREEK GENERATING STATION PRA MODEL UPDATES MODEL INTERNAL FIRE TRUNCATION NAME DESCRIPTION EVENTS CDF (IY R)

DATE CDF (IY R)

(IY R) on 480V AC dependencies, 2005 SACS, success criteria, and SACS-SW H EPs. (Also referred to as the "On the Spot Model" change.)

2005A Interim PRA model to address See 20058 See 20058 October conservatism in Rev. 2. 0A model.

2005 PRA model used as i n put for the EPU submittal. This model 2005 8 removes conservatism 1. 0 1 E-5 5E-1 1 November introduced in the Rev. 2. 0A 2005 model (e. g., SACS heat load manipulation H E Ps)

Mod ify 20058 EPU model to 2005C support online maintenance 9.76E-6 5E-1 1 February evaluations and MSPI 2006 calculations. <2>

Add plant modifications, u pdate Aug ust H C 1 08A H RA, u pdate internal flood,

7.60E-6 5 E-1 1 update data 2008 Add procedu re change to SSW/SACS heat exchanger discharge valve operation in H C 1 08B<3l AB. COOL-0002 and revision to

5. 1 1 E-6 1 E-1 2<3>

November internal flood frequencies based 2008 on latest EPRI Pipe Rupture Report, plus other model refinements.

H C 1 08BFO Initial issue of fire model.

3. 1 2 E-5 1 E-9 April 201 0 H C 1 1 1 A Updated to support the H C 1 1 1 A 4.20E-6 1 E-1 2 December model update.

201 1 H C 1 1 4AFO U pdated to resolve open F&Os 2. 1 8 E-5 1 E-1 1 December from 201 0 Peer Review.

201 5 H C 1 1 7A Updated to support the H C 1 1 7 A 5.91 E-6 1 E-1 2 December model update.

201 7

( 1 )

PSEG modified the success criteria for SACS/SSW and calculated a revised value of 1. 3E-05/yr.

(2)

The only P RA model change from the 20058 EPU PRA model to the 2005C Base PRA model is to reduce the Turbine Trip initiating event frequency from 1.25/yr to 1.03/yr to reflect plant specific operating h istory.

(3)

Note that the truncation limit has decreased from the 2000 N U PRA model to the current CAFTA model. This lower truncation limit is needed to meet the ASM E PRA Standard.

The at-power PRA models of the following hazards are considered:

Internal Events: Model developed in accordance with the ASME/ANS PRA Standard and Peer Reviewed 21

LR-N 1 8-0032 Enclosure Incremental conditional large early release probability (ICLERP)

These calculated conditional probabilities compared with the acceptance guidelines provide a perspective on the risk change during the proposed inverter extended AOT.

LAR H 1 8-02 An integrated assessment of the impact of the AOT extension is calculated assigning the "worst case" inverter unavailability. This calculation can then be used to calculate the change in CDF and LERF in comparison with the criteria set in Regulatory Guide 1. 1 7 4.

Regulatory Guide 1. 1 7 4 has acceptance guidelines which are described in SECY 99-246 (Reference 1 5) as "trigger points" at which questions are raised as to whether the proposed change provides reasonable assurance of adequate protection.

I n preparation for the AOT submittal, PSEG performed an extensive review of the PRA model, particularly those sequences that could be adversely impacted by inverter unavailability. In addition, external events with the possibility of affecting the PRA inputs were also examined for insights.

External events with potential quantitative influence on the results of the AOT assessment are incorporated in the model quantification.

Additionally, the PRA elements that may impact the inverters' function are also investigated to assess whether they may be influenced by the AOT extension. These include the following:

o Systems - no impact o

Operator Interactions - increases dependence on other channels of AC power during a loss of offsite power o

Success Criteria - no impact o

Accident Sequence progression - no impact o

Data - no impact o

Common Cause Failure - no impact o

Quantification - no impact The Hope Creek internal events PRA is a thorough and detailed PRA model that is robust and capable of supporting the risk-informed decision to increase the inverter AOT from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days. See Section 3.2. 1 for a discussion of the PRA technical adequacy.

3.2.2. 1. 1 Assumptions The quantitative evaluation of the extended inverter AOT incorporates a number of assumptions, listed below. Refer to Section 3.2.4 for further discussion of assumptions and model uncertainty.

Common-cause failure events are treated using the latest INEEL common cause data base developed under the auspices of the NRC.

23

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Each of the four channels of AC power supplies different loads of plant safety equipment; therefore, it is expected that the risk profiles of each are different.

One case for each channel is quantified with the relevant inverters' test-and maintenance basic events set to TRUE.

3.2.2. 1.2 Model Changes The Base PRA Model of Record (MOR}, HC1 1 7 A, has been reviewed for applicability for the HCGS AOT. To study the impact of the extended inverter AOT, five different cases are quantified - one base case with no changes, and one case for each of the four channels of AC power. As the Technical Specification change requested involves extended maintenance windows on the inverters (i.e., the 1 20 VAC distribution panels will remain energized by bypassing the inverters consistent with TS 3.8.3. 1 Action d), each case sets the channel's inverter test-and-maintenance (T&M) basic events to TRUE. These are specified in Table 3-2:

Table 3-2 I NVERTER BASIC EVENTS SET TO TRUE Case Basic Events Set to TRUE Base Case None

  • ACP-I NV-TM-AD481, I NVERTER 1AD481 U NAVAI LABLE DUE Channel A I nverters TO TEST AND MAI NT oos
  • ACP-I NV-TM-AD482, I NVERTER 1AD482 U NAVAI LABLE DUE TO TEST AND MAINT
  • ACP-INV-TM-BD481, I NVERTER 1 BD481 U NAVAILABLE DUE Channel B I nverters TO TEST AND MAINT oos
  • ACP-I NV-TM-BD482, I NVERTER 1 BD482 U NAVAI LABLE DUE TO TEST AND MAI NT
  • ACP-INV-TM-CD481, I NVERTER 1 CD481 U NAVAI LABLE DUE Channel C Inverters TO TEST AND MAINT oos
  • ACP-I NV-TM-CD482, I NVERTER 1 CD482 U NAVAI LABLE DUE TO TEST AND MAINT
  • ACP-INV-TM-DD481, I NVERTER 1 DD481 U NAVAILABLE DUE Channel D Inverters TO TEST AND MAI NT oos
  • ACP-I NV-TM-DD482, I NVERTER 1 DD482 U NAVAI LABLE DUE TO TEST AND MAINT Observations regarding model fidelity to the as-built, as-operated plant are tracked in the PSEG Update Requirement Evaluation (URE) database as a resource for potential model enhancement in the future. See Attachment 2 Section A. 1.5. No open observations or model discrepancies to be resolved regarding the inverters, AC power, or offsite power have been identified.

3.2.2. 1.3 I mpacted Power Loads Removing inverters from service impacts the reliability of the associated AC busses. Section

2. 1 of this describes some key Class 1 E loads supplied by each division of AC power that may be impacted (though not necessarily disabled) by the extended inverter AOT.

24

LR-N 1 8-0032 Enclosure LAR H 1 8-02 3.2.2. 1.4 Calculational Approach To determine the effect of the proposed 7 day AOT for restoration of an inoperable inverter, the guidance in Regulatory Guides 1. 1 7 4 and 1. 1 77 is used.

. Figure 3-1 can be used to conceptually describe the terms used in the risk metric calculation.

Thus, the following risk metrics are used to evaluate the risk impacts of extending the inverter AOT from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days:

Regulatory Guide 1. 1 7 4 LiCDF AVE =

change in the annual average CDF due to any increased on-line maintenance unavailability of the inverter(s) that could result from the increased Allowed Outage Time. This risk metric is used to compare against the acceptance guidelines of Regulatory Guide 1. 1 7 4 to determine whether a change in CDF is regarded as risk significant. These criteria are a function of the baseline annual average core damage frequency, CDFsASE*

LiLERFAvE =

change in the annual average LERF due to any increased on-line maintenance unavailability of the inverter(s) that could result from the increased Allowed Outage Time. Regulatory Guide 1. 1 7 4 acceptance guidelines were also applied to judge the significance of changes in this risk metric.

Regulatory Guide 1. 1 77 ICCDP1Nv =

Incremental conditional core damage probability with the inverter(s) out-of service for an interval of time equal to the proposed new Allowed Outage Time (7 days). This risk metric is used as suggested in NUMARC 93-01 to determine whether a proposed increase in Allowed Outage Time has an acceptably low risk impact.

Incremental core damage probability is the difference in the "configuration specific" CDF and the baseline (or the zero maintenance) CDF. The configuration-specific CDF is the annualized risk rate with the unavailabilities of the out-of-service SSCs set to one. The configuration-specific CDF may also consider the zero maintenance model (i.e., the unavailability of the out..:of-service SSC(s) is set to one, and the maintenance unavailability of the remaining SSCs is set to zero). This more closely reflects the actual configuration of the plant during the maintenance activity.

Plants should consider factors of duration in setting the risk management thresholds. This may be either the duration of a particular out-of-service condition, or a specific defined work interval (e.g. shift, week, etc.). The product of the incremental CDF (or LERF) and duration is expressed as a probability (e.g., incremental core damage probability - ICCDP, incremental large early release probability - ICLERP).

25

LR-N 1 8-0032 Enclosure LAR H 1 8-02 ICLERP1Nv = Incremental conditional large early release probability with the inverter(s) out-of service for an interval of time equal to the proposed new Allowed Outage Time (7 days). This risk metric from RG 1. 1 77 is used to determine whether a proposed increase in Allowed Outage Time has an acceptably low risk impact.

The evaluation of the above risk metrics is performed as follows.

The change in the annual average CDF due to the extension of the inverter Allowed Outage Time, ACDFAvE is evaluated by computing the following:

CDFAVE

= (_!A_J CDFINV-OOS + (1 -_!A_J CDFBase TCYCLE TCYCLE

[Eq. 1]

where:

CDFaAsE

=

Baseline annual average CDF with average unavailability of the inverters consistent with the current inverter Allowed Outage Time.

CDF!Nv-oos =

CDF evaluated from the PRA model with the inverter(s) out-of-service and appropriate measures implemented. These measures include, for example, prohibiting concurrent maintenance or inoperable status of the remaining AC power channels in accordance with Technical Specifications.

T A

=

Total outage time proposed for the AOT required for the maintenance action and testing of the inverter(s) (i.e., 7 days).

T cycle

=

For this AOT extension, the cycle is assumed to be a calendar year, 1 2 months where:

ACDFAvE of operation (365 days) 7 days 358 days CDFAVE

=

CDFINV-OOS X

+ CDFBase X---

365 days 365 days iJCDFA vE = CDFA vE - CDFsAsE

[Eq. 2]

[Eq. 3]

=

Average CDF based on a 7 day inverter OOS and "cycle" of one calendar year.

=

Difference between CDFsAsE (i.e. the current Technical Specifications on the inverter(s)) and the CDF for an average 1 2-month cycle with the inverter Allowed Outage Time extended to 7 days.

Figure 3-1 provides a graphical display of the cycle evaluation for the RG 1. 1 74 risk evaluation.

26

LR-N 1 8-0032 Enclosure LAR H 1 8-02 A similar approach was used to evaluate the change in the average LERF due to the requested Allowed Outage Time, ilLERFAvE:

[Eq. 4]

where:

LERFsAsE

=

Baseline annual average LERF with an inverter unavailability consistent with the current Allowed Outage Time. This is the LERF result of the current baseline PRA. (See discussion under CDFsAsE above.)

LERF1Nv-oos=

LERF evaluated from the PRA model with the inverter(s) out-of-service and appropriate measures implemented. These measures include, for example, prohibiting concurrent maintenance or inoperable status of the remaining AC power channels in accordance with Technical Specifications.

&ERF

= LERFA vE -LERFBASE

[Eq. 5]

The evaluation was performed based on the assumption that the extended Allowed Outage Time would be applied once per year (for each channel), hence TA = 7 days. The cycle time is taken to be one year.

TcrcLE = 3 65 days The incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) are computed using their definitions from Regulatory Guide 1. 1 77. In terms of the above defined parameters, the definition of ICCDP is as follows:

ICCDP = (CDFINv-oos - CDFBAsE) TAor ICCDP = (CDFINv-oos - CDFBAsE) * (7 days) I (365 days/year)

ICCDP = (CDFINv-oos - CDFBAsE)

[Eq. 6]

[Eq. 7]

[Eq. 8]

Note that in the above formula 365 days/year is merely a conversion factor to provide the Allowed Outage Time units consistent with the CDF frequency units. The ICCDP values are dimensionless probabilities to evaluate the incremental probability of a core damage event over a period of time equal to the extended Allowed Outage Time.

Similarly, ICLERP is defined as follows:

ICLERP

= (LERFINv-oos - LERFBASE)

[Eq. 9]

Finally, it is noted that ilCDFAvE and ICCDP, as defined above, are in fact equal since TcvcLE is taken to be one year. The same is true of ilLERFAvE and ICLERP.

27

LR-N 1 8-0032 Enclosure BEFORE TECH SPEC CHANGE c

D F

AFTER TECH SPEC CHANGE c

D F

CDFeAsE CDFeAsE T

Tcycle CDFAvE T

Figure 3-1 :

Evaluation Used for Reg. Guide 1. 1 74 Calculation<1J 3.2.2.2 Results and Impacts 3.2.2.2. 1 Quantified Results LAR H 1 8-02 1'

Refuel 1'

Refuel The Hope Creek at-power Models of Record (HC1 1 7A and HC1 1 4FO) were quantified for five cases - one base case, and one for each channel's inverters set out-of-service (see Section 3.2.2. 1.2). Both models were truncated as prescribed in their respective Quantification Notebooks; FPI E to 1.00E-1 2/yr, and Fire to 1.00E-1 1 /yr (References 1 7 & 1 8). The resulting CDF and LERF metrics for each case studied are presented in Table 3-3 and Table 3-4 respectively.

<1>

Calculation assu mes the inverter outage occu rs with in one ( 1 ) calendar year and that the ACD F is for that calendar year.

28

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Although the Fire model contributes larger absolute values to the totals, the risk metrics calculated in Section 3.2.2.2.2 depend on the deviation from the base case; therefore, the FPIE model is of much greater consequence.

Table 3-3

SUMMARY

OF QUANTIFIED CDF Case I nternal Events Fire Total CDF (/yr)

CDF(/yr)

CDF (/yr)

Base Case MOR 5.91 E-06 1.80E-05 I

2.39E-05 I

Channel A I nverters OOS 1.02E-05 1.92E-05 2.94E-05 Channel B I nverters OOS 1. 1 3E-05 1.99E-05

3. 1 3E-05 Channel C I nverters OOS 9.95E-06 1.88E-05 2.87E-05 Channel D I nverters OOS 1.02E-05 1.82E-05 2.85E-05 Table 3-4

SUMMARY

OF QUANTIFIED LERF Case Internal Events Fire Total LERF (/yr)

LERF (/yr)

LERF (/yr)

I Base Case MOR I

1.84E-07 I

2.25E-06 II 2.44E-06 I

Channel A I nverters OOS 4.43E-07 2.48E-06 2.92E-06 Channel B I nverters OOS 6.02E-07 2.28E-06 2.88E-06 Channel C I nverters OOS 4.54E-07 2.45E-06 2.90E-06 Channel D I nverters OOS 4.85E-07 2.28E-06 2.77E-06 3.2.2.2.2 Calculated CDF and LERF Metrics Table 3-5 summarizes the calculated values for the NRC-specified risk metrics (¿CDF, ¿LERF, ICCDP, and ICLERP) for the proposed change to the inverter AOT for each of the four inverter channels. These results, calculated from the data in Table 3-3 and Table 3-4 as defined in Section 3.2.2. 1.4, are produced as specified by the NRC in RG 1. 1 74, and RG 1. 1 77. Table 3-6 through Table 3-9 provide example calculations of these metrics.

29

LR-N1 8-0032 Enclosure LAR H 1 8-02 Table 3-5 COMPARISON OF QUANTITATIVE RESULTS WITH ACCEPTANCE GUIDELINES (TOTAL OF I NTERNAL AND EXTERNAL EVENTS)

L\\CDFAvE I ICCDP L\\LERFAvE I ICLERP Acceptance Criteria 1.00E-6 1.00E-7 Channel A Inverters OOS 1.06E-07 9.30E-09 Channel 8 I nverters OOS 1.41 E-07 8.54E-09 Channel C Inverters OOS

9. 1 9E-08 8.93E-09 Channel D I nverters OOS 8.65E-08 6.31 E-09 Table 3-6 SAMPLE ¿CDF CALCU LATION FOR HOPE CREEK - I NVERTERS OOS Average CDF after AOT Extension Included. Channel A COFAvE = 2. 94E-051yr * (7 days I 365 days) + 2.39E-051yr * (358 days I 365 days)

COFAvE = 2. 40E-051yr Change in CDF. Channel A L1COF = CDFAvE - CDFaASE L1CDF = 2. 40E-05/yr - 2. 39E-051yr1J L1CDF = 1. 06E-071yr Legend:

¬CDF =

Change in the annual average CDF due to any increased on-line maintenance u navailability of the inverters that could result from the increased Allowed O utage Time. Th is risk metric is used to com pare against the acceptance g uidelines of Regu latory Guide 1. 1 74 to determine whether a change in CDF is regarded as risk sig nificant. These criteria are a function of the baseline annual average core damage frequency, CDFeASE*

¬LERF =

Change in the annual average LERF due to any increased on-line maintenance u navailability of the inverters that could result from the increased Allowed O utage Time. Reg ulatory Guide 1. 1 7 4 acceptance g u ideline were also applied to judge the significance of changes in this risk metric.

CDFeAsE =

Application-specific CDF for average maintenance.

30

LR-N 1 8-0032 Enclosure LAR H 1 8-02 CDFAvE =

Average CDF incorporating a 7 day i nverter OOS and based on a one calendar year.

Table 3-7 SAMPLE ALERF CALCULATIONS FOR HOPE CREEK - I NVERTERS OOS Average LERF after AOT Extension Included. Channel A LERFAvE = LERF/Nv-oos * (TAl TcvcLEJ + LERFaASE * (1 - TAl TcvcLE)

LERFAvE = 2. 92E-061yr * (7 days I 365 days) + 2.44E-06 * (358 days I 365 days)

LERFAvE = 2. 45E-061yr Change in LERF. Channel A LJ.LERF = LERFAvE - LERFaAsE LJ.LERF = 2. 45E-061yr - 2. 44E-061yr LJ.LERF = 9. 30E-91yr Table 3-8 SAMPLE ICCDP CALCULATION - I NVERTERS OOS Channel A ICCOP = (COFINv-oos - CDFaAsEJ * (TA I TcvcLE)

/CCDP = (2. 94E-051yr - 2. 39E-051yr) * (7 days I 365 dayslyr)

JCCDP = 1.06E-07 Table 3-9 SAMPLE ICLERP CALCULATION - I NVERTERS OOS Channel A

/CLERP = (LERFINv-oos - LERFaAsE) * (TA I T cYCLE)

JCLERP = (2. 92E-061yr - 2. 44E-061yr) * (7 days I 365 dayslyr)

/CLERP = 9. 30E-07 3.2.2.3 Risk I nsights The risk insights described in this section are intended to be folded into the Hope Creek Configuration Risk Management Program (CRMP).

