Supplement to License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - Ritstf

ML22118A496
Person / Time
Site:	Sequoyah
Issue date:	04/28/2022
From:	Jim Barstow Tennessee Valley Authority
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
CNL-22-023, EPID L-2021-LLA-0145
Download: ML22118A496 (87)
v • d • e

Text

10 CFR 50.90 1101 Market Street, Chattanooga, Tennessee 37402 CNL-22-023 April 28, 2022 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001 Sequoyah Nuclear Plant, Units 1 and 2 Renewed Facility Operating License Nos. DPR-77 and DPR-79 NRC Docket Nos. 50-327 and 50-328

Subject:

Supplement to License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times -

RITSTF Initiative 4b (SQN-TS-20-03) EPID L-2021-LLA-0145

References:

1. TVA Letter to NRC, CNL-21-026, License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, (SQN-TS-20-03), dated August 5, 2021 (ML21217A174) 2.

NRC electronic mail to TVA, RE: Sequoyah TSTF-505 LAR Supplemental Information, dated March 22, 2022 In Reference 1, Tennessee Valley Authority (TVA) requested an amendment to the Sequoyah Nuclear Plant (SQN), Units 1 and 2 Renewed Facility Operating License Nos.

DPR-77 and DPR-79. The proposed amendment would modify Technical Specifications (TS) requirements to permit the use of Risk-Informed Completion Times in accordance with TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF

[Risk-Informed TSTF] Initiative 4b.

In Reference 2, the Nuclear Regulatory Commission (NRC) agreed with TVAs proposal to supplement the license amendment request (LAR) in Reference 1 to address several of the NRC staffs questions posed during the January 2022 regulatory audit that was held in support of the LAR review. Enclosure 1 provides TVAs response to a selection of the NRC staffs regulatory audit questions. Enclosure 2 provides certain modifications to the Reference 1 LAR resulting from audit question responses.

U.S. Nuclear Regulatory Commission CNL-22-023 Page 2 April 28, 2022 This letter does not change the no significant hazard considerations or the environmental considerations contained in Reference 1. Additionally, in accordance with 10 CFR 50.91(b)(1), TVA is sending a copy of this letter and the enclosures to the Tennessee Department of Environment and Conservation.

There are no regulatory commitments contained in this submittal.

Please address any questions regarding this submittal to Stuart L. Rymer, Senior Manager, Fleet Licensing, at slrymer@tva.gov.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 28th day of April 2022.

Respectfully, James Barstow Vice President, Nuclear Regulatory Affairs and Support Services

Enclosures:

1.

Response to Selected Audit Questions 2.

Modifications to the License Amendment Request cc (w/Enclosures):

NRC Regional Administrator - Region II NRC Senior Resident Inspector - Sequoyah Nuclear Plant NRC Project Manager - Sequoyah Nuclear Plant Director, Division of Radiological Health - Tennessee State Department of Environment and Conservation Digitally signed by Rearden, Pamela S

Date: 2022.04.28 12:45:22 -04'00'

CNL-22-023 Response to Selected Audit Questions

CNL-22-023 E1-2 of 65 Response to Selected Audit Questions Note: The Nuclear Regulatory Commission (NRC) staffs questions are in italics throughout this enclosure. The Tennessee Valley Authority (TVA) responses are in unitalicized font.

PRA Licensing Branch A (APLA) Audit Questions - Internal Events PRA and RICT Implementation Regulatory Guide (RG) 1.174, Revision 3, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis (ADAMS Accession No. ML17317A256), states that the scope, level of detail, and technical adequacy of the probabilistic risk assessment (PRA) are to be commensurate with the application for which it is intended and the role the PRA results play in the integrated decision process. The NRCs SE for Nuclear Energy Institute (NEI) Topical Report NEI 06-09, Revision 0-A, Risk-Informed Technical Specifications Initiative 4b, Risk-Managed Technical Specifications (RMTS) Guidelines, Industry Guidance Document, dated November 6, 2006 (ADAMS Package Accession No. ML122860402)

(hereafter NEI 06-09-A), and the NRCs Final Safety Evaluation for NEI 06-09-A, dated May 17, 2007 (ADAMS Accession No. ML071200238), state that the PRA models should conform to the guidance in RG 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities. The current version is RG 1.200, Revision 2 (ADAMS Accession No. ML090410014), which clarifies the current applicable American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) PRA standard is ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. In RG 1.200, the quality of the PRA must be compatible with the safety implications of the proposed TS change and the role the PRA plays in justifying the change. RG 1.200 describes a peer review process using ASME/ANS RA-Sa-2009 as one acceptable approach for determining the technical acceptability of the PRA. The primary results of a peer review are the facts and observations (F&Os) recorded by the peer review team and the subsequent resolution of these F&Os. A process to close finding-level F&Os is documented in Appendix X to the NEI guidance documents NEI 05-04, NEI 07-12, and NEI 12-13, titled NEI 05-04/07-12/12-[13] Appendix X: Close-out of Facts and Observations (F&Os) (ADAMS Package Accession No. ML17086A431), which was accepted by the NRC in a letter dated May 3, 2017 (ADAMS Accession No. ML17079A427). NEI 06-09-A states that the PRA shall meet Capability Category (CC)-II for the supporting requirements of the PRA standard, and any deviations from these capability categories relative to the RMTS program shall be justified.

APLA AUDIT QUESTION 01 - PRA Model Uncertainty Analysis Process The NRC staff SE to NEI 06-09-A specifies that the LAR should identify key assumptions and sources of uncertainty and assess and disposition each as to its impact on the RMTS application. Section 2.3.4 of NEI 06-09-A states that PRA modeling uncertainties shall be considered in application of the PRA base model results to the RICT program and that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties that could

CNL-22-023 E1-3 of 65 potentially impact the results of a RICT calculation. NUREG-1855, Revision 1, "Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision-Making, Main Report," dated March 2017 (ADAMS Accession No. ML17062A466) presents guidance on the process of identifying, characterizing, and qualitatively screening model uncertainties.

LAR Enclosure 9 states that the process for identifying key assumptions and sources of uncertainty for the internal events (including internal floods), fire, and seismic PRAs was performed using the guidance in NUREG-1855, Revision 1. The LAR indicates that in addition to plant-specific assumptions and sources of uncertainty from the internal events (including internal floods), fire, and seismic PRA notebooks, that generic industry sources of uncertainty were also reviewed for applicability presented in Electric Power Research Institute (EPRI) Topical Report (TR) 1016737, "Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments, and EPRI TR 1026511, "Practical Guidance of the Use of Probabilistic Risk Assessment in Risk-informed Applications with a Focus on the Treatment of Uncertainty." The LAR states that no assumptions and sources of uncertainty were identified to have the potential to impact the TSTF-505 application (i.e., no key assumptions and sources of uncertainty). The LAR presents two sources of modeling uncertainty (i.e., modeling of FLEX and digital equipment) in, Tables E9-1, E9-3, and E9-4, but states they were not determined to be key sources of uncertainty for Sequoyah. No other assessment of candidate assumptions or sources of uncertainty was provided in the LAR, and the LAR did not identify any sensitivity studies to support its conclusions or identify any Risk Management Actions (RMAs) needed for LCO conditions that could be impacted by modeling uncertainty.

The word screened is not used in LAR Enclosure 9, but it appears that a master compilation of plant-specific and generic industry PRA modeling assumptions and sources of uncertainty was screened using a set of criteria to determine that none of the applicable PRA modeling assumptions and sources of uncertainty are key to this application. It is not clear to NRC staff what evaluation criteria were used to consistently evaluate plant-specific and generic sources of uncertainty to conclude that none are key for this application. Therefore, address the following:

a) Describe and justify the criteria used to consistently evaluate a comprehensive list of internal events (including internal floods), fire, and seismic PRA modeling assumptions and sources uncertainty (including those associated with plant-specific features, modeling choices, and generic industry concerns) to conclude none are key to the Sequoyah RICT program.

b) Discuss and provide the results of sensitivity studies (if any) that were performed to evaluate an identified assumption or source of uncertainty for its impact on the RICT calculations.

c) Discuss additional RMAs (if any) that will be used to address sources of PRA modeling uncertainty: (1) describe how these RMAs will be identified prior to the implementation of the RMTS program, consistent with the guidance in Section 2.3.4 of NEI 06 09; and (2) provide RMA examples that may be considered during a RICT program entry to minimize any potential adverse impact from this uncertainty and explain how these RMAs are expected to reduce the risk associated with this uncertainty.

CNL-22-023 E1-4 of 65 TVA Response Response to Part a)

To determine whether each assumption or source of uncertainty is key for the Risk-Informed Completion Times (RICT) application, the assumption or source of uncertainty was assessed against the criteria listed below. These criteria are based on the definitions in RG 1.200 Revision 3 along with related guidance from NUREG-1855 Revision 1 and related references (i.e., EPRI 1016737, EPRI 1013491, EPRI 1026511, and ASME/ANS RA-Sa-2009). Consistent with Section 4.1 of EPRI Report 1016737 and ASME/ANS RA-Sa-2009, a source of uncertainty is labeled key "when it could impact the PRA results that are being used in a decision, and consequently, may influence the decision being made". EPRI Report 1016737 and ASME/ANS RA-Sa-2009 further indicate that this impact "would need to be significant enough that it changes the degree to which the risk acceptance guidelines are met, and therefore, could potentially influence the decision."

Assumptions and sources of uncertainty that do not meet any of the following screening criteria are determined to be potentially key for the application.

1. The uncertainty is addressed by implementing a "consensus model" defined as follows.

Consensus model - In the most general sense, a consensus model is a model that has a publicly available published basis and has been peer reviewed and widely adopted by an appropriate stakeholder group. In addition, widely accepted PRA practices may be regarded as consensus models. Examples of the latter include the use of the constant probability of failure on demand model for standby components and the Poisson model for initiating events. For risk-informed regulatory decisions, the consensus model approach is one that NRC has utilized or accepted for the specific risk-informed application for which it is proposed. (NUREG-1855).

Consensus method/model - In the context of risk-informed regulatory decisions, a method or model approach that the NRC has used or accepted for the specific risk-informed application for which it is proposed. A consensus method or model may also have a publicly available, published basis and may have been peer reviewed and widely adopted by an appropriate stakeholder group. (RG 1.200).

EPRI 1013491 elaborates on the definition of a consensus model to include those areas of the PRA where extensive historical precedent is available to establish a model that has been accepted and yields PRA results that are considered reasonable and realistic. Thus, assumptions for which there is extensive historical precedent, and which produces results that are reasonable and realistic, can be screened from further consideration. According to NRC Regulatory Position C.3.3.2 in RG 1.200.

"When a key assumption is shown to be consistent with a consensus method or approach, that key assumption may no longer be subject to additional sensitivity studies in the context of a PRA application."

2. The uncertainty has no impact or insignificant impact on the PRA results and therefore no impact or insignificant impact on the calculated change in risk due to proposed changes that are to be addressed by the PRA application.

CNL-22-023 E1-5 of 65

3. The assumption introduces a realistic conservative bias in the PRA model results.

EPRI 1013491 uses the term "realistic conservatisms" and notes that "judiciously applied realistic conservatism can provide a PRA that avoids many of the traps associated with the use of excess conservatism." This criterion, which allows screening of sources of conservative bias, is intended to be less restrictive than the previous criterion, which does not distinguish between conservative and nonconservative bias. Thus, using this criterion, assumptions that introduce realistic (slight) conservatisms can be screened from further consideration.

4. There is no reasonable alternative assumption or reasonable modeling refinement to address the uncertainty that would produce different results. For the base PRA, the term "different results" refers to a change in the risk profile (e.g., total core damage frequency (CDF) and total large early release frequency (LERF), or the set of initiating events and accident sequences that contribute most to CDF and to LERF) and the associated changes in insights derived from the changes in the risk profile. A "reasonable alternative" assumption is one that has broad acceptance within the technical community and for which the technical basis for consideration is at least as sound as that of the assumption being challenged. (NUREG-1855, ASME/ANS RA-Sa-2009).

5. There is no reasonable alternative assumption or reasonable modeling refinement to address the uncertainty that is at least as sound as the assumption under consideration. A "reasonable alternative" assumption is one that has broad acceptance within the technical community and for which the technical basis for consideration is at least as sound as that of the assumption being challenged.

(NUREG-1855, ASME/ANS RA-Sa-2009).

Response to Part b)

Because the uncertainty evaluation found that there are no key assumptions or sources of uncertainty, no sensitivity studies to investigate the impact of assumptions and uncertainties on the results of the RICT calculations were performed.

Response to Part c)

If a key assumption or source of uncertainty is determined to have a potentially important impact on the RICT application, the potentially affected limiting condition for operation (LCO) should be identified and RMAs should be proposed to compensate for the uncertainty. Because the uncertainty evaluation found that there are no key assumptions or sources of uncertainty, no RMAs are proposed to compensate for uncertainty.

However, RMAs to compensate for equipment out of service will be developed and applied when appropriate using insights from the PRA model results specific to the configuration subject to the RICT application.

APLA AUDIT QUESTION 02 - Dispositions of PRA Model Assumptions and Sources of Uncertainty - Internal Events The NRC staff SE to NEI 06-09-A specifies that the LAR should identify key assumptions and sources of uncertainty and should assess and disposition each as to their impact on the RMTS application. Section 2.3.4 of NEI 06-09-A states that PRA modeling uncertainties shall be considered in application of the PRA base model results to the RICT program and that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties that could potentially impact

CNL-22-023 E1-6 of 65 the results of a RICT calculation. NUREG-1855, Revision 1, presents guidance on the process of identifying, characterizing, and qualitative screening of model uncertainties.

The NRC staff reviewed the dispositions of two sources of modeling uncertainty identified in LAR Table E9-1 and also reviewed the dispositions of other internal events (including internal floods) PRA modeling uncertainties evaluated by the licensee in the PRA notebooks for their impact on the RICT application. In a few instances, there is not enough information for NRC staff to conclude that the assumption or source of modeling uncertainty would not have an impact on the RICT calculations. Therefore, address the following:

a) LAR Table E9-1 identifies modeling of the Digital I&C Process Protection System (i.e., Eagle 21) as being a source of modeling uncertainty. of the LAR provides the following statements about the modeling of this digital equipment:

The failure probability of the comparator/bistable is representative of the Eagle 21 digital control system.

There is no common cause failure (CCF) added for the digital aspects of the system.

The results of the Eagle 21 availability assessment and the equivalent analog process protection system demonstrate that the Eagle 21 digital system is at least as reliable as the analog technologies.

Based on the statements above and the review of the Reactor Protection System (RPS) PRA notebook, it appears that the Eagle 21 system was modeled using an analog component failure event (i.e., failure of the comparator/bistable) as a surrogate. Moreover, it appears that the licensee considers using the failure probability of a comparator/bistable sufficient for modeling the Eagle 21 system including potential CCFs because the cited availability assessment determined that the Eagle 21 system is at least as reliable as the analog technologies. A description of this availability assessment was not provided in the LAR. It is not clear to NRC staff that modeling a digital system using an analog system failure event as a surrogate is sufficient to reflect the failure modes that are possible in a digital system including CCF. Additionally, it is not clear to NRC staff whether other digital systems besides the Eagle 21 are credited in the PRA models.

NRC staff notes the lack of consensus industry guidance for modeling digital systems in plant PRAs to be used in support of risk-informed applications. Known modeling challenges exist, such as the lack of industry failure data for digital I&C components, the difference between digital and analog system failure modes, and the complexities associated with modeling software failures, including common cause software failures. Research and guidance documents such as NUREG/CR-6962, Traditional Probabilistic Risk Assessment Methods for Digital Systems (ADAMS Accession No. ML083110448), indicate that software CCF can involve failures across function and system boundaries. Accordingly, it seems possible that software failure could defeat more than one function s Protection System such as failure of the software that performs centralized calculations.

CNL-22-023 E1-7 of 65 Given the observations and challenges described above, it appears that the uncertainty associated with modeling a digital I&C system could impact the RICT program. Therefore, address the following:

i.

Identify the digital systems that are credited in the Real-Time Risk (RTR) model that will be used to support the RICT program and for each digital system describe the function(s) that the digital equipment is credited to provide.

ii. Describe and provide the results of a sensitivity study performed for each digital system credited in the RTR model demonstrating that the uncertainty associated with modeling of the digital systems has an inconsequential impact on the calculated RICTs. The LCO conditions used for the sensitivity study should be those in scope of RMTS that are most impacted by the modeling uncertainty and have a RICT less than the 30-day backstop (i.e., the 30-day RICT back-stop condition could mask the impact of this uncertainty in the sensitivity study). Note that the sensitivity study should be sufficiently conservative to address the modeling concerns and challenges discussed above for digital equipment.

iii. As an alternative to part (ii) above, identify the LCO conditions in scope of RMTS impacted by digital system modeling for which RMAs will be applied during a RICT. Include discussion of the kinds of RMAs that would be applied and justification that the RMAs will be sufficient to address the modeling concerns and challenges discussed above for digital equipment.

TVA Response:

Response to Part a)i The only digital system credited in the RTR model is the Eagle-21 system. The Eagle-21 system serves as part of: (a) the reactor trip system (RTS), which automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached, and (b) the engineered safety feature actuation system (ESFAS), which provides initiating signals to the various engineered safety features to prevent or mitigate damage to the core and to maintain containment integrity. The RTS and ESFAS include the Process Protection Set Racks (EAGLE-21) and Solid-State Protection System (SSPS). These two systems: (a) generate all necessary process protection signals, combine them into logic matrices, and initiate a reactor trip or actuate necessary ESF equipment and (b) maintain physical and electrical separation by providing four sets of process protection system (EAGLE-21) cabinets and two sets of SSPS cabinets (racks), one for each protection train (A and B).

The EAGLE-21 process protection system is a microprocessor-based system housed in 14 instrumentation cabinets divided into four protection channel sets as shown in Figure 1.

A brief description of the operation of Eagle-21 for the functions credited in the PRA is as follows. For each of the Eagle-21 cabinets: 1) transmitters (flow, pressure, level) and resistance temperature detectors (RTD) are connected to provide inputs; 2) the Eagle

CNL-22-023 E1-8 of 65 Analog Input (EAI) and Eagle RTD Input (ERI) boards provide power to the sensors; 3) a Loop Calculation Processor (LCP) provides signal conditioning and calculation operations on the inputs, and 4) the LCP monitors inputs and provides outputs to the SSPS via Eagle Partial Trip (EPT) boards when setpoints are exceeded.

To summarize the foregoing description, the functions of Eagle-21 credited in the PRA are similar to those of comparators / bistables, where a certain input parameter configuration threshold leads to the generation (or not) of a given signal.

As a safety-related system, Eagle-21 incorporates design features to ensure required RPS functions. In particular, Eagle-21 has the following characteristics.

1) Redundancy - The use of multiple channels ensures that any single failure within a channel will not prevent initiation of a required protection system action (single failure criterion).

2) Independence - Each channel is physically and electrically independent.

Independence ensures that a malfunction of one component will not prevent the function of another.

3) Diversity - Several different parameters are monitored to provide similar protection. Diversity ensures that if one parameter does not indicate an event, then another diverse parameter will still ensure the protective actions take place.

4) Fail-safe - On a loss of power or component failure, Eagle-21 is designed to provide trip/actuation signals to SSPS. Therefore, Eagle-21 loss of power or component failure does not prevent a protective action.

5) Surveillance testing features (testability) - Eagle-21 provides self-calibration and self-diagnostics capabilities which are continuous.

Figure 1. ESFAS Simplified Diagram for the Reactor Protection System Response to Part a)ii Consistent with the physical and electrical independence of each channel described in the response to Part i, Eagle-21 is modeled in the PRA by surrogate components specific to each of the four protection channel sets shown in Figure 1. In addition, Eagle-21 components are represented by the failure on demand of a comparator / bistable

CNL-22-023 E1-9 of 65 (Type Code = SBBFD), consistent with the functional similarity of the operation of Eagle-21 to this type of actuator, as described in the response to Part i.

The modeling of Eagle-21 in the PRA also accounts for the possibility of common cause failures (CCFs), which would lead to the concurrent failures of the modeled components.

CCFs are modeled using the computer-aided fault tree analysis (CAFTA) CCF Tool based on CCF data for the bistable. The alpha factor method is used. The modeling takes into consideration CCFs across separate channels. Specifically, the PRA accounts for the possibility of Eagle-21 CCF failure affecting the four protection channel sets and leading, for each type of ESFAS or RPS signal modeled in the PRA, to its failure on both Train A and Train B. This is summarized in Table 1, which shows the Eagle-21 functional categories that can be affected by a CCF.

Table 1. Modeling of Eagle-21 CCF in the PRA Eagle-21 functional categories modeled with CCF CCF combinations involve failure of one or more of ESFAS containment sump high level train A and B Eagle-21 loop 99-920A, 99-921A, 99-940A, and 99-941A ESFAS high containment pressure train A and B Eagle-21 loop 99-334B, 99-335B, and 99-336B ESFAS high high containment pressure train A and B

Eagle-21 loop 99-934A, 99-935A, 99-936A, and 99-937A High PZR pressure train A and B Eagle-21 loop high pressurizer pressure Set I through IV ESFAS Low PZR pressure train A and B Eagle-21 loop 99-455D, 99-456D, and 99-457D OTDT (over temperature delta temperature) train A and B Eagle-21 OTDT Set I through IV ESFAS RWST low level train A and B Eagle-21 loop 99-913A, 99-914A, 99-915A, and 99-916A ESFAS SG 1 to 4 low low level Eagle-21 loop 99-517B, 99-518B, 99-519B, 99-527B, 99-528B, 99-529B, 99-537B, 99-538B, 99-539B, 99-547B, 99-548B, and 99-549B ESFAS steamline low pressure Eagle-21 loop 99-514A, 99-515A, 99-516A, 99-524A, 99-525A, 99-526A, 99-534A, 99-535A, 99-536A, 99-544A, 99-545A, and 99-546A.

The Eagle-21 categories outlined in Table 1 are not subject to an overarching CCF that would affect the entire system. Doing so would be improper since 1) CCFs are modeled for similar components that accomplish similar functions under similar conditions, and

2) the categories outlined in Table 1 represent different functions, each evaluated by a diversity of parameters (as described in the response to Part i). In addition, an unnoticed software failure or maintenance error affecting multiple functions across multiple channels has an insignificant probability due to Eagle-21s self-calibration and self-diagnostics capabilities which are continuous, as noted in the response to Part i. Realistically, a software failure or maintenance error would be noticed, leading to shutdown of the plant.

The failure of Eagle-21 can be mitigated by reliable and feasible operator action (e.g., manual trip of the reactor, manual startup of safety injection (SI) and alternate feedwater (AFW) pumps, etc.). Finally, there is no external inbound communication link and the systems are not time synced, so they lack a common trigger to instigate a CCF failure of any two racks.

The SBBFD basic events and the associated CCF basic events have very low importance in the PRA model. Therefore, uncertainty in their probabilities is expected to have little effect on RICT results.

