NL-04-0469, Response to RAI Related to DC Sources - Operating

From kanterella
Jump to navigation Jump to search
Response to RAI Related to DC Sources - Operating
ML040930188
Person / Time
Site: Farley Southern Nuclear icon.png
Issue date: 03/31/2004
From: Stinson L
Southern Nuclear Operating Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NL-04-0469
Download: ML040930188 (22)
v  d  e


Text

L M. Stinson (Mike) Southern Nuclear Vice President Operating Company, Inc.

40 Invcrness Center Parkway Post Office Box 1295 Birmingham, Alabama 35201 Tel 205.992.5181 Fax 205.992.0341 i SOUTHERN EN March 31, 2004 COMPANY Energy to Serve Your World9 Docket No.: 50-348 NL-04-0469 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D. C. 20555-0001 Joseph M. Farley Nuclear Plant Plant - Unit I Response to Request for Additional Information Related to DC Sources - Operatingl Ladies and Gentlemen:

By letter dated September 19, 2003, Southern Nuclear Operating Company (SNC) submitted a request to amend the Farley Nuclear Plant (FNP) Unit I Technical Specifications, DC Sources - Operating. NRC letter dated March I1, 2004 requested SNC to provide additional information related to this request. The Enclosure provides the NRC questions and the SNC responses.

Mr. L. M. Stinson states he is a Vice President of Southern Nuclear Operating Company, is authorized to execute this oath on behalf of Southern Nuclear Operating Company and to the best of his knowledge and belief, the facts set forth in this letter are true.

This letter contains no NRC commitments. If you have any questions, please advise.

Respectfully submitted, SOUTHERN NUCLEAR OPERATING COMPANY

.......... -L.M. Stinson Swsorntlo and subscribedbefore me this ._/ dayof 7__ , 2004.

- -Notary P blic

-. . My commission expires:

LMS/WAS/sdl Enclosure

U. S. Nuclear Regulatory Commission NL-04-0469 Page 2 cc: Southern Nuclear Operating Company Mr. J. B. Beasley, Jr., Executive Vice President %v/oEnclosure Ms. C. D. Collins, General Manager - Farley Mr. D. E. Grissette, General Manager - Plant Farley RTYPE: CFA04.054; LC# 13991 U. S. Nuclear Regulatory Commission Mr. L. A. Reyes, Regional Administrator Mr. S. E. Peters, NRR Project Manager - Farley Mr. C. A. Patterson, Senior Resident Inspector - Farley Alabama Department of Public Health Dr. D. E. Williamson, State Health Officer

ENCLOSURE SNC Response to NRC Request for Additional Information Related to DC Sources - Operating

SNC Response to NRC Request for Additional Information Related to DC Sources - Operating Enclosure NRC Question 1 Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications," Section 2.2.1, "Defense in Depth," indicates that the proposed TS change request should maintain defense against potential common cause failures. In the cover letter of the submittal and on Page 1 of Enclosure 1, the licensee's request states that the cells in battery bank 1B appear to be aging. Please address the following issues:

a. What are the average, minimum, and maximum ages of the cells in each battery bank?

SNC Response:

All of the cells for IA and 1B Auxiliary Building Batteries, including the original spares, were manufactured and purchased at the same time. Installation of the IA and lB Auxiliary Building Batteries was completed in April 1988. Since the last outage, three cells of the lB Auxiliary Building Battery have been replaced with original spares. Auxiliary Building Battery IA consists of all original cells.

Therefore, the average, minimum, and maximum age of the cells in the IA and lB Auxiliary Building Batteries is 16 years. Auxiliary Building Batteries 2A and 2B were purchased in 1993. None of the cells in the 2A or 2B Auxiliary Building Batteries have been replaced. Therefore, the average, minimum, and maximum age of the cells in the 2A and 2B Auxiliary Building Batteries is 11 years.

b. Are there indications of aging in the other battery banks?

SNC Response:

Auxiliary Building Battery banks 1A, 2A and 2B show normal signs of aging and exhibit no significant anomalies. However, the lB Auxiliary Building Battery has signs of abnormal aging. Based on recent walkdowns, approximately 15% of the cells showed sulfation, 10% showed signs of positive plate growth and cracked post seals and 17 % had sponge lead in the bottom of the case. In addition, crystalline structures are present on the bottom support tabs of the negative plates for approximately half of the cells.

c. Has a root cause analysis been performed? If so, are there any indications of common-cause failures?

SNC Response:

A root cause analysis was performed and extensive monitoring and investigation of the behavior of lB Auxiliary Building Battery continues. While the age of the battery, room temperature, ripple current, and float voltage levels are contributors, no clear root cause has been identified. Inspection and monitoring have confirmed that similar abnormal degradation has not occurred on the other Auxiliary Building battery banks in the plant. This investigation has not identified any common-cause failure mechanism.

Enclosure Response to RAI Page 2 of 19 NRC Question 2 As discussed in RG 1.177, Section 2.3.3.1, "Detail Needed forTS Changes," please provide the following numerical reliability data for the battery banks. For each value, identify the source of the data (e.g., plant-specific data). Summarize the methods used to convert raw data into final parameter estimates (e.g., maximum likelihood estimates, Bayesian methods):

a. Failure probability - Indicate if this value is based on a failure-on-demand probability (binomial model) or derived using a standby failure rate (Poisson model).

If the latter, provide the time between tests.

SNC Response:

Due to monitoring programs in place at Farley, the plant has experienced few failures of the auxiliary building batteries. Batteries which are discovered to be degraded are typically removed from service for corrective maintenance prior to loss of function.

Therefore, there is no plant-specific data upon which to base the battery failure probability. Therefore, for Revision 5 of the Farley PRA (which was used in evaluating the AOT extension), the battery failure rate is l .OOE-06/hour which is taken from NUREG/CR-4550, Volume 1, Revision 1,Table 8.2-5. The battery basic event failure probability is based on the hourly failure rate and the required mission time for the batteries. By design, the batteries will support the safety related DC components for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> without battery charger support. As a PRA conservative assumption, the mission time is assumed to be 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to bound undetected failures immediately prior to an initiating event. Therefore, the final basic event failure probability for the auxiliary building batteries is 2.40E-05.

