ML22014A415


Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) Using Risk-Informed Process for Evaluations
ML22014A415
Person / Time
Site: Palo Verde  
Issue date: 01/14/2022
From: Rash B
Arizona Public Service Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
102-08377-BJR/TNW


Text

10 CFR 50.12

A member of the STARS Alliance, LLC

  • Callaway
  • Diablo Canyon
  • Palo Verde
  • Wolf Creek

BRUCE J. RASH
Vice President
Nuclear Engineering/Regulatory

Palo Verde Nuclear Generating Station
P.O. Box 52034
Phoenix, AZ 85072
Mail Station 7602
Tel 623.393.5102

102-08377-BJR/TNW
January 14, 2022

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Dear Sirs:

Subject: Palo Verde Nuclear Generating Station Units 1, 2, and 3
Docket Nos. STN 50-528, 50-529, and 50-530
Renewed Operating License Number NPF-41, NPF-51, and NPF-74
Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations

In accordance with the provisions of 10 CFR 50.12, Specific Exemptions, Arizona Public Service Company (APS) is submitting a request for an exemption from certain requirements in the 10 CFR 50.62(c)(1) regulation for Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3.

The exemption request would remove the requirement for the Diverse Auxiliary Feedwater Actuation System (DAFAS) from the PVNGS licensing basis using the Risk-Informed Process for Evaluations (RIPE). The RIPE process is a Nuclear Regulatory Commission (NRC) approved risk-informed method that is used to disposition issues of very low safety significance that are within the licensing basis of a plant. The RIPE process is used to evaluate the safety significance of an issue, and if it is determined to be of low safety significance, an exemption request can be submitted to the NRC and qualify for a streamlined NRC review.

The enclosure to this letter provides a description and assessment of the proposed exemption using RIPE. The exemption request being submitted is consistent with Nuclear Energy Institute (NEI) 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, dated April 2021, and the NRC, Guidelines for Characterizing the Safety Impact of Issues, Revision 1, dated June 2021 [Agencywide Documents Access and Management System (ADAMS) Accession No. ML21180A014]. Attachment 1 of the enclosure provides the final screening impact results. Attachment 2 of the enclosure provides the final risk evaluation for the proposed exemption. Attachment 3 of the enclosure contains a summary of the plant Integrated Decision-making Panel (IDP) evaluation results.

The exemption request is permissible under 10 CFR 50.12 because it is authorized by law, will not present an undue risk to the public health and safety, is consistent with the common defense and security, and presents special circumstances.

Pre-submittal meetings for this exemption request were held between APS and the NRC staff on September 1, 2021 (ADAMS Accession No. ML21245A415) and November 17, 2021 (ADAMS Accession No. ML21333A002). Additionally, an IDP meeting was held on September 30, 2021, which was observed by the NRC.

By copy of this letter, the exemption is being forwarded to the Arizona Department of Health Services - Bureau of Radiation Control for information.

No new commitments are being made to the NRC by this letter.

Should you need further information regarding this letter, please contact Matthew S. Cox, Licensing Section Leader, at (623) 393-5753.

Sincerely,

Digitally signed by Rash, Bruce (Z77439)
DN: cn=Rash, Bruce (Z77439)
Date: 2022.01.14 13:37:48 -07'00'

BJR/TNW/mg

Enclosure: Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations

cc:
S. A. Morris, NRC Region IV Regional Administrator
S. P. Lingam, NRC NRR Project Manager for PVNGS
L. N. Merker, NRC Senior Resident Inspector for PVNGS
B. D. Goretzki, Arizona Department of Health Services - Bureau of Radiation Control

ENCLOSURE Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations


Description and Assessment of Proposed Exemption

Subject: Exemption Request - Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations

1.0 SUMMARY DESCRIPTION

2.0 BACKGROUND
    2.1 10 CFR 50.62 Requirements
    2.2 Implementation of 10 CFR 50.62 Requirements at PVNGS

3.0 DETAILED DESCRIPTION
    3.1 Reason for Proposed Exemption
    3.2 Description of Proposed Change

4.0 TECHNICAL EVALUATION
    4.1 Screening Impact Results
    4.2 Technical Adequacy of the Probabilistic Risk Assessment
    4.3 Plant-Specific Risk Assessment Results
    4.4 PVNGS Design Features
    4.5 Manual Actuation of Auxiliary Feedwater
    4.6 Integrated Decision-Making Panel (IDP) Process
    4.7 IDP Results

5.0 REGULATORY EVALUATION
    5.1 Justification for Exemption and Special Circumstances
    5.2 Precedents

6.0 ENVIRONMENTAL ASSESSMENT

7.0 CONCLUSION

8.0 REFERENCES

ATTACHMENTS:

1. Evaluation of Screening Impact
2. Evaluation of Risk Significance
3. Integrated Decision-Making Panel (IDP) Evaluation Results


1.0 SUMMARY DESCRIPTION

This enclosure provides the Arizona Public Service Company (APS) request for exemption under Title 10 of the Code of Federal Regulations (CFR) Section 50.12 (10 CFR 50.12), Specific Exemptions, from certain requirements in 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants, for Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3.

The request is for partial exemption from 10 CFR 50.62(c)(1). The portion of 10 CFR 50.62(c)(1) for which the exemption is requested is shown below in bold.

(c) Requirements. (1) Each pressurized water reactor must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.

The requirements for Combustion Engineering (CE) plants such as PVNGS are to provide a Diverse Scram System (DSS), a Diverse Auxiliary Feedwater Actuation System (DAFAS), and a Diverse Turbine Trip (DTT). The exemption request would remove the requirement for the DAFAS from the PVNGS licensing basis using the Risk-Informed Process for Evaluations (RIPE). This exemption does not alter the requirements for the DSS or DTT at PVNGS Units 1, 2, and 3.

2.0 BACKGROUND

2.1 10 CFR 50.62 Requirements

On February 22 and 25, 1983, the Salem Nuclear Generating Station experienced ATWS events. Following these events, the Nuclear Regulatory Commission (NRC) staff completed a regulatory analysis in SECY-83-293, Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events, dated July 19, 1983 (Reference 1), which concluded that additional ATWS safety requirements were justified. Efforts to establish requirements to address ATWS events were completed, and NRC issued, on June 26, 1984, an amendment to Section 50.62 of Title 10 of the Code of Federal Regulations (10 CFR 50.62), Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants [Federal Register (FR) 49FR26036]. The requirements of 10 CFR 50.62 became effective on July 26, 1984, and were applicable to all commercial light-water-cooled nuclear plants.

The purpose of the ATWS Rule, as documented in SECY-83-293 (Reference 1), is to require equipment/systems that are diverse from the existing reactor trip system (RTS) and capable of preventing or mitigating the consequences of an ATWS event.

The failure mechanism of concern is a common mode failure of identical components within the RTS (e.g., logic circuits; actuation devices; and instrument channel components, excluding sensors). The hardware/component diversity required by the ATWS Rule is intended to ensure that common mode failures that could disable the electrical portion of the existing reactor trip system will not affect the capability of ATWS prevention and mitigation system(s) equipment to perform its design function.


The objective of the ATWS Rule is to reduce the likelihood of ATWS events to an acceptable level and to mitigate the consequences of such events.

In developing the ATWS Rule, the NRC staff used a combination of probabilistic risk assessment (PRA) techniques and engineering judgment. As part of the decision process, value-impact (i.e., benefit/cost) analyses were performed on a reactor manufacturer generic basis. The value-impact (V/I) analyses were based on the estimated reduction in annual core damage frequency and the resultant release of radioactive fission products to the environment for each of the generic reactor types [i.e., General Electric, Westinghouse, and CE/Babcock and Wilcox (B&W) Generic Options]. The annual frequency of an ATWS leading to unacceptable plant conditions was estimated. Also computed were the costs of these options and the estimated value due to reduction of ATWS frequency. The CE/B&W generic plants were grouped together because the proposed ATWS modifications, probability reduction, and costs to implement the modifications were very close for these two plants. The value-impact analyses from Table S-1 in SECY-83-293 are provided in Table 2.1-1.

Table 2.1-1: Comparison of Generic Options Alternatives

| Generic Option | Description | PATWS/yr | Value (Millions) | Impact (Millions) | V/I |
|---|---|---|---|---|---|
| CE/B&W Generic Options | | | | | |
| 0 | Base Case | 8.0x10^-5 | | | |
| 1 | Utility Proposal: Diverse Scram System; Diverse Auxiliary Feedwater and Turbine Trip | 2.2x10^-5 | $17.4M | $5.5M | 3.2 |
| 2 | Safety Valves or Modifying Core, Added to Utility Proposal | 7.2x10^-6 | $4.4M | $10.0M | 0.44 |
| Westinghouse Generic Options | | | | | |
| 0 | Base Case | 3.7x10^-5 | | | |
| 1a | Utility Proposal: Diverse Auxiliary Feedwater Initiation and Turbine Trip | 5.8x10^-6 | $9.4M | $2.8M | 3.3 |
| 1b | Diverse Scram System | 5.3x10^-6 | $9.5M | $2.8M | 3.4 |
| 2 | Diverse Scram System, Added to Utility Proposal | 2.0x10^-6 | $1.1M | $1.0M | 1.1 |

For CE/B&W reactor types, the ATWS rule generally adopted the approach that was used in the Utility Group's petition, which is provided as generic option #1 in Table 2.1-1. Option #1 provided the best value-impact benefit for CE/B&W plants. It should be noted that, in SECY-83-293 and the Final Rule Statements of Consideration (49FR26038, dated June 26, 1984), the following statement is made regarding the requirement for diverse and independent emergency feedwater initiation and diverse turbine trip:

It has a highly favorable value/impact for Westinghouse plants and a marginally favorable value/impact for Combustion Engineering and Babcock and Wilcox plants.


Enclosure "D" to SECY-83-293, Recommendations of the ATWS Task Force (Reference 1), documents the probabilistic basis for the ATWS Rule. In this report it is stated that "the Task Force set as a goal that the estimated core melt frequency due to ATWS events should probably be no more than about 1x10^-5 per year." The Task Force very conservatively equated core damage to the likelihood of exceeding the pressure limit corresponding to the American Society of Mechanical Engineers (ASME) Boiler & Pressure Vessel Code Level C service limit criterion (approximately 3200 psi).

Additionally, SECY-83-293 (Reference 1) noted that an exemption from the rule's requirements would be appropriate if the risk from ATWS were demonstrated to be sufficiently low. By using an NRC approved risk-informed method to disposition issues of very low safety significance, the RIPE process remains consistent with the regulatory principles used to develop the ATWS rulemaking.

2.2 Implementation of 10 CFR 50.62 Requirements at PVNGS

The issuance of 10 CFR 50.62, on July 26, 1984, required PVNGS Units 1, 2, and 3 to establish improvements to its design and operation to meet the requirements of the ATWS Rule described in SECY-83-293 (Reference 1). The objective of the ATWS Rule is to reduce the likelihood of a failure to shut down the reactor, following anticipated transients, thereby mitigating the consequence of an ATWS event.

PVNGS Units 1, 2, and 3 are CE System 80 plants. As such, the plants contained several design improvements which had not been employed in previously built plants.

These plant improvements represent the application of proven design concepts. The improvements of interest for the prevention and/or mitigation of the effects of an ATWS event are the System 80 safety grade systems listed below.

1. Reactor Protective System (RPS) - Initiates a reactor trip in the event of high pressurizer pressure or low steam generator level.
2. Engineered Safety Features Actuation System (ESFAS) - Generates an Auxiliary Feedwater Actuation Signal (AFAS) in the event of low steam generator level.
3. Supplementary Protection System (SPS) - Augments the RPS by initiating a reactor trip in the event of a high-high pressurizer pressure utilizing an independent and diverse trip logic relative to the RPS trip logic.

To ensure compliance with the ATWS Rule, APS modified, by the DSS Modification, the existing SPS to reflect the addition of control grade circuitry to allow the SPS to trip the Control Element Drive Mechanism (CEDM) motor generator set output load contactors. This trip, with appropriate isolation, provided diversity and independence from the RPS actuation of the reactor trip breakers. The isolation devices maintained the current reliability of the SPS as a safety grade system. The SPS with the modified output stage complied with the requirement of the ATWS Rule for a DSS and DTT.

Additionally, to ensure full compliance with the ATWS Rule, the DAFAS was installed to provide a diverse means to automatically actuate the Auxiliary Feedwater (AF) System. The DAFAS is designed to address the unique situation that an ATWS combined with low steam generator level signal has occurred with a failure of ESFAS to initiate an AFAS. The actuation of the AF system through the DAFAS provides a diverse means of event mitigation.


Although the systems and equipment specified by the ATWS Rule are not required to meet the requirements for safety related equipment, the SPS and the DAFAS meet safety related criteria. By letter dated October 18, 1990, the NRC staff concluded that the PVNGS design conformed to the requirements of 10 CFR 50.62 (Reference 2).

3.0 DETAILED DESCRIPTION

3.1 Reason for Proposed Exemption

Risk-informed and performance-based approaches provide for greater focus on items of the highest safety significance, enable more efficient use of agency resources, and reduce unnecessary regulatory burden. A probabilistic approach enhances and extends the traditional deterministic approach by allowing consideration of a broader set of potential challenges to safety, providing a logical means for prioritizing these challenges based on safety significance, and allowing consideration of a broader set of resources to defend against these challenges. In contrast to the deterministic approach, PRAs address credible initiating events by assessing the event frequency. Mitigating system reliability is then assessed, including the potential for common cause failures. The probabilistic approach to regulation is an extension and enhancement by considering risk in a comprehensive manner.

To take advantage of the safety enhancements available through the use of PRA, in 2021 the NRC issued the RIPE. The RIPE process provides a risk-informed method to disposition issues of very low safety significance that are within the licensing basis of a plant.

The RIPE process may be used for actions needed to correct an issue that would result in a minimal safety impact. Examples of issues for which the RIPE process may be used include, but are not limited to:

  • Actions needed to address inspection findings,
  • Resolution of issues identified through other regulatory or licensee processes,
  • Responses to orders requiring changes or modifications to the plant,
  • Generic issues requiring changes or modifications to the plant

This exemption is requested because the vendor for the DAFAS Modicon programmable logic controllers (PLCs), displays, and associated equipment is no longer in business; so, replacement parts are no longer available. The vendor supplied a proprietary platform for the Modicon PLCs and because of the age of the system, replacement parts from another vendor are not an option. The DAFAS design using Modicon PLCs is unique to PVNGS. The maintenance associated with the DAFAS requires significant engineering resources to reverse engineer components and fiber optic communication problems are affecting system availability. The RIPE process will be used to disposition the very low safety significance of the DAFAS.

This exemption request is a licensee-identified issue, where the delta risk is the difference between the approved existing licensing basis condition and the condition that would exist after NRC approval and implementation.

3.2 Description of Proposed Change

Subsequent to approval of the exemption by the NRC, APS will remove the requirement for the DAFAS from the PVNGS licensing basis.


4.0 TECHNICAL EVALUATION

The NRC staff approved the RIPE in January 2021 (Reference 3). This process is effective and provides a risk-informed method to disposition issues of very low safety significance that are within the licensing basis of a plant. The RIPE process is used to evaluate the safety significance of an issue, and if it is determined to be of low safety significance, an exemption request can be submitted to the NRC and qualify for a streamlined NRC review. The RIPE being implemented for this exemption is consistent with Nuclear Energy Institute (NEI) 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, dated April 2021 (Reference 4), and the NRC, Guidelines for Characterizing the Safety Impact of Issues, Revision 1, dated June 2021 (Reference 5).

NEI 21-01 (Reference 4) describes an approach that is acceptable to the NRC staff for developing a risk-informed application for an exemption request that applies risk insights, consistent with the guidance in Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3 (Reference 6).

The risk-informed process for evaluations can be used by licensees that have a technically acceptable PRA as demonstrated by having implemented risk-informed initiatives including risk-informed completion time (TSTF-505) or the surveillance frequency control program (TSTF-425) and have established a 50.69-equivalent integrated decision-making panel (IDP). Licensees with an approved and implemented risk-informed completion time (RICT) amendment and a 10 CFR 50.69 (or equivalent) IDP can leverage their PRA models to perform safety impact characterizations using this process. The NRC approved the PVNGS RICT license amendment consistent with NEI 06-09, Risk-Informed Technical Specifications Initiative 4B, Risk-Managed Technical Specifications (RMTS) Guidelines (Reference 7), in lieu of TSTF-505 since at the time the NRC had temporarily suspended approval of TSTF-505.

PVNGS has implemented RICT, TSTF-425, and has established an IDP as part of implementation of 10 CFR 50.69. Therefore, PVNGS meets the requirements to submit exemption requests via the RIPE process.

In order to characterize an issue as having a minimal safety impact, all of the following must apply:

  • The issue contributes less than 1x10^-7/year to core damage frequency (CDF).
  • The issue contributes less than 1x10^-8/year to large early release frequency (LERF).
  • The issue screens to no impact (per Step 1, Section 4.1 of NEI 21-01) or minimal impact (per Step 2, Section 4.2 of NEI 21-01).
  • Cumulative risk is acceptable using the guidelines in Section 5 of NEI 21-01.

If any of the criteria above are not met, then the proposed change cannot be characterized as having minimal impact on safety.


4.1 Screening Impact Results

NEI 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, Sections 4.1 and 4.2 (Reference 4), provides a set of screening questions that are used to determine the impact of the proposed exemption. The findings of the PVNGS Units 1, 2, and 3 screening questions, contained in Attachment 1 of this submittal, confirm that removing the DAFAS from the licensing basis screened in as adverse, but is considered to have a minimal impact on safety. Attachment 1 of this enclosure provides the detailed answers to the screening questions.

4.2 Technical Adequacy of the Probabilistic Risk Assessment

PVNGS implemented RICT in accordance with NEI Topical Report 06-09, (Revision 0)-A, Risk-Informed Technical Specification Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines (Reference 7). Additionally, 10 CFR 50.69 was implemented in accordance with NEI 00-04, Revision 0, 10 CFR 50.69 SSC Categorization Guideline, Revision 0, which was endorsed by the NRC in Regulatory Guide 1.201, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to their Safety Significance, Revision 1 (Reference 8).

The NRC safety evaluations for the 10 CFR 50.69 and RICT license amendments were issued on October 10, 2018 (Reference 9), and May 29, 2019 (Reference 10), respectively. The NRC found the PVNGS PRA acceptable to support the 10 CFR 50.69 and RICT Program and determined that the PVNGS PRA models for internal and external events, fires, and seismic used to implement 10 CFR 50.69 and the RICT Program satisfied the guidance of RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2 (Reference 12), with the completion of the implementation items described in each NRC safety evaluation.

The PVNGS PRA has undergone numerous peer reviews and Fact and Observation (F&O) closure reviews. All finding level F&Os have been resolved and F&O closure reviews performed to document closure. There are no open finding level F&Os associated with the PRA.

PVNGS implemented 10 CFR 50.69 and RICT on January 3, 2019, and July 10, 2020, respectively. The PVNGS PRA is technically adequate to support this risk-informed application.

Internal Events and Internal Flood PRA

The Internal Events PRA model was peer reviewed in July 1999 by the Combustion Engineering Owners Group (CEOG) prior to the issuance of RG 1.200 (Reference 11). As a result, a self-assessment of the Internal Events PRA model was conducted by APS in March 2011 in accordance with Appendix B of RG 1.200, Revision 2 (Reference 12), to address the PRA quality requirements not considered in the CEOG peer review.

The Internal Events PRA quality (including the CEOG peer review and self-assessment results) has previously been reviewed by the NRC in requests to extend the Inverter Technical Specification Completion Time dated September 29, 2010 (Reference 13), and to implement TSTF-425, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5b, dated December 15, 2011 (Reference 14). All PRA upgrades [as defined by the ASME PRA Standard RA-Sa-2009 (Reference 15)] implemented since conduct of the CEOG peer review in 1999 have been peer reviewed.

A focused-scope PRA peer review of the PVNGS internal flood PRA (IFPRA) to determine compliance with Addendum A of the ASME/ANS PRA Standard and RG 1.200, Revision 2, was performed in 2010.

Focused scope peer reviews of all F&Os that constituted an upgrade to the PRA were performed in 2017 (Reference 16), 2018 (Reference 17), and 2020 (Reference 18).

All F&Os were reviewed and confirmed closed during concurrent F&O closure reviews performed in 2017 (Reference 16), 2018 (Reference 19), and 2020 (Reference 20).

Fire PRA

A full-scope peer review to determine compliance with Addendum A of the ASME/ANS PRA Standard and RG 1.200, Revision 2, was performed on the PVNGS Fire PRA by the Pressurized Water Reactors Owners Group (PWROG) in 2012. In 2014, after updating the PVNGS Fire PRA to address selected F&Os identified in the full-scope fire PRA peer review, a focused-scope peer review was performed on the PVNGS fire PRA.

Focused scope peer reviews of all F&O resolutions that constituted an upgrade to the PRA were performed in 2017 (Reference 16), 2018 (Reference 17), and 2020 (Reference 18). All F&Os were reviewed and confirmed closed during concurrent F&O closure reviews performed in 2017 (Reference 16), 2018 (Reference 19), and 2020 (Reference 20).

Seismic PRA

APS conducted a full scope Seismic PRA model peer review in February 2013, in accordance with the current endorsed standard ASME/ANS RA-Sa-2009 and NEI 12-13 (Reference 21), including NRC comments on NEI 12-13. All finding F&Os were resolved.

Focused scope peer reviews of all F&O resolutions that constituted an upgrade to the PRA were performed in 2017 (Reference 16), 2018 (Reference 17), and 2020 (Reference 18). All F&Os were reviewed and confirmed closed during concurrent F&O closure reviews performed in 2017 (Reference 16), 2018 (Reference 19), and 2020 (Reference 20).

Other External Hazards PRA

APS conducted a full scope External Hazards screening peer review in December 2011, in accordance with RG 1.200, Revision 2.

All F&Os were subsequently resolved and then were confirmed closed during an F&O closure review performed in 2018 (Reference 19).


Assessment of RG 1.200, Revision 3

A risk assessment associated with the exemption is contained in Attachment 2 of this submittal, which applies RG 1.200, Revision 2 (Reference 12), to remove the requirement for the DAFAS from the PVNGS licensing basis. APS conducted a review of the recent issuance of RG 1.200, Revision 3 (Reference 22), to determine if there were any impacts with this exemption request, due to the changes in RG 1.200 from Revision 2 to Revision 3. The review of RG 1.200 from Revision 2 to Revision 3 did not identify any impacts to the PRA model that is used for the plant-specific risk assessment conducted to support this change. Therefore, it is appropriate to use the PVNGS PRA model used in Attachment 2, which applies RG 1.200, Revision 2 (Reference 12), to support this exemption request.

PRA Maintenance and Update

The APS risk management process ensures that the applicable PRA models used in this application continue to reflect the as-built and as-operated plant for each of the PVNGS units. The process delineates the responsibilities and guidelines for updating the PRA model, and includes criteria for both regularly scheduled and interim PRA model updates. The process includes provisions for monitoring potential areas affecting the PRA model (e.g., due to changes in the plant, errors or limitations identified in the model, or industry operational experience) for assessing the risk impact of unincorporated changes, and for controlling the model and associated computer files. The process assesses the impact of these changes on the plant PRA model in a timely manner but no longer than once every two refueling outages.

4.3 Plant-Specific Risk Assessment Results

A plant-specific risk assessment was performed to determine the impact of removing the requirement for the DAFAS from the PVNGS licensing basis. The PVNGS PRA model that the NRC found acceptable to support the 10 CFR 50.69 and RICT Program screened out the DAFAS. The screening of the DAFAS has been evaluated in the peer reviews for all hazards (i.e., internal and external events, fires, and seismic). The PVNGS PRA model as reviewed by peer reviews does not give any credit for the DAFAS. The DAFAS is a backup to the ESFAS AFAS for initiating auxiliary feedwater.

The primary function of the DAFAS and the ESFAS AFAS is to automatically actuate the A Auxiliary Feedwater (AFA-P01) pump and B Auxiliary Feedwater (AFB-P01) pump. The actuation for the ESFAS AFAS is inherently reliable and with the detailed PRA modeling for the ESFAS, the DAFAS was determined to have a minimal impact on risk. Therefore, the DAFAS screened out of the PVNGS PRA model.

The PVNGS PRA model includes failures of AFAS initiation relays, matrix logic, sensors and steam generator level transmitters that result in failures of auxiliary feedwater to provide flow to steam generators via an automatic actuation of class AF pumps and the valves necessary to provide a flow path from AF pumps to steam generators 1 and 2. The AFAS system modeling also addresses common cause failures of the isolation relays failing to transfer. The ESFAS AFAS component failure rates are based on generic data. The ESFAS AFAS model is based upon a CE report, CEN-327A, RPS/ESFAS Extended Test Interval Evaluation (Reference 23).

A bounding sensitivity evaluation to account for the impact of the DAFAS, had it been modeled in the PVNGS PRA, was performed to support this exemption. The bounding sensitivity assumed that without any logic changes to the PVNGS PRA model, the maximum benefit of the DAFAS is represented by setting the existing basic events and common mode failures for the ESFAS AFAS to false in the PVNGS PRA One Top Multi Hazard Model (OTMHM). The PVNGS PRA OTMHM was quantified using the default truncation values of 1x10^-10 per year for CDF and 1x10^-11 per year for LERF, which ensure convergence of the results.

An internal events calculation was performed to allow internal events cutsets that were truncated out in the PVNGS OTMHM CDF and LERF calculations to be identified.

The purpose of this sensitivity calculation is to identify any unique internal event DAFAS-related core damage/large early release sequences potentially masked by higher likelihood external event and internal flood DAFAS-related core damage/large early release sequences. It was expected that the internal events quantification performed using truncation values of 2.0x10^-13 per year and 1.0x10^-14 per year for CDF and LERF would produce more internal events related CDF and LERF cutsets than the PVNGS OTMHM which was quantified at 1.0x10^-10 per year and 1.0x10^-11 per year.

The default truncation values of 2.0x10-13 per year for internal events CDF and 1.0x10-14 per year for internal events LERF were used, because truncation analysis documented in 13-NS-B067, At-Power Level 1 PRA Quantification, Revision 8, demonstrate that the PVNGS internal events CDF and LERF results converge at these truncation values.

The findings of the PVNGS Units 1, 2, and 3 risk assessment, contained in Attachment 2 of this submittal, confirm that the risk impact associated with removing the DAFAS is not risk significant. Attachment 2 of this enclosure provides the risk significance evaluation. A summary of the quantitative analysis results associated with removing the DAFAS is provided in Table 4.3-1.

Table 4.3-1: Quantification Results

| Case | Core Damage Frequency (CDF) | Large Early Release Frequency (LERF) |
|---|---|---|
| **PVNGS OTMHM** | | |
| PVNGS Baseline | 5.5x10^-5/year | 9.5x10^-6/year |
| PVNGS DAFAS Sensitivity | 5.5x10^-5/year | 9.5x10^-6/year |
| Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 3.2x10^-9/year | 5.9x10^-11/year |
| **PVNGS Internal Events** | | |
| PVNGS Internal Events | 2.9x10^-6/year | 1.4x10^-7/year |
| PVNGS Internal Events DAFAS Sensitivity | 2.9x10^-6/year | 1.4x10^-7/year |
| Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 1.8x10^-9/year | 8.2x10^-11/year |
| **Overall** | | |
| Total Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 5.0x10^-9/year | 1.4x10^-10/year |
| NEI 21-01 RIPE Acceptance Guidelines | < 1.0x10^-7/year | < 1.0x10^-8/year |

The cumulative risk impact associated with this exemption request is provided in Table 4.3-2. The results indicate the cumulative risk remains within the acceptance guidelines established in Regulatory Guide 1.174.

Table 4.3-2: Cumulative Risk

| | Core Damage Frequency (CDF) | Large Early Release Frequency (LERF) |
|---|---|---|
| PVNGS OTMHM Baseline | 5.5x10^-5/year | 9.5x10^-6/year |
| Total Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 5.0x10^-9/year | 1.4x10^-10/year |
| Total CDF and LERF with DAFAS removed | 5.5x10^-5/year | 9.5x10^-6/year |
| NRC RG 1.174 Acceptance Guideline | < 1.0x10^-4/year | < 1.0x10^-5/year |

Based on the minimal risk impact of removing the DAFAS, no risk management actions are required to offset the risk increase. Therefore, the risk associated with the PVNGS request to remove the requirement for the DAFAS from the PVNGS licensing basis is not risk significant per the guidance provided in Section 4 of NEI 21-01 (Reference 4).

Reliability

The failure probability for each AFAS logic channel [Auxiliary Feedwater Actuation Signal for Steam Generator #1 (AFAS-1) Train A, AFAS-1 Train B, Auxiliary Feedwater Actuation Signal for Steam Generator #2 (AFAS-2) Train A, and AFAS-2 Train B] was calculated to be 1.6x10^-4. These calculations did not take credit for operator actions to manually actuate AFAS since that is not credited in the PRA model. These results support the conclusion that individual AFAS logic channels are highly reliable.

To further support the reliability of RPS and ESFAS, a review of historical performance over the past 15 years was performed to demonstrate the high reliability of these systems. The review was focused on demonstrating the fail-safe technology of these systems and that the systems have not experienced a failure to trip on demand. The RPS and ESFAS use fail-safe technology such that the associated relay logic for initiating trips and protective functions actuates in a de-energized state. This ensures that, upon a loss of power to the cabinets or failure of an actuation relay such as a shorted coil, the system will not fail to provide any trips or protective functions, bringing the plant to a stable, safe shutdown condition. If a channel in these systems were to fail in such a way that a trip or initiation could not occur within that channel, the remaining three channels would still be capable of providing the logic required to initiate a trip or engineered safety features (ESF) actuation.

A few false failures to trip were identified. These are failures to trip that occurred because of degraded test circuitry. The test circuitry is only used to functionally test the RPS and ESFAS and to initiate trips for functional testing during surveillance tests. Failures of test circuitry in this manner do not affect the ability of the RPS and ESFAS to perform their associated functions. To further verify the high reliability of these systems, a review was performed for both the RPS and ESFAS regarding historical surveillance test performances. The dataset for this review includes a 20-year review of the performances for the following procedures:

1. 36ST-9SB04, PPS Functional Test - RPS/ESFAS Logic
2. 36ST-9SB44, RPS Matrix Relays to Reactor Trip Response Time Test
3. 36ST-9SB46, ESF Matrix Relays to Initiation Relays Response Time Test

These surveillance tests were selected for review due to their specific intent of testing and initiating RPS and ESFAS trip and actuation logic. Both RPS and ESFAS logic are comprised of relay cards sharing the same model number (Model: 33335) and provided by the same manufacturer (Electro-Mechanics Inc.). The review of these surveillance tests identified zero failures for the relay cards to perform their intended function of initiating an RPS trip or ESFAS actuation upon demand.

The detailed historical performance review provides evidence of the reliability and capability of both systems to perform their automatic functions upon demand. No evidence was found pertaining to any non-conservative failures for the systems to perform their trip and initiation functions.

4.4 PVNGS Design Features

The existing PVNGS design, as described in the Updated Final Safety Analysis Report (UFSAR), incorporates several safety grade systems designed to protect the plant and mitigate the consequences of the ATWS event in addition to various design basis events. The low likelihood of an ATWS event at PVNGS is explained by several unique PVNGS features:

  • Reactor Protective System
    • Core Protection Calculator (CPCs) Trips
    • Low Steam Generator (SG) Level Trips
    • High Pressurizer Pressure Trip
  • Engineered Safety Features Actuation System
    • AFAS on Low SG Level Trips
  • Supplementary Protection System
    • High-High Pressurizer Pressure Trip
  • Diverse Turbine Trip
    • CEDM Power Bus Undervoltage Trip

Reactor Protective System

The RPS initiates a reactor trip to protect the Reactor Coolant System (RCS) pressure boundary in the event of high pressurizer pressure or low steam generator level (conditions indicative of an ATWS). The high pressurizer pressure and low steam generator level trips are provided to trip the reactor when measured pressurizer pressure and steam generator level reach a preset value. The high pressurizer pressure trip is designed to occur at a setpoint of less than or equal to 2383 pounds per square inch absolute (psia) and the low steam generator level trip is designed to occur with a trip setpoint of greater than or equal to 44.2 percent (%) wide range (WR) level indication. The RPS setpoints are specified in the UFSAR, Section 7.2.1.1.1, Trips, and are consistent with the allowable values in the Technical Specifications (TS). The system consists of sensors, bistables, bistable relays, matrix relays, initiation relays, and actuation devices.

Four independent channels of the RPS normally monitor each of the selected plant parameters. The RPS logic is designed to initiate protective action whenever the signals of any two channels of a given parameter reach the preset limit. Should this occur, the power supplied to the CEDM is interrupted, releasing the Control Element Assemblies (CEA), which drop into the core to shut down the reactor. The two-out-of-four logic can be converted to two-out-of-three logic to allow one channel to be bypassed for testing maintenance or operation.

The CPCs provide inputs to the RPS by actuating the appropriate RPS bistable relays when calculated core peak local power density (LPD) and/or calculated departure from nucleate boiling ratio (DNBR) reaches a preset value. The CPCs have several trip functions that monitor parameters to limits other than Low DNBR or High LPD. These trip functions are called auxiliary trips and, if a trip is generated, the DNBR and LPD trip contact outputs are set. These auxiliary trips include monitoring of RCS pressure (condition indicative of an ATWS) to ensure it does not exceed the allowable range.

The CPC auxiliary trip setpoints for RCS pressure are a high pressure auxiliary trip set to less than 2388 psia and a low pressure auxiliary trip set to greater than or equal to 1860 psia.

Engineered Safety Features Actuation System

The ESFAS operates in a manner similar to the RPS to automatically actuate the ESF Systems. The ESFAS generates an AFAS in the event of low steam generator level.

The low steam generator level trip is designed to occur with a trip setpoint of greater than or equal to 25.8% WR level indication. The ESFAS has a selective two-out-of-four actuation logic that can be converted to a selective two-out-of-three logic. The ESFAS is completely independent of the control systems. The system utilizes the outputs from RPS sensors to actuate the AFAS specific bistables, bistable relays, matrix relays, initiation relays, and actuation devices.

Supplementary Protection System

This diverse reactor trip system augments the RPS by utilizing an independent and diverse trip logic (relative to the RPS) for initiation of a reactor trip. The SPS provides a simple, reliable, and diverse mechanism to increase the reliability of a reactor trip when the pressurizer pressure exceeds a predetermined value. The existing SPS is a four-channel safety grade system which is independent and diverse from the CPCs, RPS (up to the final actuation device), and the AFAS. The final actuation devices for the SPS safety grade reactor trip are the reactor trip breakers which are also actuated by an RPS trip signal.

The SPS, with the DSS Modification, provides a turbine trip initiation that is diverse and independent from the reactor trip system. The SPS causes a reactor trip by interrupting power to the CEA common power bus. Upon interruption of this power, undervoltage relays attached to the bus de-energize, causing actuation of the turbine trip circuitry. The turbine trip is initiated from both the existing RPS and through the diverse modified SPS.

The SPS utilizes four identical channels which are referred to as the Supplemental Protection Logic Assemblies (SPLAs). The SPS uses the SPLAs in a two-out-of-four logic to interrupt the power supplied by the CEDMs and thereby causes a reactor trip.

The output logic is used to open one of the two RPS motor generator set output contactors. Both contactors must open to remove power from the CEA, causing a reactor scram. The SPS trip setpoint is set above the RPS high pressurizer pressure trip setpoint which permits the RPS to be initiated first. The SPS will initiate a reactor trip when pressurizer pressure exceeds a predetermined setpoint of less than or equal to 2409 psia. The SPS setpoint is specified in the UFSAR, Section 7.2.1.1.1, Trips.

Diverse Turbine Trip

The DTT system is essentially an extension of the SPS. The DTT is a control-grade system that senses CEDM power bus under voltage. When the DSS causes a reactor scram, power is interrupted to the CEDM coils upstream of the control rod power bus under voltage relays. The de-energizing of these under voltage relays actuates the turbine trip circuitry. The components that are unique to the DTT (i.e., under voltage relays, trip relays, master trip relays, and the master solenoid) do not appear in any of the RTS trip paths.

4.5 Manual Actuation of Auxiliary Feedwater

The PVNGS Standard Post Trip Actions (SPTAs) identify operator actions, including immediate actions, which must be accomplished following an automatic or manually initiated reactor trip and the Diagnostic Actions necessary to determine a preliminary diagnosis of the event(s). The SPTAs are based in part on CEN-152, the generic technical guideline described in NUREG-0899. The SPTAs are organized around those critical safety functions which must be satisfied when a reactor trip is actuated or required to ensure that the plant is placed in a stable, safe condition or that the plant is configured to further respond to a continuing casualty. The safety functions in the SPTAs are organized in the following manner:

1. Reactivity Control
2. Maintenance of Vital Auxiliaries
3. RCS Inventory Control
4. RCS Pressure Control
5. Core Heat Removal
6. RCS Heat Removal
7. Containment Isolation
8. Containment Temperature and Pressure Control

In the PVNGS SPTAs, the operator is given specific, unambiguous acceptance criteria which can be evaluated without interpolation directly from the control room instruments. These criteria are located under the INSTRUCTIONS heading. These criteria bound the expected conditions that would follow a reactor trip. Thus, checking the acceptance criteria serves two purposes: First, if the acceptance criteria are met, then this serves as a verification that the safety function is being fulfilled; second, meeting all the acceptance criteria is a diagnostic indicator that nothing more than a relatively uncomplicated reactor trip has occurred. If the acceptance criteria are not met, then the operator performs the appropriate actions located under the CONTINGENCY ACTIONS heading.

The DAFAS is designed to address the unique situation that an ATWS with SPS actuation, combined with a low steam generator level signal has occurred with a failure of AFAS to actuate. This scenario addresses the potential for a common cause failure of both trains of AFAS postulated in the ATWS rulemaking in the mid-1980s.

The SPS augments reactor protection by utilizing a separate and diverse trip logic from the RPS for initiation of reactor trip to satisfy the Reactivity Control safety function. The SPS directly addresses the common cause failure potential of the RPS to trip the reactor in the ATWS rulemaking. APS is not seeking to change the SPS element of the PVNGS plant design and licensing basis.

The critical safety function applicable to this exemption request regarding the removal of the DAFAS from the PVNGS licensing basis is RCS Heat Removal. By design, the DAFAS plays a minor role in supporting the RCS Heat Removal safety function by means of an automatic action if plant conditions indicative of an ATWS are met. The RCS Heat Removal safety function ensures that there is adequate heat removal from the RCS via at least one steam generator (SG). The parameters associated with RCS Heat Removal are concerned mostly with the steam generators, which are the primary means of removing heat from the RCS. Steam generator level and pressure have the potential for change based on the supply of feedwater to the generators and the amount of heat being removed by the Steam Bypass Control System (SBCS) or the Atmospheric Dump Valves (ADVs).

DAFAS is an automatic system with no operator manual interface and, therefore, is transparent to the operating crews. Only the effect of the DAFAS or AFAS actuation or failure to provide makeup to the steam generators is monitored by the operators. The reliability of AFAS over the intervening almost 40-years of reactor operation since the ATWS rulemaking is addressed in the PRA and defense-in-depth sections of this submittal and is the primary basis for the exemption request.

The RCS Heat Removal acceptance criteria are provided in Table 4.5-1.

Table 4.5-1: RCS Heat Removal Acceptance Criteria

INSTRUCTIONS: Determine that RCS Heat Removal acceptance criteria are met by the following:

a. Check that at least one SG meets BOTH of the following conditions:
  • Level is 35% WR or more
  • Feedwater is restoring or maintaining level 45 - 60% NR [narrow range]

CONTINGENCY ACTIONS for a:

a.1 Restore and maintain level in at least one SG 45 - 60% NR.

b. Check that Tc is 560 - 570°F

CONTINGENCY ACTIONS for b:

b.1 IF Tc is greater than 570°F, THEN perform the following:
1) Ensure that feedwater is being restored to at least one SG.
2) Restore Tc to 560 - 570°F using SBCS or ADVs.

b.2 IF Tc is less than 560°F, THEN perform the following:
1) Ensure feed flow is NOT excessive.
2) Ensure SG Blowdown is isolated.
3) Restore Tc to 560 - 570°F using SBCS or ADVs.
4) IF MSIS [Main Steam Isolation Signal] has actuated AND the cooldown terminates, THEN stabilize Tc using ADVs.
5) IF AFAS has actuated, AND at least one SG level is 10% WR [wide range] or more, THEN override and throttle Auxiliary Feedwater to maintain Tc 560 - 570°F.

c. Check that SG pressure is 1140 - 1200 psia

CONTINGENCY ACTIONS for c:

c.1 IF SG pressure drops to the MSIS setpoint, THEN ensure MSIS has actuated.

c.2 IF SG pressure is less than 1140 psia, THEN perform the following:
1) Ensure the SBCS valves are closed.
2) Ensure the ADVs are closed.

c.3 IF SG pressure is greater than 1200 psia, THEN restore and maintain SG pressure to less than 1200 psia using SBCS or ADVs.

If a safety function is not satisfied, the operating crew [Reactor Operators (At-the-Controls Operator and Balance-of-Plant Operator), and Control Room Supervisor (CRS)] takes prompt action to restore the safety function. While there is no time limit for how long a parameter is allowed to be outside the acceptance criteria, restoring a safety function is high priority and the operating crew actively uses all available resources to restore the safety functions as soon as possible. If steam generator levels are not greater than the prescribed level and being restored or maintained to the normal band by the main feedwater system, the operators will attempt to restore feedwater. The feedwater recovery steps in the SPTAs are limited to those actions that can be attempted from the Control Room.

To maintain steam generator level, the general priorities for restoration of auxiliary feedwater to the steam generators from the Control Room are as follows (listed in order of preference):

  • AFN-P01 [N Auxiliary Feedwater Pump (Class 1E motor-driven)]
  • AFB-P01 [B Auxiliary Feedwater Pump (Class 1E motor-driven)]
  • AFA-P01 [A Auxiliary Feedwater Pump (turbine-driven)]

It is expected that both steam generators are available for heat removal following a relatively uncomplicated reactor trip. The operators ensure that at least one operable steam generator is available for removing heat. The operators ensure that automatic or manual control of feedwater is capable of restoring and maintaining at least one steam generator to the required level band. Adequate RCS heat removal is maintained if at least one steam generator is available for removing heat (i.e., indicated level and capable of feed and steam flow). When manually feeding steam generators, the operators ensure that an inadvertent RCS cooldown or heatup, with subsequent pressurizer level and pressure transients, or an inadvertent overfilling of the steam generators are avoided. Steam generator levels are increased at a rate consistent with decay heat steaming requirements to maintain the desired RCS temperatures.

Additionally, if one or more safety functions did not meet the acceptance criteria in the SPTAs, then the CRS is directed to perform Diagnostic Actions. The intent of the Diagnostic Actions is to formally diagnose the event using a Diagnostic Flowchart to determine which Emergency Operating Procedure [i.e., optimal recovery procedure (single event is diagnosed) or functional recovery procedure (more than one event is diagnosed)] to implement upon exiting the SPTAs to best mitigate an event which resulted in a reactor trip. The Optimal recovery procedure (ORP) that is entered if at least one steam generator does not have adequate feed is a Loss of All Feed (LOAF).

The goals of the LOAF procedure are to mitigate the effects of a LOAF, maintain the plant in hot standby (or hot shutdown), to establish shutdown cooling entry conditions while minimizing radiological releases to the environment, and maintaining adequate core cooling.

If a lack of adequate steam generator inventory occurs, procedural guidance is available to operators to restore and maintain at least one steam generator to 45 - 60% narrow range (NR) by obtaining an adequate feed rate. The emergency operating procedures (EOPs) generally consider a lack of adequate steam generator inventory when the water level is below 0% WR (below any Control Room indication).

An actual lack of adequate steam generator inventory condition would be indicated by a lowering of steam generator steam pressure, accompanied by a rise in reactor coolant temperature and pressure.

The operators are frequently trained on each success path when it comes to the restoration of feed and continue to pursue the success paths even if a lack of adequate steam generator inventory occurs. The LOAF procedure provides additional defense-in-depth mitigation strategies that are available to mitigate a loss of feedwater event in addition to the three auxiliary feedwater pumps that would be operated during SPTAs, such as condensate pumps and fire protection water.

A deterministic computer code engineering evaluation was performed to provide insight into the beyond design basis case of a Loss of Normal Feedwater (LONF) flow accident sequence occurring coincident with a trip on SPS high-high pressurizer pressure, no AFAS-1 and AFAS-2 occurring, and no DAFAS. The event was analyzed under two pairs of transients. This deterministic analysis began with a simultaneous loss of both main feedwater pumps as the initiating event. The deterministic results identify that whether DAFAS is activated or not, the maximum RCS pressure is reached early in the transient and is not affected by the timing of auxiliary feedwater reaching the steam generators.

In addition, RCS pressure during the deterministic computer code engineering evaluation remained well below the pressure limit corresponding to the ASME Boiler & Pressure Vessel Code Level C service limit criterion (approximately 3200 psi) that was originally very conservatively assumed by the ATWS Task Force in the original development of the ATWS rulemaking. The maximum RCS pressure (2624 psia) remained bounded by the most limiting case in the UFSAR Chapter 15, a Loss of Condenser Vacuum (LOCV) combined with a single failure. In the LOCV case, the peak RCS pressure is documented to be 2745 psia which is less than 110% (2750 psia) of the RCS design pressure (2500 psia). At PVNGS 2750 psia is also the Technical Specification 2.1.2 RCS pressure Safety Limit.

A lack of adequate steam generator inventory can be identified and responded to by operators using the appropriate EOPs. The SPTAs and EOPs ensure that we methodically address each safety function to ensure abnormalities are identified promptly. Operators are trained on the use of both SPTAs and EOPs.

The effectiveness of operator training is evident from the simulator runs recently performed for the postulated loss of feedwater event, that also prevented the automatic RPS trips, in support of this exemption request. Without advance knowledge of the scenario, two licensed operating crews successfully identified the need for and manually actuated auxiliary feedwater for a failure of automatic AFAS and DAFAS to operate, in the simulator. Both crews identified the transient and manually tripped the reactor after receiving a loss of both main feedwater pumps, prior to the expected automatic actuation of the SPS.

The SPTAs were entered and addressed the Reactivity Control safety function. After addressing this safety function, the Balance-of-Plant (BOP) Reactor Operator recommended transitioning to N Auxiliary Feedwater Pump for RCS Heat Removal.

After recommending transitioning to the N Auxiliary Feedwater Pump, one crew started the N Auxiliary Feedwater Pump from the Control Room, while the other crew noticed that the AFAS setpoint had been exceeded and manually initiated AFAS 1 and 2 before manually starting the N Auxiliary Feedwater Pump from the Control Room.

The simulator runs indicate that operator training and plant procedures ensure auxiliary feedwater will be delivered to the steam generators, and that the manual actuation of auxiliary feedwater through the SPTAs and EOPs provides a diverse means of event mitigation.

4.6 Integrated Decision-Making Panel (IDP) Process

APS implemented the RIPE process into station procedure, Integrated Decision-Making Panel Composition, Training and Qualification Requirements, in accordance with Enclosure 1 of NEI 21-01 (Reference 4). The changes to the procedure included the following:

  • The IDP is composed of a group of at least five experts who have plant-specific knowledge and experience. The minimum quorum requirements for the RIPE IDP meetings will be composed of a group with joint expertise in the following fields: Plant Operations, Design Engineering, PRA Engineering, System Engineering, Safety Analysis, and Licensing.
  • The IDP is trained in the specific requirements related to the RIPE process. Training addressed, at a minimum, the purpose of the safety impact determination, the RIPE process, the risk-informed defense-in-depth philosophy and criteria to maintain this philosophy; PRA fundamentals including details of the plant-specific PRA analyses that are relied upon for the preliminary categorization (including the modeling scope and assumptions), interpretation of risk importance measures, and the role of sensitivity studies and change in risk evaluations; and the IDP process, including roles and responsibilities.
  • The decision criteria for the IDP are documented in a RIPE package. Decisions of the IDP are arrived at by consensus. Differing opinions are documented and resolved, if possible. However, a simple majority of the panel is enough for final decisions regarding the safety impact of the issues.

4.7 IDP Results

An IDP meeting for the removal of the DAFAS from the PVNGS licensing basis was held on September 30, 2021. The IDP determined the removal of the DAFAS from the licensing basis is considered a low safety impact and the issue may be submitted to the NRC for expedited review. The IDP evaluation results are documented in of this enclosure.

Summary of Changes Based on IDP Comments

The nine methods to restore feedwater to at least one steam generator are included in Attachment 1 for the minimal impact screening question #5.

Included a discussion of the manual actuation of auxiliary feedwater in Section 4.5 of this enclosure and added extensive information about SPTAs, LOAF, and Functional Recovery opportunities to restore feedwater to Attachment 1 for the minimal impact screening questions.

As a result of incorporating the IDP comment regarding truncation values, the delta CDF and LERF values have been updated based on the PRA results in Section 4.3 and Attachment 2 of this enclosure.

The detailed historical performance review is documented in Section 4.3, Reliability, and Attachment 1 provides evidence of the high reliability and capability of both the RPS and ESFAS to perform their automatic functions upon demand.

Based upon the high reliability of RPS and ESFAS, which ensure automatic actuation of auxiliary feedwater, demonstration of operator proficiency on the simulator and robust EOPs and training, it was decided that no formal time critical operator actions were required to support the conclusion that the RIPE process could be used for this exemption request. Further detail is provided in, response to Question 5 of the Screening for Minimal Impact.

The special circumstances for 50.12 were modified from 10 CFR 50.12(a)(2)(ii), Underlying Purpose, to 10 CFR 50.12(a)(2)(iii), Undue Hardship.

The resolution to the action items from the IDP meeting are complete and documented in the PVNGS Corrective Action Program (CAP).


5.0 REGULATORY EVALUATION

5.1 Justification for Exemption and Special Circumstances

In accordance with 10 CFR 50.12, the Commission may, upon application by any interested person or upon its own initiative, grant exemptions from the requirements of the regulations of Part 50 which are authorized by law, will not present an undue risk to the public health and safety, and are consistent with the common defense and security. 10 CFR 50.12 also states that the Commission will not consider granting an exemption unless special circumstances are present. As discussed below, this exemption request satisfies the provisions of Section 50.12.

The exemption is authorized by law

The NRC has authority under the Atomic Energy Act of 1954, as amended, to grant exemptions from its regulations if doing so would not violate the requirements of law.

10 CFR 50.12 allows the NRC to grant exemptions from the requirements of 10 CFR Part 50 with provision of proper justification. Approval of the exemption from 10 CFR 50.62(c)(1) would not result in a violation of the Atomic Energy Act of 1954, as amended. Therefore, the exemption is authorized by law.

The exemption will not present an undue risk to public health and safety

Removal of the Diverse Auxiliary Feedwater Actuation System (DAFAS) from the Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3 licensing basis has been evaluated in accordance with Nuclear Energy Institute (NEI) 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations (Reference 4). The Risk-Informed Process for Evaluations (RIPE) method described in NEI 21-01 was used, and it determined that the removal of the DAFAS from the PVNGS Units 1, 2, and 3 licensing basis is adverse, but considered to have minimal impact on safety. As discussed in this request, the probabilistic risk assessment (PRA) and engineering analysis demonstrate that the calculated risk is not risk-significant (i.e., minimal or less than minimal) and consistent with the intent of the Commission's safety goal policy statement, which defines an acceptable level of risk that is a small fraction of other risks to which the public is exposed.

Therefore, removing the DAFAS from the licensing basis using the RIPE will not present an undue risk to the public health and safety.

The exemption is consistent with the common defense and security

Use of the RIPE to remove the requirement for the DAFAS from the PVNGS licensing basis will not affect plant operations and is consistent with common defense and security. Therefore, the common defense and security are not impacted by this exemption.

Special circumstances

In accordance with 10 CFR 50.12(a)(2), the NRC will not consider granting an exemption to its regulations unless special circumstances are present. Special circumstances are present as discussed below.

10 CFR 50.12(a)(2)(iii): Compliance would result in undue hardship or other costs that are significantly in excess of those contemplated when the regulation was adopted

The anticipated transients without scram (ATWS) Rule was intended to require plant modifications to reduce the frequency of ATWS induced core damage and minimize the consequences of an ATWS event. The modifications required equipment/systems to be diverse and capable of preventing or mitigating the consequences of an ATWS event. The diversity required by the ATWS Rule was intended to ensure that common mode failures would not affect the capability of ATWS prevention and mitigation system(s) equipment to perform its design function. In developing the final ATWS Rule, the NRC staff used a combination of PRA techniques and engineering judgment.

As part of the decision process, a value-impact (i.e., benefit/cost) analysis was performed on a reactor manufacturer generic basis. The value-impact formed the basis to reduce the probability of common-mode failures affecting the reactor trip system and certain systems relied upon to mitigate an ATWS event. The Final Rule Statements of Consideration (49FR26038, dated June 26, 1984) regarding the value of the DAFAS is shown below in bold.

Diverse and Independent Auxiliary Feedwater Initiation and Turbine Trip for PWRs: § 50.62(c)(1)

This was proposed by the Utility Group on ATWS. It consists of equipment to trip the turbine and initiate auxiliary feedwater independent of the reactor trip system. It has the acronym AMSAC, which stands for Auxiliary (or ATWS) Mitigating Systems Actuation Circuitry. It has a highly favorable value/impact for Westinghouse plants and a marginally favorable value/impact for Combustion Engineering and Babcock and Wilcox plants. Since it has the potential for a spurious trip of the reactor which reduces its value/impact, it should be designed to minimize these trips.

Compliance with 10 CFR 50.62(c)(1) would result in undue hardship. The hardship arises because the vendor for the DAFAS Modicon programmable logic controllers (PLCs), displays, and associated equipment is no longer in business, so replacement parts are no longer available. The vendor supplied a proprietary platform for the Modicon PLC, and because of the age of the system, replacement parts from another vendor are not an option. The DAFAS design using Modicon PLC is unique to PVNGS.

The maintenance associated with the DAFAS requires significant engineering resources to reverse engineer components, and fiber optic communication problems are affecting system availability.

The RIPE provides a risk-informed method that leverages the safety enhancements available using Probabilistic Risk Assessment (PRA), to effectively disposition issues of very low safety significance that are within the licensing basis of a plant.

The PRA results indicate that the risk impact of removing the DAFAS is a 5.0x10^-9/year increase in Core Damage Frequency (CDF) and a 1.4x10^-10/year increase in Large Early Release Frequency (LERF). The cumulative risk for removing the DAFAS is 5.5x10^-5/year in CDF and 9.5x10^-6/year in LERF. The proposed change to remove the requirement for the DAFAS from the PVNGS Units 1, 2, and 3 licensing basis reduces the diversity to initiate auxiliary feedwater; however, based on core damage and large early release frequency results, the removal of the DAFAS from the licensing basis does not reduce the reliability of the Auxiliary Feedwater (AF) System.

The use of RIPE confirms that removing the DAFAS from the licensing basis screened in as adverse, but is considered to have a minimal impact on safety. The DAFAS is not credited in the Updated Final Safety Analysis Report (UFSAR) Chapter 15 accident analysis for actuating auxiliary feedwater to remove residual decay heat. The AFAS and the AF system are unaffected by the removal of the DAFAS from the licensing basis. The PRA analysis demonstrates the DAFAS is not risk-significant and that the existing PVNGS design, as described in the UFSAR, is designed to protect the plant and mitigate the consequences of the ATWS event.

PVNGS also considered two other options as potential solutions for the DAFAS: 1) replace the DAFAS with a new system design, or 2) replace the DAFAS under 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors. However, both options were considered cost prohibitive. The resources (i.e., cost and time) associated with maintaining or replacing the DAFAS are not commensurate with its safety significance and present an undue hardship for compliance with 10 CFR 50.62(c)(1).

Therefore, the removal of the DAFAS from the PVNGS Units 1, 2, and 3, licensing basis represents undue hardship. Thus, special circumstances are present which the NRC may consider, pursuant to 10 CFR 50.12(a)(2)(iii), to grant the exemption request.

5.2 Precedent

A precedent has not been established for use of the RIPE process; however, the following guidance documents describe an approach that is acceptable to the NRC for developing a risk-informed exemption request:

• NEI 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, dated April 2021 (Reference 4), and
• NRC, Guidelines for Characterizing the Safety Impact of Issues, Revision 1, dated June 2021 (Reference 5)

6.0 ENVIRONMENTAL ASSESSMENT

The proposed exemption meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(25), because the proposed exemption involves: (i) no significant hazards consideration; (ii) no significant change in the types or significant increase in the amounts of any effluents that may be released offsite; (iii) no significant increase in individual or cumulative public or occupational radiation exposure; (iv) no significant construction impact; (v) no significant increase in the potential for or consequences from radiological accidents; and (vi) the requirements from which the exemption is sought involve inspection or surveillance requirements, equipment servicing or maintenance scheduling requirements. Therefore, in accordance with 10 CFR 51.22(b), no environmental impact statement or environmental assessment needs to be prepared in connection with the proposed exemption.

No Significant Hazards Consideration Determination

Arizona Public Service Company (APS) has evaluated whether or not a significant hazards consideration is involved with the proposed exemption by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment, as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change to allow an exemption from 10 CFR 50.62(c)(1) to implement a risk-informed evaluation methodology does not initiate an accident and therefore, the proposed change does not increase the probability of an accident occurring. The risk evaluation concludes that the risk associated with the proposed change is very small and within Region III as defined by Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3 (Reference 6), for both core damage frequency (CDF) and large early release frequency (LERF). As a result, the required systems, structures, and components (SSCs) used to mitigate the consequences of an anticipated transients without scram (ATWS) event will perform their safety functions with a high probability, and the proposed change does not alter or prevent the ability of SSCs to perform their intended function to mitigate the consequences of an accident previously evaluated within the acceptance limits. The safety analysis acceptance criteria continue to be met for the proposed change. Additionally, in accordance with the guidance of RG 1.174, there is substantial safety margin and defense-in-depth that provide additional confidence that the design-basis functions are maintained.

Therefore, the proposed exemption does not result in a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change to allow an exemption from 10 CFR 50.62(c)(1) to implement a risk-informed evaluation methodology to remove the requirement for the Diverse Auxiliary Feedwater Actuation System (DAFAS) from the Palo Verde Nuclear Generating Station (PVNGS) licensing basis does not initiate an accident and therefore, the proposed change does not increase the probability of an accident occurring. The proposed change does not introduce any changes or mechanisms that create the possibility of a new or different kind of accident.

Equipment important to safety will continue to operate as designed.

The accidents and events previously analyzed remain bounding. Therefore, the proposed exemption does not create the possibility of a new or different kind of accident from any previously evaluated.


3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed change does not affect any safety limits or limiting conditions for operation used to establish safety margin. The safety margins included in the analyses of accidents are not affected by the proposed change. The setpoints at which protective actions are initiated are not altered by the proposed change.

There are no new or significant changes to the initial conditions contributing to accident severity of consequences. The proposed exemption will not affect the plant protective boundaries, will not cause a release of fission products to the public, nor will it degrade the performance of any other structures, systems or components important to safety.

Therefore, the proposed exemption does not involve a significant reduction in a margin of safety.

APS concludes that the proposed exemption does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

There are no expected changes in the types, characteristics, or quantities of effluents discharged to the environment associated with the proposed exemption. There are no materials or chemicals introduced into the plant that could affect the characteristics or types of effluents released offsite. In addition, the method of operation of waste processing systems will not be affected by the exemption. The proposed exemption will not result in changes to the design basis requirements of SSCs that function to limit or monitor the release of effluents. The SSCs associated with limiting the release of effluents will continue to be able to perform their functions. Therefore, the proposed exemption will result in no significant change to the types or significant increase in the amounts of any effluents that may be released offsite.

Approval of the exemption requires the calculated risk associated with removing the DAFAS from the licensing basis to meet the acceptance guidelines in NEI 21-01 (Reference 4), thereby maintaining public health and safety. Therefore, there is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

There is no significant increase in individual or cumulative public or occupational radiation exposure

The exemption will result in no expected increases in individual or cumulative occupational radiation exposure on either the workforce or the public. No new operator actions are implemented that could affect occupational radiation exposure.

There are no expected changes in normal occupational doses. Likewise, the dose of the postulated accident is not impacted by the proposed exemption.

There is no significant construction impact

No construction activities are associated with the proposed exemption.

There is no significant increase in the potential for or consequences from radiological accidents

See the no significant hazards considerations discussion above.

Requirements from which exemption is sought involve inspection or surveillance requirements, equipment servicing or maintenance scheduling requirements

The requirement from which the exemption is sought involves inspection and maintenance requirements as defined in 10 CFR 50, Appendix B, and 10 CFR 50.62(c)(1).

7.0 CONCLUSION

The use of RIPE confirms that removing the DAFAS from the PVNGS licensing basis screened in as adverse, but is considered to have a minimal impact on safety. The calculated risk associated with removing the DAFAS from the licensing basis meets the acceptance guidelines in both NEI 21-01 and RG 1.174. In conclusion, based on the considerations discussed above, the exemption request is permissible under 10 CFR 50.12 because it is authorized by law, will not present undue risk to the health and safety of the public, is consistent with the common defense, and presents special circumstances.


8.0 REFERENCES

1. SECY-83-293, Amendments to 10 CFR 50 Related to Anticipated Transients Without Scram (ATWS) Events, dated July 19, 1983
2. Compliance With the Anticipated Transients Without Scram (ATWS) Rule - Palo Verde Nuclear Generating Station (PVNGS) Units Nos. 1, 2, and 3 (TAC Nos. 59124, 62698, and 67168), Letter, S. R. Peterson (NRC) to W. F. Conway (PVNGS), October 18, 1990
3. Ho K. Nieh, to Craig G. Erlanger, January 7, 2021, Approval of the Risk-Informed Process for Evaluations, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Agencywide Documents Access and Management System (ADAMS) Accession No. ML21006A324
4. NEI 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, dated April 2021
5. NRC, Guidelines for Characterizing the Safety Impact of Issues, Revision 1, dated June 2021 (ADAMS Accession No. ML21180A014)
6. Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3
7. Nuclear Energy Institute (NEI) Topical Report NEI 06-09, (Revision 0)-A, Risk-Informed Technical Specification Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines
8. NEI 00-04, Revision 0, 10 CFR 50.69 SSC Categorization Guideline, Revision 0, which was endorsed by the NRC in Regulatory Guide 1.201, Guidelines for Categorizing Structures, Systems, and Components in Nuclear Power Plants According to their Safety Significance, Revision 1
9. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments 207, 207, and 207 to Adopt 10 CFR 50.69, Risk-Informed Categorization and Treatment of Structures, Systems and Components for Nuclear Power Reactors (ADAMS Accession No. ML18243A280), dated October 10, 2018
10. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments 209, 209, and 209, Re: Adoption of Risk-Informed Completion Times in Technical Specifications (ADAMS Accession No. ML19085A525), dated May 29, 2019
11. RG 1.200, Revision 0, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, February 2004 (ADAMS Accession No. ML040630078)
12. RG 1.200, Revision 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, March 2009 (ADAMS Accession No. ML090410014)
13. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments 180, 180, 180, Re: Changes To Technical Specification 3.8.7, Inverters-Operating (ADAMS Accession No. ML102670352), dated September 29, 2010
14. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments 188, 188, 188, Re: Adoption of TSTF-425, Revision 3, Relocate Surveillance Frequencies to Licensee Control RITSTF Initiative 5b (ADAMS Accession No. ML112620293), dated December 15, 2011
15. ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, dated February 2009.
16. ABS Consulting Report R-3882824-2037, Palo Verde Generating Stations PRA Finding Level Fact and Observation Closure Review, June 23, 2017
17. ABS Consulting, Palo Verde Generating Station Probabilistic Risk Assessment Focused-Scope Peer Review, R-4076030-2073, June 21, 2018
18. ABS Consulting, Palo Verde Generating Station Probabilistic Risk Assessment Focused-Scope Peer Review, R-4369996-2141, June 23, 2020
19. ABS Consulting, Palo Verde Generating Station Probabilistic Risk Assessment Finding Level Fact and Observation Closure Review, R-3882824-2037, June 25, 2018
20. ABS Consulting, Palo Verde Generating Station Probabilistic Risk Assessment Finding Level Fact and Observation Closure Review, R-4369996-2142, June 23, 2020
21. NEI 12-13, External Hazards PRA Peer Review Process Guidelines, August 2012 (ADAMS Accession No. ML12240A027)
22. RG 1.200, Revision 3, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, December 2020 (ADAMS Accession No. ML20238B871)
23. CEN-327A, RPS/ESFAS Extended Test Interval Evaluation, CE Owners Group, May 1986

Enclosure Attachment 1 Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations 1

ATTACHMENT 1:

Evaluation of Screening Impact


NEI 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations, dated April 2021, and the NRC, Guidelines for Characterizing the Safety Impact of Issues, Revision 1, dated June 2021, provide the screening questions for no impact and minimal impact for the Risk-Informed Process for Evaluations (RIPE). The screening for no impact involves addressing the following set of questions in Step 1:

Step 1 - Screening for No Impact

If the responses to the above questions are no, the issue screens to no impact.

However, if any of the responses to these questions are yes, the following set of questions in Step 2 determine if the magnitude of the adverse impact on safety identified in Step 1 screening questions is minimal:

Step 2 - Screening for Minimal Impact

If the responses to the questions in Step 2 are no, the issue screens to minimal impact. However, if any of the responses to these questions are yes, the issue has a more than minimal impact on safety.

For PVNGS, the responses to the screening questions for no impact (Step 1) do result in an adverse impact. Specifically, an adverse impact was identified for questions 2, 3 and 5. The result of the screening questions for minimal impact (Step 2) was that all adverse impacts identified were determined to be minimal impacts.

Therefore, the result of the PVNGS screening questions contained in this attachment confirms that removing the DAFAS from the licensing basis screened in as adverse, but is considered to have a minimal impact on safety.


Step 1 - Screening for No Impact

1. Does the issue result in an adverse impact on the frequency of occurrence of an accident initiator or result in a new accident initiator?

Response: No.

The DAFAS is designed to monitor plant conditions and automatically actuate auxiliary feedwater during conditions indicative of an ATWS event and steam generator low level conditions if the primary means of providing auxiliary feedwater fails to actuate. While the system is designed with features to minimize inadvertent actuations, it is required to assume that DAFAS will fail to a mode which will result in a DAFAS actuation signal at the system level.

If an inadvertent actuation were to occur, thus initiating auxiliary feedwater flow, an increase in feedwater flow to the steam generator secondary side could result.

An increase in feedwater flow is considered in the accident analysis of the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow, and the presence of the DAFAS increases the probability of the occurrence of the event.

As such, the issue of removing the requirement of the DAFAS from the PVNGS licensing basis will allow for a lower probability of occurrence of this accident initiator. This is a beneficial effect of the proposed exemption. No new accident initiators were identified.

2. Does the issue result in an adverse impact on the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a transient, accident, or natural hazard?

Response: Yes.

The DAFAS is designed to meet the intent of 10 CFR 50.62 and is diverse and independent from the existing reactor protective system. The DAFAS automatically initiates auxiliary feedwater flow upon conditions indicative of an ATWS combined with selective low steam generator level signals. The DAFAS is not relied upon for the UFSAR Chapter 15 accident conditions. However, the issue of removing the requirement of the DAFAS from the PVNGS licensing basis does result in an adverse impact in that there is zero availability for an automatic diverse auxiliary feedwater actuation if the conditions (ATWS combined with low steam generator level) required for an actuation were present.

This issue does not affect the availability, reliability, or capability of the AF and ESFAS functions for providing AFAS-1 and AFAS-2, which are the primary means of providing feedwater due to low steam generator level. The RPS and SPS are also not affected.

3. Does the issue result in an adverse impact on the consequences of an accident sequence?

Response: Yes.

Chapter 15 of the UFSAR does not include safety analyses for ATWS events. This means the DAFAS is not considered for any of the UFSAR Chapter 15 accident sequences. Some considerations are still required to be made regarding accident sequences:

The UFSAR, Section 7.3.5.1.11, Inadvertent Actuation, and Section 7.3.5.4.2, DAFAS Inadvertent Actuation, detail inadvertent DAFAS actuation. Although unlikely, the DAFAS has a postulated failure mode such that if an inadvertent actuation of the DAFAS were to occur, thus initiating auxiliary feedwater flow, an increase in feedwater flow to the steam generator secondary side could result. An increase in main feedwater flow accident is defined in the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow, and the issue of removing the requirement of the DAFAS from the PVNGS licensing basis will result in a lower probability of occurrence of an increase in main feedwater flow event.

This is a beneficial effect of the proposed exemption.

The DAFAS actuation partially mitigates the consequence of an ATWS event.

The scenario is a high RCS pressure due to reduced heat removal through the steam generators. The DAFAS actuation is provided following an ATWS if the normal means of auxiliary feedwater did not actuate due to low steam generator level. An ATWS is characterized as an Anticipated Operational Occurrence (such as loss of main feedwater), coincident with a failure of the RPS to initiate a reactor trip. Failure of the RPS is indicated by a reactor trip initiated on high-high pressurizer pressure by the SPS. In the specific case of an ATWS event that requires auxiliary feedwater (i.e., AFAS did not actuate), removing the requirement of the DAFAS from the PVNGS licensing basis is an adverse impact to the currently assumed ATWS accident sequence.

Accident consequences are often quantified in terms of public dose; however, the proposed rulemaking for ATWS made clear that Applicants or licensees are not required to calculate the potential offsite radiological doses resulting from an anticipated transient without scram event under § 100.11 of this chapter. This is based upon the following from the Statements of Consideration (46FR57524, dated November 24, 1981):

In formulating the proposed rule, the Commission has considered the need to compare for each plant the offsite doses that might result from ATWS events with 10 CFR Part 100 guidelines. Based on conservative generic calculations performed by the staff, there is reasonable assurance that calculated offsite doses from ATWS will be within the Part 100 dose guidelines if the acceptance criteria of the proposed rule are met.

Accordingly, the Commission has decided that applicants and licensees will not be required to calculate the potential offsite radiological doses resulting from an ATWS event under § 100.11.

4. Does the issue result in an adverse impact on the capability of a fission product barrier?

Response: No.

The PVNGS multiple fission product barriers are fuel cladding, RCS pressure boundary, and containment. Removal of the DAFAS from the licensing basis does not remove, reduce, or otherwise impact the existing PVNGS multiple fission product barriers.


Fuel Cladding:

An increase in main feedwater flow event in combination with an additional single failure (for example, a loss of power following turbine trip) is defined in the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow, and is classified as an infrequent event, which may result in limited fuel cladding degradation. The issue of removing the requirement of the DAFAS from the PVNGS licensing basis will allow for a lower probability of the occurrence of an increase in feedwater flow event that could result from an inadvertent actuation of the DAFAS. This is a beneficial effect of the proposed exemption.

RCS Pressure:

Given the accident analysis for the UFSAR Section 15.2.3, Loss of Condenser Vacuum, a maximum RCS pressure of 2745 psia occurs only seconds after the initiating events of a simultaneous LOCV, turbine trip, and main feedwater pump trip. The LOCV is the most limiting event in the UFSAR Chapter 15 for peak RCS pressure. The UFSAR, Table 15.2.3-1, Sequence of Events for the LOCV Primary Side Peak Pressure and Fuel Performance (DNBR) Event, defines the sequence of events in which maximum RCS pressure is reached in 9.6 seconds and an AFAS is credited to occur 62.9 seconds into the accident sequence. The AFAS occurs as the plant begins to cool down and depressurize.

While the DAFAS is not analyzed in Chapter 15 of the UFSAR, by system design, a diverse auxiliary feedwater actuation will not occur until after peak RCS pressure is reached. This is because auxiliary feedwater will not be initiated until the steam generator levels decrease below their pre-determined setpoint, which would occur well after peak RCS pressure is reached.

Since auxiliary feedwater does not directly minimize the postulated peak RCS pressure, there is no concern for an adverse impact to the capability of the RCS as a fission product barrier if the requirement for the DAFAS were removed from the PVNGS licensing basis. The SPS (also referred to as Diverse Scram System) remains in place to provide a redundant trip of the reactor in the event of a high-high pressurizer pressure condition, consistent with the requirements of the ATWS Rule.

Containment:

The DAFAS provides no function to preserve containment integrity. The issue of removing the requirement of the DAFAS from the PVNGS licensing basis will not affect the ability for the containment structure to act as a fission product barrier.

5. Does the issue result in an adverse impact on defense-in-depth capability or impact in safety margin?

Response: Yes.

Defense-in-depth is often characterized by varying layers of defense, each of which may represent conceptual attributes of nuclear power plant design and operation or tangible objects such as the physical barriers between fission products and the environment. The NRC implements defense-in-depth as four layers of defense that are a mixture of conceptual constructs and physical barriers (see NUREG/KM-0009, Historical Review and Observations of Defense-in-Depth, for further detail). For the purposes of Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, nuclear power plant defense-in-depth is taken to consist of layers of defense (i.e., successive measures) to protect the public:

• Robust plant design to survive hazards and minimize challenges that could result in an event occurring
• Prevention of a severe accident (core damage) if an event occurs
• Containment of the source term if a severe accident occurs
• Protection of the public from any releases of radioactive material (e.g., through siting in low-population areas and the ability to shelter or evacuate people, if necessary)

By design and requirement from the 10 CFR 50.62, ATWS Rule, the DAFAS is a defense-in-depth system which employs a diverse design to accomplish the function of providing auxiliary feedwater to the steam generators in the event of an ATWS event and low steam generator levels. As such, the proposed issue of removing the requirement of the DAFAS from the PVNGS licensing basis presents an adverse impact to defense-in-depth.


Step 2 - Screening for Minimal Impact

1. Does the issue result in more than a minimal increase in frequency of occurrence of a risk significant accident initiator or result in a new risk significant accident initiator?

Response: No.

Table A.1-1 provides a list of accident initiator categories that were evaluated and considered for risk significance concerning the role of the DAFAS. The term risk-significant refers to structures, systems, and components (SSCs) performing risk-significant functions, including nonsafety-related and safety-related SSCs and actions dependent on human performance. NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, provides specific guidance on risk-significant criteria. The potential for a more than minimal increase in the frequency of occurrence was considered for all categories to identify whether they could be affected by the removal of the DAFAS from the PVNGS licensing basis. The risk impact is based on the relative change in frequency associated with baseline CDF and LERF. Generally, items that are not risk-significant are those that contribute less than 1x10^-7/year and 1x10^-8/year for CDF and LERF, respectively.

Table A.1-1 provides typical accident initiators and operating modes (e.g., at power, low power, or shutdown conditions) that were considered for the potential to be affected by removing the requirement of the DAFAS from the PVNGS licensing basis.

Table A.1-1: Accident Initiator Categories

| Accident Initiator Categories | Risk Significant? | More than Minimal Increase? |
|---|---|---|
| Transients initiated by frontline systems | No | No. Identified a potential effect regarding an accident initiated by an increase in main feedwater flow event. This accident initiator category sees a reduced frequency of occurrence given the removal of the DAFAS from the PVNGS licensing basis. |
| Transients initiated by support systems | No | No. The DAFAS is not considered a support system. |
| Primary system integrity loss (e.g., SGTR, RCP seal LOCA, LOCA) | No | No. The DAFAS does not present any accident initiators that affect primary system integrity. |
| Secondary system integrity loss | No | No. The potential to affect secondary system integrity by allowing auxiliary feedwater to overfill the steam generators was considered here. This accident initiator category sees a reduced frequency of occurrence given the removal of the DAFAS from the PVNGS licensing basis. |
| Internal flooding | No | No. The DAFAS does not present any accident initiators that affect internal flooding. |
| Internal fires | No | No. The DAFAS does not present any accident initiators that affect internal fires. |
| Earthquakes | No | No. The DAFAS does not present any changes to external accident initiators. |
| External flooding | No | No. The DAFAS does not present any changes to external accident initiators. |
| Tornados and High Winds | No | No. The DAFAS does not present any changes to external accident initiators. |
| Other External Hazards | No | No. The DAFAS does not present any changes to external accident initiators. |

External hazard frequencies cannot be reduced or increased by a plant-initiated change. The removal of the requirement of the DAFAS from the PVNGS licensing basis presents no change to external hazards.

A PRA evaluation was performed in support of the RIPE process and concluded the final delta in CDF and LERF, quantified as the maximum risk benefit if the DAFAS were modeled in a PRA, to be 5.0x10^-9/year for CDF and 1.4x10^-10/year for LERF.

The overall conclusion of this risk assessment is that removing the DAFAS results in a change to the frequency of CDF and LERF that is within NRC guidelines for what is considered a minimal risk significant change to CDF and LERF. As such, the DAFAS is determined to have minimal risk significance. This risk assessment reviewed the top 100 baseline and the DAFAS sensitivity CDF and LERF cutsets to ensure those cutsets were minimal and consistent with expectations. The top one hundred CDF and LERF cutsets for the baseline case and the DAFAS sensitivity case were identical. This was expected because of the negligible relative change in CDF and LERF between the base cases and the DAFAS sensitivity cases.

The first item identified to be affected is transients initiated by frontline systems.

This accident initiator category was considered due to the design of the DAFAS and its frontline role in monitoring plant conditions and actuating auxiliary feedwater during conditions indicative of an ATWS event and steam generator low level conditions, in which AFAS had not actuated. If an inadvertent actuation were to occur, thus initiating auxiliary feedwater flow, an increase in feedwater flow to the steam generator secondary side could result.

An increase in feedwater flow is considered in the accident analysis of the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow. The UFSAR, Section 15.1.2, considers an increase in feedwater caused by inadvertent equipment malfunctions in the Feedwater Control System, resulting in the opening of feedwater control valves beyond their desired positions, or an increase in feedwater pump speed.

The maximum increase in feedwater flow that would result is estimated to be approximately 25% of the nominal main feedwater system flow rate at 100% power. Per the Feedwater System Design Basis Manual, Revision 15, the nominal feedwater flow rate at 100% power is rated for about 20,700 gpm per steam generator or 41,400 gpm to both generators. A 25% increase in the nominal flow rate to both steam generators would be 51,750 gpm for a delta of 10,350 gpm increase in flow to both steam generators.

Since it is assumed that the DAFAS can fail to a mode which will result in a DAFAS actuation, an increase in feedwater flow event would occur. The potential for the DAFAS to cause such an event and the resulting transient is not evaluated in Chapter 15 of the UFSAR. Regardless, the presence of the DAFAS increases the probability of the occurrence of such an event. The consequences of the event initiated by the DAFAS can be bounded by the existing UFSAR, Section 15.1.2, analysis. Per the Auxiliary Feedwater System DBM, Revision 26, both safety-related AF pumps, AFA-P01 and AFB-P01, are designed to each provide only 1010 gpm (which includes a recirculation flow of approximately 260 gpm). Thus, the maximum anticipated increase in feedwater flow resulting from a failure of the DAFAS such that auxiliary feedwater is actuated is only 750 gpm per AF pump.

This allows for a maximum capacity of 1500 gpm to be delivered to both steam generators resulting in a 3.6% increase of the nominal main feedwater system flow rate at 100% power.

As such, the consequences of an increase in feedwater flow accident initiated by the DAFAS are bounded by the existing UFSAR, Section 15.1.2, analysis results.

Removing the requirement of the DAFAS from the PVNGS licensing basis will allow for a lower probability of the occurrence of an increase in main feedwater flow event that could result from an inadvertent actuation of the DAFAS. This is a beneficial effect of the proposed exemption.

Table A.1-2 provides accident initiator frequency considerations regarding the transients initiated by frontline systems accident initiator category.

Table A.1-2: Accident Initiator Frequency Considerations for Transients Initiated by Frontline Systems

| Accident Initiator Frequency Considerations | Potential Effect? | More than Minimal Increase? |
|---|---|---|
| Changes in Maintenance/Training | Yes | No. With the proposed removal of the DAFAS from the licensing basis, allowing for the potential removal of the system, maintenance and training would no longer be required. Error precursors that might lead to an increase in the transients initiated by the frontline systems accident initiator category no longer exist in this scenario. |
| Changes in specific SSCs (e.g., installing a more reliable component) | Yes | No. With the removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS results in no increase to the transients initiated by frontline systems accident initiator category. |
| Changes in materials | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Equipment replacements to address age related degradation | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Changes in redundancy or diversity | Yes | No. With the removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS results in a minimal impact to redundancy and diversity. See Question #5. This does not result in an increase to the transients initiated by frontline systems accident initiator category. |
| Addition of equipment | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Changes in operating practices | Yes | No. The DAFAS is not relied upon in the PVNGS EOPs. The DAFAS is an automatic system and does not provide manual trip functionality. As such, there is no increase to the transients initiated by frontline systems accident initiator category. |

The second item identified to be affected is secondary system integrity loss. This accident initiator category was considered due to the design of the DAFAS and its role in providing auxiliary feedwater to the affected steam generator(s). The DAFAS is designed to automatically initiate auxiliary feedwater during conditions indicative of an ATWS event and steam generator low level conditions at or below 20.3% wide range level [Engineering Calculation, 13-JC-SG-0202, SG Wide Range Level Instrument (SGX-L-1113X & SGX-L-1123X) Uncertainty and Setpoint Calculation, Revision 12], for when AFAS does not actuate. The DAFAS will also reset the trip when steam generator level is restored to at or above 40.8% wide range level (Engineering Calculation, 13-JC-SG-0202, Revision 12). Auxiliary feedwater valve closure also occurs at 40.8% wide range level. A failure to secure auxiliary feedwater could lead to overfilling of one or both steam generators allowing the potential for liquid water to enter the main steam lines and compromise secondary system integrity. The qualitative likelihood of this scenario to occur is low as operators would have time to act and manually secure flow prior to a steam generator overfill event caused by a diverse auxiliary feedwater actuation.

PVNGS is protected from a steam generator overfill event by automatic actuation of a Main Steam Isolation Signal (MSIS) on high steam generator water level as required by Generic Letter (GL) 89-19, Request for Action Related to Resolution of Unresolved Safety Issue A-47, Safety Implication of Control Systems in LWR Nuclear Power Plants Pursuant to 10 CFR 50.54(f). A steam generator overfill event is considered and not expected to occur for multiple UFSAR Chapter 15 accident analyses including the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow. As such, this event is qualitatively bounded by the UFSAR, Section 15.1.2, accident analysis. Removing the requirement of the DAFAS from the PVNGS licensing basis will allow for a lower probability of the occurrence of secondary system integrity loss that could result from an inadvertent actuation of the DAFAS. This is a beneficial effect of the proposed exemption.

Table A.1-3 provides accident initiator frequency considerations regarding the secondary system integrity loss accident initiator category.

Table A.1-3: Accident Initiator Frequency Considerations for Secondary System Integrity Loss

| Accident Initiator Frequency Considerations | Potential Effect? | More than Minimal Increase? |
|---|---|---|
| Changes in Maintenance/Training | Yes | No. With the proposed removal of the DAFAS from the licensing basis, allowing for the potential removal of the system, maintenance and training would no longer be required. Error precursors that might lead to an increase in the secondary system integrity loss accident initiator category no longer exist. |
| Changes in specific SSCs (e.g., installing a more reliable component) | Yes | No. With the removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS results in no increase to the secondary system integrity loss accident initiator category. |
| Changes in materials | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Equipment replacements to address age related degradation | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Changes in redundancy or diversity | Yes | No. With the removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS results in a minimal impact to redundancy and diversity. This does not result in an increase to the secondary system integrity loss accident initiator category. |
| Addition of equipment | No | No. This consideration does not apply for the removal of the DAFAS from the licensing basis. |
| Changes in operating practices | Yes | No. The DAFAS is not relied upon in the PVNGS EOPs. The DAFAS is an automatic system and does not provide manual trip functionality. As such, there is no increase to the secondary system integrity loss accident initiator category. |

Removing the DAFAS from the PVNGS licensing basis will result in a lower probability of the occurrence of transients initiated by frontline systems and/or secondary system integrity loss.

The removal of the requirement of the DAFAS from the PVNGS licensing basis was determined to not present any increase in the frequency of occurrence of an accident initiator and there are no new accident initiators resulting from this change.

2. Does the issue result in more than a minimal decrease in the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a risk significant transient, accident, or natural hazard?

Response: No.

The DAFAS is designed to meet the intent of 10 CFR 50.62 and provides a diverse and independent method from the existing reactor protective system and AFAS to automatically initiate an auxiliary feedwater actuation during conditions indicative of an ATWS event and steam generator low level conditions, when the primary means of providing auxiliary feedwater fails to actuate. Removing the requirement of the DAFAS from the PVNGS licensing basis would result in an adverse impact in which there is zero availability for an automatic diverse auxiliary feedwater actuation if the conditions required for an actuation were present.

The equipment used in the design of the DAFAS is entirely diverse from the existing ESFAS aside from the steam generator level sensors and the final actuation devices, both of which are not required to be diverse in accordance with 10 CFR 50.62 (the ATWS Rule). Given that the final actuation devices (the cycling and subgroup relays used to control the pumps and valves in the auxiliary feedwater system) are shared between the DAFAS and the AFAS portion of the ESFAS, their availability to mitigate a plant transient will not be affected. By design, the AFAS initiation and actuation by the ESFAS and other options (such as operator action to provide feedwater flow) are unaffected by a potential DAFAS failure. These devices remain available to perform their safety-related design basis functions or complete time sensitive actions without the presence of the DAFAS and DAFAS-specific components.

The DAFAS is designed as a diverse and redundant input that is independent of the existing ESFAS initiation circuit. The absence of this system does not affect the existing AFAS-1 and AFAS-2 ability to actuate when plant conditions warrant an actuation. The AFAS function is accomplished using two diverse AF Pumps (turbine driven AFA-P01 and motor driven AFB-P01). A third AF pump (motor driven AFN-P01) does not receive an actuation signal from the DAFAS or AFAS and is manually started from the control room. The availability of these auxiliary feedwater pumps to be manually started is unaffected.

The potential for changes in operating practices or human performance was considered. The system only provides an automatic backup function with specific actuation criteria to support a beyond design basis ATWS event. The DAFAS does not provide for any operator ability to initiate a manual trip or actuation. Instead, the manual trip capability of the existing AFAS would be relied upon. Since there is no need for operator interaction with the system during an Anticipated Operational Occurrence (AOO), there are no changes to the existing operating practices or human performance requirements.

The applicable EOP for events in which auxiliary feedwater is relied upon was reviewed and verified to not interact with the DAFAS in any way (optimal recovery procedure, 40EP-9EO06, Loss of All Feedwater, Revision 22). Procedural guidance for control room operators is limited to the DAFAS alarm response procedure and bypass and bypass removal operations. The DAFAS alarm response is limited to verification of whether the alarms are valid and if there are errors present or if the DAFAS testing is being performed. Accordingly, there are no PRA time sensitive operator actions dependent on manipulation or interaction with the DAFAS.

Given the minimal risk significance of the DAFAS, its utilization of existing AFAS actuated devices, and the ability for operators to manually provide feedwater to the steam generators, removing DAFAS from the PVNGS licensing basis does not result in a more than minimal decrease in the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a transient, accident, or natural hazard.

Table A.1-4 outlines considerations for the availability, reliability, or capability of SSCs or personnel.

Table A.1-4: Availability, Reliability, or Capability Considerations

| Availability, Reliability, or Capability Considerations | Potential Effect? | More than Minimal Decrease? |
|---|---|---|
| Changes in maintenance, testing, training | Yes | No. With the proposed removal of the DAFAS from the licensing basis, allowing for the potential removal of the system, maintenance and training would no longer be required. |
| Changes in specific SSCs | Yes | No. With the proposed removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS does not affect the existing auxiliary feedwater system and associated components. The change in frequency to CDF and LERF resulting from this exemption request was found to be 5.0x10^-9/year for CDF and 1.4x10^-10/year for LERF. |
| Changes in materials | No | No. The removal of the DAFAS from the licensing basis does not present any changes in SSCs. |
| Equipment replacements to address age related degradation | No | No. The removal of the DAFAS from the licensing basis does not present any equipment replacements. |
| Changes in redundancy and diversity | Yes | No. With the removal of the DAFAS from the licensing basis, the DAFAS is no longer required. The potential removal of the DAFAS results in a minimal decrease to redundancy and diversity. See Question #5. This minimal decrease is supported by the findings in the probabilistic risk assessment for this exemption request. |
| Addition of equipment | No | No. The removal of the DAFAS from the licensing basis does not present any addition of equipment. |
| Strengthening of equipment | No | No. The removal of the DAFAS from the licensing basis does not present any strengthening of equipment. |
| Moving equipment | No | No. The removal of the DAFAS from the licensing basis does not require moving equipment. |
| Eliminating the need for recovery action | No | No. The removal of the DAFAS from the licensing basis does not present any changes to recovery actions. |
| Improving performance shaping factor related to human performance | Yes | No. With the proposed removal of the DAFAS from the licensing basis, allowing for the potential removal of the system, performance shaping factors related to human performance would no longer be required. |
| Changes in operating practices | Yes | No. With the proposed removal of the DAFAS from the licensing basis, allowing for the potential removal of the system, operating practices for the DAFAS would no longer be required (such as bypass and bypass removal). |

3. Does the issue result in more than a minimal increase in the consequences of a risk significant accident sequence?

Response: No.

Chapter 15 of the UFSAR does not include safety analyses for ATWS events. This means the DAFAS is not considered for any of the UFSAR Chapter 15 accidents.

Some considerations are made regarding risk significant accident sequences.

The UFSAR, Section 7.3.5.1.11, Inadvertent Actuation, and Section 7.3.5.4.2, DAFAS Inadvertent Actuation, detail inadvertent DAFAS actuation. Although unlikely, DAFAS has a postulated failure mode such that if an inadvertent actuation of the DAFAS were to occur, thus initiating auxiliary feedwater flow, an increase in feedwater flow to the steam generator secondary side could result. An increase in feedwater flow accident is defined in the UFSAR, Section 15.1.2, and removing the requirement of the DAFAS from the PVNGS licensing basis will result in a lower probability of the occurrence of an increase in main feedwater flow event. This is a beneficial effect of the proposed exemption.

Per the NRC guidance for applying RIPE, in addressing the definition of what constitutes a more than minimal increase in consequences, an increase of greater than 10 percent in dose for risk-significant sequences is used as the criterion. An increase of less than 10 percent in calculated consequence is small enough that it cannot be reasonably concluded that the consequences have changed. The limiting dose event in the UFSAR Chapter 15, Section 15.2.8, Feedwater System Pipe Breaks, was considered and qualitatively analyzed for any increase in dose given the role of the AFAS in the accident sequence.

Again, the UFSAR Chapter 15 accident analysis does not credit the DAFAS in any of these scenarios. It was determined that the DAFAS would not provide a meaningful role in this accident analysis given the presence of a MSIS caused by high containment pressure. Normally, the ESFAS will initiate an auxiliary feedwater lockout to the affected steam generator based on the delta in pressure between both steam generators. The DAFAS does not perform a delta pressure lockout function and instead is designed to be inhibited from providing auxiliary feedwater while an MSIS is present to avoid feeding the affected steam generator. As such, the dose considerations remain unchanged and are bounded by the feedwater system pipe break accident sequence in the UFSAR, Section 15.2.8.

Accident consequences are often quantified in terms of public dose; however, the proposed rulemaking for ATWS made clear that applicants or licensees are not required to calculate the potential offsite radiological doses resulting from an anticipated transient without scram event under § 100.11 of this chapter. This is based upon the following from the Statements of Consideration (46 FR 57524, dated November 24, 1981):

In formulating the proposed rule, the Commission has considered the need to compare for each plant the offsite doses that might result from ATWS events with 10 CFR Part 100 guidelines. Based on conservative generic calculations performed by the staff, there is reasonable assurance that calculated offsite doses from ATWS will be within the Part 100 dose guidelines if the acceptance criteria of the proposed rule are met.

Accordingly, the Commission has decided that applicants and licensees will not be required to calculate the potential offsite radiological doses resulting from an ATWS event under § 100.11.

The DAFAS was originally screened out from being included in the PVNGS PRA model based on its minimal risk significance as documented in engineering study, 13-NS-B096, At-Power PRA System Study for the ESF Actuation System, Revision 2. The system was screened out based on the following justification:

DAFAS circuitry and input to the AFAS actuation circuitry is not modeled.

DAFAS is a back up to the existing initiation circuit. The AFN-P01 pump does not receive an actuation signal from DAFAS or AFAS and is started from the control room. Since there are three AF pumps and an operator starts AFN-P01 or can locally start the AFA-P01 pump, the system is inherently reliable and operator action is the dominant risk for backup.

The same 2 out of 4 wide range steam generator level instruments that would provide a spurious initiation input to DAFAS would also generate a spurious AFAS. A spurious AFAS signal being present will prevent generation of a DAFAS signal. High output failure of 2 out of 4 pressurizer pressure signals would not result in a DAFAS without the additional failure of at least 2 out of 4 steam generator level signals, which would require at least four independent failures. Since the sensors are on different process types on different systems, they qualitatively screen out for common cause failure. Therefore, this contribution is insignificant.

Drawing SDOC N001-1306-00168, DAFAS System Cabling Diagram, Rev. 5 shows that all cabling connecting the instruments from the Foxboro cabinets to the DAFAS cabinets and from the DAFAS cabinets to the Auxiliary Relay Cabinets consists of fiber optic cable. Fiber optic cable is not susceptible to spurious hot shorts or grounds, so there is no impact from fire.

Thus, there is no additional failure mode for the DAFAS beyond what is already modeled for AFAS spurious actuation and failure to actuate.

DAFAS utilizes fiber optics to interface with safety related system cabinets such as the ESFAS auxiliary relay cabinets, the electronic isolation system cabinets, and the process protective cabinets. While fiber optic cable may be susceptible to damage and loss of signal resulting from fire, the fiber optics themselves cannot present an initiator to accident sequences caused by fire since they are not susceptible to spurious hot shorts or grounding conditions.

Given the above considerations, the removal of the DAFAS from the PVNGS licensing basis does not present a more than minimal increase in the consequences of a risk-significant accident sequence. This minimal risk significance is further supported via the PRA evaluation performed in support of the RIPE process in which the final delta in CDF and LERF if DAFAS were modeled in PRA was found to be 5.0x10^-9/year for CDF and 1.4x10^-10/year for LERF.

4. Does the issue result in more than a minimal decrease in the capability of a fission product barrier?

Response: No.

The PVNGS multiple fission product barriers are fuel cladding, RCS pressure boundary, and containment. Removal of the DAFAS from the licensing basis does not remove, reduce, or otherwise impact the existing PVNGS multiple fission product barriers.

Fuel Cladding:

Chapter 15 of the UFSAR does not include safety analyses for ATWS events. This means the DAFAS is not considered for any of the UFSAR Chapter 15 accidents and there is no licensing consideration for the potential for the DAFAS to damage fuel. The DAFAS has a postulated failure mode such that if an inadvertent actuation of the DAFAS were to occur, thus initiating auxiliary feedwater flow, an increase in feedwater flow to the steam generator secondary side could result.

An increase in main feedwater flow accident scenario combined with a single failure as defined in the UFSAR, Section 15.1.2, Increase in Main Feedwater Flow, is classified as an infrequent event, which may result in limited fuel cladding degradation. The consideration of fuel damage resulting from an increase in main feedwater flow accident scenario caused by the DAFAS is bounded by the evaluation in the UFSAR, Section 15.1.2. The maximum change in feedwater flow caused by the DAFAS would be less than a 4% increase relative to the nominal feedwater flow at 100% power. This small increase in flow is substantially bounded by the analyzed increase of 25% feedwater flow in the UFSAR, Section 15.1.2.

Removing the DAFAS from the PVNGS licensing basis will allow for a lower probability of the occurrence of an increase in main feedwater flow accident. This is a beneficial effect of the proposed exemption.

RCS Pressure:

Given the accident analysis for the UFSAR, Section 15.2.3, Loss of Condenser Vacuum, a maximum RCS pressure of 2745 psia occurs only seconds after the initiating events of a simultaneous loss of condenser vacuum, turbine trip, and main feedwater pump trip. The LOCV is the most limiting event in the UFSAR Chapter 15 for peak RCS pressure. The UFSAR, Table 15.2.3-1, Sequence of Events for the LOCV Primary Side Peak Pressure and Fuel Performance (DNBR) Event, defines the sequence of events in which maximum RCS pressure is reached in 9.6 seconds and an AFAS is credited to occur 62.9 seconds into the accident sequence. The AFAS does not occur until the plant begins to cool down and depressurize.

In certain transients, pressurizer safety valves (PSVs) are anticipated to lift and relieve into containment when RCS pressure exceeds the setpoint of the safety valves. A potential impact was considered for these safety valves and their role as a fission product barrier in the RCS pressure boundary. While the DAFAS is not analyzed in Chapter 15 of the UFSAR, by system design, a diverse auxiliary feedwater actuation will not occur until after peak RCS pressure is reached. This is because auxiliary feedwater will not be initiated until the steam generator levels decrease below their pre-determined setpoint, which would occur well after peak RCS pressure is reached. Since auxiliary feedwater does not directly minimize the postulated peak RCS pressure, there is no concern for an adverse impact to the capability of the RCS as a fission product barrier if the DAFAS were removed from the PVNGS licensing basis. Any accident scenario that results in lifting PSVs is already bounded by its peak RCS pressure, which is reached early in the transient.

The SPS also remains in place to provide a redundant trip of the reactor in the event of a high-high pressurizer pressure condition, consistent with the requirements of the ATWS Rule.

Containment:

The function of the containment building as a fission product barrier remains unchanged regarding the removal of the DAFAS from the PVNGS licensing basis.

Removing the DAFAS from the PVNGS licensing basis does not present an adverse impact on the capability of any fission product barrier.

The minimal impact to the capability of a fission product barrier is supported via the PRA evaluation performed in support of the RIPE process. This risk assessment concluded the final delta in CDF and LERF to be 5.0x10^-9/year for CDF and 1.4x10^-10/year for LERF. These values are below the NRC guidelines defining minimal risk significance as a contribution to CDF and LERF of less than 1x10^-7/year and 1x10^-8/year, respectively.

5. Does the issue result in more than a minimal decrease in defense-in-depth capability or safety margin?

Response: No.

By design and requirement from the ATWS Rule, the DAFAS is a defense-in-depth system which employs a diverse design to accomplish the function of providing auxiliary feedwater to the steam generators in the event of an ATWS event and low steam generator levels. Removing the requirement for the DAFAS from the PVNGS licensing basis was identified to have an adverse effect on defense-in-depth. Regardless of this adverse effect, the principles of defense-in-depth remain preserved such that the removal of the DAFAS from the PVNGS licensing basis does not result in a more than minimal decrease in defense-in-depth capability or safety margin.

Removing the DAFAS from the PVNGS licensing basis will not affect PVNGS compliance with the DSS and DTT portions of 10 CFR 50.62 (ATWS Rule). The existing SPS meets and exceeds the DSS requirements of the ATWS Rule. The SPS design consists of four safety-related instrument channels, each of which provides an input to two separate two-out-of-four, de-energize-to-actuate logic matrices.

Upon receipt of a high-high pressurizer pressure signal, the SPS will trip the reactor by opening the reactor trip circuit breakers and the motor generator (MG) set output contactors. Opening the MG set output contactors removes power from the control element assemblies (CEAs), causing a reactor scram.

The PVNGS DTT design is a control-grade system that senses CEDM power bus undervoltage. When the SPS causes a reactor scram, power is interrupted to the CEDM coils upstream of the control rod power bus undervoltage relays. The de-energizing of these undervoltage relays actuates the turbine trip circuitry. These systems ensure that a reactor trip and turbine trip will occur if conditions for an ATWS are present. The amount of redundancy and diversity across these systems provides a highly reliable source of protection from an ATWS.

In addition to these automatic systems, there remains the ability for the operator to manually initiate a reactor trip or auxiliary feedwater actuation. Plant-specific EOPs are generally based on CE emergency procedure guidelines and include appropriate actions for mitigating postulated ATWS events, as described in Section 15.3.9 of Supplement 6 (October 1984) of the original PVNGS safety evaluation report, NUREG-0857, Safety Evaluation Report related to the operation of Palo Verde Nuclear Generating Station, Units 1, 2, and 3.

The PVNGS Units 1, 2, and 3 are based on the CE System 80 plant design. As such, the units are equipped with a Plant Protection System (PPS) that maintains plant safety by continuously monitoring selected plant parameters and initiating appropriate protective action if any parameter indicates an unsafe condition. The PPS consists of three safety-grade systems: the RPS, ESFAS, and the SPS. The removal of the DAFAS from the PVNGS licensing basis will not affect these highly reliable systems or their defense-in-depth design features. Beyond the scope of initiating a reactor trip and/or actuating engineered safety features equipment, these three systems are pertinent to the prevention of and/or mitigation of postulated ATWS events. The design characteristics of each of these systems are provided below to demonstrate the means by which they continue to support the defense-in-depth philosophy and support the prevention and/or mitigation of ATWS events.

The RPS consists of sensors, calculators, logic, and other equipment necessary to monitor fifteen different nuclear steam supply system conditions and to effect reliable and rapid reactor shutdown (reactor trip) if any one or a combination of the monitored conditions approaches specified limiting safety system settings. Four measurement channels with electrical and physical separation are provided for each of the fifteen different trip parameters used in the direct generation of trip signals. A coincidence of two like trip signals is required to generate a reactor trip signal, providing redundant two-out-of-four logic. This trip logic is accomplished using bistable relay cards arranged in matrices such that every possible trip combination is accounted for across the four monitoring channels. These matrices are identified as AB, AC, AD, BC, BD, and CD coincidence logic matrices. If a coincidence matrix trip occurs, initiation circuits are de-energized to force initiation of an RPS trip with simultaneous trip indication and annunciation. A manual trip is also provided to permit the operators to trip the reactor.

The RPS is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to ensure that a predictable common failure mode does not exist. This analysis is documented in CENPD-148, Review of Reactor Shutdown System (PPS Design) for Common Mode Susceptibility.

Of the fifteen different RPS trip parameters, five are of particular interest for the purposes of this exemption request:

Parameter 3, High Local Power Density, UFSAR Section 7.2.1.1.1.3

Parameter 4, Low Departure from Nucleate Boiling Ratio, UFSAR Section 7.2.1.1.1.4

Parameter 5, High Pressurizer Pressure, UFSAR Section 7.2.1.1.1.5

Parameter 7, Low Steam Generator 1 Water Level, UFSAR Section 7.2.1.1.1.7

Parameter 8, Low Steam Generator 2 Water Level, UFSAR Section 7.2.1.1.1.7

The parameter 3 and parameter 4 trip functions are of particular interest in that they provide two digital trips associated with the RPS; both trips are generated by the RPS when the CPCs determine that the monitored parameter has reached a preset value. In the case of parameter 3, the CPCs calculate the peak LPD and compensate the calculated peak LPD to account for the thermal capacity of the fuel. For parameter 4, the calculation of DNBR is based on average power, reactor coolant pressure, reactor inlet temperature, reactor coolant flow, and the core power distribution. In both cases, the calculated trips are designed such that they occur before the LPD and DNBR safety limits are violated in the core.

The CPCs also have several trip functions that monitor parameters to limits other than Low DNBR or High LPD. These trip functions are called auxiliary trips and, if a trip is generated, the DNBR and LPD trip contact outputs are set. The digital nature of these trip inputs provides a diverse approach to initiating a reactor trip that stands apart from that of the analog voltage signals input to the remaining thirteen RPS trip parameters. This diverse design provides an extra layer of defense for the prevention of an ATWS event.

The parameter 5, 7, and 8 trip functions are of particular interest for this exemption request due to their role in the defense-in-depth discussion. Parameter 5 provides the RPS with a trip on high pressurizer pressure. This trip is relevant in the discussion of ATWS events since high pressurizer pressure is the same parameter that is monitored by the SPS, albeit with different field sensors. A normal high pressurizer pressure trip is designed to occur at a setpoint of less than or equal to 2383 psia. This setpoint is important in that the trip is designed to occur well before the SPS trip setpoint is reached, which occurs at less than or equal to 2409 psia. As such, any transient that rapidly increases pressurizer pressure is anticipated to cause a normal RPS trip on high pressurizer pressure before the SPS is relied upon for initiating a reactor trip. By nature, the high pressurizer pressure trip is, by means of redundancy, a layer of defense for the prevention of an ATWS event.

Parameters 7 and 8 provide the RPS with a trip on low steam generator level in steam generator #1 (SG1) and steam generator #2 (SG2), respectively. The low SG level trips are notable since the same parameters are monitored as an input for both the initiation of AFAS (parameters 18 and 19) and DAFAS. A low SG level trip is designed to occur with a trip setpoint of greater than or equal to 44.2% wide range level indication. An AFAS actuation is designed to occur when levels reach the setpoint of greater than or equal to 25.8% WR and a DAFAS would not be permitted until the level reaches an even lower setpoint of 20.3% WR.

The ESFAS consists of the sensors, bistables, initiation logic, and actuation logic that monitor selected plant parameters and provide an actuation signal to each individual actuated component in the ESF system if the plant parameters reach preselected setpoints. The ESFAS matrix logic is designed like the RPS matrix logic in that any two-out-of-four combination of channel trips will cause a coincidence matrix trip and will subsequently operate an initiation circuit that opens the initiation relays. The outputs of the initiation relays go to the ESFAS auxiliary relay cabinets where they create the selective two-out-of-four logic required for an ESFAS actuation. This logic propagates simultaneously and independently to both ESFAS auxiliary relay cabinets, generating both Train A and Train B signals.

Receipt of two selective initiation channel signals will de-energize the ESF subgroup relays, which generate the appropriate actuation channel signals.

AFAS-1 is the AF actuation signal applicable to SG1 while AFAS-2 applies to SG2, and both are responsible for actuating two trains of AF system equipment to support the critical safety function of providing heat removal from the primary system if plant conditions require auxiliary feedwater. The monitored input parameter for actuation of AFAS-1 and AFAS-2 (low SG level, parameters 18 and 19) is the same as that of RPS trip parameters 7 and 8. While the monitored input parameter is the same, entirely separate logic paths are utilized for the generation of trips or ESF actuation.

A final layer of redundancy is observed in the fact that independent circuits are provided for actuation to either SG. This design provides an extra layer of redundancy to ensure that even if one of the single-failure proof AFAS failed to operate, another single-failure proof circuit remains available to provide feedwater to at least one SG.

Like the RPS, the ESFAS is designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist.

The SPS is designed to augment reactor protection by utilizing a separate and diverse trip logic from the RPS for initiation of a reactor trip to satisfy the ATWS requirements of 10 CFR 50.62. The addition of the SPS provides a simple, reliable, yet diverse mechanism which is designed to increase the reliability of initiating a reactor trip. The SPS will initiate a reactor trip when pressurizer pressure exceeds a predetermined setpoint of less than or equal to 2409 psia. This trip is often referred to as high-high pressurizer pressure. The system is designed using four electrically and physically isolated SPLAs to allow for a selective two-out-of-four logic to open both the existing reactor trip switchgear as well as the MG Set load output contactors. The system exceeds 10 CFR 50.62 requirements since it is designed to conform to the same criteria as the PPS.

While still meeting the same design criteria, the SPS is designed to be an entirely diverse design with respect to the RPS with the following differences noted in the UFSAR, Section 7.2.5.2, Supplementary Protection System (SPS) Diversity to the Reactor Protection System (RPS):

Manufacturing Diversity - Different vendors were used which produced a different design, different system production techniques and different testing procedures.

System Part Diversity - The vendor used different components than the RPS and MIL Spec parts whenever possible.

Cabinet Diversity - The SPLA uses one cabinet per channel (4-channel system).

Electrical Diversity - Each SPLA channel is electrically isolated and separated from the others. There is no cross-channel communication between SPLA channels.

Initiation Logic Diversity - The RPS and SPS utilize different designs for initiation logic.

Sensor Diversity - The pressure transmitters used in the RPS and SPLA are produced by the same manufacturer and monitor pressurizer pressure via a common tap per channel. Based on 10 CFR 50.62 requirements, lack of diversity between sensors is satisfactory since the equipment from the sensor output to actuation devices in the SPLA remains diverse. Redundancy is still maintained in that the SPLA and RPS use physically separate sensors, which exceeds 10 CFR 50.62 requirements.

Power Supply Diversity - The SPLA uses a custom power supply while the RPS uses a commonly available power supply.

Human Factors Diversity - The SPLA cabinets are designed smaller and are physically separated from each other. Front panel controls are in different locations and are much fewer relative to RPS. Adjustment controls for the test and setpoint voltages are different and the SPLA front panel has fewer test points than the RPS.

To verify the high reliability of these systems, an operating experience review was performed for both the RPS and ESFAS regarding historical surveillance test performances. The dataset for this review includes a 15-year condition report history against the RPS/ESFAS cabinets and a 20-year performance history of the following procedures:

36ST-9SB04, PPS Functional Test - RPS/ESFAS Logic

36ST-9SB44, RPS Matrix Relays to Reactor Trip Response Time Test

36ST-9SB46, ESF Matrix Relays to Initiation Relays Response Time Test

The above surveillance tests were selected for review due to their specific intent of testing and initiating RPS and ESFAS trip and actuation logic. Both RPS and ESFAS logic are composed of relay cards sharing the same model number (Model: 33335) and provided by the same manufacturer (Electro-Mechanics Inc.). Failures associated with this common component could present an item of concern for the purposes of this exemption request. However, out of a total of 478 performances between the above procedures since 2000, there were zero failures identified for the relay cards to perform their intended function of initiating an RPS trip or ESFAS actuation upon demand.

Of the 478 performances, a total of 415 were completed in their entirety with satisfactory results. The remaining 63 performances documented minor equipment conditions that did not affect the ability of RPS or ESFAS to perform their intended functions. The condition report review identified 354 different condition reports generated against the RPS and ESFAS cabinets. Zero of the condition reports in this review were associated with a failure of the RPS or ESFAS to initiate a trip upon demand.

As previously demonstrated, the PPS and its associated subsystems comprise a highly redundant and diverse means of providing the plant with a reliable and safe shutdown. The reliability of the PPS is such that, throughout the operating history of all three units, the SPS or DAFAS have never been relied upon for the initiation of a reactor trip or feedwater actuation. The PPS provides a strong single-failure proof design with design elements that eliminate credible multiple channel failures originating from a common cause. The common mode failure susceptibility review is documented in CENPD-148, Review of Reactor Shutdown System (PPS Design) for Common Mode Susceptibility.

The systems employ fail-safe technology such that the associated relay logic for initiating trips and protective functions always actuates in a de-energized state. This ensures that, even upon a loss of power to the cabinets or upon failure of an actuation relay such as a shorted coil, the system will not fail to provide any trips or protective functions, always bringing the plant towards a stable, safe shutdown condition.

If a channel in these systems were to fail in such a way that a trip or initiation could not occur within that channel, the remaining three channels would still be capable of providing the logic required to initiate a trip or ESF actuation. The design of these systems provides thorough support of defense-in-depth for not only initiating automatic reactor trips but also for initiating the appropriate safety features such as AFAS-1 and AFAS-2 if conditions warranted.
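The two-out-of-four coincidence matrices, the de-energize-to-actuate behavior, and the tolerance of a single failed channel described above can be modeled in a short sketch. This is an added illustration, not part of the APS submittal or any plant software; the Channel class, function names, and sample pressures are hypothetical, and only the six matrix names and the 2383 psia setpoint come from the text.

```python
from dataclasses import dataclass
from itertools import combinations

# RPS high pressurizer pressure trip setpoint quoted in the text (<= 2383 psia).
# Treating the trip condition as "pressure >= setpoint" is a simplification.
RPS_HIGH_PZR_PRESSURE_PSIA = 2383.0


@dataclass
class Channel:
    """One measurement channel and its bistable relay (hypothetical model)."""
    pressure_psia: float
    powered: bool = True
    stuck_energized: bool = False  # failure mode: relay can never drop out

    def relay_energized(self, setpoint=RPS_HIGH_PZR_PRESSURE_PSIA):
        # De-energize-to-actuate: the relay holds in only while the channel
        # is powered AND the monitored parameter is below its setpoint.
        if self.stuck_energized:
            return True
        return self.powered and self.pressure_psia < setpoint


def channels_at(pressure_psia):
    """Four healthy channels A-D all reading the same constructed pressure."""
    return {name: Channel(pressure_psia) for name in "ABCD"}


def tripped_matrices(channels, setpoint=RPS_HIGH_PZR_PRESSURE_PSIA):
    """Return the pairwise matrices (AB, AC, AD, BC, BD, CD) that have tripped.

    A matrix trips only when BOTH of its channels' relays are de-energized.
    """
    dropped = {n for n, ch in channels.items() if not ch.relay_energized(setpoint)}
    return [a + b for a, b in combinations(sorted(channels), 2)
            if a in dropped and b in dropped]


def reactor_trip(channels, setpoint=RPS_HIGH_PZR_PRESSURE_PSIA):
    """Any one tripped coincidence matrix de-energizes the initiation circuits."""
    return len(tripped_matrices(channels, setpoint)) > 0


def scenarios():
    """Constructed cases: name -> (trip demanded?, tripped matrices)."""
    cases = {}

    normal = channels_at(2250.0)
    cases["normal"] = normal

    one_high = channels_at(2250.0)
    one_high["A"].pressure_psia = 2400.0          # single spurious channel
    cases["one_channel_high"] = one_high

    two_high = channels_at(2250.0)
    two_high["A"].pressure_psia = 2400.0
    two_high["C"].pressure_psia = 2400.0
    cases["two_channels_high"] = two_high

    stuck = channels_at(2400.0)                   # real overpressure
    stuck["D"].stuck_energized = True             # channel D cannot trip
    cases["one_channel_cannot_trip"] = stuck

    power_loss = channels_at(2250.0)              # normal pressure
    power_loss["A"].powered = False               # cabinets A and B lose power
    power_loss["B"].powered = False
    cases["power_lost_on_two_channels"] = power_loss

    return {name: (reactor_trip(ch), tripped_matrices(ch))
            for name, ch in cases.items()}


if __name__ == "__main__":
    for name, (trip, matrices) in scenarios().items():
        print(f"{name:28s} trip={trip!s:5s} matrices={matrices}")
```

The last case shows the conservative failure direction: losing power on two channels produces a trip at normal pressure, while a single channel that cannot trip still leaves three matrices (AB, AC, BC) able to act.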

The reliability of these systems, especially regarding ESFAS and auxiliary feedwater components, is also highlighted by their performance under 10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants. Both the ESFAS and AF system have zero Maintenance Rule Functional Failures (MRFFs) or 10 CFR 50.65 (a)(1) performance criteria issues over their respective monitoring periods. It should be noted that DAFAS is currently in (a)(1) monitoring for all three units due to exceeding its unavailability performance criteria. The unavailability criteria were exceeded due to various failures of obsolete components that required the system to remain in bypass while significant resources were expended to reverse engineer and dedicate suitable replacement components for use in the plant.

The RPS and SPS have nearly perfect maintenance rule performance over their respective monitoring periods except for Unit 2, RPS Channel C, which is currently in (a)(1) monitoring after an inadvertent actuation occurred because of a test equipment failure during RPS matrix logic testing. The condition that placed Unit 2, RPS Channel C, into (a)(1) monitoring is a demonstration of the system's design and propensity to fail in the conservative direction. The consequence from this condition was a safety system actuation that led to a reactor trip. The system's fail-safe design and ability to respond to transients via monitoring trip parameters was never compromised.

Regardless of the strength in design and excellent reliability characteristics of the ESFAS, the removal of the DAFAS from the PVNGS licensing basis does result in the elimination of a diverse means of automatic AF actuation to an affected steam generator. By nature of this fact, there is marginally higher reliance upon the ESFAS to automatically actuate AF. In the unlikely scenario that the ESFAS fails to initiate automatic action, there is then a higher reliance upon operators to manually provide feedwater, whether it is via manually actuating AFAS or by one of many diverse success paths, such as through the utilization of the AFN-P01 pump. While this is an increase in the potential need to rely on manual action, it does not present an increase in human performance error uncertainties. Since DAFAS provides no means for manual action, human performance is not directly affected by the removal of the DAFAS from the PVNGS licensing basis.

Human interaction regarding the ability to manually provide auxiliary feedwater is completely independent of the DAFAS. As such, the normal operator training and actions taken to respond to an accident condition or trip already encompass the means of manual action to provide feedwater to the SGs and do not need to be modified to ensure the appropriate operator response is performed. This statement is supported later in this response by a deterministic evaluation and simulator runs that were performed to demonstrate operators' response to accident conditions in which feedwater is lost.

A review of procedure 40DP-9ZZ04, Time Critical Action Program, was performed to ensure that removing the DAFAS from the licensing basis does not create an action that must be controlled under the time critical action (TCA) program. A TCA is a manual action or series of actions that must be completed within a specified time to meet the licensing basis of the plant. A change in the required completion time is a change to the TCA. It was determined that since the removal of the DAFAS does not affect any existing operator actions, the existing TCAs are not affected by this change.

The potential for new actions being generated, such as manual actuation of AFAS or any action to provide feedwater to a steam generator, was also considered.

Since the DAFAS is only an automatic system, current training and operating response procedures do not interface with this system. A review of emergency operating procedures 40EP-9EO01, Standard Post Trip Actions, 40EP-9EO06, Loss of All Feedwater, and 40EP-9EO09, Functional Recovery, confirms that operators do not interface with the DAFAS in any way during response to plant conditions that may require manual actuation of auxiliary feedwater. These procedures are constructed, and operators are trained on performing them, as if the DAFAS were not present.

Based on the complete diversity in which manual action is taken and the layers of diverse and redundant means in which auxiliary feedwater can be manually provided by operations, it was determined that existing operations training and response procedures are acceptable to meet plant needs during a transient requiring auxiliary feedwater. No new operator actions are warranted and as such, no new TCAs are needed.

Both a deterministic computer code engineering evaluation and PRA engineering evaluation were completed to ensure the risk significance of removing the DAFAS from the PVNGS licensing basis remains conservatively bounded by NRC guidelines.

For the purposes of providing a deterministic evaluation, the accident analysis provided in the UFSAR, Section 15.2.7, Loss of Normal Feedwater Flow, was selected to consider the potential impact of the DAFAS during which a failure to provide normal auxiliary feedwater occurs. A LONF accident sequence may be initiated by losing one or both main feedwater pumps or by a spurious signal being generated by the feedwater control system resulting in a closure of the feedwater control valves. The sequence of events in this postulated accident begins with a decreasing water level and increasing pressure and temperature in the steam generators. The RCS pressure and temperature also rise until a reactor trip occurs either due to low steam generator water level or high pressurizer pressure. The decrease in core heat rate after insertion of the CEAs in combination with the main steam safety valves opening restores the RCS to a new steady state condition.

Auxiliary feedwater flow occurs automatically on a low steam generator level, ensuring sufficient steam generator inventory for core decay heat removal. While this UFSAR Chapter 15 accident analysis was selected to support a deterministic evaluation on the impact of the DAFAS in an accident sequence, it does not credit the DAFAS. Additionally, the DAFAS is not credited in any other UFSAR Chapter 15 accident sequence. As such, the exemption request will not result in an adverse impact on the consequences of the UFSAR Chapter 15 accident sequences.

Even though the DAFAS is not modeled in any UFSAR Chapter 15 accident analysis, it may be considered that the DAFAS could support providing auxiliary feedwater if a LONF accident were to occur coincident with an ATWS scenario for which a failure to provide normal auxiliary feedwater occurs. The consequence of such an event would be high RCS pressure due to reduced heat removal through the steam generators and a DAFAS actuation could support mitigating this consequence. The DAFAS actuation is provided following an ATWS which is characterized as an AOO (such as loss of feedwater), coincident with a failure of the RPS to initiate a reactor trip. Failure of the RPS is indicated by a reactor trip initiated on high-high pressurizer pressure by the SPS. In the specific case of an ATWS event that requires auxiliary feedwater, removing the DAFAS from the PVNGS licensing basis was identified as an adverse impact on the consequences of an ATWS accident sequence.

A deterministic computer code engineering evaluation was performed to provide insight into the beyond design basis case of a LONF accident sequence occurring coincident with a trip on SPS high-high pressurizer pressure, no AFAS-1 and AFAS-2 occurring, and no DAFAS. The event was analyzed under two pairs of transients. This deterministic analysis began with a simultaneous loss of both main feedwater pumps as the initiating event. The deterministic results indicate that whether DAFAS is activated or not, the maximum RCS pressure is always reached early in the transient and is not affected by the timing of auxiliary feedwater reaching the steam generators.

In addition, RCS pressure during the deterministic computer code engineering evaluation remained well below the pressure limit corresponding to the ASME Boiler & Pressure Vessel Code Level C service limit criterion (approximately 3200 psi) that was originally very conservatively assumed by the ATWS Task Force in the original development of the ATWS rulemaking. The maximum RCS pressure (2624 psia) remained bounded by the most limiting case in the UFSAR Chapter 15, a LOCV combined with a single failure. In the LOCV case, the peak RCS pressure is documented to be 2745 psia, which is less than 110% (2750 psia) of the RCS design pressure (2500 psia). At PVNGS, 2750 psia is also the Technical Specification 2.1.2, Reactor Coolant System (RCS) Pressure [Safety Limit] SL.

The deterministic evaluation assumption of no automatic actuation of AFAS requires manual actuation of auxiliary feedwater. Provided auxiliary feedwater is initiated, the steam generators will have adequate inventory and continue to provide an adequate heat sink for the primary system. Deterministically assuming the lack of automatic actuation of AFAS, the lack of adequate steam generator inventory can be identified and responded to by operators using the appropriate EOPs. The SPTAs and EOPs ensure that each safety function is methodically addressed to ensure abnormalities are identified promptly. Operators are trained on the use of both SPTAs and EOPs.

For the assumed deterministic beyond design basis scenario, a lack of adequate steam generator inventory does not represent a condition indicating core damage.

The scenario was selected to provide information with regard to the PVNGS plant response, in support of the assessment of defense-in-depth for the exemption request, consistent with the RIPE process. In an actual lack of adequate steam generator inventory event, assuming the lack of automatic actuation of AFAS, operators can identify and respond using the appropriate EOPs. These procedures are designed to address postulated accident events as well as those events in which a diagnosis is not possible with the goal of placing the plant in a stable and safe condition.

In any accident scenario, including an ATWS event, operators will first address the plant's critical safety functions by performing 40EP-9EO01, Standard Post Trip Actions. The SPTAs are performed immediately following a reactor trip and provide operator actions, including immediate actions which must be completed and the diagnostic actions necessary to determine a preliminary diagnosis of an event. These actions include verification of the RCS Heat Removal critical safety function. If this function is not being met, the operator shall immediately begin taking action to restore and maintain level in at least one steam generator to 45-60% NR. The operator will accomplish this by utilizing any of the three AF pumps (AFA-P01, AFB-P01, or AFN-P01). These three pumps provide a rapid, reliable, and diverse means of restoring feedwater, and attempts to utilize these pumps for feedwater will be exhausted during performance of SPTAs before moving on to other recovery methods.

If plant conditions necessitate, the SPTAs will drive operators to diagnose the accident (e.g., a loss of all feedwater accident) and they will be directed to enter the appropriate optimal recovery procedure (e.g., 40EP-9EO06, Loss of All Feedwater) or if the accident cannot be diagnosed, the operator would then enter procedure 40EP-9EO09, Functional Recovery. The entry conditions for these procedures can vary and, depending on specific plant conditions and indications, either procedure may be entered by the operator at any time.

Procedure 40EP-9EO06 provides operator actions which must be accomplished in the event of a loss of all feedwater. The actions are necessary to ensure the plant is placed in a safe, stable condition. The goals of this procedure are to mitigate the effects of a LOAF, maintain the plant in hot standby (or hot shutdown), to establish shutdown cooling entry conditions while minimizing radiological releases to the environment, and to maintain adequate core cooling. Regarding methods of restoring feedwater, this procedure provides nine independent and diverse methods available for operators to restore feedwater to at least one steam generator. The available methods to restore feedwater to at least one steam generator are listed as follows and operation instructions are provided in each Appendix maintained under 40EP-9EO10, Standard Appendices.

Auxiliary Feedwater

o Appendix 38, Resetting AFA-P01

o Appendix 39, Local Operation of AFB-P01

o Appendix 40, Local Operation of AFA-P01 Using Main Steam

o Appendix 41, Local Operation of AFN-P01

o Appendix 42, Aligning Essential Aux Feedwater Pumps Suction to [Reactor Makeup Water Tank] RMWT

o Appendix 112, Manual Operation of AFA-P01 During a Security Event

Main Feedwater

o Appendix 43, Restarting [Main Feedwater Pumps] MFPs

Contingency Actions

o Appendix 44, Feeding with the Condensate Pumps

o Appendix 118, Cross-Connect [Fire Pump] FP to AF

If feed to at least one Steam Generator can NOT be restored, then go to 40EP-9EO09, Functional Recovery

Finally, 40EP-9EO09, Functional Recovery, provides operator actions for events in which a diagnosis is not possible, or for which an optimal recovery procedure is not sufficient. The actions of this procedure are necessary to ensure the plant is placed in a stable, safe condition. If deemed necessary, the operator may enter this procedure at any time.

The likelihood of a lack of adequate steam generator inventory scenario occurring, assuming the lack of automatic actuation of AFAS, is very low. In an ATWS event, it is anticipated that operators would identify the need to trip the plant prior to the SPS trip setpoint being reached, which occurred during simulator exercises with two operating crews. In the ATWS event, the SPS would initiate a trip should conditions warrant a high-high pressurizer trip. Upon receipt of or initiation of a reactor trip, operators would then immediately begin performing SPTAs (procedure 40EP-9EO01) to ensure the critical safety functions are met.

In support of this exemption request, simulator runs were performed for the postulated loss of feedwater event. The simulator scenario included the following simulator malfunctions:

  • Simultaneous overspeed trip of main feedwater pump (MFWP) Train A and Train B.
  • Malfunctions that prevented all automatic RPS trips.
      o The only automatic trip initiation available to the crew would be from the DSS/SPS - High RCS pressure trip at >2409 psia.
      o The reactor trip pushbuttons on Board 05 were not disabled and were available to manually trip the reactor.
  • Malfunctions that prevented an automatic AFAS.

Without advance knowledge of the scenario, two licensed operating crews successfully identified the need for and manually actuated auxiliary feedwater for a failure of automatic AFAS and DAFAS to operate, in the simulator. Both crews identified the transient and manually tripped the reactor after receiving a loss of both main feedwater pumps, prior to the expected automatic actuation of either RPS or SPS. Both operating crews consisted of three qualified Reactor Operators (ROs), a Control Room Supervisor (CRS), Shift Technical Adviser (STA), and Shift Manager (SM).

The first crew identified the transient and manually tripped the reactor only thirty seconds after receiving a loss of both main feedwater pumps. This manual trip was initiated prior to any two-out-of-four coincident trip logic being met. The SPTAs were entered and addressed the Reactivity Control safety function. After addressing this safety function, the Balance of Plant (BOP) RO recommended transitioning to the N Auxiliary Feedwater Pump. After the appropriate plant line-up to deliver auxiliary feedwater was achieved, the simulator was taken to freeze.

The need to manually provide auxiliary feedwater was identified and initiated after a total elapsed time of 3 minutes and 40 seconds. The lowest steam generator level observed during this simulator run was 18% WR.

The second crew also initiated a manual reactor trip only 25 seconds into the transient. After the reactor tripped, the crew entered SPTAs and the BOP Reactor Operator recommended transitioning to the N Auxiliary Feedwater Pump; the CRS concurred with the recommendation and continued with the SPTAs Reactivity Control safety function. As the BOP RO was aligning the AFN-P01 pump, they identified that the AFAS setpoint had been exceeded and manually initiated AFAS-1 and AFAS-2, all four channels, from the control room. Upon the full, manual actuation of AFAS, the simulator was taken to freeze. The total elapsed time to identify the need for and initiate auxiliary feedwater was 1 minute and 50 seconds. The lowest steam generator water level during the simulator run was 21.8% WR.

The simulator exercise demonstrated the adequacy of existing operator training and emergency procedures to promptly respond to rapidly changing plant conditions and readily identify the need to restore critical safety functions such as RCS Heat Removal. In both cases, the need to provide feedwater was quickly identified and feedwater was manually restored during the performance of the SPTAs. Additionally, these exercises demonstrate the diverse and redundant methods that operators can rely upon to deliver auxiliary feedwater to the steam generators. Given the operators' ability to respond to and address plant transients requiring restoration of feedwater via operator knowledge and the appropriate procedures, it is acceptable to credit manual actuation as an element in defense-in-depth.

Consistency with the defense-in-depth philosophy is maintained by following the seven defense-in-depth considerations provided in Regulatory Guide (RG) 1.174, Revision 3. Key Principle 2 states, "The proposed licensing basis change is consistent with the defense-in-depth philosophy." RG 1.174, Section C.2.1.1.2, provides considerations for evaluating the impact of the proposed licensing basis change on defense-in-depth.

This section addresses seven considerations that the NRC finds acceptable for a licensee to use to evaluate how the proposed licensing basis change impacts defense-in-depth. The seven defense-in-depth considerations and the PVNGS response to each are provided below.

Seven Defense-In-Depth Considerations (per RG 1.174, Revision 3):

1. Preserve a reasonable balance among the layers of defense.

The layers of defense include minimizing challenges to the plant, preventing any events from progressing to core damage, containing the radioactive source term, and emergency preparedness. The removal of the DAFAS from the licensing basis was determined to not impact the likelihood of an initiating event or plant conditions that the DAFAS was originally required by 10 CFR 50.62(c)(1) to mitigate. Also, in the event the accident sequence progresses to core damage, unavailability of the DAFAS does not negatively impact radioactive release mitigation nor emergency preparedness response.

The RPS, ESFAS, and SPS are unaffected by this change and are designed with adequate diversity, redundancy, and reliability for the prevention of and/or mitigation of an ATWS event. The AFAS and the ability to manually initiate auxiliary feedwater as a procedurally directed backup to AFAS are unaffected by removal of the DAFAS from the licensing basis. The ESFAS is a highly reliable two-out-of-four channel logic system which actuates two trains of auxiliary feedwater upon sensing field conditions that require either one or both AFAS-1 and AFAS-2 actuations. The third auxiliary feedwater pump, AFN-P01, remains available to be manually actuated.

The DAFAS provides diverse backup to AFAS, but based on core damage and large early release frequency results, the removal of the DAFAS from the licensing basis does not reduce the reliability of the AF system. As such, the reasonable balance among the layers of defense is preserved.

2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.

By design, the RPS, ESFAS, and SPS provide for adequate capability for reactor trips and automatic initiation of AF. Since both AFAS and DAFAS actuations are automatic, normal compensatory measures such as emergency operating procedures (for example, SPTAs or Loss of All Feedwater) remain unaffected by this exemption request. These procedures are appropriately designed to direct operators to place the plant in a safe and shutdown condition via manual actions that are entirely independent of the DAFAS. It is acknowledged that the removal of the DAFAS results in the loss of one means of automatic actuation and as such a minimal increase to the potential frequency of reliance on manual action.

In evaluating the risk associated with this exemption request, the change in CDF and LERF was determined to be orders of magnitude smaller than NRC guidelines. The negligible change in frequency indicates that the risk impact associated with this change is minimal and as such, would not result in an overreliance on programmatic activities. This is further supported by the high reliability and redundancy of the PPS design features to automatically actuate auxiliary feedwater. An overreliance on programmatic activities does not exist.

3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.

The proposed change does reduce the diversity, redundancy, and independence of a means of actuating auxiliary feedwater. The remaining redundant, independent, and diverse features within the ESFAS are preserved and sufficient given the expected frequency and challenges to the system.

These features include independence from offsite power, two actuation trains, two-out-of-four independent level sensing/transmitters and actuation logic all powered from four separate 125 Volt DC power channels.

The PRA evaluation calculates the challenge to the system redundancy, diversity, and independence of actuating auxiliary feedwater before and after the removal of the DAFAS. The results show that each of these design principles is preserved commensurate with the expected frequency and consequences of challenges to the actuation system. The PRA model and the PRA evaluation inherently consider uncertainty of the proposed change via a sensitivity risk calculation (i.e., the CDF and LERF before and after the DAFAS removal from the licensing basis) and through inclusion of parametric uncertainty of component failure probabilities. The uncertainties of the PRA model are unaffected by the removal of the DAFAS from the licensing basis.

The results of the risk analysis determine that the change in CDF and LERF for the case of removing DAFAS is orders of magnitude lower than NRC guidelines for determining minimal risk significance.

4. Preserve adequate defense against potential CCFs.

The RPS, ESFAS, and SPS are designed with adequate defense against potential common cause failures (CCFs). They are designed to eliminate credible multiple channel failures originating from a common cause. The failure modes of redundant channels and the conditions of operation that are common to them are analyzed to assure that a predictable common failure mode does not exist. This analysis is documented in CENPD-148, Review of Reactor Shutdown System (PPS Design) for Common Mode Susceptibility.

The AFAS portion of ESFAS and DAFAS share common sensors and output relays. The AFAS is designed with two independent actuation trains, each with two-out-of-four initiation logic. The PRA model includes the potential for common cause failure of AFAS channels. Adequate defense is also confirmed within the PRA model even with the common cause failure potential. The initiation logic including CCF for AFAS is included within the PRA model.

Additionally, PRA modeling for AF actuation only credits the automatic ESFAS actuation of AF in an ATWS. As such, the ability of operators to manually actuate AFAS or provide feedwater by means of a different manual action does not influence the conservative PRA results and further supports the ability to provide adequate defense against potential CCFs. Adequate defense against potential CCFs is preserved with the removal of the DAFAS from the PVNGS licensing basis.


5. Maintain multiple fission product barriers.

The PVNGS multiple fission product barriers are fuel cladding, RCS pressure boundary, and containment. Removal of the DAFAS from the licensing basis does not remove, reduce, or otherwise impact the existing PVNGS designed multiple fission product barriers.

6. Preserve sufficient defense against human errors.

The RPS, ESFAS, and SPS provide a redundant and automatic means for initiating reactor trips and actuation of AFAS-1 or AFAS-2, as necessary. The DAFAS is designed as a backup to AFAS should it fail to initiate the AF system under certain rule-based scenarios. It is acknowledged that removal of the DAFAS will result in a minor increase in the likelihood that manual action must be relied upon. While this likelihood is increased, human performance uncertainties are not directly affected by the removal of the DAFAS from the PVNGS licensing basis, since the DAFAS provides no means for manual action.

All human interaction regarding the ability to manually provide auxiliary feedwater is completely independent of the DAFAS.

Operating procedures used to place the plant in a safe and stable condition upon initiation of plant transient(s) are already constructed and trained on as if the DAFAS did not exist. As such, the normal operator training and actions taken to respond to an accident condition or trip already encompass every means of manual action to provide feedwater to the SGs and do not need to be modified to ensure the appropriate operator response is performed. Since no new operator actions outside of normal programmatic activities are required, removal of the DAFAS does not reduce any defense against human errors.

7. Continue to meet the intent of the plant's design criteria.

By nature of the exemption request, the design criteria associated with the DAFAS will not be met since it is to be removed from the licensing basis. Based on the design of RPS, ESFAS, SPS, and AF, the DAFAS performs a minimally significant role in mitigating an ATWS event. The RPS, ESFAS, SPS, and AF designs and functions are unaffected by the exemption request and continue to meet their associated general design criterion. Therefore, removal of the DAFAS from the licensing basis does not impact the ability to continue to meet the intent of the plant's design criteria.

Regulatory Guide 1.174, Revision 3, Key Principle 3 states:

The proposed licensing basis change maintains sufficient safety margins.

Further, Section 2.1.2, Safety Margin, of RG 1.174 states:

With sufficient safety margins, (1) the codes and standards or their alternatives approved for use by the NRC are met and (2) safety analysis acceptance criteria in the licensing basis (e.g., FSAR, supporting analyses) are met or proposed revisions provide sufficient margin to account for uncertainty in the analysis and data.

The PVNGS AF system is designed with required safety margin to provide sufficient feedwater to the steam generators to meet post-reactor trip decay heat removal requirements as required under the UFSAR Chapter 15 accident scenarios. The DAFAS is not credited in the UFSAR Chapter 15 accident analysis.

Codes and standards approved for use by the NRC and applicable to the AF system will continue to be met following removal of the DAFAS from the licensing basis. Since the DAFAS only provides a backup means of actuating a system already designed and built with sufficient safety margin and does not impact any other feature of the AF system, the AF system codes and standards and safety analysis acceptance criteria will continue to be met and its safety margins will remain sufficient and unchanged following removal of the DAFAS from the licensing basis.

The Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement published in the Federal Register (60FR42622, dated August 16, 1995) provides the following information and policy statement regarding the use of PRA to support the defense-in-depth philosophy:

In the defense-in-depth philosophy, the Commission recognizes that complete reliance for safety cannot be placed on any single element of the design, maintenance, or operation of a nuclear power plant. Thus, the expanded use of PRA technology will continue to support the NRC's defense-in-depth philosophy by allowing quantification of the levels of protection and by helping to identify and address weaknesses or overly conservative regulatory requirements applicable to the nuclear industry.

[Commission Policy Statement] (1) The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

The PRA evaluation further supports the deterministic evaluation results. This risk assessment documented in the PRA evaluation maintains technical adequacy by utilizing Revision 21 of the PVNGS Unit 1, 2, and 3 One Top Multi Hazard Model which was issued on July 4, 2020, addressing internal events, internal floods, internal fires, and seismic hazards. This PRA model addresses all the license conditions in the NRC's safety evaluation for license amendment 209 that authorized adoption of risk-informed completion times for PVNGS. The risk impact defined in this exemption request is based on the relative change in frequency associated with baseline CDF and LERF. Generally, items that are not risk-significant are those that contribute less than 1x10^-7/year and 1x10^-8/year for CDF and LERF, respectively.

The risk assessment in the PRA evaluation concluded the final delta in CDF and LERF to be 5.0x10^-9/year for CDF and 1.4x10^-10/year for LERF. This risk assessment reviewed the top 100 baseline and the DAFAS sensitivity CDF and LERF cutsets to ensure those cutsets were minimal and consistent with expectations. The top one hundred CDF and LERF cutsets for the baseline case and the DAFAS sensitivity case were identical. This was expected because of the negligible relative change in CDF and LERF between the base cases and the DAFAS sensitivity cases. The overall conclusion of this assessment is that removing the DAFAS is not risk significant.

Defense-in-depth is often characterized by varying layers of defense, each of which may represent conceptual attributes of nuclear power plant design and operation or tangible objects such as the physical barriers between fission products and the environment. The NRC implements defense-in-depth as four layers of defense that are a mixture of conceptual constructs and physical barriers (see NUREG/KM-0009 for further detail). For the purposes of RG 1.174, nuclear power plant defense-in-depth is taken to consist of layers of defense (i.e., successive measures) to protect the public:

  • Robust plant design to survive hazards and minimize challenges that could result in an event occurring
  • Prevention of a severe accident (core damage) if an event occurs
  • Containment of the source term if a severe accident occurs
  • Protection of the public from any releases of radioactive material (e.g., through siting in low-population areas and the ability to shelter or evacuate people, if necessary)

Given the deterministic evaluation, each of these layers of defense is preserved with minimal impact regarding the removal of the requirement of the DAFAS from the PVNGS licensing basis. The CE System 80 design of PVNGS Units 1, 2, and 3 is designed to survive hazards and minimize challenges that could result in an event occurring. The existing RPS provides two-out-of-four trip logic for 15 different parameters, most notably a high pressurizer pressure and low steam generator level trip that inherently provide redundant protection from an ATWS event. For low steam generator level, the redundant four-channel independency extends as far back as four level transmitters for each steam generator. The two channel ESFAS provides for redundant capability of AFAS-1 and AFAS-2 actuations by means of two-out-of-four logic (like that of the RPS) should plant conditions warrant them.

In the unlikely event that automatic actuation of either of the redundant ESFAS trains fails, there are numerous methods to manually initiate emergency auxiliary feedwater. These design features are independent of the two-out-of-four trip logic, and include manual actuation switches on both the operator's control board and at the auxiliary relay cabinets that house the ESFAS actuation relays. These switches open contacts in the initiation and actuation circuitry respectively, to provide a diverse means of achieving equipment actuation. The third auxiliary feedwater pump, AFN-P01, which is outside of the ESFAS design, provides the capability for direct supply of feedwater to the steam generators, in addition to the other means procedurally directed in emergency operating procedures. Finally, EOPs provide a substantial amount of diverse success paths for operators to use to obtain control of the plant and place it in a stable and safe condition.

In an ATWS scenario, the SPS remains in place to provide a redundant trip of the reactor in the event of a high-high pressurizer pressure condition, consistent with the requirements of the ATWS Rule. As described in the response to Question 1, removing the DAFAS from the PVNGS licensing basis does not present any increase to the frequency of an event occurring. All these design measures provide reasonable assurance for the prevention of a severe accident (core damage) if an event occurs. In addition to the design features, operator action has been demonstrated adequate in identifying the need for manual control to preserve the critical safety functions so that a severe accident can be prevented.

In addition to being able to rapidly identify the need for feedwater, operators have multiple solutions available to restore auxiliary feedwater provided in 40EP-9EO06, Loss of All Feedwater.

A severe accident has a very low likelihood of occurring given that the exemption request does not present any challenges to the existing fission product barriers of fuel cladding, RCS pressure boundary, and containment (See Question 4). If a severe accident were to occur and result in core damage, the containment building would remain unaffected and would continue to provide protection to the public from any releases of radioactive material. The deterministic approach to this exemption request supports the defense-in-depth philosophy with only a minimal decrease in defense-in-depth for removing the DAFAS from the PVNGS licensing basis. Multiple independent and redundant layers of defense are available to compensate for potential human and mechanical failures such that no single failure is exclusively relied upon to prevent an event or severe accident from occurring.

The PRA analysis reinforces the results of the deterministic evaluation with the final determination that the increase in CDF and LERF resulting from this change is orders of magnitude below the NRC guidelines of less than 1x10^-7/year and 1x10^-8/year for CDF and LERF, respectively. The advancements in PRA modeling since the mid-1980s provide for more competent risk-informed decision-making to support the defense-in-depth philosophy. Incorporating PRA technology into the evaluation is not only consistent with the NRC's policy statement, but results in a more informed representation of the impact of removing the DAFAS from the PVNGS licensing basis.

The minimal impact of this change to defense-in-depth and safety margin is supported by the remaining RPS, ESFAS and SPS designs, the PRA risk assessment in the PRA evaluation, and the deterministic evaluation supported by the deterministic computer code engineering evaluation. In conclusion, removing the requirement of the DAFAS from the PVNGS licensing basis does not result in more than minimal decrease in defense-in-depth capability or safety margin.

ATTACHMENT 2: Evaluation of Risk Significance

PRA Analysis

The Nuclear Energy Institute (NEI) has provided the following guidance on CDF and LERF thresholds for risk significance in technical report NEI 21-01, Industry Guidance to Support Implementation of NRC's Risk-Informed Process for Evaluations.

Generally, items that are not risk-significant are those that contribute less than 1 x 10^-7/year and 1 x 10^-8/year for CDF and LERF, respectively.

This risk assessment used these thresholds to characterize the quantitative risk impact of removing the DAFAS. The DAFAS was screened out from inclusion in the Palo Verde Nuclear Generating Station (PVNGS) Probabilistic Risk Assessment (PRA) model per Engineering Study 13-NS-B096, At-Power PRA System Study for the ESF Actuation System, Revision 2.

The DAFAS is a backup to the Engineered Safety Features Actuation System (ESFAS) Auxiliary Feedwater Actuation Signal (AFAS) for initiating Auxiliary Feedwater. The N Auxiliary Feedwater (AF) pump (AFN-P01) does not receive an actuation signal from the DAFAS or AFAS and is aligned and started from the control room. Since there are three independent and diverse AF pumps and an operator can remotely start AFN-P01 or can locally start the A Auxiliary Feedwater (AFA-P01) pump, system actuation (automatic or manual) is inherently reliable. Therefore, the quantitative analysis of removing the DAFAS was determined by performing a conservative PRA calculation that provided a bounding value for the maximum reduction in CDF and LERF that could be achieved if taking credit for the DAFAS in the PRA model.

This conservative bounding analysis was accomplished by setting the events associated with AFAS components to be perfectly reliable and available as a surrogate for adding the DAFAS to the PRA model. CDF and LERF were calculated by quantifying the model of record with the basic events that represent random and common cause failures of the AFAS components set to false via a flag file created for this evaluation.

These results are considered conservative because they do not include the potential for random failures of the DAFAS components. These results are also considered bounding because the scope of the AFAS actuations made perfectly reliable and available is not limited to those associated with a DAFAS actuation. Based on design, the DAFAS acts as a backup for only a subset of AFAS actuations in the PRA model, and a DAFAS actuation will only occur when the following conditions are met.

  • Supplementary Protection System (SPS) actuation on high pressurizer pressure
  • Steam Generator level of 20.3% Wide Range
  • No Auxiliary Feedwater Actuation Signal (AFAS) present
  • No Main Steam Isolation Signal (MSIS) present

It was concluded that the spatial hazards that would fail AFAS such as fire, internal flooding, and seismic would also fail the DAFAS. This is reasonable, because of the proximity of the DAFAS cabinets to the AFAS cabinets in the main control room (MCR) and the fact that AFAS and DAFAS get many of their input signals from a common source.

The PRA model used for the evaluation was Revision 21 issued on July 4, 2020. This PRA model includes internal events, internal floods, internal fires, and seismic hazards. The PRA model was quantified for this application using the default truncation limits demonstrated for convergence. This PRA model addresses all the license conditions in the NRC's safety evaluation for License Amendment 209 that authorized adoption of Risk-Informed Completion Times (RICT) for PVNGS, and the actions taken to meet those conditions. Also, Revision 21 of the PRA model is compliant with Revision 3 of Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities.

There have been no upgrades or new methods implemented in this model other than those addressed in the NRC RICT safety evaluation. There are no open finding level Facts and Observations impacting this PRA model. In addition, the open model impacts were reviewed and determined to have no significant impact on this analysis.

Consequently, there are no identified PRA model open issues which would substantially impact the results or conclusions of this analysis. Therefore, the technical adequacy and quality of the PRA model are acceptable for use in analyzing the risk impact of exemption requests made via the RIPE process.

A review of the PRA was performed to identify key assumptions and sources of uncertainty which would be significant for this DAFAS exemption risk assessment.

This review did not identify any key assumptions or sources of uncertainty that were applicable to the DAFAS exemption request. Therefore, no additional sensitivity studies for key assumptions or sources of uncertainty are required.

Revision 21 of the PRA model includes failures of AFAS initiation relays, matrix logic, sensors and steam generator level transmitters that result in failures of AF to provide flow to steam generators via an automatic actuation of class AF pumps and the valves necessary to provide a flow path from AF pumps to steam generators 1 and 2. The AFAS modeling also addresses common cause failures of the isolation relays failing to transfer. The Engineered Safety Features Actuation System (ESFAS) AFAS component failure rates are based on generic data. The ESFAS AFAS model is based upon a Combustion Engineering report CEN-327A, RPS/ESFAS Extended Test Internal Evaluation, CE Owners Group, May 1986.

Results and Conclusions:

An internal events calculation was performed to allow internal events cutsets that were truncated out in the PVNGS One Top Multi Hazard Model (OTMHM) CDF and LERF calculations to be identified. The purpose of this sensitivity calculation is to identify any unique internal event DAFAS-related core damage/large early release sequences potentially masked by higher likelihood external event and internal flood DAFAS-related core damage/large early release sequences. It was expected that the internal events quantification performed using truncation values of 2.0x10^-13 per year and 1.0x10^-14 per year for CDF and LERF would produce more internal events related CDF and LERF cutsets than the PVNGS OTMHM which was quantified at 1.0x10^-10 per year and 1.0x10^-11 per year. The default truncation values of 2.0x10^-13 per year for internal events CDF and 1.0x10^-14 per year for internal events LERF were used, because the truncation analysis documented in 13-NS-B067, At-Power Level 1 PRA Quantification, Revision 8, demonstrates that the PVNGS internal events CDF and LERF results converge at these truncation values.

A review was performed of the top one hundred baseline and the DAFAS sensitivity PVNGS OTMHM CDF and LERF cutsets to ensure those cutsets were minimal and consistent with expectations. The top one hundred PVNGS OTMHM CDF and LERF cutsets for the baseline case and the DAFAS sensitivity case were identical. This was expected because of the negligible relative change in CDF and LERF between the base cases and the DAFAS sensitivity cases.
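The bounding calculation and the truncation sensitivity described in this attachment can be sketched as follows. This is an added example, not APS's PRA model or tooling: the event names, probabilities, cutsets and the `NAME = FALSE` flag-file syntax are all constructed for illustration, and only the 1x10^-7/year CDF guideline is taken from the page.

```python
"""Toy cutset requantification: flag-file bounding sensitivity with truncation.

All event names, probabilities, cutsets and the flag-file syntax are
constructed for illustration; none come from the PVNGS PRA model.
"""
from math import fsum, prod

CDF_GUIDELINE = 1.0e-7  # per year, NEI 21-01 guideline quoted on the page

# Constructed basic events: initiator frequency (/year) and failure probabilities.
BASIC_EVENTS = {
    "IE-LOFW": 1.0e-1,         # initiating event: loss of feedwater
    "RPS-AUTO-FAIL": 1.0e-5,   # automatic reactor trip fails
    "AFAS-RELAY-CCF": 2.0e-5,  # common cause failure of AFAS relays
    "AFAS-XMTR-CCF": 5.0e-6,   # common cause failure of level transmitters
    "OP-MANUAL-AF": 1.0e-2,    # operators fail to start AF manually
    "AF-PUMPS-CCF": 1.0e-6,    # common cause failure of the AF pumps
}

# Constructed minimal cutsets leading to core damage.
CUTSETS = [
    frozenset({"IE-LOFW", "AF-PUMPS-CCF"}),
    frozenset({"IE-LOFW", "AFAS-RELAY-CCF", "OP-MANUAL-AF"}),
    frozenset({"IE-LOFW", "AFAS-XMTR-CCF", "OP-MANUAL-AF"}),
    frozenset({"IE-LOFW", "RPS-AUTO-FAIL", "AFAS-RELAY-CCF"}),
]

# Constructed flag file: AFAS failures made impossible, i.e. AFAS is treated as
# perfectly reliable as a surrogate for crediting a diverse backup.
FLAG_FILE = """\
* AFAS random and common cause failures set to FALSE
AFAS-RELAY-CCF = FALSE
AFAS-XMTR-CCF = FALSE
"""


def parse_flag_file(text, events):
    """Return {event: bool} from 'NAME = TRUE|FALSE' lines; '*' starts a comment."""
    flags = {}
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].strip()
        if not line:
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if value.upper() not in ("TRUE", "FALSE"):
            raise ValueError(f"bad flag line: {raw!r}")
        if name not in events:
            # A misspelt name would silently leave the event active and
            # understate the delta, so reject it instead of ignoring it.
            raise KeyError(f"flag names unknown basic event: {name}")
        flags[name] = value.upper() == "TRUE"
    return flags


def apply_flags(cutsets, flags):
    """A FALSE event removes its cutsets; a TRUE event is dropped from them."""
    reduced = set()
    for cutset in cutsets:
        if any(flags.get(event) is False for event in cutset):
            continue
        reduced.add(frozenset(e for e in cutset if flags.get(e) is not True))
    # Dropping TRUE events can leave supersets behind; keep minimal cutsets only.
    return [c for c in reduced if not any(other < c for other in reduced)]


def quantify(cutsets, events, truncation=0.0):
    """Rare-event approximation: sum of cutset products at or above truncation."""
    products = (prod(events[e] for e in cutset) for cutset in cutsets)
    return fsum(p for p in products if p >= truncation)


def bounding_delta(cutsets, events, flag_text, truncation=0.0):
    """Return (baseline, sensitivity, delta) frequencies per year."""
    flags = parse_flag_file(flag_text, events)
    baseline = quantify(cutsets, events, truncation)
    sensitivity = quantify(apply_flags(cutsets, flags), events, truncation)
    return baseline, sensitivity, baseline - sensitivity


def below_guideline(delta, guideline=CDF_GUIDELINE):
    """Screen the bounding delta against the risk-significance guideline."""
    return delta < guideline


if __name__ == "__main__":
    for limit in (1.0e-10, 1.0e-13):
        base, sens, delta = bounding_delta(CUTSETS, BASIC_EVENTS, FLAG_FILE, limit)
        print(f"truncation {limit:.0e}: baseline {base:.4e}, "
              f"sensitivity {sens:.4e}, delta {delta:.4e}, "
              f"below guideline: {below_guideline(delta)}")
```

With the coarser truncation limit, the 2x10^-11/year cutset is discarded before it can contribute to the delta, which is the masking effect the lower-truncation internal events run is meant to expose.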

The results of the quantitative analysis associated with removing the DAFAS are provided in Table A.2-1.

Table A.2-1: Quantification Results

| Case | Core Damage Frequency (CDF) | Large Early Release Frequency (LERF) |
|---|---|---|
| PVNGS OTMHM | | |
| PVNGS Baseline | 5.5x10^-5/year | 9.5x10^-6/year |
| PVNGS DAFAS Sensitivity | 5.5x10^-5/year | 9.5x10^-6/year |
| Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 3.2x10^-9/year | 5.9x10^-11/year |
| PVNGS Internal Events | | |
| PVNGS Internal Events | 2.9x10^-6/year | 1.4x10^-7/year |
| PVNGS Internal Events DAFAS Sensitivity | 2.9x10^-6/year | 1.4x10^-7/year |
| Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 1.8x10^-9/year | 8.2x10^-11/year |
| Overall | | |
| Total Delta CDF and LERF (i.e., maximum risk increase with DAFAS removed) | 5.0x10^-9/year | 1.4x10^-10/year |
| NEI 21-01 RIPE Acceptance Guidelines | < 1.0x10^-7/year | < 1.0x10^-8/year |

The total delta CDF (5.0x10^-9/year) and the total delta LERF (1.4x10^-10/year) associated with removing the DAFAS are below the thresholds for risk significance provided in NEI 21-01.

The cumulative risk impact associated with this exemption request is provided below in Table A.2-2. The results indicate the cumulative risks remain within the acceptance guidelines established in Regulatory Guide 1.174.

Table A.2-2: Cumulative Risk

| | Core Damage Frequency (CDF) | Large Early Release Frequency (LERF) |
|---|---|---|
| Total Risk without credit for DAFAS | 5.5x10^-5/year | 9.5x10^-6/year |
| NRC RG 1.174 Acceptance Guideline | < 1.0x10^-4/year | < 1.0x10^-5/year |

The overall conclusion of this risk assessment is that removing the DAFAS is not risk significant. This conclusion is supported by the quantification results provided above in Table A.2-1, which indicate that the risk impact of removing the DAFAS is a 5.0x10^-9/year increase in CDF and a 1.4x10^-10/year increase in LERF. Therefore, the risk associated with the request to remove the DAFAS is not risk significant per the guidance provided in Section 4 of NEI 21-01. Based on the minimal risk impact of the removal of the DAFAS, no risk management actions are required to offset the risk increase.

Enclosure Attachment 3 Request for Exemption from Certain Requirements in 10 CFR 50.62(c)(1) using Risk-Informed Process for Evaluations 1

ATTACHMENT 3:

Integrated Decision-Making Panel (IDP) Evaluation Results

Integrated Decision-Making Panel (IDP) Meeting R-21-01 Risk-Informed Process for Evaluations (RIPE)

September 30, 2021

Verification of Quorum

Members:

Jared Schank - Chair, Operations
Katy Gil - System Engineering
Jill Anderson - Design Engineering
Mike Cymbor - PRA
Kelly Geiszler - Safety Analysis
Carl Stephenson - Licensing
Melissa Cole - IDP Coordinator

Presenters:

Michael Nachman - Engineering
Gary Chung - PRA

Other:

Tom Weber, APS
Jim Hickey, NRC
Justin Dotson, APS
Ming Li, NRC
Tom Hook, APS
Michelle Kichline, NRC
Mark Hulet, APS
Siva Lingam, NRC
David A Medek, APS
Chang Li, NRC
Matthew Cox, APS
Charley Peabody, NRC
Nicholas Jackson, APS
Jonathan Evans, NRC
Patrick Bozym, APS
Norbert Carte, NRC
Sarah Kane, APS
David Rahn, NRC
Justin Hixson, APS
Antonios Zoulis, NRC
Eric Frusti, APS
Richard Stattel, NRC
Michael Dilorenzo, APS
Michael Waters, NRC
Robert Chu, APS
Bo Pham, NRC
Nawaporn Aaronscooke, APS
Meena Khanna, NRC
MAUER, Andrew, NEI
Robert Beaton, NRC
Brett TITUS, NEI
Jennifer Dixon-Herrity, NRC
Tim Reed, NRC
John Hughey, NRC

Minutes recorded by: Melissa Cole

I. The IDP assembled and the meeting convened at 9:00 AM virtually via Microsoft Teams.

II. AGENDA

a. Opening Remarks - Tom Weber
b. Quorum & Training Verification - Melissa Cole
c. IDP Briefing - Jared Schank
d. Issue Presentation - Mike Nachman and Gary Chung
e. IDP Discussion
f. IDP Recommendations and Comments
g. IDP Vote
h. Action Item Review - Melissa Cole
i. Closing Remarks - Tom Weber
j. Meeting Adjournment

III. IDP MEETING

This Risk-Informed Process for Evaluations (RIPE) Integrated Decision-Making Panel (IDP) Meeting will explore the issue of removing the requirement of the Diverse Auxiliary Feedwater Actuation System (DAFAS) from the licensing basis.

Tom Weber provided opening remarks.

Quorum and training qualifications were verified by Melissa Cole. Jared Schank (Chair) conducted a pre-job brief for the IDP members and highlighted the scope and responsibilities for the meeting.

Michael Nachman and Gary Chung presented the key conclusions from their evaluation of the issue.

Key conclusions include:

1. Section 4.1 Responses
a. Question 1 - Does the issue result in an adverse impact on the frequency of occurrence of an accident initiator or result in a new accident initiator? NO. Removing the requirement of the DAFAS from the Palo Verde Nuclear Generating Station (PVNGS) licensing basis will allow for a lower probability of the occurrence of accidents initiated by inadvertent operation of the system. This is a beneficial effect of the proposed exemption. No new accident initiators were identified.
b. Question 2 - Does the issue result in an adverse impact on the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a transient, accident, or natural hazard? YES. The issue of removing the requirement of the DAFAS from the PVNGS licensing basis does result in an adverse impact in that there is zero availability for a diverse auxiliary feedwater actuation if the conditions (ATWS combined with low steam generator level) required for an actuation were present.
c. Question 3 - Does the issue result in an adverse impact on the consequences of an accident sequence? YES. An ATWS is characterized as an Anticipated Operational Occurrence (such as loss of main feedwater), coincident with a failure of the RPS to initiate a reactor trip. Failure of the RPS is indicated by a reactor trip initiated on high-high pressurizer pressure by the SPS. In the specific case of an ATWS event that requires auxiliary feedwater (i.e., AFAS did not actuate), removing the requirement of the DAFAS from the PVNGS licensing basis is an adverse impact to this ATWS accident sequence.
d. Question 4 - Does the issue result in an adverse impact on the capability of a fission product barrier? NO. The PVNGS multiple fission product barriers are fuel cladding, RCS pressure boundary, and containment. Removal of the DAFAS from the licensing basis does not remove, reduce, or otherwise impact the existing PVNGS multiple fission product barriers.
e. Question 5 - Does the issue result in an adverse impact on defense-in-depth capability or impact in safety margin? YES. By design and requirement from the 10 CFR 50.62, ATWS Rule, the DAFAS is a defense-in-depth system which employs a diverse design to accomplish the function of providing auxiliary feedwater to the steam generators in the event of an ATWS event and low steam generator levels. As such, the proposed issue of removing the requirement of the DAFAS from the PVNGS licensing basis presents an adverse impact to defense-in-depth.
2. Section 4.2 Responses
a. Question 1 - Does the issue result in more than minimal increase in the frequency of occurrence of an accident initiator or result in a new accident initiator? NO. DAFAS, by design, currently presents two accident initiators:

- Transients initiated by frontline systems (increase in feedwater flow)
- Secondary system integrity loss (overfilling of steam generators)

Both accident initiators see a decrease in the likelihood of occurrence.

The issue of removing the DAFAS from the PVNGS licensing basis will result in a lower probability of the occurrence of transients initiated by frontline systems and/or secondary system integrity loss. This is a benefit of the proposed exemption. No new accident initiators identified.

b. Question 2 - Does the issue result in more than minimal decrease in the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a transient, accident, or natural hazard? NO. Given the minimal risk significance of the DAFAS, its utilization of existing AFAS actuated devices, and the ability for operators to manually provide feedwater to the steam generators, the issue does not result in a more than minimal decrease in the availability, reliability, or capability of SSCs or personnel relied upon to mitigate a transient, accident, or natural hazard.
c. Question 3 - Does the issue result in more than minimal increase in the consequences of a risk significant accident sequence? NO. The UFSAR Chapter 15 does not include safety analyses for ATWS events. This means the DAFAS is not considered for any UFSAR Chapter 15 accidents. Licensees were not required to calculate the potential offsite radiological doses resulting from an ATWS.

Considerations were made for increase in feedwater flow accident and PVNGS limiting dose event in the UFSAR, Section 15.2.8, Feedwater System Pipe Breaks.

- Decrease in likelihood of Increase in Feedwater flow accident (Benefit)
- DAFAS has no impact to PVNGS limiting dose event in the UFSAR, Section 15.2.8.

d. Question 4 - Does the issue result in more than minimal decrease in the capability of a fission product barrier? NO. The PVNGS multiple fission product barriers are fuel cladding, RCS pressure boundary, and containment. Removal of the DAFAS from the licensing basis does not remove, reduce, or otherwise impact the existing PVNGS multiple fission product barriers.

- Fuel Cladding - Beneficial effect (lower probability of increase in feedwater flow event)
- RCS - Peak RCS pressure in most limiting accident is not affected by the DAFAS
- Containment - The function of the containment building as a fission product barrier remains unchanged

e. Question 5 - Does the issue result in more than minimal decrease in defense-in-depth capability or safety margin? NO. The proposed issue of removing the requirement for DAFAS from the PVNGS licensing basis was identified to have an adverse effect on defense-in-depth. Regardless of this adverse effect, the principles of defense-in-depth remain preserved such that this issue does not result in a more than minimal decrease in defense-in-depth capability or safety margin.

- PVNGS System 80 design by Combustion Engineering
- Deterministic Evaluation provided by Nuclear Fuel Management
- Simulator Run with Operations Crew for ATWS accident and no DAFAS
- Risk Analysis provided by PRA Engineering

3. Risk Assessment

A plant specific risk assessment was conducted:

a. DAFAS within scope of Palo Verde PRA

- DAFAS function is to actuate Auxiliary Feedwater if Engineered Safety Features Actuation System (ESFAS) Auxiliary Feedwater Actuation Signal (AFAS) fails
- AFAS is a highly reliable, two-out-of-four channel actuation system
- DAFAS determined to have minimal benefit in ensuring Auxiliary Feedwater actuated
- Therefore, DAFAS was screened from the PRA model
- This screening was included in the PRA model documentation and peer reviewed

b. Bounding surrogates used for the relative change in risk

- Use of a bounding surrogate is acceptable under NEI 21-01
- Surrogate used to model DAFAS
- Surrogate sets failure probability of AFAS = zero (i.e., AFAS/DAFAS failure including common-cause failure probability = 0.0)

c. The PRA model used reflected the following:

- Scope includes internal events, internal flooding, internal fire and seismic PRA models
- Other External Hazards screened out
- Addressed all NRC license conditions from the 10 CFR 50.69 and Risk-Informed Completion Time (RICT) License Amendments
- No open finding-level Facts and Observations (F&Os)
- No newly developed methods
- No key assumptions or sources of uncertainty that were applicable to the DAFAS exemption request
- PRA model fully compliant with NRC RG 1.200, Revision 3

d. Risk Results (Prior to IDP comment incorporation)

| Case | CDF | LERF |
|---|---|---|
| PVNGS Baseline (AFAS only) | 5.5x10^-5/year | 9.5x10^-6/year |
| PVNGS DAFAS Sensitivity (AFAS/DAFAS failure = 0.0) | 5.5x10^-5/year | 9.5x10^-6/year |
| Increase in Risk between Baseline & DAFAS Sensitivity | 3.2x10^-9/year | 5.9x10^-11/year |

- NEI 21-01 Acceptance Guidelines for risk increase met (delta CDF <1E-7/yr; delta LERF <1E-8/yr)
- NRC RG 1.174 Acceptance Guidelines for cumulative risk are met (CDF <1E-4/yr; LERF <1E-5/yr)
- No risk management actions are required to offset the risk
- Therefore, removing DAFAS from the licensing basis is not risk-significant and has a negligible impact on nuclear safety

After the key conclusions of the issue evaluation were presented, IDP discussion took place.

Schank questioned the timing of the lack of adequate steam generator inventory in 10 minutes and if a new time critical action was being created. An action was taken to complete an impact review of the time critical action program.

Gil brought up the perspective of AFAS being highly reliable and asked if there are any numbers or statistics in the PRA model that support that and also discuss the probability of failure for both human elements and equipment. Bozym (PRA) added that the failure rates are very low for the individual components and that is based on industry and plant-specific data. Our specific plant performance combined with industry data is used to calculate the failure rates. Gil asked how sensitive is this risk analysis to any type of updates to the failure rates? Chung discussed the method of doing a delta risk calculation looking at both scenarios with and without AFAS. Hook added that because of the low delta risk, it was determined that the sensitivity studies were not necessary because of the orders of magnitude lower risk results. PRA does not see any sensitivity analysis pushing the results up to the NEI acceptance criteria.

Cymbor elaborated by discussing that the PRA is a combination of a lot of inputs and there is a way to estimate the probability of failure for an entire gate, as a subset of a tree. He looked at AFAS-1 fail-to-actuate and determined a very low result for probability of aggregate failure. Gil recommended adding the discussion to the RIPE document about why there is no sensitivity analysis performed for AFAS. The RIPE IDP Package was displayed to page through each section and document specific IDP comments. Several enhancements were noted throughout.

Qualitative considerations were discussed and Nachman acknowledged the comments to expand this section of the document and provide more detail, particularly on those items that do not apply to the issue of removing DAFAS.

On the PRA assessment analysis, some enhancement items were captured to ensure assumptions are clearly stated. Actions were taken by PRA to perform a sensitivity study using the internal events model and to add a discussion about the truncation level used in the model.

During review of the deterministic computer code runs of the Loss of Normal Feedwater event with and without the Diverse Auxiliary Feedwater Actuation Signal (DAFAS) system, some enhancement items were captured to ensure assumptions are clearly stated.

Stephenson commented on the application planned to be submitted to the NRC and satisfying the underlying purpose of the 10 CFR 50.12 rule. He made recommendations to add detailed performance history of associated systems that we will be relying on if DAFAS is removed.

IV. ACTION ITEMS

1. 21-03084-009 - Incorporate IDP comments and send out the comment resolutions to confirm acceptability of the changes.
2. 21-03084-006 - Assess the time critical action program to determine any impacts from this issue.
3. 21-03084-007 - PRA to document the truncation levels used for the One Top Model.
4. 21-03084-008 - PRA to perform a sensitivity analysis using the internal events model at a lower truncation limit to identify the delta cutsets and validate those cutsets are minimal and appropriate.

[Section 4.7 of this enclosure provides a summary of the changes based on the IDP comments]

V. IDP VOTE

Motion from Katy Gil and seconded by Carl Stephenson to approve the final characterization of the issue as having a minimal safety impact pending comment resolution.

Quorum members:

Jared Schank - APPROVE
Katy Gil - APPROVE
Jill Anderson - APPROVE
Mike Cymbor - APPROVE
Kelly Geiszler - APPROVE
Carl Stephenson - APPROVE

VI. MEETING ADJOURNMENT

Tom Weber provided closing remarks and Melissa Cole adjourned the meeting.