CNL-22-023 E1-10 of 65 To test the expectation that the uncertainty in the Eagle-21 failure probabilities has little effect on RICT results, a sensitivity study setting the point estimate of Type Code SBBFD to the 95th percentile of its failure probability distribution has been performed. The mean probability of SBBFD as used in the baseline PRA is 5.44E-04 and the corresponding 95th percentile, 2.09E-03 (approximately a factor of three higher than the mean), is applied as the point estimate for the sensitivity study. The CAFTA CCF Tool was used to adjust the associated CCF basic events accordingly.

An indication of the importance of SBBFD on the PRA results is the fractional increase in risk (CDF or LERF) given the change in SBBFD that was used in the sensitivity study (Table 2). In addition, Table 2 shows insignificant risk achievement worth (RAW) importance of the Eagle-21 failure probabilities with respect to overall PRA risk (RAW < 2).

The RAW importance measure for SBBFD in Table 2 is calculated as:

SBBFD 1

1

1 where:

a = 5.44E-4 b = 2.09E-3 R(a) = overall PRA risk with SBBFD = a R(b) = overall PRA risk with SBBFD = b.

Table 2. Sensitivity of Overall PRA Risk to the Eagle-21 Failure Probabilities Unit Risk Metric Fractional Increase in Overall PRA Risk RAW Importance of SBBFD 1

CDF 2.02E-04 1.13 1

LERF 8.87E-05 1.06 2

CDF 1.89E-04 1.12 2

LERF 1.24E-04 1.08 As can be seen in Table 2, the RAW importance of SBBFD is small. This is a reasonable result given 1) the diversity of signals described in the response to Part i, and

2) the fact that the failure of automatic reactor trip or ESFAS signals can typically be mitigated by a feasible and reliable operator action in the main control room (MCR).

The results of the RICT sensitivity study are presented in Table 3. The results without the 30-day backstop are shown to avoid masking the results. The increases in Eagle-21 failure probabilities have an inconsequential effect on the RICT results. In the cases where the RICT days result is greater than the 30-day backstop, the increases or reductions in the RICT days result are minor without the 30-day backstop and are inconsequential with the 30-day backstop. In the cases where the RICT days result is less than the 30-day backstop, the difference in results is insignificant (less than 5E-3) and inconsequential because the results are equal when rounded to tenths of days.

CNL-22-023 E1-11 of 65 Table 3. Results of the Sensitivity Study on the Eagle-21 Failure Probabilities U1, U2 U1, U2 Fractional Plant Baseline Sensitivity Increase in Unit Case Description Min RICT Days Min RICT Days RICT Days Comment 1

3-3-1-D_9 Reactor Trip System (RTS) Instrumentation - One 1.32E+04 1.32E+04 4.9E-14 This case was selected for the sensitivity 2

Power Range Neutron Flux - High channel 3.32E+03 3.29E+03

-1.0E-02 study because Eagle-21 components are inoperable. Mapped to the bistable/comparator directly failed and because the Unit 1 RICT (Eagle-21) for both Over Temperature Delta day result is relatively low compared to other Temperature (OTDT) and High Pressurizer RTS cases. This case sets the Set I Eagle-21 Pressure (HPP) Protection Set I (channel portion reactor trip initiation components TRUE.

which impacts both trains).

1 3-3-1-D_10 Reactor Trip System (RTS) Instrumentation - One 1.33E+04 1.33E+04 0.0E+00 This case was selected for the sensitivity 2

Power Range Neutron Flux - High channel 3.32E+03 3.29E+03

-9.7E-03 study because Eagle-21 components are inoperable. Mapped to the bistable/comparator directly failed and because the Unit 1 RICT (Eagle-21) for both OTDT and HPP Protection Set day result is relatively low compared to other II (channel portion which impacts both trains).

RTS cases. This case sets the Set II Eagle-21 reactor trip initiation components TRUE.

1 3-3-1-D_11 Reactor Trip System (RTS) Instrumentation - One 1.45E+03 1.45E+03 4.0E-06 This case was selected for the sensitivity 2

Power Range Neutron Flux - High channel 4.70E+04 4.41E+04

-6.2E-02 study because Eagle-21 components are inoperable. Mapped to the bistable/comparator directly failed and because the Unit 1 RICT (Eagle-21) for both OTDT and HPP Protection Set day result is relatively low compared to other III (channel portion which impacts both trains).

RTS cases. This case sets the Set III Eagle-21 reactor trip initiation components TRUE.

1 3-3-1-D_12 Reactor Trip System (RTS) Instrumentation - One 1.44E+03 1.44E+03 6.8E-15 This case was selected for the sensitivity 2

Power Range Neutron Flux - High channel 3.63E+04 3.41E+04

-6.1E-02 study because Eagle-21 components are inoperable. Mapped to the bistable/comparator directly failed and because the Unit 1 RICT (Eagle-21) for both OTDT and HPP Protection Set day result is relatively low compared to other IV (channel portion which impacts both trains).

RTS cases. This case sets the Set IV Eagle-21 reactor trip initiation components TRUE.

1 3-3-2-C_2 Engineered Safety Feature Actuation System 1.11E+03 1.11E+03 4.9E-03 This case was selected for the sensitivity 2

(ESFAS) Instrumentation - One train inoperable.

5.21E+03 5.21E+03 0.0E+00 study because Eagle-21 components are Train B Safety Injection (SI) signal fails.

expected to be made more important due to the failure of ESFAS instrumentation and because the Unit 1 RICT day result is relatively low compared to other ESFAS cases.

CNL-22-023 E1-12 of 65 U1, U2 U1, U2 Fractional Plant Baseline Sensitivity Increase in Unit Case Description Min RICT Days Min RICT Days RICT Days Comment 1

3-3-2-D_11 ESFAS instrumentation - One channel 1.21E+03 1.22E+03 5.2E-03 This case was selected for the sensitivity 2

inoperable. Input Relay pressurizer pressure low 1.34E+04 1.34E+04 2.6E-03 study because Eagle-21 components are channel II - Train B inoperable.

expected to be made more important due to the failure of ESFAS instrumentation and because the Unit 1 RICT day result is relatively low compared to other ESFAS cases.

1 3-3-2-D_12 ESFAS Instrumentation - One channel 1.24E+03 1.25E+03 5.4E-03 This case was selected for the sensitivity 2

inoperable. Input Relay pressurizer pressure low 1.59E+04 1.60E+04 2.6E-03 study because Eagle-21 components are channel III - Train B inoperable.

expected to be made more important due to the failure of ESFAS instrumentation and because the Unit 1 RICT day result is relatively low compared to other ESFAS cases.

1 3-5-2-A_1 Emergency Core Cooling System (ECCS) -

8.88E+00 8.88E+00

-6.5E-06 This case was selected for the sensitivity 2

Operating - One or more trains inoperable.

1.06E+01 1.06E+01 6.4E-07 study because, although it is not directly Centrifugal Charging (High Head) pump A fails to related to the RTS or ESFAS systems, it run / fails to start or run in first hour.

presents an example in which the RICT days result is below the 30-day backstop.

1 3-7-5-B_1 Auxiliary Feedwater (AFW) System - One AFW 2.55E+01 2.55E+01

-4.3E-05 This case was selected for the sensitivity 2

train inoperable. Motor Driven pump A-A fails to 3.64E+01 3.64E+01

-1.0E-04 study because, although it is not directly start.

related to the RTS or ESFAS systems, it presents an example in which the RICT days result is near or below the 30-day backstop.

CNL-22-023 E1-13 of 65 Response to Part a)iii A Part a)iii response is not required because a sensitivity study was performed in Part a)ii showing minimal impact to the RICT calculations.

APLA/APLC AUDIT QUESTION 03 - Credit for FLEX Equipment and Actions The NRC memorandum dated May 30, 2017, Assessment of the Nuclear Energy Institute 16-06, Crediting Mitigating Strategies in Risk-Informed Decision Making, Guidance for Risk-Informed Changes to Plants Licensing Basis (ADAMS Accession No. ML17031A269), provides the NRCs staff assessment of challenges to incorporating FLEX equipment and strategies into a PRA model in support of risk-informed decision-making in accordance with the guidance of RG 1.200, Revision 2.

With regards to equipment failure probability, in the May 30, 2017 memo, the NRC staff concludes (Conclusion 8):

The uncertainty associated with failure rates of portable equipment should be considered in the PRA models consistent with the ASME/ANS PRA Standard as endorsed by RG 1.200. Risk-informed applications should address whether and how these uncertainties are evaluated.

With regards to human reliability analysis (HRA), Section 7.5 of NEI 16-06 recognizes that the current HRA methods do not translate directly to human actions required for implementing mitigating strategies. Sections 7.5.4 and 7.5.5 of NEI 16-06 describe such actions to which the current HRA methods cannot be directly applied, such as: debris removal, transportation of portable equipment, installation of equipment at a staging location, routing of cables and hoses; and those complex actions that require many steps over an extended period, multiple personnel and locations, evolving command and control, and extended time delays. In the May 30, 2017 memo, the NRC staff concludes (Conclusion 11):

Until gaps in the human reliability analysis methodologies are addressed by improved industry guidance, [Human Error Probabilities] HEPs associated with actions for which the existing approaches are not explicitly applicable, such as actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06, along with assumptions and assessments, should be submitted to NRC for review.

Regarding uncertainty, Section 2.3.4 of NEI 06-09-A states that PRA modeling uncertainties shall be considered in application of the PRA base model results to the RICT program and that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties that could potentially impact the results of a RICT calculation.

NEI 06-09-A also states that the insights from the sensitivity studies should be used to develop appropriate RMAs, including highlighting risk significant operator actions, confirming availability and operability of important standby equipment, and assessing the presence of severe or unusual environmental conditions. Uncertainty exists in PRA modeling of FLEX strategies related to the equipment failure probabilities for FLEX equipment used in the model, the corresponding operator actions, and pre-initiator failure probabilities. Therefore, FLEX modeling assumptions can be key assumptions and sources of uncertainty for RICTs proposed in this application.

CNL-22-023 E1-14 of 65 LAR Enclosure 2, Section 6, states that FLEX equipment is credited in the PRA models that will be used to support the RICT program. However, the LAR characterizes the credited 480 V and 6.9kV 3 MW FLEX diesel generators (DGs) as installed on the Auxiliary Building roof and in the Additional Diesel Generator Building, respectively. The LAR also describes required support systems such as the ventilation system for the 6.9kV 3 MW DGs. It does not appear that portable FLEX equipment and actions associated with moving and setting up FLEX equipment are credited in the PRA models, though the DGs need to be manually started. However, the LAR does refer to skid mounted FLEX equipment inferring that the FLEX equipment is capable of being moved. It is not clear whether FLEX equipment might be moved under certain circumstances or be in a configuration in which they are not installed. Also, it is not clear whether the operation of installed FLEX equipment requires portable supporting equipment or actions such as routing of cables or hoses. NRC staff notes the comments made in LAR, Tables E9-1, E9-3, and E9-4 indicating that FLEX DGs are not risk significant in the internal events and fire PRAs but are relatively more important to the seismic risk. To complete the NRC staffs review of the FLEX strategies modeled in the PRA, the NRC staff requests the following information for the internal events PRA (including internal floods), fire PRA, and seismic PRA, as appropriate:

a) Summarize the FLEX strategies, including the operator actions and associated equipment that have been quantitatively credited for each of the PRA models (i.e.,

internal events, internal floods, fire, and seismic) used to support this application. Include discussion of whether the credited FLEX equipment is portable or permanently installed equipment.

b) Regarding the credited FLEX equipment:

i.

Discuss whether the credited FLEX equipment (regardless of whether it is portable or permanently installed) are similar to other plant equipment credited in the PRA (i.e., structures, systems, and components (SSCs) with sufficient plant-specific or generic industry data).

ii. For credited FLEX equipment that is not similar to other plant equipment credited in the PRA:

Discuss the data and failure probabilities used to support its modeling and provide the rationale for using the chosen data. Discuss whether the uncertainties associated with the parameter values are in accordance with the ASME/ANS PRA Standard, as endorsed by RG 1.200, Revision 2.

Justify and provide results of LCO-specific sensitivity studies for the seismic PRA that assess impact on the RICT due to FLEX equipment data and failure probabilities. As part of the response, include the following information:

1. Justify values selected for the sensitivity studies, including justification of why the chosen values constitute bounding realistic estimates.

2. Discuss the bases for the chosen TS LCO conditions in the sensitivity studies. Because the 30-day RICT back-stop condition could mask the impact of this uncertainty in the sensitivity study,

CNL-22-023 E1-15 of 65 discuss whether the RICTs for plant configurations involving more than one LCO entry (e.g., where the calculated RICTs are less than the 30-day backstop) are significantly impacted by this uncertainty.

3. Provide numerical results on specific selected RICTs and discussion of the results.

4. Discuss whether the uncertainty associated with FLEX equipment failure probabilities is a key source of uncertainty for the RMTS program.

If this uncertainty is key, then describe and provide a basis for how this uncertainty will be addressed in the RMTS program (e.g.,

programmatic changes such as identification of additional RMAs, program restrictions, or the use of bounding analyses which address the impact of the uncertainty). If the programmatic changes include identification of additional RMAs, then (1) describe how these RMAs will be identified prior to the implementation of the RMTS program, consistent with the guidance in Section 2.3.4 of NEI 06-09-A; and (2) for those TS LCO conditions in LAR Enclosure 12 (Risk Management Action Examples) that are significantly impacted by this uncertainty, provide updated RMAs that may be considered during a RICT program entry to minimize any potential adverse impact from this uncertainty, and explain how these RMAs are expected to reduce the risk associated with this uncertainty.

c) Regarding human reliability analysis (HRA), address the following:

i.

Discuss whether any credited operator actions related to FLEX equipment contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06.

ii. For credited operator actions related to FLEX equipment that contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06:

Justify and provide results of LCO-specific sensitivity studies for the seismic PRA that assess impact on the RICT from the FLEX independent and dependent HEPs associated with deploying and staging FLEX portable equipment. As part of the response, include the following information:

1. Justify the independent and joint HEP values selected for the sensitivity studies, including justification of why the chosen values constitute bounding realistic estimates.

2. Discuss the bases for the chosen TS LCO conditions in the sensitivity studies. Because the 30-day RICT back-stop condition could mask the impact of this uncertainty in the sensitivity study, discuss whether the RICTs for plant configurations involving more than one LCO entry (e.g., where the calculated RICTs are less

CNL-22-023 E1-16 of 65 than the 30-day backstop) are significantly impacted by this uncertainty.

3. Provide numerical results on specific selected RICTs and discussion of the results.

4. Discuss composite sensitivity studies of the RICT results to the operator action HEPs and the FLEX equipment reliability uncertainty sensitivity study provided in response to part (3.b.ii) above.

5. Discuss whether the uncertainty associated with FLEX HEPs is a key source of uncertainty for the RMTS program.

If this uncertainty is key, then describe and provide a basis for how this uncertainty will be addressed in the RMTS program (e.g.,

programmatic changes such as identification of additional RMAs, program restrictions, or the use of bounding analyses which address the impact of the uncertainty). If the programmatic changes include identification of additional RMAs, then (1) describe how these RMAs will be identified prior to the implementation of the RMTS program, consistent with the guidance in Section 2.3.4 of NEI 06 09, Revision 0-A; and (2) for those TS LCOs in LAR Enclosure 12 (Risk Management Action Examples) that are significantly impacted by this uncertainty, provide updated RMAs that may be considered during a RICT program entry to minimize any potential adverse impact from this uncertainty, and explain how these RMAs a expected to reduce the risk associated with this uncertainty.

OR:

x Alternatively, provide information associated with the following items listed in supporting requirements (SR) HR-G3 and HR-G7 of the ASME/ANS RA-Sa-2009 PRA Standard to support the NRC staffs detailed review of the LAR:

1. the level and frequency of training that the operators and/or non-operators receive for deployment of the FLEX equipment (performance shaping factor (a) in SR HR-G3),

2. performance shaping factor (f) in SR HR-G3, regarding estimates of time available and time required to execute the response,

3. performance shaping factor (g) in SR HR-G3, regarding complexity of detection, diagnosis, and decision-making and executing the required response,

4. Performance shaping factor (h) in SR HR-G3, regarding consideration of environmental conditions, and

CNL-22-023 E1-17 of 65

5. Human action dependencies as listed in SR HR-G7 of the ASME/ANS RA-Sa-2009 PRA Standard.

d) The Section 1-2 of Part 1 of ASME/ANS RA-Sa-2009 PRA Standard, as endorsed by RG 1.200, Revision 2, defines PRA upgrade as the incorporation into a PRA model of a new methodology or significant changes in scope or capability that impact the significant accident sequences or the significant accident progression sequences. Section 1-5.4 of Part 1 of ASME/ANS RA-Sa-2009 PRA Standard states that PRA upgrades shall receive a peer review in accordance with the requirements specified in the peer review section of each respective part of this Standard.

Given the challenges of modeling FLEX mitigation strategies, explain whether the modeling of FLEX equipment and FLEX actions in the PRA has been peer reviewed in accordance with NRC accepted methods. If it was not, then justify how the model changes associated with incorporating FLEX mitigating strategies does not constitute a PRA upgrade as defined in Section 1-2 pf ASME/ANS RA-Sa-2009, as endorsed by RG 1.200, Revision 2.

TVA Response Response to Part a)

Only the permanently installed FLEX DGs (the 6.9KV Diesels and the 480V Diesels) and associated permanently installed equipment to get the diesels in use (breakers, exhaust fans, etc.) are credited in the PRA models. No other FLEX equipment is credited. The 6.9KV FLEX DGs are the onsite standby power source designed for Extended Loss of AC Power (ELAP) events or other similar external events. They are part of the FLEX Response System (FRS) and are required to provide power to the Emergency Core Cooling System when power is lost to the 6.9KV Shutdown Boards from both offsite power as well as the emergency diesel generators (EDG). In such an event, power to the 6.9KV Shutdown Boards and the safety related loads downstream is established using the 6.9KV FLEX DGs. The 480V FLEX DGs primary function is to power the 125VDC and 120VAC Vital Power Systems.

The breakers, the DC power control circuits (including the remote-control device associated with the DGs startup), the DGs monitoring circuits, and the DGs control circuits are all part of the FLEX DG boundary. This is similar to the boundary of the EDGs.

The FLEX DGs at Sequoyah Nuclear Plant (SQN) are pre-staged in place, minimal effort is required to align and operate them in case of emergency upon the declaration of the ELAP event. An HRA action is modeled to align and start the FLEX DG (one HRA for the 6.9KV Diesels and one HRA for the 480V Diesels). The 6.9KV Diesels are housed in the Additional Diesel Generator Building (ADGB) which is assumed in the model to require ventilation so the ventilation fan for the ADGB is modeled. The 480V Diesels do not require ventilation in the PRA models.

Response to Part b)i Both the 3MW FLEX DG and the 480V FLEX DG are similar in design to the (EDG). Because the industry and plant specific data for the FLEX DGs is not firmly established, the EDG failure rate was used as a surrogate in each of the PRA models.

CNL-22-023 E1-18 of 65 Response to Part b)ii All credited FLEX equipment is similar to other plant equipment credited in the PRA.

Response to Part c)i There are no operator actions related to FLEX equipment that contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06. All operator actions are proceduralized and performed on the permanently installed FLEX equipment.

To start up the 6.9KV Flex DGs, the operators turn off protective relaying for FLEX DG startup and place the exhaust fan in auto. The diesel is placed in run to failure mode and tornado doors are opened. The DG is then started and aligned to applicable shutdown boards by manipulating switches.

The 6.9KV Flex DG has makeup aligned to the fuel oil day tank following DG startup. This action ensures the diesel does not run out of fuel for long term operation. The diesel is capable of running initially without makeup from the fuel oil day tank (greater than 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />) but requires the extra fuel for long term operation. The steps are all proceduralized and require the operator to route the fuel oil transfer pump discharge hose through the tornado doorway to the 2A-A Diesel room emergency exit door and into the day tank. The hose is pre-staged within the Additional Diesel Generator Building along with the 6.9KV Flex DGs.

These rooms are directly adjacent. The action to align the hose is very straightforward and it involves unwinding the entire hose, removing any kinks, opening the day tank suction valve, and connecting the transfer hose. To initiate fuel makeup, the pump suction and discharge isolation valves are opened, and the transfer pump is turned on.

To start up the 480V Flex DGs, the operators will locally start them on the Auxiliary Building Roof by using hand switches and then ensuring the appropriate loads are aligned by actuating breakers.

Response to Part c)ii As indicated in c)i above, there are no operator actions related to FLEX equipment that contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06.

Response to Part d)

The incorporation of the FLEX DG modeling into the Fire and Seismic PRA models was performed prior to the Peer Reviews held for the Fire PRA (FPRA) and the Seismic PRA.

During the Fire and Seismic Peer Reviews, each of the system SRs were reviewed with respect to the Fire and Seismic PRAs. All open finding level F&Os related to the Peer Reviews were closed during the subsequent F&O Closure Review and there are currently no open finding level F&Os on any of the PRA models.

The inclusion of FLEX into the Internal Events model was not considered a PRA upgrade because the Fire and Seismic PRAs build their logic on the Internal Events logic, therefore a separate peer review was not performed for the Internal Events model with respect to the FLEX DG modeling. The FLEX DGs were included in the Internal Events model as an additional source of power during a loss of offsite power as a backup source to the EDGs.

The modeling was included in the Internal Events model following the Fire and Seismic PRA

CNL-22-023 E1-19 of 65 Peer Reviews because it was thought that any discrepancies with the modeling of the FLEX DGs would be the same for the Seismic, Fire, and Internal Events model. This is because the FLEX DGs are additional permanently installed pieces of equipment that are credited during loss of offsite power scenarios.

APLA AUDIT QUESTION 04 - Consideration of Shared Systems in RICT Calculations RG 1.200, Revision 2, states, [t]he base PRA serves as the foundational representation of the as-built and as-operated plant necessary to support an application.

Table E8-1 of LAR Enclosure 8 indicates the existence of cross-ties between units and identifies several systems that are shared. It is not clear to NRC staff how these systems are shared, whether they can support both units in an accident, and how the shared systems are credited for each unit in the PRA models. NRC staff notes that for certain events, such as dual unit events (e.g., loss of offsite power), it may be appropriate to only credit the shared systems for one unit. Therefore, address the following:

a) Explain how shared systems are modeled in the RTR model for each unit in a dual unit event demonstrating that shared systems are not over-credited in the RTR model.

OR:

b) If the RTR model does not address the impact of events that can create a concurrent shared by both units, then justify that this exclusion has an inconsequential impact the RICT calculations.

TVA Response Shared systems are generally designed to support demands associated with an accident on one unit and normal or ordinary shutdown loads on the other unit, and this is implicit in the model success criteria. It is assumed that there will not be simultaneous accidents (LOCAs, steam generator (SG) tube ruptures, etc.) on both units.

With respect to the systems identified in Enclosure 8, Table E-1:

Condensate and Feedwater System/ Shared component condenser vacuum priming pumps The vacuum priming pumps function to keep condenser waterboxes full, to maximize heat transfer across condenser tubes. Unavailability of condenser vacuum priming pumps could result in a very gradual degradation of the heat transfer capability needed for power operation.

The condenser provides limited mitigation potential during postulated accidents and a slow degradation of heat transfer capability would not impact the ability of the condenser to support post-accident decay heat removal for scenarios where that is contemplated.