Basic Event Failure Probability je = (NUREG/CR-4550 probability)

  • 24

= (I.OOE-06/hour)

  • 24 = 2.40E-05
b. Average unavailability due to maintenance during Mode 1 - Indicate if this value only considers corrective maintenance, or all maintenance.

SNC Response:

The maintenance unavailability for the Revision 5 PRA model is based on historical data for all maintenance events from 1984 through 1997. During that period, there were a total of 19 maintenance events for the two units at Farley (4 batteries) with a total out-of-service time of 24.67 hours7.75463e-4 days <br />0.0186 hours <br />1.107804e-4 weeks <br />2.54935e-5 months <br />. The two units were in Mode 1 for a total of 213,459.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. This results in a maintenance unavailability probability of 5.78E-05.

U = (total out of service time / (Time in Mode I

  • Batteries per unit))

= (24.67 hours7.75463e-4 days <br />0.0186 hours <br />1.107804e-4 weeks <br />2.54935e-5 months <br /> / (213,459.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> per battery

  • 2 batteries))

= 5.78E-05

Enclosure Response to RAI Page 3 of 19

c. Probability of common-cause failure - Indicate what model (e.g., beta factor) was used to make the estimate.

SNC Response:

The common cause analysis for the Farley IPE was based on a plant-specific screening of the data from a September 1990 EPRI draft report. This database did not include any common-cause failure events for batteries. Therefore, the Farley IPE and subsequent revisions have not included a common-cause failure event for the auxiliary building batteries. A review of past unavailability events shows that there is a significant difference in the experience related to the IA and IB battery banks.

In addition, walkdowns to assess battery condition identified specific issues related to the condition of the 1B battery that did not exist on the IA battery. Therefore, conditions causing the additional out-of-service time for the 1B battery bank are not considered indicative of a common-cause failure.

NRC Question 3 As presented in RG 1.177, Section 2.3.4, "Assumptions in AOT and STI Evaluations," please provide the following details about how the incremental conditional core damage probability and incremental conditional large early release probability values were calculated:

a. Were the risk impacts based on the change in average core damage frequency/large early release frequency (CDF/LERF) using the mean outage times for the current and proposed completion time? If so, provide the value and basis for the increased battery bank unavailability due to maintenance. If the risk impacts were estimated using a zero-maintenance state as the base case (i.e., the risk impacts were estimated using "risk meter" software), please state so.

SNC Response:

Average maintenance unavailability values were used for all components other than the station batteries for assessing the CDF for both the current and proposed completion times. The maintenance unavailability for the batteries was adjusted as follows:

The maintenance frequency should not increase with the new AOT based on discussions with the battery maintenance personnel. For the purpose of this evaluation, the outage duration for the batteries is based on an average time derived from historical data. Because the current Completion Time for an inoperable battery is so short, the batteries are not taken out of service during power operation unless some sort of corrective maintenance is required. The proposed extended Completion Time is not intended to provide for on-line preventive maintenance; it is only to provide for more orderly corrective maintenance. Therefore, in order to evaluate the risk impact of the proposed extended Completion Time, as recommended by the WOG "General Process for Evaluating the Safety Impact of Changes to Technical Specification Allowed Outage Times," the average maintenance frequency was increased to a value estimated based on the ratio of proposed AOT and current AOT (1212). The current maintenance unavailability for the auxiliary building batteries is

Enclosure Response to RAI Page 4 of 19 5.78E-05. The "new" maintenance unavailability for the Class IE batteries is as follows:

U new = (proposed AOT / the old AOT) U old = (12/2)

  • 5.78E-5 = 3.468E-04
b. What truncation limits were used for accident sequence solution?

SNC Response:

The analysis was performed at a truncation value of L.OE-1 I for core damage frequency and 5.OE-13 for large early release frequency consistent with the baseline quantification for Farley PRA Revision 5.

c. What are the base case importance measures (Fussell-Vesely and risk achievement worth for battery bank 1B?

SNC Response:

The core damage importance measures for battery bank I B based on the baseline quantification for Farley PRA Revision 5 are:

RAW = 9.65 Fussell-Vesely = 2.74E-04 NRC Question 4 As discussed in RG 1.177, Section 2.4, "Acceptance Guidelines for TS Changes," and RG 1.174, Sections 2.2.4, "Acceptance Guidelines," and 2.2.5, "Comparison of PRA Results with the Acceptance Guidelines," please provide the base case CDF, change in CDF (ACDF), base case LERF, and change in LERF (ALERF).

SNC Response:

Baseline Risk (per Risk with Increased battery Change in Risk Risk Measure reactor year) AOT (per reactor year) (per reactor year)

CDF 3.858E-05 3.872E-05 1.400E-07 LERF 4.187E-07 4.187E-07 O.OOOE+00 NRC Question S As presented in RG 1.177, Section 2.3.2, "Scope of the PRA for TS Change Evaluations," and RG 1.174, Sections 2.2.5.4, "Completeness Uncertainty," and 2.2.5.6, "Comparisons with Acceptance Guidelines," do the estimated numerical risk impacts include the contributions from internal floods and external events such as fires, earthquakes, etc.? If not, please provide a qualitative discussion of the risk impacts from these types of events.

Enclosure Response to RAI Page 5 of 19 SNC Response:

These comparisons include only the impacts of internal initiating events, including internal flooding. Based on the results of the quantifications, a large portion of the risk increase is due to the inability to establish the generator flashing field with the associated battery. These impacts are magnified by the fact that the Farley PRA model does not credit the opposite unit battery as a source of DC power for starting Diesel Generators 1/2A, 1C, and 2C. Therefore, the actual increase in plant risk would be smaller if the alternate DC sources, which are automatically aligned through power seeking transfer switches, were credited. Another source of conservatism in the risk analysis is that manual operation of the Atmospheric Relief Valves for the secondary side heat sink is only credited in the PRA model for Station Blackout events. It is expected that these conservatisms in the internal risk analysis would offset any increase in the ICCDP, ICLERP, delta CDF, and delta LERF from inclusion of external risk initiating events. Therefore, the conclusions are considered valid considering all potential initiating events.