3.2.2.3. 1 Distribution of Risk Contributors The distribution of initiating event and accident class contributors for the results generated by the Hope Creek Application-Specific Model (ASM) have been reviewed. As the risk metrics depend on the difference between each case and the base case, the importance measures of interest are those of the delterm cutsets, i.e. the difference in the two cutset files. I n this 31

LR-N 1 8-0032 Enclosure LAR H 1 8-02 evaluation, the FPI E metrics are much more risk-significant to the overall result than Fire, so these importance measures are presented for FPIE only. Table 3-1 0 and Table 3-1 1 present the initiating events' importance measures for delterm FPIE CDF and LERF; Table 3-1 2 and Table 3-1 3 present the same for the various accident classes.

32

LR-N 1 8-0032 Enclosure I nitiator

%1 E-TE

% l E-TT

% FLTB-CW

%1 E-SORV2

% 1 E-SWS

%FLFPS-R BU

%I E-SACS

% 1 E-MLRHR

% 1 E-MLRECI RC

%I E-TC

%FLFPS-CD Table 3-1 0 I NITIATING EVENT CONTRIBUTORS TO DELTA FPIE CDF Channel A Channel S Description CDF CDF LOSS OF OFFSITE POWER I N ITIATING 4.36 E-06 95.0%

5.37E-06 95.4%

EVENT TURBI N E TRIP WITH BYPASS

6. 1 6 E-08 1.3%

9.36E-08 1.7%

TURBIN E B U I LD I N G FLOOD 3.36 E-08 0.7%

6.60E-08 1.2%

2 or More SORVs 2.05E-08 0.4%

4.00E-09

0. 1 %

LOSS OF SERVICE WATER I N ITIATI NG 1.94 E-08 0.4%

1. 59 E-08 0.3%

EVENT FPS R U PTURE IN RB U PPER LEVELS 1. 54 E-08 0.3%

2.01 E-08 0.4%

LOSS OF SACS I NITIATI NG EVENT 1. 07E-08 0.2%

8.78E-09 0.2%

Medium LOCA - R H R 9. 99E-09 0.2%

1. 35 E-09 0.0%

Medium LOCA - Reactor Recirculation 8.71 E-09 0.2%

1.69E-1 0 0.0%

LOSS O F CONDENSER VAC U U M 8. 1 1 E-09 0.2%

1.08 E-08 0.2%

FPS R U PTURE IN CONTROL DIESEL 6.79E-09

0. 1 %

1.00 E-08 0.2%

B U I L D I N G Other 3.30E-08 0.7%

3.07E-08 0.5%

Total 4.58E-06 1 00%

5.63E-06 1 00%

33 LAR H 1 8-02 Chan nei C Chan nei D CDF CDF

4. 1 4 E-06 96.8%

4.32 E-06

95. 3%

4.45E-08 1. 0%

4.89 E-08 1. 1 %

4.57E-09

0. 1 %

7.49 E-09 0.2%

3.59E-09 0. 1 %

4.09E-09

0. 1 %

O.OOE+OO 0.0%

1. 82E-1 0 0.0%

1. 57E-08 0.4%

1. 86 E-09 0.0%

O.OOE+OO 0.0%

9. 08E-1 1 0.0%
2. 1 4 E-1 0 0.0%
9. 08E-1 1 0.0%

4.27E-1 1 0.0%

O.OOE+OO 0.0%

5. 1 7 E-09
0. 1 %

5.72E-09

0. 1 %

5.25E-08 1.2%

1.35 E-07 3.0%

9.48 E-09 0.2%

1. 1 4 E-08 0.3%

4.27E-06 1 00%

4. 54E-06 1 00%

LR-N 1 8-0032 Enclosure I nitiator

%1 E-TE

%FLFPS-CD

% l E-TT

%1 E-SWS

%I E-MS

%FLTB-CW

%I E-SACS

%1 E-SORV2 Table 3-1 1 I NITIATING EVENT CONTRI BUTORS TO DELTA FPIE LERF Channel A Channel S Description LERF LERF LOSS OF OFFSITE POWER I NITIATING 2.59E-07 95.5%

4.09E-07

96. 1 %

EVENT FPS R U PTURE IN CONTROL DIESEL 2. 72 E-1 2 0.0%

5.23E-1 0

0. 1 %

B U I LDING TURB I N E TRIP WITH BYPASS 3.47E-09 1.3%

5.66 E-09 1. 3%

LOSS OF SERVI C E WATER I N ITIATING 1. 88 E-09 0.7%

1. 32 E-09 0.3%

EVENT MAN UAL SH UTDOWN I NITIATI NG EVENT 1. 79 E-09 0.7%

2.36 E-09 0.6%

TU RBI N E BUILDING FLOOD 1. 05E-09 0.4%

1. 7 1 E-09 0.4%

LOSS OF SACS I N ITIATI NG EVENT 1.00 E-09 0.4%

6.98E-1 0 0.2%

2 or More SORVs 6.65E-1 0 0.2%

1. 02 E-1 0 0.0%

Other 2.35E-09 0.9%

4. 1 3 E-09 1. 0%

Total 2.72 E-07 1 00%

4.26E-07 1 00%

34 LAR H 1 8-02 Channel C Channei D LERF LERF 2.67E-07 96.4%

2. 86E-07
93. 1 %
6. 96E-09 2.5%

1. 83 E-08 6.0%

1. 7 1 E-09 0.6%

1. 9 1 E-09 0.6%

O.OOE+OO 0.0%

O. OOE+OO 0.0%

3.68E-1 0

0. 1 %

4.60E-1 0 0.2%

1.66E-1 1 0.0%

3. 07E-1 1 0.0%

O.OOE+OO 0.0%

O.OOE+OO 0.0%

8.86 E-1 1 0.0%

9.81 E-1 1 0.0%

7. 8 1 E-1 0 0.3%

2.73E-1 0

0. 1 %

2.77E-07 1 00%

3.07E-07 1 00%

LR-N 1 8-0032 Enclosure Table 3-1 2 ACCI DENT CLASS CONTRIBUTORS TO DELTA FPIE CDF Channel A Channel S Channel C Class Description CDF CDF CDF lA Loss of inventory makeup at high reactor pressu re 1. 7 1 E-06 37.3%

1.4 1 E-06 25.0%

8.64 E-07 20.2%

I B E Loss o f inventory makeup during an early station 8.01 E-07 1 7.5%

1.25E-06 22.2%

6.76E-08 1.6%

blackout I B L Loss o f inventory makeup during a late station 9.77E-08 2. 1 %

9.89E-08 1. 8%

1.42 E-07 3.3%

blackout IC Loss of inventory makeup induced by an A TWS; 8.30E-09 0.2%

5.69E-09

0. 1 %
2. 1 4 E-1 0 0.0%

containment intact I D Loss of i nventory makeup at low reactor

7. 73E-07 1 6. 9%

pressure

2. 1 4 E-06 38.0%

3.09E-06

72. 3 %

I I Loss o f containment heat removal 1. 1 2 E-06 24.4%

7. 1 3E-07 1 2. 7%

1. 07E-07 2.5%

l iT Loss of containment heat removal, core damage 4.58 E-1 0 0.0%

O.OOE+OO 0.0%

O.OOE+OO 0.0%

post -repressu rization I l i B Small or medium LOCA, reactor cannot 4. 85E-08 1. 1 %

5.63E-1 1 0.0%

4.27E-1 1 0.0%

depressurize IIIC Medium or large LOCA, reactor has no low-

4. 36E-09
0. 1 %

3.88E-09

0. 1 %

3.89E-09

0. 1 %

pressu re injection I l i D LOCA or RPV failure, vapor suppression i s 4.58 E-1 1 0.0%

5.63E-1 1 0.0%

O.OOE+OO 0.0%

i nadequate, loss of makeup IV Failure to scram 2.65E-08 0.6%

1. 35 E-08 0.2%

1.28E-1 0 0.0%

v U nisolated LOCA outside containment O. OOE+OO 0.0%

O.OOE+OO 0.0%

O.OOE+OO 0.0%

Total 4.58E-06 1 00%

5.63E-06 1 00%

4.27E-06 1 00%

35 LAR H 1 8-02 Chan nel D CDF

9. 1 4E-07
20. 1 %

1.23E-07 2.7%

1.47 E-07 3.2%

1. 82 E-1 0 0.0%

3.24E-06 7 1.3%

1. 1 5 E-07 2.5%

4.54 E-1 1 0.0%

O. OOE+OO 0.0%

4.36E-09

0. 1 %

O.OOE+OO 0.0%

9.08E-1 1 0.0%

O.OOE+OO 0.0%

4. 54E-06 1 00%

LR-N 1 8-0032 Enclosure Table 3-1 3 ACCI DENT CLASS CONTRI BUTORS TO DELTA FPIE LERF Channel A Chan nel S Chan nel C Class Description LERF LERF LERF lA Loss of inventory makeup at high reactor pressure 2. 1 2 E-08 7.8%

1. 52 E-08 3.6%

2.47E-08 8.9%

I B E Loss o f inventory makeup duri ng an early station 1.65 E-07 60.7%

2.85E-07 67.0%

1.23E-08 4.4%

blackout I B L Loss o f inventory makeup during a late station O.OO E+OO 0.0%

O.OOE+OO 0.0%

O.OOE+OO 0.0%

blackout IC Loss of inventory makeup induced by an A TWS; 6.79 E-1 1 0.0%

4.26 E-1 1 0.0%

O.OOE+OO 0.0%

containment intact I D Loss o f inventory makeup a t low reactor pressu re 6.72E-08 24.8%

1. 1 7 E-07 27.5%

2.40E-07 86.6%

I I Loss o f containment heat removal O. OOE+OO 0.0%

O. OOE+OO 0.0%

O.OOE+OO 0.0%

l iT Loss of containment heat removal, core damage O. OOE+OO 0.0%

O. OOE+OO 0.0%

O.OOE+OO 0.0%

post-repressurization 1118 Small or medium LOCA, reactor cannot 1. 75E-09 0.6%

O. OOE+OO 0.0%

O. OOE+OO 0.0%

depressurize I I IC Medium or large LOCA, reactor has no low-1. 03 E-1 0 0.0%

9.79E-1 1 0.0%

8.86 E-1 1 0.0%

pressu re injection I l i D LOCA or RPV failure, vapor suppression i s 2. 1 7 E-1 1 0.0%

2. 1 3 E-1 1 0.0%

O.OOE+OO 0.0%

inadequate, loss of makeup IV Failure to scram 1.62 E-08 6.0%

8.05E-09 1. 9%

3. 88E-1 1 0.0%

v U nisolated LOCA o utside containment O. OOE+OO 0.0%

O. OOE+OO 0.0%

O. OOE+OO 0.0%

Total 2. 72 E-07 1 00%

4.26E-07 1 00%

2.77E-07 1 00%

36 LAR H 1 8-02 Channei D LERF 2.62 E-08 8.6%

1.67E-08 5.5%

O.OOE+OO 0.0%

O.OO E+OO 0.0%

2.64E-07 86.0%

O.OOE+OO 0.0%

O. OOE+OO 0.0%

O. OOE+OO 0.0%

9.81 E-1 1 0.0%

O.OOE+OO 0.0%

3.68 E-1 1 0.0%

O.OOE+OO 0.0%

3. 07E-07 1 0

LR-N 1 8-0032 Enclosure 3.2.2.3.2 Observations from the Risk Metric Calculations LAR H 1 8-02 Several observations may be made from the results and importance measures presented in the previous subsections.

First, a loss of offsite power (LOOP) is overwhelmingly significant to the change in plant risk metrics due to the considered AOT change. This initiator accounts for about 95% of §CDF and

§LERF for all four inverter channels. Such a high importance comports with the inverters' sole, vital function as part of AC power distribution to Class 1 E equipment - any change in plant risk due to their maintenance must naturally proceed from a challenge to AC power. The other initiators contribute negligible amounts of risk.

Next, the difference in risk-significant accident classes between the four channels is attributed to the difference in AC power loads they supply.

All four channels serve their respective trains of several plant systems; it is assumed that these common systems do not give rise to the differences in risk-significance:

o Emergency Diesel Generators (EDGs) o Residual Heat Removal (RHR) o Core Spray (CS) o Service Water (SW) o Safety Auxiliary Cooling System (SACS)

Channel A:

This channel supplies the High Pressure Coolant I njection (HPCI) System and Suppression Pool Cooling Train A (SPC A). The CDF increase from taking these inverters out-of-service therefore results most often in a loss of inventory at high pressure (Class lA - 37%) and a loss of containment heat removal (Class I I - 24%). Loss of inventory at low pressure (Class I D

- 1 7%) i s less significant compared to other channels as core damage tends to occur before depressurization. A station blackout is significant in the early timeframe (Class I BE - 1 8%) as this is when injection is most critical. Early station blackout is also the most likely to lead to a large early release (Class I BE - 61 %) due to a reliance on either the RCIC turbine driven pump or prompt recovery of offsite AC power.

Channel B:

This channel supplies the Reactor Core Isolation Cooling (RCIC) System, as well as Suppression Pool Cooling Train B (SPC B) and the Automatic Depressurization System (ADS). It has a similar accident profile as Channel A, though core damage occurs less frequently due to loss of inventory at high pressure (Class lA - 25%) and more frequently at low pressure (Class I D - 38%). This is because the plant is more likely to successfully depressurize with the HPCI System (supplied by Channel A) in service. The successful operator action to inhibit ADS is a significant contributor to this (Fussei-Vesely 24%). Loss of containment heat removal is somewhat less important (Class I I - 1 3%). Early station blackout is similarly significant regarding core damage (Class IBE - 22%) and large early releases (Class IBE - 67%), again due to the importance of early injection, the HPCI turbine-driven pump, and prompt offsite AC power recovery.

37

LR-N1 8-0032 Enclosure LAR H 1 8-02 Channel C:

This channel supplies the Low Pressure Coolant I njection (LPCI) System.

A large majority of both the CDF and LERF increases when removing this channel from service is due to a loss of inventory at low pressure (Class I D

- 72% CDF, 87% LERF), which LPCI i s designed to mitigate. The remainder is mostly via loss of inventory at high pressure (Class lA -

20% CDF, 9% LERF). Considering station blackout, it is notable that the late timeframe (Class I BL - 3.3%) is relatively more important than the early (Class IBE - 1.6%), in contrast with Channels A and B. This re iterates the importance of low-pressure injection sources.

Channel D:

This channel also supplies the Low Pressure Coolant I njection (LPCI)

System, as well as the Automatic Depressurization System (ADS). Its accident profile is very similar to Channel C, with a large contribution coming from loss of inventory at low pressure (Class I D - 71 % CDF, 86% LERF) and most of the remainder from loss of inventory at high pressure (Class lA - 20% CDF, 9% LERF).

Turning to the Fire model, examination of the delterm cutsets reveals that the change in fire risk is overwhelmingly due to fires that damage the ADS logic trips, resulting in a spurious ADS actuation and subsequent Large LOCA. This ultimately leads to core damage through a variety of different accident sequences, depending on which channel's inverters are out-of-service. For Channel D, which shows the lowest increase in fire risk, this effect is less pronounced and is about equally significant with a loss-of-feedwater induced by Condensate System failures.

Overall, though, these changes in fire risk are significantly less important than those noted above for internal events risk.

The PRA model results were reviewed and it was determined that the individual failure of a -

482 inverter has a risk increase equivalent to about 80% of the risk increase for failure of two inverters on that channel. This approximation is fairly consistent for LlCDF / ICCDP and LlLERF

/ ICLERP results and for each channel. An individual failure of a -48 1 inverter results in a much lower risk increase compared to the risk increase for the failure of two inverters on that channel.

This result is consistent with the results described in 3-1 0 through 3-1 3 which attribute most of the risk increase to loss of offsite power (LOOP) scenarios. Following a LOOP with only the -

482 inverter aligned to the backup power, the associated EDG will not automatically start and the higher voltage busses on that channel will not be energized. Following a LOOP with only the -481 inverter aligned to the backup power, the unaffected -482 inverter will shift to battery supplied power and start the EDG. The 1 20 VAC buses powered by the -481 inverter will initially be de-energized and will be reenergized as the EDG comes on line. Therefore, the risk increase associated with only the -481 inverter is much lower than the risk increase with only the -482 inverter.

Finally, the values for LlCDF / ICCDP and LlLERF / ICLERP reported in Table 3-5 compare favorably to the acceptance guidelines established by the N RC in Regulatory Guides 1. 1 7 4 and 1. 1 77, standing about an order of magnitude below the limit across the board. Therefore, no matter which inverter is taken out-of-service for maintenance, there is generous margin in the risk metrics. Of the two metrics, LlCDF / ICCDP is the most limiting; of the four inverter channels, Channel B is the most limiting. Removing this channel from service impacts the most safety systems, including RCIC, SPC B, and ADS, plus the EDG, RHR, CS, SW, and SACS systems common to all channels. It should again be noted that the Technical Specification 38

LR-N 1 8-0032 Enclosure LAR H 1 8-02 the randomness of seismic capacity). Therefore, a given seismic event that fails one inverter is highly likely to fail all the others, as well. Qualitatively, the inverters are "all or nothing", and increasing the maintenance outage period of a single channel will have a minimal effect on plant seismic risk. Accordingly, the seismic t.CDF / ICCDP and t.LERF / ICLERP for this risk evaluation are expected to be negligible.

Additionally, a bounding estimate of the change in risk metrics due to seismic hazards may be made based on the FPI E Model of Record, which was developed to the standards set by Regulatory Guide 1.200 (Reference 3). The incremental change in seismic CDF (i.e., core damage due to a seismic initiating event) may be calculated by applying Bayes' Theorem to Equation 6:

ICCDP = (CDFINv-oos - CDFaAsEJ *TAoT

[from Eq. 6]

Seismic ICCDP = [(CDFJNv-oos AND Seismic IE) - {CDFaAsEAND Seismic IE)J*TAoT Seismic ICCDP = [P(Seismic IE)*CDFJNv-oosiSeismic IE

- P(Seismic IE)*CDFaAsEI Seismic IEJ*TAoT Seismic ICCDP = P(Seismic IE) *[CDFtNv-oosiSeismic IE - CDFaAsEISeismic IEJ*TAoT

[Eq. 1 0]

where P(Seismic IE) represents the probability of a seismic initiating event, CDFtNv oosi Seismic IE is the CDF given a seismic initiating event and the inverters out-of service, CDFaAsEISeismic IE is the CDF given a seismic initiating event for the base model, and TAoT represents the cycle fraction (i.e. 7 days divided by 365 days = 1.92E-02).

The equation above considers all seismic initiators; however, for the purposes of this risk evaluation, the scope can be limited to seismic loss of offsite power (LOOP) initiating events.