Condenser Vacuum Priming pumps are not significant to risk evaluation and are not modeled.

Auxiliary Feedwater system/ Condensate Storage Tank (CST) A & B Adequate CST capacity exists for initial response by both units in event of a postulated accident on one unit. Station design and procedures then anticipate alignment of the safety

CNL-22-023 E1-20 of 65 related supply, Essential Raw Cooling Water (ERCW). ERCW is an infinite source sufficient to support both units. ERCW cooling water supply is modeled.

There are two CSTs, one per unit. The CSTs are cross-connected and have a common suction line to the AFW system on both units. CST capacity is 385,000 gallons. Output of a single Motor Driven Auxiliary Feedwater pump is sufficient to remove decay heat via the SGs.

A motor-driven AFW pump can supply 440 gpm. When CST supply is exhausted Auto swap-over of the AFW system from CST to ERCW occurs.

A simple hand calculation can be used to conservatively bound the time that the CSTs could supply both units: 385,000*2/ (2

• 440) = 875 minutes or 14.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. After that time auto transfer to ERCW supply would occur and provide an infinite source of makeup.

Raw Cooling water / Strainers, main cooling water header The Essential Raw Cooling Water System provides heat removal from various components and systems important to safety. It consists of two trains with 4 pumps on each train. Design basis is that two ERCW pumps on a single train are sufficient to provide adequate cooling to mitigate accidents on one unit and safe shutdown of the other unit and the Sequoyah model incorporates this. Impacts of strainer failures are included in the model. Failure of ERCW cooling water lines are included in modeling for the Sequoyah internal flooding analysis.

ERCW Design Basis:

The safety functions of the ERCW system shall consist of the capability to provide necessary cooling or makeup for safety-related plant equipment and components in response to adverse plant operating conditions (design basis events) which impose safety-related performance requirements on the systems being served. The availability of cooling water for the most demanding condition on the ERCW system shall be based on the following events occurring simultaneously:

a. Loss of offsite power

b. Loss of downstream dam

c. Loss of two diesel generators serving the same power train. (This means that cooling water must be supplied with two ERCW pumps operating through two headers on the same plant train)

d. Design Basis Earthquake (SSE)

The PRA does not model all these conditions (for example loss of downstream dam is not modeled) but it does consider that during a loss of offsite power two ERCW pumps are sufficient.

Additionally from Updated Final Safety Analysis Report (UFSAR) section 9.2.5.1, the ultimate heat sink should be capable of providing sufficient cooling for at least 30 days: (a) to permit simultaneous safe shutdown and cooldown of all nuclear reactor units that it serves, and maintain them in a safe shutdown condition, and (b) in the event of an accident in one unit, to permit control of that accident safely and permit simultaneous safe shutdown and cooldown of the remaining units and maintain them in a safe shutdown condition.

Therefore, two ERCW pumps on a single train are sufficient to support an accident response on one unit and allow safe shutdown of a non-accident unit. Implicit in this is an assumed loss

CNL-22-023 E1-21 of 65 of offsite power so two ERCW pumps on a single train can be seen to be sufficient to support a simultaneous loss of offsite power on both units, without occurrence of an accident.

Compressed air system/ compressors, dryers, various valves common to both units Shared compressed air systems are designed with adequate capacity to support both units in an accident. Compressors, dryers, and main valves are included in the SQN model.

Component cooling system/ B train pump, C-S {pump} and 0B1 and 0B2 heat exchangers By design the shared B-train of component cooling water is capable of providing for accident mitigation on one unit while supporting safe shutdown of the opposite unit. The PRA model reflects this capability. The PRA models pump C-S and CCS Heat Exchangers 0B1/0B2 as normally aligned to B-train and reflects the potential for pumps 1B and 2B to be aligned to B-train in event of maintenance to the C-S pump.

CCS train B supported by 1 CCS pump is sufficient to support one unit experiencing an accident (such as a large loss of coolant accidents (LOCA)) and the other unit either in Mode 3 or in cold shutdown. Design basis analyses supporting this assume a simultaneous loss of offsite power so it can be seen that a simple loss of offsite power to both units is bounded by this.

6900V Electric Power and Switchyard/Cross-ties via the shutdown utility bus The shutdown utility bus is only modeled as available in a beyond design basis event where both shutdown boards and EDGs on the donor unit are available. Therefore, the model does not allow simultaneous crediting of the utility bus to support unavailability of AC power on both units.

APLA AUDIT QUESTION 05 - Impact of Seasonal Variations The Tier 3 assessment in RG 1.177 stipulates that a licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. NEI 06-09-A and its associated NRC safety evaluation state that, for the impact of seasonal changes, either conservative assumptions should be made, or the PRA should be adjusted appropriately to reflect the current (e.g., seasonal or time of cycle) configuration.

LAR Enclosure 8, Section 3, on attributes of the RTR model, states, Seasonal variations are included in the SQN risk model. Systems included in this treatment include Emergency Raw Cooling Water (ERCW) and component cooling systems. The LAR explains that success criteria for the number of ERCW pumps required is related to the river water temperature, and that this change is made in the PRA models by applying a flag to toggle between both seasons in the model. It is not clear to NRC staff what mechanism and criteria are used to determine when PRA adjustments need to be made in the RTR due to the change in river water temperature. It is also not clear whether other modeling adjustments besides the cited example are needed to account for seasonal and time of cycle dependencies and what kind of adjustments will be made. Therefore, address the following to clarify the treatment of seasonal and time of cycle variations:

a) Discuss any other PRA modeling adjustments made in the RTR to account for seasonal and time of cycle variations during a RICT evolution. Also, explain how

CNL-22-023 E1-22 of 65 these adjustments are made and how this approach is consistent with the guidance in NEI 06-09-A and its associated NRC safety evaluation.

b) Describe the criteria used to determine when PRA adjustments due to seasonal or time le variations need to be made in the RTR and what mechanism initiates these changes.

TVA Response The Sequoyah PRA model CAFTA database was reviewed in order to identify flags (name contains FLG) which referenced temperature or season and the following were identified:

FLG_0024SUMMER FOUR OF FIVE RCW PUMPS ARE REQUIRED FLG_0024OTHER THREE OF FIVE RCW PUMPS ARE REQUIRED FLG_ERCW_TEMP ERCW SUPPLY HEADER TEMPERATURE GREATER THAN 70 F FLG0062_TEMP_LT_63 BAT AREA TEMPERATURE BELOW 63 F With respect to the system 24 (non-safety raw cooling water):

Importance measures show the flags used in modeling of the raw cooling water system (FLG_0024SUMMER, FLG_0024OTHER) have minimal importance values (for instance risk reduction worth, Birnbaum). TVA will set the more conservative 4 out of 5 pumps required summer flag when performing RICT calculations. This will conservatively bound both seasonal configurations.

With respect to the system 67 ERCW seasonal modeling:

Flag FLG_ERCW_TEMP can be set to adjust the number of Component Cooling Water heat exchangers which must be aligned (with ERCW cooling supplied) in order to mitigate modeled events. It should be set when ERCW header temperature is greater than 70F.

This will be settable in the Risk Management Configuration Risk Software tool. Guidance to require appropriate setting of this flag will be proceduralized.

With respect to the boric acid tank area temperature flag FLG0062_TEMP_LT_63 (BAT AREA TEMPERATURE BELOW 63 F):

Flag FLG0062_TEMP_LT_63 does not appear in base cutsets, indicating low importance for the setting of this flag. This flag will be set to the more conservative (temperature less than 63F) position for RICT calculations. This will conservatively bound both higher-and lower-temperature configurations.

This is consistent with NEI guidance which says that settings must either be realistic or conservative.

APLA AUDIT QUESTION 06 - In-Scope LCOs and Corresponding PRA Modeling The NRC SE to NEI 06-09-A specifies that the LAR should provide a comparison of the TS functions to the PRA modeled functions to show that the PRA modeling is consistent with the licensing basis assumptions or to provide a basis for when there is a difference. LAR Enclosure 1, Table E1-1 identifies each TS LCO Condition proposed to be in the RICT program, describes whether the systems and components participating in the TS LCO are modeled in

CNL-22-023 E1-23 of 65 the PRA, and compares the design basis and PRA success criteria. For certain TS LCO Conditions, the table explains that the associated SSCs are not explicitly modeled in the PRAs, but their unavailability will be represented using a surrogate event that fails the function performed by the SSC. For some LCO Conditions, the LAR did not provide enough description for NRC staff to conclude that the PRA modeling will be sufficient for each proposed LCO Condition. Therefore, address the following:

a) LAR Table E1-1 states for TS LCO 3.6.2 (Containment Air Locks) Condition C (One or more containment airlocks inoperable for reasons other than Condition A or B) that the design basis success criterion is Single door closure and the PRA success criterion is Containment intact. The comment column for this entry states that the containment airlocks are not modeled but indicates that small and large containment leaks will be used as surrogates. It is not clear to NRC staff what affect the surrogate failure events has on containment functionality. The phrase large containment leak suggests a failure of containment isolation that could lead to large early release, but the phrase small containment leak suggests the containment may be still isolated or partially isolated. Therefore, address the following:

i.

Explain what impact the surrogate failure events for modeling the unavailability of an airlock (i.e., small and large containment leaks) identified for LCO 3.6.2.C has on containment functionality. Include discussion of the difference between using a small or large leak as the surrogate event, and if there is a difference, discuss why different impacts are needed to model air lock unavailability.

ii.

Justify that the impacts discussed in part (i), above, are equivalent to or bound the impact of an inoperable airlock.

b) LAR Table E1-1 states for TS LCO 3.7.7 (Component Cooling Water System (CCS))

Condition A (One CCS train inoperable) that the design basis success criterion is One CCS train and the PRA success criteria is One of two pumps for train A. One of one pump for train B. Based on the information provided in the table, it is not clear whether the PRA success criteria is consistent with the design basis success criterion.

In one case the criterion is presented at the train level, and in the other case it is presented at the pump level. LAR Table E1-1 does not state for this LCO condition whether the design basis and PRA success criteria are consistent. If there is a difference, the basis not clear. Therefore, address the following:

i.

Clarify whether the PRA success criteria for LCO 3.7.7.A is consistent with the design basis success criteria. Include discussion of the success criteria for the design basis and PRA in terms of both trains and individual pumps.

ii.

If the PRA success criteria is inconsistent with the design basis success criteria, then explain how it is different and justify the success criteria used in the PRA to model LCO 3.7.7.A.

c) LAR Table E1-1 states for TS LCO 3.7.8 (Essential Raw Cooling Water (ERCW))

Condition B (One ERCW System train inoperable for reasons other than Condition A) that the design basis success criteria are One ERCW train in conjunction with CCS and a 100% capacity containment cooling system and the PRA success criteria is One of four pumps per train when CS heat exchangers not in operation. Two of four pumps per train when CS heat exchangers in operation. The design basis success criteria are provided in terms of ERCW trains, and the PRA success criteria are

CNL-22-023 E1-24 of 65 provided in terms of pumps per ERCW train. Therefore, it is not clear whether the PRA success criteria are consistent with the design basis success criteria for the case in which the Containment Cooling System (CS) is in operation. LAR Table E1-1 does not state for this LCO condition that the design basis and PRA success criteria are consistent. If there is a difference, the basis for the difference is not clear. Therefore, address the following:

i.

Describe both the design basis and PRA success criteria in terms of ERCW trains as well as pumps.

ii.

If the PRA success criteria is inconsistent with the design basis success criteria in the case when CS is in operation, then justify the success criteria used in the PRA to model LCO 3.7.8.B for this case and for the case when CS is not in operation.

TVA Response Response to Part a)i During the creation of Table E1-1, numerous cases were performed for each technical specifications (TS) LCO scenario depending on which components were affected. When LCO 3.6.2 impacted components were reviewed, it was determined that there were no directly modeled components in the PRA. However, a surrogate modeling of a containment leak could be used to demonstrate the impact of the containment air lock failing to close. Because it could not be determined how much leakage would occur during a containment air lock failure (due to multiple doors and redundancy), both the small and large containment leak scenarios were run and only the most bounding case scenario was used in determining the RICT timeframe (in this case large containment leakage). When RICT is run at the plant, the operators will have the ability to choose which configuration of the TS condition they are in. In the case of the containment air locks, the most limiting case surrogate will be used, the large containment leak.

Response to Part a)ii The surrogate used to model failure of the containment air lock assumes that there is a direct leakage from containment to outside. This is conservative considering the redundancy of the containment air lock doors. There are two doors that would have to fail, and both are alarmed (so it would be known if both are opened).

Response to Part b)i The CCS system has 5 pumps between Units 1 and 2. Unit 1 Train A consists of two pumps (the 1A and 1B CCS pumps); Unit 2 Train A consists of two pumps (the 2A and 2B CCS pumps); and Train B is a common header that includes three pumps (the C-S CCS pump or can manually align 1B or 2B CCS pump). Each train also includes two separate heat exchangers.

The design success criterion is one train of CCS, which consists of two heat exchangers (in parallel), one pump, a surge tank with associated valves, instrumentation, and controls. The PRA success criteria include the pumps, as well as all of the other components within the flow path to ensure adequate flow.

CNL-22-023 E1-25 of 65 For the sample calculations presented in the LAR, the CCS pumps were taken out of service as the other components in the Risk Function Equipment Group (FEG) have the same effect as a loss of a pump. The CCS success criteria for the PRA is a single train (Train A or B).

Unit 1 Train A requires one pump (either the 1A pump or 1B pump), heat exchanger, and associated valves and instrumentation to be successful. Unit 2 Train A requires one pump (either the 2A pump or 2B pump), heat exchanger, and associated valves and instrumentation to be successful. Train B is the same regarding the types of components, but is assumed to only have one pump available (C-S) pump) for the RICT scenarios as the 1B/2B pumps are conservatively assumed to be used on Train A. The PRA Success Criteria for Table E1-1 of to the license amendment request (LAR) for TS 3.7.7 Condition A has been clarified to reflect this.

Table E1-1 was specified differently between the design basis success criteria and the PRA success criteria to highlight that in the PRA, the B pumps were not credited on Train B. The PRA relied only on the C-S pump as the credited pump for the RICT sample calculations in order to show the most bounding case. Once the RMTS program is in place and actively being used, the Phoenix Risk Monitor will have the alignments set up based on the actual plant configuration. Alignments may be set in the Phoenix Risk Monitor to align the appropriate pumps to the A and B trains of CCS. Only the available pumps will be credited for each train.

If any pump is being used on the other train or in maintenance, then the logic prevents that pump from being used simultaneously in the opposite train.

Response to Part b)ii See response to APLA 6.b)i above.

Response to Part c)i See response to APLA 6.c)ii below.

Response to Part c)ii The ERCW system includes eight pumps, four pumps for Train A and four for Train B. In addition, there are four strainers, two for Train A and two for Train B. There are four ERCW headers that cool the loads in the plant (1A-A, 1B-B, 2A-A, and 2B-B). One Train consists of two supply headers, two strainers, four pumps, two traveling water screens, and associated piping, valving, and instrumentation.

The design success criteria ensures that one train of ERCW is available with CCS and 100%

capacity containment cooling system (containment spray) to bound any design basis accident that may occur that might require the containment cooling system to be used. To be successful, the ERCW system requires an entire train of ERCW to be available (header, strainers, pumps, screens, etc.), a train of CCS (described above in the response to APLA 06.b), and 100% capacity containment cooling system.

The PRA success criteria is slightly different as the model includes scenarios which includes the containment cooling system (containment spray) to be functional as well as scenarios that do not require the containment spray to be functional. This is because the PRA includes realistic scenarios as well as the conservative design basis scenarios. For those scenarios that require containment spray to be functional, any one pump and associated strainer is required for each plant header (1A-A, 1B-B, 2A-A, and 2B-B). For scenarios where

CNL-22-023 E1-26 of 65 containment spray is not required to be functional, one A pump and one B pump and each plant header with associated strainer is required. Component Cooling Water (CCS) is still required for those scenarios that use any required loads cooled by CCS.

APLA AUDIT QUESTION 07 - Total Risk and Accounting for the SOKC Based on RG 1.174 and Section 6.4 of NUREG-1855, Revision 1, for a Capability Category II risk evaluation, the mean values of the risk metrics (total and incremental values) need to be compared against the risk acceptance guidelines. The risk management threshold values for the RICT program have been developed based on RG 1.174, and therefore, the most appropriate measures with which to make a comparison are also mean values. Point estimate PRA results are commonly calculated and reported, but these are typically lower than the mean values and do not account for the state-of-knowledge correlation (SOKC) between nominally independent basic event probabilities. NUREG-1855, Revision 1, provides guidance on evaluating how the SOKC uncertainty impacts the comparison of the PRA results with the guideline values. Under certain circumstances, a formal propagation of uncertainty may not be required if it can be demonstrated that the SOKC is unimportant (i.e., the risk results are well below the acceptance guidelines).

Section 1 of LAR Enclosure 9 states that the SOKC was addressed in the Sequoyah uncertainty and sensitivity study and was determined to be less than 2% of core damage frequency (CDF). However, it is not clear to NRC staff whether this study was performed for the internal events, fire, and seismic PRAs or just the internal events PRA. LAR Enclosure 5, Section 2, Table E5-1 presents total CDF and large early release frequency (LERF) values for Sequoyah Units 1 and 2 that appear to be based on point estimates. The mean seismic CDF values reported in the Sequoyah seismic PRA (SPRA) report (ADAMS Accession No. ML19291A003) for Units 1 and 2 are 1.27E-05 per year and 1.50E-05 per year, respectively.

Whereas the seismic CDF values reported in the LAR for Units 1 and 2 are 4.19E-06 per year and 3.95E-06 per year, respectively. This suggests that the CDF and LERF values reported in Table E5-1 of Sequoyah TSTF-505 LAR are point estimate values given that the mean values reported in the seismic PRA are significantly higher by a factor of 3 to 4 than the seismic CDF and LERF values reported in the LAR. Also, the LAR explains that SOKC multipliers are applied in the PRA model via recovery rules to address SOKC. Therefore, it appears that rather than correlating the failure probabilities that were used in the PRA derived from the same data in the parametric uncertainty analysis, another method involving a multiplier was used to estimate the SOKC impact. This multiplier approach, its basis, and the multiplier value used are not discussed in the LAR.

Based on the observations above, the difference in the point estimate and mean total CDF could be significantly higher than the 2% reported in the LAR. As a result, it is not clear to NRC staff: (1) whether the total CDF and LERF values could exceed the RG 1.174 risk acceptance guidelines when the mean values that consider SOKC are used to determine the total risk; and how the RICT calculation will consider the mean values in the determination of the change in CDFs (CDFs) and change in LERFs (LERFs) for extended completion times if the difference between the point estimate and mean values are significant. Given these observations and those observations in APLC Question 02 (Inconsistency in Reported Seismic CDF and LERF Results), address the following:

a) If failure probabilities used in the PRA models that are derived from common data sources were not correlated in the parametric uncertainty analysis and another approach was used to estimate the SOKC correlation, then describe that approach.

CNL-22-023 E1-27 of 65 Include justification for the approach and multiplier values used to provide an adequate estimate of the impact of SOKC for this application.

b) If it cannot be justified that the approach and multiplier values used to estimate the impact of the SOKC on total CDF and LERF are adequate for this application, then provide a revised estimate of the impact of the SOKC on CDF and LERF using an acceptable method (e.g., by correlating failure probabilities that come from the same data source during quantification). Also, provide a description and justification of the method used for this revised SOKC assessment.

c) Based on the total mean internal events (including internal floods), fire, and seismic CDF and LERF values calculated considering any change in approach resulting from the response to part (b), above, demonstrate that Sequoyah is in conformance with the RG 1.174 risk acceptance guidelines.

d) Provide and discuss the results of a comparison study between the RICT values calculated using point estimate versus mean risk values for various LCO conditions in scope of RICT program. The LCO conditions selected for this comparison study should be those judged most likely to be impacted by the SOKC uncertainty and have a point estimate RICT less than the 30-day backstop so that the comparison results are not masked by the backstop. Provide the bases for the chosen LCO conditions in this comparison study. Also, provide the intermediate risk results from these RICT calculations (e.g., the CDFs and LERFs for the baseline case using point estimates and for sensitivity case using mean values from the internal events (including internal floods), fire and seismic PRAs). Perform this comparison study considering any change in approach resulting from the response to part (b), above, e) Based on the results above, provide a summary of how the SOKC will be addressed for RICT calculations during RICT program implementation (i.e., based upon the risk metrics to be considered), and explain how this process/approach is consistent with NUREG-1855, Revision 1.

TVA Response Response to Part a)

The failure probabilities used in the PRA models that are derived from common data sources are correlated in the parametric uncertainty analysis through the use of type codes. An example would be the type code for an air handling unit failing to run (type code AHUFR). All basic events associated with the AHU failing to run use the AHUFR type code. When the sampling is done by the UNCERT code to calculate the mean CDF, all AHUFR basic events are correlated. SOKC multipliers are applied in the PRA model via recovery rules to address SOKC for interfacing system LOCAs as described in WCAP-17154. The use of this method did not have a significant effect on CDF or LERF since interfacing system (ISLOCA) is not a significant contributor to risk (~1E-11 per year for CDF and LERF).

The SQN FPRA model includes uncertainties for many different parameters, including but not limited to uncertainties in the following parameters.

x Fire ignition frequencies x

Non-suppression probabilities

CNL-22-023 E1-28 of 65 x

Hot short probabilities x

Component failures x

Human failures The basic events used in the FPRA Model associated with these parameters were correlated using type codes in the same manner as described above for the internal events PRA model.

Response to Part b)

As discussed above, the failure probabilities used in the PRA models that are derived from common data sources were correlated in the parametric uncertainty analysis. The multiplier method was only used for ISLOCA initiators in accordance with WCAP-17154 and did not have a significant effect on CDF or LERF. The concerns with the mean values versus the point estimate values submitted with the SQN Seismic PRA are addressed below.

The SQN Seismic Probabilistic Risk Assessment (SPRA) was submitted to the NRC on October 18, 2019, under a letter titled Seismic Probabilistic Risk Assessment for Sequoyah Nuclear Plant, Units 1 and 2 - Response to NRC Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f) Regarding Recommendation 2.1 of the Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident (ML19291A003). The point estimate and mean values for the Units 1 and 2 CDF and LERF were calculated and included in this submittal. The values reported in the submittal were as follows.

x SQN SPRA Point Estimate Values (2019 Submittal) x U1 CDF 6.69E-06 x

U1 LERF 3.76E-06 x

U2 CDF 8.72E-6 x

U2 LERF 3.83E-06 x

SQN SPRA Mean Values (2019 Submittal) x U1 CDF 1.27E-5 x

U1 LERF 6.87E-06 x

U2 CDF 1.50E-05 x

U2 LERF 6.93E-06 The values reported were correct based on the signed calculations as of the submittal date.

