Text

Supplemental Information - Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4
	ML24011A293
Person / Time
Site:	Arkansas Nuclear
Issue date:	01/11/2024
From:	Couture P; Entergy Operations
To:	; Office of Nuclear Reactor Regulation, Document Control Desk
References
	2CAN012403
	Download: ML24011A293 (1)
	v • d • e

Entergy Operations, Inc. 1340 Echelon Parkway, Jackson, MS 39213 2CAN012403 10 CFR 50.90 January 11, 2024 ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

Supplemental Information - Adopt Risk-Informed Completion Times TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4" Arkansas Nuclear One - Unit 2 NRC Docket No. 50-368 Renewed Facility Operating License No. NPF-6 By letter dated April 5, 2023 (Reference 1), Entergy Operations, Inc. (Entergy) requested to change the Arkansas Nuclear One, Unit 2 (ANO-2) Technical Specification (TS). The proposed amendment would modify TS requirements to permit the use of Risk Informed Completion Times (RICT) in accordance with TSTF-505, Revision 2, "Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b" (ML18253A085), dated November 21, 2018.

By letter dated August 9, 2023 (Reference 2), the NRC notified Entergy of their intent to conduct a regulatory virtual audit from October 17 through October 19, 2023, with Entergy staff in support of the License Amendment Request (LAR) in Reference 1. The letter contains a virtual audit plan with an initial list of information to be placed on an online portal.

By letter dated September 22, 2023 (Reference 3), the NRC provided an initial list of audit questions to be answered and discussed during the virtual audit. The responses to these questions were uploaded to the audit portal prior to the formal audit, which occurred on October 17 and 18 (audit virtual meeting completed on October 18). At the conclusion of the audit on October 18, the NRC requested that Entergy respond in the form of a supplement to selected audit questions, either for clarification, to add or remove detail, or to formally document Entergy's responses to the questions.

This letter is a supplement to the Reference 1 LAR. Attachment 1 to this letter provides a response to the audit questions posed by the NRC staff during the regulatory virtual audit.

Attachments 2 and 3 to this letter provide the TS markups and retyped TS, respectively, to address the requested supplemental information and should be used to replace the related pages in Reference 1 Attachments 2 and 3. The information provided in Attachments 1, 2, and 3 to this letter supersede the information provided in Attachments 2 and 3 Phil Couture Sr. Manager Fleet Regulatory Assurance - Licensing 601-368-5102

2CAN012403 Page 2 of 3 of Reference 1 for TS pages and Enclosure 1, Table E1-1 of Reference 1. All other information in Attachments 2 and 3 of Reference 1 and the unaffected portion of Enclosure 1, Table E1-1 of Reference 1 remain unchanged.

Entergy has reviewed the information supporting a finding of no significant hazards consideration and the environmental consideration provided to the NRC in Reference 1. The supplemental information provided in this letter does not affect the bases for concluding that the proposed license amendments do not involve a significant hazards consideration. Furthermore, the supplemental information provided in this letter does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendments.

This letter contains no new regulatory commitments.

In accordance with 10 CFR 50.91, "Notice for Public Comment; State Consultation," Entergy is notifying the State of Arkansas of this amendment request by transmitting a copy of this letter and enclosures to the designated State Official.

If there are any questions or if additional information is needed, please contact Riley Keele, Manager, Regulatory Assurance, Arkansas Nuclear One, at 479-858-7826.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 11th day of January 2024.

Sincerely, Phil Couture PC/mar Philip Couture Digitally signed by Philip Couture Date: 2024.01.11 14:35:41

-06'00'

2CAN012403 Page 3 of 3 Attachments:

1.

Responses to NRC Audit Questions

2.

Technical Specification Page Markups

3.

Retyped Technical Specification Pages

References:

1)

Letter from Entergy to NRC, "License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, 'Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4' " (ML23095A281) (2CAN042301) dated April 5, 2023

2)

Letter from T. Wengert (Senior Project Manager, U.S. Nuclear Regulatory Commission) to Entergy, "Regulatory Audit Plan in Support of License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times (EPID L-2023-LLA-0052)"

(ML23209A602) (2CNA082301) dated August 9, 2023

3)

Email from T. Wengert (Senior Project Manager, U.S. Nuclear Regulatory Commission) to Entergy, "Audit Questions - License Amendment Request to Revise Technical Specifications to Adopt TSTF-505, Revision 2" (ML23269A023) (2CNA092301) dated September 22, 2023 cc:

NRC Region IV Regional Administrator NRC Senior Resident Inspector - Arkansas Nuclear One NRC Project Manager - Arkansas Nuclear One Designated Arkansas State Official

2CAN012403 Responses to NRC Audit Questions 2CAN012403 Page 1 of 69 RESPONSES TO NRC AUDIT QUESTIONS APLA Question 01 - Digital Instrumentation and Control (I&C) Modeling Concerning the quality of the [probabilistic risk analysis] PRA model, Nuclear Energy Institute (NEI) 06-09-A, "Risk-Informed Technical Specifications Initiative 4b Risk-Managed Technical Specifications (RMTS) Guidelines," Revision 0-A (ML12286A322) [Reference 1], states that Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis" [Reference 2] and RG 1.200, "Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities," [Reference 3] define the quality of the PRA in terms of its scope, level of detail, and technical adequacy. The quality must be compatible with the safety implications of the proposed [technical specification] TS change and the role the PRA plays in justifying the change.

LAR Attachment 1, "Evaluation of Proposed Changes," and Attachment 5, "ANO-1 (sic)

[ANO-2] Technical Specification [technical specification task force] TSTF-505 Cross-Reference," explain that ANO-2 is considered a "digital" plant and identifies the following digital I&C systems:

1) Control Element Assembly Calculators (TS 3.3.1.1)

2) Reactor Protective System (RPS) Logic and Trip Initiation (TS 3.3.1.1)

3) Engineered Safety Features (ESF) Actuation System (ESFAS) Logic and Manual Trip (TS 3.3.2.1)

4) Diesel Generator (DG) - Loss of Voltage Start (LOVS) (TS 3.3.2.1).

Regarding digital I&C, the NRC staff notes the lack of consensus industry guidance for modeling these systems in plant PRAs to be used to support risk-informed regulatory applications. In addition, known modeling challenges exist, such as the lack of industry data for digital I&C components, the difference between digital and analog system failure modes, and the complexities associated with modeling software failures, including common-cause software failures. Also, although reliability data from vendor tests may be available, this source of data is not a substitute for in-the-field operational data. Given these challenges, the uncertainty associated with modeling a digital I&C system could impact the [risk informed completion time]

RICT program. Therefore, address the following:

a) Clarify whether digital I&C systems, other than those identified above, are credited in the PRA models that will be used in the RICT program.

b) For the digital I&C systems that are credited in the PRA models, and which will be used in the RICT program, provide justification (e.g., describe and provide the results of a sensitivity study) that demonstrates the modeling uncertainty associated with crediting digital I&C systems has an inconsequential impact on the RICT calculations.

-OR-2CAN012403 Page 2 of 69 Alternatively, if a justification is not provided, identify which [limiting conditions for operation] LCOs are determined to be impacted by digital I&C systems modeling for which risk management actions (RMAs) will be applied during a RICT. Explain and justify the criteria used to determine what level of impact to the RICT calculation requires additional RMAs.

Response

a) ANO-2 has recently installed a turbine control system (TCS) which is not part of the current PRA model update and has digital I&C components. Although the TCS modification impact will be included in the upcoming PRA update, the TCS is not a TS required system and is not included in the RICT program. There are no other digital I&C systems.

The Common Feedwater System (CFW) is a non-safety-related system credited in the PRA as a backup to the EFW system There are no TS associated with the CFW system; however, it is required by the ANO-1 and 2 Technical Requirements Manuals (TRMs). It is noted that the CFW system contains an electronic interface for starting and operating the pumps. However, the operation of the CFW system is based on existing plant instrumentation and must be started manually and can be controlled manually. This system has digital devices for starting and controlling the system, along with a simple programable controller for maintaining steam generator levels. In summary, this system includes digital components and failure rates, but is not using a digital device to monitor, respond and control the plant operations and requires manual interfaces.

Additionally, embedded into safety related systems are embedded digital devices.

For example, the turbine driven emergency feedwater (EFW) pumps electro-mechanical governor control system utilizes a microprocessor-based system to control the EFW turbine steam inlet governor valves, 2CV-0332. These embedded devices use digital technology but are not considered digital I&C.

b) The plant protection system is comprised with both the reactor protection system (RPS) and engineered safety features actuation signal (ESFAS) system. The RPS has two digital trips and eight analog trips, the ESFAS system has seven analog trips.

The two digital trips in the RPS system are associated in the core protection calculator (CPC) and control element assembly calculator (CEAC) systems and are for low departure from nucleate boiling ratio (DNBR) and high local power density (LPD). However, the full RPS system is not modeled in the PRA. Neither LPD and DNBR are modeled and require surrogate PRA modeling; therefore, these impacts do not impact the PRA calculations. All remaining RPS inputs, the ESFAS system, and the diesel generator loss of voltage start are non-digital components.

The embedded digital devices are subcomponents and are included within the failure rates of the main component. Therefore, there is no impact to the RICT calculations.

The common feedwater system uses a screening value of 1E-03 for the failure of the programmable logic controller and the human machine interface (HMI) screens.

2CAN012403 Page 3 of 69 Since the operation of the CFW system requires a manual start, variations in failure of single basic event will have negligible impact on the RICT calculations.

A sensitivity is provided on the RICT calculations by increasing the screening value of the HMI by an order of magnitude to 1E-02, and the results are provided in Table APLA-01-1. The results of the sensitivity showed minimal impact on the RICT calculations. The screening value for the HMI interface does have a marginal impact on the Fire PRA calculations with its reliance on the CFW system. However, this assumed failure rate is not a key source of uncertainty for the RICT calculations since most changes are only a few hours in duration. Small changes in RICT times are within the error bounds of the analysis and mitigated through generic RMAs not credited in the PRA. The largest change identified was a two day decrease in TS 3.3.2.1 and TS 3.8.1.1. Given that the change in RICT time is small relative to the allowed outage time (27.9 to 25.1 days) and increasing the HMI failure rate to 1E-02 is exceptionally conservative, the assumed failure rate of the HMI is not a key source of uncertainty for the RICT program. Additionally, TS 3.3.2.1 actions 9 and 14.b are conservatively modeled in the PRA and do not include credit for all available relays.

Table APLA-01-1 CFW HMI Sensitivity on sample RICT Calculations Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate CFW HMI RICT Estimate 3.3.1.1, Reactor Protective Instrumentation 3.3.1.1 Action 1 Three Matrix Logic Channels shall be operable Action 1 With only two channels operable, restore within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.4, Required Action A.1) 30.0 30.0 3.3.1.1, Reactor Protective Instrumentation 3.3.1.1 Action 6a Two CEACs shall be operable Action 6.a With one CEAC inoperable, restore in 7 days (or take additional actions)

(TSTF-505 does not apply a RICT to STS 3.3.3, Required Action A.2) 30.0 30.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.1.1 Actions 8a and 9 Two sets of two Manual Trip Buttons shall be operable Action 9 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action B.1) 30.0 30.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Action 9 Four Initiation Logic channels shall be operable Action 9 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action B.1) 28.1 27.2 2CAN012403 Page 4 of 69 Table APLA-01-1 CFW HMI Sensitivity on sample RICT Calculations Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate CFW HMI RICT Estimate 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Action 12 Three Matrix Logic Channels shall be operable Action 12 With only two channels operable, restore within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (TSTF-505 does not apply a RICT to STS 3.3.6, Required Action A.1) 28.1 27.2 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Action 13 Two Automatic Actuation Logic channels shall be operable Action 13 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action D.1) 28.1 27.2 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Actions 7a and 9 Two Loss of Voltage (LOV) relays per bus and two Degraded Voltage (DV) relays per bus shall be operable Actions 9 and 14.b With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.8, Required Actions A.1 and B.1) 27.9 25.1 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Action 14b Two Loss of Voltage (LOV) relays per bus and two Degraded Voltage (DV) relays per bus shall be operable Actions 9 and 14.b With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.8, Required Actions A.1 and B.1) 27.9 25.1 3.5.2, Emergency Core Cooling Systems (ECCS)

Subsytems Tavg 300 °F 3.5.2 Action a Two ECCS subsystems shall be operable Action a With one ECCS subsystem inoperable due to an inoperable LPSI [Low Pressure Safety Injection] train, restore LPSI train within 7 days (STS 3.5.2, Required Action A.1) 30.0 30.0 3.5.2, ECCS Subsytems Tavg 300 °F 3.5.2 Action b Two ECCS subsystems shall be operable Action b With one or more ECCS subsystems inoperable for reasons other than Action a, restore subsystem[s] within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.5.2, Required Action B.1) 30.0 30.0 2CAN012403 Page 5 of 69 Table APLA-01-1 CFW HMI Sensitivity on sample RICT Calculations Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate CFW HMI RICT Estimate 3.6.1.3, Containment Air Locks 3.6.1.3 Action c Each containment air lock shall be operable Action c With one or more containment air locks inoperable for reasons other than Actions a or b, restore within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.6.2, Required Action C.3) 7.7 7.7 3.6.3.1, Containment Isolation Valves 3.6.3.1 Each containment isolation valve shall be operable Actions a, b, and c With one or more penetration flow paths with one containment isolation valve inoperable, restore, isolate via a deactivated automatic valve, or isolate via manual valve / blind flange within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (Actions a, b, and c, respectively)

(STS 3.6.3, Required Actions A.1, B.1, and D.1) 7.9 7.9 3.6.2.1, Containment Spray System 3.6.2.1 Action a Two containment spray trains shall be operable Action a With one containment spray train inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.6.5, Required Action A.1) 30.0 30.0 3.6.2.3, Containment Cooling System 3.6.2.3 Action a Two containment cooling groups shall be operable Action a With one containment cooling group inoperable and both containment spray systems operable, restore cooling group within 7 days (STS 3.6.5, Required Action C.1) 30.0 30.0 3.6.2.3, Containment Cooling System 3.6.2.3 Action b Two containment cooling groups shall be operable Action b With two containment cooling groups inoperable, restore at least one cooling group within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.6.5, Required Action E.1) 30.0 30.0 3.6.2.3, Containment Cooling System 3.6.2.3 Action c Two containment cooling groups shall be operable Action c With one containment cooling group and one containment spray system inoperable, restore containment spray system within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and the cooling group within 7 days (STS 3.6.5, Required Action D.1) 30.0 30.0 2CAN012403 Page 6 of 69 Table APLA-01-1 CFW HMI Sensitivity on sample RICT Calculations Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate CFW HMI RICT Estimate 3.7.1.5, Main Steam Isolation Valves (MSIVs) 3.7.1.5 Action a Each MSIV shall be operable MODE 1 Action With one MSIV inoperable, restore MSIV within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (STS 3.7.2, Required Action A.1) 24.6 24.6 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 Action a Two EFW trains shall be operable Action a With the turbine driven EFW train inoperable due to one inoperable steam supply, restore within 7 days (STS 3.7.5, Required Action A.1) 30.0 30.0 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 Action b Two EFW trains shall be operable Action b One EFW train inoperable for reasons other than Action a, restore EFW train within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.7.5, Required Action B.1) 30.0 30.0 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 Action c Two EFW trains shall be operable Action c Turbine driven EFW train inoperable due to one inoperable steam supply AND motor driven EFW train inoperable, restore either the inoperable steam supply or the motor driven EFW train within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.7.5 does not contain this Action) 30.0 30.0 3.7.3.1, Service Water System (SWS) 3.7.3.1 Two SWS loops shall be operable Action a With one SWS loop inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.7.8, Required Action A.1) 13.3 12.5 3.8.1.1, A.C.

Sources 3.8.1.1 Action a.3 Two offsite circuits and two EDGs shall be operable Action a.3 One offsite circuit inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.8.1, Required Action A.3) 8.8 8.1 3.8.1.1, A.C.

Sources 3.8.1.1 Action b.4 Two offsite circuits and two EDGs shall be operable Actions b.4, e.3, and Note 1 One EDG inoperable, restore within 14 days (STS 3.8.1, Required Action B.4) 27.9 25.1 3.8.1.1, A.C.

Sources 3.8.1.1 Actions c.4 and c.5 Two offsite circuits and two EDGs shall be operable Actions c.4, c.5, and Note 1 One offsite circuit AND one EDG inoperable, restore at least one source within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (STS 3.8.1, Required Actions D.1 and D.2) 2.0 1.7 2CAN012403 Page 7 of 69 Table APLA-01-1 CFW HMI Sensitivity on sample RICT Calculations Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate CFW HMI RICT Estimate 3.8.1.1, A.C.

Sources 3.8.1.1 Actions d.3 and d.4 Two offsite circuits and two EDGs shall be operable Actions d.3 and d.4 Two offsite circuits inoperable, restore within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.8.1, Required Action C.2) 8.8 8.1 3.8.2.1, A.C.

Distribution -

Operating 3.8.2.1 The listed A.C.

electrical buses shall be operable Action One or more required A.C. electrical buses inoperable, restore bus within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (STS 3.8.9, Required Actions A.1 and B.1) 0.3 0.3 3.8.2.3, DC Sources -

Operating 3.8.2.3.b Train A and Train B DC electrical power subsystems shall be operable Action b With one DC electrical power subsystem inoperable for reasons other than Action a, restore the subsystem within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months (STS 3.8.4, Required Actions B.1 and C.1)

(STS 3.8.9, Required Action C.1) 0.8 0.8 2CAN012403 Page 8 of 69 APLA Question 02 - Consideration of Shared Systems in RICT Calculations RG 1.200, Revision 2, states, "[t]he base PRA serves as the foundational representation of the as-built and as-operated plant necessary to support an application." LAR Enclosure 8, "Attributes of the Real-Time Risk Model," explains that "Systems with shared components or capability across units which are credited in the RTR models are able to be represented in both unit PRA models simultaneously, reflecting availability or unavailability of the shared system to each unit based on the actual plant configuration." However, the LAR does not appear to specifically address the systems that are cross-tied or shared between units and how these are modeled and accounted for in the development of RICTs. The NRC staff has reviewed system documents on the licensees audit portal that have shared systems. The NRC staff notes that for some of these systems, it appears the sharing of a system is not consistent between units. It appears that some operational aspects, such as alternate alignments, were excluded from the PRA models. For multi-unit events (e.g., loss of offsite power and seismic events), credit for a shared system may be limited to one unit.