From Table 3-1 0 and Table 3-1 1, it can be seen that such accident sequences are overwhelmingly responsible for the change in CDF and LERF, contributing 95% of both risk metrics for all four channels. Given that the inverters' sole function is to protect the availability of AC power, it is assumed that any change in seismic risk metrics will similarly arise from a seismic LOOP event. Specifying Equation 1 0 therefore yields:

Seismic ICCDP c P(Seismic LOOP) *[CDFJNv-oosi Seismic LOOP

- CDFaAsEISeismic LOOPJ*TAoT

[Eq. 1 1]

A calculation for Seismic ICLERP is similarly developed:

Seismic ICLERP c P(Seismic LOOP) *[LERFJNv-oosiSeismic LOOP

- LERFaAsEISeismic LOOPJ*TAoT

[Eq. 12]

The frequency of a seismic LOOP can be calculated based on the peak ground acceleration exceedance curves from the most recent Seismic Hazard and Screening Report (Reference 23,, Table A-1 ). Conservatively taking the median fragility of offsite power components to be 0. 1 5 g Peak Ground Acceleration (compared to a determined value of 0.31 g in the I PEEE seismic assessment), this frequency has a mean of 6.67E-05 /yr and is considered bounding.

The CDF (or LERF) given a seismic LOOP may be estimated by quantifying the FPI E Model of Record (HC1 1 7A) with the LOOP initiator (%1E-TE) set to TRUE and all other initiators set to 40

LR-N 1 8-0032 Enclosure LAR H 1 8-02 FALSE. This consequently fails all equipment dependent on offsite power. It is conservatively assumed that offsite power recovery is not possible - these basic events are also set to TRUE.

Additionally taking an inverter channel out-of-service (as detailed in Section 3.2.2. 1.2) allows a bounding calculation of the change in seismic CDF or LERF due to the extended AOT.

This approach is conservative in two ways. First, in a seismic PRA developed per Regulatory Guide 1.200, similar equipment in similar plant locations would have highly correlated seismic failure probabilities (as noted above). A seismic event that fails one inverter is highly likely to fail all the others, as well; the fact that one may be out-of-service is irrelevant, and there would be no change in risk metrics due to the extended AOT. Second, assuming offsite power recovery is not possible conservatively discredits mitigating actions for seismic accident sequences with lower peak ground accelerations, which are exponentially more likely given the hazard curves.

Table 3-1 4 presents the estimated LOOP CDFs and LERFs resulting from these model quantifications:

Table 3-1 4 ESTIMATED LOOP CDF AND LERF Case CDF (/yr)

LERF (/yr)

Base Case MOR 2.25E-05 9.91 E-07 Channel A Inverters OOS 1.36E-04 2.53E-06 Channel B I nverters OOS 1.31 E-04 3.33E-06 Channel C I nverters OOS 8.64E-05 2.51 E-06 Channel D I nverters OOS 1. 1 1 E-04 3.42E-06 41

LR-N1 8-0032 Enclosure Flood Protection Features LAR H 1 8-02 HCGS relies on both passive and active incorporated flood protection features to establish its design basis flood protection.

Doors and penetrations in exterior walls of the Auxiliary and Reactor Buildings are protected against water inflow up to Elevation 1 27' for parts of the south exterior walls and up to Elevation 1 21 ' of other exterior walls.

Penetrations in exterior walls and slabs of the Station Service Water System intake structure are protected against water inflow up to Elevation 1 21 ' for the north and east exterior walls and up to Elevation 1 28.5' for other exterior walls and slabs.

These flood protection features include the buildings themselves, penetration seals, waterproofing, and watertight doors. These features are part of the design and licensing basis of the plant and have clearly defined hydraulic capability characteristics. During HCGS's response to the Fukushima Near-Term Task Force's Recommendation 2.3 (References 24, 25 and 26), HCGS's flood protection features were reviewed and demonstrated to show adequate margin above design basis flood elevations. The flooding walkdown report provides additional information on the flood protection features credited in the HCGS licensing basis. Performance of the walkdowns provided confirmation that flood protection features are in place, are in good condition, and will perform as credited in the current licensing basis. Minor issues were entered into the PSEG Corrective Action Program (CAP). No operability concerns were identified.

As shown in Table 2. 1 -3 of PSEG's response to the subsequent request for information (Reference 27), watertight door thresholds at HCGS are at Elevation 1 02'. The plant's design basis flood protection features are established to mitigate the effects of a hurricane storm surge event, with the flood protection elevations at Elevation 1 2 1 ' or higher.

HCGS flood protection features do not include any temporary elements that require proceduralized manual actions in order for the feature to perform its intended flood protection function. The watertight doors are the only active flood protection features at HCGS. The remaining flood protection features are passive and continually maintain their full hydraulic capability.

I PEEE Screening The HCGS IPEEE (Reference 1 9) considered plant performance versus the feasible maximum hurricane surge with a coincident ten-percent-exceedance high tide. This postulated condition results in a maximum wave run-up of 35.4 ft. Mean Sea Level (MSL) along the southeast face of the Reactor Building and a small corner face of the Auxiliary Building. Additionally, the Service Water Intake Structure may be subject to waves which could overtop the roof of the western portion at 39 feet above MSL.

The HC IPEEE also examined the NRC Probable Maximum Precipitation (PMP) requirements associated with Generic Letter 89-22 (Reference 28) concerning plant area flood runoff depth, finding that the requirements delineated therein are met. There are no new plant area flood runoff depths to evaluate.

All "other external events" identified in NUREG/CR-2300 have been screened out by bounding probabilistic analyses that demonstrate a core damage frequency of less than the IPEEE 43

LR-N 1 8-0032 Enclosure LAR H 1 8-02 screening criterion of 1 E-6/yr or by compliance with the 1 975 Standard Review Plan (SRP) criteria.

Re-evaluated Flood Hazard As discussed in the Flood Hazard Reevaluation Report (FHRR) (Reference 27), HCGS is susceptible to flooding above plant grade from Local Intense Precipitation (LIP) and storm surge based flooding events. Probable Maximum Flood events that address the effects of upstream riverine flooding only produce flood levels above plant grade when combined with storm surge events. Other flooding mechanisms postulated in NUREG/CR-7046 (Reference 30) do not produce sufficient water surface elevations in the Delaware River and Bay to cause flooding in excess of plant grade. Section 1.3 of the FHRR additionally notes there have been no changes to the flood protection features themselves since initial licensing. Finally, procedural actions have been enhanced to respond to potential flood threats.

3.2.3.3.2 Qualitative Discussion of External Flooding Risk This subsection provides a detailed qualitative assessment based on recent analyses and current procedures that indicate that the external flooding risk is very low. Acceptable margin to the risk evaluation acceptance criteria is preserved when accounting for flooding hazards, given the current state-of-knowledge.

Frequency of External Flooding Mechanisms LI P and storm surge based flooding events that produce water levels that challenge the plant's design basis flood protection features are very rare - the associated exceedance probabilities are 1 E-6 or less, as discussed in Section 2.4 of Reference 27, and further in References 31, 32, and 33. The annual exceedance probability of flood levels that could exceed the watertight door thresholds did not need to be calculated for the FHRR; however, PSEG did assess these levels during its development and subsequent activities (Reference 34).

Based on a representative analysis performed by EPRI (Reference 35), the rainfall rate used in Section 2. 1 of the FHRR to evaluate the LIP event is estimated to have an annual exceedance probability between 1 E-7 and 1 E-9. To support development of a trigger to implement watertight door closure for a LI P event, PSEG assessed the rate of rainfall required to exceed watertight door thresholds. Based on the same conservative modeling approaches described in the FHRR, Section 2. 1, approximately 6 inches of rain in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> could challenge the threshold.

Conservatively, a trigger of a predicted 6 inches of rain in the next 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is now used to prompt watertight door closure in advance of a heavy rainfall event (Reference 36). After the critical rainfall threshold was determined, a simplified rainfall frequency analysis was performed using historical gage data in the area to determine how often the critical threshold could be exceeded. The exercise was not intended to be a comprehensive statistical frequency analysis or exhaustive review of area rainfall records; rather, the intent of compiling rainfall data was to get a general understanding of how often the thresholds have been exceeded in the past. Five inches of rainfall was conservatively used as the threshold and the recurrence intervals were estimated to be approximately 25 years for a 24-hour storm and 50 years for the 6-hour storm.

In 201 3, the US Army Corps of Engineers (USAGE) completed a Storm Surge Study for Federal Emergency Management Agency (FEMA) Region Ill, which encompasses the Delaware River and Bay areas (Reference 37). This study estimated still water surface elevations of 1 0.7 ft.

44

LR-N 1 8-0032 Enclosure LAR H 1 8-02 and 1 2. 1 ft. above the North American Vertical Datum (NAVD) for recurrence intervals of 500 and 1 000 years, respectively. These elevations equate to approximately site grade and the watertight door threshold, respectively.

I mpact of External Flooding Mechanisms on Plant Operation and Structures. Including the Ability to Cope with Upset Conditions As discussed in the FHRR, the reevaluated flooding events could produce flood levels that are above the watertight door thresholds, but below the plant's minimum flood-protected elevation of 1 21 ft. The plant's design basis flood protection features are established to mitigate the effects of a hurricane storm surge event. Protection of safety related systems, structures, and components (SSCs) is ensured by implementing severe weather guidance document OP-AA-1 08-1 1 1 -1 00 1, "Severe Weather and Natural Disaster Guidelines" and abnormal operating procedure HC.OP-AB.MISC-0001, "Acts of Nature". Performance of the walkdowns provided confirmation that flood protection features are in place, are in good condition and will perform as credited in the current licensing basis. Minor issues were identified and entered in the PSEG corrective action program. No operability concerns were identified.

The overall strategy for protecting HCGS from a flooding event requires simple and straightforward actions. Response to a flood event begins with the Control Room Supervisor monitoring the National Weather Service for storm warnings once per shift per OP-HC-1 1 2-1 0 1 -

1 001 -F2, "Control Room Supervisor - Relief Checklist". Plant safety is then ensured by implementing severe weather guidance and an abnormal operating procedure instructing operators to close watertight doors. The FHRR provides additional discussion of the temporal characteristics of these hypothetical events in Section 2. 1 0.6. PSEG operators should be able to execute these procedures with no particular challenge.

Operating Experience Associated with Reliability of Flood Protection Measures Evaluation of the overall effectiveness of the HCGS flood protection features was performed and documented in the Hope Creek Generating Station Response to Recommendation 2.3:

Flooding Walkdown of the Near-Term Task Force Review of Insights from the Fukushima Daiichi Accident (Reference 24). The review of the flood protection features design and licensing documentation, and subsequent field inspection of the applicable physical flood protection features was implemented per the guidance provided within NEI 1 2-07(Reference 40). PSEG has implemented ER-AA-31 0-1 "Condition Monitoring of Maintenance Rule Structures" (Reference 41 }, for structures such as flood control features - concrete walls and slabs, water-control structure elements, penetration seals, etc. Specific instructions regarding the inspection of penetration seals are addressed in HC. FP-SV.ZZ-0026, "Flood and Fire Barrier Penetration Seal Inspection". I nstruction regarding the inspection and maintenance of the watertight doors is addressed in HC.MD-PM.ZZ-0007, "Missile Resistant and Watertight Door P.M.".

HCGS safe shutdown SSCs are currently protected by means of permanent passive and active features, i.e., watertight doors. Watertight door closure can be performed within the warning time provided by proceduralized triggers, as shown by HCGS operating experience (e.g., the flooding walkdown report in Reference 24 documents that closure can be performed within the required period of time following exceedance of a high river water level trigger). Therefore, the manual actions required to implement the flood response strategy (i.e., watertight door closure) are feasible and the overall implementation of the strategy is adequate.

45

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Walkdowns provided confirmation that flood protection features are in place, are in good condition, and will perform as credited in the current licensing basis. Minor issues were identified and entered in the PSEG CAP. No operability concerns were identified.

Reliability of Operator Actions Operator actions required for flood protection actions are contained in HC.OP-AB.MISC-0001,

Acts of Nature. This procedure would be entered for the following conditions that could result in onsite flooding:

A hurricane or tropical storm watch for Salem County is issued A hurricane or tropical storm warning for Salem County is issued A coastal flood warning for Salem County is issued Observation of severe weather conditions Delaware River Water Level is anticipated to reach 96 feet.

The National Weather Service Probabilistic Quantitative Precipitation Forecast (PQPF) predicts Local Intense Precipitation (LIP) to exceed 6 inches over the next 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Notification of a failure of the Francis E. Walter Dam (White Haven, PA), the Cannonsville Dam (Delaware County, NY), or the Pepacton Dam (Delaware County, NY)

Notification of a tsunami to strike the New Jersey coast The abnormal procedure directs operators to increase monitoring of river levels and perform closure of water tight doors onsite. Operators have indication available in the control room to monitor river conditions and the actions to close water tight doors can be completed by the minimum shift complement. Entry into the abnormal operating procedure under the conditions described above provides sufficient time to ensure completion before water levels reach 1 02 ft.

and impact system operations. Periodic testing of the watertight doors ensures their continued flood protection capability and demonstrates operator proficiency at performing this task.

3.2.3.3.3 Quantitative Treatment of External Flooding Risk A highly conservative bounding estimate for the change in external flood risk may be inferred with an approach similar to that used for seismic risk in Section 3.2.3.2 above. There is not enough data to state the overall, absolute quantitative impact of external flooding events with certainty; however, this calculation demonstrates that flooding events are not a significant contributor to the change in risk affected by the proposed inverter AOT extension.

As reported in Table 3-1 0, the change in plant CDF and LERF due to the AOT extension is almost entirely due to LOOP sequences - over 95% in all cases - comporting with the inverters' single, dedicated function in maintaining the availability of AC power. Therefore, it is assumed that any additional change in risk due to flood initiators must similarly involve a LOOP. That is, floods that do not cause a LOOP are taken to be negligible.

The extremely few documented cases of external floods in the operating history of the nuclear industry suggests that they are a remote possibility, though this is not taken as an evidentiary basis for this estimate. Instead, the severe weather LOOP frequency developed in the Hope Creek Initiating Events Notebook, which characterizes LOOPs resulting from storm surge, tornadoes, lightning strikes, etc., is considered. At Hope Creek, seasonal floods and dam breaks along the Delaware River are not credible, so external floods are a subset of severe 46

LR-N 1 8-0032 Enclosure LAR H 1 8-02 weather events. Because only LOOP sequences are relevant to this evaluation, the severe weather LOOP frequency appropriately bounds the contribution of external flood risk, as severe weather LOOPs are a superset of external flood LOOPs. This is visually illustrated in Figure 3-

2.

Figure 3-2: The set of external flood LOOPs (checked) is bounded by the set of severe weather LOOPs (striped) (not to scale).

Severe weather LOOP initiating events are one of the four sub-categories of LOOP events defined in the PRA. Split fractions for each are developed in the Hope Creek Initiating Events Notebook:

Grid-related (LOOP-I E-GR)

Plant-centered (LOOP-IE-PC)

Switchyard (LOOP-I E-SWYD)

Severe Weather (LOOP-I E-SW)

=

=

=

=

0.5866 0.0387 0.2778 0.0969 The external flood LOOP frequency is therefore simply the overall LOOP frequency

(%1 E-TE = 6. 1 7E-02 /yr) multiplied by the Severe Weather split fraction above (9.69%), yielding 5.98E-03 /yr.

Equations 1 1 and 1 2 were developed in Section 3.2.3.2 above to estimate the contribution of seismic LOOPs to ICCDP and ICLERP. They may be be similarly re-written here for the contribution of external flooding LOOP:

Ext. Flood ICCDP :::: f(Ext. Flood LOOP) *[CDF1Nv-oosiExt. Flood LOOP

- CDFaAsdExt. Flood LOOPJ*TAor

[Eq. 13]

Ext. Flood ICLERP :::: f(Ext. Flood LOOP) *[LERF1Nv-oos1Ext. Flood LOOP

- LERFaAsE!Ext. Flood LOOPJ*TAor

[Eq. 14]

The change in CDF and LERF for a generic LOOP event when the inverters are taken out-of-service is reported above in Table 3-1 4. These values were quantified conservatively assuming that LOOP recovery is not possible. Applying them, the external flood LOOP 47

LR-N 1 8-0032 Enclosure LAR H 1 8-02 frequency, and the cycle fraction ( TAor = 7 days / 365 days = 1.92E-02) to Equations 1 3 and 1 4 yields the estimates of flood ICCDP and ICLERP i n Table 3-1 6:

Table 3-1 6 ESTIMATED EXTERNAL FLOOD ICCDP AND ICLERP Case Ext. Flood ICCDP Ext. Flood ICLERP Channel A Inverters OOS 1.30E-08 1.77E-1 0 Channel 8 Inverters OOS 1.25E-08 2.69E-1 0 Channel C Inverters OOS 7.34E-09 1.74E-1 0 Channel D Inverters OOS 1.02E-08 2.79E-1 0 It m ust be noted that the risk figures developed above are considered to be a substantial overestimate of the result of a detailed external flood evaluation. For one, the set of severe weather events that can actually cause a flood is expected to be very small, so the use of the severe weather LOOP frequency is an overestimate of perhaps an order of magnitude or more.

Furthermore, no credit has been assigned for passive flood protections, such as penetration seals, and no consideration has been given to possible flood paths, affected elevations, storm drains, and other elements unique to external flooding.

While these figures lack realism, it can be stated with confidence that they represent an u pper bound on the impact of external flood scenarios. As they are approximately an order of magnitude smaller than the overall results presented in Table 3-5, this consideration of external flood risk does not change the conclusion of this risk evaluation.

3.2.3.4 Other External Hazards The IPEEE assessment either screened out or found a negligible impact from the remaining external events indicated in NUREG-1 407, those being:

Transportation and Nearby Facility Accidents Reduction of Secondary Heat Sink High Winds and Tornadoes Severe Weather Storms Severe Temperature Transients Avalanche, Landslide, and Volcanoes Lightning Release of On-Site Chemicals Soil Failure Turbine Missiles and Extraterrestrial Activity 48

LR-N 1 8-0032 Enclosure 3.2.4 Uncertainty Evaluation LAR H 1 8-02 The evaluation of the CDF and LERF risk metric changes for the AOT assessment has been supported by a detailed qualitative and quantitative uncertainty evaluation. Uncertainty is generally categorized into three types -- parametric, model, and completeness. These are each discussed in the following subsections.

3.2.4. 1 Parametric Uncertainty The parametric uncertainty study is developed with the Monte Carlo simulation utility UNCERT.

This software estimates the confidence bounds of the cutsets' total CDF or LERF by repeated re-samplings of the constituent basic event values. Attachment 3 documents this methodology in detail.

The parametric uncertainty analysis was performed for both the FPIE and Fire models' CDF and LERF for each of the four cases reported in Section 3.2.2.2. Each case's cutset file was re sampled 1 5,000 times with a uniform Monte Carlo method. Table 3-1 7, Table 3-1 8, Table 3-1 9 and Table 3-20 summarize the resulting descriptive statistics. These are:

Point Estimate - the result of quantifying the indicated case Estimated Mean - the mean of the re-samples' computed means

% Difference - the percent difference between the Estimated Mean and the Point Estimate 95% Confidence Interval - the interval estimate of the Estimated Mean at the 95%

confidence level Sample Standard Deviation - the mean of the resamples' computed standard deviations Standard Error of the Mean - the standard deviation of the Estimated Mean's sampling distribution; used to construct the 95% Confidence I nterval, and equal to the Sample Standard Deviation divided by the square root of the number of re-samples (1 5,000)

The point estimates used in the risk assessment are within the calculated 95% confidence intervals for all but the following cases:

Channel C Inverters Out-of-Service FPIE LERF Channel B Inverters Out-of-Service Fire CDF Channel C Inverters Out-of-Service Fire CDF However, even these cases' point estimates differ from the estimated mean by about only 2%,

indicating good agreement between the Monte Carlo simulation and the PRA models. This is true of all the other cases, as well. Due to the minimal difference between the point estimates and the Monte Carlo results, use of the point estimates for CDF and LERF are deemed acceptable for this risk assessment.