The SQN SPRA has been updated since that submittal. This model update included the incorporation of the updated base internal events model (including data updates) and the correcting of minor errors in the SPRA model. This model was subsequently incorporated into the SQN one top multi-hazard model (OTMHM) for use with the SQN RMTS program (for calculating risk informed completion times or RICT). While preparing for the NRC audit of the RMTS program, the values of the previously submitted SPRA mean values were questioned internally in the PRA group. After subsequent review of the SPRA calculations, it was determined that an error was made in calculating the Units 1 and 2 CDF and LERF mean values reported in the SQN SPRA submittal (ML19291A003). This error was made by not correctly setting a single parameter used by the UNCERT computer code (@POINTCALC) in calculating mean values. This error significantly affected how the mean values were calculated. The correct mean values for Unit 1s and 2 Seismic CDF and LERF were

CNL-22-023 E1-29 of 65 calculated using the SQN OTMHM in a PRA Evaluation. The point estimate and mean values are as follows.

x SQN SPRA Point Estimate (Current OTMHM results) x U1 CDF 4.19E-06 x

U1 LERF 3.00E-06 x

U2 CDF 3.95E-06 x

U2 LERF 2.83E-06 x

SQN SPRA Mean Frequency (Current OTMHM results) x U1 CDF 4.20E-06 x

U1 LERF 3.01E-06 x

U2 CDF 3.95E-06 x

U2 LERF 2.84E-06 This PRA evaluation shows that the point estimate values are now within 2 percent of the calculated mean values. Therefore, there is no need to perform a revised SOKC analysis.

Response to Part c)

As discussed above, there was no need to perform a revised SOKC analysis. The tables below show the comparison of the point estimate values to the mean values for all hazards and by individual hazard. It also shows that the total Units 1 and 2 CDF and LERF values for all hazards are well below the NRC Safety Goals.

All Hazards Point Estimate Mean Frequency (1/yr)

Percent Change for All Hazards NRC Safety Goal U1 CDF 7.12E05

7.22E05

1.3%

1.00E-04 U1 LERF 8.01E06

8.11E06

1.2%

1.00E-05 U2 CDF 7.55E05

7.61E05

0.9%

1.00E-04 U2 LERF 8.85E06

8.87E06

0.3%

1.00E-05 Internal Events/

Internal Flooding PRA Point Estimate Mean Frequency (1/yr)

Percent Change for Individual Hazard U1 CDF 4.88E-06 4.95E-06 1.3%

U1 LERF 6.63E-07 6.75E-07 1.9%

U2 CDF 5.19E-06 5.28E-06 1.6%

U2 LERF 6.97E-07 7.12E-07 2.2%

FPRA Point Estimate Mean Frequency (1/yr)

Percent Change for Individual Hazard U1 CDF 6.22E-05 6.30E-05 1.4%

U1 LERF 4.35E-06 4.43E-06 1.8%

U2 CDF 6.63E-05 6.69E-05 0.9%

U2 LERF 5.32E-06 5.32E-06 0.2%

CNL-22-023 E1-30 of 65 Seismic PRA Point Estimate Mean Frequency (1/yr)

Percent Change for Individual Hazard U1 CDF 4.19E-06 4.20E-06 0.2%

U1 LERF 3.00E-06 3.01E-06 0.2%

U2 CDF 3.95E-06 3.95E-06 0.1%

U2 LERF 2.83E-06 2.84E-06 0.1%

Response to Part d)

An evaluation was performed to examine the effect of using mean values for CDF and LERF as opposed to using point estimate values for calculation of RICTs. Four TS conditions were selected for each unit. The TS conditions that have example RICTs in the LAR of 30 days were not selected since the 30-day backstop may mask any difference in using the point estimates versus the mean values. The four that were selected involved various unavailabilities of electrical and mechanical systems and have the potential for significant differences in the point estimate and mean values for CDF and LERF. The selected TS conditions are shown below.

TS LCO Condition Unit 1 RICT Estimate From LAR (Days)

Unit 2 RICT Estimate From LAR (Days) 3.7.5.B Auxiliary Feedwater (AFW) System - AFW train inoperable in MODE 1, 2, or 3 for reasons other than Condition A 25.5 26.1 3.8.1.B AC Sources - Operating - One or more Train A DG(s) inoperable OR One or more Train B DG(s) inoperable 12.1 11.4 3.8.1.E AC Sources - Operating - One offsite circuit inoperable for reasons other than Condition C AND DG 1A-A or 1B-B inoperable 3.8 5.3 3.8.9.B Distribution Systems - Operating - One or more AC vital instrument power distribution subsystems inoperable 7.7 9.3 The RICT is the minimum of the CDF RICT and the LERF RICT. The RICT for each case has been calculated for each unit using both the mean values and the point estimates. The results of these calculations are shown in the tables below.

Comparison Unit 1 RICTs Using Mean Values Versus Point Estimates Unit 1 CDF Case Name Point Estimate Mean Value Change to Mean RICT Using PE RICT Using Mean

% Change Using Mean 3-7-5-B_1_C 2.098E-04 2.117E-04 1%

26.0 25.7

-1%

3-8-1-B_5_C 3.236E-04 3.238E-04 0%

14.4 14.4 0%

3-8-1-E_4_C 1.034E-03 1.029E-03 0%

3.8 3.8 1%

CNL-22-023 E1-31 of 65 3-8-9-B_2_C 2.690E-04 2.706E-04 1%

18.3 18.2

-1%

U1_CDF_ALL_1E-11_zm 6.949E-05 6.959E-05 0%

Unit 1 LERF Case Name Point Estimate Mean Value Change to Mean RICT Using PE RICT Using Mean

% Change Using Mean 3-7-5-B_1_L 1.480E-05 1.484E-05 0%

56.1 55.8 0%

3-8-1-B_5_L 3.562E-05 3.588E-05 1%

13.4 13.2

-1%

3-8-1-E_4_L 6.394E-05 6.414E-05 0%

6.6 6.5 0%

3-8-9-B_2_L 5.429E-05 5.476E-05 1%

7.9 7.9

-1%

U1_LERF_ALL_1E-12_zm 8.294E-06 8.304E-06 0%

Unit 1 - Minimum RICTs 3-7-5-B 26.0 25.7

-1%

3-8-1-B 13.4 13.2

-1%

3-8-1-E 3.8 3.8 1%

3-8-9-B 7.9 7.9

-1%

Comparison Unit 2 RICTs Using Mean Values Versus Point Estimates Unit 2 CDF Case Name Point Estimate Mean Value Change to Mean RICT Using PE RICT Using Mean

% Change Using Mean 3-7-5-B_2_C_2 2.127E-04 2.130E-04 0%

26.5 26.5 0%

3-8-1-B_6_C_2 3.545E-04 3.552E-04 0%

13.1 13.0 0%

3-8-1-E_1_C_2 7.599E-04 7.707E-04 1%

5.3 5.2

-2%

3-8-9-B_2_C_2 2.304E-04 2.332E-04 1%

23.5 23.1

-2%

U2_CDF_ALL_1E-11_zm 7.502E-05 7.512E-05 0%

Unit 2 LERF Case Name Point Estimate Mean Value Change to Mean RICT Using PE RICT Using Mean

% Change Using Mean 3-7-5-B_2_L_2 1.756E-05 1.763E-05 0%

43.3 43.4 0%

3-8-1-B_6_L_2 3.834E-05 3.846E-05 0%

12.5 12.5 0%

3-8-1-E_1_L_2 6.533E-05 6.576E-05 1%

6.5 6.5

-1%

3-8-9-B_2_L_2 4.719E-05 4.786E-05 1%

9.6 9.4

-2%

U2_LERF_ALL_1E-12_zm 9.135E-06 9.214E-06 1%

Unit 2 - Minimum RICTs 3-7-5-B 26.5 26.5 0%

3-8-1-B 12.5 12.5 0%

3-8-1-E 5.3 5.2

-2%

3-8-9-B 9.6 9.4

-2%

CNL-22-023 E1-32 of 65 As demonstrated in the tables above, the RICTs calculated using the mean values are within 2% of the RICTs calculated using the point estimate values, which is not a significant difference.

Therefore, the use of point estimates instead of mean values to calculate RICTs is justified. As discussed above, there was no need to perform a revised SOKC analysis, so there was no change in approach.

Response to Part e)

Based on the responses provided above, the SOKC does not have a significant effect on the calculation of RICTs. The use of type codes in the PRA mode ensures that the same point estimate values are used for correlated components. Therefore, the RICT calculations will use the point estimates from the CDF and LERF calculations. No adjustments will be made to address SOKC. This is consistent with NUREG-1855 since it allows the SOKC to be ignored if it has been shown to be insignificant.

APLA AUDIT QUESTION 08 - PRA Model Update Process Section 2.3.4 of NEI 06-09-A specifies that criteria shall exist in PRA configuration risk management to require PRA model updates concurrent with implementation of facility changes that significantly impact RICT calculations.

LAR Enclosure 7 states that if a plant modification or a corrective action [is] identified with potential significant impact to the RICT Program calculations or results in a change in CDF/LERF of more than 25%, as defined by TVA procedures, an unscheduled update of the PRA model will be implemented. It is not clear to NRC staff how plant changes and discovered conditions are monitored and assessed for their impact to the RICT program and whether the cited criterion of a change in CDF/LERF of more than 25% is by itself sufficient to identify plant changes or discovered conditions with the potential to significantly impact the calculated RICTs. Therefore, address the following:

a) Explain how plant changes (including changes in procedures) and discovered conditions (including conditions that could change important assumptions made in the PRA models) are monitored for impact on the RICT program.

b) Explain what mechanism or criteria is used in conjunction with the criterion of a change in CDF/LERF of more than 25% to identify plant changes or discovered conditions with the potential to significantly impact the calculated RICTs. It appears possible to NRC staff that plant changes of discovered conditions that result in less impact on the CDF and LERF could impact the RICT calculations for certain plant configurations.

TVA Response a) As part of the design change process, SQN notifies the PRA group of modifications and procedure changes that may affect the PRA. These are periodically reviewed for impact to both the model and assumptions and the results of the reviews are documented.

b) The TVA PRA update procedure indicates that model updates should be completed at least once every two refueling cycles or sooner if estimated cumulative impact of plant configuration changes exceed the threshold of +/-25% of CDF or LERF. The procedure

CNL-22-023 E1-33 of 65 also indicates the decision to update the PRA model ahead of the normal schedule should be made commensurate with the overall impact to the model, taking into consideration the impact on applications and programs that use the results from quantifying the model.

The following additional monitoring will be performed to monitor for potential impacts to the RICT program.

x A check will be performed using the FPIE model to identify if there is a >2x increase in an accident class/ sequence that contributes > 5% to risk.

x A qualitative check will be performed to evaluate whether an impact is expected to key components which by themselves result in non-green risk increase factors in Phoenix-EOOS.

These evaluations ensure changes that could significantly impact RICT calculations initiate an emergent PRA model update or result in administrative limits on the RICT program per TVA procedures.

APLA AUDIT QUESTION 09 - Performance Monitoring The LAR states that the application of a RICT will be evaluated using the guidance provided in NEI 06-09-A. NEI 06-09-A was approved by the NRC on May 17, 2007 (ADAMS Accession No. ML071200238). The NRC SE for NEI 06-09-A, states, [t]he impact of the proposed change should be monitored using performance measurement strategies. NEI 06-09-A considers the use of NUMARC 93-01, Revision 4F, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (ADAMS Accession No. ML18120A069), as endorsed by RG 1.160, Revision 4 (ADAMS Accession No. ML18220B281), for the implementation of the Maintenance Rule. NUMARC 93-01, Section 9.0, contains guidance for the establishment of performance criteria.

In addition, the NEI 06-09-A methodology satisfies the five key safety principles specified in RG 1.177 relative to the risk impact due to the application of a RICT. Moreover, NRC staff position C.3.2 provided in RG 1.177 for meeting the fifth key safety principle acknowledges the use of performance criteria to assess degradation of operational safety over a period. It is unclear how the licensees RICT program captures performance monitoring for the SSCs within-scope of the RMTS program. Therefore:

a) Confirm that the Sequoyah Maintenance Rule program incorporates the use of performance criteria to evaluate SSC performance as described in the NRC-endorsed guidance in NUMARC 93-01.

b) Alternatively, describe the approach or method used by Sequoyah for SSC performance monitoring, as described in Regulatory Position C.3.2 of RG 1.177, for meeting the fifth key safety principle. In the description, include criteria (e.g., qualitative or quantitative), along with the appropriate risk metrics, and explain how the approach and criteria demonstrate the intent to monitor the potential degradation of SSCs in accordance with the NRC SE for NEI 06-09.

CNL-22-023 E1-34 of 65 TVA Response Response to Part a)

The governing TVA Maintenance Rule (MR) implementing procedure provides instruction for Scoping/Risk Significance Classification/Specific Level Performance Criteria, and requires that SSC/Functions that are within the scope of the MR are shown in each sites Technical Instruction or database(s), along with the screening criteria used to determine MR applicability. Changes to Scope/Risk Significance Classification/Specific Level Performance Criteria may be needed as a result of regulatory actions, design change, PRA, plant/industry event, industry lessons learned, temporary equipment performing a MR function, etc. A procedure attachment is used to add/change/delete the Scoping/Risk Significance Classification/Specific Level Performance Criteria of SSC/Functions.

Performance criteria includes applicable qualitative methodologies used to measure each functions performance (Unavailability, Unreliability, etc.) and delineate the quantitative value for each parameter. Words like no more than X number of Functional Failures should be utilized to avoid confusion over the exact maximum allowable value. The Unavailability Performance Criteria should be expressed as a percentage (##.#%) rather than as hours per monitoring period.

Furthermore, TVAs process follows the guidance of NUMARC 93-01 §9.2 for establishing risk and performance criteria. Therefore, it is confirmed that TVAs MR Program makes use of performance criteria to evaluate SSC performance.

Response to Part b)

Regulatory Position C.3.2 of RG 1.177 Revision 1, states:

To ensure that extension of a TS CT or reduction of a TS SF does not degrade operational safety over time, the licensee should ensure, as part of its Maintenance Rule program (10 CFR 50.65), that when equipment does not meet its performance criteria, the evaluation required under the Maintenance Rule includes prior related TS changes in its scope. If the licensee concludes that the performance or condition of TS equipment affected by a TS change does not meet established performance criteria, appropriate corrective action should be taken, in accordance with the Maintenance Rule. Such corrective action could include consideration of another TS change to shorten the revised CT or increase the revised SF, or imposition of a more restrictive administrative limit, if the licensee determines this to be an important factor in reversing the negative trend.

The key safety principles are found in RG 1.174. The 5th principle states The impact of the proposed licensing basis change should be monitored using performance measurement strategies.

In the description, include criteria (e.g., qualitative, or quantitative), along with the appropriate risk metrics, and explain how the approach and criteria demonstrate the intent to monitor the potential degradation of SSCs in accordance with the NRC Safety Evaluation (SE) for NEI 06-09, Risk-Informed Technical Specifications Initiative 4b: Risk-Managed Technical Specifications (RMTS) Guidelines.

TVA drafted TVA RICT procedure mimics the requirements of NEI 06-09, including monitoring of accrued risk while in an RICT. The total cumulative risk impact is monitored to ensure a

CNL-22-023 E1-35 of 65 total risk impact change remains below E-05/yr CDF and E-06/yr LERF, and for an individual configuration (i.e., instantons risk) of less than E-04/yr and less than E-05/yr consistent with RF 1.174 for acceptable small changes in risk.

APLA AUDIT QUESTION 10 - RICT Program Implementation When CDF or LERF Limits are Exceeded The NRC safety evaluation for NEI 06-09-A, dated May 17, 2007, states:

[T]he NRC staff interprets TR NEI 06-09, Revision 0, guidance as not permitting a RICT to be entered (i.e., to exceed the frontstop CT [completion time]) when the configuration-specific risk exceeds the 10-3 CDF or 10-4 LERF limits, since use of a RICT is a voluntary decision to extend a CT. However, TR NEI 06-09, Revision 0, does not require exiting a RICT if the limits of either 10-3 CDF or 10-4 LERF are subsequently exceeded due to emergent conditions which arise after a RICT is in effect. This is consistent with the guidance of NUMARC 93-01. The RICT, once in effect, is solely governed by the ICDP and ILERP limits described above, and emergent configurations whose risk level exceeds the 10-3 CDF or 10-4 LERF limits are managed using RMAs.

Note 2 in LAR Tables E1-2 and E1-3 states:

Per NEI 06-09-A, for cases where the total CDF or LERF is greater than 1E-03/yr or 1E-04/yr, respectively, the RICT Program will not be voluntarily entered. However, it is possible that the LCO could be entered for an emergent failure and RICT entry would be allowed.

Section 3 of LAR Enclosure 12 states, If, as the result of an emergent condition, the ICDF or the ILERF exceeds 10-3 per year or 10-4 per year, respectively, RMAs will be required to be implemented. However, the RICT will need to be exited and the Technical Specification will drive the completion time. These requirements are consistent with the guidelines of NEI 06-09-A, Revision 0.

It is unclear to NRC staff how the RICT program will be implemented when the CDF or LERF limits are exceeded due to emergent conditions. For example, note 2 in LAR Tables E1-2 and E1-3 seems to suggest that a RICT entry is allowed for emergent conditions when the 1E-3/year or 1E-4/year limits are exceeded for CDF or LERF, respectively. However, this is not consistent with the NRC safety evaluation for NEI 06-09-A that states a RICT cannot be entered when configuration-specific risk exceeds the CDF or LERF limits, since use of a RICT is a voluntary decision; however, a RICT does not require exiting if these CDF or LERF limits are subsequently exceeded due to emergent conditions which arise after a RICT is in effect.

Another example, note 2 in LAR Tables E1-2 and E1-3 seems to contradict Section 3 of LAR 2 that states the RICT will be exited if the CDF or LERF limits are exceeded due to an emergent condition.

Explain how the RICT program will be implemented when the CDF or LERF limits are exceeded due to an emergent condition which arises: (1) after a RICT is in effect; and (2) when a RICT is not in effect. Also, explain how this approach is consistent with the guidance in NEI 06-09-A and its associated NRC safety evaluation.

CNL-22-023 E1-36 of 65 TVA Response

1) If a RICT is in effect, and an emergent issue arises that results in 10-3/yr CDF or 10-4/yr LERF, SQN shall immediately implement appropriate risk management actions to limit the extent and duration of the high risk configuration. A new completion time will be determined and the work shall return equipment to a PRA available status to reduce the instantaneous CDF and LERF below 10-3 and 10-4/yr, respectively. Upon expiration of the completion time, action shall be taken to implement the applicable Technical Specification action statement(s).

2) Consistent with the NRCs Safety Evaluation Acceptance Guidelines, entry into a RICT is not permitted when the configuration-specific risk exceeds the 10-3 CDF or 10-4 LERF limits.

APLB AUDIT QUESTION 01 - Deviations from NRC Endorsed Guidance as Source of Modeling Uncertainty RG 1.200 states, NRC reviewers [will] focus their review on key assumptions and areas identified by peer reviewers as being of concern and relevant to the application. The implementation of some of the complex fire PRA methods often use nonconservative and over-simplified assumptions to apply the method to specific plant configurations. Historically, some of these issues were not always identified in F&Os by the peer review teams but are considered potential key assumptions by the NRC staff because using more defensible and less simplified assumptions could substantively affect the fire risk and fire risk profile of the plant. The NRC staff evaluates the acceptability of the PRA for each new risk-informed application, and as discussed in RG 1.174, recognizes that the acceptable technical adequacy of risk analyses necessary to support regulatory decision-making may vary with the relative weight given to the risk assessment element of the decision-making process. The calculated results of the PRA are used directly to calculate a RICT, which subsequently determines how long SSCs (both individual SSCs and multiple unrelated SSCs) controlled by TSs can remain inoperable. Therefore, the PRA results are given a very high weight in a TSTF-505 application, and the NRC staff is asking for information on the following issues that have been previously identified in previous TSTF-505 LARs as potentially key fire PRA assumptions.

APLB AUDIT QUESTION 01.a - Treatment of Sensitive Electronics Based on NRC staff review of the electronic portal documents during the audit of the treatment of sensitive electronics, it was not clear whether an attempt was made to identify and characterize cabinets that contain credited sensitive electronics in order to evaluate their vulnerability to fire. Frequently Asked Question (FAQ) 13-0004, Clarifications on Treatment of Sensitive Electronics (ADAMS Accession No. ML13322A085), provides supplemental guidance for application of the damage criteria provided in Sections 8.5.1.2 and H.2 of NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, Volume 2 (ADAMS Accession No ML052580118), for solid-state and sensitive electronics. The fire modeling uncertainty associated with treatment of sensitive electronics could have an impact on the RICT calculations. Therefore, provide the following:

a) Confirm that credited sensitive electronics were identified and characterized using some process such as walkdowns.

b) Describe the treatment of sensitive electronics for the fire PRA and explain whether it is consistent with the guidance in FAQ 13-0004, including the caveats about

CNL-22-023 E1-37 of 65 configurations that can invalidate the approach (i.e., sensitive electronics mounted on the surface of cabinets and the presence of louver or vents).

c) If the approach is not consistent with FAQ 13-0004, please provide justification that the treatment of sensitive electronics has an inconsequential impact on the RICT calculations. [Based on text in the Fire Modeling report, sensitive electronics may only exist in locations where the treatment of potential fire damage is conservatively bounding.] An acceptable approach is to describe and provide the results of a sensitivity study for sensitive electronics credited in the RTR model demonstrating that the uncertainty associated with the modeling the digital I&C systems has an inconsequential impact on the calculated RICTs using LCO conditions that could be most impacted by this modeling uncertainty having RICTs less than the 30-day backstop TVA Response Response to Part a)

The SQN FPRA includes treatment of sensitive electronics as targets consistent with the guidance in NUREG/CR-6850 and FAQ 13-0004. Fire damage to sensitive electronics has been postulated in the Main Control Room 732-C12, the Computer Room 685-C03 and the Aux Instruments Rooms 685-C01(Unit 1) and 685-C04 (Unit 2). Based on the ignition source walkdowns performed during the development of the FPRA, these were the physical analysis units (PAU) housing the main set of control and relay panels supporting the plant. The decision for specifically selecting these PAUs is also based on the scenario development process for the PAUs in the SQN FPRA where individual fire scenarios are defined (i.e., PAUs that are not treated as full compartment burn). These PAUs include general areas of the Auxiliary and Turbine buildings (not areas where sensitive electronics are located), selected mechanical rooms (not areas where sensitive electronics are located), the shutdown board rooms, (i.e., switchgear rooms) and the cable spreading rooms. For the last two set of rooms, under the scenario development strategy, the ignition source and any adjacent panel are failed at ignition or within the zone of influence very early in the event. In these rooms automatic suppression is credited, and activation of the system occurs before the hot gas layer covers at least the top half of the cabinets and reaches the damage temperature of 60°C. Therefore, early failure of sensitive electronics (except in the cabinet of fire origin, which sensitive electronics are failed at the time of ignition) is not postulated before automatic suppression system is activated. In the scenario progression, there is a branch in the event tree that assumes failure of the automatic suppression system. This outcome includes the failure of the sensitive electronics including the cabinets adjacent to the ignition source. The risk contribution of failure of sensitive electronics is low given the credit for the automatic suppression system. It is noted that the modeling for transient fires follows a similar progression in which the cabinets within the area were the transient fire is postulated are failed at the time of ignition.