NRC Question 6 In Enclosure 1, Page 4, the licensee's request states, 'There is reasonable assurance that risk-significant equipment configurations will not occur..." and "Increases in risk.. .will be managed."

Please provide additional detail so that a decision concerning satisfaction of the Tier 2 guidance in R.G. 1.177, Sections 2.3, "Evaluation of Risk Impact," and 2.4, "Acceptance Guidelines for TS Changes," (second item) can be reached. Has a systematic search been made for risk-significant equipment configurations when battery bank lB is out of service? What, if any, compensatory measures are proposed?

SNC Response:

A systematic search for risk-significant equipment configurations was conducted by calculating Core Damage RAW values for each component included in the Farley risk monitor assuming that Auxiliary Building battery lB was also out-of-service. This evaluation was performed for both Train A and Train B on-service alignments. The RAW values generated in this fashion allow identification of those combinations which would produce a higher Equipment Out-of-Service (EOOS) Monitor Risk Profile Indicator Color than the battery maintenance alone. One battery out-of-service produces a CDF Risk Profile Indicator Color of YELLOW. Therefore, based on the guidance contained in FNP-0-ACP-52.1, "Guidelines For Scheduling Of On-Line Maintenance," voluntary removal from service of additional equipment resulting in an ORANGE CDF Risk Profile Indicator Color would require OSS and Operations Manager concurrence and voluntary removal from service of additional equipment resulting in a RED CDF Risk Profile Indicator Color should be avoided. The list of equipment identified as producing higher risk configurations will be provided to Farley Nuclear Plant work planning and operations personnel with the revised specification.

Since a large portion of the risk increase is due to the inability to start a diesel generator with the associated battery in response to a loss of offsite power (LOSP), compensatory measures will be put in place to ensure no maintenance activities are initiated in the high voltage or low voltage switchyards at Farley Nuclear Plant when battery bank IB is in maintenance.

Additionally, grid operators will be notified of the battery maintenance and asked to forego

Enclosure Response to RAI Page 6 of 19 voluntary system operations which could increase the likelihood of LOSP affecting the Farley site.

NRC Question 7 In Enclosure 1, Page 3, the licensee's request states that the probabilistic risk assessment (PRA) was reviewed against NEI 00-02 in August 2001. As discussed in RG 1.177, Section 2.3.1, "Quality of the PRA," and RG 1.174, Sections 2.2.3.3, "PRA Technical Acceptability," and 2.5, "Quality Assurance," please provide the Category A and B review findings and address the following items:

a. Indicate what progress has been made over the past two years towards resolving these findings, and what work remains to be finished.

SNC Response:

There were no Category A findings resulting from the Farley peer review. Issues with Facts and Observations classified as significance level "B" are addressed below:

b. Summarize changes to design and operational practices made since the review was completed that have an impact on PRA elements, but that have not yet been incorporated into the PRA model.

SNC Response:

There are no known changes in design and operational practices since the peer review was completed that would have an impact on PRA elements addressed in the peer review.

Observation IE-2 Issue: The Interfacing System LOCA Frequency notebook documents the development of the ISLOCA initiating event frequency. When calculating the probability of failure of valves in series (i.e., RHR discharge and suction), the probability of failure was not correlated (pages 28-3 1). The correlation is dependent on the variance of the probability distribution, which is usually quite large for valve rupture probabilities. The necessity of correlating variables is discussed in NUREG/CR-5744, "Assessment of ISLOCA Risk-Methodology and Application to a Westinghouse Four-Loop Ice Condenser Plant."

That NUREG also provides an overall ISLOCA evaluation approach that is generally accepted as more realistic than the approach used for the Farley IPE, addressing in more detail such factors as alternate pathways resulting from failures of other equipment (e.g., heat exchangers, relief valves) in the interfacing systems.

SNC Response to the Observation: PRA Revision 5 updated the ISLOCA analysis using the guidance in NSAC-154, NUREG/CR-5102, NUREG/CR-5744 and NUREG/CR-5682.

This revised analysis treats each potential ISLOCA pathway as a separate event tree considering the potential for pathway isolation and mitigating system impacts. The ISLOCA initiating event frequencies for the revised model are calculated using a Monte Carlo equation to address uncertainties in each component failure mode making up the initiating event

Enclosure Response to RAI Page 7 of 19 frequency. This also ensures proper correlation of failure rates for identical components.

The revised ISLOCA modeling was independently reviewed by an outside contractor to ensure that the analysis meets current industry standards. Therefore, this issue has been resolved.

Observation IE-3 Issue: The Farley PRA includes initiators PSV1 and PSV2 for one and two stuck open primary safety valves, respectively. The IE frequencies of PSVI and PSV2 are stated as 0.0047/yr and 3.4E 4/yr. The initiating events have Fussel Vessely values of .064 and .0 17.

This means approximately 8% of the CDF is due to stuck open safety valves. This result is unusual for Westinghouse PWRs.

The IE frequencies for these initiators should be reviewed, including examining the data in NUREG/CR-5750. LERs noted in NUREG/CR-5750 indicate that there have been 2 events where a safety valve opened spuriously. Both of those events occurred at a single plant, and were due to the existence of loop seals downstream of the safety valves. The loop seal in the line was lost, effectively lowering the safety valve setpoint, so that the safety valve opened.

The valve reclosed and the SI actuation setpoint was not reached (reactor was manually tripped). These events are not applicable to Farley unless the piping configuration is similar.

Further, the reviewers believe that the only events where two safety valves have been challenged in response to a transient have occurred at plants without pressurized PORVs.