Clarify what systems are shared, how they are shared, and whether they can support one or both units in the event of an accident. Explain how the shared systems are credited for each unit in the PRA models. This discussion should also address the following:

a) Explain whether shared systems are credited in the internal events, including flooding and fire PRA models for both units and, if so, identify those systems.

b) If shared systems are credited in the real time risk (RTR) tool that supports the RICT calculations, then explain how the shared system is modelled for each unit in a dual unit event demonstrating that shared systems are not over-credited in the PRA models.

c) If a shared system is credited in the RTR model that supports the RICT calculations and the impact of events that can create a concurrent demand for the system shared by both units is not addressed in the PRA models, then justify that this exclusion has an inconsequential impact on the RICT calculations.

Response

a) Shared systems between units are credited in the PRA models. Specific credited systems include Common Feedwater (CFW), the Alternate AC Diesel Generator (AAC), cross tie to the ANO-2 4160 V vital buses 2A3 and 2A4 through 2A9 from the ANO-1 vital 4160 V buses, Startup Transformer No. 2 (SU2), 500 kV grid, Instrument Air (IA), backup DC power to non-vital busses 2A1, 2A2 (4160V), and 2H1 and 2H2 (6900V); and portable Flexible equipment (FLEX).

b) CFW: The CFW system is designed to provide an independent feedwater source to the ANO-1 or ANO-2 Steam Generators for the purpose of reactor coolant system (RCS) heat removal following the loss of primary (Main and Emergency Feedwater) and auxiliary feedwater (AFW). The CFW system is normally in standby and requires manual actuation, as it is isolated from the emergency feedwater (EFW) system during power operation. By design, only one CFW pump can be operated at any 2CAN012403 Page 9 of 69 given time. The CFW system was added to mitigate fire related events and the demand for CFW on both units would require multiple and simultaneous fires at the same time which is not modeled per NUREG/CR-6850. The ANO-2 model does not model a dual-unit total loss of feedwater/emergency feedwater event.

AAC: The AAC diesel generator is designed as a stand-alone power source with a requirement to provide the load of one of the four safety busses (two on each unit).

Any combination of ANO-1 and ANO-2 vital and non-vital busses may be energized as long as total load remains < 4400 kW, 4600 kW for 500 hours0.00579 days 0.139 hours 8.267196e-4 weeks 1.9025e-4 months , or 5320 kW for 30 minutes. The simultaneous demand of the AAC on both units would require multiple failures of the opposite units emergency diesel generator (EDG) system, in addition to the RICT configuration, to result in a dual unit SBO event. The electrical system for ANO-2 is electrically self-sufficient and is independent of the ANO-1 power sources.

As a result, the ANO-2 Full Power Internal Events (FPIE) model does not model the failure of the AAC in the low likelihood scenario of a dual unit SBO event.

Cross tie from the ANO-1 4kV buses through 2A9: This cross tie is not credited in a dual unit Loss of Offsite Power (LOOP). If a dual unit LOOP occurs, then ANO-1 will require the use of its own EDGs, and the crosstie will not be credited. Any unavailability or unreliability of a single ANO-1 powered vital switchgear or EDG is conservatively assumed to prevent the use of the cross tie. Only the vital ANO-1 busses are modeled for this cross tie, and the non-vital busses are not modeled.

SU2: Startup Transformer No. 2 is shared by both ANO-1 and ANO-2 on the 161 kV grid. As a result, only a portion of each units loads can be powered from SU2 without overloading the transformer. The PRA models the appropriate load shedding when supplied by SU2.

The 500 kV grid is fed to a common ring header and then provided to a startup transformer for each unit. The total loss of offsite power from the 500 kV grid would affect both units.

IA: The success criteria for each top event is to provide air from one Instrument Air compressor to the IA header. Success is any one of the four primary compressors (two for ANO-1 and two for ANO-2) maintaining header pressure. The unit cross tie is normally open, and any one of the four compressors has sufficient capacity to support/maintain header pressure. Unavailability of specific air compressors can be represented in both unit PRA models through the RTR tool simultaneously, and specific flags for which air compressor(s) are in service are included in the PRA models. Further, loss of instrument air is modeled as a dual unit initiating event in both Unit PRAs.

Backup DC to Non-vital 4160 V / 6900 V buses: The backup DC to the non-vital buses is a redundant DC source designed to mitigate a fire induced event resulting in loss of control power to the non-vital buses 2A1, 2A2, 2H1, and 2H2 and ensure DC control power is available to trip the reactor coolant pumps on loss of seal cooling.

The cross-unit supply is from a non-vital bus on the opposite unit. The new DC system is also modeled in the FPIE and Internal Flooding (IF) models as the as-built, as-operated plant. Dual-unit LOOP would result in a loss of the backup DC power 2CAN012403 Page 10 of 69 supplies. However, the normal DC supply remains available resulting in the system only being important for Fire scenarios. The failure mode of a dual-unit trip is not modeled for this system.

FLEX: Only one train of the two redundant FLEX trains is credited in the PRA.

c) As described in part (b), multiple additional equipment failures would be required before the systems would be unavailable due to a dual unit demand. Simplification of PRA modeling of dual unit impacts are low likelihood sequences and will have minimal impacts in the RICT calculations as no one initiating event can lead to the demand of the shared system simultaneously. A summary of the modeling/redundancies is provided:

AAC: The electrical systems are independent between units and would require a dual unit SBO or transient requiring any combination of ANO-1 and ANO-2 vital and non-vital busses total load greater than 4400 kW, 4600 kW for 500 hours0.00579 days 0.139 hours 8.267196e-4 weeks 1.9025e-4 months , or 5320 kW for 30 minutes. A sensitivity analysis was performed by inserting a surrogate basic event (i.e., a single basic event accounting for the entire train of EDGs on the opposite unit) for the ANO-1 EDG system train A and a surrogate event for train B into the ANO-2 AAC logic. Therefore, should the entire ANO-1 EDG systems fail (with a Dual Unit LOOP), the AAC would be unavailable to support ANO-2. A sensitivity was performed with both ANO-1 and ANO-2 EDGs in a RICT (one planned and an unplanned event on the opposite side). For completeness, all ANO-2 RICT were ran with the ANO-1 EDG in a RICT. The results are listed in below in Table APLA-02-1 (U1EFW&EDG Results Column). The results of the sensitivity showed no impact to the RICT calculations. Note, this sensitivity evaluates the shared CFW system simultaneously. In other words, ANO-1 is in an EFW and EDG RICT. See CFW writeup below.

Cross tie from the ANO-1 4kV buses through 2A9: This cross tie can supply power to a unit, and the PRA models the dual unit loss of offsite power events and ANO-1 switchgear.

CFW: Would require a total loss of all feedwater and emergency feedwater on both units. A sensitivity analysis was performed by inserting a surrogate basic event (i.e., a single basic event accounting for the entire train of EFW on the opposite unit) for the ANO-1 EFW system train A and a surrogate event for train B into the ANO-2 CFW logic. Therefore, should the entire ANO-1 EFW systems fail, CFW would be unavailable to support ANO-2. A sensitivity was performed with both an ANO-1 and ANO-2 EFW system in a RICT (one planned and an unplanned event on the opposite side). For completeness, all ANO-2 RICTs were ran with the ANO-1 EFW motor driven pump in a RICT. The results are listed in below in Table APLA-02-1 (U1EFW&EDG Results Column). The results of the sensitivity showed no impact to the RICT calculations. Note, this sensitivity evaluates the AAC shared system simultaneously with CFW. See AAC writeup above.

SU2: It is designed to supply power to both units, and the PRA models the allowed load configurations.

2CAN012403 Page 11 of 69 500 kV grid: It is designed to supply power to both units, and the PRA models the dual unit loss of offsite power events.

IA: The Real Time Risk (RTR) models the potential failures of the shared system and the associated impact.

Back up DC: The Back up DC supply is supplied by two separate sources (one from each unit) in addition to the normal DC supply. This scenario would require multiple simultaneous fires to result in a dual unit trip and disable the normal DC supply to both units non-vital buses. This is beyond the scope of NUREG/CR-6850.

FLEX: Only one train of portable equipment is modeled while two exist.

Table APLA-02-1 provides the instance where the shared systems may impact the RICT calculations. The Sensitivity was run assuming ANO-1 is in a planned RICT for its EDG and EFW system and ANO-2 went into an unplanned RICT. This case maximizes the demand for the other unit based on failures of the remaining EDG and EFW systems concurrent in a dual unit LOOP scenario. The results of the sensitivity analysis showed very small impact and is within the error bounds of the analysis.

Therefore, this is not a key source of uncertainty for the RICT program.

Table APLA-02-1 Sensitivity Analysis for CFW and AAC Shared Systems When One Unit is in an Unplanned RICT Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate ANO-1 In EFW&EDG RICT Estimate 3.3.1.1, Reactor Protective Instrumentation 3.3.1.1 1

Three Matrix Logic Channels shall be operable Action 1 With only two channels operable, restore within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.4, Required Action A.1) 30.0 30.0 3.3.1.1, Reactor Protective Instrumentation 3.3.1.1 Action 6a Two CEACs shall be operable Action 6.a With one CEAC inoperable, restore in 7 days (or take additional actions)

(TSTF-505 does not apply a RICT to STS 3.3.3, Required Action A.2) 30.0 30.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 Function 8a Action 9 Two sets of two Manual Trip Buttons shall be operable Action 9 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action B.1) 30.0 30.0 2CAN012403 Page 12 of 69 Table APLA-02-1 Sensitivity Analysis for CFW and AAC Shared Systems When One Unit is in an Unplanned RICT Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate ANO-1 In EFW&EDG RICT Estimate 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 9

Four Initiation Logic channels shall be operable Action 9 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action B.1) 28.1 28.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 12 Three Matrix Logic Channels shall be operable Action 12 With only two channels operable, restore within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (TSTF-505 does not apply a RICT to STS 3.3.6, Required Action A.1) 28.1 28.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 13 Two Automatic Actuation Logic channels shall be operable Action 13 With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.6, Required Action D.1) 28.1 28.0 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 7a 9 Two Loss of Voltage (LOV) relays per bus and two Degraded Voltage (DV) relays per bus shall be operable Actions 9 and 14.b With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.8, Required Actions A.1 and B.1) 27.9 27.7 3.3.2.1, Engineered Safety Feature Actuation System Instrumentation 3.3.2.1 14b Two Loss of Voltage (LOV) relays per bus and two Degraded Voltage (DV) relays per bus shall be operable Actions 9 and 14.b With one channel inoperable, restore channel within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months (STS 3.3.8, Required Actions A.1 and B.1) 27.9 27.7 2CAN012403 Page 13 of 69 Table APLA-02-1 Sensitivity Analysis for CFW and AAC Shared Systems When One Unit is in an Unplanned RICT Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate ANO-1 In EFW&EDG RICT Estimate 3.5.2, [Emergency Core Cooling Systems] ECCS Subsytems Tavg 300 °F 3.5.2 a

Two ECCS subsystems shall be operable Action a With one ECCS subsystem inoperable due to an inoperable LPSI [Low Pressure Safety Injection] train, restore LPSI train within 7 days (STS 3.5.2, Required Action A.1) 30.0 30.0 3.5.2, ECCS Subsytems Tavg 300 °F 3.5.2 b

Two ECCS subsystems shall be operable Action b With one or more ECCS subsystems inoperable for reasons other than Action a, restore subsystem[s] within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.5.2, Required Action B.1) 30.0 30.0 3.6.1.3, Containment Air Locks 3.6.1.3 c

Each containmen t air lock shall be operable Action c With one or more containment air locks inoperable for reasons other than Actions a or b, restore within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.6.2, Required Action C.3) 7.7 7.7 3.6.3.1, Containment Isolation Valves 3.6.3.1 Each containmen t isolation valve shall be operable Actions a, b, and c With one or more penetration flow paths with one containment isolation valve inoperable, restore, isolate via a deactivated automatic valve, or isolate via manual valve / blind flange within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (Actions a, b, and c, respectively)

(STS 3.6.3, Required Actions A.1, B.1, and D.1) 7.9 7.9 3.6.2.1, Containment Spray System 3.6.2.1 a

Two containmen t spray trains shall be operable Action a With one containment spray train inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.6.5, Required Action A.1) 30.0 30.0 3.6.2.3, Containment Cooling System 3.6.2.3 a

Two containmen t cooling groups shall be operable Action a With one containment cooling group inoperable and both containment spray systems operable, restore cooling group within 7 days (STS 3.6.5, Required Action C.1) 30.0 30.0 2CAN012403 Page 14 of 69 Table APLA-02-1 Sensitivity Analysis for CFW and AAC Shared Systems When One Unit is in an Unplanned RICT Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate ANO-1 In EFW&EDG RICT Estimate 3.6.2.3, Containment Cooling System 3.6.2.3 b

Two containmen t cooling groups shall be operable Action b With two containment cooling groups inoperable, restore at least one cooling group within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.6.5, Required Action E.1) 30.0 30.0 3.6.2.3, Containment Cooling System 3.6.2.3 c

Two containmen t cooling groups shall be operable Action c With one containment cooling group and one containment spray system inoperable, restore containment spray system within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and the cooling group within 7 days (STS 3.6.5, Required Action D.1) 30.0 30.0 3.7.1.5, Main Steam Isolation Valves (MSIVs) 3.7.1.5 a

Each MSIV shall be operable MODE 1 Action With one MSIV inoperable, restore MSIV within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (STS 3.7.2, Required Action A.1) 24.6 24.6 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 a

Two EFW trains shall be operable Action a With the turbine driven EFW train inoperable due to one inoperable steam supply, restore within 7 days (STS 3.7.5, Required Action A.1) 30.0 30.0 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 b

Two EFW trains shall be operable Action b One EFW train inoperable for reasons other than Action a, restore EFW train within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.7.5, Required Action B.1) 30.0 30.0 3.7.1.2, Emergency Feedwater (EFW)

System 3.7.1.2 c

Two EFW trains shall be operable Action c Turbine driven EFW train inoperable due to one inoperable steam supply AND motor driven EFW train inoperable, restore either the inoperable steam supply or the motor driven EFW train within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.7.5 does not contain this Action) 30.0 30.0 3.7.3.1, Service Water System (SWS) 3.7.3.1 Two SWS loops shall be operable Action a With one SWS loop inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.7.8, Required Action A.1) 13.3 13.2 2CAN012403 Page 15 of 69 Table APLA-02-1 Sensitivity Analysis for CFW and AAC Shared Systems When One Unit is in an Unplanned RICT Tech Spec TS Condition LCO Condition Required Action Base RICT Estimate ANO-1 In EFW&EDG RICT Estimate 3.8.1.1, A.C.

Sources 3.8.1.1 a.3 Two offsite circuits and two EDGs shall be operable Action a.3 One offsite circuit inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.8.1, Required Action A.3) 8.8 8.8 3.8.1.1, A.C.

Sources 3.8.1.1 b.4 Two offsite circuits and two EDGs shall be operable Actions b.4, e.3, and Note 1 One EDG inoperable, restore within 14 days (STS 3.8.1, Required Action B.4) 27.9 27.7 3.8.1.1, A.C.

Sources 3.8.1.1 c.4 / c.5 Two offsite circuits and two EDGs shall be operable Actions c.4, c.5, and Note 1 One offsite circuit AND one EDG inoperable, restore at least one source within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (STS 3.8.1, Required Actions D.1 and D.2) 2.0 2.0 3.8.1.1, A.C.

Sources 3.8.1.1 d.3 / d.4 Two offsite circuits and two EDGs shall be operable Actions d.3 and d.4 Two offsite circuits inoperable, restore within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.8.1, Required Action C.2) 8.8 8.8 3.8.2.1, A.C.

Distribution Operating 3.8.2.1 The listed A.C.

electrical buses shall be operable Action One or more required A.C.

electrical buses inoperable, restore bus within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (STS 3.8.9, Required Actions A.1 and B.1) 0.3 0.3 3.8.2.3, DC Sources Operating 3.8.2.3.b Train A and Train B DC electrical power subsystems shall be operable Action b With one DC electrical power subsystem inoperable for reasons other than Action a, restore the subsystem within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months (STS 3.8.4, Required Actions B.1 and C.1)

(STS 3.8.9, Required Action C.1) 0.8 0.8 2CAN012403 Page 16 of 69 APLA Question 03 - Impact of Seasonal Variations The Tier 3 assessment in RG 1.177, "An Approach for Plant-specific, Risk-informed Decision-making: Technical Specifications," Revision 2 (ML20164A034), stipulates that a licensee should develop a program that ensures the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. NEI 06-09-A and its associated NRC safety evaluation (SE) (ML071200238) state that, for the impact of seasonal changes, either conservative assumptions should be made, or the PRA should be "adjusted appropriately to reflect the current (e.g., seasonal or time of cycle) configuration."

LAR Enclosure 8, "Attributes of the Real-Time Risk Model," states that the RTR tool to be used for the RICT program will either conservatively model seasonal variations or include the capability to account for the variations if determined to impact the calculated RICT. However, the LAR does not appear to address specific modeling adjustments needed to account for seasonal and time of cycle dependencies and what kind of adjustments will be made.

Therefore, address the following to clarify the treatment of seasonal and time of cycle variations:

a) Explain how the RICT calculations address changes in PRA data points, basic events, and structures, systems, and components (SSCs) operability constraints because of extreme weather conditions, seasonal variations, other environmental factors, or time of cycle. Also, explain how these adjustments are made in the configuration risk management program (CRMP) model and how this approach is consistent with the guidance in NEI 06-09-A and its associated NRC final SE.

b) Describe the criteria used to determine when PRA adjustments due to extreme weather conditions, seasonal variations, other environmental factors, or time of cycle variations need to be made in the CRMP model and what mechanism initiates these changes.

Response

a) For extreme weather and related emergent weather-related conditions, the ANO models are built with the option to modify initiating events, which is already in place for the 10 CFR 50.65(a)(4) program. The CRMP model has settings for severe weather (severe thunderstorm warning) as well as settings for tornado watch, tornado warning, and grid instability. Fault tree logic is used to increase the value of various initiating events when one of these severe weather flags is set. Adjustments made in the CRMP model that adjust configuration risk will cascade to the RICT configuration risk for the duration of the adjustment. Additionally, qualitative considerations driven by the configuration risk management process support adequate assessment of the impact of external conditions, consistent with the guidance of NEI 06-09-A.