In the aux instrument rooms, the time for the hot gas layer to reach the floor and fill up the cabinets exposing internals to fire generated temperatures is approximately 24 minutes. This time is longer than the calculated time for activating the automatic fire protection system, which is approximately 5 minutes. Therefore, early failure of sensitive electronics (except in the cabinet of fire origin, which sensitive electronics are failed at the time of ignition) is not postulated before automatic suppression system is activated. In the scenario progression, there is a branch in the event tree that assumes failure of the automatic suppression system.

CNL-22-023 E1-38 of 65 This outcome includes the failure of the sensitive electronics including the cabinets adjacent to the ignition source at the time of 5 minutes. The 5-minute time to damage was calculated for this scenario progression as 1 minute for damage and ignition of the first tray above the cabinet (1 minute is the lowest damage time listed in Appendix H of NUREG/CR-6850) and an additional 4 minutes for propagation and damage to the second tray in the stack (recommended value for fire propagation time to the second tray in the stack in Appendix R of NUREG/CR-6850). Transient fires are modeled using a similar progression in which the cabinets within the area were the transient fire is postulated are failed at the time of ignition.

The risk contribution of failure of sensitive electronics is low given the credit for the automatic suppression system.

The computer room is modeled as a full compartment burn scenario. Therefore, early failure of sensitive electronics is accounted for.

In the case of the main control room, abandonment due to fire generated conditions (i.e.,

habitability) is postulated for cases in which the hot gas layer reaches 95°C or generates 1kW/m2 of incident heat flux. The condition bounds scenarios where the hot gas layer covers the cabinets in the room and potentially affecting sensitive electronics based on the damage criteria for heat flux. That is, 1kW/m2 is below the heat flux damage threshold for sensitive electronics listed in Appendix H of NUREG/CR-6850 of 3kW/m2. In cases in which no abandonment due to habitability is predicted, the room does not reach the 1kW/m2 threshold for abandonment and therefore, no damage to sensitive electronics is expected. The CFAST results, as documented in the main control room abandonment FPRA notebook, indicate that the hot gas layer is not expected to be lower than 1.5 m above the floor. For some fire scenarios, the hot gas layer settles more than 2 m above the floor. This suggest that panels will not be fully immersed in the smoke and sensitive electronics will not be exposed to damaging temperatures. Consequently, control room abandonment due to habitability or by loss of control bounds the failures of sensitive electronics due to hot gas layer heating. For transient ignition sources the cabinets adjacent to the ignition source failed at the time to ignition. For electrical cabinets, the ignition source is failed at the time to ignition and the cabinets adjacent to the ignition source are failed early in the scenario progression (i.e., there is a branch in the scenario progression where the cabinets fail in both abandonment and non-abandonment conditions).

Response to Part b)

The treatment for sensitive electronics described in the response to Part a) does not rely on caveats about configurations that can invalidate the technical approach. Specifically: 1) no credit is taken for thermoset damage criteria for calculating a time to damage for sensitive electronics, 2) sensitive electronics are failed at the time of ignition for the cabinets of fire origin,

3) sensitive electronics are failed when hot gas layer descends and immerses the panel in smoke, and 4) for PAUs modeled as full compartment burn, sensitive electronics are failed at time zero (i.e., no credit for time to damage).

Response to Part c)

The treatment for sensitive electronics is consistent with FAQ 13-0004 although it does not rely on the key insight described in the FAQ of using Thermoset damage criteria for sensitive electronics inside electrical enclosures.

CNL-22-023 E1-39 of 65 APLB AUDIT QUESTION 01.b - Obstructed Plume Fire Modeling Based on NRC staff review of the electronic portal documents during the audit of fire modeling treatments, it appears that the fire modeling of obstructed plumes is credited in the fire PRA.

NUREG-2178, Volume 1, "Refining and Characterizing Heat Release Rates from Electrical Enclosures During Fire (RACHELLE-FIRE), Volume 1: Peak Heat Release Rates and Effect of Obstructed Plume" (ADAMS Accession No. ML16110A140), contains guidance on fire modeling the effect of plume obstruction in addition to refined peak heat release rates (HRRs).

NUREG-2178 provides guidance that indicates that the obstructed plume model is not applicable to cabinets in which the fire is assumed to be located at elevations of less than one-half of the cabinet. The fire modeling uncertainty associated with obstructed plume modeling could have an impact on the RICT calculations. Therefore, address the following:

a) If obstructed plume modeling was used, then indicate whether the base of the fire was assumed to be located at an elevation of less than one-half of the cabinet.

b) Justify any fire modeling in which the base of an obstructed plume is located at less than one half of the cabinet's height.

c) As an alternative to item (b) above, justify that the treatment of obstructed plume modeling has an inconsequential impact on the RICT calculations. An acceptable approach is to describe and provide the results of a sensitivity study for obstructed plume modeling credited in the RTR model demonstrating that the treatment has an inconsequential impact on the calculated RICTs using LCO conditions that could be impacted by this modeling uncertainty having RICTs less than the 30-day backstop.

TVA Response Response to Part a)

The obstructed plume model was not used in the SQN FPRA.

Response to Part b)

The obstructed plume model was not used in the SQN FPRA.

Response to Part c)

The obstructed plume model was not used in the SQN FPRA.

APLB AUDIT QUESTION 01.c - Well-Sealed Motor Control Center (MCC) Cabinets NRC staff review of the electronic portal documents during the audit of fire modeling treatments did not identify a description of how well-sealed cabinets were treated in the fire PRA. Guidance in FAQ 08-0042 from Supplement 1 of NUREG/CR-6850 applies to electrical cabinets below 440 V. With respect to Bin 15, as discussed in Chapter 6, it clarifies the meaning of "robustly or well-sealed." Thus, for cabinets of 440 V or less, fires from well-sealed cabinets do not propagate fire outside the cabinet. For cabinets of 440 V and higher, the original guidance in Chapter 6 remains and requires that Bin 15 panels which house circuit voltages of 440 V or greater are counted because an arcing fault could compromise panel integrity (an arcing fault

CNL-22-023 E1-40 of 65 could burn through the panel sides, but this should not be confused with the high energy arcing fault type fires)." Fire PRA FAQ 14-0009, Treatment of Well-Sealed MCC Electrical Panels Greater than 440V (ADAMS Accession No. ML15119A176) provides the technique for evaluating fire damage from MCC cabinets having a voltage greater than 440 V. Therefore, propagation of fire outside the ignition source panel must be evaluated for all MCC cabinets that house circuits of 440 V or greater. The modeling uncertainty associated with well-sealed MCC cabinets fire modeling could have an impact on the RICT calculations. Therefore, address the following:

a) Describe how fire propagation outside of well-sealed MCC cabinets greater than 440 V is evaluated and address if it is consistent with the guidance in fire PRA FAQ 14-0009.

b) The guidance in NUREG/CR-6850 does not include well-sealed cabinets less than 440 V in the Bin 15 count of ignition sources. If well-sealed cabinets less than 440 V are included in the Bin 15 count of ignition sources, provide justification for using this approach.

c) As an alternative to parts (a) and/or (b), demonstrate that the treatment of well-sealed MCC cabinets has an inconsequential impact on the RICT calculations. An acceptable approach is to describe and provide the results of a sensitivity study for the unacceptable treatment of well-sealed MCC cabinets credited in the RTR model demonstrating that the treatment has an inconsequential impact on the calculated RICTs using LCO conditions that could be most impacted by this modeling uncertainty having RICTs less than the 30-day backstop TVA Response Response to Part a)

The SQN FPRA does not use the guidance in FAQ 14-0009 associated with well-sealed MCCs.

MCC at SQN were identified and counted as ignition sources with no credit for the capability of "well sealed" electrical enclosures to prevent fire propagation. Therefore, fire scenarios postulated at MCCs are modeled with propagation outside the panel consistent with the treatment of any other electrical enclosure that is not well sealed.

Response to Part b)

The counting guidance for electrical enclosures (i.e., electrical cabinets) in Chapter 6 of NUREG/CR-6850 and applicable FAQs documented in Supplement 1 of NUREG/CR-6850 were followed for identifying ignition sources. There are over two thousand electrical enclosures (including vertical sections) identified as ignition sources for the two units. A review of the pictures obtained during the development of the FPRA for the electrical cabinets in the PAUs where detailed fire modeling was conducted indicates that the electrical enclosures within the count do not meet the definition of well-sealed. This is consistent with the guidance in NUREG/CR-6850, which indicates that well-sealed panels should not be included in the count.

Therefore, the potential for well-sealed cabinets diluting the ignition frequency is negligible and within the range of uncertainty typically associated with the engineering judgment necessary for implementing the counting guidance in Chapter 6 of NUREG/CR-6850.

CNL-22-023 E1-41 of 65 Response to Part c)

MCCs in the SQN FPRA are not treated as well sealed.

APLB AUDIT QUESTION 01.d - Influence Factors for Transient Fires Based on NRC staff review of the electronic portal documents during the audit of the application of transient fire influence factors, it appears that guidance used to apply transient fire influence factors was limited to NUREG/CR-6850, Volume 2 (ADAMS Accession No ML052580118).

Further guidance in FAQ 12-0064, Hot Work/Transient Fire Frequency Influence Factors" (ADAMS Accession No. ML12346A488), describes the process for assigning influence factors for hot work and transient fires. Modeling uncertainty associated with use of transient fire influence factors could have an impact on the RICT calculations. Provide the following regarding application of NRC guidance to use of transient fire influence factors:

a) Clarify whether the methodology used to calculate hot work and transient fire frequencies applies influencing factors using NUREG/CR-6850 guidance or FAQ 12-0064 guidance.

b) Indicate whether administrative controls are used to reduce transient fire frequency, and if so, describe and justify these controls.

c) Indicate whether any specific non-conformances of administration control to limit combustible materials with NUREG/CR-6850 guidance or FAQ 12-0064 guidance exist and discuss the transient fire frequency influence factors assigned to these non-conformances. For those which were assigned an influence factor of 1 (Low) or less, indicate the value of the assigned influence factors and provide the justification.

d) If an influencing factor of "0" was assigned to Maintenance, Occupancy, or Storage, or Hot Work for any fire Physical Analysis Units (PAUs), provide the justification e) The guidance in FAQ 12-0064 indicates weighting factors of 50 should be used in any fire PAU. Please identify and justify any deviations.

TVA Response a) The SQN FPRA influence factors for transients and hotwork are based on the guidance in Chapter 6 of NUREG/CR-6850. Consistent with NUREG/CR-6850, hotwork activities are covered under the maintenance influence factors. That is, SQN did not apply the provision in FAQ 12-0064 which allows for a hotwork specific influence factor.

b) Transient fires were postulated for all PAUs regardless of administrative controls.

Administrative controls were not used to reduce transient fire frequency.

c) Programmatic controls governing transient combustibles include storing transient combustibles in metal containers when not in use or constantly attended except when introduced by permit for Risk Level 1 Areas and without a permit in Risk Level 2 Areas but only in small quantities. When deficiencies are observed during periodic inspections, corrective actions are initiated, and the condition is expeditiously remedied. Such controls protect the basis for the influence factor values, including those of 1 or less. That is, the influence factors reflect the as operated condition of the plant.

CNL-22-023 E1-42 of 65 d) No PAUs were assigned a 0 for Maintenance, Occupancy, or Storage. Refer to Response c) above. A 0.3 value influence factor was assigned to PAU 690-A033 between the Auxiliary Building and Turbine Building. This is a relatively small penetration area with no access door or equipment requiring maintenance. The value of 0.3 can be interpreted as conservative as the guidance in NUREG/CR-6850 for the use of a value of zero (0) is applicable given that there is no access to this PAU.

e) An influencing factor of 50 was not applied as no PAUs were identified as exhibiting Very High maintenance relative to other PAUs.

APLB AUDIT QUESTION 01.e - PRA Treatment of Fire Dependencies between Units 1 and 2 Many operating nuclear power plants with more than one unit have adjoined and common areas. For plants, the risk contribution from fires originating in one unit must be addressed for impacts to the other unit given the physical proximity of the other unit, common areas, and the and common areas, and shared systems:

a) Explain how the risk contribution of fires originating in one unit is addressed for the other unit given impacts due to the physical proximity of equipment and cables in one unit to equipment and cables in the other unit. Include identification of locations where fire in one unit can affect components in the other unit and explain how the risk contributions of such scenarios are allocated in the LAR.

b) Explain how the contributions of fires in common areas are addressed, including the risk contribution of fires that can impact components in both units.

TVA Response Response to Part a)

The SQN FPRA consists of two types of fire scenarios, full room burns, or smaller fires associated with a limited number of components. Full room burn scenarios are scenarios in which all components included within that room are failed and the associated CDF/LERF for that unit is calculated based on those failures.

The smaller fires include a smaller subset of components within the room (e.g., component fires associated with a particular component catching on fire, transient fires, welding and cutting, etc.). Each of these scenarios have a certain zone of influence that will impact a specific set of components and cables in the room.

The SQN FPRA also includes propagation scenarios that evaluate the impact of a fire propagating from one room to another.

The SQN FPRA logic is built into a single fault tree model with a separate top event for CDF and LERF for each unit. The logic is built such that common equipment is modeled under each top event (Unit 1 CDF, Unit 1 LERF, Unit 2 CDF, and Unit 2 LERF). Therefore, all components within the zone of influence that are directly impacted by the fire or components associated with cables that can be adversely affected by the fire scenario will be failed in the model. This includes components for each unit or components relied upon for both units. These failures will propagate to the top event as allowed for by the fault tree logic. Because of this, dependencies between units are accounted for in the fault tree logic. Each of the fire scenarios (whether in a

CNL-22-023 E1-43 of 65 Unit 1 room, a Unit 2 room, or in a common area) are quantified in each unit for CDF and LERF to ensure that the impacts from a particular fire scenario is captured for both units.

Response to Part b)

See the response to APLB-01.e Part (a).

APLB AUDIT QUESTION 02 - Dispositions of PRA Model Assumptions and Sources of Uncertainty - Internal Fire The NRC staff SE to NEI 06-09-A specifies that the LAR should identify key assumptions and sources of uncertainty and to assess and disposition each as to their impact on the RMTS application. Section 2.3.4 of NEI 06-09-A states that PRA modeling uncertainties shall be considered in application of the PRA base model results to the RICT program and that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties that could potentially impact the results of a RICT calculation. NUREG-1855, Revision 1, presents guidance on the process of identifying, characterizing, and qualitative screening of model uncertainties.

The NRC staff reviewed the disposition of the source of modeling uncertainty identified in LAR Table E9-3 and reviewed the dispositions of other fire PRA modeling uncertainties evaluated by the licensee in the PRA notebooks for their impact on the RICT application. In a few instances, there is not enough information for NRC staff to conclude that the assumption or source of modeling uncertainty would not have an impact on the RICT calculations. Therefore, address the following:

a) Portal report SQN-0-21-126, Sequoyah Nuclear: Review of Sources of Uncertainty for the RICT LAR, identifies the treatment of components without cable routing information as always failed in the fire PRA to be a source of modeling uncertainty.

These components are referred to in the report as Unknown Equipment List (UNL) components and the report explains that a sensitivity study was performed on their treatment. Though the assumption that UNL components always fail in a fire scenario is conservative, NRC staff notes that this conservatism in fire PRA modeling could have a nonconservative impact on the RICT calculations. If an SSC is part of a system not credited in the fire PRA or supports a system that is assumed to always fail, then the risk increases due to taking that SSC out of service could be masked. The report states based on the sensitivity study results that the treatment of this uncertainty was determined to have at most a moderate impact on fire CDF (i.e., greater than 10%

and less than 100% change) and that the modeling uncertainty is, therefore, considered not to be a key source of uncertainty. The report did not identify the SSCs that were assumed always to fail in a fire scenario. Given that the results of the sensitivity study indicate that impact of this modeling uncertainty on fire CDF is moderate, it is not clear to NRC staff why the licensee concluded that this source of uncertainty has an inconsequential impact of the RICT calculations for the plant configuration allowed by the RICT program. Therefore, address the following:

i.

Identify the UNL systems or components that are assumed to be always failed in the fire PRA or are not included in the fire PRA model.

CNL-22-023 E1-44 of 65 ii.

Justify that this assumption has an inconsequential impact on the RICT calculations by describing and performing a sensitivity study using LCO conditions that could be most impacted by this modeling uncertainty having RICTs less than the 30-day backstop.

iii.

As an alternative to part (ii) above, identify the LCO conditions impacted by the treatment of this modeling uncertainty for which RMAs will be applied during a RICT. Include discussion of the kinds of RMAs that would be applied and justification that the RMAs will be sufficient to address the modeling uncertainty.

b) Portal report SQN-0-21-126 identifies an assumption made about the properties of electrical cable used in the plant to be a source of modeling uncertainty. The report states that the electrical cables in the control room are treated like thermoplastic cables because they do not meet the qualification criteria for thermoset cables. According to the guidance in Appendix H of NUREG/CR-6850 for fire PRA (ADAMS Accession No. ML052580118), the thermal damage threshold of thermoplastic cable (i.e., 6 kW/m2) is significantly lower than the thermal damage threshold of thermoset cables (i.e., 11 kW/m2). The report states, however, based on a parameter sensitivity study that this assumption only introduces a slight conservative bias in the PRA model results. It is not clear to NRC staff how the licensee concluded that this assumption leads to just a slight conservative bias in the PRA model results. Using the damage threshold for thermoplastic cables could result in significantly more damaged targets than using the damage threshold for thermoset cables. Additionally, NRC staff notes that a conservatism in fire PRA modeling could have a nonconservative impact on the RICT calculations. If SSC targets are considered damaged because nearby cables were assumed to be thermoplastic cables that otherwise would not be considered damaged if the cables were assumed to thermoset cables, then the risk increase due to taking that SSC out of service could be masked.

Another portal report on fire modeling (MDN000NA201000469) states that the licensee assumed all cables in the plant are thermoplastic, even though it was determined that a significant fraction could have thermoset properties. This contrasts with the uncertainty analysis report which indicates that the conservative cable property assumption was limited to the control room.

In light of the observations above, address the following:

i.

Clarify where the cable property assumption was applied (e.g., to the whole plant or just the control room).

ii.

Justify that this assumption has an inconsequential impact on the RICT calculations. One option for doing this is describing and performing a sensitivity study using LCO conditions that could be most impacted by this modeling uncertainty having RICTs less than the 30-day backstop.

iii.

As an alternative to part (ii) above, identify the LCO conditions impacted by the treatment of this modeling uncertainty for which RMAs will be applied during a RICT. Include discussion of the kinds of RMAs that would be applied and justification that the RMAs will be sufficient to address the modeling uncertainty.

CNL-22-023 E1-45 of 65 TVA Response Response to Part a)

Item i:

The basic events representing structures, systems, and components (SSCs) assumed to be always-failed in the baseline FPRA were reviewed and were determined to fall into the following categories.

a) Condensate/Main feedwater b) Hot leg recirculation in case of a large loss of coolant accident (large LOCA) c) One out of several valves needed to cause an interfacing-system LOCA (ISLOCA) d) 480V unit board (1A, 1B, 2A, 2B) e) Vital Battery Board V f) Service air g) Demineralized (Demin) water makeup h) Boration with Boric Acid Tank (BAT) i) Power on 6900V unit board (1A to 1D, 2A to 2D) j) One fan of shutdown transformer room k) Control power to reactor coolant pump (RCP) trip l) Turbine trip and ATWS mitigation system actuation circuitry (AMSAC) m) Motor-operated valve (MOV) 2-FCV-63-175 (safety injection miniflow valve) n) Unit 2 reactor trip instrumentation o) Unit 2 containment pressure indicators used for manual initiation of containment spray Item ii:

The always-failed basic events falling in the categories listed in the response to Item i were qualitatively evaluated for fire impacts. The qualitative evaluation determined, for each category, whether a quantitative sensitivity study was warranted, and if so, which LCO conditions were expected to be most impacted by the modeling uncertainty. The results of the evaluation are listed in Table APLB02-01.

Table APLB02-01 Qualitative Evaluation of Always-Failed Assumption on RICT Calculation Always-Failed Basic Event SSC Category Impact on RICT Results

a. Condensate/main feedwater Inconsequential - After a fire leading to reactor trip, the condensate/feedwater system is challenging to maintain and not expected to remain available. Decay heat removal is performed via the AFW system. The condensate/main feedwater system is not credited for Safe Shutdown (SSD) and is not credited in the SQN fire procedures. Therefore, not crediting the condensate/feedwater system is considered to be realistic.

CNL-22-023 E1-46 of 65 Always-Failed Basic Event SSC Category Impact on RICT Results

b. Hot leg recirculation (large LOCA)

Inconsequential - Hot leg recirculation is needed in case of a large LOCA. Large LOCAs are not a risk contributor in the FPRA. Crediting hot leg recirculation would therefore have no impact to the FPRA model. In addition, hot leg recirculation is not credited in the SSD or FPRA procedures.

c. One out of several valves needed to cause an ISLOCA Inconsequential - ISLOCAs are very low (Less than 0.01%) risk contributors in the FPRA. Removing the isolation failure of the non-credited valves would therefore have an insignificant impact to the FPRA.

d. 480V unit board (1A, 1B, 2A, 2B)

Inconsequential - The 480V unit boards are non-essential power sources providing power to non-safety related boards. They essentially provide power to condensate/main feedwater equipment, whose operation or maloperation was already judged to be inconsequential to the fire risk (see Entry Condensate/main feedwater in this table). Systems powered by the 480V unit boards are not credited in the SSD and fire procedures.

e. Vital Battery Board V Conservative - Vital Battery Board V is not evaluated directly in the LCO conditions, but the closest one is LCO 3.8.4.A, which fails one or two vital battery chargers. Vital Battery Board V provides a redundant source of power for these battery chargers. Therefore, assuming that it is always-failed in the FPRA removes beneficial impacts of that redundancy, resulting in conservative RICT values for LCO 3.8.4.A. Evaluated with a sensitivity study on 3.8.4.A in Table APLB02-02. The Vital Battery Board V and all other always-failed basic events in the baseline FPRA will, in the sensitivity study, remain immune to fire impacts.

f. Service air Inconsequential - Service air is not evaluated directly in LCO conditions. Service air facilitates plant operation but is not needed to bring the plant to safe and stable shutdown. Service air is highly vulnerable due to fire because of soldered piping and the numerous components that can fail the service air system. Reliable human actions are credited in the FPRA to mitigate loss of service air, rendering the loss of this system inconsequential to the RICT calculations.

g. Demin water makeup Inconsequential - Demin water makeup is not evaluated directly in the LCO conditions. Demin water makeup provides water to the Condensate Storage Tank and as such supports long-term operation of the AFW system. The Demin water makeup is not credited in the SSD analysis or in the FPRA procedures and would not be utilized during an Appendix R fire. In the FPRA, the primary make-up source for AFW is Demin Water, and ERCW providing a backup source.

Therefore, loss of the primary source (Demin Water) has an inconsequential impact provided ERCW remains available.