49

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Table 3-1 7 PARAMETRIC UNCERTAI NTY OF THE FPI E CDF RESULTS E

FPIE CDF Estimated 95% Confidence Sample Standard Point Mean

%Difference I nterval Standard E rror of Estimate Deviation the Mean Channel A 1. 02 E-05 1. 03 E-05 1. 1 %

[9. 9E-06, 1. 1 E-05]

2. 82 E-05

2. 30E-07 I nverters OOS Channel S 1. 1 3 E-05 1. 1 5 E-05 1. 8%

[ 1. 1 E-05, 1.2 E-05]

1. 50 E-05 1.22 E-07 I nverters OOS Channel C 9.95E-06 9. 95E-06

-0. 1 %

[9.8E-06, 1. 0 E-05]

8. 80 E-06

7. 1 9e-08 I nverters OOS Channei D 1. 02 E-05 1. 0 1 E-05

-1.3%

[9. 9E-06, 1. 0 E-05]

9. 50 E-06

7. 76 E-08 I nverters OOS N = 1 5, 000 Table 3-1 8 PARAMETRIC UNCERTAI NTY OF THE FPI E LERF RESULTS c:J FPI E LERF Estimated 95% Confidence Sample Standard Point Mean

%Difference I nterval Standard Error of the Estimate Deviation Mean Channel A I nverters 4.43E-07 4.37E-07

-1.2%

[4. 3 E-07, 4.5 E-07]

6.85E-07 5. 59E-09 oos Channel S I nverters 6.02 E-07

6. 1 5 E-07 2.2%

[6. 0E-07, 6. 3E-07]

9.49E-07 7. 75E-09 oos Channel C I nverters 4.54E-07 4.65 E-07 2.3%

[4.6E-07, 4.7E-07]

6.20E-07 5. 06 E-09 oos Channei D I nverters 4.85E-07 4. 89 E-07 0.8%

[4. 8E-07, 5. 0 E-07]

5. 97E-07 4. 87E-09 oos N = 1 5, 000 50

LR-N 1 8-0032 Enclosure B

Channel A I nverters oos Channel S I nverters oos Channel C I nverters oos Channei D I nverters oos N = 1 5,000 Case Channel A I nverters oos Channel S I nverters oos Channel C I nverters oos Chan nei D I nverters oos N = 1 5, 000 LAR H 1 8-02 Table 3-1 9 PARAMETRIC UNCERTAI NTY OF THE FIRE CDF RESULTS Fire CDF Estimated 95% Confidence Sample Standard Point Mean

% Difference I nterval Standard Error of the Estimate Deviation Mean 1.92 E-05 1. 93 E-05 0.5%

[ 1.9E-05, 1. 9E-05]

1. 1 5 E-05 9. 39 E-08 1. 99 E-05 2.02 E-05 1.2%

[2. 0E-05, 2. 0 E-05]

1. 1 3 E-05 9.23 E-08 1. 88 E-05 1. 9 1 E-05 1. 5%

[1. 9 E-05, 1.9 E-05]

1.56 E-05 1.27 E-07 1.82 E-05 1. 82 E-05

-0.2%

[ 1. 8 E-05, 1. 8 E-05]

6.48E-06 5.29E-08 Table 3-20 PARAMETRIC UNCERTAI NTY OF THE FIRE LERF RESULTS Fire LERF Estimated 95% Confidence Sample Standard Point Mean

% Difference I nterval Standard Error of the Estimate Deviation Mean 2.48E-06 2.43 E-06

- 1. 9%

[2.4E-06, 2.4E-06]

8.28E-07 6. 76E-09 2.28E-06 2.23E-06

-2.0%

[2.2 E-06, 2.2 E-06]

7.64 E-07 6.24 E-09 2.45E-06 2.40E-06

- 1.9%

[2.4E-06, 2.4 E-06]

7.60E-07 6. 2 1 E-09 2.28E-06 2.23E-06

-2. 1 %

[2.2 E-06, 2.2E-06]

7.42 E-07 6. 06 E-09 5 1

LR-N 1 8-0032 Enclosure 3.2.4.2 Model Uncertainty LAR H 1 8-02 This evaluation uses the PRA Models of Record, without modification, to quantify the change in plant risk introduced by the inverter AOT extension. An extensive review of possible model uncertainties was performed in the FPIE Summary Notebook (Reference 45). Of these, only one item relevant to the inverters was determined to be a candidate for further consideration, that being the state-of-knowledge regarding localized power grid stability and loss of offsite power (LOOP) initiating event, conditional failure, and recovery frequencies. As LOOP sequences are of high significance to the change in risk metrics (see Section 3.2.2.3}, this is a potential source of model uncertainty for this risk evaluation.

The PRA Models of Record establish probabilities for these LOOP events with industry-wide data drawn from NUREG/CR-6890 (Reference 46) for four causal categories (plant-centered, switchyard-centered, weather-related, and grid-related). The initiating event and conditional failure probabilities are further developed via a Bayesian update using plant-specific data for each of the four categories, while the recovery probabilities are used directly. This overall approach incorporates local plant conditions and is considered an industry best practice; however, it is not yet a consensus approach, and the degree to which the condition of the immediate power grid infrastructure matters has not been established.

It is assumed that the industry-wide evidentiary basis for LOOP events is broadly reflective of Hope Creek, and that any specific deviation due to the localized grid is ultimately accounted for in the Bayesian update process.

3.2.4.3 Completeness Uncertainty This subsection reiterates the hazard groups that are treated quantitatively and the potential impact associated with not quantifying certain hazard groups.

The risk metric calculations performed to support the inverter AOT extension include the explicit quantification for the following hazard groups:

Internal Events Fire Internal Flood Potential changes in seismic risk are discussed in Section 3.2.3.2.

Other external events were previously screened from consideration in the IPEEE as having extremely low risk significance.

The risk analysis shows the risk increases associated with on-line inverter maintenance. The need for inverter maintenance could emerge while in Mode 3. The plant spends less time in Mode 3 than it does on line, thus the likelihood of needing maintenance is lower. The risk increases associated with on-line maintenance bound the risk increases associated with Mode 3 maintenance. Thus, the risk associated with shutdown maintenance is bounded and does not need to be quantified in this LAR.

52

LR-N 1 8-0032 Enclosure 3.2.4.4 Sensitivity Analyses 3.2.4.4. 1 Compensatory Measures Credited LAR H 1 8-02 Section 3.2.5, below, considers the effect of several Compensatory Measures. These Measures are not required to meet the acceptance criteria.

3.2.4.4.2 Common-Cause Failures Per Regulatory Guide 1. 1 77, common-cause failure (CCF) probabilities for equipment related to the subject of a risk evaluation should be adjusted appropriate to the change considered.

Because data for inverters was not available in the NRC/I NL database (Reference 47) used to develop the model's common-cause basic events, no inverter common-cause basic events exist in the model to manipulate. However, the effect of common-cause failures may be simulated with a sensitivity case using generic data and post-processing the cutset data with a recovery file.

It should be noted that incorporation of common-cause failures is considered to be very conservative for the purposes of this risk evaluation. The CCF calculation methodology is premised on the random, unannounced failure of a particular piece of equipment. If an inverter should fail or require emergent maintenance, the other inverters will be verified to be operable and monitored frequently during the outage, and any common-cause failure will be quickly discovered. The inverters are well-instrumented and monitored both locally and in the Control Room. If an additional inverter should become inoperable, Hope Creek enters into TS 3.0.3, which requires immediate shutdown actions.

There are eight inverters considered in this risk evaluation - two for each of the four channels of AC power. For each quantification run, both inverters of a single channel are taken out-of service (i.e. their maintenance basic events are set to TRUE), leaving the remaining six subject to random failures. These failures are independent in the base model; it is desired to quantify them as a CCF group of size six, where an incipient failure of one may induce common failure of the others.

The alpha factors reported in the N RC/I NL CCF database represent conditional probabilities of multiple failures in a CCF group, as measured from historical data. a1 represents the fraction of failures involving exactly one component in a group of a given size, a2 represents exactly two failures, a3 exactly three, etc. Because these factors will be applied to specific combinations of equipment failures instead of a single group-representative basic event, they m ust be divided by the number of possible dependent combinations (i.e., the "x of n" CCF group alpha factor must be divided by (n-1 ) choose (x-1 ) - the first equipment failure is given). Multiplying the result by the independent failure probability of an inverter (1.20E-04) then gives the joint CCF probabilities. Because the database does not specify alpha factors for inverters, the generic pooled data for rate failures was used. Table 3-21 calculates the appropriate joint CCF probabilities.

53

LR-N 1 8-0032 Enclosure Common-Cause Failu re of...

2 of 6 I nverters 3 of 6 I nverters 4 of 6 I nverters 5 of 6 I nverters 6 of 6 I nverters Table 3-21 COMMON-CAUSE FAI LURE PROBABILITIES APPLIED I ndependent

  1. of Alpha Factor Dependent I nverter Failure X

(Pooled Rate Failure)

I Combinations 1 P robability (lyr)

C(n-1, x-1 )

6. 34 E-03 5

6. 1 9E-03 1 0 1.20E-04 X

4.69E-03 I

1 0 2.58 E-03 5

1. 90 E-03 1

LAR H 1 8-02 Applied Joint CCF

=

Probability (lyr) 1.52E-07 7.43E-08

=

5.63E-08

6. 1 9E-08 2.28 E-07 1.

The alpha factors were developed based on the n u m ber of dependent combinations g iven an independent equipment failure, not the overall n u m ber of com binations. For example, in the case of 2 of 6 inverters failed, the initial one fails independently, and 1 of the 5 remaining fails dependently.

Therefore, there are 5 dependent combinations.

A modified version of the quantification recovery file was developed to incorporate the above CCF probabilities by replacing coincident sets of inverter failures with an appropriate CCF basic event. Re-quantifying the model with this adjusted recovery file effectively converts the formerly independent inverter failures into CCFs. Table 3-22 and Table 3-23 compare the results of this quantification with the FPI E Model of Record results (see Table 3-3 and Table 3-4):

54

LR-N 1 8-0032 Enclosure Table 3-22 LAR H 1 8-02 CDF COMPARISON OF COMMON-CAUSE SENSITIVITY AND MODEL OF RECORD Case Model of Record CCF Sensitivity Difference (/yr) (%)

CDF (/yr)

CDF(/yr)

Base Case 5.91 E-06 5. 9 1 E-06 1. 00E-1 1 (<0. 0 1 %)

Channel A I nverters OOS 1. 02 E-05 1. 02 E-05 3.00E-1 0 (<0. 0 1 %)

Channel B I nverters OOS 1. 1 3 E-05 1. 1 3 E-05 1. 1 0 E-09 (0. 0 1 %)

Channel C I nverters OOS

9. 95E-06 9. 95E-05 5.30E-1 0 (<0. 0 1 %)

Channel D I nverters OOS 1. 02 E-05 1. 02 E-05 7.00 E-1 0 (<0. 0 1 %)

Table 3-23 LERF COMPARISON OF COMMON-CAUSE SENSITIVITY AND MODEL OF RECORD Case Model of Record CCF Sensitivity Difference (/yr)

LERF (/yr)

LERF (/yr)

Base Case 1. 84 E-07 1.84 E-07 O.OO E-00 Channel A I nverters OOS 4.43E-07 4.43E-07 O.OOE-00 Chan nel B I nverters OOS 6.02 E-07 6. 02E-07 O.OOE-00 Channel C I nverters OOS 4.54 E-07 4.54 E-07 O. OOE-00 Channel D Inverters OOS 4.85 E-07 4. 85E-07 O.OOE-00 The difference in CDF when quantifying the model with the adjusted CCF probabilities is approximately four orders of magnitude below the CDF itself. For LERF, the cutsets affected by the change are all below the truncation limit of 1.00E-1 2, resulting in no change. Common cause failures affecting the inverters are therefore judged to be negligible.

3.2.4.4.3 Exclusion of FLEX Procedures and Equipment The base PRA Model of Record includes consideration of FLEX equipment and operator actions. To determine these elements' impact on the results, a sensitivity case was quantified with the following FLEX basic events set to TRUE in Table 3-24 to remove all credit:

55

LR-N 1 8-0032 Enclosure Basic Event POR-DGN-FR-FLEX POR-MDP-FR-1 OP00 1 POR-M DC-FR-FLEX POR-XH 1 -ELAP-DECL-Q Table 3-24 FLEX BASIC EVENTS Description FLEX DI ESEL G E N E RATOR FAI LS TO R U N FLEX ALT H EADER P U M P 1 0P001 FAI LS T O R U N FLEX COMPRESSOR FAI LS T O RUN LAR H 1 8-02 OPERATOR FAI LS TO DECLARE ELAP AND PERFORM LOAD S H E D When re-quantifying with these changes, CDF increases slightly, while LERF does not increase at all. Table 3-25 and Table 3-26 compare the sensitivity results to those presented in Table 3-3 and Table 3-4.

Table 3-25 CDF COMPARISON OF FLEX SENSITIVITY AND MODEL OF RECORD Case Model of Record FLEX Sensitivity Difference (/yr) (%)

CDF (/yr)

CDF(/yr)

Base Case 5.91 E-06 6.40E-06 I

4.9E-07 (+8%) I Channel A I nverters OOS 1. 02 E-05 1. 1 4 E-05 1.20E-06 (+1 2%)

Channel B I nverters OOS 1. 1 3 E-05 1.25E-05 1.20E-06 (+1 1 %)

Channel C I nverters OOS 9. 95E-06 1. 1 1 E-05 1. 1 5E-06 (+1 2%)

Channel D I nverters OOS 1. 02 E-05 1. 1 4 E-05 1.20E-06 (+1 2%)

56

LR-N 1 8-0032 Enclosure Table 3-26 LAR H 1 8-02 LERF COMPARISON OF FLEX SENSITIVITY AND MODEL OF RECORD Case Model of Record CCF Sensitivity LERF (/yr)

LERF (/yr)

Base Case 1. 84E-07 1. 84 E-07 Channel A I nverters OOS 4.43E-07 4.43E-07 Channel B I nverters OOS

6. 02E-07 6. 02E-07 Chan nel C I nverters OOS 4.54E-07 4.54 E-07 Channel D I nverters OOS 4.85E-07 4. 85E-07 3.2.5 Tier 2 - Avoidance of Risk-Significant Plant Configurations Difference (/yr)

O.OOE-00 O.OOE-00 O.OOE-00 O.OOE-00 O.OO E-00 The risk metrics calculated in Section 3.2.2.2 demonstrate that Hope Creek is well within the acceptance criteria for the proposed inverter AOT extension in its current configuration. The risk insights discussed in Section 3.2.2.3 did not identify any equipment outage or plant configuration with extremely high risk contributions while an inverter is out of service.

Therefore, no plant configuration or equipment outage would require enhancements to Technical Specifications or plant procedures. Nevertheless, PSEG has identified a set of Compensatory Measures that would improve the plant's defense-in-depth with one channel of inverters in maintenance and further increase the available margin to the acceptance guidelines, should it be judged necessary. These measures are presented below.

3.2.5. 1 Compensatory Measures Table 3-27 lists the identified Compensatory Measures. These administrative controls are qualitative, prudent actions, consistent with other licensees that have received similar extensions of the inverter allowed out-of-service time, as described in Section 4.2.

Table 3-27 COMPENSATORY MEASURES FOR USE DURING PLANED I NVERTER OUTAGES 1. Entry into the extended inverter AOT will not be planned concurrent with EDG maintenance.

2. Entry into the extended inverter AOT will not be planned concurrent with planned maintenance on another ECCS/RCIC or isolation actuation instrumentation channel that could result in that channel being in a tripped condition.

57

LR-N 1 8-0032 Enclosure LAR H 1 8-02 Compensatory Measure 1 is not credited. The current PRA models do not credit manually starting and loading an EDG without 1 20 VAC power, which is conservative.

This action will be taken because it is recognized that with an inverter inoperable and the distribution panel being powered by the regulating transformer, instrumentation for that channel is dependent on power from the associated EDG following a loss of offsite power event.

Compensatory Measure 2 is not credited. The current PRA models do not include test and-maintenance basic events for RPS or ECCS/RCIC actuation logic so no quantitative credit can be assigned. This is a conservative assumption.

3.2.6 Tier 3 - Risk-Informed Configuration Management Implementation of the Hope Creek Configuration Risk Management Program, which meets the requirements in Regulatory Guide 1. 1 77 Section 2.3.7.2, helps to ensure there is no significant risk increase while instrument maintenance is being performed. This consideration is important because all possible risk-significant configurations under Tier 2 cannot be predicted. Hope Creek implements the applicable portions of the Maintenance Rule by using the endorsed guidance of Section 1 1.0 of NUMARC 93-01.

Hope Creek uses the Equipment Out of Service (EOOS) Configuration Risk Monitor program from the Electric Power Research I nstitute (EPRI) to implement 1 0 CFR 50.65(a)(4) (Reference 8). In the spring of 201 8, Hope Creek will complete the transition to the Phoenix code, which is the EPRI replacement for EOOS. The following description generally applies to both codes.

Phoenix uses the same fault trees and database as the internal events PRA model, so it is fully capable of evaluating CDF and LERF for internal events. The loading and use of Phoenix is procedurally controlled by the PSEG PRA procedures. Hope Creek procedures recognize that there are limitations in Phoenix and specifically direct consideration of external events and site activities that can result in significant plant events. Some conditions are evaluated in Phoenix through multiplication factors; others procedurally lead to other actions, including plant color changes. Fire risk management actions, which are governed by the same set of procedures and implemented by the same staff, are determined from the deterministic fire safe shutdown procedures from 1 0 CFR 50 Appendix R.

When maintenance or testing is scheduled, the Operations, Work Week Management, and Site Risk Management staff perform and review weekly risk analyses using the Phoenix program.

For unplanned or emergent equipment failures, control room personnel will enter the configuration into Phoenix. In either case, the configuration will be evaluated to assess and manage the risk.

Risk associated with unavailable plant equipment is assessed at Hope Creek as required by 1 0 CFR 50.65(a)(4). PSEG work management administrative procedures govern on-line risk assessments, which feature a blended approach using qualitative or defense-in-depth considerations and quantifiable PRA risk insights when available to complement the qualitative assessment. Hope Creek communicates on-line plant risk using three risk tiers: Green, Yellow, and Red. The definitions of these tiers are as follows:

58

LR-N 1 8-0032 Enclosure Color Green Yellow Red LAR H 1 8-02 Table 3-28 CONFIGURATION RISK MANAGEMENT RISK TIERS Risk Threshold<1l ICCDP < 1 E-06 for 7 -day duration AND ICLERP < 1 E-07 for 7-day duration AND No LOOP High Risk Evolution (HRE) 1 E-06 < ICCDP < 1 E-05 for 7-day duration OR 1 E-07 < ICLERP < 1 E-06 for 7 -day duration OR LOOP High Risk Evolution (HRE) 1 E-05 < ICCDP for 7-day duration OR 1 E-06 < ICLERP for 7-day duration Required Action No specific actions are required Limit the unavailability time by establishing a continuous work schedule or provide justification.