For seasonal variations, the success criteria notebook, system notebooks, and fault tree were reviewed for the ANO-2 models, and no seasonal changes in PRA success 2CAN012403 Page 17 of 69 criteria were identified. As noted in Enclosure 8 of the LAR, the CRMP model used for the RICT Program is required to either conservatively model seasonal variations or to include the capability to account for the variations if determined to impact the calculated RICT time. While no current seasonal changes in PRA success criteria are identified, seasonal changes will continue to be evaluated in updates to the CRMP model for the RICT Program.

For changes in success criteria based on the time in the core operating cycle

[i.e., impact on anticipated transient without scram (ATWS) pressure relief], the ANO-2 ATWS analysis (Reference 4) develops specific fractions for the time in core cycle for which moderator temperature coefficient (MTC) is not sufficiently negative.

These fractions are developed while also considering success or failure of turbine trip and emergency feedwater (EFW) actuation. For the CRMP model used for the RICT program, the models will be assessed for impact from these time in cycle variations to determine how MTC should be assessed for the RICT program. The CRMP will utilize the time in cycle to directly represent the configuration or a conservative state (such as MTC not sufficiently negative) will be utilized, in accordance with the guidance of NEI 06-09-A.

b) For emergent extreme weather, the Operators are directed to evaluate severe weather through guidance in procedure COPD-024 (Reference 5), consistent with 10 CFR 50.65(a)(4) process. Operations is trained on adjusting the settings within the CRMP model. In addition to the quantitative adjustment, a qualitative elevation of 10 CFR 50.65(a)(4) risk level is directed, which drives additional contingency actions.

For seasonal variations and time in core cycle, adjustments to the CRMP model will be assessed and implemented in developing the model for RICT implementation.

These adjustments and assumptions are expected to be evaluated as part of the CRMP update process following updates to the associated PRA models and modified as required. These evaluations will be included in PRA model update procedures and procedures covering development of the risk monitor.

For time in cycle variations, the conservative state (MTC not sufficiently negative) can be set upfront when establishing or updating the CRMP model for use with the program. If the time in cycle is to be directly represented in the CRMP model, variables will be added to the CRMP model which directly set the associated PRA basic events to their required values for representing the time in cycle, similar to a system alignment.

For seasonal variations or time in cycle settings which require real-time adjustment within the CRMP model, specific criteria directing the adjustments will be established and the adjustments will be included in RICT training materials. The RICT program procedure, EN-DC-401 (Reference 6), includes generic guidance for applying any required alignments and variations for emergent RICT entries as well as for planned RICTs by reference to work planning procedures.

2CAN012403 Page 18 of 69 APLA Question 05 - Performance Monitoring The NRC SE for NEI 06-09-A, states in part, "The impact of the proposed change should be monitored using performance measurement strategies." NEI 06-09-A considers the use of NUMARC 93-01, Revision 4F, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants" (ML18120A069), as endorsed by RG 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 4 (ML18220B281), for the implementation of the Maintenance Rule. NUMARC 93-01, Section 9.0, contains guidance for the establishment of performance criteria.

In addition, the NEI 06-09-A methodology satisfies the five key safety principles specified in RG 1.177, Revision 2, relative to the risk impact due to the application of a RICT.

Moreover, NRC staff position C.3.2 provided in RG 1.177, Revision 2, for meeting the fifth key safety principle acknowledges the use of performance criteria to assess degradation of operational safety over a period. It is unclear how the licensees RICT program captures performance monitoring for the SSCs within the scope of the [risk-managed technical specifications] RMTS program. Therefore:

a) Confirm that the ANO-2 Maintenance Rule program incorporates the use of performance criteria to evaluate SSC performance as described in NUMARC 93-01, as endorsed by RG 1.160.

b) Alternatively, describe the approach or method used by ANO-2 for SSC performance monitoring, as described in NRC staff position C.3.2 of RG 1.177, Revision 2, for meeting the fifth key safety principle. In the description, include criteria (e.g., qualitative or quantitative), along with the appropriate risk metrics, and explain how the approach and criteria demonstrate the intent to monitor the potential degradation of SSCs in accordance with the NRC SE for NEI 06-09-A.

Response

a) The Maintenance Rule (MR) program in place at ANO-2 was developed in accordance with the guidance of NUMARC 93-01. Procedure EN-DC-204 contains the guidance for development of performance criteria for the Maintenance Rule program.

Performance criteria are developed for SSCs within the scope of the MR commensurate with the safety significance of the SSC and MR function. Performance criteria includes plant level monitoring, functional failures, unavailability monitoring, and condition monitoring.

b) Not applicable 2CAN012403 Page 19 of 69 APLA Question 06 - In-Scope LCOs and Corresponding PRA Modeling The NRCs SE for NEI 06-09-A specifies that the LAR should provide a comparison of the TS functions to the PRA modeled functions to show that the PRA modeling is consistent with the licensing basis assumptions or to provide a basis for when there is a difference. Table E1-1, "In Scope TS/LCO Conditions to Corresponding PRA Functions," of LAR Enclosure 1 identifies each LCO in the TSs proposed for inclusion in the RICT program. The table also describes whether the systems and components covered by the LCO are modeled in the PRA and, if so, presents both the design success criteria and PRA success criteria. For certain LCOs, the table explains that the associated SSCs are not modeled in the PRAs but will be represented using a surrogate event that fails the function performed by the SSC. For some LCOs, the LAR did not provide an adequate description for the NRC staff to conclude that the PRA modeling will be sufficient.

a)

Regarding TS LCO 3.3.1.1, Functional Unit 11.A, LAR Table E1-1 states that the six Matrix Logic channels are not explicitly modeled and that the conservative surrogate is to fail the downstream trip path solid state relays. From this description, the NRC staff interprets this to mean that one or more of the four relays will be failed in the PRA model if only two Matrix Logic channels are operable. It is unclear to the NRC staff that this is conservative because each Matrix Logic channel, which receives input from two of the four measurement channels, will trip all four relays resulting in a reactor trip.

Address the following:

i.

Identify and summarize the function of the PRA model components that are assumed to be failed as a surrogate for an out-of-service Matrix Logic Channel.

ii. Provide justification that the surrogate conservatively bounds the reactor trip function of a Matrix Logic channel.

b)

Regarding TS LCO 3.3.1.1, Functional Unit 14, LAR Table E1-1 states that the components for the two Control Element Assembly Calculator (CEAC) are not explicitly modeled and that the conservative surrogate is to fail the downstream trip path solid state relays. From this description, the NRC staff interprets this to mean that one or more of the four relays will be failed in the PRA model if only one CEAC system is operable. Similar to part a) above, it is unclear to the NRC staff that this is conservative because each CEAC provides input to the four Core Protection Calculators (CPCs), each of which provides input to three of six Logic Matrix channels, and each Logic Matrix channel will trip all four relays resulting in a reactor trip.

Address the following:

i.

Identify and summarize the function of the PRA model components that are assumed to be failed as a surrogate for an out-of-service CEAC.

ii. Provide justification that the surrogate conservatively bounds the function of a CEAC to provide input to the CPCs which act to initiate a reactor trip.

b Supplemental)

The audit portal response states, in part that, " it is suggested the surrogate is revised to reduce one train of the modeled NSSS inputs..." This description is not clear to the NRC staff. The staff believe the licensee is saying is that 2CAN012403 Page 20 of 69 all of the signal inputs to one input channel are set to trip so that essentially one (out of four) input channel is set to trip. The staff recalls from the audit that the ANO-2 PRA RPS model only models the input signals, the trip initiation circuits, and the trip logic.

The staff would like confirmation that its understanding of the licensees statement is correct and, if so, for the licensee to consider revising its statement above to be in line with this more standard language when describing their surrogate.

If the NRC staffs understanding is not correct, then additional discussion will be necessary for full understanding.

c)

Regarding TS LCO 3.3.2.1, Functional Units 1.a, 2.a, 3.a, 4.a, 5.a, 6.a, and 8.a, Table E1-1 states that, for engineered safety features actuation system (ESFAS) manual initiation, that either ESF master relays, operator actions, or automatic actuations for the affected functions that are modeled will be used as conservative surrogates. From this description it is unclear to the NRC staff what surrogates will be used for the affected functions. For example, it is unclear to the NRC staff how assuming failure of a modeled automatic actuation is conservative with respect to failure of an operator action. Address the following:

i.

Describe the PRA model surrogates to be used for each of the Functional Units 1.a, 2.a, 3.a, 4.a, 5.a, 6.a, and 8.a.

ii.

Provide justification that each of the surrogates conservatively bounds the associated ESFAS function.

d)

Regarding TS LCO 3.3.2.1, Functional Units 1.d.1, 2.c.1, 3.c.1, 4.c.1, 5.d.1, 6.c.1, and 8.d.1, Table E1-1 states that, for ESFAS Matrix Logic channels, these channels are not explicitly modeled in the PRA and that the conservative surrogate is to fail the downstream trip path ESF solid state relays. Similar to part a) above, it is unclear to the NRC staff that this is conservative because each Matrix Logic channel, which receives input from two of the four measurement channels, will trip all four relays resulting in a reactor trip. Address the following:

i.

For each of the Functional Units 1.d.1, 2.c.1, 3.c.1, 4.c.1, 5.d.1, 6.c.1, and 8.d.1, identify and summarize the functions of the PRA model components that are assumed to be failed as a surrogate for an out-of-service Matrix Logic Channel.

ii.

Provide justification that the surrogates conservatively bound the reactor trip function of a Matrix Logic channel.

Response

a.i)

A logic matrix trip signal de-energizes four logic matrix relays. These four logic matrix relays provide interruption of power to one of four trips paths causing the trip path solid state relays (SSRs) to de-energize. The trip path SSR control the trip circuit breaker control relays (K1-K4), which in turn, control the reactor trip circuit breakers (TCBs).

The TCBs, when open, interrupt power to the control element drive mechanism (CEDMs) by de-energizing CEDM power supply busses 2C70 and 2C71, dropping the control element assemblies into the reactor core, tripping the reactor.

2CAN012403 Page 21 of 69 In the sample calculations, the surrogate used was two of four TCB control relays, either K1 and K3, or K2 and K4, fails to de-energize down-stream of the logic matrix.

This leaves only two TCB SSRs remaining and its associated matrix output, but only one TCB SSR can fail before the RPS system is unable to de-energize 2C70 and 2C71 and insert the CEAs.

a.ii)

Due to the multiple redundancies, the PRA does not model the RPS systems matrices and their associated outputs. It is noted that the surrogate applied assumes all matrices are available. However, as stated in the response to a.i, the RPS system only has one TCB SSR remaining to de-energize the TCB for use to trip the reactor.

Note, there is still the manual scram and redundant diverse scram system (DSS) system.

This configuration is a conservative surrogate because two matrices can provide a signal to all four TCB SSRs. The surrogate has one less TCB SSR, and less trip paths than if two matrices were modeled.

2CAN012403 Page 22 of 69 b.i)

The surrogate for the CEACs used in the sample calculations are the same as listed in question APLA-06 part a.i.

b.ii)

This surrogate is overly conservative as it is modeling logic downstream of the matrices reducing the available trip paths in half, with any of the two TCB SSRs failing will result in failure of the RPS system. Note the DSS system and manual trip remain available. Since the CEACs provide input into the CPCs, which is only one input into the matrices, limiting the downstream paths to one TCB SSR failure is conservative.

See response to question APLA-06, item a.ii which discusses two or less matrix logic available.

However, given the possibility the site could be in a situation where both TS LCO 3.3.1.1 Matrix Components and the CEACs could be in a RICT, it is suggested the surrogate is revised to reduce one train of the modeled NSSS inputs, which provide diverse and redundant means of monitoring the reactor and providing RPS protection.

This surrogate would use its modeled analog counterpart but be functionally equivalent in the PRA model.

b Supplemental) Using the RPS one-line diagram above, the CEACs provide a digital input from NSS to each of the four bistables (channels A,B,C, and D). The CEACs are conservatively not credited as an input into the RPS system in the PRA. However, four sets of analog inputs to each bistable channel are included in the RPS system in the PRA. The surrogate would identify a limiting analog input and fail/reduce the number of inputs to each of the four bistable channels from four inputs down to three inputs to each channel. Using the diagram above, with NSS inputs 1,2,3, and 4 being modeled in the PRA, the surrogate would reduce the inputs by one train. In other words, assuming input 4 is the surrogate, the PRA would fail inputs 4 into A, 4 into B, 4 into C, and 4 into D. The PRA calculations would estimate the risk associated with the degraded RPS system and the loss of its redundant input.

The staff is correct. Using the diagram above, the inputs/bistables, and the trip control relays are modeled. The logic Matrices and Matrix relays are not.

c.i)

The manual initiation for every ESFAS function is not modeled for every PRA function.

For functions where the manual initiation is modeled, no surrogate is needed. For functions where the manual initiation is not modeled, the sample RICT calculations failed a train of automatic initiation using the events associated with master relays or automatic functions as surrogate modeling.

c.ii)

The failure rate of the operator action to manually initiate the ESFAS logic is conservative relative to the failure rates of the automatic system and its designed redundancies. As a result, failing the automatic functions is a conservative surrogate relative to the manual function.

d.i)

For each of the Functional Units 1.d.1, 2.c.1, 3.c.1, 4.c.1, 5.d.1, 6.c.1, and 8.d.1 ESFAS Matrix Logic channels, the surrogate used is that the downstream trip relays are assumed to be failed (failure to de-energize). The downstream trip relays can degrade entire channels of ESFAS logic called "load groups" (load group I is composed of red train components and load group II is composed of green train components) and provide 2CAN012403 Page 23 of 69 a conservative surrogate for the automatic actuation of one train of equipment. Refer to the figure below for a simplified overview of the ESFAS trip paths.

d.ii)

Current surrogate modeling is overly conservative as it is failing one train of automatic initiation of the PRA credited components. Less than three matrix cards available can still de-energize any ESFAS solid state trip relays. Therefore, a more refined surrogate modeling will fail a subset of solid-state trip relays and not the entire actuation train. Instead of limiting the number of outputs provided by the reduced number of matrices, the surrogate model will reduce the number of downstream trip relays available to actuate the system, which will model a more limited set of trip capabilities than if the matrices were included in the model.

2CAN012403 Page 24 of 69 APLA Question 07 - Sources of PRA Model Uncertainty RG 1.200 states in part "NRC reviewers, [will] focus their review on key assumptions and areas identified by peer reviewers as being of concern and relevant to the application." The NRC Staff evaluates the acceptability of the PRA for each new risk-informed application and as discussed in RG 1.174, recognizes that the acceptable technical adequacy of risk analyses necessary to support regulatory decision-making may vary with the relative weight given to the risk assessment element of the decision-making process. The NRC staff notes that the calculated results of the PRA are used directly to calculate a RICT, which subsequently determines how long SSCs (both individual SSCs and multiple, unrelated SSCs) controlled by TSs can remain inoperable. Therefore, the PRA results are given a very high weight in a TSTF-505 application and the NRC staff requests additional information on the following issues that have been previously identified as potentially key fire PRA assumptions.

a) LAR Table E9-2, "Fire PRA Sources of Model Uncertainty," Item #3, "FPRA [Fire PRA]

Cable Selection," identifies that some FPRA components were assumed to be failed because the locations of associated cables were undetermined. The disposition is that, based on the results of a sensitivity study in which the cables were assumed to not be failed in any fire scenario, the risk of assuming the cables are failed is small.

This is confirmed by a review of the ANO-2 uncertainty analysis report, (Reference 7),

which was provided on the audit portal. However, Table E9-2 does not provide a disposition as to whether this assumption is a key source of uncertainty and whether RMAs are needed to address this source of uncertainty. Address the following:

i.

Identify the SSCs that are assumed to be always failed in the fire PRA, or are not included in the FPRA, due to lack of cable tracing or other reasons.

ii. Justify that this assumption has an inconsequential impact on the RICT calculations.

iii. If, in response to part ii) above, it cannot be determined that the cited assumption has an inconsequential impact on the estimated RICTs, then identify what programmatic changes will be considered to compensate for this uncertainty and the basis for their consideration (e.g., identification of additional RMAs).

b) LAR Enclosure 9 Section 4, "Assessment of Level 2 Epistemic Uncertainty Impacts,"

states that no key sources of uncertainty for the RICT program were identified for the Level 2 PRA. In reviewing the ANO-2 key assumptions and sources of uncertainty analysis report (Reference 7) provided on the audit portal, the NRC staff noted, in Table 8.4-3, that the assessment of the sensitivity of the steam generator tube rupture (SGTR) probability of burst assumption shows that the RICT for LCO 3.7.1.5, "Main Steam Isolation Valves," is very sensitive to the model assumption (reduction in the RICT of 55 percent), and so it appears to be a key source of uncertainty for the RMTS application. Therefore, address the following:

i.

Describe the plant-specific assessment used as the basis to develop the PRA modeling assumptions regarding SGTR probability of burst under severe accident conditions.

2CAN012403 Page 25 of 69 ii. Justify that these assumptions have an inconsequential impact on the RICT calculations.

c) LAR Table E9-1, "Internal Events Characterization of Generic Sources of Modeling Uncertainty," Item #12, "Containment sump / strainer performance," identifies the assumed sump strainer failure rates as a source of PRA modeling uncertainty. The modeling is based on the results of NUREG/CR-6771, "GSI-191: The Impact of debris Induced Loss of ECCS [Emergency Core Cooling System] Recirculation on PWR [Pressurized Water Reactor] Core Damage Frequency" (ML022410135).

NUREG/CR-6771 shows that core damage frequency (CDF) can be significantly impacted by the performance of the containment sumps during severe accidents and explains that there is significant uncertainty about containment sump performance under severe accident conditions because, in part, it is dependent on plant-specific conditions. The ANO-2 modeling appears to be a generic assumption and not based on a plant-specific assessment. The NRC staff notes that conservative PRA modeling could have a nonconservative impact on the RICT calculations. Therefore, address the following:

i)

Describe the plant-specific assessment used as the basis to develop the PRA modeling assumptions regarding containment sump performance under severe accident conditions.

ii)

Justify that these assumptions have an inconsequential impact on the RICT calculations. If, in response to part ii) above, it cannot be determined that the cited assumption has an inconsequential impact on the estimated RICTs, then identify what programmatic changes will be considered to compensate for this uncertainty and the basis for their consideration (e.g., identification of additional RMAs).