CNL-22-023 E1-47 of 65 Always-Failed Basic Event SSC Category Impact on RICT Results

h. Boration with BAT Inconsequential - Boration with BAT is not evaluated directly in the LCO conditions. Boration with BAT provides an alternate way to control reactor criticality. In the FPRA, boration is ensured via the RWST. The BAT is not credited in the SSD or FPRA procedures and would not be utilized in an Appendix R fire. Assuming that boration with BAT is always-failed in the FPRA therefore leads to an inconsequential impact.

i. Alternate offsite power to 6900V unit board (1A to 1D, 2A to 2D)

Inconsequential - The 6900V unit boards provide an alternate source of power to 6900V shutdown boards. The always-failed breakers are an alternate source of offsite power to the 6900V unit board. Thus, the normal offsite power feed and the EDGs are credited. The SSD and fire procedures dont credit this alternate source of power and it would not be utilized during an Appendix R fire. Assuming this is always-failed will lead to an inconsequential impact to the RICT analysis.

j. One fan of shutdown transformer room Inconsequential - Loss of ventilation in electrical rooms is not evaluated directly in the LCO conditions. In addition, there are four fans in the shutdown transformer rooms and any one can maintain adequate room temperature. Assuming in the FPRA, the loss of one of those fans has an inconsequential impact on the RICT estimates of the AC electrical systems in the affected rooms. In addition, this fan is not credited in the SSD analysis.

k. Control power to RCP trip Inconsequential - Control power to RCP trip is not evaluated directly in the LCO conditions. There is no obvious LCO condition that would be affected by loss of control power to RCP trip, except in a remote way, safety injection functions (e.g., ESFAS-related LCOs) caused by a seal LOCA subsequent to the failure of RCPs to trip. However, since the FPRA credits a redundant source of power for RCP trip control and given the tenuous link between RCP trip power control and ESFAS-related LCOs, the impact is expected to be inconsequential.

l. Turbine trip and AMSAC Inconsequential and Conservative - Turbine trip and startup of AFW provided by AMSAC can be reliably performed by the operators. Due to the diverse set of reactor trip signals and that the reactor trip happens immediately in the fire scenario, the RPS system is assumed to work in the FPRA. Therefore, turbine trip and AMSAC failures have an inconsequential impact on the RICT results. Evaluated with a sensitivity study on 3.3.1.M in Table APLB02-02.

m. MOV 2-FCV-63-175 (SI Pump B mini-flow valve)

Unit 2 specific Inconsequential - The FPRA assumes spurious closure of the mini-flow valve of SI Pump B, leading to the failure of that train and reliance on redundant train A. The SSD and FPRA procedures dont credit SI for inventory control in an Appendix R fire. Thus, crediting train B of SI for Unit 2 has an inconsequential impact.

CNL-22-023 E1-48 of 65 Always-Failed Basic Event SSC Category Impact on RICT Results

n. Unit 2 reactor trip instrumentation Unit 2 specific Conservative - The FPRA assumes that some neutron flux and temperature instruments are always-failed, which in turn leads to the failure of an over-temperature delta-temperature train channel. However, a diverse protection channel is credited (high pressurizer pressure) for reactor trip actuation.

This results in conservative results for RTS (Evaluated with a sensitivity study on 3.3.1.D in Table APLB02-02).

o. Unit 2 Containment pressure indicator used for manual initiation of containment spray Unit 2 specific Inconsequential - The FPRA assumes that some containment pressure indicators used for manual initiation of containment spray are always-failed. However, there are other indicators that the operators can use, and redundant automatic actuation is not affected. Therefore, this approach yields inconsequential results for ESFAS-related LCO conditions.

The results of the sensitivity studies identified in Table APLB02-01 are given in Table APLB02-02. For each LCO condition identified in Table APLB02-01 as object of the sensitivity study, the minimum RICT was calculated. All previously always-failed basic events associated with SSCs that were assigned a sensitivity study in Table APLB02-01 (i.e., items e, l, and n) were assumed to now be immune from fire impacts. Thus, for example, the sensitivity study on 3.8.4.A, which in Table APLB02-01 was expected to be most impacted by the Vital Battery Board V SSCs (item e), was performed considering that the set of previously always-failed basic events of items e, l, and n was now immune to fire impacts. Considering an expanded set of basic events immune to fire impacts provides added confidence that the set of sensitivity studies considered is appropriate, since it increases the potential for masking removal for each of these sensitivity studies.

CNL-22-023 E1-49 of 65 Table APLB02-02 Sensitivity Study RICT Calculation Results Plant Unit Case (Note 1)

Description of LCO condition (Note 1)

U1, U2 Baseline Min RICT Days (Note 1)

U1, U2 Sensitivity Min RICT Days (Note 2)

Comment 1

2 3.8.4.A DC Sources -

Operating - One or two vital battery chargers on one train inoperable 3.0 3.4 11.9 8.0 Sensitivity study shows no decrease in the RICT days value of the baseline case.

1 2

3.3.1.M Reactor Trip System (RTS) Instrumentation

- One Turbine Trip channel inoperable.

30.0 30.0 30.0 30.0 Sensitivity study shows no decrease in the RICT days value of the baseline case.

1 2

3.3.1.D Reactor Trip System (RTS) Instrumentation

- One Power Range Neutron Flux

- High channel inoperable 30.0 30.0 30.0 30.0 Sensitivity study shows no decrease in the RICT days value of the baseline case.

Notes:

1. Technical specification (TS) condition case.

2. RICT days are given a maximum value of 30 days.

CNL-22-023 E1-50 of 65 Item iii:

Based on the results of Table APLB02-01, the SSCs assumed to be always-failed in the FPRA have an inconsequential or conservative impact on RICT calculations. As such, no RMA is needed.

Response to Part b)

Item i: All cables in the plant are assumed to be thermoplastic.

Item ii: The assumption that the cables in the plant are thermoplastic is judged to have an inconsequential impact on the RICT calculations based on the following considerations.

a. An assessment of the cable data in the plant suggests that the majority of cable insulation is thermoset, but the jacket material composition remains unconfirmed, with a proportion of at least 5 percent that qualifies as thermoplastic. In absence of positive confirmation of the jacket material composition, evaluating the cables as thermoset in the FPRA would lead to an underestimation of the fire risk, due to the relatively greater vulnerability of thermoplastic cable to fire impacts.

b. The approach above is consistent with the guidance given in Section H.1.1 of NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, Volume 2: Detailed Methodology, which indicates that in the case of a cable raceway housing a mixture of TP and TS cables, the damage criteria for thermoplastic should be applied. (This presumes that ignition of a thermoplastic cable would quickly compromise co-located thermoset cables).

c. With the greater fire vulnerability of thermoplastic relative to thermoset, the assumption that plant cables are thermoplastic introduces a conservatism in the fire risk. The degree of this conservatism is judged to be low based on the consideration that the ignition of thermoplastic cable in a raceway would compromise the fire resistance of thermoset cables, as explained in NUREG/CR-6850 cited above. This is supported by a review of the jacket and insulation material in the population of cables at the site, which indicates that the proportion of thermoplastic material is greater than 5 percent. Stated otherwise, the presence of thermoplastic cables in the plant increases the fire risk to a level commensurate with the situation where all cables are thermoplastic. Because the conservatism in risk results introduced by the necessary assumption of thermoplastic cables is low, any masking effect in the RICT calculation will be inconsequential for the RICT application.

Item iii: Not applicable, given that the response to Item ii finds an inconsequential impact on the RICT calculations.

PRA Licensing Branch C (APLC) Audit Questions - Seismic PRA and External Hazards APLC AUDIT QUESTION 01 - Resolution of Focused-Scope Peer Review F&Os The LAR states that, as part of the Independent Assessment, four of the seven SHA findings were assessed to be upgrades and were resolved as part of a focused scope of HLRs, SHA-I

CNL-22-023 E1-51 of 65 and SHA-J. It is not clear to the NRC staff whether any F&Os were generated by the focused-scope peer review and whether they were closed. Therefore:

a) Explain whether F&Os were generated by the focused-scope peer review and confirm that they were closed during the Independent Assessment.

b) If F&Os were generated by the focused-scope peer review and not closed during the Independent Assessment, then provide the open F&Os and justify that each open focused-scope generated F&Os will have an inconsequential impact on the RICT calculations.

TVA Response Response to Part a)

The original peer review of the SQN Seismic PRA had seven finding level F&Os for seismic hazards analysis (SHA). The Independent Assessment team concluded that the resolutions for four of the seven F&Os were upgrades to the PRA model, which required a focused scope peer review.

Although a review of high level requirements (HLR) SHA-I was originally assessed to be sufficient to address the original four upgrade SHA findings, the team subsequently concluded that HLR SHA-J would also be impacted. Consequently, the scope of the review included supporting requirements (SR) SHA-I2, SHA-J1, SHA-J2, and SHA-J3. SR SHA-I1 was assessed to be not applicable since this SR was judged not to be impacted by the original four upgrade SHA findings. All four reviewed SRs were assessed to be met with three new F&Os (2 finding level, 1 suggestion).

Finding F&O 1-2 was generated from the review of SR SHA-I2. Finding F&O 1-3 and Suggestion F&O 1-4 were generated from the review of SR SHA-J2. The three findings were ultimately closed based on information provided by TVA on April 1, 2019, in F&O closure review.

Response to Part b)

A total of three F&Os (2 findings and one suggestion) were generated by the focused-scope peer review but were all closed during the Independent Assessment.

APLC AUDIT QUESTION 02 - Inconsistency in Reported Seismic CDF and LERF Results LAR Enclosure 5, Table E5-1 presents the point estimate seismic CDFs for Sequoyah to be 4.19E-06 and 3.95E-06 per year for Units 1 and 2, respectively. Section 6.0 of the Sequoyah SPRA (Fukushima) report presents the point estimate seismic CDFs for Sequoyah to be 4.1E-06 and 4.95E-06 per year for Units 1 and 2, respectively. Similarly, LAR Enclosure 5, Table E5-1 presents the point estimate seismic LERFs for Sequoyah to be 3.00E-06 and 2.83E-06 per year for Units 1 and 2, respectively, but Section 6.0 of the Sequoyah SPRA report presents the point estimate seismic LERFs for Sequoyah to be 2.6E-06 and 2.4E-06 per year for Units 1 and 2, respectively.

CNL-22-023 E1-52 of 65 Accordingly, there is an inconsistency in the reported seismic CDF for Unit 2 and seismic LERF for Units 1 and 2 between the LAR and the SPRA report. Therefore, address the following:

a) Reconcile the differences between point estimate seismic CDF and LERF values presented in the LAR and SPRA and confirm which seismic CDF and LERF values are being used in support of the Sequoyah TSTF-505 LAR. In particular, explain and justify why the seismic CDF value for Unit 2 in the LAR is 20% lower than the value in the SPRA Fukushima report.

b) If different seismic CDF and/or LERF values are being used in support of the Sequoyah TSTF-505 LAR than presented in LAR Enclosure 5, Table E5-1, then ensure that the appropriate values are used when responding to APLA Question 07.

TVA Response Response to Part a)

SQN Seismic PRA described in the Fukushima report was based on Revision 3 of the SQN Internal Events PRA model. The SQN Internal Events PRA model has been revised twice since the SQN Seismic PRA was originally created and now Revision 5 of the SQN Internal Events PRA model is the model of record. Revision 4 was a mini update performed to make a correction to the state of knowledge correlation modeling and fix some minor logic errors.

Revision 5 of the model included a data analysis update, incorporation of some event tree changes, Level 2 changes, correction of some fault tree errors, and reanalysis of the human reliability analysis (HRA) as described in the following paragraphs.

The SQN internal events data was revised to reflect Bayesian updating of all basic events that use plant specific data. The data update also included correction of minor errors since the last data update.

Several changes were made to the event trees. The event tree changes are listed below.

x Removed some overly conservative very small LOCA sequences that were previously assumed to lead to core damage, which have now been shown to not result in core damage through thermal hydraulic analyses.

x Removed sequences that were previously believed to be result in a large early release, but now have been shown to not be large early sequences.

x Revised to credit Essential Raw Cooling Water (ERCW) as a backup water source to the steam generators through the Auxiliary Feed Water (AFW) pumps (without taking credit for the AFW pumps providing motive force) instead of bleed and feed.

x Removed bleed and feed of the reactor pressure vessel with Safety Injection.

x Addition of Steam Generator Tube Rupture sequences where isolation of the break occurs as a non-bypass scenario.

The SQN Internal Events PRA HRA was updated to account for procedure changes, changes in the dependency analysis, and minor errors that have been identified.

CNL-22-023 E1-53 of 65 Several changes were made to the Large Early Release model. The changes are listed below.

x Realistically model early containment failure split fractions using the containment capacity curve to distinguish between high pressure and low pressure sequences.

x Update direct containment heating split fractions based on the containment capacity curve.

x Reclassified containment isolation failure of penetration X-44 as a late rather than early sequence. This penetration is in a closed system outside of containment and any release passing through this penetration would not occur early.

The SQN Seismic PRA model was updated based on Revision 5 of SQN Internal Events PRA model. This update included an update to the SPRA HRA dependency analysis. All changes to the model were model maintenance and are not upgrades. The updated SQN SPRA Model was incorporated into the one top multi hazard model (OTMHM). The values in LAR Enclosure 5, Table E5-1 for Units 1 and 2 Seismic CDF and LERF were calculated using the OTMHM.

The changes to the internal events model, which resulted in changes to the Seismic PRA model, account for the differences between point estimate seismic CDF and LERF values presented in the LAR when compared to the Fukushima submittal. The OTMHM will be used in the Phoenix Real Time Risk Monitor to calculate risk informed completion times in the Risk Managed Tech Specs program as discussed in the Sequoyah TSTF-505 LAR.

Response to Part b)

The OTMHM will be used in the Phoenix Real Time Risk Monitor to calculate risk informed completion times in the Risk Managed Tech Specs program as discussed in the Sequoyah TSTF-505 LAR. The OTMHM was used to produce the seismic CDF and LERF values in LAR, Table E5-1 of the Sequoyah TSTF-505 LAR.



APLC AUDIT QUESTION 03 - External Flooding and Intense Precipitation Section 2.3.1, Item 7, of NEI 06-09-A states that the impact of other external events risk shall be addressed in the RMTS program, and explains that one method to do this is by documenting prior to the RMTS program that external events that are not modeled in the PRA are not significant contributors to configuration risk. The SE for NEI 06-09 states that [o]ther external events are also treated quantitatively, unless it is demonstrated that these risk sources are insignificant contributors to configuration-specific risk.

LAR Enclosure 4, Section 4, Table E4-1 discusses the evaluation of the risk from the external flooding hazard on the RICT application. Table E4-1 indicates that criterion C5 (Event develops slowly, allowing adequate time to eliminate or mitigate the threat) was used to screen the extreme flood and intense precipitation. However, as noted in LAR, the revision of the warning time analysis has not yet been performed. The LAR states that this analysis is expected to be complete by early May 2022, and therefore, the LAR commits to either (1) supplement the TSTF-505 request with the revised warning time analysis that supports the screening criterion of C5, or (2) propose a license condition that requires confirmation from the revised Sequoyah warning time prior to implementation of the RICT program or use another screening criteria from Section 6-2 of the AMSE/ANS RA Sa-2009 PRA Standard in the event that the hazard cannot be screened using criterion C5. Explain how the licensee intends to confirm that the revised warning time will allow adequate time to eliminate or prevent the threat.

CNL-22-023 E1-54 of 65 TVA Response TVA is developing new external flooding calculations for the Sequoyah plant. As stated in the LAR, the calculation should be issued in the May 2022 timeframe. This calculation will provide the timing available to take actions to eliminate the threat. SQN has a flooding plan that is based on conditions upstream of the SQN plant, postulated rainfall, and dam failures. The calculation is intended to confirm that an adequate amount of time is available to take measures to safely shutdown the plant and to maintain a safe shutdown condition. As such, the revised calculation will provide the timing, and the SQN flood response procedure will prescribe actions to be taken within those time allowances.

Containment and Plant Systems Branch (SCPB) Audit Question SCPB AUDIT QUESTION 01 - Design Success Criteria for TS Condition 3.6.8.B TS Condition 3.6.8.B of Table E1-1 in Enclosure 1 of the LAR (pdf page 323 of 405) gives the Design Success Criteria as One region without an operable ignitor. It appears that without should be changed to with. Please clarify.

TVA Response TVA confirms that the Design Success Criteria for TS Condition 3.6.8.B of Table E1-1 should be One region with an operable ignitor. The LAR has been revised, as provided in Enclosure 2.

Technical Specifications Branch (STSB) Audit Question STSB AUDIT QUESTION 01 - TS 5.5.18, Proposed Administrative Controls for the RICT Program The proposed administrative controls for the RICT Program in TS 5.5.18 paragraph e of Attachments 2.1 and 2.2 of the LAR were based on the TS markups of TSTF-505, Revision 2 for Sequoyah Unit 1 and Unit 2, respectively. The NRC staff recognizes that the model SE for TSTF-505, Revision 2, contains improved phrasing for the administrative controls for the RICT Program in TS 5.5.18, paragraph e, namely the phrasing approved for use with this program instead of used to support this license amendment. In lieu of the original phrasing in paragraph e of TS 5.5.18, discuss whether the phrases used to support Amendment #

xxx or, as discussed in the TSTF-505 model SE, approved for use with this program would provide more clarity for this paragraph.

TVA Response TVA has determined that the phraseology for TS 5.5.18 paragraph e in the model SE to TSTF-505 for TS 5.5.18, approved for use with this program, provides more clarity for this paragraph. The LAR has been revised, as provided in Enclosure 2.

CNL-22-023 E1-55 of 65 Electrical Engineering Branch (EEEB) Audit Questions EEEB AUDIT QUESTION 01 - DSC for Electrical TSs For all electrical TS proposed changes in LAR Table E1-1, is each of their Design Success Criteria (DSC) based on a successful response to the Sequoyah worst case accident by the station or each unit?

TVA Response DSC is based on successful response by the station with one unit in an accident.

EEEB AUDIT QUESTION 02 - DSC for TS 3.8.1.B In LAR Table E1-1 for TS 3.8.1.B DSC, if the only remaining power sources for the station is one DG from each load group or train, is that a loss of function (LOF) scenario for station? Are the load groups or trains A and B for each unit fully redundant based on that? Is a LOF note applicable for LAR Tables E1-2 and E1-3 for this TS since that could happen for some scenarios for remaining DGs available for operation? For DSC, do both accident and non-accident unit only need one DG each?

TVA Response A loss of one EDG from each load group (leaving one EDG from each load group operable) is a LOF scenario for the station.

Load groups include common equipment dependent on unitized equipment. A complete load group requires Units 1 and 2 associated equipment irrespective of the accident-affected unit.

No LOF occurs for a loss of one or two EDG from a single load group (train). Two independent failures (one from each train) would result in LOF.

Functionality is maintained for both units when both A train EDG (1A-A and 2A-A) or both B train EDG (1B-B and 2B-B) are available. Both accident and non-accident units require two DG from the same train and this one pair may support both units.

EEEB AUDIT QUESTION 05 - DSC for TS 3.8.7.A In LAR Table E1-1 for TS 3.8.7.A DSC, is this for accident unit or for station? Denote in DSC how many channels are required for accident unit?

TVA Response Two ESF power divisions for RPS and ESFAS initiation are required for the station. Power divisions is used interchangeably with channel. Two channels are required to make up a single train.

CNL-22-023 E1-56 of 65 EEEB AUDIT QUESTION 09 - Calculated RICTs for Electrical TSs For LAR Tables E1-2 and E1-3, explain why RICT times are so different for Units 1 and 2 for TSs 3.8.1, 3.8.4, 3.8.7, and 3.8.9?

TVA Response

1. The RICT days estimates for Unit 1 (U1) and Unit 2 (U2) Tech Spec (TS) Case 3.8.1.A are 9.0 days and 30 days, respectively. A review of the corresponding cutsets between Units 1 and 2 indicates that the differences in RICT days are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics and cable routing. This conclusion is based on the observation that, although the Units 1 and 2 cutset files are both dominated by fire cutsets, the dominant cutsets are different between units, indicating different fire scenarios contributing to risk in each case. These kinds of differences are to be expected due to asymmetries between plant units with respect to cable routing, equipment layout, and potential fire scenarios.

2. The RICT days estimates for Units 1 and 2 TS Case 3.8.1.B are 12.1 days and 11.4 days, respectively. Consistent with the discussion in Item 1 above, these differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing. This conclusion is based on the observation that, although the Units 1 and 2 cutset files have many of the top seismic or fire cutsets in common, many fire cutsets are different between units, indicating different fire scenarios contributing to risk in each case.

3. The RICT days estimates for Units 1 and 2 TS Case 3.8.1.C are 9.0 days and 30 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

4. The RICT days estimates for Units 1 and 2 TS Case 3.8.1.D are 3.7 days and 3.7 days, respectively. A review of cutsets was performed, and it was concluded in contrast to cases discussed above that, in this case, although fire cutsets dominate, many of the dominant cutsets are equivalent indicating a high degree of symmetry between the units with respect to the interactions between fire characteristics, equipment layout, and cable routing.

5. The RICT days estimates for Units 1 and 2 TS Case 3.8.1.E are 3.8 days and 5.3 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

6. The RICT days estimates for Units 1 and 2 TS Case 3.8.4.A are 3.0 days and 3.4 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

7. The RICT days estimates for Units 1 and 2 TS Case 3.8.4.B are 3.0 days and 3.2 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

CNL-22-023 E1-57 of 65

8. The RICT days estimates for Units 1 and 2 TS Case 3.8.7.A are 30 days and 30 days, respectively after application of the 30-day backstop. That is, there is no difference in the RICT days estimates for this case. However, there are full power internal events (FPIE) model asymmetries between Units 1 and 2 that affect the RICT days estimates before application of the backstop in this case. The associated FPIE model asymmetries will not exist in the final RICT model.

9. The RICT days estimates for Unit 1 and 2 TS Case 3.8.9.A are 2.2 days and 2.4 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

10. The RICT days estimates for Units 1 and 2 TS Case 3.8.9.B are 7.7 days and 9.3 days, respectively. A review of cutsets was performed, and it was concluded that fire cutsets do not dominate the results. However, the differences are partially attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing and partially attributable to asymmetries associated with the FPIE model. Note that the associated FPIE model asymmetries will not exist in the final RICT model.

11. The RICT days estimates for Units 1 and 2 TS Case 3.8.9.C are 3.0 days and 3.2 days, respectively. A review of cutsets was performed, and it was concluded that the differences are primarily attributable to asymmetries between Units 1 and 2 with respect to the interactions between fire characteristics, equipment layout, and cable routing.

Instrumentation and Controls Branch (EICB) Audit Questions EICB AUDIT QUESTION 01 - TS Table 3.3.1-1 Function 13, SG Water Level For TS Table 3.3.1-1 Function 13, Steam Generator (SG) Water Level, the proposed technical variation to TSTF-505 is discussed in LAR Section 2.3.2.1, starting on page A1-4 of 7 (PDF page 8 of 405).

a) The TS Bases state:

Control/protection interaction is addressed by the use of the Median Signal Selector that prevents a single failure of a channel providing input to the control system requiring protection function action. That is, a single failure of a channel providing input to the control system does not result in the control system initiating a condition requiring protection function action. The Median Signal Selector performs this by not selecting the channels indicating the highest or lowest steam generator levels as input to the control system.