Protect SSCs which would cause an unplanned entry into a Red risk condition if lost concurrent with those unavailable for maintenance.

It is unacceptable to voluntarily enter this condition.

!.E an emergent condition or degradation causes an unplanned entry into this condition, immediate actions shall be taken to restore and/or protect SSCs relied upon to mitigate events, and the station duty manager shall be contacted for direction and support.

The on-line risk level Hope Creek will remain Green for an outage of one or both inverters in one channel affected by this proposed change. At this level, risk is considered close to baseline, and compliance with Technical Specification requirements would be considered adequate risk management. Nevertheless, PSEG maintenance practices involve protecting other equipment during a maintenance outage on an inverter per OP-AA-1 08-1 1 6, Protected Equipment Program (Reference 48). The PRA Model of Record directly accounts for this maintenance practice and reflects it in the quantitative analysis by excluding cutsets that contain unallowed maintenance combinations.

Equipment protection requires posted signs and robust barriers to alert personnel not to approach the affected equipment. Work on such equipment is generally disallowed. Minor exceptions exist for activities such as inspections, security patrols, or emergency operations.

Other exceptions may be authorized by the station shift manager in writing. If additional unplanned equipment unavailability occurs, station procedures direct that the risk be re-59

LR-N 1 8-0032 Enclosure LAR H 1 8-02 evaluated, and if found to be unacceptable, compensatory actions are taken until such a time that the risk is reduced to an acceptable level.

In addition, OP-AA-1 08-1 1 6 directs Operations and Work Management personnel to routinely monitor various maintenance configurations and protect equipment that could lead to an elevated risk condition (e.g., "Red") if it were to become unavailable due to unplanned or emergent conditions. This is normally accomplished using the Phoenix PRA software tool, supplemented by operations and work management procedures.

3.2. 7 Risk Summary and Conclusion 3.2.7. 1 Regulatory Guidelines This risk evaluation demonstrates with reasonable assurance that the proposed Technical Specification change for the inverters' Allowed Outage Times are within the acceptance guidelines established in Regulatory Guides 1. 1 74 and 1. 1 77. Compensatory Measures have been identified to increase the margin to the acceptance limits; however, they are not required.

3.2.7.2 PRA Model The results of this risk evaluation are based on quantification of the Hope Creek Full-Power Internal Events (FPI E) and Fire PRA Models of Record, HC1 1 7A and HC1 1 4FO, respectively.

These models are highly detailed, accurately reflect the as-built, as-operated plant, and are supported by an extensive pedigree of self-assessment and peer review. Both have undergone successful peer review against the ASME/ANS PRA Standard. There are no open Facts and Observations (F&Os) for the FPI E model. Open F&Os for the Fire model have been dispositioned in Attachment 2 Section A.2.

3.2.7.3 Quantitative PRA Results The risk metrics calculated are presented in Section 3.2.2.2.2. Depending which channel the affected inverter serves, the requested Technical Specification change will result in a

§CDF / I CCDP of at most 1.41 E-07, compared to an acceptance limit of 1.00E-06. The

§LERF / ICLERP will be at most 9.30E-09, compared to an acceptance limit of 1.00E-07.

3.2.7.4 External Hazard Considerations The model adequately addresses external hazards. A peer-reviewed Fire PRA model was used to quantify the risk due to internal fires. The change in risk metrics for seismic initiators is judged to be negligible. Internal flooding is considered in the FPIE model. The qualitative assessment found no plant vulnerability to any other hazards, including fire and external flood.

3.2.7.5 Conclusion The proposed change to Hope Creek's Technical Specifications to extend the inverter Allowed Outage Time from 1 day to 7 days is found to be well within the acceptance criteria established in Regulatory Guides 1. 1 74 and 1. 1 77.

60

LR-N 1 8-0032 Enclosure 4.0 REGUL ATORY EVAL UATION

4. 1 Applicable Regulatory Requirements and Criteria LAR H 1 8-02 1 0 CFR 50.36, "Technical Specifications," identifies the requirements for the Technical Specification categories for operating power plants: ( 1 ) Safety limits, limiting safety system settings, and limiting control settings, (2) Limiting conditions for operation, (3) Surveillance requirements, (4) Design features, (5) Administrative controls, (6) Decommissioning and (7)

Initial notification, and (8) Written Reports. For Limiting conditions for operation, 1 0 CFR 50.36 states: Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met.

The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and is based on meeting the design basis of the unit. The inverters are a part of the distribution -system and, as such, satisfy Criterion 3 of 1 0 CFR 50.36(d)(2)(ii).

1 0 CFR 50 Appendix A, GDC 1 7, "Electric Power Systems," requires the onsite electric power supplies, including the batteries, and the onsite electric distribution system, to have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Since no physical changes are being made, and current design bases are not being affected, there is no impact on compliance with GDC 1 7.

1 0 CFR 50, Appendix A, GDC 1 8, "Inspection and testing of electric power systems," requires that electric power systems that are important to safety must be designed to permit appropriate periodic inspection and testing. The proposed change does not make changes to inverter inspections or testing. Therefore, implementation of the proposed Allowed Outage Time extension will have no significant effect on the continued conformance with G DC 1 8.

1 0 CFR 50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants," requires that preventive maintenance activities must be sufficient to provide reasonable assurance that SSCs are capable of fulfilling their intended functions. As it relates to the proposed inverter Allowed Outage Time extension, 1 0 CFR 50.65(a)(4) requires the assessment and management of the increase in risk that may result from proposed maintenance activities. As discussed previously, the HCGS Maintenance Rule program monitors the reliability and availability of the AC inverters and ensures that appropriate management attention and goal setting are applied based on pre-established performance criteria. The AC inverters are all currently in the 1 0 CFR 50.65(a)(2) Maintenance Rule category (i.e., the AC inverters are meeting established performance criteria). The HCGS CRMP is consistent with 1 0 CFR 50.65(a)(4), and is managed to ensure that risk-significant plant configurations will not be entered for planned maintenance activities, and that appropriate actions will be taken should unforeseen events place the plant in a risk significant configuration during the proposed extended AC inverter Allowed Outage Time. Therefore, the proposed extension of the AC inverter Allowed Outage Time from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days are not anticipated to result in exceeding the current established Maintenance Rule criteria for the AC inverters.

1 0 CFR 50.63, "Loss of all alternating current power," requires that nuclear power plants must be able to withstand a loss of all AC power for an established period of time and 61

LR-N 1 8-0032 Enclosure LAR H 1 8-02 recover from a station blackout. The proposed extension of the AC inverter Completion Time from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days has no significant effect on the ability to withstand a loss of all AC power and recover from a station blackout.

In conclusion, based on the considerations discussed above, ( 1 ) there is a reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

4.2 Precedent 4.2. 1 License Amendments The changes proposed herein to the Allowed Outage Time for restoration of an inoperable inverter are similar to those previously approved by the NRC for the Clinton Power Station, North Anna Power Station, Byron and Braidwood Stations, and Palo Verde Station. These previous approvals are discussed below.

Palo Verde Nuclear Generating Station By letter dated September 28, 2009 (ADAMS accession ML092810227}, as supplemented by letters dated June 24, 201 0 (ML101880263}, September 3, 201 0 (ML102571398}, and September 24, 201 0 (ML102720481 ), Arizona Public Service requested NRC approval of a Palo Verde Nuclear Generating Station TS change to extend the inverter Allowed Outage Time. The NRC approved the change in License Amendment Nos. 1 80 for Palo Verde, Units 1, 2 and 3, issued September 29, 201 0 (ML102670352). The amendment issued for the Palo Verde Nuclear Generating Station was substantively equivalent to the amendment requested herein for the HCGS, in that it revised TS 3.8.7, "Inverters - Operating," to change the Allowed Outage Time for restoration of an inoperable inverter from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days.

Clinton Power Station By letter dated April 26, 2004 (ADAMS Accession ML041210913), as supplemented by letters dated April 1 8, 2005 (ML051080395}, October 1 1, 2005 (ML052910184), and May 1 9, 2006 (ML061500124}, AmerGen Energy Company, LLC (AmerGen) requested NRC approval of a Clinton Power Station TS change to extend the Completion Time for Nuclear System Protection System Inverters. The NRC approved the change in License Amendment No. 1 7 4 for the Clinton Power Station, Unit 1, issued May 26, 2006 (ML061160181 ). The amendment issued for the Clinton Power Station was substantively equivalent to the amendment requested herein for the HCGS, in that it revised TS 3.8.7, "Inverters - Operating," to change the Completion Time for restoration of an inoperable inverter from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days.

North Anna Power Station By letter dated December 1 3, 2002 (ADAMS accession ML023600217}, as supplemented by letters dated May 8, 2003 (ML031400019}, December 1 7, 2003 (ML033580639}, February 1 2, 2004 (ML040550548), and March 9, 2004 (ML040700512), Virginia Electric and Power Company (VEPC) requested NRC approval of a North Anna Power Station TS change to extend the inverter Allowed Outage Time. The NRC approved the change in License Amendment Nos.

62

LR-N 1 8-0032 Enclosure LAR H 1 8-02 235 and 2 1 7 for the North Anna Power Station, Units 1 and 2, respectively, issued May 1 2, 2004 (ML041380438). The amendment issued for the North Anna Power Station was substantively equivalent to the amendment requested herein for the HCGS, in that it revised TS 3.8.7, "Inverters - Operating," to change the Allowed Outage Time for restoration of an inoperable inverter from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days.

Byron and Braidwood Power Stations By letter dated October 1 6, 2002 (ADAMS accession ML023020061 ), as supplemented by letters dated June 20, 2003, October 1 4, 2003 (ML032900989), and November 7, 2003 (ML033160196), Exelon Generation Co., LLC (Exelon) requested N RC approval of TS changes to extend the inverter Completion Time for the Byron and Braidwood Stations. The NRC approved the changes in License Amendment Nos. 1 35 for the Byron Station, Units 1 and 2, and Amendment Nos. 1 29 for the Braidwood Station, Units 1 and 2, issued November 1 9, 2003 (ML032830455). The amendments issued for the Byron and Braidwood Stations were substantively equivalent to the amendment requested herein for the HCGS, in that they revised TS.3.8.7, "Inverters - Operating," to change the Completion Time for restoration of an inoperable inverter from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days.

4.2.2 Notice of Enforcement Discretion (NOED)

Nuclear power plants with instances of inverter failures prompting requests for NOEDs to extend the Completion Time for an inoperable distribution panel inverter.

NRC Letter to U nion Electric Company, "Notice of Enforcement Discretion for Union Electric Company Regarding Callaway Plant Unit 1 [TAG NO. ME9277, NOED No. 1 2 002]," dated August 23, 201 2 (ADAMS Accession No. ML12237A010). This NOED granted enforcement discretion for an additional 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

N RC Letter to FPL Energy Seabrook, LLC, "Notice of Enforcement Discretion for FPL Energy Seabrook, LLC, Regarding Seabrook Station, NOED No. 2005-01 -01," dated December 5, 2005 (ADAMS Accession No. ML053400372). This NOED granted enforcement discretion for an additional 1 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.

N RC Letter to Nine Mile Point Nuclear Station, LLC, "Notice of Enforcement Discretion Regarding Nine Mile Point Unit 2, NOED No. 2003-03-01 -002," dated August 1 8, 2003 (ADAMS Accession No. ML032310080). This NOED granted enforcement discretion for an additional 1 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.

N RC Letter to Tennessee Valley Authority, "Notice of Enforcement Discretion for Tennessee Valley Authority Regarding Watts Bar Nuclear Plant Unit 1, NOED No. 2001 -

2-001," dated March 8, 2001 (ADAMS Accession No. ML010680211 ). This NOED granted enforcement discretion for an additional 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

4.3 No Significant Hazards Consideration PSEG Nuclear LLC (PSEG) requests approval of a change to the Hope Creek Generating Station (HCGS) Technical Specifications (TS) concerning Alternating Current (AC) Inverters.

The proposed change would extend the Allowed Outage Time (AOT) for an inoperable inverter from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days. The proposed new allowed outage time (AOT) is based on application of the Hope Creek Probabilistic Risk Assessment (PRA) in support of a risk-informed extension, and on additional considerations and compensatory actions. The risk evaluation and deterministic engineering analysis supporting the proposed change were developed in 63

LR-N 1 8-0032 Enclosure LAR H 1 8-02 accordance with the guidelines established in Regulatory Guide 1. 1 77, "An Approach for Plant Specific Risk-informed Decision-making: Technical Specifiqations," and Regulatory Guide 1. 1 7 4, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis."

PSEG has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 1 0 CFR 50.92, "Issuance of amendment," as discussed below:

1.

Does the proposed amend ment involve a significant increase in the probability or consequences of an accid ent previously evaluated?

Response: No.

The proposed TS amendment does not affect the design of the AC inverters, the operational characteristics or function of the inverters, the interfaces between the inverters and other plant systems, or the reliability of the inverters. An inoperable AC inverter is not considered an initiator of an analyzed event. I n addition, TS Actions and the associated Allowed Outage Times are not initiators of previously evaluated accidents. Extending the Allowed Outage Time for an inoperable AC inverter would not have a significant impact on the frequency of occurrence of an accident previously evaluated. The proposed amendment will not result in modifications to plant activities associated with inverter maintenance, but rather, provides operational flexibility by allowing additional time to perform inverter troubleshooting, corrective maintenance, and post-maintenance testing on-line.

The proposed extension of the Completion Time for an inoperable AC inverter will not significantly affect the capability of the inverters to perform their safety function, which is to ensure an uninterruptible supply of 1 20-volt AC electrical power to the associated power distribution subsystems. An evaluation, using PRA methods, confirmed that the increase in plant risk associated with implementation of the proposed Allowed Outage Time extension is consistent with the NRC's Safety Goal Policy Statement, as further described in RG 1. 1 74 and RG 1. 1 77. In addition, a deterministic evaluation concluded that plant defense-in-depth philosophy will be maintained with the proposed Allowed Outage Time extension.

There will be no impact on the source term or pathways assumed in accidents previously evaluated. No analysis assumptions will be changed and there will be no adverse effects on onsite or offsite doses as the result of an accident.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2.

Does the proposed amend ment create the possibility of a new or d iff erent k ind of accid ent from any accid ent previously evaluated?

Response: No.

The proposed amendment does not involve physical alteration of the HCGS. No new equipment is being introduced, and installed equipment is not being operated in a new or 64

LR-N 1 8-0032 Enclosure LAR H 1 8-02 different manner. There is no change being made to the parameters within which the HCGS is operated. There are no setpoints at which protective or mitigating actions are initiated that are affected by this proposed action. The use of the alternate Class 1 E power source for the AC distribution panel is consistent with the HCGS plant design. The change does not alter assumptions made in the safety analysis. This proposed action will not alter the manner in which equipment operation is initiated, nor will the functional demands on credited equipment be changed. No alteration is proposed to the procedures that ensure the HCGS remains within analyzed limits, and no change is being made to procedures relied upon to respond to an off-normal event. As such, no new failure modes are being introduced.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

3.

Does the proposed amend ment involve a significant red uction in a margin of safety?

Response: No.

Margin of safety is related to the confidence in the ability of the fission product barriers to perform their design functions during and following an accident. These barriers include the fuel cladding, the reactor coolant system, and the containment system. The proposed change, which would increase the AOT from 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to 7 days for one inoperable inverter, does not exceed or alter a setpoint, design basis or safety limit.

Therefore, the proposed amendment does not involve a significant reduction in a margin of safety.

Based upon the above, PSEG Nuclear concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 1 0 CFR 50.92 (c), and, accordingly, a finding of "no significant hazards consideration" is justified.

4.4 Conclusion In conclusion, based on the considerations discussed above, ( 1 ) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 1 0 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 1 0 CFR 51.22(c)(9). Therefore, pursuant to 1 0 CFR 51.22(b), no environmental impact 65

LR-N 1 8-0032 Enclosure LAR H 1 8-02 statement or environmental assessment need be prepared in connection with the proposed amendment.

6.0 REFERENCES

[1 ]

US NRC, "Regulatory Guide 1. 1 7 4: An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3,"

January 201 8.

[2]

USNRC, "Regulatory Guide 1. 1 77: An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Rev. 1," May 201 1.

[3]

USNRC, "Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Ris-lnformed Activities, Revision 2," March 2009.

[4]

USNRC, "Industry Guidelines for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, NUMARC 93-0 1, Revision 4D," June 201 5.

[5]

USNRC, "SECY-93-067, FI NAL POLICY STATEMENT ON TECHNICAL SPECIFICATIONS IMPROVEMENTS," March 1 993.

[6]

USNRC, "1 0 CFR 50.36, Technical specifications".

[7]

ASME/American Nuclear Society, "ASME/ANS RA-Sa-2009, Standard for Level 1 /Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications," March 2009.

[8]

US N RC, "1 0 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants," July 1 991.

[9]

PSEG, Hope Creek Generating Station, "Individual Plant Examination (IPE}," April 1 994.

[1 0] USNRC, "Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities - 1 0 CFR 50.54(f)," November 23, 1 988.

[1 1 ] PSEG, "Hope Creek Generating Station Unit 1 PRA Facts and Observations (F&Os)

Independent Assessment Report Using NEI 05-04/07-1 2/1 2-06, Appendix X," August 201 7.

[1 2] PSEG, "HC-PSA-1 04, Hope Creek Fire Probabilistic Risk Assessment Summary and Quantification Notebook, Rev. 2," December 201 5.

[1 3] PSEG, "Hope Creek Generating Station Fire PRA Peer Review Report Using ASME/ANS PRA Standard Requirements," November 201 0.

[1 4] US N RC, "Use of Probabilistic Risk Assessment Methods in Nuclar Regulatory Activities; Final Policy Statement," August 1 6, 1 995.

[1 5] USNRC, "SECY-99-246, Proposed Guidelines for Applying Risk-Informed Decisionmaking in License Amendment Reviews," October 1 2, 1 999.

[1 6] PSEG, "HC-005.020, AC Power System Notebook, Revision 3," December 201 1.

[1 7] PSEG, "HC-014, Hope Creek Generating Station Probabilistic Risk Assessment Quantification Notebook, Model HC1 1 7A, Rev. 4," December 201 7.

[1 8] PSEG, "HC-PSA-1 04, Hope Creek Fire Probabilistic Risk Assessment Summary and Quantification Notebook, Rev. 2," December 201 5.

[1 9] PSEG, "Hope Creek Generating Station Individual Plant Examination for External Events,"

July 1 997.

[20] USNRC, "Generic Letter 88 Individual Plant Examination of External Events (I PEE E) for Severe Accident Vulnerabilities - 1 0 CFR 50.54(f), Supplement 4," June 1 991.

66

LR-N 1 8-0032 Enclosure LAR H 1 8-02

[21 ] USNRC, "NUREG-1 407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities," June 1 99 1.