There is no evidence of spurious opening of 2 safety valves in NUREG/CR-5750.

SNC Response to the Observation: Revision 5 of the Farley PRA included a re-analysis of initiating events PSVI and PSV2. It was concluded that these events were included in NUREG/CR-5750 as functional impact rather than initial plant fault events. Since the Farley linked fault tree model explicitly models stuck open safety valves as a consequential LOCA, the inclusion of initiating events PSV1 and PSV2 were considered overly conservative and the events were removed. Therefore, this issue has been resolved.

Observation AS-01 Issue: The SGTR event tree does not question isolation of the ruptured SG if HHSI is available. Sequence 2 even allows a success state without isolation for recirculation after feed and bleed.

The distinguishing factor between the SGTR and SLOCA is the loss of primary inventory from containment for a SGTR. An analysis supporting injection capability for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time with this continued loss of inventory could not be located.

SNC Response to the Observation: The Steam Generator Tube Rupture success criteria have been reviewed and verified to cover the case of successful operation of HHI and AFW

, as a safe, stable end state. Therefore, this issue has been resolved.

Observation AS-11 Issue: ISLOCA initiating event frequency is calculated as a separate calculation and the lE frequency, taken as the sum of frequencies for all scenarios evaluated, is input into the event tree, which models a "limiting case." The dependencies between the events causing ISLOCA

Enclosure Response to RAI Page 8 of 19 (i.e., the individual ISLOCA scenarios) and the systems mitigating ISLOCA are not considered. There are two possible considerations missing from this approach:

1. ISLOCA can occur in the charging pump suction line, the seal water return line, and the excess letdown heat exchanger. The fault tree asks for makeup from HHSI and assumes all 3 HHSI pumps are available, without verifying that the HHSI suction is intact after the ISLOCA initiating event. The ISLOCA or the flooding effect of the ISLOCA could fail one or more of the HHSI pumps and they would not be available for make-up.
2. The RHR discharge and suction lines contribute about 20% to ISLOCA initiating event frequency. These breaks could be 6"-10" breaks. The tree assumes 120 gpm make-up is adequate to mitigate the break. 120 gpm is adequate for decay heat 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> after shutdown. A 10" break would blow down much faster and the assumption of 120 gpm would not be appropriate.

SNC Response to the Observation: See response to observation IE-2.

Observation SY-02 Issue: This element asks if the model matches the as-built, as-operated plant, including information in the AOPs and EOPs. A brief review was performed, focusing on the system models for electric power, CCW, SW and AFW. The model fidelity with plant systems as described in available documentation generally seemed good, but there were a number of apparent differences which should be resolved.

1. Plant procedures address alignment of service water as a long-term source of CST/AFW supply but this does not appear in the model. If CST inventory is guaranteed to be adequate for the PRA mission time, then some discussion of this in the documentation should be provided. If not, the SW supply (or other applicable means of decay heat removal) needs to be modeled. (See F&O SY-04 for Element SY-13 for further elaboration).
2. There is a check valve, NIP16V538, in the turbine building SW return line which the modeling assumptions (p. 211) indicate is not modeled because it is "non-safety grade."

To match the "as-built, as-operated plant," the appropriate failure modes for this check valve should be modeled, irrespective of the safety-grade classification of the valve.

Possibly these modes could include failure to close, failure to open (for scenarios where there is an interruption in SW flow), and transfers closed.

3. The SW pump discharge check valve fails-to-close should be added as a failure mode for the other pump(s) in that train. That is, if a running pump fails to run (or trips and fails to restart, such as during a LOSP event) and its check valve does not seat, a recirculation path back to the SW pond is created and the output of the remaining "good" pump(s) will be diverted. Since the pump will be running, this event may be harder for operators to detect than a simple failure of two pumps to function. The model should be reviewed to see if there are other systems where modeling this failure mode might be appropriate.
4. Strainer faults (main and lube/cooling water), as well as common-cause events involving strainers, should be modeled. Traveling screen failures should also be modeled.

Modeling assumptions indicate that debris blockage is not expected and that the screens

Enclosure Response to RAI Page 9 of 19 are not "water tight," apparently indicating that there is a significant amount of bypass flow. It would be better to put the screens in the model and let the quantification demonstrate their (non)-importance. Note that strainer/screen fouling has occurred at plants due to introduction of man-made material (trash at one plant, Furmanite concrete patch material at another), so this failure mode is possible even if the suction pond is relatively clean. Also, consider that if bypass flow around screens is sufficient to render them unnecessary, then they may not be providing the protection they are designed to provide.

5. CCF of all service water pumps should be added to the model. It was not clear to the reviewers if these pumps are all of identical manufacture, but there are many common elements associated with their installation and use. The model should be reviewed to see if there are other systems where common-cause failures need to be applied to n of n components (such as CCW).
6. There is apparently a SW control air system. The reviewers did not find a modeling assumption justifying why this system does not need to be modeled. If this system does not need to be modeled, such justification should be provided.
7. This comment is applicable to emergency air, and possibly other systems. Spurious opening of safety/relief valves should be added as failure modes to systems where this could impair function (e.g., Emergency air system safety/relief valves on compressor and receiver). See also F&O SY-06 related to CCW relief valves and flow diversions.

SNC Response to the Observation: With regard to item 1, CST inventory has been shown to be adequate for all analyzed scenarios, including the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time following Very Small LOCA or General Transient initiating events. However, to ensure completeness of the model, the Service Water System backup feed for AFW was incorporated in Revision 5.

With regard to item 2, failure of this check valve will only impact the cooling for the Main Feedwater pumps and Condensate pumps. The only events which would interrupt the flow of service water through this valve would be a Loss of Offsite Power. Since the Main Feedwater Pumps and Condensate Pumps are not modeled for mitigation after an LOSP, this valve does not need to be modeled.

With regard to item 3, Revision 5 added failure of the discharge check valve on an idle pump as a potential failure mode to all pumps where appropriate (i.e., where the pumps are physically aligned to the same discharge path).

