SBK-L-18089, License Amendment Request 17-06, Change to the Technical Specification Requirements for Reactor Trip System Instrumentation and Engineered Safety Features Actuation System Instrumentation to Implement WCAP-14333 and WCAP-15376
| ML19310D804 | |
| Person / Time | |
|---|---|
| Site: | Seabrook |
| Issue date: | 11/01/2019 |
| From: | Mccartney E NextEra Energy Seabrook |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| SBK-L-18089 | |
November 1, 2019

10 CFR 50.90
SBK-L-18089

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Seabrook Station
Docket No. 50-443

Subject: License Amendment Request 17-06, Change to the Technical Specification Requirements for Reactor Trip System Instrumentation and Engineered Safety Features Actuation System Instrumentation to Implement WCAP-14333 and WCAP-15376

Pursuant to 10 CFR 50.90, NextEra Energy Seabrook, LLC (NextEra) is submitting License Amendment Request (LAR) 17-06 to revise the Seabrook Station Technical Specifications (TS). The proposed change revises the TS requirement for the Reactor Trip System (RTS) Instrumentation and Engineered Safety Features Actuation System (ESFAS) Instrumentation to implement the Allowed Outage Times (AOTs) and bypass test times justified in WCAP-14333-P-A, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." The proposed change incorporates changes contained in TS Task Force (TSTF) Standard Technical Specifications Change Travelers: TSTF-411, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376)," and TSTF-418, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)."
The enclosure to this letter provides NextEra's evaluation of the proposed change. Attachment 1 to the enclosure provides markups of the TS showing the proposed changes, and Attachment 2 contains markups showing proposed changes to the TS Bases. The proposed changes to the TS Bases are provided for information only and will be implemented in accordance with the TS Bases Control Program upon implementation of the amendment. Retyped TS pages containing the proposed changes will be provided when requested by the NRC Project Manager.
As discussed in the evaluation, the proposed change does not involve a significant hazards consideration pursuant to 10 CFR 50.92, and there are no significant environmental impacts associated with the change.
The Station Onsite Review Group has reviewed the proposed license amendment. In accordance with 10 CFR 50.91(b)(1), a copy of this letter is being forwarded to the designee of the State of New Hampshire.
There are no new or revised commitments made in this submittal.
NextEra requests NRC review and approval of this license amendment request by December 1, 2020 and implementation within 90 days.
NextEra Energy Seabrook, LLC, P.O. Box 300, Lafayette Road, Seabrook, NH 03874
Should you have any questions regarding this letter, please contact Mr. Ken Browne, Safety Assurance and Learning Site Director, at (603) 773-7932.
I declare under penalty of perjury that the foregoing is true and correct.
Executed on November _,_, 2019.
Sincerely,
McCartney
Site Director (VP)
NextEra Energy Seabrook, LLC

Enclosure: Evaluation of the Proposed Change

cc:
- NRC Region I Administrator
- NRC Project Manager
- NRC Senior Resident Inspector
- Director Homeland Security and Emergency Management, New Hampshire Department of Safety, Division of Homeland Security and Emergency Management, Bureau of Emergency Management, 33 Hazen Drive, Concord, NH 03305
- Katharine Cederberg, Lead Nuclear Planner, The Commonwealth of Massachusetts Emergency Management Agency, 400 Worcester Road, Framingham, MA 01702-5399
SBK-L-18089 Enclosure

NextEra Energy Seabrook's Evaluation of the Proposed Change

Subject: Change to the Technical Specification Requirements for the Reactor Trip System Instrumentation and Engineered Safety Features Actuation System Instrumentation to Implement WCAP-14333 and WCAP-15376

1.0 SUMMARY DESCRIPTION
2.0 DETAILED DESCRIPTION
2.1 System Design and Operation
2.1.1 RTS Instrumentation
2.1.2 ESFAS Instrumentation
2.2 Current Technical Specification Requirements
2.3 Reason for the Proposed Change
2.4 Description of the Proposed Change
3.0 TECHNICAL EVALUATION
3.1 Background Information
3.1.1 Combined Risk Metric Results
3.2 Probabilistic Risk Analysis Evaluation
3.2.1 WCAP-14333-P-A Tier 1 Evaluation
3.2.2 WCAP-14333-P-A Tier 2 Requirements
3.2.3 WCAP-15376-P-A Tier 1 Evaluation
3.2.4 WCAP-15376-P-A Tier 2 Requirements
3.2.5 Tier 3, Risk-Informed Configuration Risk Management
3.2.6 External Events
3.3 Topical Report Safety Evaluation (SE) Conditions
3.3.1 WCAP-14333-P-A SE Conditions
3.3.2 WCAP-15376-P-A SE Conditions
3.4 PRA Quality
3.5 Monitoring Requirements Associated with the Implementation
4.0 REGULATORY EVALUATION
4.1 Applicable Regulatory Requirements/Criteria
4.2 Precedent
4.3 No Significant Hazards Consideration
4.4 Conclusion
5.0 ENVIRONMENTAL CONSIDERATION
6.0 REFERENCES

Markup of the Technical Specifications
Markup of the Technical Specification Bases
Evaluation of the Proposed Change

1.0 SUMMARY DESCRIPTION

NextEra Energy Seabrook, LLC (NextEra) is submitting License Amendment Request (LAR) 17-06 to revise the Seabrook Station Technical Specifications (TS). The proposed change revises the TS requirement for the Reactor Trip System (RTS) Instrumentation and Engineered Safety Features Actuation System (ESFAS) Instrumentation to implement the Allowed Outage Times (AOTs) and bypass test times justified in WCAP-14333-P-A, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998 [Reference 1] and WCAP-15376-P-A, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003 [Reference 2].

The proposed change incorporates changes contained in the following NRC-approved Technical Specification Task Force (TSTF) Standard Technical Specifications (STS) Change Travelers: TSTF-411, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376)," [Reference 3] and TSTF-418, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)," [Reference 4].

Although WCAP-15376-P-A and TSTF-411 include changes associated with surveillance frequencies, the changes proposed in this LAR only include the AOT and bypass test time changes identified in the references above. The periodic surveillance frequencies in the Seabrook TS have been relocated to a Surveillance Frequency Control Program.

The AOT acronym applicable to the Seabrook Station TS and the term "Completion Time," which is utilized in NUREG-1431, "Standard Technical Specifications - Westinghouse Plants," [Reference 5] are synonymous and both terms are used in this LAR.
2.0 DETAILED DESCRIPTION

2.1 System Design and Operation

2.1.1 RTS Instrumentation

The RTS automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena. Therefore, the RTS keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressurizer pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters), and also on variables which directly affect the heat transfer capability of the reactor (e.g., reactor coolant flow and reactor coolant temperatures). Still other parameters utilized in the RTS are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a setpoint, the reactor will be shut down to protect against either gross damage to fuel cladding or loss of system integrity that could lead to release of radioactive fission products into the containment.
The following systems and equipment make up the RTS:
- a. Process Instrumentation System,
- b. Nuclear Instrumentation System,
- c. Solid-State Protection System,
- d. Reactor Trip Switchgear, and
- e. Manual Actuation Circuit.
The RTS consists of sensors, connected to signal processing circuitry consisting of two to four redundant channels that monitor various plant parameters, and circuitry consisting of two redundant logic trains, which receive inputs from the signal processing channels to complete the logic necessary to automatically open the reactor trip breakers (RTBs).
Each logic train is capable of opening a separate and independent RTB. Two trip breakers in series connect three-phase AC power from the rod drive motor generator sets to the rod drive power cabinets. During plant power operation, a DC under voltage coil on each RTB holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, removal of DC voltage to the under voltage trip attachment releases the trip plunger and trips open the breaker. In addition, removal of DC voltage de-energizes the shunt trip auxiliary relay, which causes the shunt trip coil to be energized to provide diverse tripping of the breaker. When either of the trip breakers opens, power is interrupted to the rod drive power supply, and the control rods fall, by gravity, into the core.
The various reactor trip circuits automatically open the RTBs whenever a condition monitored by the RTS reaches a preset level. In addition to redundant channels and trains, the RTS monitors numerous system variables and, therefore, provides functional diversity.
The extent of this diversity has been evaluated for a wide variety of postulated accidents.
2.1.2 ESFAS Instrumentation

In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary Engineered Safety Features (ESF) equipment. The occurrence of a limiting fault, such as a loss-of-coolant accident or a steam line break, requires a reactor trip plus actuation of one or more of the ESF components to prevent or mitigate damage to the core and reactor coolant system components, and ensure containment integrity. To accomplish these design objectives, the ESF system has proper and timely initiating signals, which are supplied by the sensors, transmitters, and logic components making up the various instrumentation channels of the ESFAS.

The ESFAS uses selected plant parameters, determines whether or not predetermined safety limits are being exceeded and, if they are, combines the signals into logic matrices sensitive to combinations indicative of primary or secondary system boundary ruptures (Class III or IV faults). Once the required logic combination is completed, the system sends actuation signals to the appropriate ESF components.

The ESFAS equipment that provides the actuation functions is listed below:
- Process Instrumentation System,
- Radiation Monitoring System,
- Solid-State Protection System (SSPS), and
- Manual Actuation Circuits.
The ESFAS consists of sensors, connected to signal processing circuitry consisting of two to four redundant channels that monitor various plant parameters, and circuitry consisting of two redundant logic trains, which receive inputs from the signal processing channels to complete the logic needed to actuate the ESF equipment. Each of the two logic trains is capable of actuating the ESF equipment required. The intent is that any single failure within the ESFAS shall not prevent system action when required.
The redundant concept is applied to both the monitoring and logic portions of the system.
Separation of redundant monitoring channels begins at the process sensors and is maintained in the field wiring, containment vessel penetrations, and electronics terminating at the redundant safeguards logic racks.
2.2 Current Technical Specification Requirements

The proposed change affects the Actions for the analog channel, actuation logic and actuation relay Functional Units specified in TS 3.3.1, "Reactor Trip System Instrumentation," Table 3.3-1 and TS 3.3.2, "Engineered Safety Features Actuation System Instrumentation," Table 3.3-3. The following tables (one for the RTS instrumentation and one for the ESFAS instrumentation) summarize the Seabrook Station TS Functional Units and applicable Actions affected by the proposed change.
Table 2.2-1: TS 3.3.1, "Reactor Trip System Instrumentation"

| Functional Unit From TS Table 3.3-1 | Applicable ACTION From TS Table 3.3-1 |
|---|---|
| 2.a Power Range Neutron Flux - High Setpoint; 2.b Power Range Neutron Flux - Low Setpoint; 3 Power Range, Neutron Flux High Positive Rate | ACTION 2 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable Channel is placed in the tripped condition within 6 hours, b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4 hours for surveillance testing of other channels per Specification 4.3.1.1, and c. Either, THERMAL POWER is restricted to less than or equal to 75% of RATED THERMAL POWER and the Power Range Neutron Flux Trip Setpoint is reduced to less than or equal to 85% of RATED THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours per Specification 4.2.4.2. |
| 7 Overtemperature ΔT; 8 Overpower ΔT; 9 Pressurizer Pressure-Low; 10 Pressurizer Pressure-High; 11 Pressurizer Water Level-High; 12.a Reactor Coolant Flow--Low, Single Loop (Above P-8); 12.b Reactor Coolant Flow--Low, Two Loops (Above P-7 and below P-8); 13 Steam Generator Water Level--Low--Low; 14 Undervoltage--Reactor Coolant Pumps; 15 Underfrequency--Reactor Coolant Pumps; 16.a Turbine Trip, Low Fluid Oil Pressure | ACTION 6 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable channel is placed in the tripped condition within 6 hours, and b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4 hours for surveillance testing of other channels per Specification 4.3.1.1. |
| 17 Safety Injection Input From ESF; 20 Automatic Trip and Interlock Logic | ACTION 7 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 6 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE. |
| 19 Reactor Trip Breakers | ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to 2 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE. |
Table 2.2-2: TS 3.3.2, "Engineered Safety Features Actuation System Instrumentation"

| Functional Unit From TS Table 3.3-3 | Applicable ACTION From TS Table 3.3-3 |
|---|---|
| Safety Injection: 1.b Automatic Actuation Logic and Actuation Relays. Containment Spray: 2.b Automatic Actuation Logic and Actuation Relays. Containment Isolation Phase A: 3.a.2 Automatic Actuation Logic and Actuation Relays. Containment Isolation Phase B: 3.b.2 Automatic Actuation Logic and Actuation Relays. Auto Switchover to Containment Sump: 8.a Automatic Actuation Logic and Actuation Relays | ACTION 13 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, be in at least HOT STANDBY within 12 hours and in COLD SHUTDOWN within the following 30 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1, provided the other channel is OPERABLE. |
| Containment Spray: 2.c Containment Pressure - Hi-3. Phase B Isolation: 3.b.3 Containment Pressure - Hi-3. Auto Switchover to Containment Sump: 8.b RWST Level--Low-Low | ACTION 15 - With the number of OPERABLE channels one less than the Total Number of Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is met. One additional channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1. |
| Steam Line Isolation: 4.b Automatic Actuation Logic and Actuation Relays. Emergency Feedwater: 7.b Automatic Actuation Logic and Actuation Relays | ACTION 20 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 6 hours or be in at least HOT STANDBY within the next 6 hours and in at least HOT SHUTDOWN within the following 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE. |
| Safety Injection: 1.c Containment Pressure-Hi-1; 1.d Pressurizer Pressure - Low; 1.e Steam Line Pressure-Low. Steam Line Isolation: 4.c Containment Pressure-Hi-2; 4.d Steam Line Pressure-Low; 4.e SG Pressure-Negative Rate-High. Turbine Trip: 5.b SG Water Level-High-High (P-14). Feedwater Isolation: 6.a SG Water Level-High-High (P-14). Emergency Feedwater: 7.c SG Water Level--Low-Low Start Motor-Driven Pump and Start Turbine-Driven Pump. ESFAS Interlocks: 10.c SG Water Level, P-14 | ACTION 18 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable channel is placed in the tripped condition within 6 hours, and b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4 hours for surveillance testing of other channels per Specification 4.3.2.1. |
| Turbine Trip: 5.a Automatic Actuation Logic and Actuation Relays | ACTION 22 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 6 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE. |
2.3 Reason for the Proposed Change

As stated in WCAP-14333-P-A, these improvements will allow additional time to perform maintenance and test activities, enhance safety, provide additional operational flexibility, and reduce the potential for forced outages related to compliance with the RTS and ESFAS instrumentation TS. Industry information has shown that trips have occurred during instrumentation test and maintenance activities, indicating that these activities should be completed with caution and sufficient time should be available to complete these activities in an orderly and effective manner.

2.4 Description of Proposed Change

NRC-approved WCAP-14333-P-A contains the technical justification for changes to the Completion Time and bypass time for RTS and ESFAS analog channels, and the Completion Time for RTS and ESFAS logic trains and actuation relays. The AOT acronym applicable to the Seabrook Station Plant TS and the term "Completion Time," which is utilized in NUREG-1431, "Standard Technical Specifications - Westinghouse Plants," Revision 4, April 2012, are synonymous. NRC-approved TSTF-418 contains the changes to NUREG-1431 required to implement the changes justified in WCAP-14333-P-A.
The following AOT and bypass test times are justified in WCAP-14333-P-A:

Table 2.4-1: WCAP-14333-P-A AOT and Bypass Test Time

| Component | AOT | Bypass Test Time |
|---|---|---|
| Analog Channels | 72 hours | 12 hours |
| Logic Train & Actuation Relays | 24 hours | No change |

NRC-approved WCAP-15376-P-A contains the technical justification for extending Surveillance Frequencies for the RTS and ESFAS logic trains, master relays, analog channels, and RTBs. WCAP-15376-P-A also provides the technical justification to change the Completion Time and bypass time for the RTS RTBs. The NRC-approved TSTF-411 contains the changes to NUREG-1431 required to implement the changes justified in WCAP-15376-P-A.
Seabrook Station implemented a Surveillance Frequency Control Program approved by the NRC in Amendment No. 141. As such, the Seabrook RTS and ESFAS TS do not contain the periodic Surveillance Frequencies affected by the changes justified in WCAP-15376-P-A. Therefore, the change proposed in this LAR only includes the WCAP-15376-P-A justified changes applicable to the AOT and bypass time for the RTBs.

WCAP-15376 justifies the following AOT and bypass time for the RTBs:
- 24 hour AOT
- 4 hour bypass time

The changes proposed to the TS and Bases are provided in the markups contained in Attachments 1 and 2.
The following tables (one for the RTS instrumentation and one for the ESFAS instrumentation) summarize the affected Seabrook Station TS Functional Units and show the proposed changes to the associated Actions necessary to implement the changes justified by WCAP-14333-P-A and WCAP-15376-P-A as discussed above. The proposed revision of the AOT and bypass time in the affected Actions is shown in bold text.
Table 2.4-2: TS 3.3.1, "Reactor Trip System Instrumentation"

| Functional Unit From TS Table 3.3-1 | Applicable ACTION From TS Table 3.3-1 |
|---|---|
| 2.a Power Range Neutron Flux - High Setpoint; 2.b Power Range Neutron Flux - Low Setpoint; 3 Power Range, Neutron Flux High Positive Rate | ACTION 2 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable Channel is placed in the tripped condition within ~~6~~ 72 hours, b. The Minimum Channels OPERABLE requirement is met; however, the ~~inoperable~~ one channel may be bypassed for up to ~~4~~ 12 hours for surveillance testing ~~of other channels~~ per Specification 4.3.1.1, and c. Either, THERMAL POWER is restricted to less than or equal to 75% of RATED THERMAL POWER and the Power Range Neutron Flux Trip Setpoint is reduced to less than or equal to 85% of RATED THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours per Specification 4.2.4.2. |
| 7 Overtemperature ΔT; 8 Overpower ΔT; 9 Pressurizer Pressure-Low; 10 Pressurizer Pressure-High; 11 Pressurizer Water Level-High; 12.a Reactor Coolant Flow--Low, Single Loop (Above P-8); 12.b Reactor Coolant Flow--Low, Two Loops (Above P-7 and below P-8); 13 Steam Generator Water Level--Low--Low; 14 Undervoltage--Reactor Coolant Pumps; 15 Underfrequency--Reactor Coolant Pumps | ACTION 6A - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable channel is placed in the tripped condition within ~~6~~ 72 hours, and b. The Minimum Channels OPERABLE requirement is met; however, the ~~inoperable~~ one channel may be bypassed for up to ~~4~~ 12 hours for surveillance testing ~~of other channels~~ per Specification 4.3.1.1. |
| 16.a Turbine Trip, Low Fluid Oil Pressure | ACTION 6B - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable channel is placed in the tripped condition within ~~6~~ 72 hours, and b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to ~~4~~ 12 hours for surveillance testing of other channels per Specification 4.3.1.1. |
| 17 Safety Injection Input From ESF; 20 Automatic Trip and Interlock Logic | ACTION 7 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within ~~6~~ 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE. |
| 19 Reactor Trip Breakers | ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to ~~2~~ 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE. |
Table 2.4-3: TS 3.3.2, "Engineered Safety Features Actuation System Instrumentation"

| Functional Unit From TS Table 3.3-3 | Applicable ACTION From TS Table 3.3-3 |
|---|---|
| Safety Injection: 1.b Automatic Actuation Logic and Actuation Relays. Containment Spray: 2.b Automatic Actuation Logic and Actuation Relays. Containment Isolation Phase A: 3.a.2 Automatic Actuation Logic and Actuation Relays. Containment Isolation Phase B: 3.b.2 Automatic Actuation Logic and Actuation Relays. Auto Switchover to Containment Sump (1): 8.a Automatic Actuation Logic and Actuation Relays | ACTION 13 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 24 hours or be in at least HOT STANDBY within ~~12~~ the next 6 hours and in COLD SHUTDOWN within the following 30 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1, provided the other channel is OPERABLE. |
| Containment Spray: 2.c Containment Pressure - Hi-3. Phase B Isolation: 3.b.3 Containment Pressure - Hi-3. Auto Switchover to Containment Sump (1): 8.b RWST Level--Low-Low | ACTION 15 - With the number of OPERABLE channels one less than the Total Number of Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition within 72 hours and the Minimum Channels OPERABLE requirement is met. One additional channel may be bypassed for up to ~~4~~ 12 hours for surveillance testing per Specification 4.3.2.1. |
| Steam Line Isolation: 4.b Automatic Actuation Logic and Actuation Relays. Emergency Feedwater: 7.b Automatic Actuation Logic and Actuation Relays | ACTION 20 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within ~~6~~ 24 hours or be in at least HOT STANDBY within the next 6 hours and in at least HOT SHUTDOWN within the following 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE. |
| Safety Injection: 1.c Containment Pressure-Hi-1; 1.d Pressurizer Pressure - Low; 1.e Steam Line Pressure-Low. Steam Line Isolation: 4.c Containment Pressure-Hi-2; 4.d Steam Line Pressure-Low; 4.e SG Pressure-Negative Rate-High. Turbine Trip | ACTION 18 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied: a. The inoperable channel is placed in the tripped condition within ~~6~~ 72 hours, and b. The Minimum Channels OPERABLE requirement is met; however, the ~~inoperable~~ one channel may be bypassed for up to ~~4~~ 12 hours for surveillance testing ~~of other channels~~ per Specification 4.3.2.1. |
5.b SG Water Level-High-High (P-14)
Feedwater Isolation 6.a SG Water Level-High-High (P-14)
_ Emergenci Feedwater 7.c SG Water Level--Low-Low Start Motor-Driven Pump and Start Turbine -Driven Pump ESP AS Interlocks 10.c SG Water Level, P-14<2>
Turbine Trip ACTION 22 With the number of OPERABLE channels 5.a Automatic Actuation one less than the Minimum Channels Logic and Actuation Relays OPERABLE requirement, restore the inoperable channel to OPERABLE status within (J 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />; however, one channel may be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE.
Page 16 of 100
Table 2.4-3 Notes:
(1) The Seabrook ESFAS Functional Units for Auto Switchover to Containment Sump 8.a, "Automatic Actuation Logic and Actuation Relays," and 8.b, "RWST Level--Low-Low," were not included in the generic analyses performed in WCAP-10271-P-A, "Evaluation of Surveillance Frequencies and out of Service Times for the Reactor Protection Instrumentation System," [Reference 6], WCAP-14333-P-A, and WCAP-15376-P-A. However, utilities have completed plant-specific evaluations to demonstrate that the changes in WCAP-10271-P-A and its supplements were applicable to functions not generically evaluated. The analyses performed in WCAP-14333-P-A and WCAP-15376-P-A covered representative RTS and ESFAS functions, a subset of the comprehensive set of functions included in WCAP-10271-P-A and its supplements. Therefore, the changes approved in WCAP-14333-P-A and WCAP-15376-P-A are also applicable to those plant-specific functions with NRC-approved evaluations performed that demonstrate the applicability of the changes in WCAP-10271-P-A and its supplements. As discussed in Section 11.0 of both WCAP-14333-P-A and WCAP-15376-P-A, additional plant-specific evaluations are not required to implement the changes in WCAP-14333-P-A and WCAP-15376-P-A, if they have been previously justified for the changes in WCAP-10271-P-A and its supplements.
The applicability of the changes justified in WCAP-10271-P-A and its supplements to the Seabrook ESFAS Functional Units 8.a, "Automatic Actuation Logic and Actuation Relays," and 8.b, "RWST Level--Low-Low," was approved by the NRC in License Amendment No. 36 [Reference 7] issued April 1995. License Amendment 36 included the approval of changes in the Seabrook TS justified in WCAP-10271-P-A and its supplements. In Amendment 36, the NRC approved changes from WCAP-10271-P-A and its supplements that included revisions to the Action for Functional Unit 8.a (Action 13) and revisions to both the surveillance test interval (Analog Channel Operational Test) and Action for Functional Unit 8.b (Action 18).
The surveillance test interval for Seabrook Functional Unit 8.a, "Automatic Actuation Logic and Actuation Relays," was not revised as WCAP-10271-P-A and its supplements did not include changes for the surveillance test interval of Automatic Actuation Logic and Actuation Relays Functional Units. Based on the prior NRC approval of the applicability of WCAP-10271-P-A and its supplements to the Seabrook ESFAS Functional Units 8.a, "Automatic Actuation Logic and Actuation Relays," and 8.b, "RWST Level--Low-Low," the changes approved in WCAP-14333-P-A and WCAP-15376-P-A are also applicable to these Seabrook Functional Units.
(2) The Seabrook ESFAS Functional Unit 10.c, "SG Water Level, P-14," is not specifically identified in the TSTF-418 guidance for implementing the changes justified in WCAP-14333-P-A. However, the analog channels that comprise this ESFAS Interlock Function are the same SG Level - High-High analog channels used in the ESFAS Turbine Trip Functional Unit 5.b, "SG Water Level-High-High (P-14)" and ESFAS Feedwater Isolation Functional Unit 6.a, "SG Water Level-High-High (P-14)." In the NUREG-1431 STS, these two Functional Units are combined in the Turbine Trip and Feedwater Isolation Function (5.b), which is included in TSTF-418. Also, in Amendment 36 (discussed above), the NRC approved changes from WCAP-10271-P-A and its supplements that included revisions to both the surveillance test interval (Analog Channel Operational Test) and Action (Action 18) for Functional Unit 10.c, "SG Water Level, P-14." Based on the analog channels that comprise Functional Unit 10.c being addressed in TSTF-418 (as the Turbine Trip and Feedwater Isolation Function), and the prior NRC approval of the applicability of WCAP-10271-P-A and its supplements to this ESFAS Functional Unit, the changes approved in WCAP-14333-P-A are also applicable to the Seabrook Functional Unit 10.c, "SG Water Level, P-14".
3.0 TECHNICAL EVALUATION
3.1 Background Information
The Westinghouse Owners Group (WOG) (now called the Pressurized Water Reactor Owners Group or PWROG) has completed a series of topical reports that document the relaxation of RTS and ESFAS bypass test times, Completion Times, and Surveillance Frequencies for the protection system instrumentation. The relaxations were justified by an analysis of the protection system reliability and the impact of that reliability on the overall plant risk. The original study was identified by the acronym TOP (taken from Technical Specification Optimization Program) as documented in the WCAP-10271-P-A series of topical reports. The changes contained in the WCAP-10271-P-A series of topical reports were implemented at Seabrook Station during initial Station licensing and in Amendment 36 [Reference 7] issued April 1995. As such, for the changes proposed in this LAR (to AOTs and bypass test times) the Seabrook Station's current licensing basis is that of a "TOP" plant.
A survey was provided to all WOG members to determine their needs with respect to instrumentation test times, maintenance times, and maintenance frequencies, in addition to information regarding plant operation such as reactor trip and spurious safety injection events. The TS changes evaluated in WCAP-14333-P-A and WCAP-15376-P-A were identified from the survey information. The probabilistic risk analysis, benefits of the program and conclusions, and the relationship of the TS changes to the analyses are discussed in WCAP-14333-P-A and WCAP-15376-P-A.
In order to model the Completion Times in the fault trees used to determine the impact of the changes on signal unavailability, several parameters were specified for component test and maintenance unavailability. These are the test frequencies and durations discussed in Section 5.1 of WCAP-14333-P-A, the maintenance frequencies and durations discussed in Section 5.2 of WCAP-14333-P-A, and the test and maintenance activities discussed in Section 7.2 of WCAP-15376-P-A.
Fault tree models of the protection system instrumentation were used to calculate changes in signal unavailability resulting from changes to test and maintenance time allowances and frequencies. The changes in RTS and ESFAS signal unavailability were then used in a risk model to assess the risk impact as the test and maintenance time allowances and frequencies were relaxed. Differences in analysis methods from the TOP WCAP-10271-P-A series of reports are discussed in Section 7.1 of WCAP-14333-P-A, and in Section 8.3.3 of WCAP-15376-P-A.
The approach used in WCAP-14333-P-A and WCAP-15376-P-A is consistent with the approach established in the TOP. This generally includes the fault tree models, signals, component reliability database, test and maintenance assumptions, and risk model. The methodology in WCAP-14333-P-A used a representative set of RTS and ESFAS signals to determine the impact of the proposed changes on signal unavailability, and used a representative Probabilistic Risk Assessment (PRA) model to determine the impact on core damage frequency (CDF) and large early release frequency (LERF). Incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP) evaluations were also completed, consistent with Regulatory Guides 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," [Reference 8] and 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specification" [Reference 9]. In comparison to WCAP-10271-P-A, WCAP-14333-P-A used a different common cause failure modeling approach for analog channels and included more realistic assumptions related to the component unavailability due to maintenance activities based on a survey of WOG plants. Operator actions to either manually trip the reactor or initiate safety injection were also modeled in WCAP-14333-P-A. In addition, credit for auxiliary feedwater pump start from the anticipated transient without scram (ATWS) mitigating system actuation circuitry (AMSAC) was taken. More discussion of these differences is contained in Sections 7 and 8 of WCAP-14333-P-A.
The NRC issued a Safety Evaluation on July 15, 1998 approving WCAP-14333-P-A. The NRC issued a Safety Evaluation on December 20, 2002 approving WCAP-15376-P-A.
WCAP-15376-P-A expanded upon the groundwork laid by WCAP-14333-P-A, but used updated component failure probability data (WCAP-15376-P-A, Section 8.2) and made some changes to the fault tree models (WCAP-15376-P-A, Section 8.3). Using these modifications, the changes previously approved in WCAP-14333-P-A were quantified as the base case for WCAP-15376-P-A. Section 8.4 of WCAP-15376-P-A provides the risk metrics for the changes and demonstrates that the acceptance criteria of Regulatory Guide 1.174 and Regulatory Guide 1.177 are satisfied.
Requests for Additional Information (RAIs)
In the process of approving WCAP-14333-P-A and WCAP-15376-P-A and during an early plant specific implementation, the NRC issued various RAIs. The responses to these RAIs resulted in additional information supporting the adoption of the changes justified in WCAP-14333-P-A and WCAP-15376-P-A. The responses to these RAIs contain information that is important to understand the basis for approval of the changes proposed in WCAP-14333-P-A and, to a lesser extent, WCAP-15376-P-A. NRC correspondence may be found after Appendix E at the end of WCAP-14333-P-A and in Appendix D of WCAP-15376-P-A. The following discussion summarizes the pertinent RAIs and responses.
WCAP-14333-P-A
WCAP-14333 originally provided only the impact of the requested changes on core damage frequency (ΔCDF) for two-out-of-four (2/4) and two-out-of-three (2/3) actuation logic. In response to an NRC RAI letter (RAI questions 11 and 13), the WOG issued letter OG 110 [Reference 10], which provided the impact of the requested changes on incremental conditional core damage probability (ICCDP) for various components in maintenance for the proposed changes, and the change in large early release frequency (ΔLERF) for 2/4 and 2/3 actuation logic for the proposed changes. Additionally, an NRC RAI for an early plant specific LAR to implement the changes in WCAP-14333-P-A requested incremental conditional large early release probabilities (ICLERP) values for various components in maintenance. The requested ICCDP and ICLERP values are provided on Table 1.5 of TSTF-418. The ICCDP and ICLERP values are provided only for 2/3 logic; however, the results bound the 2/4 logic. The impact of the proposed changes on CDF and LERF are provided in TSTF-418, Table 1.3 (which is the same information as that contained in Table 8.4 of WCAP-14333-P-A (which is the same information as that contained in the response to RAI Question 13 in OG 110)). This information is summarized in Table 3.1-1 (below).
The CDF and LERF values are provided and referenced to the pre-TOP and TOP conditions. The results of a sensitivity analysis are also provided in Table 8.4 of WCAP-14333-P-A that credits a 0.5/year reduction in reactor trip frequency due to fewer analog channel operational tests (COTs) (trip reduction originally postulated for the WCAP-10271-P-A analog channel operational test Frequency increase from monthly to quarterly). The ΔCDF and ΔLERF values are also provided in Table 3.1-1 (below) for both a 2/4 and 2/3 logic.
WCAP-15376-P-A
In response to an NRC RAI letter (RAI questions 4 and 11), the WOG issued letter OG 002 [Reference 11], which provided the impact of the requested RTB Completion Time change (24 hour Completion Time plus 6 hours to reach MODE 3, for a total of 30 hours) on ICCDP and ICLERP for a RTB in preventive maintenance (PM) or in corrective maintenance (CM), with the associated logic train inoperable, for the bounding 2/3 logic.
Since these incremental risk metrics are met for a 30-hour maintenance time, they will also be met for a 4-hour bypass test time.
3.1.1 Combined Risk Metric Results
Considering the proposed changes in this LAR for the AOTs and bypass test times, the Seabrook Station current licensing basis is that of a WCAP-10271-P-A (or TOP) plant and the instrumentation is predominately 2/4 logic.

Table 3.1-1 Summary of Risk Metrics

| Risk Metric | Acceptance Criterion | Change from WCAP-10271 To WCAP-14333 | Change from WCAP-14333 To WCAP-15376 |
|---|---|---|---|
| ΔCDF | < 1E-06 per year | 2/4 logic: 3.5E-07; 2/3 logic: 6.1E-07 | 2/4 logic: 8.0E-07; 2/3 logic: 8.5E-07 |
| ICCDP | < 5E-07 | Ranges from 4.4E-07 (logic train in maintenance) to 5.5E-10 (SG level channel in test)* | RTB and associated logic cabinet in PM = 3.2E-07*; RTB and associated logic cabinet in CM = 3.2E-07* |
| ΔLERF | < 1E-07 per year | 2/4 logic: 2.0E-08; 2/3 logic: 2.2E-08 | 2/4 logic: 3.1E-08; 2/3 logic: 5.7E-08 |
| ICLERP | < 5E-08 | Ranges from 3.0E-08 (logic train in maintenance) to 1.1E-11 (SG level channel in test)* | RTB and associated logic cabinet in PM = 2.4E-08*; RTB and associated logic cabinet in CM = 2.4E-08* |

\* The ICCDP and ICLERP values are provided only for a 2/3 logic; however, the results bound a 2/4 logic.
The ICCDP and ICLERP values are dependent on the particular component under test or maintenance. The acceptance criteria defined in Regulatory Guide 1.177 for these incremental risk metrics are satisfied. The ΔCDF and ΔLERF values are from the current licensing basis (WCAP-10271-P-A) to the proposed state (WCAP-15376-P-A), and do not credit the 0.5/year reduction in reactor trip frequency identified in Table 8.4 of WCAP-14333-P-A. The ΔCDF and ΔLERF acceptance criteria are satisfied for the changes included in each WCAP.
Table 8.33 for WCAP-15376-P-A provides the cumulative impact of the Completion Time and Surveillance Frequency changes on core damage frequency from Pre-TOP to WCAP-15376-P-A. These values include credit for a trip reduction related to the reduced testing required with the extended Surveillance Frequencies. The calculated cumulative CDF impact is small.
3.1.2 Revision to Action 6 in TS Table 3.3-1
Action 6 in TS Table 3.3-1, "Reactor Trip System Instrumentation," which applies to 11 different functional units, requires:
With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
- a. The inoperable channel is placed in the tripped condition within 6 hours, and
- b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4 hours for surveillance testing of other channels per Specification 4.3.1.1
In addition to extending the time to trip the inoperable channel and the bypass time, this LAR replaces current Action 6 with Action 6A and Action 6B. Action 6B retains the wording currently in Action 6 but revises the trip and bypass times.
Action 6B is shown below.
- a. The inoperable channel is placed in the tripped condition within 6 72 hours, and
- b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4 12 hours for surveillance testing of other channels per Specification 4.3.1.1
New Action 6A is shown below.
- a. The inoperable channel is placed in the tripped condition within 6 72 hours, and
- b. The Minimum Channels OPERABLE requirement is met; however, the inoperable one channel may be bypassed for up to 4 12 hours for surveillance testing of other channels per Specification 4.3.1.1.
Action 6A allows placing one channel in bypass while performing routine surveillance testing. This provision applies to functions with installed bypass test instrumentation, which includes all functions associated with current Action 6 except for functional unit 16.a, Turbine Trip - low fluid oil pressure. Therefore, Action 6A applies to all functional units except functional unit 16.a. Action 6B, which retains the text in current Action 6, applies only to functional unit 16.a, which does not have installed bypass test instrumentation.
Action 6B allows placing the inoperable channel in a bypassed condition for up to 12 hours while performing routine surveillance testing of other channels.
The two Actions are necessary to accommodate the differences regarding test bypass instrumentation. The proposed change is consistent with the text provided in the Required Actions in NUREG-1431, "Standard Technical Specifications-Westinghouse Plants," based on whether installed bypass test capability exists.
3.2 Probabilistic Risk Analysis Evaluation
The changes considered in these analyses were evaluated consistent with the three-tiered approach currently defined in Regulatory Guide 1.177. The first tier addresses PRA insights and includes the risk analyses and sensitivity analyses to support the bypass test time and AOT changes in this LAR. The second tier addresses avoidance of risk-significant plant configurations. The third tier addresses risk-informed plant configuration control and management.
Tier 2 requirements provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when equipment is out of service. These requirements place limitations on additional equipment that can be removed from service when in one of the risk-informed AOTs. Tier 3 ensures that risk significant out-of-service equipment is evaluated prior to performing any maintenance activities. Tier 3 evaluations are addressed by the Seabrook Station's Configuration Risk Management Program used to comply with 10CFR50.65(a)(4).
3.2.1 WCAP-14333-P-A Tier 1 Evaluation
The following demonstrates the applicability of the WCAP-14333-P-A analysis and results to the Seabrook Station.
Tables 3.2.1-1 through 3.2.1-3 demonstrate that the WCAP-14333-P-A analysis and results are applicable to Seabrook Station. Additional explanatory information is provided in the Notes and Explanations at the end of each table as necessary.
Based on the information contained in Tables 3.2.1-1 through 3.2.1-3, the following is confirmed for Seabrook Station:
- The signals available at Seabrook Station to actuate reactor trip for the various events are consistent with those credited in the WCAP-14333-P-A analysis.
- The signals available at Seabrook Station to actuate safeguards equipment for the various events are consistent with those credited in the WCAP-14333-P-A analysis.
- The analog channel, logic cabinet, master and slave relay, and RTB maintenance intervals at Seabrook Station are consistent with those assumed in WCAP-14333-P-A.
From this comparison, it is concluded that the WCAP-14333-P-A analysis is consistent with Seabrook plant design and operation, and the changes in WCAP-14333-P-A, consistent with the NRC's Safety Evaluation (SE) on this WCAP, are applicable to Seabrook.
The Seabrook Station Core Damage Frequency (CDF) for Modes 1, 2, and 3, all events, is 1.20E-05/yr and Large Early Release Frequency (LERF) for Modes 1, 2, and 3, all events, is 1.55E-07/yr. This is consistent with the guidelines in Regulatory Guide 1.174 that allow small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1E-04/yr, changes to CDF of 1E-06/yr are acceptable; and for a total LERF of 1E-05/yr, changes to LERF of 1E-07/yr are acceptable.
The calculated increase in CDF for the changes specified in WCAP-14333-P-A, as provided in Table 8.4 of the WCAP, is 3.5E-07/yr for plants with predominately 2-of-4 logic requirements and 6.1E-07/yr for plants with predominately 2-of-3 logic. The calculated increase in LERF due to the changes in WCAP-14333-P-A, as provided in Table Q13.1 of the WCAP, is 2.0E-08/yr for plants with predominately 2-of-4 logic requirements and 2.2E-08/yr for plants with predominately 2-of-3 logic. The Seabrook Station instrumentation is predominately 2-of-4 logic.
From this, it is concluded that implementing the changes in WCAP-14333-P-A will have an impact on CDF of less than 1.0E-06/yr and on LERF of less than 1.0E-07/yr, which meets the guidance in Regulatory Guide 1.174. The changes in WCAP-14333-P-A are applicable to all the reactor trip and engineered safety feature actuation functional units.
Table 3.2.1-1 WCAP-14333-P-A, Rev. 1 Implementation Guidelines Applicability of the Analysis, General Parameters

| Parameter | WCAP-14333-P-A, Rev. 1 Analysis Assumptions | Plant Specific Parameter |
|---|---|---|
| Logic Cabinet Type (1) | Relay or SSPS | SSPS |
| Component Test Intervals (2) | | |
| - Analog channels | 3 months | Equal to or greater than (a) |
| - Logic cabinets (SSPS) | 2 months | Equal to or greater than (a) |
| - Logic cabinets (Relay) | 1 month | Not Applicable |
| - Master Relays (SSPS) | 2 months | Equal to or greater than (a) |
| - Master Relays (Relay) | 1 month | Not Applicable |
| - Slave Relays | 3 months | Equal to or greater than (a) |
| - Reactor trip breakers | 2 months | Equal to or greater than (a) |
| Analog Channel Calibrations (3) | | |
| - Done at-power | Yes | Yes (b) |
| - Interval | 18 months | 18 months |
| Typical At-Power Maintenance Intervals (4) | | |
| - Analog channels | 24 months | Greater than |
| - Logic cabinets (SSPS) | 18 months | Greater than |
| - Logic cabinets (Relay) | 12 months | Not Applicable |
| - Master relays (SSPS) | Infrequent (5) | Infrequent |
| - Master relays (Relay) | Infrequent (5) | Not Applicable |
| - Slave relays | Infrequent (5) | Infrequent |
| - Reactor trip breakers | 12 months | Greater Than (d) |
| ATWS Mitigation System Actuation Circuitry (AMSAC) (6) | Credited for AFW pump start | Yes |
| Total Transient Event Frequency (7) | 3.6/yr | 2.54E-01/yr (c) |
| ATWS Contribution to CDF (Internal Events ATWS, current PRA model) (8) | 8.4E-06/yr | 7.47E-08/yr (e) |
| Total CDF from Internal Events (current PRA model) (9) | 5.8E-05/yr | 6.6E-06/yr |
| Total CDF from Internal Events (IPE) (10) | Not Applicable | 9.5E-05/yr (f) |

Notes for Table 3.2.1-1:
- 1. Indicate type of logic cabinet: SSPS or Relay (both are included in WCAP-14333-P-A).
- 2. Fill in applicable test intervals. If the test intervals are equal to or greater than those used in WCAP-14333-P-A, the analysis is applicable to your plant.
- 3. Indicate if channel calibration is done at-power and, if so, fill in the interval. If channel calibrations are not done at-power or if the calibration interval is equal to or greater than that used in WCAP-14333-P-A, the analysis is applicable to your plant.
- 4. Fill in the applicable typical maintenance intervals or fill in "equal to or greater than" or "less than". If the maintenance intervals are equal to or greater than those used in WCAP-14333-P-A, the analysis is applicable to your plant.
- 5. Only corrective maintenance is done on the master and slave relays. The maintenance interval on typical relays is relatively long, that is, experience has shown they do not typically completely fail. Failure of slave relays usually involves failure of individual contacts. Fill in "infrequent" if this is consistent with your plant experience. If not, fill in the typical maintenance interval. If "infrequent" slave relay failures are the norm, then the WCAP-14333-P-A analysis is applicable to your plant.
- 6. Indicate if AMSAC will initiate AFW pump start. If yes, then the WCAP-14333-P-A analysis is applicable to your plant.
- 7. Include total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to CDF. Do not include events initiated by a reactor trip.
- 8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events). This is required to determine if the ATWS event is a large contributor to CDF.
- 9. Fill in the total CDF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRC's risk-informed CDF acceptance guidelines.
- 10. Fill in the total CDF from internal events from the IPE model (submitted to the NRC in response to Generic Letter 88-20). If this value differs from the most recent PRA model update CDF, provide a concise list of reasons, in bulletized form, describing the differences between the models that account for the change in CDF (See Note (f) below).
Plant Specific Parameter Additional Notes for Table 3.2.1-1:
- a. The surveillance test interval changes for the analog channels, logic cabinets, master relays, and RTBs justified in WCAP-15376-P-A (and WCAP-14333-P-A) have separately been implemented by Seabrook Station; therefore, the current Seabrook Station test intervals are equal to or greater than the WCAP values.
- b. Seabrook Station does not typically send personnel in containment during at power operation. Based on this, for those loops whose transmitters are located in containment, the loop calibration is done in two parts. The first part of the calibration is done on-line just prior to the outage. The first part of the calibration calibrates everything except the transmitter. The second part of the calibration calibrates the transmitter during the refueling outage. Credit date for the activity is credited when the first portion was completed.
- c. The transient initiating event frequency was determined by summing all the initiating event frequencies of all transient events. These include all internal and flooding events, except for excessive, large, medium LOCAs, LOSP, and Reactor Trip events because they do not need a signal to trip the reactor, and the ATWS events because they are special cases of other initiating events in the list (See following Table for calculation of total transient event frequency).
Table 3.2.1-1-c (Note c above)
Events Considered for the Total Transient Event Frequency

| Initiator | Initiating Event Description | Initiating Event Frequency (per year) |
|---|---|---|
| | All flood initiating events | 5.72E-03 |
| ISI | Inadvertent Safety Injection | 2.04E-02 |
| LACPA | Loss of Train A Essential AC Power (4kV Bus E5) | 4.40E-03 |
| LACPB | Loss of Train B Essential AC Power (4kV Bus E6) | 4.40E-03 |
| LDCPA | Loss of Train A Essential DC Power (125V dc Bus 11A) | 5.86E-04 |
| LDCPB | Loss of Train B Essential DC Power (125V dc Bus 11B) | 5.86E-04 |
| LMFW | Loss of Main Feedwater | 7.07E-02 |
| LOC1SM | Small LOCA - Modes 1, 2, 3 | 4.55E-03 |
| LOC1VI | Interfacing Systems LOCA, RHR Injection Valves Failure - Modes 1, 2, 3 | 3.67E-06 |
| LOC1VS | Interfacing Systems LOCA, RHR Suction Valves Failure - Modes 1, 2, 3 | 3.14E-08 |
| LPCCA | Loss of Train A Primary Component Cooling System - Modes 1, 2, 3 | 9.83E-03 |
| LPCCB | Loss of Train B Primary Component Cooling System - Modes 1, 2, 3 | 9.76E-03 |
| LRCPCS | Loss of RCP Seal Injection - Modes 1, 2, 3 | 1.45E-02 |
| LSWSA | Loss of Train A Service Water System - Ocean and Cooling Tower Loops - Modes 1, 2, 3 | 8.56E-04 |
| LSWSB | Loss of Train B Service Water System - Ocean and Cooling Tower Loops - Modes 1, 2, 3 | 8.59E-04 |
| MFLBI | Main Feed Line Break Inside Containment - Mode 1, 2, 3 | 3.40E-04 |
| MSLBI | Main Steam Line Break Inside Containment (Upstream of MSIV) - Mode 1, 2, 3 | 1.00E-03 |
| MSLBO | Main Steam Line Break Outside Containment (Downstream of MSIV) - Mode 1, 2, 3 | 1.00E-02 |
| MSSVO | Main Steam Safety Valve Stuck Open - Mode 1, 2, 3 | 1.00E-03 |
| SGTR | Steam Generator Tube Rupture - Mode 1, 2, 3 | 4.09E-03 |
| SUFP3 | Loss of Active DHR Through Failure of Startup Feed Pump - Mode 3 | 9.05E-02 |
| SUM | | 2.54E-01 |

Plant Specific Parameter Additional Notes for Table 3.2.1-1 (continued):
- d. Maintenance including breaker refurbishment is performed every 18 months during an outage.
- e. WCAP-14333-P-A implementation guidelines specify that ATWS contribution to CDF be small. The calculated ATWS contribution to CDF was determined to be 1.13% of the total CDF, which is smaller than 14.5% ATWS contribution from the WCAP. This satisfies the requirement of WCAP-14333-P-A.
- f. A list of changes to the Seabrook Station model and how they impacted CDF is summarized as follows.
Table 3.2.1-1-f (Note f above)
Summary of Significant Model Changes and CDF Impacts
Year Internal Event CDF Summary of Significant Model Changes Update
2014 6.6E-06
- Update to the plant-specific data distributions.
- Update of the Internal Flooding initiating event data consistent with EPRI-2010.
- Assessment of Level 1 HRA Success Criteria with MAAP408.
- Updates to HRA with review of EOPs.
- Update of Reactor Coolant Pump (RCP) seal LOCA model.
2011 7.1E-06
- Complete revision of Internal Flood analysis.
- Complete revision of latent human failure event analysis.
2009 6.9E-06
- Data updates (plant specific data and generic data distributions)
- Electric power model updates (convolution, revised generic LOOP initiator and recovery data).
- Revisions of operator action modeling.
2005 9.3E-06
- Success Criteria updates.
- Operator timing updates.
- Supplemental Electric Power System design and modeling updates.
2004 1.7E-05
- HRA analysis updates.
- Addition of the Supplemental Electric Power System diesel generator.
- Computer software change from DOS-based RISKMAN 9.2 to Windows-based RISKMAN 3.0.
1999 2.7E-05
- LOCA initiator frequencies update.
- ATWS model update.
- RCP seal LOCA model and related electric power recovery models updates.
- Reduction of fuel cycle from 24 months to 18 months.
1996 2.1E-05
- Primary Component Cooling System model updates.
- Data update using plant-specific data.
1989 (IPE) 9.5E-05

Table 3.2.1-2
WCAP-14333-P-A, Rev. 1 & WCAP-15376-P-A, Rev. 1 Implementation Guidelines
Applicability of Analysis, Reactor Trip Actuation Signals

| Event | WCAP-14333-P-A & WCAP-15376-P-A Analyses Assumption | Plant Specific Parameter (1) |
|---|---|---|
| Large LOCA | Not Required | Agree |
| Medium LOCA | Not Required | Agree |
| Small LOCA | Nondiverse (2) w/OA (3) | Agree (a) |
| Steam Generator Tube Rupture | Nondiverse w/OA | Agree (a) |
| Interfacing System LOCA | Not Required | Agree (b) |
| Reactor Vessel Rupture | Not Required | Agree |
| Secondary Side Breaks | Nondiverse w/OA | Agree (c) |
| Transient Events, such as: Positive Reactivity Insertion; Loss of Reactor Coolant Flow; Total or Partial Loss of Main Feedwater; Loss of Condenser; Turbine Trip; Loss of DC Bus; Loss of Vital AC Bus; Loss of Instrument Air; Spurious Safety Injection; Inadvertent Opening of a Steam Valve | Diverse (4) w/OA | Agree (d) |
| Reactor Trip | Generated by RPS | Agree |
| Loss of Offsite Power | Not Required by RPS | Agree |
| Station Blackout | Not Required by RPS | Agree |
| Loss of Service Water or Component Cooling Water | Nondiverse w/OA | Agree (e) |

Notes for Table 3.2.1-2:
- 1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted reactor trip signals are available at a minimum. If not, explain the difference. If "agree" is listed for each event, then the WCAP-14333-P-A and WCAP-15376-P-A analyses are applicable to your plant.
- 2. Nondiverse means that (at least) one signal will be generated to initiate reactor trip for the event.
- 3. Operator Action (OA) indicates that an operator could take action to initiate reactor trip for the event, that is, there is sufficient time for action and procedures are in place that will instruct the operator to take action.
- 4. Diverse means that (at least) two signals will be generated to initiate reactor trip for the event.
Plant Specific Parameter Additional Notes for Table 3.2.1-2:
- a. Small LOCA and Steam Generator Tube Rupture - A reactor trip will typically occur on pressurizer pressure low. Sufficient time is available for the operators to trip the reactor if necessary.
- b. Interfacing System Loss of Coolant Accidents (ISLOCA) can range in size. The ISLOCAs considered in the WCAP-14333-P-A analysis were large enough to not require reactor trip for event mitigation. Smaller ISLOCAs that occur will be similar in size to small LOCA events. The small LOCA event Initiating Event (IE) frequency is approximately 4.6E-03/reactor year (LOC1SM). The total ISLOCA IE frequency for Seabrook Station is 3.7E-06/reactor year (LOC1VI + LOC1VS). If it is conservatively assumed that the total ISLOCA frequency is related to small events requiring reactor trip, then the initiating event frequency for small LOCA type events that require reactor trip will have a negligible increase. It is concluded that the impact of this difference on the WCAP analysis is negligible and the analysis is applicable.
- c. For the Secondary Side Break events a reactor trip will occur on either a power range neutron flux, overpower delta T, or safety injection signal. Sufficient time is available for the operators to trip the reactor if necessary.
- d. Seabrook Station is a typical Westinghouse 4-loop Nuclear Steam Supply System (NSSS) design. For the transients of interest, reactor trip signals can be developed from a number of different plant parameters, such as a pressurizer pressure signal or steam generator level signals. In addition, there is sufficient time for operators to trip the reactor if necessary.
- e. Loss of service water and loss of primary component cooling water events do not specifically require or model reactor trip since the reactor will most likely be manually shut down. If the event proceeds far enough along prior to operator intervention, a reactor coolant pump seal LOCA will develop, which the plant will respond to as a small LOCA, if large enough. Signals for a small LOCA are consistent with the WCAP-14333-P-A analysis assumptions.
Table 3.2.1-3
WCAP-14333-P-A, Rev. 1 & WCAP-15376-P-A, Rev. 1 Implementation Guidelines
Applicability of Analysis, Engineered Safety Features Actuation Signals

| Safety Function | Event | WCAP-14333-P-A & WCAP-15376-P-A Analyses Assumption | Plant Specific Parameter (1) |
|---|---|---|---|
| Safety Injection (SI) | Large Loss-of-Coolant Accident (LOCA) | Nondiverse (2) | Agree (a) |
| Safety Injection (SI) | Medium LOCA | Nondiverse, OA (3) by Safety Injection (SI) switch on main control board | Agree (a) |
| Safety Injection (SI) | Small LOCA | Nondiverse, OA by SI switch on main control board, OA of individual components | Agree (a) |
| Safety Injection (SI) | Interfacing Systems LOCA | Nondiverse, OA by SI switch on main control board, OA of individual components | Agree (a) |
| Safety Injection (SI) | Steam Generator Tube Rupture (SGTR) | Nondiverse, OA by SI switch on main control board, OA of individual components | Agree (a) |
| Safety Injection (SI) | Secondary Side Breaks | Nondiverse, OA by SI switch on main control board, OA of individual components | Agree (a) |
| Auxiliary Feedwater Pump Start | Events generating SI signal | Pump actuation on SI signal | Agree (b) |
| Auxiliary Feedwater Pump Start | Transient events | Nondiverse, AMSAC, operator action | |
| Main Feedwater Isolation | Secondary Side Breaks | Nondiverse | Agree (c) |
| Steamline Isolation | Secondary Side Breaks | Nondiverse | Agree (d) |
| Containment Spray Actuation | All events | Nondiverse (2) | Agree (e) |
| Containment Isolation | All events | From SI signal | Agree (f) |
| Containment Cooling | All events | From SI signal | Agree (g) |

Notes for Table 3.2.1-3:
- 1. Fill in "agree" if your plant design and operation is consistent with this analysis, that is, the noted ESFAS are available at a minimum. If not, explain the difference. If "agree" is listed for each event, then the WCAP-14333-P-A and WCAP-15376-P-A analyses are applicable to your plant.
- 2. Nondiverse means that (at least) one signal will be generated to initiate the engineered safety feature (ESF) noted for the event.
- 3. OA indicates that an operator could take action to initiate ESF for the event. In the event automatic ESF does not occur, operator action can be taken that results in a success path (ESF actuation) prior to the action becoming ineffective to mitigate the event. Procedures are in place that will instruct the operator to take action.
Plant Specific Parameter Additional Notes for Table 3.2.1-3:
- a. Seabrook Station is a typical Westinghouse 4-loop NSSS design. All the events that require safety injection will develop an SI signal on at least one signal (pressurizer pressure, for example). For most of these events, there is also sufficient time for the operator to manually actuate SI from the control room. In addition, for the more slowly developing events with regard to the need for safety injection (small LOCA, small interfacing system LOCAs, steam generator tube ruptures, and secondary side breaks) it is also possible for operators to manually actuate the individual components required for safety injection from the control room. There are procedures in place to guide the operators through these actions. Therefore, Seabrook Station is operated consistent with WCAP-14333-P-A. The Seabrook Station TS Table 3.3-3 lists the signals that will actuate safety injection.
- b. Seabrook Station is a typical Westinghouse 4-loop NSSS design. AFW will be actuated by an SI signal, if one is developed. It can also be actuated by several other signals, such as steam generator water level low-low and loss of offsite power, for events that do not generate an SI signal. AMSAC will also start the emergency feedwater pumps (see Table 3.2.1-1 of this report). In addition, there is sufficient time for the operators to manually actuate the emergency feedwater pumps for all events that require decay heat removal. The Seabrook Station TS Table 3.3-3 lists the signals that will actuate emergency feedwater.
- c. Seabrook Station is a typical Westinghouse 4-loop NSSS design. Main Feedwater isolation occurs on a steam generator high-high water level or SI signal as shown in the Seabrook Station TS Table 3.3-3.
- d. Seabrook Station is a typical Westinghouse 4-loop NSSS design. Steam line isolation can occur on a number of signals, such as steam line pressure low and containment pressure high-2. Seabrook Station TS Table 3.3-3 lists the signals that will initiate steam line isolation.
- e. Seabrook Station is a typical Westinghouse 4-loop NSSS design. Containment spray will actuate on containment pressure high-3 as shown in the Seabrook Station TS Table 3.3-3.
- f. Seabrook Station is a typical Westinghouse 4-loop NSSS design. Phase A isolation is provided by a safety injection signal. Phase B is provided by a containment pressure high-3 signal (Seabrook Station TS Table 3.3-3). The WCAP-14333-P-A analysis took a conservative approach in using the safety injection signal for containment isolation. Modeling a separate containment isolation signal would not lead to containment isolation failure when the safety injection signal fails.
- g. On rising containment pressure, the fan coolers will trip and isolate and containment spray will be actuated. The containment cooling function is provided by the containment spray system. Actuation of the containment spray system is addressed in a separate line item in the table. There is no separate safety-related containment cooling system such as fan coolers.
3.2.2 WCAP-14333-P-A Tier 2 Requirements
Tier 2 requires an examination of the need to impose additional restrictions when operating in the proposed AOTs in order to avoid risk-significant equipment outage configurations.
In support of Tier 2 limitations, analyses were completed in response to an NRC RAI on WCAP-14333-P-A and documented in the WOG response (Letter OG-96-110). RAI Question 18 asked for other risk significant systems or components for the proposed test or maintenance plant configuration. Analyses were completed in support of the response to RAI Question 18 that determined the system importance for plant configurations with no ongoing test and maintenance activities (all components available), and for plant configurations with ongoing test or maintenance activities individually on the analog channels, logic cabinets, master relays, and slave relays. With test or maintenance activities in progress, it was assumed that the corresponding component or train would be unavailable.
The system importance for these configurations is provided in Table Q18.1 in the response to RAI Question 18 in Letter OG-96-110. The importance values were compared between the cases with individual components unavailable and all components available. The following was concluded:
- The importance rankings of risk significant systems do not change appreciably for the configurations with an analog channel, master relay, or slave relay out-of-service, or unavailable, compared to the configuration with no ongoing test or maintenance activities.
- A relatively significant change in the importance rankings of risk significant systems occurs when a logic cabinet is out-of-service, or unavailable, compared to the configuration with no ongoing test or maintenance activities.
RAI Question 11 on WCAP-14333-P-A requested CDFs for the various test and maintenance configurations that the plant would enter for the subject AOT extensions.
Conditional core damage frequencies and core damage probabilities were calculated for each of the possible test and maintenance configurations. This information is provided in Table Q11.1 in the response to RAI Question 11 in Letter OG-96-110. It was concluded from the information contained in Table Q11.1 that the only configuration that significantly impacts CDF was with a logic cabinet unavailable.
Based on the information provided in Tables Q11.1 and Q18.1 in the responses to RAI Questions 11 and 18 on WCAP-14333-P-A, it was concluded that the only plant configuration with an appreciable impact on CDF or a significant impact on the relative importance of other systems is the configuration with one logic cabinet unavailable.
Therefore, Tier 2 limitations are only appropriate when a logic cabinet is out-of-service. There are no Tier 2 limitations when a slave relay, master relay, or analog channel is out-of-service.
Page 12 in Section 3.0 of the NRC Safety Evaluation (SE) for WCAP-14333 states:
"For Tiers 2 and 3, the staff finds that plant-specific information is needed because when entering the proposed AOTs, potentially risk significant configurations should be avoided. Therefore, licensees are expected to confirm that the necessary restrictions will be placed on concurrent equipment outages in order to avoid a risk significant configuration."
Entry into the Condition for an inoperable logic train is not a typical, pre-planned evolution during operation in the modes of Applicability for the logic trains, other than when necessary for surveillance testing. Since the Condition may be entered due to equipment failure, some of the following Tier 2 restrictions discussed below may not be met at the time of Condition entry. In addition, it is possible that equipment failure may occur after the logic train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures discussed below in the Tier 3 configuration risk management program section require assessment of the emergent condition and appropriate actions are then taken. Depending on the specific situation, these actions could include restoring the inoperable logic train and exiting the Technical Specification Condition, or fully implementing the Tier 2 restrictions, or performing a unit shutdown, as appropriate from a risk management perspective.
Consistent with the NRC SE requirements for WCAP-14333-P-A to include Tier 2 insights into the decision making process before taking equipment out-of-service, the restrictions on concurrent removal of certain equipment when operating in the proposed AOT for an inoperable logic train are as follows:
- To preserve ATWS mitigation capability, activities that degrade the availability of the AFW system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is unavailable.
- To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained. Note that Seabrook Station TS 3.5.2, "ECCS Subsystems - Tavg Greater Than or Equal to 350°F", ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.
- To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train and activities that cause analog channels to be unavailable should not be scheduled when a logic train is unavailable.
- Activities on electrical systems (e.g., AC and DC power) and cooling systems (e.g., Service Water System and Primary Component Cooling Water System) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is unavailable. That is, one complete train of a function that supports a complete train of a function noted above must be available.
The required restrictions listed above are proposed to be incorporated into the Seabrook Station TS Bases for the RTS and ESFAS instrumentation. Attachment 2 to this LAR contains a markup of the proposed Bases changes.
3.2.3 WCAP-15376-P-A Tier 1 Evaluation
The risk analysis results for WCAP-15376-P-A are discussed in Section 8.4 of the WCAP. Comparisons are presented in Tables 8.29 (ΔCDF) and 8.32 (ΔLERF) to a base case which represents the changes previously approved in WCAP-14333-P-A.
The following demonstrates the applicability of the WCAP-15376-P-A analysis and results to Seabrook Station.
Tables 3.2.1-2 and 3.2.1-3 from the WCAP-14333-P-A Tier 1 evaluation are applicable to the WCAP-15376-P-A Tier 1 evaluation and together with Table 3.2.3-1 (in this section) demonstrate that the WCAP-15376-P-A analysis and results are applicable to Seabrook Station.
Based on the information contained in Tables 3.2.1-2, 3.2.1-3, and 3.2.3-1 the following is confirmed for Seabrook Station:
- The signals available to actuate reactor trip for the various events are consistent with those credited in the WCAP-15376-P-A analysis.
- The signals available to actuate safeguards equipment for the various events are consistent with those credited in the WCAP-15376-P-A analysis.
- As demonstrated in Tables 3.2.1-2, 3.2.1-3, and 3.2.3-1, the applicable analog channel, logic cabinet, and RTB test intervals, bypass test times, and completion times are consistent with the WCAP-15376-P-A analysis.
- Plant procedures are in place for the relevant operator actions credited in the analysis.
From this, it is concluded that the WCAP-15376-P-A analysis is consistent with Seabrook Station design and operation, and the completion time and bypass test time changes for the RTB justified in WCAP-15376-P-A are applicable to Seabrook Station.
The Seabrook Station Core Damage Frequency (CDF) for Modes 1, 2, and 3, all events, is 1.20E-05/yr and Large Early Release Frequency (LERF) for Modes 1, 2, and 3, all events, is 1.55E-07/yr. This is consistent with the guidelines in Regulatory Guide 1.174 that allow small increases in CDF and LERF. Per this Regulatory Guide, for a total CDF of 1E-04/yr, changes to CDF of 1E-06/yr are acceptable; and for a total LERF of 1E-05/yr, changes to LERF of 1E-07/yr are acceptable.
The calculated increase in CDF for the changes in WCAP-15376-P-A, as provided in Table 8.29 of the WCAP, is 8.0E-07/yr for plants with predominately a 2/4 logic and 8.5E-07/yr for plants with predominately a 2/3 logic. The calculated increase in LERF due to the TS changes justified in WCAP-15376, as provided in Table 8.32 of the WCAP, is 3.1E-08/yr for plants with predominately a 2/4 logic and 5.7E-08/yr for plants with predominately a 2/3 logic. The Seabrook Station instrumentation is predominately a 2/4 logic plant.
Note that the CDF and LERF impacts are expected to be less than the noted values from WCAP-15376-P-A since this specific assessment does not include the surveillance test interval changes.
From this, it is concluded that implementing the completion time and bypass test time changes for the RTB justified in WCAP-15376-P-A will have an impact on CDF of less than 1.0E-06/yr and on LERF of less than 1.0E-07/yr, which meets the guidance in RG 1.174. Therefore, the changes are applicable to Seabrook Station.
3.2.3.1 Reactor Trip Breaker Test Configuration: WCAP-15376-P-A Model vs. Seabrook Station Approach
WCAP-15376-P-A, Section 8.3.2.2 states, "Testing of the reactor trip breakers prohibits actuation of the breaker in test. The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train."
Section 3.1.3 of the NRC Safety Evaluation for WCAP-15376-P-A states "The model assumed one RTB was out-of-service with the associated bypass breaker available. The operable RTB and the in-service bypass breaker provide the reactor trip. In this arrangement both breakers are controlled by the logic cabinet associated with the operable breaker."
This means that when an RTB train (RTB Train A, for example) is tested, this test configuration results in Actuation Logic Train B controlling the RTB in Train B and the Reactor Trip Bypass Breaker (RTBB) in Train A, either of which will trip the reactor. This RTB test configuration was modeled in the PRA analysis supporting the RTB bypass test time change from 2 hours to 4 hours, and the RTB Surveillance Frequency change from 2 months to 4 months, that were justified in WCAP-15376-P-A. This approach to RTB testing assumes that the RTB Train being tested is removed from service or in the open position during the test.
At Seabrook Station, the RTB under test can be in the open or closed position during the RTB testing. It is necessary to have the RTB closed to verify that the RTB will open when testing the RTB trip actuating devices. The time duration when the RTB is closed when the RTBB is in service is small compared to the allowed bypass test time and is estimated to be less than 30 minutes per RTB surveillance test.
The impact of this alternate test configuration, with the RTB being tested in the closed position, when compared to the WCAP-15376-P-A assumption on the acceptability of the RTB bypass test unavailability is evaluated below. Note that in this configuration, when the RTB being tested is closed, the associated RTBB will open upon receiving a reactor trip signal; however, for the short time the associated RTB is in test and closed, the protection train associated with the RTB being tested will not provide a reactor trip. However, the other protection train (that is not being tested) will provide the reactor trip function.
In either test configuration the RTB unavailability associated with the RTB bypass test time remains consistent with WCAP-15376-P-A as follows:
Base case conditions assumed in WCAP-15376-P-A:
- RTB bypass test time = 2 hours
- Surveillance test frequency = 2 months
- Yearly RTB test unavailability of 2 hours per test × 6 tests per year is 12 hours per year.
Conditions assumed after implementing the RTB bypass time change in WCAP-15376-P-A:
- RTB bypass test time = 4 hours
- Surveillance test frequency ≤ 6 months (Seabrook's surveillance test interval)
- Yearly RTB test unavailability of 4 hours per test × ≤ 2 tests per year is ≤ 8 hours per year.
The proposed RTB test unavailability is equal to or less than the RTB test unavailability assumed in WCAP-15376-P-A.
Table 3.2.3-1
WCAP-15376-P-A, Rev. 1 Implementation Guidelines
Applicability of the Analysis General Parameters

| Parameter | WCAP-15376-P-A Analysis Assumption | Plant-Specific Parameter |
|---|---|---|
| Logic Cabinet Type (1) | Relay or SSPS | SSPS |
| Component Bypass Test Time (2) | | |
| Analog channels | 12 hours | 6 hours |
| Logic cabinets (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| Master Relay (SSPS or Relay Protection System) | 4 hours for SSPS or 8 hours for Relay Protection System | 4 hours |
| Reactor trip breakers | 2 hours | 2 hours |
| Component Test Interval (3) | | |
| Reactor trip breakers | 2 months | Greater than (e) |
| Typical At-Power Maintenance Intervals (4) | | |
| Reactor trip breakers | 12 months | Greater than (b) |
| Plant procedures are in place for the following operator actions (5) | | |
| Reactor trip from the main control board switches | Credited | Yes |
| Reactor trip by interrupting power to the motor-generator sets | Credited | Yes |
| Insertion of the control rods via the rod control system | Credited | Yes |
| Safety injection actuation from the main control board switches | Credited | Yes |
| Safety injection by actuation of individual components | Credited | Yes |
| Emergency Feedwater (EFW) pump start | Credited | Yes |
| ATWS Mitigation System Actuation Circuitry (AMSAC) (6) | Credited for EFW pump start | Yes |
| Total Transient Event Frequency (7) | 3.6/yr | 2.54E-01/yr (a) |
| ATWS Contribution to CDF (Internal Events ATWS, current PRA model) (8) | 1.06E-06/yr | 7.47E-08/yr (c) |
| Total CDF from Internal Events (current PRA model) (9) | | 1.55E-07/yr (d) |

Notes for Table 3.2.3-1:
- 1. Indicate type of logic cabinet; SSPS or Relay (both are included in WCAP-15376-P-A).
- 2. Fill in the current TS bypass test times. If the current TS bypass test times are equal to or less than those used in WCAP-15376-P-A the analysis is applicable to your plant.
- 3. Fill in the current TS test interval. If the current TS test interval is equal to or greater than that used in WCAP-15376-P-A the analysis is applicable to your plant.
- 4. Fill in the typical maintenance intervals or fill in "equal to or greater than" or "less than." If the maintenance intervals are equal to or greater than those used in WCAP-15376-P-A, the analysis is applicable to your plant.
- 5. Indicate if plant procedures are in place to perform these actions. If plant procedures are in place, the WCAP-15376-P-A analysis is applicable to your plant.
- 6. Indicate if AMSAC will initiate AFW pump start. If AMSAC will initiate AFW pump start, then the WCAP-15376-P-A analysis is applicable to your plant.
- 7. Include the total frequency for initiators requiring a reactor trip signal to be generated for event mitigation. This is required to assess the importance of ATWS events to CDF. Do not include events initiated by a reactor trip. If the plant specific value is less than the WCAP-15376-P-A value, then this analysis is applicable to your plant.
- 8. Fill in the ATWS contribution to core damage frequency (from at-power, internal events). This is required to determine if the ATWS event is a large contributor to CDF.
- 9. Fill in the total CDF and LERF from internal events (including internal flooding) for the most recent PRA model update. This is required for comparison to the NRC's risk-informed CDF and LERF acceptance guidelines in RG 1.174, Rev. 2.
Plant Specific Parameter Additional Notes for Table 3.2.3-1:
- a. The transient initiating event frequency was determined by summing all the initiating event frequencies of all transient events. These include all internal and flooding events, except for excessive, large, medium LOCAs, LOSP, and Reactor Trip events because they do not need a signal to trip the reactor, and the ATWS events because they are special cases of other initiating events in the list (See Table 3.2.1-1-c for calculation of total transient event frequency).
- b. The maintenance including breaker refurbishment is performed every 18 months during an outage.
- c. The calculated ATWS contribution to CDF was determined to be 1.13% of the total CDF, which is a small contributor. This satisfies the requirement of WCAP-15376-P-A.
- d. LERF value conservatively includes some contributions from external events.
- e. The surveillance test interval changes for the RTBs have separately been implemented by Seabrook Station per the Surveillance Frequency Control Program; therefore, the current Seabrook Station test intervals are equal to or greater than the WCAP values.
3.2.4 WCAP-15376-P-A Tier 2 Requirements
Page 15 in Section 3.3 of the NRC SE for WCAP-15376-P-A states:
"The licensee should provide reasonable assurance that risk significant plant equipment outage configurations will not occur when specific plant equipment is out-of-service in accordance with the proposed TS change."
The recommended Tier 2 restrictions for WCAP-15376-P-A are provided in Section 8.5 of the WCAP. The restrictions are applicable when an RTB train is inoperable when operating under the proposed Completion Times. Entry into the AOT for an inoperable RTB train is not a typical, pre-planned evolution during operation in the modes of Applicability for the RTB train, other than when necessary for surveillance testing. Since the AOT may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of AOT entry. In addition, it is possible that equipment failure may occur after the RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure, the programs and procedures discussed below in the Tier 3 configuration risk management program section require assessment of the emergent condition and appropriate actions are then taken. Depending on the specific situation, these actions could include restoring the inoperable RTB train and exiting the TS AOT, or fully implementing the Tier 2 restrictions, or performing a unit shutdown, as appropriate from a risk management perspective.
The following Tier 2 restrictions will be implemented when an RTB train becomes inoperable when operating under the proposed AOT:
- The probability of failing to trip the reactor on demand will increase when a RTB is removed from service; therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.
- Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.
- Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.
The required restrictions listed above are proposed to be incorporated into the Seabrook Station TS Bases for the RTS and ESFAS instrumentation. Attachment 2 to this LAR contains a markup of the proposed TS Bases changes.
3.2.5 Tier 3, Risk-Informed Configuration Risk Management
Tier 3 requires a proceduralized process to assess the risk associated with both planned and unplanned work activities. The objective of the third tier is to ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. As stated in Section 2.3 of Regulatory Guide 1.177, "a viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation." The third-tier requirement is an extension of the second-tier requirement, but addresses the limitation of not being able to identify all possible risk-significant plant configurations in the second-tier evaluation.
Paragraph (a)(4) of the Maintenance Rule (10 CFR 50.65) requires that the overall effect on safety functions be considered when removing equipment from service for preventive maintenance or monitoring activities. In part, paragraph (a)(4) states that, "Before performing maintenance activities... the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities...." Section 11.0 of NUMARC 93-01 provides guidance for implementing the requirements of paragraph (a)(4). NRC Regulatory Guide 1.182 endorsed NUMARC 93-01, Section 11.0, as an acceptable method of implementing paragraph (a)(4).
Description of Seabrook-Specific Configuration Risk Management Program and Procedures
Seabrook Station's configuration risk management procedure describes the process used for planning, scheduling, and implementing plant work activities. This procedure/process is used to develop the weekly work schedule and perform the on-line risk assessment. The risk management program is consistent with the requirements of 10 CFR 50.65(a)(4) and is based on guidance from NUMARC 93-01, Revision 4A. The risk management process includes assessment of both planned maintenance configurations and emergent work. Planned and emergent activities are assessed quantitatively and qualitatively. Quantitative risk thresholds are established with consideration of the NUMARC/industry guidance and are based on configuration-specific CDF (CCDF) and consideration of Incremental Core Damage Probability (ICDP).
The lower bound for CCDF is the no-maintenance at-power CDF0 with all SSCs available (approximately 9.77e-6 per year). The upper limit from NUMARC 93-01 is CCDF = 1.0e-3 per year. Four risk levels are used in the online risk management program: GREEN, YELLOW, ORANGE, and RED. Thus, with a CCDF range of approximately 100, the following factors are used to derive the risk thresholds:
GREEN / YELLOW threshold: CCDF = CDF0 x 5 = 5e-5
YELLOW / ORANGE threshold: CCDF = CDF0 x 5 x 4 = 2e-4
ORANGE / RED threshold: CCDF = CDF0 x 5 x 4 x 5 = 1e-3
Risk management actions are implemented as necessary to ensure that plant risk is controlled and receives proper management oversight and attention. Seabrook Station's configuration risk management program is capable of performing an assessment of the overall plant risk to ensure that risk-significant plant configurations will not be entered and that appropriate actions and oversight will be taken when unplanned events put the plant in a risk-significant configuration.
The CRMP meets Regulatory Guide 1.177 key components as follows:
Key Component 1: Implementation of CRMP
The scope of the structures, systems, and components included in the configuration risk management program is consistent with the plant PRA and Maintenance Rule program.
Seabrook Station uses the PHOENIX online risk monitor to quantitatively evaluate plant configuration risk.
As mentioned above, the Seabrook Station procedure for on-line maintenance describes the process used for scheduling, planning, removal of equipment from service and implementation. This process is used to develop the weekly work schedule and perform the on-line risk assessment. The procedure also provides the work management process for unplanned and emergent work, which is assessed quantitatively (using the PHOENIX risk monitor) or qualitatively using guidance in the manual. In addition, Operations personnel assess plant aggregate risk, including PRA risk, in accordance with a fleet procedure. Online aggregate risk analysis is performed once per shift and the risk analysis is updated as necessary throughout the shift. Plant conditions and activities that may adversely impact the aggregate risk are monitored, and actions to reduce risk are taken as necessary (such as rescheduling work or testing) to maintain an acceptable aggregate risk impact. In summary, the CRMP process is used to assess plant risk: (1) for preplanned entrance into the plant configuration described by a TS action with a risk-informed completion time, (2) for occurrence of an unplanned entrance into the plant configuration described by a TS action with a risk-informed completion time, and (3) when, while operating in the plant configuration described by a TS action with a risk-informed CT, additional SSCs become inoperable or nonfunctional.
Key Component 2: Control and Use of the CRMP Assessment Tool
NextEra Energy Fleet PRA procedures include the requirements and process for PRA maintenance and update. PRA maintenance encompasses the identification and evaluation of new information, and the incorporation of this information into the PRA on an as-needed basis. PRA periodic updates are scheduled at a frequency of every three operating cycles. These updates generally encompass a review of the entire model and its documentation. A model change data base (MCDB) is maintained to track the status of significant plant changes and to disposition their potential impact on the PRA models, including the PHOENIX risk monitor model. Information sources typically monitored by PRA personnel include (but are not limited to) operating experience, plant design changes, changes to emergency and abnormal operating procedures, etc. Changes to the PRA models and related documentation are controlled as quality-related under the Appendix B QA program. The software for the PRA model and PHOENIX online risk monitor is controlled via the software quality control program. The PHOENIX risk monitor model is controlled by PRA and used by work week managers (planned/scheduled/emergent work) and control room operators (emergent work). Work week managers and operations personnel are trained on the use of the risk monitor. Training typically occurs before rollout of a significant change in software, process or model change.
Key Component 3: Level 1 Risk-Informed Assessment
Seabrook Station's configuration risk management program uses the PHOENIX software tool as the online risk monitor to perform a quantitative risk assessment for planned evolutions. Emergent activities are also evaluated quantitatively but can also be evaluated qualitatively. The PHOENIX risk model is based on the Level 1, at-power PRA model. The scope of the Level 1 model includes internal events, internal flood events and external events (see Key Component 4 for external events). The risk metric provided by the risk monitor is configuration-specific core damage frequency. If a qualitative assessment is performed, it is based on guidance contained in the Seabrook Station on-line maintenance procedure, for example: assessment of impact on key safety functions, impact on safe shutdown capability, impact on capability to prevent and mitigate offsite release, consideration of redundancy, OOS duration, compensatory measures, external conditions, etc.
Key Component 4: Level 2 Issues and External Hazards
Level 2 Issues - Large early release frequency (LERF) is not explicitly quantified as part of the on-line (a)(4) risk assessment. In addition, it is noted that the contribution of LERF is dominated by containment bypass events such as a steam generator tube rupture (SGTR), for which LERF is not sensitive to maintenance activities. However, the maintenance activities that can affect the core damage mitigation of SGTR events are captured in the CRMP via the CDF risk metric. The large early release probability (LERP) is not a significant maintenance concern for two reasons. First, the overall large early release frequency for Seabrook Station is extremely low. Second, the scenario is driven by an active failure (e.g., valve fails to close on demand). The only significant unavailability concern for LERP is due to the large containment online purge valves. These valves are normally closed and Operations limits the duration when these valves are open. In addition, containment isolation/integrity is strictly controlled through existing technical specifications, which manages the maintenance activity risk impact on the containment isolation function.
External Hazards - The CDF risk in the Seabrook PHOENIX model includes consideration of internal fire events and seismic events. These models provide a realistic, best estimate assessment of risk from these hazards. Environmental factors are used to assess the potential risk impact of other external events such as severe weather and/or offsite power grid disturbances that could increase the probability of a loss of offsite power or reactor trip.
Description of Configuration Risk Management Model (PHOENIX Model)
As mentioned above, Seabrook uses the PHOENIX tool as the online quantitative risk monitor for the Configuration Risk Management Program. The PHOENIX model uses the Level 1 PRA model and data as input and is capable of evaluating the impact on CDF from the various plant configurations. The risk monitor model is a "no maintenance" model.
Planned and emergent component unavailability is input to the model by the user to determine the risk level of the plant's maintenance configuration.
The PHOENIX model is a fully integrated model including internal events, internal flooding events, internal fire events, and seismic events. Other external events, for example severe weather, high winds, etc., are accounted for by use of "environment factors" in the PHOENIX model. The environmental factors increase the likelihood of loss of offsite power or reactor trip and are used when conditions are present such as severe weather impact on offsite power or grid instability. Environmental factors are also used to capture the potential risk increase due to switchyard work and other activities that have the potential to challenge stable plant operations.
The SSPS system is modeled as two trains; either train can fail as a result of the train's logic cabinet failing (randomly or by loss of power) or from failure of a generic signal. Failure of the logic train (cabinet) results in a failure of the associated train of the RTS/RTB and ESFAS. The generic signal is modeled as four instrument channels with a 2-of-4 actuation logic (i.e., three of four channels must fail for the signal to fail to propagate). As noted earlier, Seabrook Station is predominantly a 2-of-4 logic plant and the 2-of-4 logic model is consistent with most of the signal logics. For most accident initiators, more than one plant parameter is generally available/monitored to actuate the protection signal, thus the single 2-of-4 logic signal model in the PRA is a conservative representation of the overall signal failure probability. The PRA system success criterion is defined as at least one SSPS train sending an activating signal to the RTS and/or ESFAS, to initiate protective actions when a plant upset condition exists.
Each SSPS signal loop is common to both SSPS trains and splits at the input to the individual logic cabinets. The components represented in each generic signal channel include the channel control cable, input relay to logic cabinet, signal comparator bistable, 7300 process channel modifier, and process transmitter. With a channel in bypass, the 2-of-4 actuation logic becomes a 2-of-3 logic, which continues to provide a reliable signal logic design. As a result, the configuration risk management practice does not include a quantitative assessment of the change in risk when an individual logic channel is in bypass.
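The two-train, shared-signal model described above can be worked through numerically; the following is an added illustration, not part of the LAR, the WCAPs or the Seabrook PRA. The channel and cabinet failure probabilities are constructed values, failures are assumed independent (no common-cause term), and all function names are hypothetical.

```python
"""2-of-n coincidence logic feeding two logic cabinets (illustrative model)."""
from itertools import product

REQUIRED = 2  # channels that must agree to actuate (2-of-4, or 2-of-3 in bypass)


def signal_fails(failed, required=REQUIRED):
    """The signal cannot propagate when fewer than `required` channels work."""
    return sum(1 for f in failed if not f) < required


def min_failures_to_defeat(n_channels, required=REQUIRED):
    """Smallest number of failed channels that defeats the signal (by enumeration)."""
    return min(sum(state) for state in product((0, 1), repeat=n_channels)
               if signal_fails(state, required))


def signal_unavailability(n_channels, p_channel, required=REQUIRED):
    """Exact P(signal fails) for independent channels, summed over all states."""
    total = 0.0
    for state in product((0, 1), repeat=n_channels):
        if signal_fails(state, required):
            prob = 1.0
            for failed in state:
                prob *= p_channel if failed else 1.0 - p_channel
            total += prob
    return total


def system_unavailability(n_channels, cabinets_in_service, p_channel, p_cabinet):
    """P(no SSPS train sends an actuating signal).

    The generic signal is common to both trains, so the system fails if the
    signal fails OR every in-service logic cabinet fails.
    """
    p_signal = signal_unavailability(n_channels, p_channel)
    p_all_cabinets = p_cabinet ** cabinets_in_service
    return 1.0 - (1.0 - p_signal) * (1.0 - p_all_cabinets)


# Constructed values for illustration only; not plant data or WCAP results.
P_CHANNEL = 1.0e-3
P_CABINET = 1.0e-3

# (channels in service, logic cabinets in service)
CONFIGS = {
    "no test or maintenance": (4, 2),
    "one channel in bypass": (3, 2),
    "one logic cabinet out": (4, 1),
}


def compare(p_channel=P_CHANNEL, p_cabinet=P_CABINET):
    """System unavailability for each configuration in CONFIGS."""
    return {name: system_unavailability(n, cabs, p_channel, p_cabinet)
            for name, (n, cabs) in CONFIGS.items()}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:24s} {value:.3e}")
```

With these constructed inputs, a bypassed channel leaves the voting logic able to tolerate one more failure, while a cabinet outage leaves the system dependent on a single cabinet, which is the structural difference behind treating the two configurations differently.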
The Tier 2 WCAP studies concluded that the importance rankings of risk significant systems do not change appreciably for the configurations with an analog channel, master relay, or slave relay unavailable, compared to the configuration with no ongoing test or maintenance activities. In addition, the WCAP studies showed that a more significant change in the importance rankings of risk significant systems occurs when a logic cabinet is unavailable, compared to the configuration with no ongoing test or maintenance activities; hence the development of the Tier 2 restrictions. These WCAP insights are consistent with Seabrook Station plant-specific risk insights, particularly given that Seabrook is a predominantly 2-of-4 logic plant. It is also noted that Seabrook Station does not routinely perform maintenance activities on the protection systems while the plant is at power and only performs testing of one signal channel (or actuation logic) at any one time, and attempts to minimize the equipment out of service duration. Seabrook Station does not anticipate making any changes to this test/maintenance practice and expects no significant change in equipment unavailability as a result of the proposed bypass and completion times. Therefore, the approach to configuration risk management as discussed above is sufficient to meet the Tier 2 and Tier 3 requirements with the following clarifications made to the Seabrook Station on-line maintenance procedure for managing plant activities during the risk-informed completion times:
- Any planned or emergent test (or maintenance) activities that affect a single channel are assessed qualitatively for the existing and/or anticipated plant configuration to determine if any additional risk management actions are needed. If the repair of a single channel requires that the associated logic cabinet be removed from service, this configuration will be assessed quantitatively using the online quantitative risk monitor by removing the train-associated SSPS cabinet from service.
- Any planned or emergent test (or maintenance) activities that affect more than a single channel or device, i.e., actuation logic and actuation relays at the train level, will be assessed quantitatively using the online quantitative risk monitor by removing the train-associated SSPS cabinet from service for the existing and/or anticipated plant configuration to determine if any additional risk management actions are needed.
- Any planned or emergent test (or maintenance) activities that affect an SSPS logic train (logic cabinet) or RTB will be assessed quantitatively using the online quantitative risk monitor for the existing and/or anticipated plant configuration to determine if any additional risk management actions are needed.
- Emergent component failures that occur when the plant is operating in a risk-informed TS action will be assessed qualitatively or quantitatively. Quantitative assessment will use the online quantitative risk monitor as necessary to determine if any additional risk management actions are needed.
- Implementation of Tier 2 restrictions for SSPS logic train or RTB out of service.
3.2.6 External Events
The impacts of the WCAP-14333-P-A and WCAP-15376-P-A proposed changes are shown to be very low from an internal events risk perspective. The analyses supporting the changes in WCAP-14333-P-A and WCAP-15376-P-A do not explicitly include the risk impact from external events. Although addressing external event impacts is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the impact of the proposed changes on external events is assessed below for seismic, fire, high winds, external flooding and transportation and nearby facility accident events. The risk from seismic and fire events is shown to be low based on a qualitative and quantitative assessment of seismic and fire events impacts. The risk from high wind, external flooding, and other external events is shown to be low based on external events screening.
3.2.6.1 Seismic Events Assessment
Seismic risk insights from NUREG-1742 [Reference 13] and risk insights from the Seabrook Station internal events model are used in assessing the impact of seismic events on the WCAP risk assessment as related to the signal unavailability change for the proposed TS changes to completion and bypass times. Based on this assessment, the proposed changes to the RTS, ESFAS instrumentation and RTB completion and bypass times have negligible risk effect on the core damage/release mitigation capability from seismic events.
The approach followed to determine the impact of the proposed CT changes on seismic risk includes:
1 - Identify the systems of interest
2 - Identify the accidents that can result from a seismic event
3 - Identify how the system(s) is used to mitigate the seismic-induced events
4 - Assess impact of signal unavailability increase on CDF and LERF
The seismic events that need to be considered are the lower-level events that only cause a loss of offsite power (LOSP) or a small break LOCA. Large (higher-level) seismic events can result in a larger plant damage state such as a large LOCA or secondary side break with seismic-induced failure of required mitigation and support equipment including the RPS.
Given this larger plant damage state, the small increase in the signal unavailability does not affect the seismic plant risk for these higher-level seismic events. Therefore, only the impact of the WCAP-assessed signal unavailability on lower-level seismically induced LOSP and small LOCA events is assessed below. It is noted that low level seismic event sequences that do not result in LOSP or SLOCA, are similar to internal event transient-type sequences, which can be considered as covered by the internal events WCAP assessment.
Seismic - LOSP
In the seismic LOSP event, the EDGs supply station emergency power and EFW is needed to supply SG inventory for decay heat removal. RCP seal injection and thermal barrier cooling are also needed to continue to function to support seal cooling. Note that the Seabrook Station RCPs are equipped with the low leakage shutdown seals; consequently a seal LOCA event is less likely to occur given a loss of RCP seal injection/cooling. Therefore, the importance of the seal cooling function is reduced. The important signal affected by the proposed TS change and needed for the LOSP-type sequences is the EFW pump start signal on low-low SG level. However, it is noted that EFW is also automatically initiated on a LOSP signal, the ATWS mitigation signal (AMSAC), and by manual action. Note that EFW will also automatically start on an SI signal if conditions were to further degrade to the point of SI initiation. Based on WCAP-14333, Table 7.1, a conservative increase in signal unavailability of the ESFAS/EFW start signal is approximately 2.3E-05 for the 2/4 logic w/CCF for both signal trains available. Given the redundant and diverse signals for initiating EFW, this small increase in unavailability of the ESFAS/EFW start signal is judged to have negligible effect on the seismic risk as demonstrated by the sequence below:
Delta-CDF = (seismic LOSP IE frequency) x (delta-unavailability of ESFAS/EFW signal) x (AMSAC failure probability) x (operator action failure probability)
Where:
- Seismic LOSP IE frequency = 8.0E-04/year (value assumes guaranteed LOSP for seismic events at approximately 0.1g. The annual frequency of 8.0E-04 reflects the sum of seismic bin frequencies for bins 0.05g to 0.15g using the Seabrook-specific EPRI 2013 GMRS from LCI report)
- Delta-unavailability of ESFAS/EFW start signal = 2.3E-05 (WCAP-14333, Table 7.1 for 2/4 logic w/CCF)
- AMSAC failure probability = 1.0E-01 (Seabrook Internal Events PRA, AMSAC failure probability assuming a failure of SSPS)
- Human error probability (HEP) for initiation of EFW = 3.5E-04 (Seabrook Internal Events PRA, HEP OSIG1, for manual action to start EFW pump given transient with auto-start failed)
- No further credit given for LOSP EFW start
Delta-CDF = 8.0E-04/year x 2.3E-05 x 3.5E-04 x 1.0E-01 = 6.44E-13/year
Seismic - Small LOCA
Given a seismic-induced small break LOCA, the Emergency Core Cooling System (ECCS) is required to provide RCS inventory makeup. The signal affected by the proposed TS change and needed for small LOCA events is the Safety Injection (SI) signal. The SI signal is made up of redundant and diverse input parameters (low pressurizer pressure, high containment pressure, and low steam line pressure). SI can also be manually initiated from the main control board. In addition, individual SI pumps can be manually started and aligned from the main control board as a backup to the SI signal to maintain RCS inventory control.
Based on WCAP-14333, Table 7.1, a conservative increase in signal unavailability of the ESFAS/SI start signal is approximately 3.0E-05 for the 2/4 logic w/CCF for both signal trains available. Given the redundant and diverse signals for initiating SI and manual backup capability, this small increase in unavailability of the SI signal is judged to have negligible effect on seismic risk as demonstrated by the sequence below:
Delta-CDF = (seismic small LOCA IE frequency) x (delta-unavailability of ESFAS/SI signal) x (operator action failure probability)
Where:
- Seismic small LOCA IE frequency = 8.0E-04/year (assumed to be the same as seismic-induced LOSP)
- Delta-unavailability of ESFAS/SI signal = 3.0E-05 (WCAP-14333, Table 7.1 for 2/4 logic w/CCF)
- Human error probability (HEP) for initiation of SI components = 4.3E-04 (Seabrook PRA model, HEP OSIG3, for manual action to start and align ECC injection given SLOCA with auto-signal failed)
Delta-CDF = 8.0E-04/year x 3.0E-05 x 4.3E-04 = 1.03E-11/year
Seismic - Reactor Trip Signal
Seismic events that contribute to plant risk in general also cause a loss of offsite power.
Reactor trip signals do not provide an important mitigative function in the LOSP events.
This is because the LOSP event causes a loss of power to the RPS motor-generator sets, causing a loss of power to the control rod drive mechanisms and allowing insertion of control rods. Therefore, the small increase in the reactor trip signal and RTB unavailability does not have an impact on the risk of seismic events.
Seismic Events Conclusion
Based on the above conservative estimates, the impact on seismic CDF is negligible. Also, if it is conservatively assumed that all of the seismic delta-CDF maps to a large early release, the LERF impact is also negligible from a seismic risk perspective.
3.2.6.2 Internal Fire Events Assessment
Fire risk insights from NUREG-1742 [Reference 13] and risk insights from the Seabrook internal events model are used in assessing the impact of fire events on the WCAP risk assessment as related to the signal unavailability change for the proposed TS changes to completion and bypass times. Based on this assessment, the proposed changes to the RTS, ESFAS instrumentation and RTB completion and bypass times have negligible risk effect on the core damage/release mitigation capability from fire events.
The approach followed to determine the impact of the proposed CT changes on internal fire events risk includes:
1 - Use of a plant-level fire initiating event frequency as a conservative total event frequency
2 - Assume total fire event frequency results in a plant transient event with the need for SG decay heat removal
3 - All transient events credit ESFAS and are subject to the WCAP-assessed change in signal unavailability
4 - Credit alternate signals and manual capability
Two fire-impact cases were conservatively assessed: (1) a fire event assuming two ESFAS signal loops are available to start EFW and (2) a fire event assuming one ESFAS signal loop is available.
Fire - Transient Event
The fire ignition frequencies for all Seabrook Station buildings/areas are based on NUREG/CR-6850, Supplement 1 [Reference 14] guidance. The fire area frequencies are then summed to determine a site-level fire ignition frequency. The entire site-level fire frequency is then conservatively assumed to cause a fire-induced transient.
In general, mitigation of all fire-induced transient events requires decay heat removal via the SGs using EFW. EFW will automatically start on steam generator low-low level. If this signal fails and the event further degrades, other signals may become available to actuate EFW such as a LOSP signal or an SI signal. EFW is also automatically started on an AMSAC signal. EFW can also be started manually from the control room or remote safe shutdown panel. If EFW is not available, operators can initiate feed and bleed to achieve decay heat removal and mitigate core damage. Based on WCAP-14333, Table 7.1, a conservative increase in signal unavailability of the ESFAS/EFW start signal is approximately 2.3E-05 for the 2/4 logic w/CCF for both signal trains available. For the case where only one signal train is available, as could be the case with a specific fire in a specific area, the change in signal unavailability is approximately 1.43E-03. The change in ESFAS/EFW signal unavailability is taken from WCAP-14333, Table 7.1 because this reflects the unavailability associated with the change in completion time/bypass time (proposed LAR action), without the STI-associated unavailability of WCAP-15376. Given the redundant and diverse signals for initiating EFW, the small increases in unavailability of the ESFAS/EFW start signal are judged to have negligible effect on the fire risk as demonstrated by the sequences below:
Two ESFAS/EFW logic trains available
Delta-CDF = (plant-level fire IE frequency) x (delta-unavailability of ESFAS/EFW signal w/2 trains) x (operator fails to actuate EFW) x (AMSAC failure probability) x (operator fails to initiate feed and bleed)
Where:
- Fire IE frequency (plant level frequency from all buildings/ structures) = 1.41E-01/year (very conservative)
- Delta-unavailability of ESFAS/EFW start signal = 2.3E-05 (WCAP-14333, Table 7.1 for 2/4 logic, two trains w/CCF)
- Human error probability (HEP) for initiation of EFW = 3.5E-04 (Seabrook PRA model, HEP OSIG1, for manual action to start EFW pump given transient with auto-start failed)
- AMSAC failure probability = 1.0E-01 (Seabrook Station PRA model, AMS failure probability assuming a failure of SSPS)
- Feed and bleed failure = 1.0E-01 (conservative assumption)
Delta-CDF = 1.41E-01/year x 2.3E-05 x 3.5E-04 x 1.0E-01 x 1.0E-01 = 1.14E-11/year
One ESFAS/EFW logic train available
Delta-CDF = (plant-level fire IE frequency) x (delta-unavailability of ESFAS/EFW signal w/1 train) x (operator fails to actuate EFW) x (AMSAC failure probability) x (operator fails to initiate feed and bleed)
Where:
- Fire IE frequency (plant level frequency from all buildings/structures) = 1.41E-01/year (very conservative)
- Delta-unavailability of ESFAS/EFW start signal = 1.4E-03 (WCAP-14333, Table 7.1 for 2/4 logic, 1 train w/CCF)
- Human error probability (HEP) for initiation of EFW = 3.5E-04 (Seabrook PRA model, HEP OSIG1, for manual action to start EFW pump given transient with auto-start failed)
- AMSAC failure probability = 1.0E-01 (Seabrook PRA model, AMS failure probability assuming a failure of SSPS)
- Feed and bleed failure = 1.0E-01 (conservative assumption)
Delta-CDF = 1.41E-01/year x 1.4E-03 x 3.5E-04 x 1.0E-01 x 1.0E-01 = 6.91E-10/year
Fire - Reactor Trip Signal
Reactor trip signals do not provide a significant mitigation function for postulated major fire events. The risk of fire events considers that the fire hazard is a direct cause of a reactor trip and has the potential to also adversely impact some mitigation equipment. If the fire event is determined to only impact mitigation equipment and not plant trip equipment, then the plant would continue to operate under the applicable TS action statements for the specific condition. Fire event sequences that cause a reactor trip and do not cause fire damage to mitigation equipment are similar to internal event transient-type sequences, which can be considered as covered by the internal events WCAP assessment. Therefore, the small increase in the reactor trip signal and RTB unavailability does not have an impact on the risk of fire events.
Fire Events Conclusion
Based on the above conservative estimates, the impact on internal fire CDF is negligible. Also, if it is conservatively assumed that all of the fire delta-CDF maps to a large early release, the LERF impact is also negligible from a fire risk perspective.
3.2.6.3 High Winds, External Flood, and Other External Events
High winds, external flood and other external events were reviewed to identify any other external events whose risk could be influenced by the proposed TS changes. The review and assessment of these external hazards to NUREG-1407, NUREG/CR-2300, and ASME/ANS Standard RA-Sa-2009 screened out all additional hazards not previously addressed.
3.2.6.4 External Events Conclusion
This assessment demonstrates that actuation signal unavailability is a very small contributor to the CDF for external events. Therefore, the small increases in the signal unavailability proposed by the changes in WCAP-14333-P-A and WCAP-15376-P-A will have only a very small impact on the external event CDF and will not impact the acceptability of the proposed change. Therefore, it is concluded that the delta-CDF and delta-LERF meet the acceptance criteria in RG 1.174.
3.3 Topical Report Safety Evaluation (SE) Conditions
The SEs for WCAP-14333-P-A and WCAP-15376-P-A have several conditions associated with their approval. The following subsections will document how each condition is met for each WCAP. Some of the SE conditions have already been addressed in this LAR and the appropriate LAR sections will be referenced for those conditions.
3.3.1 WCAP-14333-P-A SE Conditions
The NRC's approval of WCAP-14333-P-A was subject to the following conditions requiring plant-specific information:
1. Confirm the applicability of the WCAP-14333-P-A analyses for the plant.
2. Address the Tier 2 and 3 analyses including the configuration risk management program insights which confirm that these insights are incorporated into the decision making process before taking equipment out of service.
Condition 1
In order to address SE Condition 1, Westinghouse issued implementation guidelines for licensees to confirm that the WCAP analysis is applicable to their plant. A plant specific assessment was performed to confirm the applicability of WCAP-14333-P-A to the Seabrook Station. The results of this assessment are provided in Section 3.2.1 of this LAR, titled "WCAP 14333-P-A Tier 1 Evaluation." The results documented in Section 3.2.1 of this LAR confirm that the WCAP-14333-P-A analyses are applicable to the Seabrook Station.
Condition 2 Section 3.2.2 of this LAR, titled "WCAP 14333-P-A Tier 2 Requirements," discusses the required Tier 2 restrictions applicable when operating with an inoperable logic train. The required Tier 2 restrictions are proposed to be incorporated into the Seabrook Station TS Bases for the RTS and ESP AS instrumentation. Attachment 2 to this LAR contains a markup of the proposed Bases changes.
Section 3.2.S of this LAR, titled "Tier 3, Risk-Informed Configuration Risk Management,"
discusses the configuration risk management program that incorporates risk insights into the decision making process before taking equipment out of service.
3.3.2 WCAP-15376-P-A SE Conditions
The NRC's approval of WCAP-15376-P-A was subject to the following conditions requiring plant-specific information:
1. Confirm the applicability of the topical report to the plant and perform a plant-specific assessment of containment failures and address any design or performance differences that may affect the proposed changes.
2. Address the Tier 2 and Tier 3 analyses including risk significant configuration insights and confirm that these insights are incorporated into the plant-specific configuration risk management program.
3. The risk impact of concurrent testing of one logic train and associated reactor trip breaker needs to be evaluated on a plant-specific basis to ensure conformance with the WCAP-15376-P evaluation, and Regulatory Guides 1.174 and 1.177.
4. To ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P should be confirmed to be applicable to the plant-specific configuration.
5. For future digital upgrades with increased scope, integration and architectural differences beyond that of Eagle 21, the staff finds the generic applicability of WCAP-15376-P to future digital systems not clear and should be considered on a plant-specific basis.
6. An additional commitment from the response to NRC RAI Question 18 (OG 058) [Reference 12] requires each plant to review their setpoint calculation methodology to determine the impact of extending the Channel Operational Test (COT) Surveillance Frequency from 92 days to 184 days.
Condition 1
Applicability of WCAP-15376-P-A to Seabrook Station
In order to address SE Condition 1, Westinghouse issued implementation guidelines for licensees to confirm that the WCAP analysis is applicable to their plant. A plant specific assessment was performed to confirm the applicability of WCAP-15376-P-A to the Seabrook Station. The results of this assessment are provided in Section 3.2.3 of this LAR, titled "WCAP 15376-P-A Tier 1 Evaluation." The results documented in Section 3.2.3 of this LAR confirm that the WCAP-15376-P-A analyses are applicable to the Seabrook Station.
Assessment of Containment Failures
As stated in the WCAP-15376-P-A Implementation Guideline, the results presented in WCAP-15376-P-A are directly applicable to large dry containments. The containment failure assessment in these WCAPs considered interfacing systems LOCAs, SGTRs, and containment isolation failures. Plants that have ice condenser containments need to address the impact of the signal unavailability changes on additional failure modes. Since Seabrook Station is not an ice condenser plant, these additional failure modes are not addressed.
Table 3.3.2-1 shows the LERF contributors. The results show that the Seabrook Station evaluated the modes considered to be affected by WCAP-15376-P-A. No specific guidelines for LERF contribution were given in the implementation guidelines; however, it was stated that for large dry containments, the significant contributors to LERF are typically containment isolation failure and containment bypasses from ISLOCA and SGTR events, excluding SG tube creep rupture. Excluding the seismic events (external events) shows that containment bypass events are the dominant contributors for LERF at Seabrook Station; therefore, the WCAP-15376-P-A results are applicable to Seabrook Station.
Table 3.3.2-1 LERF Contributors - Modes 1, 2, 3
| LERF Contributor | LERF (per yr) | Contribution |
|---|---|---|
| Late Containment Over Pressure Failure (extreme seismic events with impaired evacuation) - External Events | 9.20E-08 | 59.51% |
| Containment bypass - SGTR-initiated or pressure-induced tube ruptures | 4.36E-08 | 28.20% |
| Containment bypass - Thermally-induced SGTR | 1.70E-12 | 0.0001% |
| Containment bypass - Interfacing Systems LOCA | 1.81E-08 | 11.7% |
| Containment isolation failure (1) | 8.59E-10 | 0.6% |
| LERF Total | 1.55E-07 | 100% |
(1) Containment isolation failure is not a significant contributor to LERF because of the reliability of the COP (containment online purge) valve penetrations (dual isolation valves designed to go closed on loss of instrument air) and the valves are opened only approximately 10% of the time.
Applicability of Master Relay and Safeguards Driver Card Failure Probabilities
It is necessary to indicate that the component failure probabilities of the master relays and safeguards driver card developed as part of WCAP-15376-P-A are applicable to Seabrook Station. The failure probabilities for these components are based on data collected from a number of Westinghouse NSSS plants. The failure probabilities for these components provided in Table 8.6 of WCAP-15376-P-A are 1.10E-05 for SSPS Master Relays and 5.90E-04 for SSPS Safeguards Driver Cards.
The Seabrook Station plant-specific information on the master relays and safeguards driver card was collected from 2013 to 2017. It is conservatively estimated that over the five year period, there were 62 master relay actuations and 62 driver card actuations. Zero failures were recorded. A summary of the experience for the master relays and safeguards driver card at Seabrook Station is provided below.
Table 3.3.2-2 Seabrook Station Master Relays and Safeguards Driver Card Reliability (2013 - 2017)
| Parameter | Master Relays | Safeguards Driver Card |
|---|---|---|
| Actuations | 62* | 62* |
| Failures | 0 | 0 |
* Conservative estimate
An analysis based on the binomial distribution was used to determine the number of expected failures for the given component failure probabilities and actuations. For both components, zero failures would be expected according to the binomial distribution. Since the Seabrook Station recorded no component failures of the master relays or safeguards driver card for the same number of actuations, it is concluded that the failure probabilities used in the WCAP-15376-P-A analysis are applicable to Seabrook Station.
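The binomial check described above can be reproduced as follows. This is an added example, not NextEra's calculation: it uses only the failure probabilities and actuation counts quoted in this section, and its function names are illustrative. It goes one step beyond the check in the text by also computing the one-sided 95% upper bound on failure probability that zero failures in 62 demands supports.

```python
from math import comb

# Values quoted in this section (WCAP-15376-P-A Table 8.6 and Table 3.3.2-2).
GENERIC_FAILURE_PROBABILITY = {
    "SSPS master relay": 1.10e-05,
    "SSPS safeguards driver card": 5.90e-04,
}
ACTUATIONS = 62          # conservative estimate, 2013 - 2017
OBSERVED_FAILURES = 0


def binomial_pmf(k, n, p):
    """Probability of exactly k failures in n independent demands."""
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def most_likely_failures(n, p):
    """Mode of the binomial distribution, found by scanning the full PMF."""
    pmf = [binomial_pmf(k, n, p) for k in range(n + 1)]
    return max(range(n + 1), key=pmf.__getitem__)


def zero_failure_upper_bound(n, confidence=0.95):
    """One-sided Clopper-Pearson upper bound on p after 0 failures in n demands.

    Solves (1 - p)^n = 1 - confidence for p.
    """
    return 1.0 - (1.0 - confidence) ** (1.0 / n)


def assess(component):
    """Summarise how the plant record compares with the generic probability."""
    p = GENERIC_FAILURE_PROBABILITY[component]
    return {
        "expected_failures": ACTUATIONS * p,
        "most_likely_failures": most_likely_failures(ACTUATIONS, p),
        "prob_zero_failures": binomial_pmf(0, ACTUATIONS, p),
        "consistent_with_record": p <= zero_failure_upper_bound(ACTUATIONS),
    }


if __name__ == "__main__":
    for name in GENERIC_FAILURE_PROBABILITY:
        print(name, assess(name))
    print("95% upper bound on p from 0/62:", zero_failure_upper_bound(ACTUATIONS))
```

For both components the most likely outcome is zero failures, matching the observed record. The upper bound shows how far 62 demands can constrain the failure probability on their own.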
Condition 2 Address Tier 2 and 3 analyses
Section 3.2.4 of this LAR, titled "WCAP-15376-P-A Tier 2 Requirements," discusses the required Tier 2 restrictions applicable when operating with an inoperable RTB train. The required Tier 2 restrictions are proposed to be incorporated into the Seabrook Station TS Bases for the RTS and ESFAS instrumentation. Attachment 2 to this LAR contains a markup of the proposed Bases changes.
Section 3.2.5 of this LAR, titled "Tier 3, Risk-Informed Configuration Risk Management," discusses the configuration risk management program that incorporates risk insights into the decision making process before taking equipment out of service.
Condition 3 Address risk impact of concurrent testing of one logic train and associated RTB
The response to NRC RAI 4 (in WOG Letter OG-02-002) provided the Incremental Conditional Core Damage Probability (ICCDP) for this configuration (both the logic cabinet and associated RTB out of service) for preventative maintenance for a total time of 30 hours, which is comprised of a Completion Time of 24 hours, plus 6 hours to reach Mode 3. The ICCDP for the duration of 30 hours in this configuration is 3.2E-07, which meets the RG 1.177 acceptance guideline of 5.0E-07. Since this ICCDP value is based on the logic cabinet and RTB being out of service for 30 hours at the same time, bypassing one logic cabinet and associated RTB for four hours of testing will also meet the RG 1.177 ICCDP guideline.
The response to NRC RAI 11 (in WOG Letter OG-02-002) provided the Incremental Conditional Large Early Release Probability (ICLERP) for this configuration (both the logic cabinet and associated RTB out of service) for preventative maintenance for a total time of 30 hours, which is comprised of a Completion Time of 24 hours, plus 6 hours to reach Mode 3. The ICLERP for the duration of 30 hours in this configuration is 2.4E-08, which meets the RG 1.177 acceptance guideline of 5.0E-08. Since this ICLERP value is based on the logic cabinet and RTB being out of service for 30 hours at the same time, bypassing one logic cabinet and associated RTB for four hours of testing will also meet the RG 1.177 ICLERP guideline.
As described above, the WCAP analysis assumes that if a RTB is out of service its associated logic train is also out of service. Therefore, the risk impact of concurrent testing of one logic train and the associated RTB is addressed by demonstrating that the WCAP-15376-P-A analysis is applicable to Seabrook Station. The results documented in Section 3.2.3 of this LAR confirm that the WCAP-15376-P-A analyses are applicable to the Seabrook Station.
Condition 4 Applicability of model assumptions for human reliability
In order to address SE Condition 4, Westinghouse issued implementation guidelines for licensees to confirm that the model assumptions for human reliability in WCAP-15376-P-A are applicable to their plant. A plant specific assessment was performed to confirm the applicability of the model assumptions for human reliability in WCAP-15376-P-A to the Seabrook Station. Table 3.3.2-3 provides a summary of the operator actions credited in the WCAP-15376-P-A analysis and the ability of these actions to be successful at Seabrook Station. All actions are credited with plant procedures in place and all actions are effective.
Table 3.3.2-3 WCAP-15376-P-A, Rev. 1 Implementation Guidelines: Applicability of the Human Reliability Analysis
| Operator Action | Are Plant Procedures in Place for the Action? (1) | Operator Action that results in a success path (backup to the automatic function) prior to the action becoming ineffective to mitigate the event? |
|---|---|---|
| Reactor trip from the main control board switches | Yes | Yes |
| Reactor trip by interrupting power to the motor-generator sets | Yes | Yes |
| Insertion of the control rods via the rod control system | Yes | Yes |
| Safety injection actuation from the main control board switches | Yes | Yes |
| Safety injection by actuation of individual components | Yes | Yes |
| Auxiliary feedwater pump start | Yes | Yes |
Notes for Table 3.3.2-3:
(1) Fill in "yes" or "no". If "yes" is filled in for both questions, then the analysis is applicable to your plant with respect to that operator action.
All Operator Actions (OAs) listed in Table 3.3.2-1 have a "Yes" answer for both questions; therefore, the WCAP-15376-P-A analysis assumptions are applicable to Seabrook Station.
Condition 5 Address future digital upgrades
There are presently no plans to implement digital upgrades to the Reactor Protection or Engineered Safety Features Systems at the Seabrook Station.
Condition 6 Review setpoint calculation methodology to determine the impact of extending the Channel Operational Test (COT) Surveillance Frequency from 92 days to 184 days.
Note that this is a commitment that resulted from a response to RAI Question 18 in WOG letter OG-01-058. The changes included in this LAR do not involve extending any Surveillance Frequencies. As such, this Commitment is not applicable.
3.4 PRA Quality
Although consistency of the Seabrook Station internal events PRA with Regulatory Guide 1.200 is not an implementation requirement specified in the Limitations and Conditions of the Safety Evaluation, the NRC has requested information on PRA quality in previous submittals.
The PRA model of record used in this risk-informed application is the Internal Events model (internal events and internal flooding), PRA model version SSPSS-2014, February 2015.
Sources of Model Uncertainty
The Seabrook Station evaluation of sources of model uncertainty and related assumptions was recently revised for the PRA model of internal events and internal flooding events. The revision used guidance contained in NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making [Reference 15] and EPRI TR-1016737, Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessment [Reference 16] to identify potential sources of generic and plant-specific uncertainty that should be reviewed/considered for possible impact on risk-informed applications. Based on a review of the identified generic and plant-specific sources of uncertainty, there are no sources of uncertainty that have an impact on the internal events and internal flooding quantitative risk model and thus there is no impact on the proposed application of the WCAP application to Seabrook Station in that implementation of the proposed technical specification changes will result in only a very small increase in plant risk.
Seabrook PRA Peer Review History
The ASME/ANS PRA Standard (ASME/ANS RA-Sa-2009) has eight "parts" with technical elements, high level requirements (HLRs), and detailed supporting requirements (SRs). These parts represent the major classes of hazards included in a PRA:
- Part 1, introductory w/ configuration control
- Part 2, internal events
- Part 3, internal flood
- Part 4, internal fire
- Part 5, seismic events
- Parts 6 to 9, other external hazard events
NRC Regulatory Guide 1.200 Rev 2 endorses this Standard with minor "clarifications." The EPRI ePSA database includes each supporting requirement from ASME/ANS RA-Sa-2009 along with the clarifications from NRC Regulatory Guide 1.200 Rev 2.
The Seabrook PRA has undergone peer review against ASME PRA Standard Parts 1 (configuration control), 2 (internal events) and 3 (internal flood events). Note that the Seabrook PRA currently includes a comprehensive assessment of internal fire, seismic, and other external events. However, these aspects of the PRA model and associated documentation have not undergone a formal peer review against the ASME PRA Standard or Reg. Guide 1.200.
Peer reviews have been conducted against internal event supporting requirements as follows:
- In 1999, a review of all technical elements was performed using the industry PSA Certification process, the precursor to the PRA Standard.
- In 2005, a focused peer review was performed for the elements AS, SC and HR as well as configuration control. This review was done to PRA Standard ASME RA-Sa-2003.
- In 2009, a focused peer review was performed for all elements of Part 3, Internal Flooding. This review was done to PRA Standard ASME/ANS RA-Sa-2009.
- In 2012, a focused peer review was performed for the element LE. This review was done to PRA Standard ASME/ANS RA-Sa-2009.
Closed findings were reviewed and closed using the process documented in Appendix X to NEI 05-04, NEI 07-12 and NEI 12-13, "Close-out of Facts and Observations" (F&Os) [Reference 17] as accepted by NRC in the staff memorandum dated May 3, 2017 (ML17079A427) [Reference 18].
Table 3.4.1 provides a summary of the open findings subsequent to the independent review. None of the open findings have an impact on the results and conclusions of this LAR.
The documentation reviewed by the independent assessment team and the final report documenting the Appendix X review of resolved findings do not contain detailed evaluations documenting the bases for Maintenance Update determination for each finding. As such, Table 3.4.2 provides the closed findings, their resolution, and independent assessment for closure. Since all of the finding-level F&Os provided in the table below were assessed as closed by the independent assessment team, there is no impact on the results and conclusions of this LAR.
Table 3.4.1 Disposition and Resolution of Open Peer Review Findings and Self-Assessment Open Items
| Finding No. | Supporting Req'mt | Capability Category (CC) | Description | Disposition for WCAP-14333 and WCAP-15376 LAR |
|---|---|---|---|---|
| F&O HR-E3-1 | HR-E3 | Not Met | While simulator exercises were observed, there is no evidence of specific talk-throughs with Operations/Training. Interaction with Operations and/or Training is important regarding the assumptions used in the HRA, especially response times and performance shaping factors (PSFs), to confirm that the interpretation and implementation of the procedures are consistent with plant training and expected responses. | The action taken to address the original finding included a comprehensive review of all post-initiator dynamic operator actions associated with scenarios initiated at-power by a former Seabrook Station operations shift manager and training instructor. Each action was reviewed as documented in the HRA Calculator and revisions were incorporated based on his research and knowledge and, where needed, the support of current operations and training personnel. The independent review identified that the action taken to address this finding does not fully meet the intent of the SR. Consequently, there is a need to conduct and document a talk-through, with plant operations and training personnel, of the procedures and sequences of events to confirm that interpretation of the procedures is consistent with plant operations and training procedures. Given the previous comprehensive review of all HEPs by a highly qualified operations individual, conducting further talk-throughs with additional operations/training personnel and documenting those talk-throughs is not expected to have an impact on the HEP models nor the overall PRA model results and insights. Conclusion: A documentation change is needed to close this finding. The documentation of operator talk-throughs is not expected to have any impact on the HEPs or PRA results/conclusions and therefore no impact on this risk-informed application. This change is being tracked under MCDB item #997. |
| F&O 4-7 | IFQU-B1 | Not Met | Self-Assessment points out areas of improvement in reviewing results and identifying significant contributors to CDF (and LERF), such as initiating events, accident sequences, and basic events (equipment unavailability and human failure events), shall be identified. In addition, the results shall be traceable to the inputs and assumptions made in the PRA. Possible Resolution: Provide more details on the modeling inputs and assumptions as they relate to the results. | This item is related to internal flooding. The action taken to address the original finding included an IF sequence review and results review performed in an integrated fashion with all Level 1 results. IF dominating sequences were identified and described in the IF documentation, which also provided flood-specific results for flooding initiating events, flood basic events (doors) and human failure events contributions to CDF. The current documentation provides a comprehensive summary of the flood group sequences along with quantitative and qualitative insights for flood. The documentation improvement needed to close this finding involves adding a short discussion about the flood initiator relative importance and any specific assumptions. Also, include a statement on the benefit gained by the installation of the fire protection flow orifice, which significantly reduced flood risk. Conclusion: A documentation change is needed to close this finding. The documentation change is judged to have no impact on the PRA results and conclusions and therefore no impact on this risk-informed application. The documentation change is being tracked under MCDB item #998. |
| F&O 5-12 | IFSO-A1, IFSN-A8 | CC-III / CC-II | No review appears available relative to backflow through drains. Another plant recently had an NRC identified issue where a radwaste pipe tunnel floor drain emptied into an RHR Room Sump. This represented an identified pathway from one building to another. Consider a more detailed review of floor drain connections and interfaces. The self-assessment also questioned floor capacity for cases with significant water accumulation (i.e., rugged doors prevent propagation to other areas). More explicit review of the potential for floor drain backflow, including the potential for check valve failure, may yield some noteworthy insights. For example, there is currently no discussion of the potential for backflow from the RHR A sump to the RHR B sump. | This item is related to internal flooding. The action taken to address the original finding included an additional review of the floor drain systems in the major flooding areas of interest including postulating possible floor drain backup, waste tank backup and qualitative assessment of check valve failure in sump pump discharge systems. There are no valves (AOVs/MOVs/check) in the floor drain system itself. No vulnerabilities were identified based on the review. In particular, check valves exist in the RHR sump pump discharge lines to prevent backflow from one RHR vault to the other. It is also noted that the potential for floor drain propagation including postulated backflow is specifically included in the IF analysis, particularly for CSR and electrical tunnel interactions. The documentation improvement needed to close this finding includes adding a discussion of the sumps overflowing and adding further discussion on the potential for drain backflow, both of which have been addressed in the development of the IF model. Conclusion: A documentation change is needed to close this finding. The documentation change is judged to have no impact on the PRA results and conclusions therefore no impact on this risk-informed application. This change is being tracked under MCDB item #999. |
| F&O LE-D6-01 | LE-D6 | Not Met | The analysis does not consider an increased probability of thermally-induced steam generator tube rupture due to depressurized steam generators that may occur due to secondary side conditions as mentioned in item (b) of the SR. In addition, because thermally-induced tube rupture follows hot leg integrity in the event tree, proper consideration of the conditional probabilities should be re-addressed to ensure that it is not receiving a lower probability than it should. As the plant ages, the analysis should also be cognizant that at some point the tubes should no longer be considered 'pristine.' | The action taken to address the original finding included a review of EPRI TR-107623 Rev. 1 and NUREG-1570. Section 8 of the TR was reviewed for applicability and to ensure that the top event modeling of SGTI (pressure-induced failure before core damage) and XSGTI (temperature-induced SG tube failure after core damage) is reasonably consistent with the EPRI report relative to LERF. It is noted that the EPRI Report provides a detailed method to support a risk-inform application of an alternate repair criteria and/or operate with degraded tubing. This risk methodology goes beyond the existing resolution of the Seabrook PRA for modeling of SGTI and XSGTI. However, the existing modeling of SGTI and XSGTI is judged to be robust and adequate to account for all LERF contributors driven by tube failure during severe accident conditions. As a result of the above review and based on judgment, the baseline severe accident SG tube rupture probability for temperature-induced (XSGTI) was to be increased from 0.001 to 0.1. This is consistent with discussion in WCAP-16600, Table 15 regarding tube degradation over time and possible need to adjust the XSGTI failure probability. However, this change needs to be implemented in the model to close this finding. Based on a sensitivity case, an increase in the XSGTI1 probability from 1e-3 to 0.1 will increase release category LE13A (thermally-induced SGTR subsequent to core damage) from 1.7E-12/yr to 2.3E-10/yr. Although the LE13A bin has increased by almost 2 orders of magnitude, it is still very small and contributes only approximately 0.15% to the total LERF. Conclusion: A change to split fraction XSGTI1 (1E-03 to 0.1) is needed to completely close this finding. However, the sensitivity case indicates that this change will increase the overall LERF by less than 1%, which is negligible. This finding has negligible impact on this risk-informed application. This change is being tracked under MCDB item #1000. |
'Tab(tf:3.4~2, Di~posi!ioil :i,µd,Resol~tiol of 1,l.esoived*P!!erRevi~w Fhi!fings (Irtci, ~~.i~Ass'.~ssrileµ{Ii:e~s l
~.
- ..* :ca ability
, Findijig Supportmg
- p. *
<'No.{.. ' Reql:mt' q:it~gpry ' '
,.,:, ". _Jcq..
F&O IE-2 IE-ClO NIA
./ -
~*,_
- --~
,;;; ~.,,
-~
The frequencies of initiators L2CCA and L2CCB are under estimated due to the common cause model. The common cause term should include T=J year (rather than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).
Page 67 of I 00
. Disposition '(or WCAP~l43.3.3 and WC:AP-153761.AR
- Actions to Address Finding Changes were made to the CCF models in PCC and SWS initiators to use l year as the mission time. This was included in the 1999 PRA Update to quantify initiators Loss of PCCW (LPCCA/LPCCB) and Loss of Service Water (LSWSA/LSWSB). The capturing ofrelevant combinations of events is done internally in the RISKMAN quantification of system IEs. The 1 year mission time is assigned to the basic events related to fail-to-operate over time and applied appropriately to one basic event in each cutset.
Refer to SSPSS-2014 PRA documentation, Sections 10.3.5.4 (LPCCA/B) and 10.3.4.4 (LSWSA/B) for description of the CCF/mission time application. Also refer to RISKMAN model SB20I4Xl, systems initiating events, basic event equations for initiators LPCCA/B and LSWSA/B, which include mission time
@YR, which is the local variable for 8760 hours0.101 days <br />2.433 hours <br />0.0145 weeks <br />0.00333 months <br /> Acceptability Evaluation Document SSPSS-2014 was reviewed. Section 10.3.5.4 addresses the use of 1 year for the LPCC running pumps in the system initiator tree:
"The PCC initiator models change the equations of all time-based basic events ( except the standby basic events, *. *SB) from @MT= 24 hrs to @YR= 8760 hrs. Thus, the normally operating components use the 1 yr mission time and their related cutsets are expanded as follows AB --> A(I YR)B(24H) + A(24H)B(l YR)."
- Finding No.
F&O IE-6 SBK-L-18089 Table 3.4.2 :I)isposition and Resoluti<<;in ofResoh:-ed Peer Revkw Findings and S~lf~Ass~ssm,elitHems
' Supporting Req'int IE-Cl4 Capabilfo,.
,Category
(~C)_
NIA The existing analyses for ISLOCA should be reviewed for consistency with a methodology for identification and quantification ofISLOCA pathways such as that provided in NUREG/CR-5744, and updated if appropriate.
Page 68 of 100 Disp~sition fo[ WCAP-14333 and W(:4P-15376 L~
Section 10.3.4.4 addresses the use 1 year for the LSWS running pumps in the system initiator tree:
"SWS initiator models change the equations of all time-based basic events ( except the basic events *. *SB) from @MT= 24 hrs to @YR=
8760 lu-s. Thus, the normally operating components use the l yr mission time and the expansion of cutsets AB--> A(l YR)B(24H) +
A(24H)B(l YR)."
The other system initiator trees were reviewed (LRCPS and LOSPP) were reviewed and there is a statement that operating components used a mission time of l year. This F&O is considered to be closed.
Actions to Address Finding Reviewed NUREG/CR-5744 for ISLOCA methodology and revised the ISLOCA assessment in the 2005 PRA Update. It is noted that the NUREG does not provide a "methodology" for identification of pathways
. that differed from the Seabrook SSPSA analysis.
No revision to ISLOCA analysis was necessary (ISLOCA pathways evaluated are consistent) however, the documentation of the ISLOCA assessment was improved. Refer to SSPSS-2014 Section 5.1.2.6 for a description of the ISLOCA initiating event model and Section 5. 7 for ISLOCA sequence model description. Note also that SSPSS Section 14.3.1 provides an assessment of containment penetrations relative to containment isolation capability, which identifies the specific penetrations assessed for containment bypass including ISLOCA.
Acceptability Evaluation Document SSPSS-2014 section 5.1.2.6 and Table 14.3.1-1 were reviewed. The criteria used to screen the ISLOCA pathways is consistent with NUREG/CR-5744. For the identified pathways, Section 5. l.2.6 discusses the calculation ofISLOCA initiator frequencies, including consideration of the state of knowledge correlation. This F&O is considered to be closed.
Finding No..
F&O DA-4 F&O DA-6 SBK-L-18089 Ta.hie 3.4.2 Disposition an*d Resolution of Resolved P~er Review Findings a.i14 Self-Assessment Jterns Supporting Req'int DA-DS DA-Cl5
.. ~: ~
'tap:ibmiy C~tegory
- (CC)
NIA NIA Description The values for BETA2, GAMMA2, and DELTA2 are not derived as recommended in NUREG/CR-5485 as stated in the text. That document (p.76) recommends that "the values of a2, a3, and a4 in Table 5 11 be reduced by a factor of2 when applied to frequency of failure during operation." The effect ofreducing theses values (and adding the difference to
- 1) is to reduce only the Beta factor - the gamma factors and delta factors are unchanged since the factor of onehalf factors out. Contrary to this guidance, the MGL factors corresponding to the alpha factors in Table 5-11 were calculated, then the Beta factors were reduced by a factor of 2. Note these values were used in the PCC system and initiating event analyses, resulting in some factors being under-estimated by a factor of 4. The discussion in 6.3.3 regarding variable BETA! is in error - 5 CCFs and 100 independent failures provides a beta factor of 5/105 if staggered testing is used, not the.05 indicated. A lognormal distribution is not appropriate for the GAMMA! and DELTA!
- they should be modeled using beta distributions.
(1) The recovery model for the turbine driven EFW pump includes factors for "fraction of failure that are non recoverable within 1 hr" and "probability of operator failing to recover (recoverable failures) within 1 hr". The former is assigned a value of 0.5 based on failure data from the original SSPSA. It does not appear that model has been updated in light of more recent plant data. The latter is based on a detailed evaluation of the time available for recovery actions given other operator commitments following loss of all ac power. The HEP is determined to be 5E-03 (i.e. insignificant compared with the fraction of failures that are non recoverable). (2) A potential concern with the operator error analysis is that it neglects to consider dependencies of this recovery action with other actions included in the plant model. Particular dependencies of concern are the initiation of feed and
Disposition for WCAP-14333 and WCAP-15376 LAR
Actions to Address Finding The values for GAMMA2 and DELTA2 were recalculated using the correct equations. Also beta distributions were developed for these generic distributions.
With regard to the comment that BETA1 should be 5/105 rather than 0.05, these are essentially the same number. Refer to SSPSS Section 13.2.4 Generic CCF Factors: NUREG/CR-5485 for documentation of the MGL factors used in the systems analysis quantification.
Acceptability Evaluation Document SSPSS-2014 section 13.2.4 was reviewed. The comment about the gamma and delta factor being reduced by a factor of 2 was addressed by the use of the correct equation.
The correct equation cancels out the reduction and therefore the gamma and delta factors are not reduced. The error of using 5/100 instead of 5/105 was not addressed. This is an isolated item, the numerical difference is small, and should not significantly affect the PRA results.
As recommended in the F&O, the BETA1, GAMMA1, and DELTA1 factors were recalculated using a beta distribution. This F&O is considered to be closed.
Actions to Address Finding (1) Addressed in the 1999 PRA model update.
Based on plant specific data for the TD-EFW pump, the TD-EFW recovery credit is no longer modeled. Only three systems are modeled for repair of hardware faults: Switchyard (ROSP), EDGs (RDGLI), and PCC (RPCC). ROSP and RPCC are modeled using generic data for repair/restoration. These repair models are documented in SSPSS Section 11.7. (2) Operator dependencies were examined, resulting in changes made to the logic rules and HEP quantification. - Included in 1999 PRA Update - operator dependence analysis was addressed under F&O HR-7 (HR-G7) (MC#173, 165, 180 and 184) This was subject to 2005 focused peer review. Refer below to item 12, F&O HR-G7-1. (3) SSPSS Section 11.7.2 presents operator actions that are grouped as recovery actions.
While most operator action analyses include some credit for recovery, these actions are
SBK-L-18089 Table 3.4.2 Disposition and Resolution of Resolved Peer Review Findings and Self-Assessment Items
Finding No. F&O QU-3, Supporting Req'mt QU-B2, Capability Category (CC) Met
Description bleed and manually aligning the start up feed pump. (note: Appropriately, no credit has been taken for this recovery action following SGTR where demands on operators may be greater than the loss of all power case modeled. Further, common cause failures are appropriately not recovered.) (3) Examine dependencies of HEPs embedded within recovery models with other human actions included in the plant model. (4) Examine most recent component failure data to ensure recoverable failure fraction remains valid.
A discussion of the limitations of using the saved sequences as a PRA model of the plant was not located. Although a very low cutoff is used to generate saved sequences, it is important that all analysts understand where limitations may exist so that they can be evaluated for specific applications. Include a short discussion in the Tier 2 results or in the application that discusses the saved sequence limitations.
Disposition for WCAP-14333 and WCAP-15376 LAR
distinct in that the focus is on equipment more than on errors in human action. They are based on recoverability of components, where the human actions are included implicitly. Some also involve alternative hardware and actions outside the control room. These actions are typically not proceduralized to the extent of the EOPs, if at all. Generally, recovery actions are limited to scenarios in the plant model by event tree rules that specify when they should be credited. (4) Component failure data and recovery has been updated periodically and remains current. Refer above to Item 3 (DA-C15).
Acceptability Evaluation Section 10.4.3.3 of the Tier 2 PRA documentation was checked to confirm that EFW recovery is no longer credited. Section 11.7 was also reviewed to confirm that for the at-power PRA, only recovery of OSP, EDGs and PCC are now considered and the approach used appears reasonable. Human action dependency analysis is performed, as documented in section 11.8. This F&O is considered to be closed.
Actions to Address Finding This issue of truncation has been addressed in the PRA documentation along with general guidance for setting the truncation level. Refer to SSPSS Section 2.1.4 Truncation Evaluation for CDF, for an explanation of the truncation limitations.
Acceptability Evaluation Section 2.1.4 of the Tier 2 PRA documentation presents the results of the truncation sensitivity study. Since BBD solution is used for the system-level analyses, truncation is not a concern. For the event sequence truncation, a detailed study was performed to ensure that a sufficiently low truncation value (1E-14) was used. This F&O is considered to be closed.
Finding No. F&O QU-4, Supporting Req'mt AS-A7, Capability Category (CC) N/A
Description
Following a reactor trip, loss of all DC, and success of offsite power, RCP seal integrity questions are asked without determining the probability of failure of the operating charging and PCCW pumps. Include hardware faults of the running pumps as part of the necessary logic for RCP seal LOCA.
This appears to lead to overestimating reactor trip contribution to CDF.)
Disposition for WCAP-14333 and WCAP-15376 LAR
Actions to Address Finding
1. In the 2002 model, the sequence "reactor trip -and- loss of all DC power" goes to MELT because EFW and SUFP require at least one train of DC power. Also, the PORVs are failed given loss of DC power. Thus, this sequence goes to MELT because both AFW and Feed & Bleed cooling are unavailable (not the seal LOCA sequence).
2. While there is opportunity for recovery of an AFW pump (by locally starting either pump), the probability of loss of both DC buses is extremely small (3E-7). Also, this may cause other plant conditions that would confuse the operator. Thus, no operator recovery credit is taken.
Acceptability Evaluation Section 5.1.4.1 discusses losses of single DC buses as an initiating event and Table 5.1-2 notes that losses of the second DC bus is modeled as a top event in the loss of a single DC bus logic (i.e., a second bus fails following the initial bus failure leading to loss of all DC). The GDOC response states that a loss of all DC goes directly to core damage due to the failure of the EFW and SUFP and inability to perform feed and bleed cooling. So consideration of an RCP seal LOCA during this event is a moot point.
From the overall sequence of events, one can infer this from the support system event trees and the TRANS event tree logic rules described in section 4 of the Tier 4 documentation.
Random failure of the second DC bus is captured in the event tree analysis as stated in table 5.1-2. Loss of all DC power will result in core damage. These sequences are of very low frequency - LDCPA with DC-B failure is sequence #42 and LDCPB with failure of DC-A is sequence #43; each sequence contributes only 0.4% to the total "transient" group CDF. These are perhaps less important sequences than others and do not necessarily warrant special description beyond the description of the loss of a single DC bus, which is described in the special initiator section. This F&O is considered to be closed.
Finding No. F&O QU-9, Supporting Req'mt QU-E4, Capability Category (CC) N/A
Finding No. F&O MU-2, Supporting Req'mt SY-A2, Capability Category (CC) N/A
Description At present no parametric uncertainty analysis exists based on the current plant model.
While such studies were performed for earlier versions of the SSPSA, the results have significantly changed (internals are far less dominant) and the uncertainty distribution may no longer be valid. At present there is no formal analysis which addresses plant specific uncertainty or sensitivity issues. For example, cases where thermal hydraulic analyses predict only small margins for success in terms of the number of trains required, or the time available for operator actions, are prime candidates. Other examples might be cases where unique success criteria or modeling have been applied such as for feed and bleed and for RWST make up following LOCA.
Perform a set of sensitivity runs and a qualitative or quantitative uncertainty analysis for the model. Risk achievement analyses may be used to focus the search for potentially significant cases.
During a review of plant design changes incorporated into the 1999 PRA models, it appeared that Design Change Request (DCR) 89-061 had not been incorporated into the service water fault tree. This DCR deleted the cooling tower fan auto-start feature. Therefore, a human error basic event was to be added to the service water fault tree. The service water fault tree did not appear to have been modified. Also, the PRA documentation still includes the cooling tower fans being actuated by a TA signal. It is believed that this is an isolated occurrence.
However, the host utility should check for any others.
Disposition for WCAP-14333 and WCAP-15376 LAR
Actions to Address Finding An analysis has been performed to address model uncertainty, assumptions and sensitivities. As part of this analysis, all event tree top event split fractions were quantified using Monte Carlo to develop an uncertainty distribution. Also quantified the system initiating events with Monte Carlo. These uncertainty distributions are updated periodically during the data update process.
Quantified uncertainty for dominant sequences for CDF and LERF. The model uncertainty analysis is documented in report: "Uncertainties, Assumptions, & Sensitivity Analysis" as part of the PRA Tier 3 documentation. This report documents a number of sensitivity cases that address key model uncertainties and assumptions and addresses how the PRA model is affected by each uncertainty. Uncertainties and key assumptions for internal flood events are addressed in SSPSS Section 12.1.10.4.
Acceptability Evaluation Parametric uncertainty analyses were performed for both CDF and LERF, as summarized in Section 2 of the Tier 2 PRA documentation. The "Uncertainties, Assumptions, and Sensitivity Analysis" Tier 3 documentation provides an extensive evaluation of key assumptions and sources of modeling uncertainty. The assumptions and source of uncertainty for the model as a whole was addressed. This F&O is considered to be closed.
Actions to Address Finding A review of the PRA documentation (Service Water Notebook) indicated that this DCR had indeed been incorporated in the PRA model. In fact, the system notebook describes the modeling of the cooling tower and indicates that the operator must manually initiate CT operation and provides a justification for why this action is not modeled. The Service Water notebook was updated to ensure completeness.
Also, a review of DCRs for the 1999 update was performed to ensure that all DCRs that impact the PRA model were addressed (1999 PRA Update). Refer to the Service Water System Notebook, SSPSS Section 10.3.4.3(5), Operator Action Modeling.
Finding No. F&O AS-A9-1, Supporting Req'mt AS-A9, Capability Category (CC) Met
Description Incorporate this DCR into the system fault tree/notebook.
The ASME Category II capability for this SR requires the use of realistic, applicable T/H analyses for accident sequence parameters. Category III requires use of realistic, plant specific T/H analyses.
Although most of the SSPSS parameters have supporting calculations that are plant specific, it appears that some would benefit from more realistic analyses. In at least one case (i.e., CST depletion) more realistic analyses may impact sequence development (and are dependent on whether the EFW
Disposition for WCAP-14333 and WCAP-15376 LAR
Acceptability Evaluation Document SSPSS-2014 section 10.3.4.3 was reviewed. The auto-start of the cooling tower fans was removed from the model. Section 10.3.4 (page 171), item "(5) Operator Action Modeling" describes the operator actions that are modeled to adequately reflect the SW system reliability. This section (on page 172) provides the following with regard to the action to start the cooling tower fans: "The operators also have to manually initiate cooling tower fan operation after a TA signal. This action is not explicitly modeled, but is part of the long term success of the cooling tower. If the air temperature is below freezing, the operators must monitor the return flow temperature to avoid ice buildup in the tower tile. It is assumed that, once the operators diagnose that they need to actuate the cooling tower, they can perform this action highly reliably based on the simple nature of the early actions and the long term nature of the ice buildup concern."
The above provides the basis for the human action model. A judgment was made and documented that the action is highly reliable and thus was not explicitly modeled. Discussions with SBK staff confirmed that they have hours to take this action and there wouldn't be any scenario in which cooling would be rapidly degraded if they didn't start the fans. There was no intention of building an explicit HEP basic event for this action. The human action required to operate the fans is, in fact, considered in the model as highly reliable, as documented in 10.3.4. Therefore, this F&O is considered to be closed.
Actions to Address Finding The 2005 update effort used MAAP to provide substantial additional plant-specific, realistic support. In some cases such as the CST example noted, hand calculations were considered to be appropriate and were reviewed to assure adequate realism. The actions below were taken to address realistic/plant specific success criteria: Listed all current Level 1 success criteria, including impact of power uprate, RCPs, IA, etc. Identified current basis for success criteria. Ran series of MAAP runs
Finding No. F&O HR-G4-1, Supporting Req'mt HR-G4, Capability Category (CC) Met
Description pump or SUFP is running). Expectation for future applications is more extensive use of realistic codes (e.g., MAAP), as applicable.
In general, the time available to complete actions is based on either generic T/H analyses for similar Westinghouse 4-loop plants or plant-specific analyses. Several issues were identified that may point to the need for establishing a more thorough and realistic basis. For example: The write-up for the operator action ODEP1 for SBO events states that 8.8 hours are available to perform this action, which is based on 9.8 hours to core damage from WCAP-16141, less one hour to restore equipment. However, WCAP-16141 states that without depressurization, core damage can occur as early as 2.7 hours. Therefore, the time available to perform this action should not exceed the time to core damage without credit for the action. It should be noted that WCAP-16141 does not specifically mention when depressurization must begin, but it seems to be assumed that depressurization will typically begin within 30 - 45 minutes.
Since this action has a low F-V and RAW
Disposition for WCAP-14333 and WCAP-15376 LAR
where needed to provide basis. Refer to the SSPSS Section 5.2.5 Bases for Success Criteria for the most recent summary of the MAAP cases. This section presents the plant-specific MAAP cases that support a number of success criteria. The more recent MAAP cases include assessment of CST inventory depletion and the timing for refill actions, described in SSPSS Section 11.3.14 (action OCSTM).
Acceptability Evaluation SSPSS Section 5.2.4 identifies the bases for the sequence success criteria and SSPSS Section 5.2.5 provides the details of the MAAP runs cited in Section 5.2.4. MAAP cases are used to support all of the sequence success criteria for which MAAP can be used. SSPSS Section 11.3.14 provides a MAAP case reference that is used to establish the time to CST depletion.
These actions address the general concern that some SSPSS parameters would benefit from more realistic analyses as well as the specific concern identified regarding the use of hand calculations to estimate CST depletion timing.
This resolution addresses the concern of the F&O.
Actions to Address Finding Revised the HRA Calculator quantification using time windows from Seabrook Station-specific MAAP runs. The time windows are based on the success criteria analysis using a number of MAAP runs documented in SSPSS Section 5.2.5 or on hand calculations documented in SSPSS Section 16. The at-power HRA is documented in SSPSS Section 11.0. The basis for the time available is documented for each human action. For example, the time window for sump recirc actions (see Section 11.3.5) is based on calculations in Section 16.1.5. The timing of the cue is factored into the HRA through the delay time, as required for each action. For example, Feed & Bleed action (Section 11.3.8) includes a delay of ~28 min to account for the time to boil off to the SG level cue for a general transient and a delay of ~8 min for a LMFW transient.
Acceptability Evaluation Document SSPSS-2014 section 11.3.8 was reviewed. Review of the F&O resolution
importance, SR HR-G4 is judged to be satisfied. WCAP-16141, which is used as a basis, assumes that the turbine-driven AFW pump supplies 1145 gpm, which seems to exceed the capacity of the Seabrook Station TD AFWP. The basis of the time available for operator action ODEP3 does not appear to be realistic. SSPSS-2004 credits post-LOCA cooldown and depressurization for MLOCA with high head injection (HHI) success.
Operator Action timing (3.8 hours) is based on a small LOCA, not MLOCA. The success criteria indicates that only 42.8 minutes are available before reaching low-low level for MLOCA. While it is true that MLOCAs at the high end of the spectrum should not require this action and MLOCAs on the low end of the spectrum behave more like a small LOCA, the majority of MLOCAs will be in between. Using the average timing between the high end (42.8 minutes) and low end (3.8 hours) would not leave enough time to successfully establish low pressure recirculation prior to reaching the RWST low-low level switchover set point. The time assumed to be available for feed and bleed using the Safety Injection (SI) pumps, which is based on the time until SG dryout, may not be realistic. It would seem that establishing feed and bleed with the charging pumps would have different timing than establishing feed and bleed with the SI pumps due to the lower shutoff head of the SI pumps. In particular, while waiting until SG dryout could allow successful feed and bleed cooling using the charging pumps, it isn't clear that waiting until SG dryout would allow successful feed and bleed cooling using the SI pumps.
The time available for operator action HH.ORSGC2.FL is 2.3 hours, which is based on time to core damage. However, restoring secondary cooling at the time of core damage will not prevent core damage.
In order to prevent core damage, secondary
Disposition for WCAP-14333 and WCAP-15376 LAR
indicated that time windows used in the HRA that had been based on generic T/H analyses for similar Westinghouse plants had been revised to be based on plant-specific MAAP runs. The specific HEPs identified in the Description of Finding were reviewed and were confirmed to now be based on plant-specific MAAP analyses.
Additional spot checks confirmed that many additional HEPs also had time windows based on plant-specific MAAP runs. This resolution addresses the concern of the F&O.
Finding No. F&O HR-G7-1, Supporting Req'mt HR-G7, Capability Category (CC) Met
Description cooling must be completed earlier (e.g., core uncovery). With respect to the items identified: Reevaluate the time available to perform RCS cooldown and depressurization following an SBO. Also evaluate the applicability of WCAP-14161 assumptions regarding flow from the turbine-driven AFW pump. Re-evaluate the time available used to quantify operator actions for depressurization and feed and bleed by performing sequence-specific MAAP (or other) thermal-hydraulic runs.
In the case of operator action to perform depressurization for MLOCA sequences, T/H runs may need to be performed for an "average" MLOCA break size. Use MAAP or some other calculations to determine the latest time at which secondary cooling can be restored and still prevent core damage.
More generally, complete the ongoing effort to establish appropriate timeframes using realistic codes (e.g. MAAP).
Dependency between multiple human actions was considered, and the process for quantifying dependencies is described in SSPSS-2002. This appears to be a good approach. However, there is no guidance as to how to identify sequences with multiple operator actions for inclusion in the dependency analysis. Also, while the matrix showing dependency between two operator actions is good, it does not include new actions since the 2002 update. The review discovered at least two examples where dependencies appear to be inadequately addressed: (1) The dependency between operator actions ORSGC and OFB does not appear to be modeled, other than time consumed associated with responding to feed and bleed criteria. There is also some dependency in diagnosing the loss of secondary heat sink for these two actions. (2)
The procedural guidance in Functional Restoration Procedure FR-H.1 for aligning fire water is contained in the RNO column of Step 14, which is predicated on not being
Disposition for WCAP-14333 and WCAP-15376 LAR
Actions to Address Finding The following actions were taken to address the F&O: 1. Identified all dynamic actions embedded in hardware top events. 2. Created new Operator Action top events, separate from hardware where appropriate. 3. For PCCW, redefined System split fractions to be conditional on Operator Action OPCC and added house events. 4. Added new top events to event trees. 5. Modified logic rules to account for operator action dependency to system. A detailed dependency analysis was conducted of all operator actions that may appear in the same accident sequence group. This accounts for time resources as well as other cognitive-related factors impacting one HFE on another. This analysis is documented in SSPSS Section 11.8.
In addition, the dependency analysis process is documented in instruction PRA-106, Section E.4.
The HEP dependency analysis was originally developed in response to Findings MC#173 & MC#184 (PR-1999). The analysis was expanded
Finding No. F&O 4-6, Supporting Req'mt IFQU-A7, Capability Category (CC) Not Met
Description able to open the PORVs. However, if the PORVs are opened too late, the procedure will not direct the operator to establish fire water to the SGs. This dependency is not modeled. Although significant progress has been made in this area since the 1999 peer review, it appears that there remains a need to develop an overall process for identifying multiple operator actions that need to be addressed in the dependency analysis.
Appendix 12.1H describes assumptions and uncertainties. However, the level of detail with respect to sequence reviews and results, including integration are not judged to be of sufficient detail (e.g., QU-A3, D1, D5, D6, D7, E3). Integration into internal event QU notebook will resolve some of this. Possible Resolution: Review the analysis results and identify additional risk insights or areas for enhancement.
Disposition for WCAP-14333 and WCAP-15376 LAR
in Section 11.8 in response to Finding MC#538 (PR-2005).
Acceptability Evaluation Document SSPSS-2014 Section 11.7.2 was reviewed. The dependency analysis is discussed in detail in section 11.8. The methodology and the analysis are reasonable. The combination of more than two operator actions per scenario is discussed and the methodology for analyzing the dependency is discussed. RISKMAN rules are used to capture dependencies as necessary.
This section satisfies the F&O and the SR. This F&O is considered closed.
Actions to Address Finding IF analysis sequence review and results review were performed collectively, in an integrated fashion with all Level 1 results. No issues were identified with IF sequences. IF dominating sequences are described in SSPSS Section 12.1.10 and are reasonable and as expected for the model inputs. It is noted that the initial review of sequences identified the potential need to reduce flooding risk in the Control Building.
This led to the proposed modification to install the flow reducing orifice in the FP piping upstream of the CB.
Acceptability Evaluation The internal flooding results are discussed as part of the overall Level 1 results in section 2.2.3 of the Tier 2 PRA documentation. As part of that integrated documentation, most of the various QU requirements are addressed (e.g., truncation sensitivity, significant and non-significant cutset/sequence reviews, important basic events, etc.) The specific flooding results are also separately discussed in Section 12 and in Appendix 12.1K. The flooding results spreadsheets in Appendix 12.1K include important flood initiators, doors, human errors, etc. The combined documentation in these sections address the QU SRs that were specifically noted in the F&O. See also F&O 4-7. This F&O is considered to be closed.
Finding No. F&O 4-9, Supporting Req'mt IFQU-B3, Capability Category (CC) Not Met
Finding No. F&O 5-2, Supporting Req'mt IFSO-B3, Capability Category (CC) CCIII
Description The completeness of assumptions and sources of uncertainty in the pipe failure data (e.g., error factor, applicability of data), failure probability of doors, generic data and modeling choices needs to be reviewed against other industry studies. Possible Resolution: Review all the inputs to quantification and identify additional assumptions to ensure all sources of uncertainties and assumptions are included.
Appendix 12.1H acknowledges uncertainty in break flow rate. Need to expand uncertainty review to discuss other source related uncertainties such as maintenance-induced events and potential, if any, source pressure or temperature impacts. Also, discuss potential for breaks or human induced events greater than assigned (i.e., catastrophic CW expansion joint failure could far exceed 56,000 gpm). Potential for larger floods can represent key insights.
Specifically, CW flood rates greater than 56,000 gpm could represent a more significant threat to the Essential Switchgear rooms due to the configuration at Seabrook. Possible Resolution: A small enhancement to the uncertainty notebook should identify the potential for CW flood rates higher than 56,000 gpm. Combined with any uncertainty in the capacity of Door C102, this can be a major insight regarding overall plant risk.
Disposition for WCAP-14333 and WCAP-15376 LAR
Actions to Address Finding A check of the data and assumptions used in the internal flooding study was performed for reasonableness and for identification of additional uncertainties. Appendix 12.1H, Uncertainties was revised to clarify/ensure areas of uncertainty and important assumptions are adequately captured and characterized. Refer to SSPSS Section 12.1.10.4 for the latest flood analysis list of uncertainty and assumptions.
Acceptability Evaluation Additional uncertainties and assumptions were identified and documented in Section 12.1.10.4 of the SSPSS 2014 Update (specifically Table 12.1.10-4) and Appendix 12.1H. The Tier 3 PRA documentation provides a review of sources of uncertainties and key assumptions in each of the internal flooding technical areas. The evaluation in this appendix addresses the issues noted in the F&O. This F&O is considered to be closed.
Actions to Address Finding Tier 3 Appendix 12.1H identifies assumptions and uncertainties. No major uncertainties or assumptions were associated with identification of sources. Other assumptions and uncertainties are associated with assumed flow rates (e.g., tendency to assume highest flow rate) and completeness of human induced events (lack of data). To specifically address the CW flood rate, a sensitivity evaluation was performed to conservatively determine the risk significance of a postulated maximum CW flood event. The maximum CW break flow was estimated at approximately 300,000 gpm. A door failure evaluation was performed to estimate the capacity of the various door configurations at Seabrook. Doors C102, C101 and C100 provide an interface between the TB and ESWGR-A.
The door evaluation indicates that the capacity of these types of doors loaded against the jam/frame is in excess of any credible flood height in the TB. In addition, other doors in the Turbine Building are expected to fail at considerably less water height - approximately 10 feet (or less) and there is an unlatched door on the east side near condensate polishing that opens out. The benefit of this door was not
Disposition for WCAP-14333 and WCAP-15376 LAR
credited. Once a flood height of ~10 ft or less is achieved, failure of these other doors (which includes the rollup doors, glass sliding door, misc. double doors) is expected to vent the flood water to outdoors and result in a steady-state water level in the TB of ~4 feet. It is noted that this TB flooding scenario is likely to cause a loss of offsite power or fail non-essential electrical buses, resulting in a trip of the flooding source - the CW pumps long before there is propagation impact in the essential switchgear rooms. Based on the above, a conservative flood scenario was developed as sensitivity case FOTCWS. Based on this sensitivity case, the CDF from a postulated maximum CW break event in the TB is approximately 1E-09/yr. This scenario is screened from further detailed evaluation using criterion QN4a - Specific flood source in a flood area with CDF < ~1e-9 per yr based on flood-initiated accident sequences from a specific flood source in the flood area. This assessment is conservative. Realistic modeling would eliminate conservatisms and further reduce the impacts. The max CW flooding sensitivity case is documented in Tier 3 IF Appendix 12.1F Section 19.
Acceptability Evaluation Appendix 12.1H discusses the sources of uncertainty. The F&O specifically concerns possible worst-case CW flood scenarios with subsequent door failures that allow water to flow into vital areas. Based on additional evaluations, the PRA still notes that there are no specific sources of uncertainty pertaining for flood areas and sources. However, human-induced flooding is noted as a source of uncertainty separately in Table 12.1.10.1. To support the conclusion that a worst case CW break is not a significant contributor, an additional sensitivity case was developed for this CW pipe break. Structural evaluations for the key doors were also performed to show that these doors would not fail during a CW flood event. Beneficial failures in the turbine building were neglected, other than crediting a 90% likelihood of a LOSP occurring (which would trip the CW pumps to end the flood event). The results of the sensitivity case demonstrate that the worst-case CW break can
SBK-L-18089
.*\\
--~
-~ -
- -r
~, *
., '.J.)i~I~ 3:4.i 'Disposition a_nd.Resoiutiin ~t R~~olv¢d *p~~r R~vie~ Findings '.l(m(s~ii,Assessifi~ntlten,s. p
- * *l** ****.
- r.
- ' f Capllbility Fi.rJ..ding
- S.gppo("tin~.
- i Dispiisitfo)!. fo)"\\Y~,'.\\:1'~143}3_:uidWC;AP-
.. Cate_gory. *
<<DesJtiptioil
- No.
R,eq!int.
- 15376 LAR
. ***" :,i,,.. r~,, *.. ;...
{CC)_.
.;,.-.~*... r:.:*'.
F&O 5-3 IFSN-A2 CCIII be screened on the basis of very low probability.
On the basis of the sensitivity study and the fact that significant source of uncertainty are not generally associated with PRA technical areas IFPP and IFSO, this F&O is considered to be closed.
Description
The assessment indicates that there are some "rugged" doors capable of withstanding a water-height of 6-7 feet. These were walked-down for the peer review and they are indeed rugged in appearance. However, there is limited basis for door capacity other than "Industry Sources" which include a PWR OG email. The EPRI Flood Guideline says the following: If there are doors within the boundaries of the area then the following guidance can be applied: Water tight doors should be considered as failing only through human actions. If the door is alarmed its failure probability can be considered to be zero. If the door is not alarmed then assume the normal egress failure condition of a door opening out of the flood area if the water tight door opens out of the area. If the water tight door opens into the area then consider the failure probability to be zero. Normal egress and fire doors should be considered failed after 3 foot of flood level if the door opens into the area. Normal egress and fire doors should be considered failed after 1 foot of flood level if the door opens out of the flood area. The 1 and 3 foot EPRI Guideline should be used unless a higher value can be justified. While the doors are clearly rugged, some more detailed justification should be presented.
Possible Resolution: The plant has design information for HELB doors which are rated for 6 psid (13 feet of water). Perhaps a comparison between these doors and the "rugged" doors could demonstrate equivalency. Alternately, there may be some engineering inputs that could better quantify and justify "ruggedness".
Actions to Address Finding
A structural evaluation of typical doors at Seabrook Station was performed and documented in a calculation, "Structural Evaluation of Door Capacity Under Flooding Loading Conditions". The evaluation was performed for 3 "typical"-type doors including: (1) rugged security door, (2) industrial 3-hour rated fire door, and (3) double-wide industrial door with and without a center locking pin. The evaluation addressed the difference in potential failure when each type of door is loaded against its frame/jamb (stronger door configuration) versus being loaded against its latch and hinges (weaker door configuration). It is noted that the door frames at Seabrook are embedded into the adjacent concrete and are not supported by installed anchor bolts. This represents a much stronger configuration than a conventionally installed frame with anchor bolts. Door capacity/failure insights from the structural evaluation are included in IF Tier 3 Appendix 12.1A, Methodology. Door failures and the resultant propagation are assessed on an individual door/scenario basis. If the scenario's floodwater height does not exceed the door's capacity, the door is not expected to fail and is assumed to remain intact with only gap leakage contributing to propagation. On the contrary, if the scenario's floodwater height exceeds the door capacity, door failure is assumed and the resulting propagation is via the failed (open) door. No credit is given for failure of a barrier to limit the flood consequence without some assessment of the door failure potential.
Acceptability Evaluation
IF Tier 3 Appendix 12.1A section 5.1, Door Failures, was reviewed. This section references a structural evaluation, Calculation C-S 100146, Structural Evaluation of Door Capacity under Flooding Loading Conditions, Revision 0. This calculation satisfies the F&O and provides justification for the door heights used in the flooding analysis. This F&O is considered to be closed.

Finding No.: F&O 5-5; Supporting Req'mt: IFSN-A9; Capability Category (CC): CC III
Description
Flood calculations are available in spreadsheets linked to the master summary for each area. However, these are dynamic and direct identification of key parameters can be difficult. For example, a key time for TB flood response is 11 minutes. In the spreadsheet related to this parameter (Turbine Buidling.xls) the flow rate was set to 15000 gpm versus the defined source value of 56,000 gpm. Therefore, the 11 minute time estimate was not depicted by the spreadsheet. In addition, some spreadsheet worksheets and tables are not used in the analysis and have confusing negative signs. This is all an unnecessary distraction in an already complicated analysis. Tractability between the flood area definition and HRA is required to justify the analysis.
Actions to Address Finding
Internal flooding F&O 5-5 (IFSN-A9) identified a potential documentation issue and there were no discrepancies in the assumed flooding flow rates used to develop the associated scenarios. The proper internal flooding flow rates estimated for the various flood sources in the plant, including the Turbine Building, are used in the development of the associated flooding scenarios. A snapshot of spreadsheet calculations has not been provided. However, all spreadsheets have been cleaned up and all superfluous spreadsheets and information have been eliminated. Spreadsheets are also referenced in the text and master tables to improve retrievability. Refer to IF Tier 3 Appendix 12.1F for IF scenario descriptions and referenced spreadsheets used to calculate flooding flow rates and propagation rates.
Acceptability Evaluation
As noted in the GDOC, a review of all of the flood documentation and calculations was performed to remove extraneous information and to ensure that all values shown in the reports and the supporting tables and spreadsheets are consistent. References to the supporting documentation were added to the Appendix 12.1F report. In addition, to support future updating, data that is likely to change (e.g., flooding initiating event frequencies) are highlighted in red. Spot checks of data in various places did not identify any inconsistencies. This F&O is considered to be closed.

Finding No.: F&O 5-9; Supporting Req'mt: IFPP-A2; Capability Category (CC): CC I
Description
Specific rooms are discussed in the detailed analysis but there appears to be no specific definition at the room (or combined room level). There is no definition of what specifically constitutes a flood area other than the Building Level definitions presented in Appendix 12.1B Summary Table. Room level definition is left to be inferred based on discussions within the detailed analysis.
Possible Resolution: Provide a table, or equivalent, that provides a link between the High Level Areas discussed in Table 12.1B and the detailed discussion of individual rooms in Appendix 12.1F. This could focus on the Fire Zone identifiers, which is a common approach for this issue at other plants, or could involve some other defined grouping.
Actions to Address Finding
A new table is developed to define the Seabrook flood areas within the various buildings. The new table "Flood Area Definition" is contained in IF Tier 3 Appendix 12.1B and is discussed in Section 3.0 of Appendix 12.1A, Internal Flooding Methodology. The flood areas are defined using the fire areas/rooms identified on the Seabrook Pre-Fire Strategy drawings.
Acceptability Evaluation
Section 3.0 of Tier 3 IF Appendix 12.1A was added and Table 12.1B (in spreadsheet format) was developed that identifies the rooms/areas that are grouped to define flood areas for each building. This table also includes propagation paths associated with each defined flood area. This F&O is considered to be closed.

Finding No.: F&O 5-13; Supporting Req'mt: IFSO-A4, IFSN-A12; Capability Category (CC): Not Met
Description
Limited evidence of review of potential for maintenance or operationally induced flooding events. Review of potential for maintenance induced floods is a specific requirement.
Actions to Address Finding
IF Tier 3 Appendix 12.1A, Section 4 Flood Mechanisms and Maintenance-Induced Flood Events documents the review of maintenance-induced flooding events. A review of the potential for maintenance-induced flooding events is performed for the major flood source systems. These systems included: CW, SW, FP and PCCW. The potential for maintenance-induced flood events from other sources, for example DW, PW, RW are judged to be less limiting because of their lower flooding flow rates. Development of maintenance-induced flooding events included performing a review of industry and plant-specific flood OE, performing a general survey of all Seabrook Work Orders (WO) performed on these systems between 1990 and 2009 to identify any potential flood related maintenance events, an assessment of water hammer potential, and a discussion with the respective system engineer. Based on the overall review performed, maintenance-induced actuation of fire protection deluge systems (inadvertent FP actuation) in the CSR, DG Fuel Tank Rooms and TB is specifically accounted for in the flooding risk assessment. Other maintenance activities including water hammer phenomena are judged not to have a significant potential to initiate flooding events; their likelihood to cause a flooding event is very low and judged to be adequately accounted for in the random flood initiating event frequencies.
Acceptability Evaluation
A detailed discussion of the maintenance-induced flood events is provided in Section 4 of Tier 3 IF Appendix 12.1A. This discussion bins flood events into a number of categories (tank overfill events, flow diversion events, inadvertent FP actuation events, etc.) and evaluates each category's impact at Seabrook. Section 4 also identifies a number of systems (CW, SW, FP and PCC systems) that are considered major flood sources and evaluates each one to qualitatively determine if it is a candidate for inclusion in the model as maintenance-induced flooding event. Ultimately it was judged that the only maintenance-induced flooding event applicable to Seabrook is inadvertent fire protection deluge system during testing/maintenance. No other maintenance-induced flooding events were expected to be significant contributors to risk at Seabrook. This F&O is considered to be closed.

Finding No.: F&O 5-14; Supporting Req'mt: IFSO-A5; Capability Category (CC): CC III
Description
Basis for flow rates is not specified (e.g., Page 31, Appendix 12.1F, says 24" SW discharge pipe is ~12,000gpm). No apparent basis for the 12,000gpm value is presented. The assignment of break flow rates is a key analysis input and specific, traceable basis for the values is required. Values reviewed seem reasonable but slightly more than just a documentation issue in that basis is not specified.
Actions to Address Finding
Additional flow calculations were performed to improve the basis for the selected scenario-specific break flow rates. Application of these flooding flow rates is described in IF Tier 3 Appendix 12.1A, Section 3.0, Scope, and is summarized here.
SW Maximum Break Flow Rate: Maximum SW pipe break flow rates were developed by specific calculations using the plant's SW flow model and ProtoFlow software. Specific SW calculations were performed for scenario development in the PAB, TB and yard. Maximum SW break flow rates at other locations (SWPH and CT) are based on inspection of the SW break calculations performed for PAB and discussion with the SW system design engineer.
Other System Flood Scenario Maximum Break Flow Rate: The flood source maximum break flow rates used in this analysis for other systems (primarily for FP, CW, DM, PW and tank gravity drain) are based on either: (1) a specific break flow spreadsheet calculation based on actual/conservative system characteristics using flow equations/methodology in Crane Technical Paper 410 or, (2) the maximum break flow rate for the specific pipe size and pressure conditions as suggested in the Appendix C of the EPRI methodology. The maximum break flood scenarios developed in the master tables identify the scenario's maximum estimated break flow and its source reference (either specific spreadsheet calculation or EPRI).
Flood Scenario Flow Rates Other Than Maximum: The flood source flow rates for scenarios other than maximum are based on the EPRI methodology for categorizing spray, large and major flood events depending on the flood source capacity. Spray-type events are assumed to be in the flow range of 0 to ~100gpm; large flood events are in the flow range of 100 to ~2000gpm and major flood events are in the range of 2000gpm to the maximum capacity. The flow rates used in the scenarios (other than the maximum flow rate) are also identified in the master tables with its EPRI source reference. It is noted that although a flow range is specified, the timing for each scenario (time to equipment damage, time for operator mitigative actions, etc) is conservatively based on the upper bound of each flow rate range.
Acceptability Evaluation
Additional flow calculations were performed using the plant's SW flow model and ProtoFlow software as discussed in Section 3 of Tier 3 IF Appendix 12.1A Items (c) and (d). Item (e) specifies the maximum break flow rates and where the values were obtained from. The flow rates and their associated references are now documented in the Master Tables for the various flood areas as described in Section 3 of Tier 3 IF Appendix 12.1A. This F&O is considered to be closed.

Finding No.: F&O 5-16; Supporting Req'mt: IFSO-A5; Capability Category (CC): CC III
Description
Some additional, clarifying discussion would be beneficial within the master table. Consider the following example and address this and similar cases appropriately. Item 6 in the Control Building master table addresses Initiator FlCFPS. The master table indicates that propagation to ESWGRB (correct to be ESWGRA) is screened based on highly reliable mitigation. A separate column provides a time window of 145 minutes. The reviewer infers from this that mitigation is highly reliable for this case because a long time is available for operator action (i.e., > 2 hours). However, this is not clearly stated. Clearly identifying not only the screening criteria but specific attributes that allow criteria to be met provides the most comprehensive and reviewable screening summary.
Actions to Address Finding
The timing basis for highly reliable operator actions was reviewed, and each is consistent with the screening criteria. Refer to IF Tier 3 Appendix 12.1F (Scenario Detailed Screening) and Appendix 12.1D (HRA). The scenario screening description includes the timing basis for all operator actions including those credited as highly reliable actions. It is noted that the IF flooding documentation was reviewed and revised as needed to clarify the scenarios and timing for operator actions. In addition, many scenarios in the Control Building were revised/replaced due to the installation of the FP flow reducing orifice, which was a PRA-identified plant enhancement to reduce internal flood risk. Because of this revision, initiator FlCFPS (mentioned by the reviewer) no longer exists.
Acceptability Evaluation
A detailed evaluation of "highly reliable actions" is provided in section 6.1 of Appendix 12.1D of the PRA. The scenario screening description includes the timing basis for all operator actions including those credited as highly reliable actions. As noted in the GDOC response, the master flooding scenario tables for each flood area were also updated and revised to provide additional clarification of timing, where needed, to show the basis for screening various scenarios. Inspection of Section 6.1 of the HRA document (Tier 3 IF Appendix 12.1D) verified that the attributes comprising highly reliable actions (cue location, cue clarity, procedure clarity, complexity, stress, time, etc.) are clearly documented for various flood sizes. This F&O is considered to be closed.

Finding No.: F&O LE-C3-01; Supporting Req'mt: LE-C3; Capability Category (CC): CC I
Description
No credit for repair was taken in the analysis other than recovery of AC power. There was no review of the accident progression sequences for opportunities to credit equipment repair.
Actions to Address Finding
Finding LE-C3-01 addresses the lack of documentation regarding the review of LERF accident progression sequences for possible credit of equipment repair/recovery (beyond AC power recovery). This involved attempting to provide a realistic assessment of accident sequences that end as LERF by appropriately crediting equipment recovery in the Level 2 model. The resolution to this issue is documentation only, with no change to the LERF model. The MCDB provides the formal documentation. All LERF initiators and associated significant accident progression sequences were reviewed for possible additional credit of equipment repair/recovery that could be applied during the accident progression or after containment failure to further reduce the LERF contribution. This review concluded that no additional equipment repair/recovery should be credited/justified in the LERF model. This conclusion applies to both significant and non-significant accident progression sequences. It is noted that non-significant sequences contribute minimally to LERF and therefore are less important when considering possible realistic/conservative measures to yet further reduce their already low LERF contribution. Refer to MCDB #880 for the detailed description of this resolution.
Acceptability Evaluation
MCDB #880 documents a review of the possibility of repair actions that could mitigate LERF for all significant contributors to LERF. The review concludes that no additional repair actions are practical for the significant contributors to LERF. This conclusion is based on considerations of typical timing for the scenarios and the nature of the failures leading to the scenarios. The review is thorough and reasonable. This resolution addresses the concern of the F&O. To the extent that the MCDB is considered part of the PRA model documentation, this resolution meets CC II/III of the SR. This F&O is considered to be closed.

Finding No.: F&O LE-C5-01; Supporting Req'mt: LE-C5
Description
The only relevant system looked at for this SR was AFW (for SGTR scrubbing). No basis for the AFW success criteria, as documented in the SSPSS, Section 10.4.3.3, is given. It is assumed that these success criteria are based on design calculations, not realistic analyses.
Actions to Address Finding
All "small-early" and "large-late" release bins were reviewed to identify if success of a particular system (for example EFW) is credited in the Level 2 analysis, which then allows binning of the sequences as "small" instead of "large" or "late" instead of "early". Such system credit can be thought of as being significant to defining LERF/non-LERF sequences. Of all the release category bins, only bin SE1 - "Small Early Containment Bypass - SGTR with Scrubbed Release" credits a specific system (EFW) for release reduction (scrubbing). SE1
sequences are SGTR sequences that credit use of the EFW system to maintain/re-establish SG water level in the faulted SG thus scrubbing (reducing) the release. SE1 sequences are summarized below along with a realistic EFW "Level 2" success criterion. It is noted that SE2 (Interfacing LOCA) also credits scrubbing for release reduction. However, SE2 scenarios include success of Level 1 injection of HPI until the RWST inventory is depleted. Break flow/HPI causes flooding/submergence of the break (RHR pump seal) located in the lower elevation of the RHR vault. There are no specific systems credited in Level 2 for achieving the flood conditions needed for scrubbing/release reduction. There are no other systems specifically credited in the remaining "small" or "late" release bins that require established Level 2 success criteria. Sequences in these small and late bins are there because of the Level 1 plant damage state and/or containment response.
SE1 - Small Early Containment Bypass - SGTR with Scrubbed Release
The Level 2 PRA evaluates fission product scrubbing for SG tube rupture events that lead to core damage if water inventory can be maintained/re-established in the faulted SG. With successful SG inventory and scrubbing, the sequence release is a "small" early release (MAAP case #103k). The small-early Level 2 sequences depend on success of EFW/SUFP. SAMG guidance in SAG-1 and SAG-5 provide the TSC and plant operators with guidance for restoring SG level (SAG-1) and reducing fission product release (SAG-5) post core damage. SAG-1 guidance considers assessment and alignment (if necessary) of many system options to restore SG inventory including the use of EFW or SUFP pumps. The Level 2 EFW/SUFP success criteria for restoring SG level after core damage are the same as Level 1 sequences. That is, either one of the EFW pumps or the SUFP is capable of providing the required flow to restore level in the affected SG. This is consistent with SAG-1 guidance. This has been documented/summarized in SSPSS Section 10.4.3.3 (4).
Acceptability Evaluation
SSPSS Section 10.4.3.3 describes the Level 2 / LERF success criteria for long-term SG inventory maintenance by restoration of EFW/SUFP following core damage. Success of this function during SGTR sequences allows the sequence outcome to be characterized as a small release due to the radionuclide scrubbing obtained by the overlying water pool in the SGs. "Section 14.6 Source Term Worksheet.xls" provides confirmatory details about the source term magnitudes, which are based on MAAP run #103k. The systems analysis write-up and spreadsheet documenting MAAP runs and predicted source terms represent a realistic, plant-specific Level 2 / LERF success criterion for EFW/SUFP. MCDB #881 also provides additional information concerning why other systems are not explicitly credited in the Level 2 accident sequences. This resolution addresses the concern of the F&O. This F&O is considered to be closed.

Finding No.: F&O LE-C10-01; Supporting Req'mt: LE-C10, LE-C12; Capability Category (CC): CC I
Description
LE-C10 and C12 Category II/III require the REVIEW of significant accident progression sequences to determine whether there is a possibility of continued equipment operation or operator actions in adverse environments of post containment failure. No documentation was found to address this requirement and it is acknowledged that meeting Category I is conservative.
Actions to Address Finding
Finding LE-C10-01 addresses the lack of documentation regarding the possibility of crediting continued equipment operation or operator actions in adverse environments of post containment failure. This involves attempting to provide a realistic assessment of accident sequences that end as LERF by appropriately crediting systems and actions in the Level 2 model. The resolution to this issue is documentation only, with no change to the LERF model. All LERF initiators and associated significant accident progression sequences were reviewed for possible additional credit of equipment or operator actions that could be applied during the accident progression or after containment failure to further reduce the LERF contribution. This review concluded that no additional equipment or operator actions should be credited/justified in the LERF model. This conclusion applies to both significant and non-significant accident progression sequences. It is noted that non-significant sequences contribute minimally to LERF and therefore are less important when considering possible realistic/conservative measures to yet further reduce their already low LERF contribution. Refer to MCDB #883 for the detailed description of this resolution.
Acceptability Evaluation
MCDB #883 documents a review of the possibility of equipment use and/or operator actions that could be taken after adverse conditions or containment failure have occurred to mitigate LERF for all significant contributors to LERF. The review identifies possible operator actions that could reduce LERF for the sequences of interest. The evaluation of the feasibility of these possible operator actions is generally qualitative in nature and concludes that no additional operator actions are practical for the significant contributors to LERF. The review is thorough and reasonable. This resolution addresses the concern of the F&O. To the extent that the MCDB is considered part of the PRA model documentation, this resolution meets CC II/III of the SR. This F&O is considered to be closed.

Finding No.: F&O LE-E4-01; Supporting Req'mt: LE-E4, LE-E1; Capability Category (CC): Met
Description
The LERF result reported in Section 2.4.2 appears to be a point-estimate result rather than the mean of the uncertainty distribution. Most Level 2 events do not have uncertainty distributions and therefore do not propagate through the uncertainty analysis. State of knowledge uncertainty does not appear to be addressed throughout the model. In order to meet the Capability Category II QU requirements, the mean result from the LERF uncertainty should be reported, including consideration of any state-of-knowledge correlation.
Actions to Address Finding
(1) Uncertainty distributions were developed for the remaining Level 2 basic events (split fractions). This was done by modifying the equations for the point estimate split fractions to include multiplication of the point estimate by a LOG Normal data variable (LOGN10). LOGN10 provides a range factor of 10 between the 5th and the 95th and this range factor is judged reasonable for the point estimates, which range in value between approximately 0.5 to 1E-03. This range factor is also consistent with that used in the Level 2 HEP basic event modeling. The Level 2 top events that did not already include uncertainty and were modified under this MCDB action include: XHLI, XNH2E, XNH2V, XRACE, XRACL, XRPV, XSGTI and XSUMP. The LERF uncertainty distribution and associated mean value are quantified using model SB2014 as part of the 2014 PRA update process and final quantification. The LERF uncertainty results are provided in Section 2.4.2 of the SSPSS2014 (Tier 2) report.
(2) The Level 1 and Level 2 sequences were reviewed to identify where the state-of-knowledge correlation might be important. It is noted that the SOKC is explicitly accounted for in the ISLOCA evaluation when determining the mean failure rate and uncertainty associated with failure of similar valves that use the same data variables. Based on review of the sequences, it is judged other sequences would not benefit from application of SOKC corrections. The judgment that other sequences would not benefit from application of the state-of-knowledge correlation corrections was based on a review of sequences and associated group contributions. This is further supported by a check of Monte Carlo (MC) simulation uncertainty results for selected major top event frontline mitigation systems. The check did not identify significant differences between the split fraction MC-generated mean values and the point estimate mean values. This suggested that the key contributors to the selected top events are not particularly sensitive to, or do not involve, multiple occurrences of the same variable. Therefore, the SOKC was judged to be adequately addressed. Refer to MCDB #886 for additional detail on the SOKC assessment.
Acceptability Evaluation
Review of MCDB #886 identified that uncertainty distributions were developed for the top events that previously had not had uncertainty distributions. While the MCDB entry was reviewed and closed, the new uncertainty distributions could not be confirmed by this reviewer. However, review of SSPSS-2014 SECTION 2 Results and Review, Rev. 0 identified that the LERF value is now reported as a mean value of a distribution that is also presented graphically. The attachment to MCDB #886 includes a thorough discussion of the sensitivity of the PRA model to State of Knowledge Correlation (SOKC). This discussion includes quantitative estimates of the possible effect of SOKC on important equipment top events in the Level 1 and Level 2 models. The results of the quantitative sensitivity studies showed that the possible effect of SOKC on CDF and LERF are small (a few percent) and within the model uncertainty. The SOKC sensitivities were also reviewed to identify whether any of the LERF release categories were affected by SOKC; this review is reported to have shown that the LERF release categories are not particularly sensitive to SOKC. As a result of these efforts, it was concluded that no particular modeling action was required to address SOKC. This conclusion is judged to be reasonable. This resolution addresses the concern of the F&O. This F&O is considered to be closed.

Finding No.: F&O LE-G6-01; Supporting Req'mt: LE-G6; Capability Category (CC): Not Met
Description
No documentation of the quantitative definition used for a significant accident progression sequence was found. The Standard definition for a significant accident progression sequence was used for the LERF results, but this fact was not documented. Since this is an HLR-G SR which deals with documentation only, this lack of documentation is categorized as a Finding.
Actions to Address Finding
The definition of "significant accident progression sequences" used in the LERF analysis is consistent with the definition provided in the ASME PRA Standard, Section 1-2 (Definitions) and QU-F6 (Quantification). Refer to SSPSS2014 Section 2.5 "Model Review" and Section 2.5.3 "Review of Significant Contributors to LERF" for improved documentation of significant accident progression sequence.
Acceptability Evaluation
Review of the F&O resolution indicated improved documentation of significant accident progression sequences is contained in SSPSS-2014 SECTION 2 Results and Review, Rev. 0. Review of Section 2.5.3 of the preceding reference confirmed that the ASME standard definition was explicitly cited and that the review was performed consistently with the cited definition of significant accident sequence. This resolution addresses the concern of the F&O. This F&O is considered to be closed.
3.5 Monitoring Requirements Associated with the Implementation
Regulatory Guide (RG) 1.174, Section 2.3 and RG 1.177, Section 3, as part of the key principles in implementing risk-informed decision making, establish the need for an implementation and monitoring program to ensure that extensions to TS AOTs do not degrade operational safety over time and that no adverse degradation occurs due to changes in the licensing basis due to unanticipated degradation or common cause mechanisms. An implementation and monitoring program is intended to ensure that the impact of the proposed TS change continues to reflect the reliability and availability of structures, systems, and components impacted by the change.
Monitoring of system performance parameters is currently performed under Seabrook's Maintenance Rule Program. Seabrook's MR program meets RG-1.160 and NUMARC 93-01, Revision 4A. The current MR program establishes equipment reliability and unavailability monitoring requirements to provide confidence that SSC performance is consistent with performance assumptions.
The monitoring requirements under Seabrook's MR program will be reviewed with respect to the WCAP-14333 and WCAP-15376 proposed changes to ensure that RTS and ESFAS equipment availability continue to be within the applicable performance assumptions of the WCAPs.
4.0 REGULATORY EVALUATION
4.1 Applicable Regulatory Requirements/Criteria
10 CFR 50, Appendix A, "General Design Criteria for Nuclear Power Plants" (GDC) and the Regulatory Guides (RGs) were evaluated as follows:
GDC-2 requires that structures, systems, and components important to safety be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without the loss of the capability to perform their safety functions.
GDC-4 requires that structures, systems, and components important to safety be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with the normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, discharging fluids that may result from equipment failures, and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.
GDC-13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.
GDC-20 requires that the protection system(s) shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.
GDC-21 requires that the protection system(s) shall be designed for high functional reliability and testability.
GDC-22 through GDC-25 and GDC-29 require various design attributes for the protection system(s), including independence, safe failure modes, separation from control systems, requirements for reactivity control malfunctions, and protection against anticipated operational occurrences.
RG 1.22, "Periodic Testing of Protection System Actuation Functions," discusses an acceptable method of satisfying GDC-20 and GDC-21 regarding the periodic testing of protection system actuation functions. These periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident.
10 CFR 50.55a(h)(2) requires that the protection systems are consistent with their licensing basis or IEEE 603-1991 for plants whose Construction Permit was issued before January 1, 1971, or that the protection systems meet IEEE 279-1971 or IEEE 603-1991 for plants whose Construction Permit was issued after January 1, 1971, but before May 13, 1999. As discussed in the Updated Final Safety Analysis Report, Section 7, "Instrumentation and Controls," the Seabrook Station protection systems licensing basis is IEEE Standard 279-1971 "Criteria for Protection System for Nuclear Power Generating Stations."
No change to the Seabrook Station Updated Final Safety Analysis Report description of conformance to the GDCs or the Regulatory Guides is required as a result of the changes proposed in this LAR.
4.2 Precedent
The following list includes some of the plants that have made submittals proposing changes similar to those being proposed in this LAR:
Donald C. Cook, submitted on August 30, 2002, approved on May 23, 2003 as Amendments 277 (Unit 1) and 260 (Unit 2).
Wolf Creek, submitted on December 15, 2003, approved on January 31, 2005 as Amendment 156.
Callaway, submitted on December 17, 2003, approved on January 31, 2005 as Amendment 165.
Comanche Peak, submitted on January 21, 2004, approved on January 31, 2005 as Amendments 114 for both units.
Diablo Canyon, submitted on February 13, 2004, approved on January 31, 2005 as Amendments 179 (Unit 1) and 181 (Unit 2).
Vogtle, submitted on January 27, 2005, approved on September 1, 2006 as Amendments 145 (Unit 1) and 125 (Unit 2).
Virgil C. Summer, submitted on November 15, 2005 (WCAP-14333) approved on October 24, 2006 as Amendment 177.
Beaver Valley Power Station, submitted on December 21, 2007, approved on December 29, 2008 as Amendments 282 (Unit 1) and 166 (Unit 2).
Virgil C. Summer, submitted on December 16, 2015 (WCAP-15376) approved on October 4, 2017 as Amendment 209.
PSEG Nuclear LLC, Salem Station Unit 1 and Unit 2, submitted on December 18, 2017 approved on December 19, 2019 as Amendments 325 and 306.
The Wolf Creek, Callaway, Comanche Peak, Diablo Canyon, and Beaver Valley submittals proposed the changes justified by WCAP-14333-P-A and WCAP-15376-P-A.
The Donald C. Cook and Vogtle submittals proposed the changes justified by WCAP-15376-P-A.
The Virgil C. Summer submittals proposed the changes justified by WCAP-14333-P-A and WCAP-15376 in two separate submittals.
4.3 No Significant Hazards Consideration
In this License Amendment Request (LAR), the Seabrook Station Technical Specifications for the Reactor Trip System (RTS) instrumentation and the Engineered Safety Feature Actuation System (ESFAS) instrumentation are being revised to implement the bypass test time and Allowed Outage Time (AOT) changes that were approved by the NRC in the following documents:
WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
TSTF-411, Revision 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376)."
TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)."
The proposed changes in this LAR do not include any surveillance test interval extensions.
NextEra has evaluated whether or not a significant hazards consideration is involved with the proposed amendments by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:
- 1. Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The overall protection system performance will remain within the bounds of the previously performed accident analyses since no hardware changes are proposed.
The same RTS and ESFAS instrumentation will continue to be used. The protection systems will continue to function in a manner consistent with the plant design basis.
These changes to the Technical Specifications do not result in a condition where the design, material, and construction standards that were applicable prior to the change are altered.
The proposed changes will not modify any system interface. The proposed changes will not affect the probability of any event initiators. There will be no degradation in the performance of or an increase in the number of challenges imposed on safety-related equipment assumed to function during an accident situation. There will be no change to normal plant operating parameters or accident mitigation performance.
The proposed changes will not alter any assumptions or change any mitigation actions in the radiological consequence evaluations in the Updated Final Safety Analysis Report (UFSAR).
The determination that the results of the proposed changes are acceptable was established in the NRC Safety Evaluations prepared for WCAP-14333-P-A (issued by letter dated July 15, 1998) and for WCAP-15376-P-A (issued by letter dated December 20, 2002). Implementation of the proposed changes will result in an insignificant risk impact. Applicability of these conclusions has been verified through plant-specific reviews and implementation of the generic analysis results in accordance with the respective NRC Safety Evaluation conditions.
The proposed changes to the AOTs and bypass test times reduce the potential for inadvertent reactor trips and spurious engineered safety feature (ESF) actuations, and therefore do not increase the probability of any accident previously evaluated. The proposed changes do not change the response of the plant to any accidents and have an insignificant impact on the reliability of the RTS and ESFAS instrumentation.
The RTS and ESFAS instrumentation will remain highly reliable and the proposed changes will not result in a significant increase in the risk of plant operation. This is demonstrated by showing that the impact on plant safety as measured by the increase in core damage frequency (CDF) is less than 1.0E-06 per year and the increase in large early release frequency (LERF) is less than 1.0E-07 per year. In addition, for the AOT changes, the incremental conditional core damage probabilities (ICCDP) and incremental conditional large early release probabilities (ICLERP) are less than 5.0E-07 and 5.0E-08, respectively. As such, these changes meet the acceptance criteria in Regulatory Guides 1.174 and 1.177. Therefore, since the RTS and ESFAS instrumentation will continue to perform their functions with high reliability as originally assumed, and the risk impact as measured by the ΔCDF, ΔLERF, ICCDP, and ICLERP risk metrics is within the acceptance criteria of existing regulatory guidance, there will not be a significant increase in the probability of any accidents.
The proposed changes do not adversely affect accident initiators or precursors nor alter the design assumptions, conditions, or configuration of the facility or the manner in which the plant is operated and maintained. The proposed changes do not alter or prevent the ability of structures, systems, and components (SSCs) from performing their intended function to mitigate the consequences of an initiating event within the assumed acceptance limits. The proposed changes do not affect the source term, containment isolation, or radiological release assumptions used in evaluating the radiological consequences of an accident previously evaluated. The proposed changes are consistent with safety analysis assumptions and resultant consequences.
Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.
- 2. Do the proposed changes create the possibility of a new or different kind of accident from any accident previously evaluated?
Response: No.
There are no hardware changes nor are there any changes in the method by which any safety-related plant system performs its safety function. The proposed changes will not affect the normal method of plant operation. No performance requirements will be affected or eliminated. The proposed changes will not result in physical alteration to any plant system nor will there be any change in the method by which any safety-related plant system performs its safety function. There will be no setpoint changes or changes to accident analysis assumptions.
No new accident scenarios, transient precursors, failure mechanisms, or limiting single failures are introduced as a result of these changes. There will be no adverse effect or challenges imposed on any safety-related system as a result of these changes.
Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.
- 3. Do the proposed changes involve a significant reduction in a margin of safety?
Response: No.
The proposed changes do not affect the acceptance criteria for any analyzed event nor is there a change to any Safety Analysis Limit (SAL). There will be no effect on the manner in which safety limits, limiting safety system settings, or limiting conditions for operation are determined nor will there be any effect on those plant systems necessary to assure the accomplishment of protection functions.
The redundancy of the RTS and ESFAS instrumentation trains is maintained, and diversity with regard to the signals that provide reactor trip and ESF actuation is also maintained. All signals credited as primary or secondary, and all operator actions credited in the accident analyses will remain the same. The proposed changes will not result in plant operation in a configuration outside the design basis. The calculated impact on risk is insignificant and meets the acceptance criteria contained in Regulatory Guides 1.174 and 1.177. Although there was no attempt to quantify any positive human factors benefit due to increased AOTs and bypass test times, it is expected that there would be a net benefit due to a reduced potential for spurious reactor trips and actuations associated with testing.
Implementation of the proposed changes is expected to result in an overall improvement in safety, as follows:
a) Improvements in the effectiveness of the operating staff in monitoring and controlling plant operation should be realized. This is due to less frequent distraction of the operators and shift supervisor to attend to instrumentation Actions with short AOTs.
b) The time provided by the proposed increase in AOTs and bypass test times should reduce the potential for human errors by the personnel performing Actions, corrective maintenance, and Surveillance Testing during these times.
c) The AOT extensions for the reactor trip breakers should provide additional time to complete test and maintenance activities while at power, potentially reducing the number of forced outages related to compliance with reactor trip breaker AOT, and provide consistency with the AOT for the logic trains.
Therefore, the proposed changes do not involve a significant reduction in a margin of safety.
Based on the above, NextEra concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.
4.4 Conclusion
In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
5.0 ENVIRONMENTAL CONSIDERATION
NextEra has evaluated the proposed amendment for environmental considerations. The review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendments do not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendments meet the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendments.
6.0 REFERENCES
- 1. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
- 2. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
- 3. Technical Specification Task Force Traveler, TSTF-411, Revision 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376)."
- 4. Technical Specification Task Force Traveler, TSTF-418, Revision 2, "RPS and ESFAS Test Times and Completion Times (WCAP-14333)."
- 5. NUREG-1431, "Standard Technical Specifications - Westinghouse Plants," Revision 4, April 2012.
- 6. WCAP-10271-P-A, Supplement 2, Revision 1, "Evaluation of Surveillance Frequencies and out of Service Times for the Reactor Protection Instrumentation System," June 1990.
- 7. NRC Letter, "Amendment No. 36 to Facility Operating License NPF-86: Engineered Safety Features Actuation System Surveillance Intervals - License Amendment Request 93-04 (TAC M86155)," dated April 10, 1995, Accession No. ML011910374.
- 8. Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," May 2011.
- 9. Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specification," May 2011.
- 10. Westinghouse Owners Group Letter OG 110, "Transmittal of Response to Request for Additional Information (RAI) Regarding WCAP-14333-P Entitled "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," dated December 20, 1996.
- 11. Westinghouse Owners Group Letter OG-02-002, "Transmittal of Response to Request for Additional Information (RAI) Numbers 4 and 11 Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated January 8, 2002.
- 12. Westinghouse Owners Group Letter OG-01-058, "Transmittal of Response to Request for Additional Information (RAI) Regarding WCAP-15376-P, Revision 0, 'Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times' (MUHP-3046)," dated September 28, 2001.
- 13. NUREG-1742, Perspectives Gained from Individual Plant Examination External Events, Sections 2.3.1.3 (seismic) and 3.3.2.3 (fire)
- 14. NUREG/CR-6850, Supplement 1, NUREG/CR-6850 Supplement 1 (EPRI 1019259), Fire Probabilistic Risk Assessment Methods Enhancements, Electric Power Research Institute, Palo Alto, CA, and U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, September 2010
- 15. NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, March 2009
- 16. EPRI TR-1016737, Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments, December 2008
- 17. NEI Appendix X to Guidance 05-04, 07-12, and 12-13, Close-out of Facts and Observations (F&Os), February 2017
- 18. NRC Staff Memorandum, USNRC Staff Expectations for Industry Facts and Observations Independent Assessment Process, May 3, 2017 (ML17079A427)
Markup of the Technical Specifications
TABLE 3.3-1 REACTOR TRIP SYSTEM INSTRUMENTATION MINIMUM TOTAL NO.
CHANNELS CHANNELS FUNCTIONAL UNIT OF CHANNELS TO TRIP OPERABLE
- 1.
1 2
2 1
2
- 2.
Power Range, Neutron Flux
- a. High Setpoint 4
2 3
- b. Low Setpoint 4
2 3
- 3.
Power Range, Neutron Flux 4
2 3
High Positive Rate
- 4.
(NOT USED)
- 5.
Intermediate Range, Neutron Flux 2
1 2
- 6.
Source Range, Neutron Flux
- a. Startup 2
1 2
- b. Shutdown 2
0 1
- c. Shutdown 2
1 2
- 7.
Overtemperature ~ T 4
2 3
- 8.
Overpower ~ T 4
2 3
- 9.
Pressurizer Pressure-Low 4
2 3
- 10.
Pressurizer Pressure-High 4
2 3
- 11.
Pressurizer Water Level--High 3
2 2
SEABROOK-UNIT 1 3/4 3-2 APPLICABLE MODES ACTION 1, 2 1
3*, 4*, 5*
10 1, 2 2
1##, 2 2
1, 2 2
1##, 2 3
2#
4 3,4,5 5
3*, 4*, 5*
10 1, 2 e
1, 2 1**
e 1, 2 e
1**
e Amendment No. ~. 94-, 444 SBK-L-18089 Attachment 1 1 of 15
FUNCTIONAL UNIT
- 12.
Reactor Coolant Flow-Low
- a. Single Loop (Above P-8)
- b. Two Loops (Above P-7 and below P-8)
- 13.
Steam Generator Water Level--Low--Low
- 14.
Undervoltage--Reactor Coolant Pumps
- 15.
Underfrequency--Reactor Coolant Pumps
- 16.
- a. Low Fluid Oil Pressure
- b. Turbine Stop Valve Closure
- 17.
Safety Injection Input from ESF
- 18.
Reactor Trip System Interlocks
- a. Intermediate Range Neutron Flux, P-6 SEABROOK-UNIT 1 TABLE 3.3-1 (Continued)
REACTOR TRIP SYSTEM INSTRUMENTATION MINIMUM TOTAL NO.
CHANNELS CHANNELS APPLICABLE OF CHANNELS TO TRIP 3/loop 2/loopin any oper-ating loop 3/loop 2/loop in two oper-ating loops 4/stm. gen.
2/stm. gen.
in any oper-ating stm.
gen.
4-2/bus 2-1/bus 4-2/bus 2-1/bus 3
2 4
4 2
1 2
1 3/4 3-3 OPERABLE 2/loop in each oper-ating loop 2/loop each oper-ating loop 3/stm. gen.
each oper-ating stm.
gen.
2 on one bus 2 on one bus 2
4 2
2 MODES ACTION 1
1 1, 2 1**
1**
1 ***
1 ***
1, 2 2#
& ~
11 7
8 Amendment No. ~. 444 SBK-L-18089 Attachment 1 2 of 15 J
This page contains no changes - provided for information only.
TABLE 3.3-1 (Continued)
REACTOR TRIP SYSTEM INSTRUMENTATION

| FUNCTIONAL UNIT | TOTAL NO. OF CHANNELS | CHANNELS TO TRIP | MINIMUM CHANNELS OPERABLE | APPLICABLE MODES | ACTION |
|---|---|---|---|---|---|
| 18. | | | | | |
| b. Low Power Reactor Trips Block, P-7 | | | | | |
| P-10 Input | 4 | 2 | 3 | 1 | 8 |
| or P-13 Input | 2 | 1 | 2 | 1 | 8 |
| c. Power Range Neutron Flux, P-8 | 4 | 2 | 3 | 1 | 8 |
| d. Power Range Neutron Flux, P-9 | 4 | 2 | 3 | 1 | 8 |
| e. Power Range Neutron Flux, P-10 | 4 | 2 | 3 | 1 | 8 |
| f. Turbine Impulse Chamber Pressure, P-13 | 2 | 1 | 2 | 1 | 8 |
| 19. Reactor Trip Breakers | 2 | 1 | 2 | 1, 2 | 9, 12 |
| | 2 | 1 | 2 | 3*, 4*, 5* | 10 |
| 20. Automatic Trip and Interlock Logic | 2 | 1 | 2 | 1, 2 | 7 |
| | 2 | 1 | 2 | 3*, 4*, 5* | 10 |

SEABROOK - UNIT 1 3/4 3-4 Amendment No. 36
TABLE 3.3-1 (Continued)
TABLE NOTATIONS
\* When the Reactor Trip System breakers are in the closed position and the Control Rod Drive System is capable of rod withdrawal.
\*\* Trip function automatically blocked or bypassed below the P-7 (At Power) Setpoint.
\*\*\* Trip function automatically blocked below the P-9 (Reactor Trip/Turbine Trip Interlock) Setpoint.
\# Below the P-6 (Intermediate Range Neutron Flux Interlock) Setpoint.
\#\# Below the P-10 (Low Setpoint Power Range Neutron Flux Interlock) Setpoint.
ACTION STATEMENTS
ACTION 1 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or be in HOT STANDBY within the next 6 hours.
ACTION 2 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
- a. The inoperable Channel is placed in the tripped condition within e-hou~
12 Jt ~
- b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to ~ hours for surveillance testing of other channels per Specification 4.3.1.1, and
- c. Either, THERMAL POWER is restricted to less than or equal to 75% of RATED THERMAL POWER and the Power Range Neutron Flux Trip Setpoint is reduced to less than or equal to 85% of RATED THERMAL POWER within 4 hours; or, the QUADRANT POWER TILT RATIO is monitored at least once per 12 hours per Specification 4.2.4.2.
SEABROOK - UNIT 1 3/4 3-5 Amendment No. ~. 4-44
TABLE 3.3-1 (Continued)
ACTION STATEMENTS (Continued)
ACTION 3 - With the number of channels OPERABLE one less than the Minimum Channels OPERABLE requirement and with the THERMAL POWER level:
- a. Below the P-6 (Intermediate Range Neutron Flux Interlock) Setpoint, restore the inoperable channel to OPERABLE status prior to increasing THERMAL POWER above the P-6 Setpoint, and
- b. Above the P-6 (Intermediate Range Neutron Flux Interlock) Setpoint but below 10% of RATED THERMAL POWER, restore the inoperable channel to OPERABLE status prior to increasing THERMAL POWER above 10% of RATED THERMAL POWER.
ACTION 4 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, suspend all operations involving positive reactivity changes.
ACTION 5 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the Reactor Trip System breakers, suspend all operations involving positive reactivity changes and verify that valve RMW-V31 is closed and secured in position within the next hour.
INSERT ACTION 6A
ACTION 6 - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
- a. The inoperable channel is placed in the tripped condition within ifhou;- and
- b. The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 4-hours for surveillance testing of other channels per Specification 4.3.1.1.
ACTION 7 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within e hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.
ACTION 8 - With less than the Minimum Number of Channels OPERABLE, within 1 hour determine by observation of the associated permissive annunciator window(s) that the interlock is in its required state for the existing plant condition, or apply Specification 3.0.3.
SEABROOK - UNIT 1 3/4 3-6 Amendment No. Je
INSERT 6A
ACTION 6A - With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
- a. The inoperable channel is placed in the tripped condition within 72 hours, and
- b. The Minimum Channels OPERABLE requirement is met; however, one channel may be bypassed for up to 12 hours for surveillance testing per Specification 4.3.1.1.
TABLE 3.3-1 (Continued)
restore the inoperable channel to OPERABLE status within 24 hours or
ACTION 9 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, be in at least HOT STANDBY within 6 hours; however, one channel may be bypassed for up to ~ hours for surveillance testing per Specification 4.3.1.1, provided the other channel is OPERABLE.
ACTION 10 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or open the Reactor Trip System breakers within the next hour.
ACTION 11 - With the number of OPERABLE channels less than the Total Number of Channels, operation may continue provided the inoperable channels are placed in the tripped condition within 6 hours.
ACTION 12 - With one of the diverse trip features (undervoltage or shunt trip attachment) inoperable, restore it to OPERABLE status within 48 hours or declare the breaker inoperable and apply ACTION 9. The breaker shall not be bypassed while one of the diverse trip features is inoperable except for the time required for performing maintenance to restore the breaker to OPERABLE status.
SEABROOK - UNIT 1 3/4 3-7
This page contains no changes - provided for information only.
TABLE 3.3-3
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION

| FUNCTIONAL UNIT | TOTAL NO. OF CHANNELS | CHANNELS TO TRIP | MINIMUM CHANNELS OPERABLE | APPLICABLE MODES | ACTION |
|---|---|---|---|---|---|
| 1. Safety Injection (Reactor Trip, Feedwater Isolation, Start Diesel Generators, Phase "A" Isolation, Containment Ventilation Isolation, Emergency Feedwater, Service Water to Secondary Component Cooling Water Isolation, CBA Emergency Fan/Filter Actuation, and Latching Relay). | | | | | |
| a. Manual Initiation | 2 | 1 | 2 | 1, 2, 3, 4 | 17 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 1 | 2 | 1, 2, 3, 4 | 13 |
| c. Containment Pressure--Hi-1 | 3 | 2 | 2 | 1, 2, 3 | 18 |
| d. Pressurizer Pressure--Low | 4 | 2 | 3 | 1, 2, 3# | 18 |
| e. Steam Line Pressure--Low | 3/steam line | 2/steam line any steam line | 2/steam line | 1, 2, 3# | 18 |

SEABROOK - UNIT 1 3/4 3-16 Amendment No. ~. 114
This page contains no changes - provided for information only.
TABLE 3.3-3 (Continued)
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION MINIMUM FUNCTIONAL UNIT
- 2.
- 3.
- a.
Manual Initiation
- b.
Automatic Actuation Logic and Actuation Relays
- c.
Containment Pressure--
Hi-3 Containment Isolation
- a.
Phase "A" Isolation
- 1) Manual Initiation
- 2) Automatic Actuation Logic and Actuation Relays
- 3) Safety Injection
- b.
Phase "B" Isolation
- 1) Manual Initiation SEABROOK - UNIT 1 TOTAL NO.
OF CHANNELS 2
2 4
2 2
CHANNELS CHANNELS APPLICABLE TO TRIP OPERABLE MODES 1 with 2 coincident switches 1
2 1
1 2
2 3
2 2
1, 2, 3, 4 1, 2,3,4 1, 2, 3 1, 2,3, 4 1, 2, 3, 4 ACTION 17 13 15 17 13 See Item 1. above for all Safety Injection initiating functions and requirements.
2 1 with 2 coincident switches 3/4 3-17 2
1, 2,3,4 17 SBK-L-18089 Attachment 1 9 of 15
This page contains no changes - provided for information only.
TABLE 3.3-3 (Continued)
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION MINIMUM TOTAL NO.
CHANNELS CHANNELS APPLICABLE FUNCTIONAL UNIT OF CHANNELS TO TRIP OPERABLE MODES ACTION
- 3.
Containment Isolation (continued)
- b.
Phase "B" Isolation (continued)
- 2)
Automatic Actuation Logic and Actuation Relays
- 3)
Containment Pressure-Hi-3
- c.
Containment Ventilation Isolation
- 1)
Manual Initiation
- 2)
Automatic Actuation Logic and Actuation Relays
- 3)
Safety Injection
- 4)
Containment On Line Purge Radioactivity-High
- 4.
Steam Line Isolation
- a.
Manual Initiation
- 1)
Individual
- 2)
System SEABROOK - UNIT 1 2
4 2
2 1
2 1
1 2
3 2
2 1, 2, 3, 4 1, 2, 3 1, 2,3,4 1, 2, 3, 4 13 15 16 16 See Item 1. above for all Safety Injection initiating functions and requirements.
2 1 /steam line 2
1 2
1,2,3,4 1/steam line 1/operating 1, 2, 3 steam line 1
2 1, 2, 3 3/4 3-18 16 23 21 SBK-L-18089 Attachment 1 10 of 15
This page contains no changes - provided for information only.
TABLE 3.3-3 (Continued)
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION MINIMUM TOTAL NO.
CHANNELS CHANNELS APPLICABLE FUNCTIONAL UNIT OF CHANNELS TO TRIP OPERABLE MODES ACTION
- 4.
Steam Line Isolation (continued)
- b.
Automatic Actuation Logic and Actuation Relays
- c.
Containment Pressure--
Hi-2
- d.
Steam Line Pressure-Low
- e.
Steam Generator Pressure - Negative Rate-High
- 5.
- a.
Automatic Actuation Logic and Actuation Relays
- b.
Steam Generator Water Level--
High-High (P-14)
- 6.
Feedwater Isolation
- a.
Steam Generator Water Level--High-High (P-14)
- b.
Safety Injection SEABROOK - UNIT 1 2
3 3/steam line 3/steam line 2
4/stm. gen.
4/stm. gen.
1 2
1, 2, 3 2
2 1, 2, 3 2/steam line 2/steam line 1, 2, 3#
any steam line 2/steam line 2/steam line 3*
any steam line 1
2 1, 2 2/stm. gen.
3/stm. gen.
1, 2 2/stm. gen.
3/stm. gen. 1, 2 See Item 1. above for all Safety Injection initiating functions and requirements.
20 18 18 18 22 18 18 3/4 3-19 Amendment No. 4a, 114 SBK-L-18089 Attachment 1 11 of 15
This page contains no changes - provided for information only.
TABLE 3.3-3 (Continued)
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION FUNCTIONAL UNIT
- 7.
Emergency Feedwater
- a.
Manual Initiation (1)
Motor driven pump (2)
Turbine driven pump
- b.
Automatic Actuation Logic and Actuation Relays
- c.
Stm. Gen. Water Level--
Low-Low Start Motor-Driven Pump and Start Turbine -
Driven Pump
- d.
Safety Injection Start Motor-Driven Pump and Turbine-Driven Pump
- e.
Loss-of-Offsite Power Start Motor-Driven Pump and Turbine-Driven Pump
- 8.
Automatic Switchover to Containment Sump
- a.
Automatic Actuation Logic and Actuation Relays SEABROOK - UNIT 1 MINIMUM CHANNELS CHANNELS APPLICABLE TOTAL NO.
OF CHANNELS TO TRIP OPERABLE MODES ACTION 1
2 2
4/stm. gen.
1 1
1 2/stm. gen.
1 2
2 1, 2, 3 1, 2, 3 1, 2, 3 3/stm. gen. 1, 2, 3 21 21 20 18 See Item 1. above for all Safety Injection initiating functions and requirements.
See Item 9 for Loss-of-Offsite Power initiating functions and requirements.
2 1
2 1, 2, 3, 4 3/4 3-20 13 Amendment No. 45 SBK-L-18089 Attachment 1 12 of 15
This page contains no changes - provided for information only.
TABLE 3.3-3 (Continued)
ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION FUNCTIONAL UNIT
- b.
RWST Level--Low-Low Coincident With:
Safety Injection
- 9.
Loss of Power (Start Emergency Feedwater)
- a.
4.16 kV Bus ES and E6-Loss of Voltage
- b.
4.16 kV Bus ES and E6-Degraded Voltage Coincident with SI
- 10. Engineered Safety Features Actuation System Interlocks
- a.
Pressurizer Pressure, P-11
- b.
Reactor Trip, P-4
- c.
Steam Generator Water Level, P-14 SEABROOK - UNIT 1 MINIMUM CHANNELS CHANNELS APPLICABLE TOTAL NO.
OF CHANNELS TO TRIP OPERABLE MODES ACTION 4
2 3
1, 2,3,4 See Item 1. above for all Safety Injection initiating functions and requirements.
2/bus 2/bus 1/bus 1, 2,3, 4 2/bus 2/bus 1/bus 1, 2, 3, 4 See Item 1. above for all Safety Injection initiating functions and requirements.
3 2
4/stm. gen.
2 2
2 2
2/stm. gen. 3/stm. gen.
1, 2, 3 1, 2, 3 1, 2, 3 15 14 14 19 21 18 3/4 3-21 Amendment No. 47, 140, 145 SBK-L-18089 Attachment 1 13 of 15
TABLE 3.3-3 (Continued)
TABLE NOTATIONS
- Trip function may be blocked in this MODE below the P-11 (Pressurizer Pressure Interlock) Setpoint.
- Trip function automatically blocked above P-11 and may be blocked below P-11 when Safety Injection on low steam line pressure is not blocked.
restore the inoperable channel to ACTION STATEMENTS OPERABLE status within 24 hours or ACTION 13 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, be in at least HOT STANDBY within 42 hours and in COLD SHUTDOWN within the following 30 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1, provided the other channel is OPERABLE.
the next 6
ACTION 14 -With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
- a.
The inoperable channel is placed in the tripped condition within 6 hours, and
- b.
The Minimum Channels OPERABLE requirement is met; however, the inoperable channel may be bypassed for up to 2 hours for surveillance testing of other channels per Specification 4.3.2.1.
within 72 hours ACTION 15 -With the number of OPERABLE channels one less than the Total Number of Channels, operation may proceed provided the inoperable channel is placed in the bypassed condition and the Minimum Channels OPERABLE requirement is met. One additional channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1.
ACTION 16 - With less than the Minimum Channels OPERABLE requirement, operation may continue provided the containment purge supply and exhaust valves are maintained closed.
ACTION 17 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within 48 hours or be in at least HOT STANDBY within the next 6 hours and in COLD SHUTDOWN within the following 30 hours.
ACTION 18 -With the number of OPERABLE channels one less than the Total Number of Channels, STARTUP and/or POWER OPERATION may proceed provided the following conditions are satisfied:
SEABROOK - UNIT 1 3/4 3-22 Amendment No. ~. 444 SBK-L-18089 Attachment 1 14 of 15
TABLE 3.3-3 (Continued)
ACTION STATEMENTS (Continued)
- a.
The inoperable channel is placed in the tripped conditio~
hours, and
~ 2
- b.
The Minimum Channels OPERABLE requirem t is met; however, #le
.-lo_n_e--..f--?'inoperable channel may be bypassed for up to hours for surveillance ~
testing of other channels per Specification 4.3.2.1.
ACTION 19 - With less than the Minimum Number of Channels OPERABLE, within 1 hour determine by observation of the associated permissive annunciator window(s) that the interlock is in its required state for the existing plant condition, or apply Specification 3.0.3.
ACTION 20 -With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within &-hours or be in at least HOT STANDBY within the next 6 hours and in at least HOT SHUTDOWN within the following 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE.
ACTION 21 -With the number of OPERABLE channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status within 48 hours or be in at least HOT STANDBY within 6 hours and in at least HOT SHUTDOWN within the following 6 hours.
ACTION 22 - With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within hours or be in at least HOT STANDBY within the next 6 hours; however, one channel may be bypassed for up to 4 hours for surveillance testing per Specification 4.3.2.1 provided the other channel is OPERABLE.
24 ACTION 23 - With the number of OPERABLE channels one less than the Total Number of Channels, restore the inoperable channel to OPERABLE status within 48 hours or declare the associated valve inoperable and take the ACTION required by Specification 3.7.1.5.
SEABROOK - UNIT 1 3/4 3-23 Amendment No. Je SBK-L-18089 Attachment 1 15 of 15
SBK-L-18089 Markup of the Technical Specification Bases
INSTRUMENTATION BASES 3/4.3.1 and 3/4.3.2 REACTOR TRIP SYSTEM and ENGINEERED SAFETY FEATURES ACTUATION SYSTEM INSTRUMENTATION (Continued)
Injection pumps start and automatic valves position, (2) Reactor trip, (3) feedwater isolation, (4) startup of the emergency diesel generators, (5) containment spray pumps start and automatic valves position, (6) containment isolation, (7) steam line isolation, (8) turbine trip, (9) emergency feedwater pumps start and automatic valves position, (10) containment cooling fans start and automatic valves position, and (11) automatic service water valves position.
The Engineered Safety Features Actuation System interlocks perform the following functions:
P-4 Reactor tripped - Actuates Turbine trip, closes main feedwater valves on Tavg below Setpoint, prevents the opening of the main feedwater valves which were closed by a Safety Injection or High Steam Generator Water Level signal, allows Safety Injection block so that components can be reset or tripped.
Reactor not tripped - prevents manual block of Safety Injection.
P-11 On increasing pressurizer pressure, P-11 automatically reinstates Safety Injection actuation on low pressurizer pressure. On decreasing pressure, P-11 allows the manual block of Safety Injection actuation on low pressurizer pressure, and the manual block of SI and steamline isolation on steamline low pressure. On the manual block of steamline low pressure, manual block of steamline low pressure automatically initiates steamline isolation on steam generator pressure negative rate - high.
Bases Insert 1 P-14 On increasing steam generator water level, P-14 automatically trips the turbine and all feedwater isolation valves; inhibits feedwater control valve modulation; and blocks the start of the startup feedwater pump.
3/4.3.3 MONITORING INSTRUMENTATION 3/4.3.3.1 RADIATION MONITORING FOR PLANT OPERATIONS The OPERABILITY of the radiation monitoring instrumentation for plant operations ensures that: (1) the associated action will be initiated when the radiation level monitored by each channel or combination thereof reaches its Setpoint, (2) the specified coincidence logic is maintained, and (3) sufficient redundancy is maintained to permit a channel to be out of service for testing or maintenance. The radiation monitors for plant operations sense radiation levels in selected plant systems and locations and determine whether or not predetermined limits are being exceeded. If they are, the signals are combined into logic matrices sensitive to combinations indicative of various accidents SEABROOK - UNIT 1 B 3/4 3-3 SBK-L-18089 Attachment 2 1 of 3
BASES INSERT 1 WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS And ESFAS Test Times and Completion Times" provides the justification for increasing the bypass times for testing and the Allowed Outage Times (AOTs) in the Reactor Trip System instrumentation and Engineered Safety Features Actuation System instrumentation Technical Specifications. WCAP-14333 justifies the following AOTs and Bypass test times:
Inoperable analog channel AOT of 72 hours, Analog channel testing in bypass time of 12 hours, and Inoperable logic train AOT of 24 hours.
WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," provides the justification for changes to increase the AOT and the bypass test time for the reactor trip breakers. WCAP-15376-P-A justifies the following for the Reactor Trip System instrumentation:
Inoperable reactor trip breaker AOT of 24 hours, and Reactor trip breaker testing in bypass time of 4 hours.
Planned Maintenance and Tier 2 Restrictions
Consistent with the NRC Safety Evaluation (SE) requirements for WCAP-14333-P-A and WCAP-15376-P-A, Tier 2 insights must be included in the decision making process before removing an RTS or ESFAS logic train from service (WCAP-14333-P-A) or an RTB train (WCAP-15376-P-A) and implementing the associated extended (risk-informed) AOT. These "Tier 2 restrictions" are considered to be necessary to avoid risk significant plant configurations during the time an RTS or ESFAS logic train, or an RTB train is inoperable.
Entry into an AOT for an inoperable RTS or ESFAS logic train or an RTB train is not a typical pre-planned evolution during the MODES of Applicability for this equipment, other than when necessary for surveillance testing. Since the AOT may be entered due to equipment failure, some of the Tier 2 restrictions discussed below may not be met at the time of AOT entry. In addition, it is possible that equipment failure may occur after an RTS or ESFAS logic train or an RTB train is removed from service for surveillance testing or planned maintenance, such that one or more of the required Tier 2 restrictions are no longer met. In cases of equipment failure the programs and procedures in place to address the requirements of 10 CFR 50.65(a)(4) require assessment of the emergent condition with appropriate actions taken to manage risk.
Depending on the specific situation, these actions could include activities to restore the inoperable logic train or RTB train and exit the AOT, or to fully implement the Tier 2 restrictions, or to perform a unit shutdown, as appropriate from a risk management perspective.
The following WCAP-14333-P-A Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering the AOT for an inoperable RTS or ESFAS logic train:
To preserve ATWS mitigation capability, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a logic train is inoperable.
Page 1 of 2 SBK-L-18089 Attachment 2 2 of3
To preserve LOCA mitigation capability, one complete ECCS train that can be actuated automatically must be maintained OPERABLE. Note that TS 3.5.2, "ECCS Subsystems - Tavg Greater Than or Equal To 350°F", ensures that this restriction is met. Therefore, this restriction does not have to be implemented by a separate procedure or program.
To preserve reactor trip and safeguards actuation capability, activities that cause master relays or slave relays in the available train and activities that cause analog channels to be unavailable should not be scheduled when a logic train is inoperable.
Activities on electrical systems (AC and DC power) and cooling systems (service water and component cooling water) that support the systems or functions listed in the first three bullets should not be scheduled when a logic train is inoperable. That is, one complete train of a function that supports a complete train of a function noted above must be available.
The following WCAP-15376-P-A Tier 2 restrictions on concurrent removal of certain equipment will be implemented as described above when entering the AOT for an inoperable RTB:
The probability of failing to trip the reactor on demand will increase when a RTB is removed from service, therefore, systems designed for mitigating an ATWS event should be maintained available. RCS pressure relief (pressurizer PORVs and safety valves), auxiliary feedwater flow (for RCS heat removal), AMSAC, and turbine trip are important to ATWS mitigation. Therefore, activities that degrade the availability of the auxiliary feedwater system, RCS pressure relief system (pressurizer PORVs and safety valves), AMSAC, or turbine trip should not be scheduled when a RTB is inoperable.
Due to the increased dependence on the available reactor trip train when one logic train is unavailable, activities that degrade other components of the RTS, including master relays or slave relays, and activities that cause analog channels to be unavailable, should not be scheduled when a logic train is inoperable.
Activities on electrical systems (AC and DC power) that support the systems or functions listed in the first two bullets should not be scheduled when a RTB is inoperable.
Page 2 of 2 SBK-L-18089 Attachment 2 3 of 3