[22] USNRC, "NRC Staff Evaluation Report (SER) of Individual Plant Examination for External Events (IPEEE) Submittal for Hope Creek Generating Station," July 1 999.

[23] PSEG, "LR-N 1 4-0035, PSEG Nuclear LLC's Seismic Hazard and Screening Report (CEUS Sites) Response to N RC Request for Information Pursuant to 1 0 CFR 50.54(f) Regarding Recommendation 2. 1 of the Near-Term Task Force Review of I nsights from the Fukushima Dai-ichi Accident - Hope Creek Generating Station" March 28, 201 4.

[24] PSEG, "LR-N 1 2-0369, Hope Creek Generating Station Response to Recommendation 2.3:

Flooding Walkdown of the Near-Term Task Force Review of I nsights from the Fukushima Dai-ichi Accident," November 26, 201 2.

[25] US NRC, "Hope Creek Generating Station - Audit Report Regarding Flooding Walkdowns to Support Implementation of Near-Term Task Force Recommendation 2.3 Related to the Fukushima Dai-ichi Nuclear Power Plant Accident (TAC No. MF0236}," November 1 8, 201 3.

[26] USNRC, "Hope Creek Generating Station - Staff Assessment of Flooding Walkdown Report Supporting Implementation of Near-Term Task Force Recommendation 2.3 Related to the Fukushima Dai-ichi Nuclear Power Plant Accident (TAC No. MF0236}," June 1 6, 201 4.

[27] PSEG, "LR-N 1 4-0041, PSEG Nuclear LLC's Response to Request for Information Regarding Flooding Aspects of Recommendation 2. 1 of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident - Hope Creek Generating Station Flood Hazard Reevaluation," March 1 2, 201 4.

[28] USNRC, "Generic Letter 89-22, Potential for Increased Roof Loads and Plant Area Flood Runoff Depth at Licensed Nuclear Power Plants due to Recent Change in Probable Maximum Precipitation Criteria Developed by the National Weather Service," October 1 9, 1 989.

[29] USNRC, "NUREG/CR-2300, NUREG/CR-2300, PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," January 1 983.

[30] USNRC, "NUREG/CR-7046, Design-Basis Flood Estimation for Site Characterization at Nuclear Power Plants in the United States of America," November 201 1.

[31 ] PSEG, "LR-N 1 4-01 70, PSEG Nuclear LLC's 30-day Response to Request for Additional Information Regarding Flooding Aspects of Recommendation 2. 1 of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident," July 28, 201 4.

[32] PSEG, "LR-N 1 4-0207, PSEG Nuclear LLC's 90-day Response to Request for Additional Information Regarding Flooding Aspects of Recommendation 2. 1 of the Near-Term Task Force Review of I nsights from the Fukushima Dai-ichi Accident," September 23, 201 4.

[33] PSEG, "LR-N 1 5-01 00, Hope Creek Generating Station's Response to Request for Additional Information Regarding Flooding Aspects of Recommendation 2. 1 of the Near Term Task Force Review of Insights from the Fukushima Dai-ichi Accident," May 7, 201 5.

[34] PSEG, "LR-N 1 6-0 1 1 2, Hope Creek Generating Station's Flood Hazards Mitigating Strategies Assessment (MSA) Report Submittal," December 29, 201 6.

[35] EPRI, "Report 3002004400, Local Precipitation-Frequency Studies, Development of 1 -

Hour/1 -Square Mile Precipitation-Frequency Relationships for Two Example Nuclear Power Plant Sites," 201 4.

[36] PSEG, "PSEG Document HC.OP-AB.MISC-0001, "Acts of Nature", Rev. 30".

67

LR-N 1 8-0032 Enclosure LAR H 1 8-02

[37] USACE, "Report ERDC/CHL TR-1 1 -1, Report 5, Coastal Storm Surge Analysis: Storm Surge Results, " November 201 3.

[38] PSEG, "PSEG Document OP-AA-1 08-1 1 1 -1 001, Severe Weather and Natural Disaster Guideline, Rev. 1 4".

[39] PSEG, "PSEG Document OP-HC-1 1 2-1 0 1 -1 001 -F2, Control Room Supervisor - Relief Checklist, Rev. 1 ".

[40] NEI, "NEI 1 2-07, Guidelines for Performing Verification Walkdowns of Plant Flood Protection Features, Rev. 0-A," May 201 2.

[41 ] PSEG, "PSEG Document ER-AA-31 0-1 01, Condition Monitoring of Maintenance Rule Structures, Rev. 0".

[42] PSEG, "PSEG Document HC. FP-SV.ZZ-0026, Flood and Fire Barrier Penetration Seal Inspection, Rev. 7".

[43] PSEG, "PSEG Document HC.MD-PM.ZZ-0007, Missile Resistant and Watertight Doors P.M.".

[44] PSEG, "HC-001, Hope Creek Generating Station (HCGS) Probabilistic Risk Assessment Initiating Events Notebook, Rev. 4," December 201 7.

[45] PSEG, "HC-0 1 3, Hope Creek Generating Station Probabilistic Risk Assessment Summary Notebook, Rev. 3," December 201 7.

[46] USNRC, "NUREG/CR-6890, Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events, " November 2005.

[47] USNRC, "CCF Parameter Estimations, 201 5 Update," October 201 6.

[48] PSEG, "PSEG Document OP-AA-1 08-1 1 6, Protected Equipment Program, Revision 1 2,"

May 201 6.

[49] PSEG, "HC-004, Hope Creek Generating Station Probabilistic Risk Assessment Human Reliability Analysis (HRA) Notebook, Rev. 5," December 201 7.

[50] PSEG, "HC-000, Hope Creek Generating Station Probabilistic Risk Assessment Documentation and Roadmap Notebook, Rev. 3," December 201 7.

[51 ] PSEG, "HC-0 1 6, Hope Creek Generating Station Probabilistic Risk Assessment Self Assessment Notebook, Rev. 2," December 201 7.

[52] NEI, "NEI 00-02, Probabilistic Risk Assessment (PRA) Peer Review Process Guide, Rev.

A3," March 2000.

[53] BWR Owner's Group, "Hope Creek PRA Peer Review Certification, " October 2000.

[54] NEI, "NEI 00-02 Appendix D, Self Assessment Process for Addressing ASME PRA Standard RA-Sb-2005, as endorsed by NRC Regulatory Guide 1.200," October 2006.

[55] US N RC, "NUREG-1 855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, Rev. 1," March 201 7.

[56] PSEG, "HC-01 0, Hope Creek Generating Station Probabilistic Risk Assessment Component Data Notebook, Rev. 4," December 201 7.

[57] USNRC, "NUREG/CR-1 278, Handbook of HRA," August 1 983.

[58] USNRC, "Regulatory Guide 1. 1 82, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants, Revision 1," May 2000.

[59] Boiling Water Reactors Owners' Group (BWROG), "PSA Peer Review Certification Implementation Guidelines (DRAFT}, " July 1 997.

[60] EPRI, "NP-6395-D, Probabilistic Seismic Hazard Evaluation at Nuclear Power Plant Sites in the Central and Eastern United States," January 1 989.

68

LR-N 1 8-0032 Enclosure LAR H 1 8-02

[61 ] EPRI, " 1 01 6737, Treatment of Parameter and Modeling Uncertainty for Probabilistic Risk Assessments," December 1 9, 2008.

[62] USNRC, "CCF Parameter Estimations, 2009 Update," April 201 1.

[64] EPRI, " 1 009652, Guideline for the Treatment of Uncertainty in Risk-Informed Applications,"

December 2004.

69

LR-N 1 8-0032 Technical Specification Page with Proposed Changes

LR-N 1 8-0032 LAR H 1 8-02 TECHNICAL SPECIFICATION PAGES W ITH PROPOSED CHANGES The following Technical Specifications for Renewed Facility Operating License NPF-57 are affected by this change request:

Technical Sp ecification 3.8.3. 1 3/4 8-20

ELECTRICAL POWER SYSTEMS LIMITING CONDITION FOR OPERATION (Continued)

APPLICABI LITY:

OPERATIONAL CON DITIONS 1, 2 and 3.

ACTION:

a.

With one of the above required A. C. distribution system channels not energized, re-energize the channel within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or be in at least HOT SHUTDOWN within the next 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and in COLD SHUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

b.

With one of the above required 1 25 volt D.C. distribution system channels not energized, re-energ ize the division within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> or be in at least HOT S H UTDOWN within the next 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and in COLD S HUTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

c.

With any one of the above required 250 volt D.C. distribution systems not energized, declare the associated H PCI or RCIC system inoperable and apply the appropriate ACTION req uired by the applicable Specifications.

d.

With one or both inverters in one channel i noperable, energize the associated 1 20 volt A. C. distribution panel(s) within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, and restore the inverter(s) to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />; or be in at least HOT SHUTDOWN within the next 1 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and in COl:.

SH UTDOWN within the following 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

SURVEILLANCE REQUI REMENTS 4.8.3. 1 Each of the above required power distribution system channels shall be determined energized in accordance with the Surveillance Frequency Control Program by verifying correct breaker/switch alignment and voltage on the busses/MCCs/panels.

HOPE CREEK 3/4 8-20 Amendment No. 1 87

LR-N 1 8-0032 LAR H 1 8-02 Technical Ad equacy of the PRA Mod els

LR-N 1 8-0032 A.1 Q UAL ITY OF THE PRA MODEL OF RECORD A. 1. 1 I NTRODUCTION LAR H 1 8-02 The Hope Creek FPIE model has the needed quality and scope to support this AOT extension.

It is highly detailed, including a wide variety of initiating events (e.g., transients, internal floods, LOCAs inside and outside containment, support system failure initiators), modeled systems, operator actions, and common-cause events. Furthermore, it is the end product of over 25 years of analysis effort. As part of its most recent revision in 201 7 (i.e., HC1 1 7 A), the model was reviewed against the American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) PRA Standard with the intent of meeting Capability Category I I.

PSEG's risk management procedures and best practices provide the details describing the use of the PRA model at Hope Creek to support Maintenance Rule activities. The model serves an invaluable role in establishing performance criteria, balancing unavailability and reliability for risk-significant SSCs, and provides input to the Expert Panel for the risk-significance determination process when revisions to the PRA take place.

Because the PRA is actively used at Hope Creek, a formal process is in place to evaluate and resolve PRA model-related issues as they are identified. This is referred to as the Update Requirements Evaluation (URE) process.

The HCGS PRA has been updated to ensure that the model's level of detail, its fidelity with the as-operated, as-built plant, and the technical quality of its results all are acceptable to support its use for risk-informed applications.

To ensure the PRA addresses fidelity and quality, the HC1 1 7 A model update included recent operating experience, plant modifications, changes to key plant procedures, changes in operator training, system success criteria, engineering analyses, updated industry and plant specific event and failure data, and more defensible success criteria based on enhanced MAAP calculations.

A significant amount of effort was expended to provide a fully-documented and traceable basis for all elements of the PRA. Overall, the Hope Creek PRA may be considered a major accomplishment for PSEG in bringing the quality of the model and supporting basis documents to the needed level of sophistication for support of PRA applications such as Extended Power Uprate (EPU) and Allowed Outage Time (AOT) extensions.

The quality of the HCGS PRA model used in performing risk assessment applications for the HCGS is evidenced by the following:

Sufficient scope and level of detail in PRA Active maintenance of the PRA models and inputs Comprehensive Critical Reviews PRA quality is assured for the Hope Creek model and its documentation through a combination of the following:

Confirmation of the fidelity of the model with the as-built, as-operated plant (see Section A. 1.2) 1

LR-N 1 8-0032 LAR H 1 8-02 Use of internal reviews, interviews with the system engineers and the operating crew members Use of experienced PRA practitioners qualified under the PSEG PRA Program A self-assessment of the PRA against the ASME/ANS PRA Standard (see Section A. 1.4.4)

The PRA Peer Review Process using the ASME/ANS PRA Standard. (see Section A. 1.4.5)

Use of an Update Requirement Evaluation (URE) database to track potential model enhancements (See Section A. 1.5)

PRA maintenance and update are governed by a set of PSEG procedures.

Update requirements are specifically listed in PSEG procedures for FPI E and Fire PRAs A. 1.2 ACCURACY OF THE MODEL The fidelity of the PRA model with the as-built, as-operated plant is assured by the following steps:

The Site Risk Management Engineer (SRME) has reviewed the plant design modifications that could affect the risk profile and has identified those modifications to be explicitly accounted for in the PRA. These modifications have been included.

The SRME has reviewed the procedure changes that could affect the risk profile and has identified those procedure changes to be explicitly accounted for in the PRA. These have been included.

Operating crews have been interviewed to assess their interpretation of procedures for key operator actions and the list of initiating events. These results are folded back into the Human Reliability Analysis (HRA), documented in the HRA Notebook (Reference 49), and then incorporated into the PRA model.

System Managers have been interviewed to assess any changes in the plant, the operating history, or system usage that would influence the PRA systems or initiating events. These results have been incorporated into the system models.

The latest plant-specific Maintenance Rule data has been examined and the results have been incorporated into the PRA data base using a Bayesian update process to calculate component failure data.

A. 1.3 MAI NTENANCE OF MODEL, I NPUTS, AND DOCUMENTATION The HCGS PRA model and documentation has been updated to reflect the current plant configuration and to incorporate the accumulated additional plant operating history and component failure data.

The 201 7 update made significant changes to the following PRA elements to respond to the PRA Peer Review and realize the ASME/ANS PRA Standard. These include the following:

Updated data (initiating events, component failure data, and unavailability data)

Modified system models Updated common-cause failures incorporating the latest NRC data Updated internal flood initiating frequencies and refinement of scenarios 2

LR-N 1 8-0032 LAR H 1 8-02 A. 1.4 PRA SELF-ASSESSMENT AND PEER REVIEWS Following the issuance of the 2009 ASME PRA Standard and its endorsement by the NRC in RG 1.200, Rev. 2, PSEG undertook a detailed review of the Hope Creek PRA model and documentation. This review was performed using the NEI recommended self-assessment process as endorsed by the NRC in RG 1.200.

The objective of the Hope Creek PRA maintenance program is to identify gaps in the PRA with respect to Capability Category I I for all supporting requirements and to correct any deficiencies.

The HCGS PRA Update process includes the self-assessment of the 201 7 PRA model (HC1 1 7A), data, and documentation using the 2009 ASME PRA Standard as endorsed by RG 1.200, Rev. 2. The identified items were then resolved as part of the update process. The HCGS Roadmap Document (Reference 50) provides the reference sections of the HCGS documentation that support the individual Supporting Requirements.

The Road map Document provides the link between the ASME PRA Standard Supporting Requirements and the HCGS PRA. The self-assessment developers then use their assessment of the PRA and its documentation to cite a Capability Category.

The results of the self-assessment and a summary and a disposition of the gaps from the 2008 update were documented in the PRA self-assessment notebook (Reference 5 1 ).

A. 1.4. 1 Inputs for PRA Self-Assessment The following information was compiled for review and use in the assessment:

201 7 Hope Creek PRA and associated documentation ASME/ANS PRA Standard - RA-Sa-2009 NEI Peer Review Guidelines, NEI 00-02 HCGS PRA Peer Review Report (Reference 53)

Appendix 1 of NEI Supplementary Guidance (Reference 54)

Appendix 2 of NEI Supplementary Guidance, Subtier Criteria for peer review process A. 1.4.2 Self-Assessment Standards It can be anticipated that the ease of application and confidence held in a PRA would be best served if the PRA can be consistently demonstrated to meet a minimum Capability Category of the ASME/ANS PRA Standard. Because Capability Category I I compares to the NEI 00-02 evaluated category of "Grade 3" and because HCGS meets at least Grade 3 for each sub element following the 201 7 PRA update, it makes sense to demonstrate the HCGS PRA capability relative to ASME/ANS PRA Standard Capability Category I I.

A. 1.4.3 Supporting Requirements Review Process Using Section 4.5 of the ASME/ANS PRA Standard, the following steps were performed relative to the HCGS HC1 1 1A PRA update document to provide input to the 201 7 model update:

3

LR-N 1 8-0032 LAR H 1 8-02 First, beginning with Initiating Events Analysis (Section 2-2. 1 of the ASME/ANS PRA Standard),

and using Appendix 1 of the NEI Supplementary Guidance, identify the Supporting Requirements of the ASME/ANS PRA Standard (corresponding to Capability Category I I) that are indicated as "partially addressed" or "not addressed" by the peer review process. For each requirement so identified, the fourth column of the table notes the specific action to be taken as part of the self-assessment process.

Next, for each Supporting Requirement so identified, review the above listed information, as appropriate, to make a determination as to whether the supporting requirement was addressed in the HCGS PRA. Document the basis for the determination that the supporting requirement is addressed, or not. This includes the update of the PRA in 201 1 to specifically address the supporting requirements.

Then, for Supporting Requirements identified in Appendix 1 as "addressed" by the peer review process, review the peer review report to determine if these sub elements were assigned a grade of 3 or higher. If a grade less than 3, or a conditional grade 3 was provided, or if significant facts and observations need to be reconciled, then a determination is made of which capability level in the ASME/ANS PRA Standard is met, and this determination should be documented. This includes consideration of the resolution of Facts and Observations (F&Os) which are incorporated in the 2008 PRA update. The resolution of F&Os from the PRA Peer Review includes all of the "A" and "B" F&Os.

Finally, following assessment of the Supporting Requirements, the information produced is reviewed and a determination is made whether the high-level objective for the initiating events analysis section is met. This determination is documented in a summary at the beginning of each element. Appendix A of the Peer Review document provides the resolution of the PRA Peer Review F&Os that have been included in the 2008 HCGS PRA Update. The resolution of F&Os from the PRA Peer Review include all of the "A" and "B" F&Os.

A repeat of the above process for Sections 2-2.2 (Accident Sequence Analysis) through 2-2.8 (LERF Analysis) of the ASME/ANS Standard is also performed to evaluate each of the nine areas.

4

LR-N 1 8-0032 A. 1.4.4 Conclusion of the 201 7 Self-Assessment LAR H 1 8-02 The ASME/ANS PRA Standard identifies 31 6 Technical Supporting Requirements plus 1 0 Maintenance and Update Supporting Requirements. The 201 7 self-assessment of the model against these requirements identified the following items to resolve:

Resolution Pend ing Pr ior ity

( Number of Supp or ting Req uir ements)

High 0

Medium 0

Low 0

There were 3 1 6 technical Supporting Requirements that were evaluated as part of the self-assessment. Of these 31 6 Supporting Requirements, the documentation and the model were judged to meet the ASME/ANS PRA Standard to support Capability Category I I for 3 1 4. Of the two (2) Supporting Requirements that did not meet Capability Category I I, both are considered low technical priority.

It is recognized that there are open questions about the scope and level of detail expected for the resolution of the model uncertainty treatment in each of the elements. However, the HCGS evaluation uses the approach developed by EPRI to examine and evaluate these uncertainties.

This approach is judged to be consistent with NRC guidance in N UREG/CR-1 855 (Reference 55).

The 201 7 Hope Creek PRA update (HC1 1 7A) incorporated all recent plant modifications, including those for the EPU, through the freeze date of 1 2/31 /201 6. As such, the HC1 1 7A Hope Creek PRA model is an accurate and realistic representation of the as-built, as-operated Hope Creek Generating Station for the risk profile from internal events occurring at-power.