Response

a.i)

The Always Failed List is provided in Appendix A of PSA-ANO2-03-ES, ANO Component and Cable Report Rev 0 and are identified using the Y3 Component mapping code.

a.ii)

All the RICT sample cases, including the base case, were evaluated by revising the "always failed" list to "always available" in the RICT program uncertainty calculation, (Reference 7). To perform this sensitivity, the FPRA was modified to assume that circuits on the "always failed list" are not damaged by fire in any fire scenario. Since it is conservative to assume the circuits will be available in every fire scenario (i.e.,

lowering the base case), the sensitivity provides a bounding case to evaluate any potential masking in the RICT calculations. All sample RICT calculations were evaluated, which demonstrated that only small impacts to the overall RICT times were observed and none of the RICT times were decreased. As a result, the uncertainty of the always failed list is negligible in the RICT application. Therefore, the circuits not credited in the FPRA due to unknown location and route points is not a key source of uncertainty for the RICT program.

2CAN012403 Page 26 of 69 a.iii)

See response to part ii above.

b.i)

Conditional SGTR probability of burst (POB) of 0.027 is provided in NUREG/CR-6365 and was developed with inputs from NUREG-0844. There is no current industry published value for conditional probability of burst during a plant transient. The site-specific POB of 1.4E-03 was developed for the ANO-2 model using site specific data from the bobbin inspection with Monte-Carlo statistical methods to sample points over the parameter uncertainty distribution to generate a mean frequency. The site-specific analysis was developed using the principals from NUREG/CR-6365 with actual wear data from previous ANO inspections to conservatively refine the POB to a site-specific value for the probability of burst resulting in a pressure-induced tube rupture under accident conditions (i.e., high differential pressures). This analysis is documented in ANOs evaluation to improve the ANO2 SG POB used in the plants PRA.

The SGTR POB is not a PRA assumption, but a statistical analysis based off of site-specific wear data. However, it is agreed that there is some uncertainty in the value itself, given the lack of industry wide data and the only published value coming from a small sample set with data being from before 1990.

SGTR scenarios are important accident sequences in PWR PRAs, especially in LERF, and conservatisms are often used to simplify the PRA modeling. Adjustments up or down to the POB can impact the PRA risk metric. Therefore, a sensitivity was provided should the trend in wear data not support the calculated values and provide an understanding of the impact on RICT.

There is no concise list of consensus models available for use in the PRAs, but the POB calculations use accepted statistical analysis and reviewed the input from NUREG/CR-6365 for developing the POB. Additionally, the analysis has its basis in the Monte-Carlo method described in the Electric Power Research Institute (EPRI)

Flaw Handbook Calculator, used currently at ANO, to perform condition monitoring and operational assessment of the steam generators at a regular interval. The Monte-Carlo method considers all pertinent uncertainties, including material properties, NDE, burst pressure, and flaw growth. Since the calculations are based off of the Steam Generator Integrity Program performed on the operational assessment of each steam generator every few cycles to demonstrate a low probability of failure, it is considered a consensus model approach.

b.ii)

It is noted that LCO 3.7.1.5 is sensitive to the SGTR changes, but the issue is more related to the conservatism of the RICT sensitivity calculation than the POB value. As shown in Table 8.4-3 of PSA-ANO2-06-4B-SOU (Reference 7), the RICT time decreased by 55% as the POB analysis became more conservative and all other LCOs remained the same. The issue with 3.7.1.5 is the PRA assumes, for the sample RICT calculations, the MSIVs are stuck open, and also spuriously open. However, if ANO should enter this RICT, the MSIVs would be stuck in position (most likely in a closed or a partially closed state, not a spurious opening), and not flashing the SG dry, resulting in the large increase in delta pressure, which increases the chances of a pressure-induced tube rupture at the time of the transient.

2CAN012403 Page 27 of 69 Additionally, if the steam generator tubes showed increased wear, the POB would increase in subsequent model updates, thus reducing the RICT times for LCO 3.7.1.5.

As a result, this analysis is adequate for the application and is not a key source of uncertainty impacting the RICT evaluations.

c.i)

The ANO-2 sump strainer failure probabilities are obtained from industry guidance document WCAP-16882-NP, "PRA Modeling of Debris-Induced Failure of Long Term Core Cooling via Recirculation Sumps," for medium and large LOCA (LLOCA) initiating events. The following is the guidance directly from the WCAP:

As a general rule, for the MLOCA [Medium LOCA], the loss of long-term core cooling due to debris generation should be modeled as an order of magnitude less than the reference value for this class of initiating events (i.e., a value of 1E-04 is recommended). The exception to this is for those plants that have determined that medium LOCAs are within the limiting breaks assessed for the licensing basis. This is generally limited to plants with lines directly above the containment sump screens where transport of all of the debris generated by the break is highly likely. In this case, the reference probability of 1E-03 should be used for that portion of the medium break initiating event frequency represented by the limiting pipe break location. A separate medium break initiating event should be defined and assessed for that break location.

If breaks in this [the LLOCA] size range are not analyzed in the licensing basis sump screen assessments, it is less likely that debris accumulation on the sump screen for a large LOCA would result in significant sump screen head loss or any downstream effects. As a general rule, the loss of long term core cooling due to debris generation should be modeled as a half order of magnitude less than the reference value for this class of initiating events (i.e., a value of 2E-04 is recommended). The exception to this is for those plants that have determined that large LOCAs are within the limiting breaks assessed for the licensing basis. This is generally limited to plants with lines directly above the containment sump screens where transport of all of the debris generated by the break is highly likely. In this case, the reference probability of 1E-03 should be used.

Therefore, the lower probabilities in each of the discussions above are applicable to ANO-2.

This conclusion is based on the following facts:

1.

The ECCS pipes inside containment generally run from the east, while the sump is on the south side of the containment near the containment wall, so no pipes were identified that ran directly over the sump.

2.

WCAP-16882-NP was developed based on the original sump designs at the various plants, which includes the sumps having a single "face" that could be easily plugged if the entire amount of debris was "dropped" in near vicinity to the screen. As part of the GSI-191 resolution, plants were required to address this potential plugging concern. Based on the response to GSI-191, ER-ANO-2001-1208-000 "Containment Sump Strainer Replacement Project," the sump plugging issue was addressed by installing the new three-dimensional box strainers - which precludes the potential for debris from a single break point blanketing all of the screen surface since the water flow will wash the debris on one screen face, but 2CAN012403 Page 28 of 69 the others will remain un-plugged and pump NPSH will remain sufficient. The new strainers installed at ANO-2 are box strainers that are specifically designed to prevent sump plugging even in the case of a limiting break, so sump plugging is an unlikely event for the limiting large LOCA, and all other LOCAs.

In summary, ANO-2 applied a sump strainer failure rate of 2E-04 for LLOCAs and 1E-04 for MLOCAs to account for Generic Safety Issue (GSI)-191, "The Impact of Debris Induced Loss of ECCS Recirculation on PWR Core Damage Frequency (NUREG/CR-6771),"

considerations. The ANO-2 containment layout and installed sump strainer design meets the recommendations in industry guidance document WCAP-16882-NP. As such, the failure rates used in the model are considered accurate. The sensitivity cases described below, setting the sump strainer failure rates both high and low, did not have an appreciable change in risk metrics. Use of a higher failure rate would be unrealistic and overly conservative based on the design of the installed replacement sump strainers. As such, the values utilized for ANO-2 sump strainer plugging rates are neither overly conservative nor overly non-conservative.

c.ii)

A sensitivity analysis was performed that both decreased and increased the strainer failure rates for medium and large LOCAs by an order of magnitude. The sensitivity evaluated the sample RICT calculations. The sensitivity analysis demonstrates the failure rates have an inconsequential impact on the RICT times and is not a key source of uncertainty; therefore, the ANO-2 modeling assumption discussed above in APLA-07 part C has an inconsequential impact on the estimated RICTs.

2CAN012403 Page 29 of 69 APLA Question 08-Credit for FLEX Equipment and Actions NRC memorandum dated May 6, 2022 provides the NRCs staff updated assessment of identified challenges and strategies for incorporating Diverse and Flexible Mitigation Capability (FLEX) equipment into a PRA model in support of risk-informed decision making in accordance with the guidance of RG 1.200.

Section 6 of Enclosure 9 of the LAR states that FLEX is credited in the ANO-2 full power internal events PRA, which includes internal flooding, and the FPRA. The enclosure explains how NRCs "Updated Assessment of Industry Guidance for Crediting Mitigating Strategies in Probabilistic Risk Assessments" (ML22014A084) (Reference 8) is addressed in the modeling of FLEX. The following summarizes specific areas either addressed or not addressed in the enclosure:

The PRAs do not currently use the equipment failure data from PWROG-18042-NP, "FLEX Equipment Data Collection and Analysis," Revision 1 (ML22123A259), but that the failure data in this report will be incorporated in the 2023 update of the PRAs.

The guidance in Electric Power Research Institute (EPRI) Knowledge Base Article 2021-001, "Guidance for Pre-Initiator HRA (Human Reliability Analysis) for FLEX Portable Equipment," Revision 1, was used for identifying pre-initiator human failure events (HFEs).

The guidance in EPRI Knowledge Base Article 2021-007, "Guidance for Modeling Refueling of FLEX and Portable Equipment," was not cited in the LAR as being used in the PRAs, however, Table E9-5, "FLEX System Post-Initiator Human Failure Events,"

of the LAR identifies the operator action "Operator Fails to Refuel FLEX Equipment."

The LAR does not cite EPRI 3002013018, "Human Reliability Analysis (HRA) for Diverse and Flexible Mitigation Strategies (FLEX) and Use of Portable Equipment,"

which includes guidance for how to perform HRA for the use of onsite portable equipment.

In reviewing the ANO-2 key assumptions and sources of uncertainty analysis report (PSA-ANO2-06-4B-SOU) (Reference 7) provided on the audit portal, the NRC staff noted in Tables 8.2-4 and 8.2-5 that RICTs can be significantly impacted (e.g., RICTs reduced by up to 50 percent) by FLEX equipment reliability assumptions and in Tables 8.3 -2 and 8.3-4 that RICTs can be significantly impacted (e.g., RICTs reduced by up to 40 percent) by FLEX human error probability (HEP) assumptions.

Address the following:

a) Propose a mechanism to incorporate updated FLEX parameter values in accordance with PWROG-18042-N into the ANO-2 PRA models used for RICT calculations prior to implementing the RMTS program.

-OR-2CAN012403 Page 30 of 69 Alternatively, identify the LCO conditions impacted by the treatment of this modelling uncertainty for which RMAs will be applied during a RICT. Include discussion of the kinds of RMAs that would be applied and justification that the RMAs will be sufficient to address the modeling uncertainty.

b) Provide a discussion detailing the methodology used to assess operator actions related to installation and operation of FLEX equipment. The discussion should include:

i)

A list of the FLEX-related operator actions and a summary description of the plant-specific HRA used as the basis to develop the HEPs for each operator action.

ii) An assessment of how the HRA is or is not in accordance with EPRI 3002013018 and EPRI Knowledge Base Article 2021-007.

iii) If the FLEX-related HRA is not in accordance with the NRC memorandum dated May 6, 2022, justification that the HRA assumptions have an inconsequential impact on the RICT calculations.

iii Supplemental)

In the table titled "Assessment of FLEX Uncertainties," the licensee states that surrogates A and B are not applicable to ANO-2 and so modeling of portable equipment and connecting temporary hoses is plant-specific in accordance with EPRI 3002013018 guidance.

The disposition of Surrogate C is unclear because the NRC staff do not understand what is meant by the statement, "An override has been applied to FLX2XHE-FO-QCSTRF due to a Note in ANO procedure CFSG-006 Exhibit A." It appears that Surrogate C was also determined to not be applicable to ANO-2 and so modeling of validation of portable pump operability is plant-specific.

The NRC staff requests the licensee to clarify that Surrogate C is not applicable and that plant-specific modeling is used, if applicable, and to explain what is meant by this statement and its relevance to implementation of the guidance (i.e., EPRI 3002013018).

iv) If, in response to part iii) above, it cannot be determined that the cited assumptions have an inconsequential impact on the estimated RICTs, then identify the LCO conditions impacted by the treatment of this modelling uncertainty for which RMAs will be applied during a RICT. Include a discussion of the programmatic changes that the licensee will consider to compensate for this uncertainty and the basis for their consideration (e.g., identification of additional RMAs and justification that they are sufficient to address the modeling uncertainty).

c) If the PRA modeling of FLEX equipment and/or operator actions is revised or updated to be in accordance with the NRC memorandum dated May 6, 2022, provide justification that the revisions do not meet the definition of a PRA upgrade as defined by RG 1.200.

-OR-2CAN012403 Page 31 of 69 Alternatively, if justification cannot be provided, propose a mechanism to conduct a focused-scope peer review (FSPR) regarding incorporation of the PWR Owners Group FLEX equipment reliability modeling and/or EPRI FLEX HRA methodology for the ANO-2 PRA models. Include in the mechanism to close out all Facts and Observations (F&Os) that result from the FSPR prior to implementing the RMTS program.

Response

a)

The Full-power Internal Events model and Internal Flooding models use the PWROG-18042-N failure rates for FLEX portable equipment. The Fire PRA is being updated and is to be completed to support the RICT program implementation; therefore, this is not a modeling uncertainty for the RICT program.

b.i)

Table E9-5 in the ANO-2 LAR identifies the ANO-2 FLEX-related operator actions. The Fire HRA is being revised in the current model update to reflect table E9-5 and the current FPIE model of record. Table APLA-08-1 summarizes the plant specific HRA used for the selection of actions that install and operate FLEX equipment. The PRA-credited additional actions related to FLEX, such as declaration of ELAP, do not involve installation and operation of FLEX equipment, and are thus not included in the following table.

Table APLA-08-1 Installation and Operation of FLEX - Human Failure Events Post-Initiator Event ID Plant-Specific HRA FLX2XHE-FO-800KDG ANO procedure CFSG-005: Attachments 3&4 direct staging the 800 kW Diesel Generator and connecting cables; Exhibit A directs operating the 800 kW Diesel Generator.

FLX2XHE-FO-ALTFWI ANO procedure CFSG-005: Attachment 3 directs staging the FLEX pumps. ANO procedure 2FSG-003: Section 4 directs connecting the SG/RCS Makeup Pump; Exhibit A directs operating the SG/RCS Makeup Pump.

FLX2XHE-FO-QCSTRF ANO procedure CFSG-006: Section 4 directs connecting the Inventory Transfer Pump to the QCST; Exhibit A directs operating the Inventory Transfer Pump.

FLX2XHE-FO-REFUEL ANO procedure CFSG-005: Attachment 6 directs connecting and operating the Fuel Transfer Pumps.

FLX2XHE-FO-REFUEL-E ANO procedure CFSG-005: Attachment 6 directs using the Refueling Trailer.

FLX2XHE-FO-SGLVLM ANO procedure 2FSG-007: Attachments 1&2 direct installing SG level indication.

FLX2XHE-FO-SGMVLV ANO procedure 2FSG-003: Section 4 directs connecting the SG/RCS Makeup Pump.

FLX2XHE-FO-SWFPSS ANO procedure 2FSG-002: Attachment 1 directs connecting the Diesel Firewater Pump.

b.ii)

It is noted that the EPRI guidance 3002013018 is not listed as a reference in the LAR.

When developing the FLEX HRA, ANO reviewed the examples listed in EPRI 3002013018 for the FLEX HRA modeling. All the example HFEs in the EPRI 2CAN012403 Page 32 of 69 document are included in the PRA. Operator interviews and the integrated FLEX timeline were also performed consistent with the EPRI examples.

It is also noted that the reference to EPRI Knowledge Base Article 2021-007 is not listed in the references. The actions to refuel equipment are modeled in the PRA/HRA.

FLX2XHE-FO-REFUEL is included in the PRA and this is consistent with option 3 of the Knowledge Base Article 2021-007.

b.iii)

The FLEX-related HRA is in accordance with NRC memorandum dated May 6, 2022, as specified in Table E9-7 of the LAR. Table APLA-08-2 further expands upon the disposition for each HRA item.

It is noted that the RICT calculations will be performed in a CRMP tool that will combine the FPIE and FPRA into a single logic structure. Currently, ANO is synchronizing the FPIE with the FPRA for use in the RICT Program. The following discussion is based on the FPIE modeling, which will be used for calculating RICTs for both FPIE and FPRA.

2CAN012403 Page 33 of 69 Table APLA-08-2 Assessment of FLEX Uncertainties Conclusions from 2017 Memo ANO-2 Disposition HRA - Conclusion 11 EPRI 3002013018 provides updated detailed industry guidance for estimating the human error probabilities (HEPs) of the actions needed to implement mitigating strategies using portable equipment. The actions are classified into three stages:

deploy, implement, and sustain. Each stage has human reliability elements of cognition (i.e., decision to initiate the tasks of the stage) and execution (i.e., perform the tasks). For example, declaring an extended loss of alternating current power (ELAP) is a cognition element in the deploy stage, and refueling the diesel pump is an action element of the sustain stage. EPRI 3002013018 provides guidance and examples to estimate the HEPs of typical mitigating strategies in a base case ELAP scenario (i.e., without an external event), including declaring an ELAP, deploying portable equipment, performing deep direct current (DC) load shed, implementing portable equipment, and refueling portable equipment. The report then explores variations that may occur from the base case scenario. The examples presented in EPRI 3002013018 are not applicable to every plant as-is. Therefore, plant-specific practices must be considered when determining which variations are most applicable and in applying those examples to a specific plant. EPRI 3002013018 provides guidance that is acceptable to the NRC, with the clarifications below, for performing HRA for mitigating strategies using portable equipment. EPRI 3002013018 provides limited qualitative guidance on performing HRA for human actions impacted by extreme external events. EPRI 3002013018 does not provide quantitative guidance for performing HRA for actions impacted by extreme external events but identifies the need to develop guidance to address external hazards, which involve environmental exposure (e.g., external flood, high winds, etc.) as future work. Until additional industry guidance is provided that is consistent with the guidance in RG 1.200, a justification for quantitative credit for the use of portable equipment in an extreme external event in PRAs used for risk-informed applications should be submitted to the NRC for review and approval.