With regard to item 4, Revision 5 of the PRA model added plugging of the traveling screens, discharge strainers and lube and cooling strainers as potential failure modes for the system.

With regard to item 5, SNC has plans to develop a common methodology for common cause analysis to be used across all SNC PRA models. The application of common cause to groups including both running and standby equipment will be included in this methodology.

With regard to item 6, the SWIS instrument air system is used to control the SW pump miniflow valves (which fail closed) and to provide air to SW pond level instruments. No mitigating functions are impacted by the failure of SWIS instrument air.

Enclosure Response to RAI Page 10 of 19 With regard to item 7, many of the relief valves in Farley fluid systems are thermal relief valves designed to protect equipment from overpressure following its isolation. These valves are not expected to be challenged by normal system pressure transients. However, PRA Model Revision 5 did add potential failure of check valves to the CCW system since a relatively small volume loss in the system will lead to draining of the surge tank on the system. In addition, other systems were reviewed and verified to have relief valve failures included where appropriate.

All issues with the exception of the common cause modeling for the service water pumps have been resolved. Common cause modeling is further discussed in the response to Observation SY-07.

Observation SY-03 Issue: Enhancement of the level of modeling detail for Emergency Diesel Generators (EDGs) and their support systems is suggested. The onsite emergency AC power system modeling was examined and it does not appear to include some detail expected by the reviewers. In particular, the fuel oil supply system to EDGs should be modeled if credit for DG run times greater than allowed by the day tank inventory is needed. A 24-hour DG run time is usually used, consistent with the PRA mission time (e.g., to cover all possibilities of power recovery for LOSP), and it is assumed that the day tank alone could not support a run of this length.

Assumption 11 of the IPE Service Water System Notebook, Revision 0, June 1993 (Westinghouse Reference Numbers: CN-PORI-92-277 / CN-PORI-92-385) discusses the exclusion of Service Water strainers from the model. The component identifiers are not specifically called out. It is assumed that the affected components are F5OIA and F5OIB.

The following statements are from PRA Summary Rev. 4, Service Water section. "Plugging of the SW strainers is not included in the fault tree logic model. Plant experience shows that there has been no strainer plugging" (PRA Summary Rev. 4, Service Water section). Similar statements could have been made for other utilities until a significant event occurred (e.g.,

frazil icing of service water systems at Wolf Creek). Screening of apparent low failure items may mask their true importance to system functional success. It is believed that inclusion of the strainers in the appropriate fault tree would provide a more complete and current state-of-technology model for use in risk-informed applications.

Common-cause issues for DG fuel oil components and strainers should also be evaluated.

SNC Response to the Observation: PRA Model Revision 5 incorporated detailed modeling of the diesel generator fuel oil makeup system including appropriate common cause failures.

Revision 5 also incorporated modeling of all Service Water system strainers and the intake traveling screens as noted above. Therefore, this issue has been resolved.

Observation SY-04 Issue: The AFW fault tree does not model alternate sources of condensate to the AFW pumps other than the CST. The AFW system notebook provides discussion of the SW supply to the AFW pump suction in the event the CST fails, but this capability is not modeled in the fault tree. The plugging of the CST suction valve (XV501) has a Fussel Vessely value of .06.

The failure probability for the valve is calculated from an elementary failure rate of IE-7/hr

Enclosure Response to RAI Page 11 of 19 for 18 months. This valve is virtually tested every time one of the motor driven AFW pumps is run from the CST. The test interval of 18 months seems too long. Realistic calculation of the valve failure rate should be considered.

Also, consider modeling the SW backup as a source of condensate to prevent core damage.

SNC Response to the Observation: As stated in the response to Observation SY-02, Service Water backup to the Auxiliary Feedwater Pump suction has been added in PRA Model Revision 5. In addition, the test interval for CST suction check valve XV501 has been changed to quarterly to better reflect the actual test conditions. This may still be somewhat conservative because of staggering of the motor-driven AFW pump surveillance tests, but because the amount of staggering between tests may vary depending on plant conditions, the quarterly interval is believed to be appropriate. Therefore, this issue has been resolved.

Observation SY-05 Issue: Modeling of support to important plant systems credited during LOSP sequences should be reviewed, particularly for dual-unit LOSPs, to ensure that assumptions are consistent and logical. For example, consider the following sequence: The SBO event tree indicates that given little or no RCP seal leakage and TDAFWP success, 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> are available for recovery of offsite power. It appears that the TDAFWP is modeled to succeed for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, until the emergency air system necessary for pump control and operation of SG PORVs fails. It is apparently assumed that core uncovery will not occur for at least 3 h after that time, and that recovery of offsite power within 5 h will allow restoration of RCS inventory, resumption of core cooling, and avoidance of core damage.

There is an implicit assumption in this sequence that DC power will be available to support necessary instrumentation for at least the period of time that the TDAFWP is relied upon.

For example, steam generator level indication supplied with DC power is necessary so that the TDAFWP can be controlled. Accordingly, availability of DC power for at least two hours is required for sequence success. However, document A-181004, "Electrical Distribution System" indicates that the plant IE 125 v batteries can support necessary loads for 2 hr on one unit and 1 hr on the adjacent unit. This appears to conflict with the model assumption.

SNC Response to the Observation: Documentation provided to the reviewers late in the review process revealed that the Electrical System Functional System Description (A-181004) statement concerning the battery capacity for Unit 2 was not correct. During an Electrical System Function System Inspection (EDFSI) at FNP, it was discovered that the Unit 2 batteries could not be verified to have sufficient capacity to operate all safety related components at the end of two hours with no battery charger support. However, design changes were completed in 1994 to restore the capability to operate all safety related DC loads at two hours. At that time, document A-181004 should have been revised to remove the referenced comment concerning the Unit 2 battery capacity, but was not. Therefore, the PRA modeling assumptions are correct, and appropriate SNC personnel have been informed of the error in document A-181004. Therefore, this issue has been resolved.