However, it is not clear how control/protection interaction is adequately addressed when one channel inoperable, but is not placed in trip or has the setpoint adjusted. If control/protection interaction is NOT adequately addressed, then a LOF condition exists b) How does the OR (between V.1 & V.2, as well as between W.1 & W.2 - see PDF page 26 of 405 of the LAR) work on proposed condition (V) and (W) when deciding on entering a RICT?

CNL-22-023 E1-58 of 65 TVA Response Response to Part a)

Current plant design is that control/protection interaction is addressed by the use of the Median Signal Selector that prevents a single failure of a channel providing input to the control system requiring protective function action. That is, a single failure of a channel providing input to the control system does not result in the control system initiating a condition requiring protection function action. The Median Signal Selector performs this by not selecting the channels indicating the highest or lowest steam generator levels as input to the control system. The non-safety Steam Generator Water Level control system continuously performs range and deviation checking on the signals used for level control. Any out of range condition or deviation greater than allowed values are promptly handled automatically by the system to prevent driving water level high or low to challenge safety systems. Upon failure of the first channel, the remaining channels are averaged to provide the control function. The Steam Generator Water Level - Low Low Function is a 2-out-of-3 logic. This precludes an analyzed event from occurring with the inoperability of that channel. Should a second channel fail in the control system, the controller will be in manual at the last good value with an alarm to the MCR staff.

With one channel inoperable, the safety function is maintained, but no longer meets single failure criteria. Performing either Required Action U.1 or U.2 will restore required redundancy.

If neither of these Required Actions occur within the required Completion Times, then while a loss of function has not occurred, Proposed Condition X requires plant shutdown.

Response to Part b)

Required Actions V.1 (W.1) and V.2 (W.2) are co-equal options and are not inter-dependent. If Required Action V.1 (W.1) was chosen as the success path, a 6-hour Completion Time is required. If Required Action V.2 (W.2) was chosen, the channel would be placed in trip in a Completion Time of either 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> or in accordance with the Risk Informed Completion Time Program. Alternatively, both Required Actions could be pursued concurrently or sequentially (e.g., V.2 (W.2) is commenced prior to exceeding the Completion Time of V.1 (W.1)).

EICB AUDIT QUESTION 03 - TS Condition 3.3.2.F Regarding LAR Table E1-1, Condition 3.3.2.F, explain why one of one switch is not a loss of function.

TVA Response There are four switches in the control room and each switch initiates action to immediately close its associated main steam isolation valve (MSIV). With one manual initiation switch inoperable, the other three are available to perform their required function. This is bounded by the Additional Justification provided in LAR Enclosure 1, Section 2.6 regarding Condition A: One MSIV inoperable in Mode 1. As described therein, the steam line break isolation function assumed in the accident analysis is maintained with one MSIV inoperable (but open).

Therefore, loss of one of four manual isolation switches does not constitute a loss of function.

The Design Success Criteria of LAR Table E1-1, Condition 3.3.2.F has been clarified to read Three of four main steam line isolation manual channels in Enclosure 2.

CNL-22-023 E1-59 of 65 EICB AUDIT QUESTION 04 - TS Condition 3.3.2.K Regarding LAR Table E1-1, Condition 3.3.2.K, explain why one inoperable channel when 4 channels required is not a loss of function.

TVA Response TS 3.3.2 Condition K is associated with TS Table 3.3.2-1, Function 6.b.(1) [Auxiliary Feedwater

- Steam Generator Water Level - Low Low (Adverse), Coincident with RCS Loop ¨T] and Function 6.b.(2) [Auxiliary Feedwater - Steam Generator Water Level - Low Low (EAM),

Coincident with RCS Loop ¨T]. The four channels of RCS Loop ¨T are each associated with one of four Steam Generator hot and cold legs. The logic for the motor-driven AFW pumps is that the Steam Generator - Low Low actuation requires 2 of 3 channels in 1 of 4 loops. The logic for the turbine-driven AFW pump is that the Steam Generator - Low Low actuation requires 2 of 3 channels in 2 of 4 loops. Thus, the design success criteria for LAR Table E1-1, Condition 3.3.2.K should be 2 channels required.

revises the LAR for this Table E1-1 entry, and to cite an additional Technical Variation in Section 2.3 of Attachment 1 to the LAR.

EICB AUDIT QUESTION 05 - Defense in Depth Starting on LAR page E1-33 of 36 (PDF page 339 of 405), the licensee provides a general description of the defense-in-depth for the facility; however, the NRC staff is interested in evaluating the defense in depth with respect to each event in the accident analysis. Typically, the LAR includes a table that identifies, for each event in Chapter 15, the primary and the diverse means to address that event. Please prepare such a table in preparation for the audit.

TVA Response The requested table is provided below. It tabulates all the UFSAR Chapter 15 events and provides which primary Reactor Trip System (RTS) and Engineered Safety Feature Actuation System (ESFAS) functions are credited. The functions in the right-hand column represent a diverse means of performing the protective action but are not necessarily analyzed as providing equivalent protection. This table should be considered additive to LAR, Section 3.

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-60 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation 15.1.10 Loss of One (Redundant) DC System N/A N/A N/A 15.2.1 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition Power Range High Neutron Flux Reactor Trip (Low Setting)

N/A Power Range High Neutron Flux Reactor Trip (High Setting)

Power Range High Positive Neutron Flux Rate Trip Source Range High Neutron Flux Reactor Trip Intermediate Range High Neutron Flux Reactor Trip Manual Reactor Trip 15.2.2 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power Power Range High Neutron Flux Reactor Trip (High Setting)

Overtemperature ¨T Trip Overpower ¨T Trip Pressurizer Pressure High Trip Pressurizer Water Level High Trip N/A Overtemperature ¨T Trip Overpower ¨T Trip Pressurizer Pressure High Trip Pressurizer Water Level High Trip Manual Reactor Trip 15.2.3 Rod Cluster Control Assembly Misalignment (dropped rod/bank)

Power Range High Negative Neutron Flux Rate Trip N/A Manual Reactor Trip 15.2.4 Uncontrolled Boron Dilution Overtemperature ¨T Trip Source Range Neutron Flux Trip Pressurizer Water Level High Trip N/A Manual Reactor Trip

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-61 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation 15.2.5 Partial Loss of Forced Reactor Coolant Flow Reactor Coolant Flow Low Trip N/A Undervoltage Reactor Coolant Pump (RCP) Trip Manual Reactor Trip 15.2.6 Startup of an Inactive Reactor Coolant Loop Reactor Coolant Flow Low Trip with Reactor Trip System Interlocks (Power Range Neutron Flux, P-8)

N/A Manual Reactor Trip 15.2.7 Loss of External Electrical Load and/or Turbine Trip Pressurizer Pressure High Trip Pressurizer Water Level High Trip Overtemperature ¨T Trip RCP Undervoltage Trip Steam Generator Water Level Low-Low Trip N/A Turbine Trip Low Fluid Oil Pressure Trip Turbine Trip Turbine Stop Valve Closure Trip 15.2.8 Loss of Normal Feedwater Steam Generator Water Level Low-Low Trip Auxiliary Feedwater (Steam Generator Water Level Low-Low) Initiation N/A Manual Reactor Trip Auxiliary Feedwater (Trip of All Feedwater Pumps) Initiation Auxiliary Feedwater (Steam Generator Water Level Low-Low) Initiation 15.2.9 Loss of Off-site Power to the Station Auxiliaries Pressurizer Pressure High Trip Pressurizer Water Level High Trip Overtemperature ¨T Trip Overpower ¨T Trip Steam Generator Water Level Low-Low Trip Yes Turbine Trip Low Fluid Oil Pressure Trip Turbine Trip Turbine Stop Valve Closure Trip Reactor Coolant Flow Low Trip Undervoltage RCP Trip Manual Reactor Trip

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-62 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation Auxiliary Feedwater (Steam Generator Water Level Low-Low) Initiation Auxiliary Feedwater (Trip of All Feedwater Pumps) Initiation Auxiliary Feedwater (Trip of All Feedwater Pumps) Initiation Auxiliary Feedwater (Steam Generator Water Level Low-Low) Initiation 15.2.10 Excessive Heat Removal Due to Feedwater System Malfunctions (Bounded by Event 15.2.1)

(See Event 15.2.1)

N/A (See Event 15.2.1)

Turbine Trip Low Fluid Oil Pressure Trip Turbine Trip Turbine Stop Valve Closure Trip 15.2.11 Excessive Load Increase Overpower ¨T Trip Overtemperature ¨T Trip Power Range High Neutron Flux Trip N/A Manual Reactor Trip 15.2.12 Accidental Depressurization of the Reactor Coolant System Overtemperature ¨T Trip N/A Pressurizer Pressure Low Trip 15.2.13 Accidental Depressurization of the Main Steam System Power Range Neutron Flux High Trip Overpower ¨T Trip Safety Injection (Steam Line Pressure Low) Initiation Safety Injection (Low Pressurizer Pressure) Initiation N/A Overpower ¨T Trip Power Range Neutron Flux High Trip Safety Injection (Low Pressurizer Pressure) Initiation Safety Injection (Steam Line Pressure Low) Initiation 15.2.14 Spurious Operation of the Safety Injection System at Power Pressurizer Pressure Low Trip Safety Injection Input from ESFAS Reactor Trip N/A Manual Reactor Trip 15.3.1 Loss Of Reactor Coolant from Small Ruptured Pipes or From Cracks In Pressurizer Pressure Low Trip Safety Injection (Pressurizer Pressure N/A Manual Reactor Trip Safety Injection (Containment High

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-63 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation Large Pipes, Which Actuates Emergency Core Cooling System Low) Initiation Auxiliary Feedwater (Trip of all Main Feedwater Pumps) Initiation Turbine Trip and Feedwater Isolation (Safety Injection Initiation)

Pressure) Initiation Safety Injection Manual Initiation Auxiliary Feedwater (Safety Injection)

Initiation 15.3.2 Minor Secondary System Pipe Breaks (Bounded by Events 15.2.13 and 15.4.2)

(See Events 15.2.13 and 15.4.2)

N/A (See Events 15.2.13 and 15.4.2) 15.3.3 Inadvertent Loading of a Fuel Assembly into An Improper Position N/A N/A N/A 15.3.4 Complete Loss of Forced Reactor Coolant Flow Undervoltage RCP Trip Underfrequency RCP Trip Reactor Coolant Low Flow Trip N/A Manual Reactor Trip 15.3.5 Waste Gas Decay Tank Rupture N/A N/A N/A 15.3.6 Single Rod Cluster Control Assembly Withdrawal at Full Power Overtemperature ¨T Trip N/A Manual Reactor Trip 15.3.7 Steam Line Break Coincident with Rod Withdrawn At Power Overpower ¨T Trip Safety Injection Input from ESFAS Reactor Trip (Low Steamline Pressure)

N/A Safety Injection Input from ESFAS Reactor Trip (Low Steamline Pressure)

Overpower ¨T Trip 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident)

Pressurizer Pressure Low Trip Safety Injection (Containment Pressure Yes Manual Reactor Trip Safety Injection (Pressurizer Pressure

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-64 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation High) Initiation Containment Spray (Containment Pressure High) Initiation Containment Isolation (Phase B Containment Pressure High High)

Low) Initiation Containment Spray Phase B Manual Initiation 15.4.2.1 Major Secondary System Pipe Rupture (Rupture of a Main Steam Line)

Overpower ¨T Trip Power Range Neutron Flux High Trip Safety Injection (Steam Line Pressure Low) Initiation Steam Line Isolation (Steam Line Pressure Low)

Steam Line Isolation (Negative Rate High)

Turbine Trip and Feedwater Isolation (Safety Injection Initiation)

Yes Manual Reactor Trip Safety Injection Input from ESFAS Reactor Trip Safety Injection (Pressurizer Pressure Low) Initiation Safety Injection (Containment Pressure High) Initiation Steam Line Isolation (Containment Pressure High)

Steam Line Isolation (Manual)

Turbine Trip and Feedwater Isolation (Automatic Actuation Logic and Actuation Relays Initiation) [Manual]

15.4.2.2 Major Secondary System Pipe Rupture (Major Rupture of a Main Feedwater Pipe)

Steam Generator Water Level Low Low Trip Safety Injection (Steam Line Pressure Low) Initiation Auxiliary Feedwater (Steam Generator Water Level Low Low) Initiation Yes Pressurizer Pressure High Trip Overtemperature ¨T Trip Safety Injection (Containment Pressure High) Initiation Auxiliary Feedwater (Safety Injection)

Initiation

Table EICB-05-1 Primary Diverse Means of Mitigating UFSAR Chapter 15 Events CNL-22-023 E1-65 of 65 UFSAR Section Event Description RTS or ESFAS Signal(s) Actuated Loss of Power Diverse RTS or ESFAS Instrumentation 15.4.3 Steam Generator Tube Rupture Pressurizer Pressure Low Trip Safety Injection (Pressurizer Pressure Low) Initiation Auxiliary Feedwater (Safety Injection)

Initiation Yes Manual Reactor Trip Safety Injection (Manual) Initiation Auxiliary Feedwater (Automatic Actuation Logic and Actuation Relay)

Initiation [Manual]

15.4.4 Single Reactor Coolant Pump Locked Rotor Reactor Coolant Flow Low Trip N/A Manual Reactor Trip 15.4.5 Fuel Handling Accident N/A N/A N/A 15.4.6 Rupture of a Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection)

Power Range High Neutron Flux Trip (High and Low Setting)

N/A Power Range Neutron Flux Rate High Positive Rate Trip

Modifications to the License Amendment Request (19 Pages)

CNL-22-023

CNL-21-026 A1-4 of 7 2.3.1.6 TSTF-505 applies RICT to certain RAs that require additional plant-specific justification. For several of these RAs, the SQN design has not been able to meet the necessary justification, so a RICT has not been applied. For example, as the proposed SQN RICT Program is applicable in Modes 1 and 2, TVA will not adopt changes in TSTF-505 for Required Actions that are only applicable in Mode 3 and below.

2.3.1.7 TSTF-505 applies RICT to TS 3.6.3 RA A.1. The SQN TS differ in that Condition A references Conditions E, F, and G, whereas STS references Conditions D and E.

Additionally, the SQN RA A.1 Completion Times previously incorporated TSTF-446, Risk Informed Evaluation of Extensions to Containment Isolation Valve Completion Times (WCAP-15791). Adoption of TSTF-446 does not invalidate the ability to alternatively apply a RICT.

2.3.1.8 TSTF-505 applies a RICT to TS 3.7.8 Required Action A.1, Restore SWS train to Operable status, for Condition A, One SWS train inoperable. This correlates to SQN RA B.1, Restore ERCW System train to Operable status, for Condition B, One ERCW System train inoperable for reasons other than Condition A. An additional element of this variation is to make certain formatting changes to Page 3.7.8-2 in conformance with the ITS Writers Guide for both SQN units.

2.3.1.9 TSTF-505 applies a RICT to TS 3.3.1 Conditions C and J whose instrumentation Functions are only applicable in Modes 3, 4, 5. The SQN PRA is only applicable in Modes 1 and 2. Therefore, RICTs are not applied to these Functions.

2.3.1.10 Certain SQN TS did not include a RICT because it could not be verified that there would not be a loss of function, or that the function was adequately modeled in the PRA.

2.3.1.11 STS TS 3.8.9 Condition A states: One or more AC electrical power distribution subsystems inoperable. SQN TS 3.8.9 Condition A states: One or more AC electrical power distribution subsystems inoperable due to one or more Unit 1 AC shutdown boards inoperable, and Condition B states: One or more AC vital instrument power distribution subsystems inoperable. The SQN Conditions are considered to be subsets of the more general wording of the STS Condition. Accordingly, the justification for applying a RICT in the STS Condition are equally justified for applying a RICT to these SQN TS Conditions.

2.3.2 Technical Variations The following variations from the TSTF-505 template for NUREG-1431 are considered to be technical in nature.

2.3.2.1 SQN TS 3.3.1 has several Instrumentation Functions on Table 3.3.1-1 that do not appear in the STS, and so are not addressed in the TSTF-505 markup. These Functions are:

13.a Steam Generator Water Level Low-Low (Adverse), Coincident with Containment Pressure (EAM), and RCS Loop ¨T 13.b Steam Generator Water Level Low-Low (EAM), Coincident with RCS Loop ¨T 2.3.1.12 The language of the TSTF-505 RICT Program Description (Section 5.5.18 Paragraph e states: "Methods to assess the risk from extending the Completion Times must be PRA methods used to support this license amendment,..." The NRC Safety Evaluation for TSTF-505 has alternate phrasing: "Methods to assess the risk from extending the Completion Times must be PRA methods approved for use with this program,..." TVA has concluded the alternate NRC phrasing is more appropriate.

Reference:

Response

to STSB-01

2.3.2.4 SQN TS 3.3.2 Condition K is invoked from the RCS Loop ¨T elements of Function 6.b (Steam Generator Water Level - Low Low) that has no analogous counterpart in the STS, and so are not addressed in the TSTF-505 markup. There are three Steam Generator Water Level Low-Low channels per steam generator arranged in a two-out-of-three logic. These channels are arranged in four protection sets with each channel of the Containment Pressure (EAM) and RCS Loop ¨T inputting into its associated protection set. The Trip Time Delay (TTD) creates additional operational margin during early escalation to power, by allowing the operator time to recover level when the primary side load is sufficiently small to allow such action. The TTD is based on continuous monitoring of primary side power through the use of RCS loop T. Failure of the RCS loop ¨T channel input (failure of more than one TH RTD or failure of a TC RTD) does not affect the TTD calculation for a protection set. This results in the requirement that the operator adjust the threshold power level for zero seconds time delay from 50% RTP to 0% RTP within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. With the trip time delay adjusted to zero seconds the additional operational margin that allows the operator time to recover SG level is removed. This element of Function 6.b is therefore assessed as passing the exclusion criteria of TSTF-505 with one channel inoperable, and that placing a channel in trip will not result in a loss of function.

Accordingly, it is acceptable to allow the option of a RICT to this RA.



Insert 1

CNL-21-026 A1-5 of 7 These Functions invoke Conditions R, S, and T, which in turn direct placing an inoperable channel in trip as a Required Action (R.2, S.2, and T.2). The Steam Generator Water Level Low-Low trip protects the reactor from loss of heat sink in the event of a sustained steam/feedwater flow mismatch resulting from loss of normal feedwater or a feedwater system pipe break outside of containment. This function also provides input to the steam generator level control system. IEEE-279 requirements are satisfied by 2/3 logic for protection function actuation, thus allowing for a single failure of a channel and still performing the protection function. These Functions are therefore assessed as passing the exclusion criteria of TSTF-505 with one channel inoperable, and that placing a channel in trip will not result in a loss of function.

Accordingly, it is acceptable to allow the option of a RICT to these RAs. Consistent with the TSTF-505 philosophy, the Mode 3 RAs are nested in Condition U. Note -

Conditions R, S, T, and U are re-lettered as Conditions V, W, X, and Y, respectively.

2.3.2.2 SQN TS 3.3.2 has an Instrumentation Function on Table 3.3.2-1 that does not appear in the STS, and so is not addressed in the TSTF-505 markup. This Function is:

6.d. (1) Auxiliary Feedwater - Loss of Offsite Power - Voltage Sensors This Function invokes Condition L, which in turn directs restoring the inoperable channel to Operable status as a Required Action (L.1). A loss of offsite power to the 6.9 kV Unit-boards (Reactor Coolant Pump buses) will be accompanied by a loss of reactor coolant pumping power and the subsequent need for some method of decay heat removal. The AFW loss of offsite power is detected by a voltage drop on each 6.9 kV shutdown board. Loss of power to either 6.9 kV shutdown board will start the turbine driven AFW pump to ensure that at least one SG contains enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor trip. The loss-of-voltage relaying on the 6.9 kV shutdown board uses three solid-state voltage sensors in a two-out-of-three voltage sensor logic (27T-S1A, S1B, &

S1C) for loss-of-power detection. A two-out-of-three logic from the voltage sensor channels energizes two parallel separate timing relays with a one-out-of-two logic scheme (LV1 and LV2). This Function is therefore assessed as passing the exclusion criteria of TSTF-505 with one voltage sensor channel inoperable, and that restoring the channel to Operable status does not entail a loss of function. Accordingly, it is acceptable to allow the option of a RICT to this RA.

2.3.2.3 SQN TS 3.8.1 contains Condition C, which does not appear in STS, One offsite circuit inoperable solely due to an offsite power source to 6.9 kV Shutdown Board 2A-A or 2B-B inoperable. The onsite Class 1E AC Electrical Power Distribution System is divided into two redundant and independent load groups with two 6.9 kV Shutdown Boards in each load group. Each 6.9 kV Shutdown Board has a connection to a preferred offsite power source and a diesel generator (DG). Offsite power can also be supplied by the Common Station Service Transformers (CSSTs) via the 6.9 kV Start Buses and 6.9 kV Unit Boards. CSST C is the alternate power source for 6.9 kV Shutdown Boards 1A-A and 2A-A, and CSST A is the alternate power source for 6.9 kV Shutdown Boards 1B-B and 2B-B. Accordingly, one offsite circuit being inoperable solely due to an offsite power source being unable to supply the 6.9 kV Shutdown Boards does not result in a loss of function due to the availability of the alternate offsite power source and the DG. Accordingly, it is acceptable to apply a RICT to Required Action C.1, Restore offsite circuit to Operable status.

Insert 1

Reference:

Response

to EICB-04

H

7KHULVNDVVHVVPHQWDSSURDFKHVDQGPHWKRGVVKDOOEHDFFHSWDEOHWRWKH 15&7KHSODQW35$VKDOOEHEDVHGRQWKHDVEXLOWDVRSHUDWHGDQG PDLQWDLQHGSODQWDQGUHIOHFWWKHRSHUDWLQJH[SHULHQFHDWWKHSODQWDV VSHFLILHGLQ5HJXODWRU\\*XLGH5HYLVLRQ0HWKRGVWRDVVHVV WKHULVNIURPH[WHQGLQJWKH&RPSOHWLRQ7LPHVPXVWEH35$PHWKRGV XVHGWRVXSSRUWWKLVOLFHQVHDPHQGPHQWRURWKHUPHWKRGVDSSURYHG E\\WKH15&IRUJHQHULFXVHDQGDQ\\FKDQJHLQWKH35$PHWKRGVWR DVVHVVULVNWKDWDUHRXWVLGHWKHVHDSSURYDOERXQGDULHVUHTXLUHSULRU 15&DSSURYDO

XVHG WR VXSSRUW WKLV OLFHQVH DPHQGPHQW approved for use with this program PDF pages 18 and 69 of 405 to the LAR

Reference:

Response

to STSB-01

'LVWULEXWLRQ6\\VWHPV2SHUDWLQJ



6(482<$++/-81,7



$PHQGPHQWBBB

(/(&75,&$/32:(56<67(06



'LVWULEXWLRQ6\\VWHPV2SHUDWLQJ

/&2

7ZRHOHFWULFDOSRZHUGLVWULEXWLRQWUDLQVVKDOOEH23(5$%/(

$33/,&$%,/,7<

02'(6DQG

$&7,216

&21',7,21

5(48,5('$&7,21

&203/(7,217,0(

$ 2QHRUPRUH$&

HOHFWULFDOSRZHU

GLVWULEXWLRQVXEV\\VWHPV

LQRSHUDEOHGXHWRRQHRU

PRUH8QLW$&

VKXWGRZQERDUGV

LQRSHUDEOH

$

127(

(QWHUDSSOLFDEOH&RQGLWLRQV

DQG5HTXLUHG$FWLRQVRI

/&2'&6RXUFHV

2SHUDWLQJIRUYLWDO'&

HOHFWULFDOSRZHUWUDLQV

PDGHLQRSHUDEOHE\\

LQRSHUDEOH$&HOHFWULFDO

SRZHUGLVWULEXWLRQ

VXEV\\VWHPV



5HVWRUH8QLW$&HOHFWULFDO

SRZHUGLVWULEXWLRQ

VXEV\\VWHPVWR

23(5$%/(VWDWXV

KRXUV

25

,QDFFRUGDQFHZLWK

WKH5LVN,QIRUPHG

&RPSOHWLRQ7LPH

3URJUDP

% 2QHRUPRUH$&YLWDO LQVWUXPHQWSRZHU GLVWULEXWLRQVXEV\\VWHPV LQRSHUDEOH

%

5HVWRUH$&YLWDOLQVWUXPHQW

SRZHUGLVWULEXWLRQ

VXEV\\VWHPVWR

23(5$%/(VWDWXV

KRXUV

25

,QDFFRUGDQFHZLWK

WKH5LVN,QIRUPHG

&RPSOHWLRQ7LPH

3URJUDP

PDF page 177 of 405 to the LAR Correction to retyped page

Programs and Manuals 5.5 SEQUOYAH - UNIT 1 5.5-18 Amendment BBB 2.