The result of these activities is that the HCGS PRA is found suitable to support risk-informed PRA applications that require ASME/ANS PRA Capability Category I I.

A. 1.4.5 Peer Reviews There have been two peer reviews and one F&O closure review of the HCSG FPIE PRA:

A peer review in 1 999 by BWR Owner's Group (BWROG) using NEI 00-02, ultimately resulting in the HC2005C model A peer review in 2008 by BWROG using NEI 05-04 (Process for Performing Internal Events PRA Peer Reviews Using the ASME/ANS PRA Standard) and the 2007 ASME PRA Standard, resulting in the HC1 08A model An F&O closure review in 201 7 to resolve the open items of the 2008 peer review, resulting in the HC1 1 7A model 5

LR-N 1 8-0032 1 999 Peer Review LAR H 1 8-02 In 1 999, PSEG participated in a PRA Peer Review Certification of the Hope Creek PRA administered under the auspices of the BWROG Peer Certification Committee (Reference 53).

The purpose of the PRA peer review process is to establish a method of assessing the technical quality of the PRA for the spectrum of its potential applications.

The evaluation process utilized a tiered approach using standardized checklists allowing for a detailed review of the elements and the sub-elements of the Hope Creek PRA to identify strengths and areas that needed improvement. The review system used allowed the Peer Review team to focus on technical issues and to issue their assessment results in the form of a "grade" of 1 through 4 on a PRA sub-element level. To reasonably span the spectrum of potential PRA applications, the four grades of certification as defined by the BWROG document "Report to the I ndustry on PRA Peer Review Certification Process - Pilot Plant Results" were employed. All of the "A" and "B" priority comments were addressed by PSEG in the HCGS PRA 2005C model, as appropriate.

The overall conclusion of the 1 999 Hope Creek PRA Peer Review was positive, and the PRA Peer Review Team stated that the Hope Creek PRA can be effectively used to support applications involving risk-informed applications.

The F&Os for Hope Creek were evaluated and addressed by the Hope Creek PRA Program as part of previous PRA updates. There were no "A" Facts and Observations and 84 "B" Facts and Observations identified in the PRA Peer Review report. All 84 F&Os were resolved by model changes in the 2003 update. No outstanding "A" or "B" priority F&Os remained at this time.

2008A Peer Review Because of the significant changes in PRA methods (e.g., HRA, Internal Flooding, Common Cause, LOOP treatment, and Level 2}, a complete PRA Peer Review of the Hope Creek PRA HC1 08A model was requested by PSEG. The PRA Peer Review was performed in October 2008 using the 2007 ASM E PRA Standard as endorsed by the NRC in Reg. Guide 1.200, Rev. 1.

The PRA Peer Review process confirmed the adequacy of the Hope Creek PRA model for use in PRA applications based on both the exit interview and the Draft PRA Peer Review Report.

The PRA Peer Review using the ASME PRA Standard resulted in the identification of some minor numerical changes to basic events and several additions to model logic. These changes led to a re-quantification of the Hope Creek PRA model resulting in the HC1 08B model. I n addition, the HC1 08B model used the FTREX quantification engine which allowed efficient quantification at a lower truncation limit, i.e., 1 E-1 2/yr.

201 7 F&O Closure Review An F&O closure review was conducted in August 201 7 to resolve the open F&Os identified by the 2008 peer review. The review used the process described Appendix X to NEI 05-04, NEI 07-1 2 (Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines}, NEI 1 2-06 (Diverse and Flexible Coping Strategies (FLEX) Implementation Guide}, and the ASME PRA 6

LR-N 1 8-0032 LAR H 1 8-02 Standard, with clarifications provided in Reg. Guide 1.200, Rev. 2 and NRC Staff Expectations for an Industry Facts and Observations (F&O) I ndependent Assessment Process.

This review compared the HC1 1 1 A model against the ASME PRA Standard and assessed the resolutions to fifteen Findings, as well as one Suggestion that the model had met only at Capability Category I. The peer reviewers concurred with all resolutions and closed out all sixteen F&Os. These resolutions are carried over into the HC1 1 7A model, which has no remaining open F&Os against it.

A. 1.4.6 Pedigree of the PRA Model The flowchart in Figure A-1 summarizes the history of HCGS self-assessments and peer reviews.

The HCGS PRA review process includes all of the steps identified in the NEI supplementary guidance and later, the ASME/ANS PRA Standard.

7

LR-N 1 8-0032 Peer Review Process 1 997 Peer Review Process 2000 Self Assessment Changes HC 1 08 A Model Update 1 999 PRA Model Application of Peer Review to PRA 1 999 PRA Peer Review Oct 2008

^

ASME PRA STD 2002 I



Self Assessment HC 1 08B Model Update NEI Self Assessment Process Guideline r--.

I Results of PRA Self Assessment ASME/ANS PRA STD 2009 Self Assessment Disposition of Changes HC l l l A Model Update Figure A-1 : HCGS PRA Self-Assessment History 8

Revised PRA 2003 A Model Self Assessment LAR H 1 8-02 Interim PRA 2005 c Model F&O Closure Review HC 1 1 7A Model Update

LR-N 1 8-0032 A 1.5 URE STATUS LAR H 1 8-02 In addition to the PRA self-assessment, a number of observations were also recorded in the PSEG Update Requirement Evaluation (URE) database to serve as a resource for potential model enhancement in the future. This allows the Risk Management team to ensure that the PRA accurately reflects the as-built, as-operated plant by identifying, tracking, and resolving these observations.

Approximately 1 68 UREs were addressed as part of the 201 7 update. Of these, -1 30 were resolved and closed out; leaving 39 UREs postponed or left open. None of these postponed UREs are considered to have the potential to significantly affect the resulting Model of Record (i.e. HC1 1 7 A) or any potential applications envisioned for the PRA.

Table A-1 presents a summary of model changes and UREs addressed in the update. Because some UREs had little or no effect on the quantification or did not apply to the PRA model, not all resolved U REs are listed in Table A-1. Detailed records regarding the status of UREs are tracked in the URE database.

Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7A) URE CHANGES Change U R E Change or U R E Descri ption H C 1 1 1 A base model files 1

HC201 2-00 1 OSP gate 2

HC201 2-006 Cont Vent Rupture Disk duplicate B E 3

HC201 2-0 1 1 B E m isnamed 4

HC20 1 2-0 1 3 XVM-CO probability 5

HC20 1 2-0 1 4 Waste Evaporator 6

HC20 1 4-00 1 CW Valve change from HOV to MOV 7

HC201 5-005 MSIV gate error 8

HC20 1 2-0 1 2 OSP (HC-ASM-001 )

9 HC-ASM-002 UV Relays 1 0 HC20 1 2-0 1 0 SACS HX Bypass valves 1 1 HC201 6-022 SRV leakage B E 1 2 HC20 1 2-0 1 4 Waste Evaporator 1 3 HC201 7-008 CIS-AOV CCF name 1 4 HC20 1 2-0 1 0 SACS HX Bypass valves HC201 5-006 1 5 HC20 1 5-0 1 0 SWIS HVAC TM terms 1 6 HC20 1 5-0 1 0 SWI S HVAC TM terms adjustment in M UTEX 1 7 HC20 1 2-00 1 LOOP/S BO ET changes from Ed/Larry 1 8 N/A Add Class Tags 1 9 N/A Add Sequencer Tags 20 N/A Recovery file to set tags to TRUE and S U B S U M E 2 1 N/A Add L2 Release Tags 22 N/A Add ADS-XH 1 -VF-I N H I B to Recovery file 23 HC2008-02 1 Change SB0-006 to l iT 24 HC2009-027 SWS yard discharge U R E 25 HC20 1 5-0 1 2 SLC BEs deleted from HC-STI-007 9

LR-N 1 8-0032 LAR H 1 8-02 Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7A) URE CHANGES Change URE Change or U R E Description 26 H C2009-028 Replace CST-TN K-FAI L with CST-TNK-RP-CST0 1 HC201 4-007 27 HC20 1 3-00 1 Add SWS-XH 1 -FO-HVAC HC2009-029 28 N/A U pdate plant availability factor BE 29 N/A Deleted % 1 E-FI R Exx in itiators and related gates from model and RR database.

30 H C-ASM-003 Revised SACS valve modeling to be consistent with ASM, UV relay modeling simplification, add FLEX power to A&B chargers 3 1 HC-ASM-003 Create new FLAG file to turn FLEX on/off and GTG on/off I n BE ADS-XHD-H P I, calc type is an equation : "0. 05*3.8E-4".

32 HC-ASM-003 Changed 3. 8 E-04 in this eq uation to 3.7E-04, which generates a calculated probability of 1. 85E-05.

Changed the followi ng basic events to calculation method 1 -

Multiply (exposure*rate), then changed the factor to 24:

33 HC-ASM-003 RCI-STR-PL-OF209, HPI-STR-PL-OF2 1 0, RHS-STR-PL-PC, RHS-STR-PL-PD, RHS-STR-PL-PA, RHS-STR-PL-PB, CSS-STR-PL-C, CSS-STR-PL-A, CSS-STR-PL-D, CSS-STR-PL-B 34 SLOCA-ST and SLOCA-WA ET revision 35 HC201 2-004 Add external inj node to LLOCA-WA ET.

36 HC2009-022 Add 2496 valve isolation to T ACS/SACS isolation gates.

37 Revise containment vent FT logic to make easier to read, delete duplicates, and simplify logic.

38 HC201 6-020 Revise RACS recovery and T ACS recovery con nections.

HC20 1 2-020 39 HC20 1 1 -006 Replace CRCS1 00 with GZCS 1 00.

40 HC20 1 6-006 Revise RRCS loQ ic to only have A, B,C, and D APRMs.

4 1 HC201 7-004 Revised u nder gate GGT based on HC.OP-AB.ZZ-0 1 35 and S 1. 0 P-AB. LOOP-000 1 42 HC201 6-028 U pdated normal and alternate OSP feeds gates to 4KV busses for consistency.

43 HC20 1 6-002 Deleted FW gate from u nder HPCI-INJ-LOCA.

Change SSW-XH 1 -0C-VLV1 to only be for SSW crosstie for 44 H C201 2-020 opposite SACS loop cooling (and renamed to SAC-XH 1 -FO-XTIE).

Make RAC-XH 1 -RS-24-0 1 and TAC-XH 1 -RS-24-0 1 the H E Ps for RACS and TACS cooling restoration after LOCA isolation.

45 Revise 6" containment vent path to be similar to 1 2" vent path 46 U pdate I E frequencies; updated LOOP recovery probabilities; rename recovery B Es to be more accurate with time period 47 Updated I SLOCA frequencies 48 Set DG-ABC D TM term to False in Flag file (later removed) 49 Add new conseq uential LOOP probability for manual scram initiator.

50 Revised DWV node to reflect procedu re; revised SWIS HVAC H EP prob; added X-GTR-TBV to GTR depress node.

5 1 Created new H PI-GTR tree for transient H P I. Contains RCI C/CRD combo and deletes HCPI min flow valve.

1 0

LR-N 1 8-0032 LAR H 1 8-02 Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7 A) URE CHANGES Change U R E Change or U R E Description 52 S BO ET - add TDV-N L to OSP-L down branch to create new SBO-006 and SB0-007 53 U pdated trans and L consequential LOOP to 6928 data with Ed's comments 54 U n-do #34.

55 Create X-SLOCA-ST gate for S LOCA-ST depress node with SPC with new HEP for PSPL depressurization.

56 Recalculated ISLOCA frequencies.

57 SACS HX TM and leakage terms for A loop were swapped.

58 HC201 3-005 Delete Gate GVSS540, GVS P 1 60, GVSS543 from u nder GVSP1 50 and from u nder GVSS530.

59 HC201 3-008 Delete GCNS-XH 1 -RS-CO N DS from u nder GVSS200.

60 Revise S LOCA-ST ET to split i nto large and small 61 Revise S LOCA-WA ET to credit OW Sprays and delete RCIC.

62 Change the one Class IE sequence to Class lA per Ed and Larry.

63 HC20 1 7-0 1 1 Delete SWS Pre-I nitiators, remove DG-ABCD TM term from Flag file 64 U pdate I SLOCA frequencies based on final analysis; remove DGN-ABCD TM term from Flag file.

Change GSLC 1 50 to AN D gate; change SLC-C KV-CC-F006A and 65 B to SLC-SCV-CC-F006A and B ; Change Type Code to SCV-CC for both 66 HC201 7-009 Delete CSS-XH P-RE-XV001 and CSS-XH P-RE-XV005.

67 U pdated the P re-I nitiator H E P values in RR database to be consistent with Calculator 68 HC20 1 7-0 1 0 Deleted ACP-XH P-RE-GTS from model files H C 1 1 7A-L 1 -SYS.caf and H C 1 1 7 A.caf.

69 H C201 1 -003 Change gates SP1 and SP2 in SP.caf L2 nodal FT based o n Ed's markups.

70 U pdate OSPR BE's in L2 nodal FTs to be consistent with L 1 changes in BE names.

71 HC201 2-008 I ncorporate STI-004 manual EDG start into HC1 1 7A-SYS. caf H C201 2-009 72 HC201 2-007 Changed ACP-LOG-NO-* type code to RLY-FO in H C 1 1 7A. rr Added GZGA360 under GA4K1 33. Added LOOP-LOCA gate under GB4K1 30 and GB4K1 33 (same for C and D) to be similar to 73 STI-004 A. Changed C gate names to be consistent with other three for GC4K1 30 and GC4K1 33. Added UV common cause terms from STI-004 Rev 1.

74 STI-007 Add CCF terms and new B Es from STI-007, including RPT001 (excluded DC power dependencies to prevent circular logic).

75 U pdate M UAs in H C 1 1 7 A. rr based on 6/2/1 7 75 U pdate I F frequencies in H C 1 1 7A. rr based on 5/2/1 7 analysis data 1 1

LR-N 1 8-0032 LAR H 1 8-02 Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7A) URE CHANGES Change U R E Change or URE Description Added VSLOCA IE (%1 E-VSLOCA) under G-I E-MS gate (now OR gate). Also changed %I E-MS under gate I E-LOOP-C N D-MANSCR to G-I E-MS instead of just MS initiator. VS LOCA below TAF should also fail CRD consistent with PB model. Added new gate 76 G-CRD-I NIT u nder CRD-EN H and put % 1 E-VSLOCA u nder new gate. Should also have split fraction such that only VS LOCA below TAF should fail CRD, but don't have split fractio n in model currently. Add 0.5 factor (NEED TO ADD TO DOCU M ENTATION)

. (XHOS-VSLOCA-BELOW-TAF) 77 Follow-u p to Item #60. Split %1 E-S2-ST-L and % 1 E-S2-ST-U into 50% each.

78 Added new H E P ACP-XH 1 -ELAP-DECL u nder new gate G-O PACT-FLEX-ACP with 0. 1 based on MOM and PB.

79 U pdate FLEX modeling for Batt Chg and FLEX Compressor; u pdate probabilities from H RAC.

80 HC20 1 1 -0 1 2 Delete room cooling requ i rements from SWGR rooms.

8 1 Req uant with old H C 1 1 1 A I F frequencies; put new I F frequencies into FLAG file but not used for this line entry.

82 I F changes for RACS room SW floods 83 C redit for R H R A for flood scenarios using RS P.

84 Quant with new I F frequencies for six RACS room floods o nly.

U pdate probability of MCR-PH E-DOO R to 0. 0 1 based on eng ineering judgement and Bob Wolfgang's paper. U pdated 85 H RAC for RSP-XH 1 -FC-SHTDN to adjust time to 78 min.

Recalculated to 1.5 E-2 (from 1.6E-2) based on H RAC noteboo k entry 3. 1 04; Quantify with all new flood frequencies.

86 Deleted sequences S LSTL-0 1 1 and -01 8.

87 U pdated TM term and TC probabilities 88 Changed all R R entries that were type 1 (mission*rate) and 24 h rs to type 3 and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (same as PB2 1 4A model).

89 Review Appx G and update some values.

Revise CST swapover level indication failure type codes; add HC201 1 -008 500kV ring bus 62X breaker and 62X1 0 d iscon nect BEs; split RCI -

90 HC20 1 7-0 1 5 XH 1 -FO-XFER into H PCI and RCI C versions; added %FLTB-CW HC20 1 7-0 1 6 u nder gate LOOP2 and I E-LOOP; renamed % FL-FPS* to

% FLFPS* for consistency; put I F frequencies directly i n RR and deleted FLAG file for IF frequencies.

Add FLEX gate 1 E480VSWG RFLEX under BAT-CHG with AN D; 9 1 delete % 1 E-SWS from u nder transient conditional LOOP gate (I E-LOOP-CN D-TR) and keep only under LOCA cond itional LOOP gate (I E-LOOP-CN D-LOC).

92 Redo SBO ET for ELAP; add TDV-ELAP AN D B5B-FLEX-INJ F FTs 93 Update FLEX-I NJ FFT and SBO ET 94 U pdate Appx G. 1 1 for Vacuu m Breaker probabilities and u pdated RR database 95 U pdate H RA dependency_to modern {method 4) 1 2

LR-N 1 8-0032 LAR H 1 8-02 Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7 A) URE CHANGES Change U RE Change or U RE Description Refine H RA dependency; revised SWS-XH 1 actions to be more 96 specific, incorporated the fact that SACS HX outlet valves a re normally open and open upon SW pump start; same for SACS inlet valves and SACS pumps.

97 Remove ZQQQQQ; use optimized seeds in FLAG file.

98 Add GFLEX-RPV-DDP under EXT-C N D-858, ZZ-VNT-EXT-A, and ZZ-VNT -EXT -A-CP; fix 407 fan power dependency to C&D trains 99 Add chiller and fan combos to Disallow.

1 00 Delete gate GZFD1 42 from u nder GZFD 1 30; also delete GZFD200 from under GZF D 1 33.

1 0 1 Redo dependency with 1 E-1 0 CDF truncation and 1 E-9 LERF truncation for D E P analysis.

1 02 Fix incorrect RCI-TDP-FR type code 1 03 Deleted CNS 1 786, V034 and V1 1 7 valves from condensate flow path. Can still inject throug h idle RFP and FWHs.

1 04 Update conditional LOOP for all three 8 Es.

1 05 Redo dependency Added FLEX-POWER-FLAG under only 3 gates: GFLEX-R PV-1 06 MOP, GFLEX-COM P-1 00, 1 E480VSWGRFLEX. These are all O R gates.

Change flag file to use ACP-GTS-FR as flag instead of TM term; delete FLEX-POWER-FLAG and just add FLEX components to 1 07 flag file; redo S80 ET to have ELAP and non-ELAP sequences.

Redo X-S80 node and ELAP-DECL nodes; fix error in DISALLOW for 8 chiller and C EDG (was D EDG) 1 08 Fix some H E Ps that did n't have J H EP flags, especially a few in L2 model. Redo dependency.

1 09 Fix condensate pump bypass logic for PRI and SEC 1 1 0 Adjust L2 dependencies in H RAC 1 1 1 Add GFLEX-RPV-DDP under ZZ-FAI L-I N-MU4-LP 1 1 2 Recalculate dependencies 1 1 3 Use FTREX 1. 8 1 1 4 Clean u p PCP and SCP logic, split out PCS and EXT I N J g ates separately.