Observation SY-07 Issue: It is standard practice in the Farley PRA to not model any common cause between standby and operating components. While this practice may have been acceptable during the

Enclosure Response to RAI Page 12 of 19 IPE time period, the INEEL CCF database provides some evidence of common cause dependencies between standby and operating components. Current practice suggests that you should identify and model common-cause failures which could prevent all similar components in a system from performing their intended function (for example: CCW pumps, SW pumps).

SNC Response to the Observation: SNC has plans to develop a common methodology for common cause analysis to be used across all SNC PRA models. The application of common cause to groups including both running and standby equipment will be included in this methodology. Where there are both normally running and standby pumps in a system at Farley, the operating cycle of the standby pump can be significantly different from those of the primary pump(s). Where there are significant differences in operating cycles, SNC does not feel that common cause failure (to run) due to simultaneous wear of all pumps is a credible failure mode. Where pumps take a suction from a common source, failure of the suction source, including appropriate common cause failures, is modeled under each potentially affected pump. Therefore, SNC feels that the common cause modeling is appropriate as implemented in PRA Model Revision 5, but will update the common-cause modeling to reflect later database sources in future revisions.

Observation SY-09 Issue: Documentation that a global evaluation has been performed to confirm the ability of important plant components to function as modeled in adverse environments was not identified. There is no entry for this item in the "information roadmap" supplied to the reviewers.

SNC Response to the Observation: Equipment referenced for use in the Emergency Response Procedures (ERPs) was verified to be capable of performing the required function in post-accident environments as part of the procedure development process. No equipment is credited in the Farley PRA modeling which is not included in the ERPs. Therefore, SNC considers that adverse environmental conditions have been appropriately considered for all modeled PRA components.

Observation DA-02 Issue: The common cause failure probabilities are referenced to a 1990 data source. Given the extensive research on common cause events sponsored by the NRC since the time of the IPE, a more up-to-date common cause data source should be used.

Some of the common cause failure probabilities used in the PRA are significantly different than those from a recent generic data source, NUREG/CR-5497. It is recognized that the values in that document are unscreened values and are likely to be reduced by NUREG/CR-4780 screening process that the Farley employs.

SNC Response to the Observation: Farley CCF analysis followed procedures suggested in NUREG/CR-4780. NUREG/CR-4780 procedures had been a generally accepted CCF analysis procedures until NUREG/CR-5485, was published in 1998. NUREG/CR-5485 is considered to be an enhanced version of NUREG/CR-4780.

Enclosure Response to RAI Page 13 of 19 According to the NUREG/CR-4780 (also NUREG/CR-5485), historical CCF events are specialized for a plant specific CCF. Farley performed plant specific CCF analysis. In a plant specific analysis, each historic CCF event is reviewed and its applicability to the Farley plant is determined. Different designs, environments, and operation modes are some of the factors affecting the applicability. A CCF event may be screened out, or applied with some probability, or applied with probability of 1 according to the effectiveness of plant specific defenses against the event.

It is a general observation that plant specific CCF analysis may result in lower CCF values than generic values because generic values could include contributions from events that are not applicable to plant specific cases. Sometimes, a generic value could be an order of magnitude higher than plant specific value (reference: Young G Jo. et al, "Effects of Operating Environments on the Common Cause Failures of Essential Service Water Pumps,"

Proceeding of International Topical Meeting on Probabilistic Safety Assessment, PSA02, October 2002, Detroit).

And thus, screening out of non-applicable events for plant specific CCF is a part of CCF procedures.

It is acknowledged that the common cause data needs to be updated to the later database published under the program which developed NUREG/CR-5485 and SNC has efforts underway to perform this update. However, there is no reason to expect that the probability of CCF events will be significantly increased by this update process. Therefore, the current analysis is believed to be sufficient to support the battery AOT analysis.

Observation DA-05 Issue: There are two diesel generator common cause groups. One set includes the IC and 2C diesel generators and the other set includes the 1B, 2B, and the 1/2-A diesel generators.

These two sets are apparently of different design. However, there are other factors that should be considered in establishing common cause groups, including common maintenance crews, common I&C technicians, similar procedures, common fuel oil, etc. It is recognized that, in the past, it was not common practice to consider common cause failures where substantial design differences existed. The basis for such practice lies with the practicality of implementation. In the case of the onsite emergency AC sources, no such implementation barriers exist.

SNC Response to the Observation: With respect to the diesels at FNP, plant operating experience has shown that the differences in design between the two types of diesels used are far more important factors in predicting diesel failure than any common elements between the two designs. Therefore, the current analysis is believed to be sufficient to support risk-informed analysis.

Observation DA-07 Issue: The loss of offsite power non-recovery curves were developed during the IPE based on data from NUREG-1032. The curves have not been updated for the PRA. NUREG/CR-5496, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980 - 1996," is a more up to date data source.

Enclosure Response to RAI Page 14 of 19 SNC Response to the Observation: Although not implemented in PRA Model Revision 5 which was used for the battery AOT extension, SNC has begun its regular data update activities for the Farley model. As part of this data update, a preliminary analysis of updated LOSP experience has been used to update the appropriate offsite power recovery factors. The conclusion from this update is that the recovery factors used in PRA Model Revision 5 will likely be reduced in the data update. Therefore, the values used in the battery AOT analysis are believed to be conservative.

Observation HR-01 Issue: The IPE HRA calculation developed HEPs for specific plant response trees. After the conversion to CAFTA, the linked fault tree allows them to be applied to other events. For example, HEP lDGOPOPERDGICHDE indicates that it was evaluated for use in the SBO event tree. When the event is followed up the single top CDF tree it is also found to be used in other event trees such as ATWS. There is no documentation that the calculation is valid for event trees other than SBO.

SNC Response to the Observation: The application of HEPs to sequences other than those for which they were analyzed in the IPE has always considered similarities in the events with regards to the expected PSFs and event timing. Therefore, the current analysis is believed to be sufficient to support the battery AOT analysis.