FLEX is not credited for extreme external hazards. FLEX is only credited for Internal Events, Internal Flooding, and Fire.

EPRI 3002013018 developed three surrogates - A, B, and C - to assess the reliabilities of three types of human tasks that are not included in the Technique for Human Error Rate Prediction (THERP) HRA method (NUREG/CR1278, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications - Final Report," ADAMS Accession No. ML071210299). Surrogate A is for transporting portable equipment. Surrogate B is for connecting temporary hoses. Surrogate C is for validation of portable pump operability. These three surrogates are specific to the plant used in the examples and may not be applicable for other plants. The NRC notes that while Surrogates A and B may be applicable to many plants, Surrogate C is Surrogate A: HFEs FLX2XHE-FO-800KDG and FLX2XHE-FO-ALTFWI model transportation of portable equipment. A THERP error of omission mean value is used for execution as the surrogate was evaluated to not be applied.

Surrogate B: HFEs FLX2XHE-FO-ALTFWI and FLX2XHE-FO-QCSTRF model 2CAN012403 Page 34 of 69 Table APLA-08-2 Assessment of FLEX Uncertainties Conclusions from 2017 Memo ANO-2 Disposition not expected to be widely applicable because it is only applicable for a very specific set of procedural cues that were verified through operator interviews to be appropriate for the specific plant used in the examples. These three surrogates have been adequately documented and are acceptable for use in a licensees PRA used for risk-informed applications, if applicable, without additional NRC review. Any other proposed surrogates necessary to credit mitigating strategies in a licensees PRA used for a risk-informed application should be submitted to the NRC for review and approval.

connecting temporary hoses. A THERP error of omission mean value is used for execution as the surrogate was evaluated to not be applied.

Surrogate C: HFEs FLX2XHE-FO-ALTFWI, FLX2XHE-FO-QCSTRF, and FLX2XHE-FO-SWFPSS model validation of portable pump operability. An override has been applied to FLX2XHE-FO-QCSTRF due to a Note in ANO procedure CFSG-006 Exhibit A.

EPRI 3002013018 does not include guidance for calculating the HEPs for actions such as connecting/disconnecting trailers or loading/unloading equipment. EPRI 3002013018 states that the feasibility study or task analysis decided these items would not drive the HRA results because there were no credible failure mechanisms, or the impact of the failure mechanisms were negligible. EPRIs conclusion that there are no credible failure mechanisms for loading/unloading equipment is specific to the plant used in the examples and may not be applicable to all plants. As such, each licensee should confirm that there have not been any changes to their mitigating strategies since the feasibility study was completed that may impact the ability to complete these tasks and, if applicable, licensees are to document the basis for excluding such tasks from HRA.

The ANO FLEX Validation [ANO-2015-0078]

was completed in 2015. Since 2015, any revisions to FLEX procedures have not changed the direction to connect/disconnect trailers or load/unload equipment such that the validation would no longer be correct, specifically Action Item #8 of Attachment 2.

EPRI 3002013018 does not include detailed guidance for modeling refueling actions where no personnel are available to monitor the fuel level or there are no clear pre-defined procedures or plans directing refueling. If there are no personnel available to monitor the fuel level or there are no clear pre-defined procedures or plans directing refueling, the licensee should submit a justification for the modeling approach used to the NRC for review and approval.

HFEs FLX2XHE-FO-REFUEL and FLX2XHE-FO-REFUEL-E (only execution within FLX2XHE-FO-REFUEL, not in the PRA logic) model refueling and have been developed using the ANO procedure CFSG-005, Attachment 6. Both ANO procedures FDS-002 and CFSG-005 contain a step that prompts refueling.

EPRI 3002013018 provides guidance for modeling refueling of portable equipment where personnel are available to monitor the fuel level and there are clear pre-defined procedures or plans directing refueling. EPRI 3002013018 includes screening criteria that may be used to determine whether refueling can be excluded from the PRA model based on the allowance in SR SYA15 of the ASME/ANS PRA Standard RA-Sa-2009 that failure modes can be excluded from the PRA model if the relative contribution of HFEs FLX2XHE-FO-REFUEL and FLX2XHE-FO-REFUEL-E (only execution within FLX2XHE-FO-REFUEL, not in the PRA logic) to refuel FLEX equipment have not been screened out of the PRA model. A Note in ANO procedure CFSG-005 pertains 2CAN012403 Page 35 of 69 Table APLA-08-2 Assessment of FLEX Uncertainties Conclusions from 2017 Memo ANO-2 Disposition the failure mode is less than 1 percent of the total failure rate for the component. EPRI KBA 2021007 provides additional guidance for modeling refueling of portable equipment, including clarification of when use of the refueling screening criteria is appropriate. EPRI 3002013018, with the clarifications provided in EPRI KBA 2021007, provides guidance that is acceptable to the NRC for modeling refueling of portable equipment where personnel are available to monitor the fuel level and there are clear pre-defined procedures or plans directing refueling.

to personnel availability to coordinate refueling.

EPRI 3002013018 uses THERP to calculate the HEPs associated with DC load shedding. The EPRI report states that a self-check value of 0.5 is applied as a recovery factor for failure to open a breaker and is appropriate because of general improvements in operator training since THERP was published in 1983. The NRC does not agree with this statement because the execution values in THERP already account for self-checking. The value of 0.5 appears to be based on analyst judgement applied as part of the reasonableness check. If this approach is taken, it should be submitted to the NRC for review and approval.

HFE FLX2XHE-FO-LOADSD does not use the generic EPRI self-check value of 0.5. A recovery value of 0.144 is currently being applied. Procedure Improvement Form (PIF) 2-23-0159 has been developed for including an explicit verification step to check the DC load shed, in procedure 2FSG-004 Rev. 3 Att.

1. The execution recovery notes will be updated to reference this PIF, and later the new step. This is being tracked by LR-LAR-2022-00063 Action 57.

2CAN012403 Page 36 of 69 iii Supplemental)

Surrogate C is not applicable to FLX2XHE-FO-QCSTRF and the analysis is plant specific. CFSG-006 Exhibit A begins with a note that no pre-start checks are required to be performed. The analysis of FLX2XHE-FO-QCSTRF sets the HEP for pre-start checks to 0.0 given this note. This 0.0 override shows that no surrogates are being applied and this is conservative. The Note tells the operators that these pre-check verifications are optional. The PRA could credit using a surrogate value but has conservatively chosen not to.

b.iv)

The cited assumptions have an inconsequential impact on the estimated RICTs.

The fire PRA will use the HRA methods described in this response in addition to the FLEX PWROG failure rates when calculating RICTs.

c.)

There are no proposed model changes to the internal events PRA, and the methods are in accordance with the NRC memorandum, dated May 6th, 2022. Currently, ANO is in the process of synchronizing the FPIE and FPRA models and will use the approaches described above when calculating the RICTs.

The FPIE/IF flooding models underwent a peer review for upgrades in their SBO accident sequences which included the FLEX logic and HRA. Implementation of FLEX by itself was not determined to be an upgrade. All findings were subsequently closed out.

The Fire PRA will be built on top of the peer reviewed SBO accident sequences.

Therefore, incorporation of FLEX changes into the Fire PRA are not considered an upgrade for the following reasons:

Using the FLEX failure rates in the FPRA does not constitute an upgrade since updating equipment failure rates to the latest industry guidance is routine maintenance and requires no new and unreviewed methods to complete the change.

Updating the Fire HRA only requires the conversion of FPIE operator actions to fire specific actions outlined in NUREG-1921. The use of NUREG-1921 was previously peer reviewed; therefore, no new methods are required for this change.

2CAN012403 Page 37 of 69 APLC Question 01 - Determination of the High Winds CDF and Large Early Release Frequency (LERF) Penalty Section 2.3.1, Item 7, of NEI 06-09, Revision 0-A, states, in part, that the "impact of other external events risk shall be addressed in the RMTS program," and explains that one method to do this is by "performing a reasonable bounding analysis and applying it along with the internal events risk contribution in calculating the configuration risk and the associated RICT." The NRC staffs safety evaluation for NEI 06-09 states, in part, that "[w]here PRA models are not available, conservative or bounding analyses may be performed to quantify the risk impact and support the calculation of the RICT."

Section 4.2 of LAR Enclosure 4 provides the results of the development of CDF and LERF penalty factors to include in RICT calculations to bound the impact of tornado-generated missiles for certain maintenance or LCO configurations. It is stated that these penalty factors are "conservative." However, only the results of this assessment are provided; no description is provided of the methodology, input, and assumptions used to develop the risk model and to justify that the results are conservative. Address the following:

a) Identify the SSCs that are the tornado missile risk targets for the development of the tornado-generated missile CDF and LERF penalty factors for the RICT calculations and provide justification for why these were selected for evaluation.

b) A description of the approach used for the development of the tornado-generated missile CDF and LERF penalty factors for the RICT calculations with justification for the results of the approach being conservative. The description and justification should (i) include information about the tornado missile failure frequencies, conditional failure probabilities for impacted SSCs, and the plant response model, and (ii) identify any deviations from the Tornado Missile Risk Evaluator [TMRE] methodology approved for use for ANO-2 (ML20135H141) c) In reviewing the ANO-2 Conservative Tornado Risk Model [PSA-ANO2-06-4B-TRM]

provided on the audit portal, the NRC staff noted in Tables A-2 and A-4 that the mean fragilities and mean tornado missile hit probabilities, respectively, decreased with increasing wind speed in some cases (e.g., Target Group Number 7 for initiators F4 to F6 in Table A-2, Target Group Number 17 for initiators F5 to F6 in Table A-4). Address the following:

i.

Explain the basis for these apparent anomalies and provide justification that their treatment is conservative.

ii.

If justification cannot be provided, then provide the results of a sensitivity study that shows these assumptions have an inconsequential impact on the RICT calculations.

iii.

If, in response to part ii) above, it cannot be determined that the cited assumptions have an inconsequential impact on the estimated RICTs, then identify what programmatic changes will be considered to compensate for this uncertainty and the basis for their consideration (e.g., identification of additional RMAs).

2CAN012403 Page 38 of 69 Entergy Responses a) The tornado missile target SSCs used to develop the CDF and LERF penalty factors are:

Non-conformances identified in Table 2 of the TMRE License Amendment Request (Reference 11).

Conforming but vulnerable SSCs identified during the TMRE Vulnerable SSC Walkdown and documented in the TMRE ANO-2 TMRE Exposed Equipment Failure Probability Development (EEFP) report (Refer to CALC-ANOC-MS-18-00008).

A plant walkdown was performed in support of the penalty factor development to review the risk-significant targets. As a result of the walkdown and review of plant documents, two scenarios were determined to have no vulnerable SSCs due to having adequate barriers. Targets in both the screened scenarios were determined to meet the ANO-2 design/licensing bases but had been conservatively added to the TMRE model. The eliminated targets should not have been considered targets using the TMRE methodology; barriers were conservatively not credited, or barriers were modified subsequent to the original TMRE model being finalized.

Only vulnerable but conforming SSCs were removed from the TMRE model used to calculate the penalty factors (i.e., the Conservative Tornado Risk Model (CTRM)); all non-conforming SSCs (from Table 2 of Reference 11) remain in the model. The following targets were eliminated from the CTRM used for the development of the penalty factors, since all penetrations to these rooms are adequately protected against tornado missiles.

Room 2118 (Scenario 2118-A) - ANO-2 Control Room. (Reference 14 Section A.6)

Room 2076 (only Scenario 2076-B was screened; Scenario 2076-A remains in the model) - Electrical Equipment Room. See Reference 14 Section A.1.

Additionally, several targets were re-evaluated to remove excess conservatism (e.g., assuming that a missile penetrating a small opening fails all the SSCs in a room).

Changes to target modeling and failure probabilities are detailed in Appendix A of Reference 14. This is discussed further in the response to part b).

b) A CTRM was developed to support the development of the CDF and LERF, as mentioned in Section 4.2 of Enclosure 4 to the TSTF-505 LAR [Ref: ANO-2 TSTF-505 LAR (2CAN042301)]. The CTRM is based on the ANO-2 TMRE model that was documented in the TMRE LAR [Ref: ML19119A090]. Several updates and changes were made in developing the CTRM, following the methods described in NEI 17-02, with some exceptions. The following discusses a high-level overview of the changes, details for exceptions to the NEI 17-02 methodology, other changes made (in accordance with NEI 17-02 methodology), and justification for the CTRM approach being conservative.1 Note 1: This same question was asked about the ANO-1 tornado missile analysis, as part of the ANO-1 TSTF-505 NRC audit. This response is similar to the that provided for APLC Question 01 in the ANO-1 Supplemental LAR (Reference 15), except it is specific to ANO-2. However, the same general principles and methods were used in developing both the ANO-1 and 2 tornado missile penalty factors.

2CAN012403 Page 39 of 69 Overview of CTRM The major changes to the ANO-2 TMRE are:

The most recent ANO-2 Internal Events PRA model (Revision 6) was used as the basis for the CTRM; this is the same internal events model that was used for the TSTF-505 LAR. The methods used to create the CTRM followed NEI 17-02 guidance for modifying the internal events PRA to create the CTRM; the CTRM model development process is not unique.

The most recent cable data from Revision 6 of the ANO-2 Fire PRA (e.g., cable locations, affected SSCs) was used for target mapping.

Select target missile failure probabilities were updated, following the methods in NEI 17-02. For ANO-2, there were approximately 50 TMRE targets/scenarios; approximately 35% of the targets/scenarios were changed from the TMRE. Since most of the targets in the ANO-2 TMRE model are conforming, conservative treatment of those targets did not significantly affect the increase in risk associated with non-conforming targets in the TMRE. However, the very conservative treatment of conforming targets has a significant impact on the total tornado missile CDF.

o Added credit for robust capabilities of the targets and/or barriers that were conservatively not accounted for in the TMRE.

o Updated target areas to be more realistic. The original TMRE model conservatively included the areas of penetrations into rooms that were adequately shielded from tornado missiles.

o Re-evaluated target-to-SSC mapping, primarily to remove excessive conservatism in target correlation. Many TMRE targets included the assumption that all SSCs in a room are failed due to a single missile penetrating any opening (including small/limited penetrations).

Removed two scenarios, as discussed in the response to part a), above.

Used plant specific TORMIS failure probabilities for a limited set of targets, in lieu of the failure probabilities calculated using NEI 17-02 methods. TORMIS failure probabilities were determined for select targets that were risk significant and could be modeled less conservatively using TORMIS (as compared to TMRE). Although TORMIS provides more realistic failure probabilities for tornado missile targets, it is still a conservative method and the CTRM remains conservative and appropriate for determining the CDF and LERF penalty factors. The targets with TORMIS failure probabilities in the CTRM are:

o Door 243 to Room 2076 (Electrical Equipment Room) o Door 340 to Room 2104 (Corridor on El. 572) o Penetrations in the wall for Room 2098 (Cable Spreading Room) 2CAN012403 Page 40 of 69 o Refueling Water Tank (RWT) (2T-3) o EDG 2K-4A and 2K-4B Exhaust Stacks o Fuel Oil Storage Tanks (FOST) (2T-57) Vents o Correlated Failure of EDG Exhaust Stacks (new target)

NOTE: Report PSA-ANOC-06-4B-TORMIS, "Tornado Missile and Pressure Fragilities for Select ANO SSCs, Rev 0" (Reference 9) documents the TORMIS analysis used to support the ANO-2 Conservative Tornado Risk Model. Item 6 in Section 7.2.1 states:

Each dimension of SSCs analyzed in this missile fragility analysis is then increased for offset hit (tumbling missiles) in each (x, y, z) free direction.

For ANO, this increase was 1.5 feet in each free direction (see discussion below). Thus, a target with two free directions in the X direction is increased by a total of 3 feet in length in the X direction. A target that has one side restrained in one side in the X direction (for example, that target is protected from offset hits by an YZ concrete barrier on one side) only sees an offset hit increase of 1.5 feet in the X direction. Similarly, safety targets that rest on the ground plane are increased only 1.5 feet in the Z direction to reflect the fact that missiles cannot hit the target from below the ground plane. Refer to [Reference 10] for figures on offset hit modeling.

Added one scenario (correlated failure of both EDG exhaust stacks by a single missile)

Credited some control room operator actions that were conservatively assumed to fail in the TMRE but should not be affected using NEI 17-02 methods. Operator actions performed in the control room are unaffected in the NEI 17-02 methods.

CTRM Conservatism The ANO-2 CTRM is still considered demonstrably conservative and appropriate for use in developing the CDF and LERF. In addition to the general conservative nature of the NEI 17-02 methodology (e.g., no recovery of offsite power), the method was conservatively applied in the ANO-2 TMRE (e.g., many unnecessarily correlated targets, no credit for robustness for many targets). As described above, conservative treatment of vulnerable but conforming targets in the TMRE did not significantly impact the risk associated with non-conforming SSCs. Therefore, there was little incentive to be less conservative (i.e., requiring more effort) in modeling target failure impacts and probabilities for the TMRE.

The following are key conservative aspects of the ANO-2 CTRM, including conservative aspects of the NEI 17-02 method as applicable specifically to ANO-2.

2CAN012403 Page 41 of 69 The AAC is very important in tornado-induced LOOP scenarios. However, the AAC failure probability in the CTRM is 1.0 (as required by NEI 17-02) since the cooling unit for the AAC is unprotected. However, the cooling unit could survive some F2 winds.

Most of the targets at ANO are cables and conduits. Missile induced failures of cables and conduits are inherently conservative in the NEI 17-02 methodology.

Further, the NEI 17-02 method was applied conservatively in the ANO-2 TMRE and CTRM. Conservative assumptions in modeling cables and conduits include1:

(a) 100% of missiles can damage single or multiple cable, (b) all cables in one or multiple collocated cable trays are failed by a single missile hit (c) cables inside conduits will fail regardless of the missile striking the conduit and (d) cables are not shielded by structural members.