1 1 5 Change EDG run time from 6 h rs. to 8 hrs.

Change FW flow path A and 8 gates to R PV into "already running" 1 1 6 gate which has fail to remain open valves, and "need to restart" which has fail to open valves GVSS360 and GVSS380 turned into GVSS360RU N/380 and GVSS360RST/380.

Delete gate G-N R-ECCS from u nder CRD-EN H. The ECCS H E Ps are for actuation of ECCS systems g iven automatic actuations have failed. CRD has no automatic actuation and is not an ECCS system. CRD has its own HEP (CRD-XH 1 -FO-CRDEN). Also 1 1 7 delete G-N R-ECCS-SET,GSET-250V, GWTLVL-SET, X-XH E-SET, GSET-CST, GSET-CV, GSET-CD-SEQS, GRH R IN IT-SET, GSACS-SSWS-SET, GCON-XH E-SET, GSET-SLOCA, GSET-LOOP-SLOCA, GSET-I ES, GSET-TRANS, GHVAC-XH E-S ET, GSET-LOOP (seismic gates).

1 3

LR-N 1 8-0032 LAR H 1 8-02 Table A-1

SUMMARY

OF HOPE CREEK 201 7 MODEL (HC1 1 7A) U RE CHANGES Change U R E Change or U R E Description 1 1 8 Change all LOCA ET node FFTs for EXT I N J to new EXT-****-

LOCA which require hotwel l refill from CST if condensate is used.

Delete GIAS 1 00 from u nder GCICS-IA-A and GCI CS-IA-8. 5029 1 1 9 and 503 1 valves fail closed on loss of air per P&I D. Redo L2 dependency and Flag/Recovery files.

Second cutset review: U pdated I E-SBO node with modified EDG failures to remove inverter room cooling and also use simplified 1 20 SACS failures; added 5302 flood initiator to PC-SCP node; fixed RCIC auto in itiation logic AN D/OR g ates; changes %1 E-SWS conditional LOO P to TR instead of LOCA; redo H RA dependency and update several CD to M D for L 1 and L2 1 2 1 Second cutset review redo dependency 1 22 Change LOP ET CRD FFT from HPI to H P I -CRD 1 23 l ncorQ_orate changes from the challenge review 1 4

LR-N 1 8-0032 A.2 RESOLUTION OF OPEN FACTS AND OBSERVATIONS A.2. 1 OPEN FULL-POWER I NTERNAL EVENTS PRA MODEL FACTS AND OBSERVATIONS No F&Os are considered open for the FPIE Model of Record.

A.2.2 OPEN FIRE PRA MODEL FACTS AND OBSERVATIONS LAR H 1 8-02 The open F&Os from the November 201 0 Fire PRA Peer Review (Reference 1 3) were reviewed for possible impacts to the results of this risk evaluation - in particular, items relating to risk significant SSCs (including the inverters and emergency diesel generators), the fault tree model, important accident sequences (i.e. LOOP), external events, human reliability, model quantification, and sources of model uncertainty. The F&Os falling into these categories are documented in Table A-2. Each has been addressed in the Fire PRA Model of Record (HC 1 1 4FO) used in this risk evaluation.

1 5

LR-N 1 8-0032 F&O Supporting Requirement(s)

QU-8 1 1 -20 Q U-F5 FQ-8 1 Q U-F2 1 -2 1 QU-83 FQ-8 1 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution Software utilized in q uantification of the Fire PRA is FRANC, XI N IT, and CAFTA (as part of the R&R Software su ite). An overview of the use of these codes is provided in HC-PSA-2 1. 06 Section 3. 1 4.

These codes are accepted as PRA i ndustry standard codes for q uantification of Fire PRA.

In the 20 1 4 FPRA update, a discussion However, no discussion is provided as to the limitations or features regarding FRANX and its limitations and use of the codes that cou ld impact resu lts. In fact, Appendix E shows was added to the documentation. The that there are d ifferences in the use of FRANC vs. XI NIT for concerns raised apply to the older EPRI quantification, but no discussion is provided as to the reason for the codes FRANC and XI N IT, which FRANX q uantification d ifference. Some d ifferences are attributed to Min-Cut replaced. No important limitations were U pper bou nd approximation.

identified.

Examples of impacts due to the codes chosen include:

I mpacts of the M in-Cut-U pper bou nd quantification method and Rare Event Approximation when used i n quantifying high probability failures.

In the 20 1 4 FPRA u pdate, CDF and LERF HC-PSA-2 1. 06 Section 5.3 were req uantified with a new truncation A truncation sensitivity is performed to validate the reasonableness study to demonstrate convergence. This was included in the documentation. The of the chosen truncation limit. The change in CDF from the chosen truncation limit affects the absolute value of truncation level to the next h igher truncation level is less than 5%.

the CDFs and LERFs quantified; however, For LERF this is less than 1 % change.

the risk metrics developed for this risk However, only two points are q uantified which only provide one data evaluation depend on the change in these point for the change in CDF (LERF). No convergence of results is when the inverters are taken out-of-service.

demonstrated, which wou ld require quantification of at least three Any add itional relevant cutsets falling below successive truncations to provide more than one delta CDF (LERF) the tru ncation limit (1 E-1 22) wou ld be on the and thus demonstrate a trend in decreasing change in CDF (LERF).

order of 1 E-1 2, six orders of magnitude smaller than the risk metrics considered.

1 6

LR-N 1 8-0032 F&O Supporting Requirement(s) 3-8 SF-8 1 3-9 S F-A3 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution Section 1.2.4 of the Hope Creek Fire Probabilistic Risk Assessment Summary and Quantification Notebook (HC-PSA-2 1. 06) documents I n the 20 1 4 FPRA u pdate, a discussion of the resu lts of the seismic fire interaction analysis included i n the seismic-fire interactions considering all 1 997 I P EEE. This d iscussion addresses the results and i nsig hts available g uidance was added to the gained from the I PE E E evaluation. However it is not considered docu mentation to meet the SR sufficient to facilitate Fire P RA applications, upgrades, and peer requirements. This does not affect review since the I P E E E does not document all of the required quantification or risk insight conclusions.

Seismic/Fire I nteractions required by the SF requirements.

Seismic-fire interactions are not Accordingly this SR is considered not met and an F&O has been exacerbated with inverter(s) out-of-service.

prepared.

Section 4.8. 1. 3 of the I PE E E documents an evaluation of the seismic deg radation of fire suppression systems. The evaluation In the 20 1 4 FPRA update, a discussion of performed was limited to fire suppression systems located in safety seismic-fire interactions considering all related areas, the fire water pumphouse, and water storage tan ks.

available g uidance was added to the This analysis acknowledges that the primary concern is failure of the docu mentation to meet the SR non-seismic fire water pumphouse and water storage tanks however requirements. This does not affect the assessment does not extend beyond development of this one quantification or risk insight conclusions.

common-cause failure. Due to the limited nature of this assessment Seismic-fire interactions a re not this SR is considered not met and a finding is generated to expand exacerbated with inverter(s) out-of-service.

the evaluation performed.

1 7

LR-N 1 8-0032 F&O Supporting Requirement(s) 5-1 2 SF-A4 SF-AS DA-M 5-1 7 PRM-8 1 3 PRM-C 1 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution The Seismic Fire I nteractions study performed for the I PE E E did not look at the following:

1) REVI EW of the plant seismic response proced ures and Qualitatively ASSESS the potential that a seismically induced fire, or In the 20 1 4 FPRA u pdate, a discussion of the spurious operation of fire suppression systems, might seismic-fire interactions considering all compromise post-earthq uake plant response.

available g uidance was added to the

2) R EVI EW of a) plant fire brigade training procedures and ASS ESS docu mentation which addressed the two the extent to which training has prepared firefig hting person nel to specified items. Seismic-fire interactions respond to potential fire alarms and fires in the wake of an are not exacerbated with inverter(s) out-of-earthq uake and b) the storage and placement of firefighting support service.

equ ipment and fire brigade access routes, and c) ASSESS the potential that an earthquake might compromise one or more of these features.

Events added to the Fire PRA are included in Table 1-1 of the model In the 20 1 4 FPRA u pdate, a discussion of development calculation. However, the basis for the exposu re time or other parameters are not provided. For example, most of the basic event probabilities and failure rates events are MOV Fail to Remain Open/Closed. These events use the has been added to the documentation generic failure rate and a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> m ission time. This mission time is including justification for failure rates of new typically applied to a component that is verified available or alarmed basic events. Also the treatment of spurious prior to the event occurring. However, there is no documentation of operation was u pdated to the N U R EG-7 1 50 the verification of the M OV position or alarm. It may in fact be that cu rrent data. This risk evaluation does not the non-alarmed MOVs may have spuriously operated since the last manipulate basic event frequencies, other test, or since the last time the operator verified the position.

than in one of the sensitivity cases, and the Add itionally, event HPI-TDP-SS is set to 1 E-05, without reference or concerns raised are not affected by the basis provided.

inverters.

1 8

LR-N 1 8-0032 F&O Supporting Requirement(s) 5-22 SY-A24 PRM-89 5-24 SY-87 PRM-89 H R-E3 H R-E4 5-30 H R-G5 H RA-A2 H RA-A4 H RA-C 1 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution Two hardware repair events were carried over from the internal In the 20 1 4 FPRA u pdate, a more detailed events PRA model: RHS-REPAI R-L and RHS-REPAI R-TR. These events have probabilities based u pon mean times to repair for discussion of these repair events and their normal random failures (for suppression pool cooling) and do not probability calculations were added to the account for the potentially damaging effects of fire events. These docu mentation. This was reviewed also recovery events appear in 8 of the top 1 0 fire CDF cutsets and are d uring the cutset reviews with plant among the most risk significant basic events in the fire PRA resu lts.

operations. These risk-significant repair I ncluding these events and the associated probabilities from the actions are necessary to include in this risk internal events model was not justified.

evaluation.

For the 201 4 FPRA u pdate, thermal MSOs were included in the FPRA model without consideration for hydraulic calculations using MAAP were actual flow rates or timing affecting CDF or core u ncovery.

performed to confirm spurious operation For example, MSO of the head vents was conservatively modeled,

plant response, such as spurious MSIV and may not lead to a core damage event in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. M u ltiple SRV opening, and spurious single or m u ltiple open ings was conservatively modeled (e. g., for 2 SRVs) as a Large SRV openings. The resu lts were LOCA, without d iscussion on the expected flow rates.

incorporated into the FPRA and this risk evaluation.

No operator I nterviews or talk throughs were performed for the H EPs identified as applicable to the Fire PRA.

No operator I nterviews or talk throughs were performed for I n the 20 1 4 FPRA u pdate, operator interpretation of the procedu res with plant operations or training interviews were performed and added to the personnel to confirm that interpretation is consistent with plant docu mentation. Plant operators were also operational and training practices.

involved with cutset reviews. Th is additional No simulator observations or talk-throughs with operators were docu mentation has no quantitative impact performed to confirm the response on this risk evaluation.

models for scenarios modeled 1 9

LR-N 1 8-0032 F&O Supporting Requirement(s) 5-40 H R-G8 H RA-C 1 LE-F2 Q U-D2 Q U-F2 5-5 1 QU-D5 U NC-A1 FQ-D 1 FQ-E 1 FQ-F1 QU-E1 LE-F3 LE-G4 5-52 LE-G5 U NC-A1 FQ-E 1 FQ-F1 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution In the 20 1 4 FPRA update, detailed H E P calculations, including u ncertainty factors, have been developed with H RA Calcu lator Uncertainty factors for the J H EP values do not appear to have been for the 201 4 FPRA u pdate. The val ues of included in the FPRA. Add itionally, the new H E P added to the model J H E Ps were u pdated, but uncertainty (TWC-XH E-ISOL) did not have any u ncertainty values added.

factors were not calculated. Qualitative uncertainty was assessed and documented.

J H EPs are not risk-significant for the inverters or i n this risk evaluation.

I n the 20 1 4 FPRA u pdate, a consistency The Results of the FPRA CDF and LERF are presented in the review of insignificant seq uences and Summary and Quantification Notebook, along with the i mportance cutsets was performed d uring the cutset measures. Top Cutsets are also presented. However, a consistency reviews. This additional documentation has review and review of insignificant sequences or cutsets does not no quantitative impact on this risk appear to have been performed.

evaluation.

Section 3. 17 and 3. 18 of the FPRA Summary and Quantification Analysis provides a discussion of assumptions and sources of I n the 20 1 4 FPRA update, all identified uncertainty in the FPRA. However, the sources of uncertainty is not com plete, and not fully discussed. See Appendix V of N U R EG/Cr-sources of uncertainty were included in the 6850 for an example of potential sou rces of uncertainty to be documentation. Sources of uncertainty considered.

specific to the i nverters and this risk Add itionally, the limitations of the LERF analysis (as required by LE-evaluation are d iscussed in Section 3.2.4.

GS) are not identified in the FPRA resu lts.

20

LR-N 1 8-0032 F&O Supporting Requirement(s) 6-5 FSS-E4 U NC-A2 LAR H 1 8-02 Table A-2 RESOLUTION OF RELEVANT FPRA PEER REVIEW F&Os F&O Description Resolution The FPRA documents the results of a sensitivity on crediting (not damaging) the components whose cable locations are unknown (table 6. 1 ) -- However, a sensitivity case where components whose cable locations are u n known but are assumed to not be damaged in certain compartment scenarios are damaged (failed) is not documented.

References:

In the 20 1 4 FPRA u pdate, this sensitivity A qualitative discussion of the uncertainty associated with the case was performed and documented. The exclusion of Y3 cables is provided in Appendix D of HC-PSA-2 1. 06.

inverters' cable locations are known, so they Table 6-1 shows that if cable selection was performed for all credited are u naffected in this sensitivity case.

PRA eq uipment the CDF wou ld decrease by a maximum of approximately 1 7%. Crediting the components whose cable locations are unknown was found to have a moderate impact on CDF q uantitatively. This CDF reduction, however, is the maximum reduction achievable and it would be expected that the actual reduction would be less than this value since some unknown location cables would be expected to be impacted by fire events.

21

LR-N 1 8-0032 LAR H 1 8-02 Parametric Uncertainty Methodology

LR-N 1 8-0032 LAR H 1 8-02 The assessment documented in this section addresses quantitative parametric uncertainty analysis (i.e., Monte Carlo analysis of the core damage accident sequence cutset basic events).

The sources of uncertainty assessed include the following:

Initiating event frequencies Component failure probabilities Component maintenance unavailabilities Human error probabilities Common-cause failures Recovery failure probabilities (e.g., offsite power, main condenser, station air)

Phenomenological events (e.g., environmentally-induced equipment failure post containment failure)

Consistent with the ASME/ANS PRA Standard, parametric uncertainty is characterized using Monte Carlo simulation. For the results of this analysis, see Attachment 1 Section 3.2.4. 1.

The parametric uncertainty propagation for this risk evaluation is performed using the commercially available software UNCERT Version 4.0 (part of the R&R Workstation) developed by the Electric Power and Research Institute (EPRI). UNCERT Version 4.0 is a 32-bit Windows based program that uses CAFTA-generated cutset files and databases as inputs to quantify the uncertainty distribution of a group of cutsets.

CAFTA core damage accident sequence cutset information (cutset files and database files) from the developed configurations (see Attachment 1 Section 3.2.2. 1.2) of the CDF and LERF models are imported into UNCERT. Probability distribution types and associated variance parameters (e.g., Error Factors (EFs) in the case of lognormal distributions) are assigned to each of the basic events. These distributions and EFs are assigned in the CAFTA database.<1>

UNCERT randomly re-samples from each of the input distributions, based on the type code database, and uses the CAFTA cutset equations to re-compute the new CDF or LERF. The results are stored and the input distributions are again re-sampled many additional times. After all the re-samples are completed, the stored results are processed to form a probability distribution for the Hope Creek PRA CDF and LERF.

A Monte Carlo evaluation of PRA logic can be perforiT)ed using correlated or uncorrelated probability distributions to represent the inputs for the basic events. The probability density distribution describing the uncertainty in a component failure probability is characterized as a state-of-knowledge about an assumed fixed value; the same state-of-knowledge (that is., the same distribution) may in fact underlie many distinct basic events. For example, the knowledge of the failure rate of one particular motor operated valve (e.g., a LPCI injection valve) is typically based on experience with all MOVs. Therefore, the various basic events that involve the failure of an MOV are all in fact estimated from a single common distribution and are mapped to a the same data variable (type code) to ensure proper state-of-knowledge correlation in the Monte Carlo process. A type code is assigned to every unique basic event. For more information on the use of type codes, see the Hope Creek PRA FPIE Component Data Notebook (Reference 56).

<1>

Type code information (stored in TC table of the H C 1 1 1 A. R R file) is currently used to account for the state-of-knowledge dependence among correlated in put distributions.

1

LR-N 1 8-0032 LAR H 1 8-02 The uncertainty bounds for basic events are defined by the use of lognormal distribution Error Factors (EFs), which are defined as the square root of the ratio of the 951h and 51h percentiles.

They are assigned as follows:

Initiating Events:

When available, EFs obtained from the initiating event frequency Bayesian analysis results When such information is not available, the general EF guidelines below are used.

Random Component Failures:

When available, EFs obtained from the component failure data Bayesian analysis results When such information is not available, the general EF guidelines below are used.

Maintenance Unavailabilities:

The general EF guidelines below are used.

CCF Terms:

The general EF guidelines below are used.

Human Error Probabilities:

The following guidelines are based on information in Section 7 of NUREG/CR-1 278.

Pre-Initiator HEPs Estimated HEP < 0.001 Estimated HEP 0.001 to 0.01 Estimated HEP > 0.01 Post-Initiator HEPs Estimated HEP < 0.001 Estimated HEP > 0.001 Error Factor 1 0 3

5 1 0 5

For high probability HEPs (i.e., >0. 1 ), refer to general EF guidelines below.

2

LR-N 1 8-0032 General EF Guidelines:

LAR H 1 8-02 The following EF assignments are used unless other distribution information is available as described above:

Basic Event (BE) Value Error Factor BE 0.25 1

0. 1 0 BE < 0.25 2

1 E-4 BE < 0. 1 0 3

< 1 E-4 1 0 3

LR-N 1 8-0032 LAR H 1 8-02 Single L ine Drawing of Ty pical Inverter

LR-N 1 8-0032 1-2/C *2 ITYP,)

LINE VOLTAGE/

REGULATOR BACK-UP POWER SuPPLY 480V, 1¢ !TYP.)

LOW IMPEOANCE VOLTAGE REGULATOR CLASS lE INSTRUMENTAT ION Single L ine Drawing of Ty pical Invert er 1-3/C *4

<TYPJ NORMAL POWER SuPPLY 480V, 3¢ tTYP,) 4-1/C<T\\]CMIL

(

C6201

£ STATIC SW TRANSFER SWITCHES AC POWER SUPPLY 1A0481 20KVA [B).sLU.::fN 1

LAR H 1 8-02

Retrieved from "https://kanterella.com/w/index.php?title=LR-N18-0032,_License_Amendment_Request:_Inverter_Allowed_Outage_Time_(AOT)_Extension&oldid=5000410"