Observation HR-02 Issue: The emergency and abnormal operating procedures are the basis for the HRA. The only update to the 1993 IPE HRA is the addition of two new operator actions and the revision of one operator action as documented in calculation PSA-F-00-01. There is no documentation that revisions to procedures have been evaluated for their impact on the HRA although discussions with the Farley staff indicate that at least one review has been done.

SNC Response to the Observation: All procedures used in the development of HEPs for the IPE were reviewed in 1999 to identify changes that could impact the HEP calculations.

The only HEPs identified as potentially impacted by changes in procedures were re-analyzed in 2000. The documentation of this review should have been included in calculation PSA-F-00-001, but was not. SNC will ensure that future calculations for HEP update include a record of the review of all FNP procedures used as the basis of an HEP. Therefore, this issue has been resolved.

Observation HR-03 Issue: Discussion with Farley PRA staff regarding the logic behind gate OA-ARV in the mutually exclusive tree revealed that ARVLOCAL-----H had been omitted from the new emergency air system tree where OAB_A_4--D---H is used rather than OAB_A_4-----H.

The omission of gate ARVLOCAL-----H from the new emergency air system tree prevents the mutually exclusive file from deleting inappropriate cutsets involving this event. The result is that both the independent and dependent operator actions will appear in cutsets that are appropriate only for the dependent operator action.

Enclosure Response to RAI Page 15 of 19 SNC Response to the Observation: Sensitivity analyses completed during the peer review indicate the referenced example had no impact on CDF because the combination of events involved occurs only on non-minimal sequences in the event tree. The noted problem was corrected in PRA Model Revision 5 and a review was done of all mutually exclusive logic to ensure that no further examples of this issue were present.

Observation HR-04 Issue: There was no indication that miscalibration errors or common cause miscalibration errors were included. A reference was found that said miscalibration was ignored, because the high and low miscalibrations would cancel out. This reasoning does not follow.

SNC Response to the Observation: SNC considers equipment failure due to miscalibration in the development of common cause event probabilities for the affected instruments.

Therefore, the current analysis is believed to be sufficient to support the battery AOT analysis.

Observation HR-05 Issue: The HRA uses two different methods for calculating HEPs - the Success Likelihood Index Method (SLIM) and the Technique for Human Error Rate Prediction (THERP). The implementation of these HRA methods is problematic for the following reasons:

I Although several groups of plant Operations/Training personnel were involved in the assignment of SLIM weighting factors for the PSFs, this activity appears to have been dominated by two individuals who alone did the assignments for 1/3 of the HEPs and, in conjunction with a third individual, did the assignments for another 1/3 of the HEPs. The basis of the method assumes that the assignments would be done by a larger panel of experts.

2 The validity of the SLIM anchor points could not be verified during this review because the source is not identified in the HRA notebook and the referenced Westinghouse calc.

note which contains the details regarding the anchor point source is on microfiche and was not readily available for review.

3 The THERP calculations contain 0.1 multipliers for operator training/qualifications in both the diagnosis and execution portions of the calculation. They also contain a 0.1 multiplier for a "slack time recovery". These multipliers are not described in THERP and there is no justification for their use.

SNC Response to the Observation: With regard to item 1, the SLIM evaluation included not only the operating crews referenced in this observation, but also other licensed operators in the FNP Training department and General Office. Therefore, none of the SLI calculations were based on the assessments of only two or three individuals as implied. A review of the SLI calculation details in Appendix E of the Human Reliability Analysis notebook reveals that only two SLIs were based on input from fewer than 5 individuals. These two actions, OSIc and OSId, were not used in the IPE model and are not used in the current model. Of the remaining 34 actions evaluated with SLIM, 15 had the input of 10 licensed individuals, 2 had the input of 9 licensed individuals, 6 had the input of 8 licensed individuals, 5 had the input of 7 licensed individuals, 3 had the input of 6 licensed individuals and 3 had the input of 5

Enclosure Response to RAI Page 16 of 19 licensed individuals. Therefore, the majority of the SLIM evaluations had the input from at least 8 licensed individuals and is considered to have met the intent of the methodology.

With regard to item 2, this was subjected to independent review at the time of the IPE and it was concluded that appropriate anchor points were selected for use. Therefore, the intent of the SLIM methodology has been met. With regard to item 3, the noted weakness of using a 0.1 multiplier applied only to those human error events analyzed using the THERP methodology. In the Farley PRA model, THERP is used for pre-initiating event human errors and for limited recovery events. The major human error events for operator response to initiating events using the Westinghouse Emergency Response Guidelines such as alignment of Emergency Core Cooling System recirculation were evaluated using the SLIM methodology. The human error probabilities for the major operator responses to LOCA events have been compared with those used by other Westinghouse Owners Group plants; the Checklist for Technical Consistency in a PSA Model contained in the EPRI PSA Applications Guide (JR-105396), and has also been reviewed as part of the NRC benchmarking effort for the Significance Determination Process. No significant differences have been identified in these comparisons.

These issues will be resolved in an on-going project to perform a general update of the Farley HRA analysis. However, based on the factors cited above, the resolution of these issues is expected to have little impact on the total core damage frequency and therefore will not affect the conclusions of the battery AOT analysis.

Observation HR-09 Issue: There was little evidence of plant specific analysis to support the timing of the HRA quantification. For each HEP, timing constraints were established but the basis for these constraints was not referenced. It appears that many of the timing constraints are generic estimates or screening values.

SNC Response to the Observation: HEP timing constraints were established based on MAAP or THERP calculations performed as part of the IPE. These timing constraints have been provided to the Farley Training department for reference during operator simulator and job performance evaluations. This issue will be resolved in an on-going project to perform a general update of the Farley HRA analysis. However, the resolution is expected to have little impact on the total core damage frequency and therefore will not affect the conclusions of the battery AOT analysis.

Observation ST-01 Issue: The ISLOCA analysis did not use probabilistic treatment of pipe rupture on overpressure, as indicated in NUREG/CR-5124, NUREG/CR-5744, or similar studies.