Note 1: No research is available to quantify the amount of conservatism inherent in the treatment of cable failures in the TMRE or other tornado missile risk assessments.

Many targets still consist of multiple correlated SSCs, when un-correlated targets could potentially be justified. Most notable of the correlations are the assumptions that all SSCs in a room are considered to fail due to a single missile, when the vulnerable openings are small and many targets are not in the line of site of the openings and/or adequately shielded. Additionally, 100% of the missile inventory is often assumed to cause the failure of correlated targets, when only a percentage of missiles would be large or energetic enough to cause the failure of multiple targets in a single strike.

Many of the targets are in the Auxiliary Building (AB) and can only be hit by missiles originating in or traveling through the Turbine Building (TB) and passing through penetrations (e.g., electrical, ventilation, doors) in the reinforced concrete wall between the AB and the TB (on the ground and mezzanine levels). There are many obstructions in the TB that would stop, damage, or slow down missiles; assuming that all missiles are capable of going through the TB (especially on the ground and mezzanine levels) and then penetrating openings to strike and damage targets interior to the AB is very conservative.

Robustness is not credited for certain targets when it could be, based on the NEI 17-02 method. This includes not crediting barriers which would prevent any missiles from striking certain targets.

It is assumed that a small steam line break occurs with a probability of 1.0, which requires MSIV closure for every scenario.

No credit is taken for FLEX, even though it is designed to function following a tornado, is proceduralized, and trained on.

2CAN012403 Page 42 of 69 CTRM Results and Penalty Factor Development The CTRM is developed to conservatively estimate the CDF and LERF associated with tornado missiles at ANO-1. As such, cutsets from the CTRM that do not include tornado missile failures are excluded from the results. Tornado-induced LOOPs without offsite power recovery and only random equipment and/or operator action failures (i.e., no tornado missile failures) are accounted for in the internal events weather-related LOOP cutsets; therefore, they are not included in the CTRM results.

As a result of the changes described in this response, the CTRM average maintenance CDF is significantly lower than the TMRE (Degraded Case) CDF for ANO-2. This is a result of eliminating the scenarios discussed in the response to part a) and other scenario refinements, such as for Room 2081 (removing a protected junction box from the list of targets affected by the scenario), the MSIVs (refined correlated target and added individual targets) and the TORMIS targets (e.g., Door 340 and the RWT).

Section 4.2 of the LAR Enclosure 4 describes the results of quantifying the CTRM for various LCO configurations and the basis for the CDF and LERF penalty factors.

c) Responses to parts i and ii are provided:

i.

TORMIS Target Group 7 is Door 56, which is associated with ANO-1 and is NOT a target in the ANO-2 model. Tables A-2 and A-4, in both the ANO-1 and ANO-2 CTRM notebooks (References 13 and 14) include all the targets in which TORMIS was used to develop target failure probabilities. Target 56 is an ANO-1 target (Scenario 98-B) and does not affect the ANO-2 tornado missile risk.

Note: In the ANO-1 model, target scenario 98-B uses the conservative hit probability from Table A-4; see Table A-8 in PSA-ANO1-06-4B-TRM.

Also, see Note (3) in Table A-4 from PSA-ANO2-06-4B-TRM, which discusses the anomalous behavior for this target and the modeling remedy (for the ANO-1 model).

The table below lists the source of each ANO-2 scenario for which TORMIS was used in the ANO-2 CTRM and penalty factor calculations. The report sections from PSA-ANO2-06-4B-TRM are included in this table below.

For the most part, Table A-2 (damage probabilities) was used for the target failure probabilities; this includes Target 17, which was specifically mentioned in this question. Except for TORMIS Target 20 (Scenario YARD-2T-3), the TORMIS damage probabilities increase with increasing tornado intensity. For TORMIS Target 20, see Note (2) of Table A-2 for an explanation of the F6 probability.

For TORMIS Target 12 (Door 243/Scenario 2076-A), the hit probabilities from Table A-4 are used. See Note (2) of Table A-4 for an explanation of the F6 probability.

The failure probabilities for Scenario 2098-B are calculated using the Target 15 damage and hit probabilities from Tables A-2 and A-4, as described in Section A.3 of Reference 11. The hit probabilities (Table A-4) for this target are the same for F4 - F6. This is described in more detail in Note (3) of Table A-4. However, the basic event failure probabilities for Scenario 2098-B decrease from F4 to F6, as can be seen in Table B-1 (see F4-2098-B, F5-2098-B, and F6-2098-B). Since this is 2CAN012403 Page 43 of 69 non-conservative, the Scenario 2098-B failure probabilities for F5 and F6 are recalculated, and a sensitivity analysis is performed. See the response to part ii below.

Target Group Number Description Scenario Damage Probability Table A-2 Hit Probability Table A-4 Report Section 3

Diesel Generator 2K-4A Exhaust Yard-2K-4AExhaust-Stack, YARD-2K-4A_4B X(1)

A.9 4

Diesel Generator 2K-4B Exhaust Yard-2K-4BExhaust-Stack, YARD-2K-4A_4B X(1)

A.9 12 Door 243 2076-A X

A.1 14 Door 340 2104-A X

A.5 15 Penetrations between Doors 339 and 340 2098-B X(2)

X(2)

A.3 17 ANO-2 Diesel Generator Exhausts YARD-2K-4A_4B X

A.9 20 RWT YARD-2T-3 X

A.9 23 2T57 Vents (Crimping)

YARD-2T57 X

A.9 Notes:

(1) Targets 3 and 4 are used for each exhaust stack scenario as well as the combined exhaust stack scenario.

See Section A.9.

(2) Both damage and hit probabilities are used for Scenario 2098-B; see Section A.3.

ii.

Scenario 2098-B uses both the Target 15 damage and hit probabilities from Tables A-2 and A-4 to calculate the scenario failure probability for use in the CTRM and penalty factor calculations. From Section A.3, the basic event failure probabilities for Scenario 2098-B are calculated as:

Hit Probability * (1 - Damage Probability / Hit Probability)

Or more succinctly:

Hit Probability - Damage Probability The Target 15 hit probability is the same for F4 - F6 tornados; the reason for this is explained in Note (3) of Table A-4. However, the failure probabilities for Target 15 increase with increasing tornado intensity through F6. This results in the calculated Scenario 2098-B failure probabilities (i.e., Hit Probability - Damage Probability) for F5 and F6 to be less than the Scenario 2098-B failure probability for F4. To be consistent, the calculated Scenario 2098-B failure probabilities for F5 and F6 should be equal to the F4 value: 2.05E-3.

2CAN012403 Page 44 of 69 Sensitivity cases were run to determine the impact on the average maintenance tornado missile CDF and LERF, and a sample of the more significant LCO configuration cases used to determine the CDF and LERF penalty factors. As a result of the sensitivity cases, no changes are warranted for the CDF and LERF penalty factors provided in Section 4.2 of Enclosure 4 to the ANO-2 TSTF-505 LAR.

Average Maintenance Tornado Missile Risk Sensitivity The sensitivity results for average maintenance CDF and LERF are the same as the results reported in Section 4.2 of Enclosure 4 to the ANO-2 TSTF-505 LAR. The increases in CDF and LERF from the sensitivity were too small to affect the total CDF and LERF. The total CDF and LERF and their increases are provided in the table below:

End State Sensitivity Delta CDF (/yr) 5.0E-07 5.0E-07 3E-10 LERF (/yr) 1.5E-08 1.5E-08 7E-12 LCO Tornado Missile Risk Sensitivity Several of the significant LCO cases for CDF and LERF from PSA-ANO2-06-TMPF Tables A-1 and A-2 were requantified using the updated Scenario 2098-B F5 and F6 values (i.e., 2.05E-3). The results are provided in the tables on the following page.

As a result of the sensitivity analysis, the penalty factors provided in Section 4.2 of to the TSTF-505 LAR remain the same.

CDF 5E-6/yr LERF 5E-7/yr iii.

The sensitivity study performed for part ii above resulted in no changes to the tornado missile penalty factors. Therefore, no response is required for this part.

2CAN012403 Page 45 of 69 CDF and CDF Sensitivity for Select Cases (Refer to Table A-1 of PSA-ANO2-06-TMPF)

Rank Case Name CDF (/yr)

Sensitivity CDF (/yr)

Increase in CDF (/yr)

CDF (/yr)

Sensitivity CDF (/yr)

Increase in CDF (/yr) 1 SWGRA3_DG1_SWS1_EFWB_EFW1000_DC1 6.29E-06 6.29E-06 4E-10 5.78E-06 5.78E-06 1E-11 4

SWGRA3_DG1_SWS1_EFWB_EFW1000 4.85E-06 4.85E-06 4E-10 4.34E-06 4.34E-06 1E-11 10 3-8-2-3-b_2 3.92E-06 3.92E-06 4E-10 3.41E-06 3.41E-06 5E-11 13 SWGRA4_DG2_SWS2_EFWA_ECCSB_DC2 3.30E-06 3.30E-06 4E-10 2.79E-06 2.79E-06 6E-11 LERF and LERF Sensitivity for Select Cases (Refer to Table A-2 of PSA-ANO2-06-TMPF)

Rank Case Name LERF (/yr)

Sensitivity LERF (/yr)

Increase in LERF (/yr)

LERF (/yr)

Sensitivity LERF

(/yr)

Increase in LERF

(/yr) 1 3-6-1-3-c_1 5.11E-07 5.11E-07 4E-10 4.95E-07 4.96E-07 4E-10 2

3-6-3-1_2 4.35E-07 4.35E-07 4E-10 4.19E-07 4.20E-07 4E-10 3

SWGRA3_DG1_SWS1_EFWB_EFW1000_DC1 3.49E-07 3.49E-07 9E-12 3.33E-07 3.33E-07 9E-13 5

3-8-2-3-b_1 3.04E-07 3.04E-07 8E-12 2.89E-07 2.89E-07 2E-13 15 SWGRA4_DG2_SWS2_EFW1050_ECCSB_DC2 1.44E-07 1.44E-07 9E-12 1.28E-07 1.28E-07 9E-13 2CAN012403 Page 46 of 69 EEEB Question 01 - TS LCO 3.8.1.1, Conditions a and d General Design Criterion (GDC) 17 of Appendix A to Title 10 of the Code of Federal Regulations requires, in part, that both offsite and onsite electrical power systems be provided to permit functioning of SSCs important to safety. The safety function for each system, assuming the other is not functioning, shall be to assure that fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded, the core is cooled, and containment integrity and other vital functions are maintained in the event of postulated accidents. LCO 3.8.1.1, Conditions a and d, are respectively for the inoperability of one or both offsite alternating current (AC) power circuits.

As described in Section 8.2, "Offsite Power System," of the ANO-2 Safety Analysis Report (SAR) (ML21288A074), there are two offsite AC power sources for ANO-2, which are Startup Transformers 3 and 2. These transformers provide the safe shutdown of ANO-2 and maintain it in a safe shutdown condition. For the loss of one offsite power source with main generator unavailable, the available offsite power source is sufficient for unit safe shutdown. TS 3.8.1.1, Action a.3, requires the restoration of an inoperable offsite AC circuit in 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or be in hot standby in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . If a design basis accident (DBA) happened at this moment, the plant could be safely shutdown using the existing available offsite AC circuit. TS 3.8.1.1, Action d.4, concerns the loss of both offsite AC power sources and requires the restoration of one source in 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or be in hot standby in 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in hot shutdown within the following six hours. As indicated in SAR Section 8.3.1.1.3, if a DBA happened at this moment, [the] plant can be safely shut down with one diesel generator (DG) of a redundant ESF train.

Design success criteria (DSC) in Table E1-1 for TS LCO 3.8.1.1, Actions a.3 and d.4 appear inconsistent with their respective LCOs by not listing the minimum power source(s) of the type identified in the respective LCO condition. Clarify or explain the following inconsistencies:

Action a.3 - Minimum offsite power circuit powered by Startup Transformer 3 or 2 to address DBA, since this LCO is for a single unavailable offsite AC circuit. LCO 3.8.1.1, Condition d is for two unavailable offsite AC circuits for which DGs are applicable, but not true for this LCO since one offsite power circuit is still available.

Action d.4 - Minimum DG to address DBA since this LCO is for both offsite AC circuits unavailable. If a single offsite AC circuit is recovered, then this LCO is exited and LCO 3.8.1.1, Condition a is entered. However, for this LCO, DGs are the only available AC power sources.

2CAN012403 Page 47 of 69

Response

Table E1-1 currently states the following in the LAR:

Action a.3 states:

a. With one offsite A.C. circuit of the above required A.C. electrical power sources inoperable, perform the following:

3. Restore the offsite A.C. circuit to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in HOT SHUTDOWN within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . LCO 3.0.4.a is not applicable when entering HOT SHUTDOWN. Startup Transformer No. 2 may be removed from service for up to 30 days as part of a preplanned preventative maintenance schedule. The 30-day allowance may be applied not more than once in a 10-year period.

2CAN012403 Page 48 of 69 Actions d.3 and d.4 state:

d. With two offsite A.C. circuits of the above required A.C. electrical power sources inoperable, perform the following:

3. Restore one of the inoperable offsite A.C. circuits to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and

4. Restore both A.C. circuits within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of the initiating event, As discussed in TS Bases 3/4.8, "Electrical Power Systems", the operability of the AC and DC power sources and associated distribution systems during operation ensures that sufficient power will be available to supply the safety-related equipment required for 1) the safe shutdown of the facility and 2) the mitigation and control of accident conditions within the facility. The minimum specified independent and redundant AC and DC power sources and distribution systems satisfy the requirements of General Design Criteria 17 of Appendix "A" to 10 CFR 50.

This results in maintaining at least one train of the onsite or offsite AC sources Operable during accident conditions that consider an assumed loss of all offsite power or all onsite AC power and a worstcase single failure. Therefore, as stated in the DSC in LAR Table E11 for TS LCO 3.8.1.1 Action a.3, only one train powered by an offsite power source or a DG is required to meet the accident analysis. The minimum required power source is either an off-site power source OR a diesel generator powering one train of safety equipment; therefore, the design success criteria of "At least one AC electrical train, powered by an offsite circuit or a diesel generator (DG), is required to meet accident analyses assumptions." is correct. It may be less confusing to reword the criteria to state: "At least one AC electrical train, powered by either an offsite circuit or a diesel generator (DG), is required to meet accident analyses assumptions."

Action d assumes that both offsite power sources are inoperable and both DGs are operable. In this case, only the safety-related diesel generators are available to power the required AC buses. The minimum required power source is either an off-site power source OR a diesel generator powering one train of safety equipment; therefore, the design success criteria of "At least one AC electrical train, powered by an offsite circuit or a diesel generator (DG), is required to meet accident analyses assumptions." is correct. In this case, an operable DG supplying a single AC electrical train ensures that sufficient power will be available to supply the safety-related equipment required for the safe shutdown of the facility and the mitigation and control of accident conditions within the facility. The design success criteria of "At least one AC electrical train, powered by an offsite circuit or a diesel generator (DG), is required to meet accident analyses assumptions." remains correct; however, it would be more accurate to state: "At least one AC electrical train, powered by a diesel generator (DG), is required to meet accident analyses assumptions." for TS 3.8.1.1 Action d.3 and d.4.

2CAN012403 Page 49 of 69 The Design Success Criteria in LAR Table E1-1 for TS LCO 3.8.1.1 Action a.3 should read as follows:

At least one AC electrical train, powered by either an offsite circuit or a DG, is required to meet accident analyses assumptions.

The Design Success Criteria in LAR Table E1-1 for TS LCO 3.8.1.1 Actions d.3 and d.4 should read as follows:

At least one AC electrical train, powered by a DG, is required to meet accident analyses assumptions.

The entries to Table E1-1 below incorporate the above responses and replace the corresponding portions of the table in the original LAR.

TS and Condition Description SSCs Covered by TS Condition SSC in PRA Model Functions Covered by TS Condition Design Success Criteria PRA Success Criteria Disposition 3.8.1.1, AC Sources Two offsite circuits and two DGs shall be operable Action a.3 With one offsite circuit inoperable, restore within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (STS 3.8.1, Required Action A.3)

Vital AC electrical power sources Yes AC electrical power to associated TS-required SSCs At least one AC electrical

train, powered by either an offsite circuit or a DG, is required to meet accident analyses assumptions Same as Design Criteria SSCs are modeled consistent with the TS scope and can be directly included in the CRMP tool for the RICT program.

2CAN012403 Page 50 of 69 Two offsite circuits and two DGs shall be operable Action d.3 and d.4 With two offsite circuits inoperable, restore at least one within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and second with 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of initial entry (STS 3.8.1, Required Action C.2)

Vital AC electrical power sources Yes AC electrical power to associated TS-required SSCs At least one AC electrical

train, powered by a DG, is required to meet accident analyses assumptions Same as Design Criteria SSCs are modeled consistent with the TS scope and can be directly included in the CRMP tool for the RICT program.

2CAN012403 Page 51 of 69 EEEB Question 02 - TS LCO 3.8.2.3, Action b GDC 17 requires, in part, that both offsite and onsite electrical power systems be provided to permit functioning of SSCs important to safety. The safety function for each system, assuming the other is not functioning, shall be to assure that fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded, the core is cooled, and containment integrity and other vital functions are maintained in the event of postulated accidents. This includes the onsite electrical direct current (DC) system.

ANO-2 SAR Section 8.3.2.1 indicates that there are two trains in the DC system. LCO [3.8].2.3, Action b refers to "subsystems" instead of trains.

DSC in LAR Table E1-1 for TS LCO 3.8.2.3, Action b appears inconsistent with the LCO by referring to "subsystems" in column 1 and "trains" in Column 5. Clarify or explain inconsistency.

Response

In this instance, the use of the term "trains" in the SAR is synonymous with the term "subsystems" in TS LCO 3.8.2.3, Action B. For consistency and to eliminate confusion, the term "subsystems" should be used in place of term "trains" for Table E1-1, TS 3.8.2.3, Action b.

2CAN012403 Page 52 of 69 EEEB Question 03 - TS LCO 3.8.2.1 GDC 17 requires, in part, that both offsite and onsite electrical power systems be provided to permit functioning of SSCs important to safety. The safety function for each system, assuming the other is not functioning, shall be to assure that fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded, the core is cooled, and containment integrity and other vital functions are maintained in the event of postulated accidents. This includes the onsite 120-Volt Uninterruptable AC Power System.