For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.

3.

Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

G

For emergent conditions, if the extent of condition evaluation for

inoperable structures, systems, or components (SSCs) is not complete

prior to exceeding the Completion Time, the RICT shall account for the

increased possibility of common cause failure (CCF) by either:



Numerically accounting for the increased possibility of CCF in the

RICT calculation; or



Risk Management Actions (RMAs) not already credited in the

RICT calculation shall be implemented that support redundant or

diverse SSCs that perform the function(s) of the inoperable SSCs,

and, if practicable, reduce the frequency of initiating events that

challenge the function(s) performed by the inoperable SSCs.

7KHULVNDVVHVVPHQWDSSURDFKHVDQGPHWKRGVVKDOOEH

DFFHSWDEOHWRWKH15&7KHSODQW35$VKDOOEHEDVHGRQWKHDV

EXLOWDVRSHUDWHGDQGPDLQWDLQHGSODQWDQGUHIOHFWWKHRSHUDWLQJ

H[SHULHQFHDWWKHSODQWDVVSHFLILHGLQ5HJXODWRU\\*XLGH

5HYLVLRQ0HWKRGVWRDVVHVVWKHULVNIURPH[WHQGLQJWKH

&RPSOHWLRQ7LPHVPXVWEH35$PHWKRGVDSSURYHGIRUXVHZLWK

WKLVSURJUDPRURWKHUPHWKRGVDSSURYHGE\\WKH15&IRUJHQHULF

XVHDQGDQ\\FKDQJHLQWKH35$PHWKRGVWRDVVHVVULVNWKDWDUH

RXWVLGHWKHVHDSSURYDOERXQGDULHVUHTXLUHSULRU15&DSSURYDO

H

PDF page 181 of 405 to the LAR

Reference:

Response

to STSB-01

Programs and Manuals 5.5 SEQUOYAH - UNIT 

5.5-18 Amendment BBB 2.

For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the plant configuration change, whichever is less.

3.

Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

G

For emergent conditions, if the extent of condition evaluation forinoperable structures, systems, or components (SSCs) is not completeprior to exceeding the Completion Time, the RICT shall account for theincreased possibility of common cause failure (CCF) by either:



Numerically accounting for the increased possibility of CCF in the

RICT calculation; or



Risk Management Actions (RMAs) not already credited in theRICT calculation shall be implemented that support redundant ordiverse SSCs that perform the function(s) of the inoperable SSCs,and, if practicable, reduce the frequency of initiating events thatchallenge the function(s) performed by the inoperable SSCs.

7KHULVNDVVHVVPHQWDSSURDFKHVDQGPHWKRGVVKDOOEHDFFHSWDEOHWRWKH

15&7KHSODQW35$VKDOOEHEDVHGRQWKHDVEXLOWDVRSHUDWHGDQG

PDLQWDLQHGSODQWDQGUHIOHFWWKHRSHUDWLQJH[SHULHQFHDWWKHSODQWDV

VSHFLILHGLQ5HJXODWRU\\*XLGH5HYLVLRQ0HWKRGVWRDVVHVVWKH

ULVNIURPH[WHQGLQJWKH&RPSOHWLRQ7LPHVPXVWEH35$PHWKRGVDSSURYHG

IRUXVHZLWKWKLVSURJUDPRURWKHUPHWKRGVDSSURYHGE\\WKH15&IRU

JHQHULFXVHDQGDQ\\FKDQJHLQWKH35$PHWKRGVWRDVVHVVULVNWKDWDUH

RXWVLGHWKHVHDSSURYDOERXQGDULHVUHTXLUHSULRU15&DSSURYDO

H

PDF page 249 of 405 to the LAR

Reference:

Response

to STSB-01

CNL-21-026 A5-4 of 8 TSTF-505 TS Section Title/

Section/

Condition Description TSTF-505 TS/RA SQN TS/RA Disposition Variation Reference I. One channel inoperable I.1 I.2 I.2 N/A Added RICT to I.2 N/A Administrative Variation - Section 2.3.1.3 Administrative Variation - Section 2.3.1.2 J. One Main Feedwater Pumps trip channel inoperable J.1 J.2 N.1 N.2 Added RICT to N.1 Deleted N.2 Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 K. One channel inoperable K.1 K.2.1 K.2.2 Q.1 [Re-lettered]

P.2.1 P.2.2 Re-lettered P.1 Deleted P.2.1 Deleted P.2.2 Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 L. One or more channels inoperable N/A L.2.1 L.2.2 R.1 [Re-lettered]

Q.2.1 Q.2.2 Re-lettered Q.1 Deleted Q.2.1 Deleted Q.2.2 Administrative Variation - Section 2.3.1.3 Administrative Variation - Section 2.3.1.3 Administrative Variation - Section 2.3.1.3 M. Required Action and associated Completion Time of Conditions B, C, or K not met

[new]

M.1 [new]

M.2 [new]

S.1 [new]

S.2 [new]

Added new Condition S Added new Condition S Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 N. Required Action and associated Completion Time of Conditions D, E, F, G, or L not met [new]

N.1 [new]

N.2 [new]

T.1 [Re-lettered]

T.2 [Re-lettered]

Re-lettered R.1 Re-lettered R.2 Condition T is invoked for Conditions D, E, G, H, I, J, K, or R Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.4 O. Required Action and associated Completion Time of Conditions H, I, or J not met

[new]

O.1 [new]

O.1 [new]

Added new Condition O Condition O invoked by Condition N Administrative Variation - Section 2.3.1.5 N/A N/A L.1 Added RICT to L.1 Technical Variation - Section 2.3.2.2 N/A N/A N/A U.1 [Re-lettered]

U.2 [Re-lettered]

Re-lettered S.1 Re-lettered S.2 Administrative Variation - Section 2.3.1.1 Administrative Variation - Section 2.3.1.1 N/A N/A J.3.1 J.3.2 K.3.1 K.3.2 Deleted J.3.1 Deleted J.3.2 Deleted K.3.1 Deleted K.3.2 Administrative Variation - Section 2.3.1.4 Administrative Variation - Section 2.3.1.4 Administrative Variation - Section 2.3.1.4 Administrative Variation - Section 2.3.1.4 LOP DG Start Instrumentation 3.3.5 3.3.5 A. One of more Functions with one channel per bus inoperable.

A.1 A.1 Added RICT to A.1 No variation B. One or more Function with two or more channels per bus inoperable.

B.1 B.1 Did not add RICT to B.1 Administrative Variation - Section 2.3.1.6 N/A N/A K.2 Added RICT to K.2 Technical Variation - Section 2.3.2.4

Reference:

Response

to EICB-04

CNL-21-026 A5-8 of 8 TSTF-505 TS Section Title/

Section/

Condition Description TSTF-505 TS/RA SQN TS/RA Disposition Variation Reference DC Sources - Operating 3.8.4 3.8.4 A. One [or two] battery charger[s on one train]

inoperable.

A.3 A.3 Added RICT to A.3 Administrative Variation - Section 2.3.1.1

[B. One [or two] batter[y][ies] on one train] inoperable.

B.1 N/A N/A Administrative Variation - Section 2.3.1.2 C. One DC electrical power subsystem inoperable for reasons other than Condition A

[or B].

C.1 B.1 Added RICT to B.1 Administrative Variation - Section 2.3.1.1 Inverters - Operating 3.8.7 3.8.7 A. One [required] inverter inoperable.

A.1 A.1 Added RICT to A.1 No variation Distribution Systems -

Operating 3.8.9 3.8.9 A. One or more AC electrical power distribution subsystems inoperable.

A.1 A.1 and B.1 Added RICT to A.1 and B.1 Administrative Variation - Section 2.3.1.11 B. One or more AC vital buses inoperable.

B.1 N/A N/A Administrative Variation - Section 2.3.1.2 C. One or more DC electrical power distribution subsystems inoperable.

C.1 C.1 Added RICT to C.1 Administrative Variation - Section 2.3.1.1 Risk Informed Completion Time Program 5.5.18 5.5.18 Program Description 5.5.18 5.5.18 Added Program Description No variation No variation Administrative Variation - Section 2.3.1.12

Reference:

Response

to STSB-01 CNL-21-026 E1-11 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments Steam Line Isolation - Steam Line Pressure -

Negative Rate -

High (Function 4.d.2) (3 channels per steam line)

Turbine Trip and Feedwater Isolation-SG Water Level-High High (P-14)

(Function 5.b)

(3 channels per SG required)

Water Level-High High-P-14): two of three channels on any SG 3.3.2.F ESFAS Instrumentation

- One channel inoperable Steam Line Isolation - Manual Initiation (Function 4.a)

(1 channel per steam line)

Not explicitly Manual ESFAS Initiation, Steam Line Isolation One of one switch per main steam isolation valve (MSIV)

Same as design criteria Channel inputs are not explicitly modeled, but the isolation function is modeled. Failure of MSIVs to close is used as a surrogate.

3.3.2.H ESFAS Instrumentation

- One train inoperable Steam Line Isolation -

Automatic Actuation Logic and Actuation Relays (Function 4.b) (2 trains required)

Turbine Trip and Feedwater Isolation -

Yes (except Turbine Trip and Feedwater Isolation which are implicitly modeled)

Trip main turbine, isolate MFW, actuate AFW One of two trains Same as design criteria The function not explicitly modeled in the PRA are represented by surrogate modeling for the ESFAS master relays and reduced capacity of the RTBs.

One of one switch per main steam isolation valve (MSIV)

Three of four main steam line isolation manual channels

Reference:

Response

to EICB-03 CNL-21-026 E1-12 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments Automatic Actuation Logic and Actuation Relays (Function 5.a) (2 trains required)

Auxiliary Feedwater (AFW)

- Automatic Actuation Logic and Actuation Relays (Function 6.a) (2 trains required) 3.3.2.I ESFAS Instrumentation

- One channel inoperable AFW - SG Water Level - Low Low -

Adverse (Function 6.b.(1) (3 channels per SG required)

AFW - SG Water Level - Low Low -

EAM (Function 6.b.(2) (3 channels per SG required)

Not Explicitly ESF Actuation Two out of three channels Same as design criteria Not explicitly modeled.

The modeled SG channel relays and bistable/comparator are used as surrogates.

3.3.2.K ESFAS Instrumentation

- One channel inoperable AFW - SG Water Level - Low Low -

Adverse - RCS Loop ¨T (Function 6.b.(1))

(4 channels required)

Yes ESF Actuation 4 channels required One of two trains See Note 1 4

4 2

Reference:

Response

to EICB-04 CNL-21-026 E1-13 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments AFW - SG Water Level - Low Low -

EAM - RCS Loop

¨T (Function 6.b.(2))

(4 channels required) 3.3.2.L ESFAS Instrumentation

- One voltage sensor channel inoperable AFW - Loss of Offsite Power -

Voltage Sensors (Function 6.d.(1)

(3 channel per shutdown board required)

Not Explicitly AFW initiation Two of three sensors per train One of two trains Not explicitly modeled.

Master relays for MD/TD AFW initiation are used as surrogates.

3.3.2.N ESFAS Instrumentation

- One Main Feedwater Pumps trip channel inoperable AFW - Trip of all Main Feedwater Pumps (Function 6.e) (1channel per pump required)

Not Explicitly AFW automatic initiation One of two trains Same as design criteria Not explicitly modeled.

Master relays for MD/TD AFW initiation are used as surrogates.

3.3.5.A LOP Diesel Generator (DG)

Start Instrumentation

- One or more Functions with one voltage sensor channel inoperable 6.9 kV Shutdown Board - Loss of Voltage - Voltage Sensors (3 per shutdown board),

Diesel Generator Start and Load Shed Timer (1 per shutdown board) 6.9 kV Shutdown Board - Degraded Voltage - Voltage Not Explicitly Diesel start instrumentation, bus load

shedding, initiation, and sequencing Loss of Voltage and Degraded Voltage - two out of three logic Unbalanced Voltage -

permissive one out of two logic Degraded Voltage Timer - one out of two logic Available shutdown board and DG start relay Not explicitly modeled.

Diesel Generator start relays with assumed failure of associated 6.9 kV Shutdown Board used as conservative surrogate.

2

Reference:

Response

to EICB-04 CNL-21-026 E1-17 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments 3.6.8.B HMS - One containment region with no OPERABLE hydrogen ignitor.

Two HMS trains with ignitors Yes Controlled burn of hydrogen to prevent buildup following a degraded core accident One region without an operable ignitor One of two trains Individual regions are not modeled in the PRA. Loss of both HMS trains used as a conservative surrogate.

3.6.11.A Air Return System (ARS)

- One ARS train inoperable Two ARS 100%

capacity trains Yes Rapid return of air from upper to lower containment compartment after initial blowdown following a DBA One ARS train Same as design criteria 3.7.2.A MSIVs - One MSIV inoperable in Mode 1 MSIVs Yes Isolate Main Steam Lines One MSIV closure per steam generator Same as design criteria 3.7.5.A AFW System -

Turbine driven AFW train inoperable due to one inoperable steam supply OR One turbine driven AFW pump inoperable in MODE 3 Turbine Driven AFW Train (valves, flowpath, pump)

Yes Supply feedwater to SGs to remove decay heat from the RCS One train of AFW Same as design criteria without with

Reference:

Response

to SCPB-01 CNL-21-026 E1-18 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments following refueling 3.7.5.B AFW System -

Turbine driven AFW train inoperable in MODE 1, 2, or 3 for reasons other than Condition A Turbine Driven AFW Train (valves, flowpath, pump)

Yes Supply feedwater to SGs to remove decay heat from the RCS One train of AFW Same as design criteria 3.7.7.A Component Cooling Water System (CCS)

- One CCS train inoperable Two cooling loops composed of one pump, surge tank, with associated valves, heat exchanger, instrumentation and controls Yes Heat sink for the removal of process and operating heat from safety related components One CCS train One of two pumps for train A

One of one pump for train B 3.7.8.B Essential Raw Cooling Water (ERCW)

System - One ERCW System train inoperable for reasons other than Condition A Two cooling ERCW trains comprised of pumps, valves, strainers, screens Yes Heat sink for the removal of process and operating heat from safety related components One ERCW train in conjunction with CCS and a 100%

capacity containment cooling system One of four pumps per train when CS heat exchangers not in operation Two of four pumps per train when CS heat exchangers in operation Turbine driven One Turbine Driven or Correction

Reference:

Response

to APLA-06 Part (b.i)

CNL-21-026 E1-19 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments 3.8.1.A AC Sources -

Operating -

One offsite circuit inoperable for reasons other than Condition C.

Two qualified circuits between the offsite transmission network and the onsite 1E AC Electrical Power Distribution System.

Yes Provide power from offsite transmission network to onsite Class 1 buses One qualified circuit between the offsite transmission network and the onsite 1E AC Electrical Power Distribution system As needed to supply supported functions.

3.8.1.B AC Sources -

Operating -

One or more Train A Diesel Generators (DGs) inoperable OR One or more Train B DGs inoperable Four DGs divided into Train A and Train B capable of supplying the onsite Class 1E AC Electrical Power Distribution System.

Yes Provide power to safety related buses when offsite power to the bus is lost Two DGs associated with one load group The 6900V Shutdown Boards have been modeled for fast transfer when aligned to either alternate or normal to onsite power (DGs) upon a loss of offsite power.

Emergency Power (DGs),

Normal or Alternate

Supplies, Crosstie Power, and FLEX are all credited in model

, one for load group 6.9 kV shutdown boards 1A-A and 2A-A, and one for load group 6.9 kV shutdown boards 1B-B and 2B-B for one load group.

DGs (1A-A and 2A-A)

DGs (1B-B and 2B-B) which is divided into two redundant load groups offsite Clarifications agreed to during SQN audit CNL-21-026 E1-20 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments 3.8.1.C AC Sources -

Operating -

One offsite circuit inoperable solely due to an offsite power source to 6.9 kV Shutdown Board 2A-A or 2B-B inoperable Two qualified circuits between the offsite transmission network and the onsite 1E AC Electrical Power Distribution System.

Yes Provide power from offsite transmission network to onsite Class 1 buses One qualified circuit between the offsite transmission network and the onsite 1E AC Electrical Power Distribution system The 6900V Shutdown Boards have been modeled for fast transfer when aligned to either alternate or normal to onsite power (DGs) upon a loss of offsite power.

Emergency Power (DGs),

Normal or Alternate

Supplies, Crosstie Power, and FLEX are all credited in model.

for one load group offsite

, one for load group 6.9 kV shutdown boards 1A-A and 2A-A, and one for load group 6.9 kV shutdown boards 1B-B and 2B-B Clarifications agreed to during SQN audit CNL-21-026 E1-22 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments 3.8.1.E AC Sources -

Operating -

One offsite circuit inoperable for reasons other than Condition C

AND DG 1A-A or 1B-B inoperable Reference back to LCOs 3.8.1.A and 3.8.1.B Yes Reference back to LCOs 3.8.1.A and 3.8.1.B Reference back to LCOs 3.8.1.A and 3.8.1.B The 6900V Shutdown Boards have been modeled for fast transfer when aligned to either alternate or normal to onsite power (DGs) upon a loss of offsite power.

Emergency Power (DGs),

Normal or Alternate

Supplies, Crosstie Power, and FLEX are all credited in model 3.8.4.A DC Sources -

Operating -

One or two vital battery chargers on one train inoperable Two redundant Class 1E DC electrical power trains including two batteries per train, associated battery charger(s),

and associated control equipment and interconnecting cabling Yes Ensure availability of required DC power to shut down the reactor and maintain it in a safe condition One DC train Same as design criteria One DC train One vital DC electrical power train A (channels I and III) or Train B (channels II and IV) with each channel having one vital battery charger (2 vital battery chargers total)

Clarifications agreed to during SQN audit CNL-21-026 E1-23 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments 3.8.4.B DC Sources Operating -

One vital DC electrical power train inoperable for reasons other than Condition A Two redundant Class 1E DC electrical power trains including two batteries per train, associated battery charger(s),

and associated control equipment and interconnecting cabling Yes Ensure availability of required DC power to shut down the reactor and maintain it in a safe condition One DC train As needed to supply supported functions.

Success of these top events requires that power remain available to the applicable bus for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

3.8.7.A Inverters -

Operating -

One required inverter inoperable.

Two unit inverters and one spare inverter per channel, each capable of supplying its associated AC vital instrument power boards, with 12 total inverters Yes Provide reliable AC power to vital instrument power boards Two ESF power divisions for RPS and ESFAS initiation As needed to supply supported functions.

Success of these top events requires that power remain available to the applicable bus for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

3.8.9.A Distribution Systems -

Operating -

One or more AC electrical power distribution subsystems inoperable due to one or more Unit 1 AC Two independent trains consisting of Two 6.9 kV Shutdown Boards and four 480 V Shutdown Boards (12 boards)

Yes Supply required AC electrical power to required loads One train of AC electrical power distribution (one Unit 1 6.9 kV shutdown board, one Unit 2 6.9 kV shutdown board, and associated 480 V shutdown boards)

As needed to supply supported functions.

Success of these top events requires that power remain available to the applicable bus for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

[Unit 2]

trains AC electrical power distribution subsystems (load groups) each 12 AC shutdown boards total train of subsystem (load group) consisting of four (6 AC shutdown boards total)

Two redundant trains (load groups) each consisting of two channels with two inverters (one Unit 1 inverter and one Unit 2 inverter) per channel, each capable of supplying its associated AC vital instrument boards (8 total inverters)

Two unit inverters and one spare inverter per channel each capable of supplying its associated AC vital instrument power boards with 12 total inverters Two ESF power divisions for RPS and ESFAS initiation One train (load group) consisting of two channels with two inverters (one Unit 1 inverter and one Unit 2 inverter) per channel with each channel connected to one ESF power division for RPS and ESFAS initiation (4 total inverters) 12 boards boards One vital DC electrical power train A (channels I and III) or Train B (channels II and IV)

One DC train Clarifications agreed to during SQN audit CNL-21-026 E1-24 of 3

Table E1-1: In Scope TS/LCO Conditions to Corresponding PRA Functions TS Condition TS Condition Description SSCs Covered by TS LCO Condition SSCs Modeled in PRA?

Function Required by TS LCO Condition Design Success Criteria PRA Success Criteria Other Comments shutdown boards inoperable 3.8.9.B Distribution Systems -

Operating -

One or more AC vital instrument power distribution subsystems inoperable Two independent trains consisting of two Unit 1 120 V AC vital power boards and two Unit 2 120 V AC vital power boards (8 boards)

Yes Supply required AC instrument power to required loads One train of AC vital instrument power distribution (two Unit 1 120 V AC instrument power boards and two Unit 2 120 V AC instrument power boards)

As needed to supply supported functions.

Success of these top events requires that power remain available to the applicable bus for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

3.8.9.C Distribution Systems -

Operating -

One or more vital DC electrical power distribution subsystems inoperable Two 125 V vital DC electrical power distribution subsystems, each consisting of two 125 V boards (4 boards)

Yes Supply required DC power to required loads One train of vital DC electrical power distribution (two 125 V DC boards)

As needed to supply supported functions.

Success of these top events requires that power remain available to the applicable bus for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Notes:

1.

Low-low steam generator level requires success of 2 of 3 channels in 1 of 4 loops to actuate the motor driven pumps.

Additionally, low-low steam generator level requires success of 2 of 3 channels in 2 of 4 loops for the turbine driven pump.

independent trains AC vital instrument power distribution subsystems each instrument boards 120 V AC vital instrument power boards total train of vital subsystem (4 120 VAC vital instrument power boards total) boards 125 VDC boards total train of 125 V (two 125 V DC boards) subsystem consisting of two 125 VDC boards (I and III or II and IV; 2 125 VDC boards total)

Clarifications agreed to during SQN audit