ISLOCA pathways were identified and the frequency of ISLOCA was calculated directly by examining potential valve failure modes in the ISLOCA pathways. This is actually the probability of pipe overpressure, but was used as the ISLOCA initiating event frequency.

In one case, (RHR suction) a hoop stress calculation was performed to show that the over pressure was within the ultimate strength of the pipe. This was used to justify that the suction pipes would not rupture. However, the ISLOCA was still assumed to be a medium size LOCA, and plant response was modeled on this basis.

Enclosure Response to RAI Page 17 of 19 SNC Response to the Observation: See response to observation IE-2.

Observation ST-2 Issue: The review of the flooding analysis provided no indication that probabilistic failure of the barriers to propagation of flood waters (doors, drains) was considered. Failure of doors includes structural failure as well as the probability the door is left open prior to the flood.

Plugging of floor drains was not considered.

SNC Response to the Observation: The flooding analysis conducted during the Farley Individual Plant Examination (IPE) used a screening approach to identify areas with significant flooding potential. In this screening approach, the determination that adequate drainage existed to prevent flood accumulation relied more on the existence of floor penetrations than the existence of floor drain piping. The only doors which were credited as barriers to flood propagation were submarine-style doors designed for that function. The probability of structural failure for these doors should be small relative to other failures modeled. As for the probability that doors credited as flooding barriers may be open prior to the event, SNC feels that plant administrative controls of doors used for flood area separation are sufficient to minimize the impact of this observation. Where flood barrier doors are left open for significant periods of time, this is evaluated by the maintenance rule program to ensure to risk exposure is small. Since the screening employed in the IPE was sufficient to identify any flooding vulnerabilities and reliance on floor drains and doors to mitigate flood and spray impacts was minimal, the current analysis is sufficient to support the battery AOT analysis.

Observation QU-03 Issue: Although three sensitivity analyses are documented in section 3.4.4 of the Rev 4a summary report, no discussion of a systematic search for unique or unusual sources of uncertainty is provided or performed (qualitatively or quantitatively).

SNC Response to the Observation: SNC is following industry initiatives to develop an adequate methodology to perform uncertainty analysis to meet the intent of the ASME PRA Standard and the peer review process.

Observation QU-06 Issue: There is no documented evidence that results (e.g., cutsets or sequences) from similar plants are reviewed to ensure that potentially important cutsets are not missing from the PRA model.

SNC Response to the Observation: SNC feels that the grading of this element is inappropriate since no practical means of implementing the recommendation of this observation currently exists. Therefore, this is seen as a generic industry issue rather than a specific item to be addressed in the SNC PRA program. SNC has and will continue to use information in the WOG PRA Comparison Database to compare our distribution of core damage by initiating event with the results reported by sister plants to ensure that our PRA results are generally consistent with plants of similar design.

Enclosure Response to RAI Page 18 of 19 Observation QU-07 Issue: A sampling of non-dominant sequences (cutsets) were reviewed by the peer review team. The cutsets were true to the success criteria and the fault logic. The cutsets were not illogical.

Although discussions with the Farley PRA staff indicates that they carefully checked the converted IPE cutsets against the IPE results, there is no documented systematic search mentioned for validation of non-dominant cutsets. To meet a grade 3 for non-dominant cutsets, documentation should be provided for a systematic review of non-dominant cutsets to establish they are reasonable, not deleted inappropriately, and are not overly conservative.

The sub-tier criteria for QU-15 state that "in evolving the PRA to be used for risk based applications, overly-conservative assumptions should be eliminated to avoid biasing the results." The review of the non-dominant sequences observed the instances of potentially "overly conservative criteria" given in attachment A to this F&O. Those are just a sampling of apparent conservatisms found in the IE-1 I cutset range. The overall effect of these is not known.

SNC Response to the Observation: The specific examples provided by the review team were evaluated during preparation of PRA Model Revision 5. Most of the issues raised were items included in the model at the recommendation of the independent review panel during the IPE.

The remaining item was a misunderstanding on the part of the reviewer. Therefore, no changes were made as a result of this observation and this issue has been resolved.

Observation L2-1 Issue: The LERF analysis uses the 1998 WOG definition from ESBUIWOG-98-053. Farley does not include Emergency Action Levels (EAL) in the LERF definition. The WOG definition dismisses the need to use EALs on the assumption that the operators would be sensitive to protection of the public. In accordance with the WOG definition, the "early" in LERF is defined as "within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of the initiating event." A more common definition of "early" is "release within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of evacuation." The SGTR accident sequences must be evaluated with respect to EALs to decide if they are LERF or Non-LERF. Sequences 4 and 5 are included as LERF, but Sequences 1,2, 3 are currently non-LERF.

SNC Response to the Observation: SNC is continuing to follow WOG efforts to clarify the definition of LERF adopted by the Risk Based Technology Working Group. In the interim, SNC revised the LERF modeling in PRA Revision 5 to include all SGTR sequences as direct containment bypasses. In addition, all Steam Generators have been recently replaced at Farley Nuclear Plant which results in minimal exposure to induced tube ruptures at this point in plant history. Therefore, this issue has been resolved.

Observation MU-02 Issue: This element asks if the update steps are traceable using the available documentation.

Using the documentation available, it did not seem that it would always be possible to determine how the inputs to the model update (operating experience, plant procedure

Enclosure Response to RAI Page 19 of 19 changes, plant modificationss, etc.) were evaluated to arrive at the list of model changes needed.

SNC Response to the Observation: The calculation documenting PRA Model Revision 5 includes a discussion of each plant design change completed since the previous model update and documents the determination of potential impacts on the PRA model. Those items selected for incorporation are further documented as to how the model was changed to address them. Therefore, this issue has been resolved.

Retrieved from "https://kanterella.com/w/index.php?title=NL-04-0469,_Response_to_RAI_Related_to_DC_Sources_-_Operating&oldid=2624087"