ANO-2 SAR Section 8.3.1.1.6 indicates that there are six inverters and four distribution panels in 120-Volt Uninterruptable AC Power System. System Training Manual 2-32-4, Section 2.2.1 indicates that there are red and green swing inverters with each employed if either one of the two normal inverters it supports is inoperable. The diagram in Section 2.2.2 is for a swing inverter.

If the incoming breaker for the static switch, as shown in diagram System Training Manual 2 4, Section 2.2.2, should fail, is there an alarm to indicate that failure in the main control room?

Response

Each of the inverters has a trouble alarm in the Control Room caused by any of the following conditions:

DC INPUT UNDERVOLTAGE DC INPUT OVERVOLTAGE INVERTER OUTPUT UNDERVOLTAGE INVERTER OUTPUT OVERVOLTAGE INVERTER FAILURE OUT OF SYNC FAN FAILURE STATIC SWITCH TRANSFERRED SYSTEM OVERTEMPERATURE BYPASS TRANSFORMER FAILURE SYSTEM OUTPUT UNDERVOLTAGE SYSTEM OUTPUT OVERVOLTAGE 2CAN012403 Page 53 of 69 BATT INPUT B1 VITAL MCC ALT SOURCE 2RS1 Supply V1 STATIC SWITCH Swing Inverter V2 V3 120VAC VITAL INVERTER hz STATIC INVERTER FERRORESONAN TTRANSFORME R

150A 150A 40A Inverter Frequency V1-DC Input V lt V2-Load Supply V lt V3-Alternate Source V lt E1-Inverter FA1-Load C

t B2 B800 A1 2RS3 Supply Output Transfer Switch If breaker B2 "125 VAC Inverter Output Breaker" were to be open with the inverter otherwise aligned for service, the following alarm on the inverter should alarm, resulting in an inverter trouble alarm in the Control Room:

STATIC SWITCH TRANSFERRED Additionally, the local Alternate Source Supplying Load light would be illuminated.

2CAN012403 Page 54 of 69 STSB Question 01 NRC staff suggestion for licensee consideration: The proposed administrative controls for the RICT Program in TS 6.5.20 paragraph "e" of Attachment 2 to the LAR was based on the TS markups of TSTF-505, Revision 2. The NRC staff recognizes that the model SE for TSTF-505, Revision 2 contains improved phrasing for the administrative controls for the RICT Program in TS 5.5.7 paragraph "e," namely the phrasing "approved for use with this program" instead of "used to support this license amendment." In lieu of the original phrasing in TS 5.5.18 paragraph "e," discuss whether the phrases "used to support Amendment # xxx" or, as discussed in the TSTF-505 model SE, "approved for use with this program" would provide more clarity for this paragraph.

Response

The improved phrasing as stated in the Model SE " approved for use with this program "

provides more clarity than the original phrasing used in the ANO-2 license amendment application for TS 6.5.20 since it does not imply a connection with a particular amendment and specifically applies to the Risk Informed Completion Time Program.

ANO-2 requests to use the same phrasing as proposed in the model SE TS 5.5.18 paragraph "e".

TS 6.5.20.e in the original ANO-2 LAR:

e.

The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods used to support this license amendment, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

Proposed TS 6.5.20.e wording:

e.

The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods used to support this license amendment approved for use with this program, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

2CAN012403 Page 55 of 69 STSB Question 04 TSTF-505, Revision 2, does not allow for TS loss of function conditions (i.e., those conditions that represent a loss of a specified safety function or inoperability of all required trains of a system required to be operable) in the RICT program.

Based on the design success criteria provided in the license amendment request Table E1-1, it appears that some LCO Actions may constitute a loss of function. For example:

For TS 3.6.2.1 Action b.2, for both containment spray system (CSS) trains inoperable, the design success criteria are one CSS train and one containment cooling system (CCS) train. If both CSS trains are inoperable, this could result in a loss of function. The NRC staff notes that in Section 2.3.2.5 of the LAR it is discussed that TS 3.6.2.1 Action b.2 is cross-referenced to STS 3.6.6A Action G.1 of TSTF-505, which is not included in the RICT program. The discussion also states that: "With both Containment Spray trains inoperable, the Containment Cooling System, consisting of two service water supplied containment cooling units per train, is capable of providing the necessary post-accident heat removal function such that design pressure and temperature limits of the Containment Building are not exceeded." Based on this statement, the NRC staff believes that the design success criteria should be the CCS. In addition, in Section 2.5 of Enclosure 1 listing additional justification for TS 3.6.2.1 Action b.2, it states that:

"During a DBA, both containment spray trains, or one containment spray train and one containment cooling group is sufficient to reduce the containment building pressure and temperature." This statement mirrors the design success criteria listed in Table E1-1 but contradicts the information provided in Section 2.3.2.5 of the LAR. Confirm and correct, as necessary.

For TS 3.7.1.2 Action c, for two emergency feedwater (EFW) trains inoperable, the design success criterion is 1 out of 2 EFW trains. If both EFW trains are inoperable, this could result in a loss of function. The NRC staff notes that a discussion of this TS is in Section 2.3.2.6 of the LAR, which states that: "assuming no single failure of the remaining steam supply to the turbine-driven EFW pump, a loss of safety function can only occur if a steam line break on the steam generator supplying steam via the remaining operable steam supply valve were to occur. Because the ANO-2 PRA model can also quantify the potential of a steam line break occurring, a RICT may be applied to this unique ANO-2 Action." However, for Action c of TS 3.7.1.2, the plant is already in a condition where both EFW trains are inoperable and therefore, a loss of function exists.

Confirm and correct, as necessary.

Response

1) Administrative variation 2.3.2.5 states:

The TSTF-505 STS 3.6.6A, "Containment Spray and Cooling Systems (Atmospheric and Dual)," does not apply a RICT to Required Action G.1 (both Containment Spray trains are inoperable). Required Action G.1 requires immediate entry into LCO 3.0.3. The TSTF-505 STS markups were based on Revision 3 of NUREG 1432. With respect to inoperability of two Containment Spray trains, NUREG 1432, Revision 5 (STS 3.6.6A, Required Action C.2), and ANO-2 TS 3.6.2.1, "Containment Spray System," Action b.2, 2CAN012403 Page 56 of 69 allow 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to restore at least one of the Containment Spray trains to an operable status. Entergy proposes to apply a RICT to this configuration.

The Containment Spray System (CSS) and the Containment Cooling System (CCS) function to limit the pressure and temperature within the Containment Building during post-accident conditions. The CSS also supports iodine removal from the Containment Building atmosphere during the long-term recirculation phase post-accident. With both Containment Spray trains inoperable, the Containment Cooling System, consisting of two service water supplied containment cooling units per train, is capable of providing the necessary post-accident heat removal function such that design pressure and temperature limits of the Containment Building are not exceeded.

The 24-hour AOT provided is limited by two conditions: 1) both Control Room Emergency Ventilation System (CREVS) trains must be operable, and 2) the 24-hour AOT cannot be applied if the second Containment Spray train was intentionally made inoperable. The AOT is based on WCAP-16125-NP-A, "Justification for Risk-Informed Modifications to Selected Technical Specifications for Conditions Leading to Exigent Plant Shutdown," Revision 2 (August 2010), which demonstrated that the 24-hour AOT is acceptable based on the redundant heat removal capabilities afforded by the CCS, the iodine removal capability of the CREVS, the infrequent use of the action, and the small incremental effect on plant risk.

Because 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months may be insufficient to restore at least one of the Containment Spray trains to operable status, applying a RICT in this configuration may permit avoiding challenges to remaining safety systems due to inherent transient risks of a TS-required plant shutdown. In addition, ANO-2 TS 3.6.2.3, "Containment Cooling System," requires the unit to be shut down if any of the four containment cooling fans are inoperable when both CSS trains are inoperable (i.e., TS 3.6.2.3 does not contain a specific Action for this configuration; therefore, a unit shutdown is required). Based on the above, application of a RICT to ANO-2 TS 3.6.2.1, Action b.2, is acceptable.

The CSS in conjunction with the CCS provides sufficient redundancy so that any of the following combinations of equipment will provide adequate heat removal to attenuate the post-accident pressure and temperature conditions imposed upon the Containment following a LOCA or Main Steam Line Break (MSLB):

all four Containment cooling units; or both loops of the CSS; or two of the four Containment cooling units and one CSS loop Since the Containment Cooling System does not provide iodine removal from the Containment atmosphere, at least one Containment Spray system loop must operate following a LOCA in order to reduce Containment atmospheric iodine concentration.

The containment spray system uniquely aids in reducing iodine levels in the post-accident containment building atmosphere upon entry into the long-term recirculation phase by taking suction from the containment building sump. The sump water by this time contains sodium tetraborate (NaTB) decahydrate dissolved from the NaTB baskets located on the containment building floor (reference ANO-2 TS 3.6.2.2, "Containment Sump Buffering Agent").

2CAN012403 Page 57 of 69 TSTF-505 requires licensees to justify the ability to calculate a RICT for the aforementioned conditions, including how the system is modeled in the PRA, whether all functions of the system are modeled, and, if a surrogate is used, why the modeling is conservative.

The CCS and CSS are both modeled in the ANO-2 PRA. The CSS, which scrubs radioactive iodine from the containment building atmosphere and reduces the concentration of fission products in the containment building leakage is modeled in the LERF analysis; however, iodine scrubbing is conservatively not credited in the LERF model. Both the containment coolers and the CSS are modeled for reducing post-accident containment building pressure following a loss of coolant accident (LOCA) in the CDF and LERF models.

In summary, no surrogate modeling is required and the SSCs are modeled consistent with the TS scope and can be directly included in the CRMP tool for the RICT program.

The Design Success Criteria in LAR Table E1-1 for TS LCO 3.6.2.1 Action b.2 should read as follows: Both CCS trains OPERABLE and both CREVS trains OPERABLE in order to meet accident analyses assumptions.

TS and Condition Description SSCs Covered by TS Condition SSC in PRA Model Functions Covered by TS Condition Design Success Criteria PRA Success Criteria Disposition 3.6.2.1, Containment Spray System Two Containment Spray Systems (CSS) shall be operable Action b.2 With both Containment Spray Systems inoperable, restore within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (STS 3.6.6, Required Action G.1 in NUREG 1432, Revision

5. TSTF-505 (based on NUREG 1432, Revision 3,)

does not contain a restore time and, therefore, does not apply a RICT to STS 3.6.6)

Containment Spray Yes Containment integrity Both CCS trains OPERABLE and both CREVS trains OPERABLE in order to meet accident analyses assumptions At least one Containment Spray System OR one of four cooling units required SSCs are modeled consistent with the TS scope and can be directly included in the CRMP tool for the RICT program.

The entry to Table E1-1 above incorporates the above responses and replaces the corresponding portions of the table in the original LAR.

2CAN012403 Page 58 of 69

2) Original LAR, section 2.3.2.6 states:

ANO-2 TS 3.7.1.2, "Emergency Feedwater (EFW) System," Action c, addresses conditions where a turbine-driven EFW train is inoperable due to one inoperable steam supply AND the motor-driven EFW train is also inoperable. In this event, either the inoperable steam supply or the motor-driven EFW train must be restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . TSTF-505 applies a RICT to either of the aforementioned inoperabilities; however, STS 3.7.5 does not contain an action addressing an inoperable steam supply coincident with an inoperable motor-driven EFW pump. Entergy is proposing to apply a RICT to ANO-2 TS 3.7.1.2, Action c.

The risk associated with coincident inoperability of an inoperable steam supply and an inoperable motor-driven EFW pump can be quantified by the ANO-2 PRA model. In addition, assuming no single failure of the remaining steam supply to the turbine-driven EFW pump, a loss of safety function can only occur if a steam line break on the steam generator supplying steam via the remaining operable steam supply valve were to occur. Because the ANO-2 PRA model can also quantify the potential of a steam line break occurring, a RICT may be applied to this unique ANO-2 Action.

The condition described above assumes that a loss of function has not occurred (e.g., there is not a steam line break on the steam generator supplying steam via the remaining operable steam supply valve) and that the steam driven EFW pump can feed both steam generators utilizing the available steam supply.

2CAN012403 Page 59 of 69 STSB Question 05 TSTF-505, Revision 2, requires additional justification for STS 3.6.6A Conditions A, C, D, and E. In Attachment 5 of the LAR, page 6, TS 3.6.2.3 Actions a, b and c are cross-referenced to STS 3.6.6A Actions C.1, E.1, and D.1, respectively. In Attachment 5 of the LAR on page 6, it states that additional justification is provided in Enclosure 1 for Actions a and b. However, the NRC staff was unable to locate that information. In addition, the staff notes that additional justification is also required for Action c. Confirm and correct, as necessary.

Response

Entergy confirmed that additional justification for 3.6.2.3 Actions a, b, and c should have been explicitly noted in Enclosure 1 of submittal. The additional justification provided for TS 3.6.2.1 - Containment Spray System was intended to include the required justification for both the Containment Spray System (CSS) actions (Actions 3.6.2.1 a and b) and the Containment Cooling System (CCS) actions (a, b, and c), but 3.6.2.3 was not annotated as part of the additional justification material for 3.6.2.1 in the LAR. Therefore, that justification is provided here for TS 3.6.2.3, Actions a, b, and c.

TS 3.6.2.3 - Containment Cooling System LCO: Two Containment cooling groups shall be operable with two cooling units in each group.

Action a:

With one cooling group inoperable and both CSSs operable, restore cooling group within 7 days.

Action b:

With two cooling groups inoperable and both CSSs operable, restore at least one cooling group within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ; restore both cooling groups within 7 days.

Action c:

With one cooling group AND one CSS inoperable, restore CCS within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ; restore cooling group within 7 days.

Justification ANO-2 TS 3.6.2.3, Actions a, b, and c, govern conditions where one or more containment cooling groups are inoperable. The containment spray and containment cooling systems provide containment building atmosphere cooling to limit post-accident pressure and temperature in the containment building to less than the design values. In the event of a DBA, reduction of containment building pressure reduces the release of fission products from the containment building to the environment. The containment spray and containment cooling systems provide redundant methods to limit and maintain post-accident conditions to less than the containment building design values. During a DBA, one containment spray train or both containment cooling groups is sufficient to reduce the containment building pressure and temperature.

The containment spray system uniquely aids in reducing iodine levels in the post-accident containment building atmosphere upon entry into the long-term recirculation phase by taking suction from the containment building sump. The sump water by this time contains sodium tetraborate (NaTB) decahydrate dissolved from the NaTB baskets located on the containment building floor (reference ANO-2 TS 3.6.2.2, "Containment Sump Buffering Agent").

2CAN012403 Page 60 of 69 TSTF-505 requires licensees to justify the ability to calculate a RICT for the aforementioned conditions, including how the system is modeled in the PRA, whether all functions of the system are modeled, and, if a surrogate is used, why the modeling is conservative.

The Containment Cooling System and Containment Spray System are both modeled in the ANO-2 PRA. The Containment Spray System, which scrubs radioactive iodine from the containment building atmosphere and reduces the concentration of fission products in the containment building leakage is modeled in the LERF analysis; however, iodine scrubbing is conservatively not credited in the LERF model. Both the containment coolers and the Containment Spray System are modeled for reducing post-accident containment building pressure following a loss of coolant accident (LOCA) in the CDF and LERF models. In summary, no surrogate modeling is required and the SSCs are modeled consistent with the TS scope and can be directly included in the CRMP tool for the RICT program.

2CAN012403 Page 61 of 69 Supplemental Question EICB-1:

The NRC staff noted that there is no defense-in-depth assessment for instrumentation and controls (I&C) and the associated table. Please provide this information.

Response

Reactor Protective System (RPS)

The RPS design creates defense-in-depth due to the redundancy of the channels for each Function. The Function requires two channels to trip the reactor.

Each Function has four channels.

Any two tripped channels of any Function will cause a reactor trip.

A bypassed channel does not trip. It reduces the number of total available channels by one. This results in a two-out-of-three trip condition.

No more than one channel can be tripped in any Function. This is basically a one-out-of-three trip condition. Another channel trip for the same function would cause a reactor trip.

If two channels in the Function are out of service, then one channel is placed in bypass and the other is placed in trip. This results in a one-out-of-two trip condition. Another channel trip from the same function would cause a reactor trip.

The RPS trips are (8 analog and 2 digital CPC):

High Local Power Density (LPD) (Linear Heat Rate) (CPC)

Low Departure from Nucleate Boiling Ratio (DNBR) (CPC)

High Linear Power Level High Logarithmic Power Level High Pressurizer Pressure Low Pressurizer Pressure Low Steam Generator Water Level High Steam Generator Water Level (TRM required, not Tech Spec)

Low Steam Generator Pressure High Containment Pressure (RPS)

CPC "Auxiliary Trips" will cause LPD and DNBR trips if certain parameters exceed their setpoints:

RCS Cold Leg Temperature > 495°F or > 580°F Axial Shape Index (ASI) >+0.5 or < -0.5 Pressurizer Pressure < 1860 psia or > 2375 psia Integrated Radial (One Pin) Peaking Factor < 1.28 or > 7.00 RCP trip < 2 RCPs running based on RCP speed (However, penalty factors will result in trip if any RCP trips since the supporting safety analysis was not completed for < 4 RCPs)

QASI (Hot Pin ASI) out of range -0.45 to +0.45 2CAN012403 Page 62 of 69 Asymmetric Steam Generator Transient (ASGT) based on differential Cold Leg temperature of diagonally opposite RCS loops that is ramped from 31 deg F to 11 deg F from 0 to 100% power Variable Overpower Trip > 300% / minute down power or > 12% / minute up power Thot at saturation Internal processing error Engineered Safety Features Actuation System (ESFAS)

The ESFAS design creates defense-in-depth due to the redundancy of the channels for each Function. Each Function requires two channels to initiate the safety system response.

Each Function has four channels.

Any two tripped channels of any Function will cause a safety system response.

A bypassed channel does not trip. It reduces the number of total available channels by one. When a channel is bypassed, a two-out-of-three trip logic exists.

No more than one channel can be tripped for any Function. With one channel of a function tripped, a one-out-of-three trip logic exists. An additional channel trip on the same function would result in a safety system actuation.

If two channels in the Function are out of service, then one channel is placed in bypass and the other is placed in trip according to procedure. This results in a one-out-of-two trip logic. An additional channel trip on the same function would result in a safety system actuation.

From Regulatory Guide 1.174, Revision 2, Section 2.1.1 Defense-in-depth consists of a number of elements and consistency with the defense-in-depth philosophy is maintained if the following occurs:

A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.

o Current Technical Specifications reflect this balance by allowing one sensor module or channel of a Function to be placed in bypass or trip, while preserving the fundamental safety function of the RPS and ESFAS. Bypassing or tripping an inoperable channel does not affect the number of channels required to provide the safety function (two channels per Function). Even in the Technical Specification Condition for two channels in a Function inoperable, the fundamental safety function is preserved, since two Operable channels remain in the Function. Note: when two channels are inoperable (LCO 3.3.1.1 Action 3),

one must be placed in bypass within an hour. This Completion Time is not included in the LAR.

Over-reliance on programmatic activities as compensatory measures associated with the change in the licensing basis is avoided.

2CAN012403 Page 63 of 69 o No programmatic activities are relied upon as compensatory measures when one or two channels of an RPS or ESFAS Function are inoperable. The remaining Operable channels for that Function are fully capable of performing the safety function of RPS or ESFAS.

System redundancy, independence, and diversity are preserved commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g.,

no risk outliers).

o System redundancy, independence and diversity remain the same as in the as designed condition. The number of Operable Functions has not been decreased (diversity), the number of minimum Operable channels to perform the safety function has not been decreased, and the channels remain independent as originally designed, even with one channel inoperable.

Defenses against potential common-cause failures are preserved, and the potential for the introduction of new common-cause failure mechanisms is assessed.

o This LAR does not impact the original determination of common cause failure for the RPS or ESFAS and its Functions. It may allow the Completion Time to be extended for one or two channels in a Function to be inoperable prior to placing the channel in trip. Placing the channel in trip fulfils one of the two required channels in trip needed to perform the safety function.

Independence of barriers is not degraded.

o Barriers are not affected by this LAR request.

Defenses against human errors are preserved.

o In the Conditions listed in the Technical Specifications, a potential extension of the Completion Time does not change any personnel actions required when the Technical Specification Condition is entered. Therefore, no change to the possibility of a human error is introduced and no change to the defenses against that potential human error have been altered.

The intent of the plants design criteria is maintained.

o The design criteria of the RPS and ESFAS is maintained as reflected in the UFSAR, Sections 7.2 and 7.3. Redundancy, diversity of signal and independence of trip channel functions are maintained with the requested change. The change requested in the LAR does not physically change the RPS or ESFAS systems in any way. It only allows additional time, under certain low risk conditions in accordance with the RICT Program, to perform Actions that the NRC has previously determined to be acceptable.

Therefore, the defense-in-depth principals prescribed in Regulatory Guide 1.174, Rev. 2 are met.

Table EICB-01-1 "Instrumentation and Controls Defense in Depth" lists various accidents from Chapter 15 of the SAR with the primary and secondary diverse reactor trips as well as the expected ESFAS response to mitigate the listed accidents.

2CAN012403 Page 64 of 69 Table EICB-01-1 Instrumentation and Controls Defense in Depth Accident RPS Response ESFAS Response Uncontrolled Control Element Assembly Withdrawal from a Subcritical Condition SAR 15.1.1 High Log Power Level Trip High Linear Power Level Trip CPC Variable Overpower Trip (VOPT)

High Local Power Density Trip Low DNBR Trip (CPC)

No Engineered Safety Features Actuation System (ESFAS) actuation assumed Uncontrolled Control Element Assembly Withdrawal from Critical Conditions SAR 15.1.2 Low DNBR Trip (CPC)

High Local Power Density Trip High Pressurizer Pressure Trip Low Steam Generator Water Level Trip CPC DNBR Variable Overpower Trip (VOPT)

Emergency Feedwater (EFW) actuation signal (EFAS) on low steam generator level CEA Misoperation (Stuck or Dropped CEA(s))

SAR 15.1.3 CPC Trip Manual Trip If Required No ESFAS actuation assumed Uncontrolled Boron Dilution Incident (During Critical Operation)

SAR 15.1.4 Low DNBR Trip (CPC)

High Local Power Density Trip High Pressurizer Pressure Trip Variable Overpower Trip No ESFAS actuation assumed Total and Partial Loss of Reactor Coolant Forced Flow (Electrical Failure)

Low DNBR Trip (CPC)

Low RCP Speed Trip (CPC)

EFAS 2CAN012403 Page 65 of 69 Table EICB-01-1 Instrumentation and Controls Defense in Depth Accident RPS Response ESFAS Response SAR 15.1.5 High Pressurizer Pressure Trip Total and Partial Loss of Reactor Coolant Forced Flow (Shaft Seizure)

SAR 15.1.5 Low DNBR Trip (CPC)

Low RCP Speed Trip (CPC)

High Pressurizer Pressure Trip EFAS Idle Loop Startup SAR 15.1.6 None No ESFAS actuation assumed Loss of External Load and/or Turbine Trip SAR 15.1.7 No trip expected if load loss is less than capacity of available Turbine Bypass and Dump Valves ~ 51%

power since Upstream Dumps are maintained isolated by MOV.

High Pressurizer Pressure Trip Loss of Normal Feedwater Flow SAR 15.1.8 Low SG level trip High Pressurizer Pressure EFAS Loss of All Normal and Preferred AC Power to the Station Auxiliaries SAR 15.1.9 Low DNBR Trip Loss of RCP Aux Trip for LPD and DNBR Diesel Generator (DG) start and load EFAS Excess Heat Removal Due to Secondary System Malfunction SAR 15.1.10 Low DNBR Trip High Local Power Density Trip CPC VOPT Low SG Level Trip Main Steam Isolation Signal (MSIS)

EFAS Safety Injection Actuation Signal (SIAS) 2CAN012403 Page 66 of 69 Table EICB-01-1 Instrumentation and Controls Defense in Depth Accident RPS Response ESFAS Response Low SG Pressure Trip Failure of the Regulating Instrumentation SAR 15.1.11 Failure of control systems discussed in SAR Section 7.7 could result in reactor trip.

No ESFAS actuation assumed Major Rupture of Pipes Containing Reactor Coolant Up to and Including Double-Ended Rupture of Largest Pipe in the Reactor Coolant System (Loss of Coolant Accident)

SAR 15.1.13 Note: RPS response not specifically discussed in SAR.

Low Pressurizer Pressure High Containment Pressure Assumed actuation on:

Low DNBR (CPC)

SIAS Containment Spray System (CSS)

Containment Cooling System (CCS)

Containment Isolation System (CIS)

DG Start and Load if concurrent with LOOP Steam Line Break SAR 15.1.14.1 Low Steam Generator Pressure Low SG Level Trip High Linear Power Level Trip Signal Low DNBR Trip Signal High Local Power Density Trip Signal Low Pressurizer Pressure Trip MSIS EFAS SIAS Containment Isolation Actuation System (CIAS)

Containment Cooling Actuation Signal (CCAS)

Containment Spray Actuation Signal (CSAS)

DG Start and Load if concurrent with LOOP Feedwater Line Break Accident SAR 15.1.14.2 Low SG level trip (Assumed only on good Steam Generator)

High Pressurizer Pressure EFAS Main Feedwater Isolation Valve (MFIV)

Closure MSIS 2CAN012403 Page 67 of 69 Table EICB-01-1 Instrumentation and Controls Defense in Depth Accident RPS Response ESFAS Response CSAS CIAS CCAS Inadvertent Loading of a Fuel Assembly into the Improper Position SAR 15.1.15 No RPS Actuation Anticipated No ESFAS Actuation Anticipated Steam Generator Tube Rupture With or Without a Concurrent Loss of AC Power SAR 15.1.18 Low DNBR Trip (if in excess of Charging Pump Capacity)

CPCS RCP Shaft Speed Low Trip (LOOP)

Low Pressurizer Pressure Trip DG Startup and Load if concurrent with LOOP EFAS SIAS Control Element Assembly Ejection SAR 15.1.20 High Linear Power Level Trip CPC DNBR Trip (Based On VOPT)

SIAS Loss of Condenser Vacuum SAR 15.1.28 High Pressurizer Pressure Trip EFAS due to no Main Feed Pumps.

Transients Resulting from the Instantaneous Closure of a Single MSIV SAR 15.1.36 CPC Asymmetric Steam Generator Transient Protection (ASGTP) Trip CPC Low DNBR Trip SG Pressure Low SG Level Low High Linear Power Level Trip Signal No ESFAS actuation assumed 2CAN012403 Page 68 of 69 RPS - Diverse inputs trip the reactor High Logarithmic Power Level High Linear Power Level Low DNBR (includes Auxiliary Trips)

High Local Power Density (includes Auxiliary Trips)

High Pressurizer Pressure Low Pressurizer Pressure Low Steam Generator Water Level Low Steam Generator Pressure High Containment Pressure Manual Reactor Trip High Steam Generator Water Level ESFAS - Inputs create diverse equipment response Containment Pressure - High Safety Injection Actuation Signal Containment Spray Actuation Signal Containment Isolation Actuation Signal Containment Cooling Actuation Signal Pressurizer Pressure - Low Safety Injection Actuation Signal Steam Generator Pressure - Low Main Steam Isolation Signal Refueling Water Tank Level - Low Recirculation Actuation Signal Steam Generator Level - Low Emergency Feedwater Actuation Steam Generator Pressure Difference - High Emergency Feedwater Actuation 2CAN012403 Page 69 of 69

References:

1.

Nuclear Energy Institute (NEI) 06-09-A, "Risk-Informed Technical Specifications Initiative 4b Risk-Managed Technical Specifications (RMTS) Guidelines," Revision 0-A (ML12286A322), dated October 12, 2012.

2.

Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis", Rev. 3, (ML17317A256), January 2018.

3.

U.S. NRC, "Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities," RG 1.200, Revision 3, (ML20238B871), December 2020.

4.

Entergy, PSA-ANO2-01-AS-01, "ANO-2 ATWS Analysis," Revision 2, April 2023.

5.

Entergy, COPD-024, "Risk Assessment Guidelines," Revision 75, dated March 27, 2023.

6.

Entergy, EN-DC-401, "Risk Informed Completion Time," Revision 0, dated March 23, 2023.

7.

Entergy, PSA-ANO2-06-4B-SOU, "ANO-2 PRA - Assessment of Key Assumptions and Sources of Uncertainty for TSTF-505 (RICT) Submittal," Revision 0, dated February 28, 2023.

8.

NRC Letter to NEI, "Updated Assessment of Industry Guidance for Crediting Mitigating Strategies in Probabilistic Risk Assessments," (ML22014A084) dated May 6, 2022.

9.

Entergy, PSA-ANOC-06-4B-TORMIS, "Tornado Missile and Pressure Fragilities for Select ANO SSCs," Revision 0, October 2022.

10. Twisdale, L.A., et al., "Tornado Missile Risk Analysis," NP-768, Electric Power Research Institute, Palo Alto, California, May 1978.

11. Entergy Letter to NRC, "License Amendment Request to Incorporate Tornado Missile Risk Evaluator into the Licensing Basis," (ML19119A090) (0CAN041904), dated April 29, 2019.

12. NRC Letter to Entergy, "Arkansas Nuclear One, Units 1 and 2 - Issuance of Amendment Nos. 269 and 321 RE: Request to Incorporate the Tornado Missile Risk Evaluator into the Licensing Basis," (ML20135H141) (0CNA062003), dated June 30, 2020.

13. Entergy, PSA-ANO1-06-4B-TRM, "ANO-1 Conservative Tornado Risk Model,"

Revision 0, dated June 20, 2023.

14. Entergy, PSA-ANO2-06-4B-TRM, "ANO-2 Conservative Tornado Risk Model,"

Revision 0, dated June 19, 2023.

15. Entergy Letter to NRC, "Supplemental Information - Adopt Risk-Informed Completion Times TSTF-505, Revision 2, 'Provide Risk-Informed Extended Completion Times -

RITSTF Initiative 4'" (ML23264A856) (1CAN092301), dated September 21, 2023.

2CAN012403 Technical Specification Page Markups

[2 pages]

ARKANSAS - UNIT 2 6-18b Amendment No. 327, ADMINISTRATIVE CONTROLS 6.5.19 Safety Function Determination Program (SFDP)

This program ensures loss of safety function is detected and appropriate actions taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other appropriate limitations and remedial or compensatory actions may be identified to be taken as a result of the support system inoperability and corresponding exception to entering supported system ACTIONs.

This program implements the requirements of LCO 3.0.6. The SFDP shall contain the following:

a.

Provisions for cross train checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected,

b.

Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists,

c.

Provisions to ensure that an inoperable supported system's allowed outage time is not inappropriately extended as a result of multiple support system inoperabilities, and

d.

Other appropriate limitations and remedial or compensatory actions.

A loss of safety function exists when, assuming no concurrent single failure, no concurrent loss of offsite power, or no concurrent loss of onsite diesel generator(s), a safety function assumed in the accident analysis cannot be performed. For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:

a.

A required system redundant to the system(s) supported by the inoperable support system is also inoperable, or

b.

A required system redundant to the system(s) in turn supported by the inoperable supported system is also inoperable, or

c.

A required system redundant to the support system(s) for the supported systems (a) and (b) above is also inoperable.

The SFDP identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate ACTIONs of the LCO in which the loss of safety function exists are required to be entered. When a loss of safety function is caused by the inoperability of a single Technical Specification support system, the appropriate ACTIONs to enter are those of the support system.

6.5.20 Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09-A, Revision 0, "Risk-Managed Technical Specifications (RMTS) Guidelines." The program shall include the following:

a.

The RICT may not exceed 30 days;

b.

A RICT may only be utilized in MODE 1 and 2;

ARKANSAS - UNIT 2 6-18c Amendment No.

6.5.20 Risk Informed Completion Time Program (continued)

c.

When a RICT is being used, any change to the plant configuration, as defined in NEI 06-09-A, Appendix A, must be considered for the effect on the RICT.

1.

For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.

2.

For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the plant configuration change, whichever is less.

3.

Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

d.

For emergent conditions, if the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:

1.

Numerically accounting for the increased possibility of CCF in the RICT calculation; or

2.

Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

e.

The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods approved for use with this program used to support this license amendment, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

2CAN012403 Retyped Technical Specification Pages

[2 Pages]

ARKANSAS - UNIT 2 6-18b Amendment No. 327, ADMINISTRATIVE CONTROLS 6.5.19 Safety Function Determination Program (SFDP)

This program ensures loss of safety function is detected and appropriate actions taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other appropriate limitations and remedial or compensatory actions may be identified to be taken as a result of the support system inoperability and corresponding exception to entering supported system ACTIONs.

This program implements the requirements of LCO 3.0.6. The SFDP shall contain the following:

a.

Provisions for cross train checks to ensure a loss of the capability to perform the safety function assumed in the accident analysis does not go undetected,

b.

Provisions for ensuring the plant is maintained in a safe condition if a loss of function condition exists,

c.

Provisions to ensure that an inoperable supported system's allowed outage time is not inappropriately extended as a result of multiple support system inoperabilities, and

d.

Other appropriate limitations and remedial or compensatory actions.

A loss of safety function exists when, assuming no concurrent single failure, no concurrent loss of offsite power, or no concurrent loss of onsite diesel generator(s), a safety function assumed in the accident analysis cannot be performed. For the purpose of this program, a loss of safety function may exist when a support system is inoperable, and:

a.

A required system redundant to the system(s) supported by the inoperable support system is also inoperable, or

b.

A required system redundant to the system(s) in turn supported by the inoperable supported system is also inoperable, or

c.

A required system redundant to the support system(s) for the supported systems (a) and (b) above is also inoperable.

The SFDP identifies where a loss of safety function exists. If a loss of safety function is determined to exist by this program, the appropriate ACTIONs of the LCO in which the loss of safety function exists are required to be entered. When a loss of safety function is caused by the inoperability of a single Technical Specification support system, the appropriate ACTIONs to enter are those of the support system.

6.5.20 Risk Informed Completion Time Program This program provides controls to calculate a Risk Informed Completion Time (RICT) and must be implemented in accordance with NEI 06-09-A, Revision 0, "Risk-Managed Technical Specifications (RMTS) Guidelines." The program shall include the following:

a.

The RICT may not exceed 30 days;

b.

A RICT may only be utilized in MODE 1 and 2;

ARKANSAS - UNIT 2 6-18c Amendment No.

6.5.20 Risk Informed Completion Time Program (continued)

c.

When a RICT is being used, any change to the plant configuration, as defined in NEI 06-09-A, Appendix A, must be considered for the effect on the RICT.

1.

For planned changes, the revised RICT must be determined prior to implementation of the change in configuration.

2.

For emergent conditions, the revised RICT must be determined within the time limits of the Required Action Completion Time (i.e., not the RICT) or 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the plant configuration change, whichever is less.

3.

Revising the RICT is not required If the plant configuration change would lower plant risk and would result in a longer RICT.

d.

For emergent conditions, if the extent of condition evaluation for inoperable structures, systems, or components (SSCs) is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of common cause failure (CCF) by either:

1.

Numerically accounting for the increased possibility of CCF in the RICT calculation; or

2.

Risk Management Actions (RMAs) not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

e.

The risk assessment approaches and methods shall be acceptable to the NRC. The plant PRA shall be based on the as-built, as-operated, and maintained plant; and reflect the operating experience at the plant, as specified in Regulatory Guide 1.200, Revision 2. Methods to assess the risk from extending the Completion Times must be PRA methods approved for use with this program, or other methods approved by the NRC for generic use; and any change in the PRA methods to assess risk that are outside these approval boundaries require prior NRC approval.

v t e Letter Sequence Supplement
EPID:L-2023-LLA-0052, TSTF-505 (Approved, Closed)
Initiation Request, Request Acceptance Supplement Administration Questions 27 March 2024 Answers Results Approval, Approval Other: ML23209A602, ML24017A298
MONTHYEAR2024-03-27 [Table View]

2CAN012403, Supplemental Information - Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4

Text

Subject:

References:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

References:

Navigation menu

2CAN012403, Supplemental Information - Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4

Text

Subject:

References:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

References:

Navigation menu

Search