Text

License Amendment Request to Revise the Required Actions of Technical Specifications 3.8.1, AC Sources - Operating, for One-Time Extension of Completion Time for Unit 1 and Swing Emergency Diesel Generators
	ML20213C715
Person / Time
Site:	Hatch
Issue date:	07/31/2020
From:	Gayheart C; Southern Nuclear Operating Co
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	NL-20-0843
	Download: ML20213C715 (118)
	v • d • e

Cheryl A. Gayheart 3535 Colonnade Parkway Regulatory Affairs Director Birmingham, AL 35243 205 992 5316 cagayhea@southernco.com July 31, 2020 Docket Nos.: 50-321 NL-20-0843 50-366 10 CFR 50.90 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D. C. 20555-0001 Edwin I. Hatch Nuclear Plant - Units 1 and 2 License Amendment Request to Revise the Required Actions of Technical Specifications 3.8.1, AC Sources - Operating, for One-Time Extension of Completion Time for Unit 1 and Swing Emergency Diesel Generators Ladies and Gentlemen:

Pursuant to 10 CFR 50.90, Southern Nuclear Operating Company (SNC) hereby requests a license amendment to Edwin I. Hatch Nuclear Plant (HNP) Units 1 and 2 renewed facility operating licenses DPR-57 and NPF-5, respectively.

The proposed change would revise technical specifications (TS) 3.8.1, AC Sources -

Operating, to provide a one-time extension of the completion time of Required Action B.4 (Unit 1 TS) and Required Actions B.4 and C.4 (Unit 2 TS) of TS 3.8.1 for each Unit 1 diesel generator (DG) and the swing DG from 14 days to 19 days. This one-time TS change for these standby emergency DGs is a necessary contingency to support preventative maintenance activities, including replacement of the diesel engine cylinder liners. The scheduled time to perform this overhaul maintenance for each DG is greater than 75% of the current TS allowable out-of-service time, which may be exceeded due to unforeseen DG component degradations.

In addition, the possibility exists for unexpected delays due to impacts related to coronavirus disease 2019 (COVID-19) controls, such as the U.S Centers for Disease Control and Prevention guideline for employers to isolate potentially infectious individuals based on COVID-19 signs and symptoms.

Performance of maintenance on the swing DG will impact the onsite AC sources of both HNP units, and failure to restore the swing DG to operable status within the TS required completion time would require a dual unit shutdown. A maintenance outage that exceeds 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months on a Unit 1 DG could result in a dual unit TS required shutdown if the swing DG remains inhibited from automatically aligning to Unit 2 coincident with exceeding the TS completion time to restore the DG to operable status. Extending the completion time on a temporary one-time basis as requested will mitigate the risk of an unnecessary shutdown of one or both HNP units. This amendment is being requested preemptively to avoid the possible need for an emergent or emergency TS change.

U. S. Nuclear Regulatory Commission NL-20-0843 Page 2 The enclosure provides a description and assessment of the proposed changes. Attachment 1 to the enclosure shows the existing TS pages marked to show the proposed changes. provides revised (clean) TS pages. Attachment 3 provides TS Bases pages marked to show the proposed changes for information only.

The proposed amendment is risk-informed and follows the guidance in NRC Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3, and NRC RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1. A summary of the risk evaluation is provided in Attachment 4 to the enclosure.

SNC has concluded that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92, Issuance of amendment.

This amendment request contains regulatory commitments in support of implementing the compensatory defense-in-depth and risk management controls discussed in the enclosure.

These regulatory commitments describe the compensatory and risk management actions that HNP will be required to establish and maintain during the extended TS completion time. The list of commitments is provided in Attachment 5 to the enclosure.

Approval of the proposed amendment is requested by September 20, 2020. Once approved, the amendments will be implemented upon issuance.

In accordance with 10 CFR 50.91, SNC is notifying the State of Georgia of this license amendment request by transmitting a copy of this letter and enclosure to the designated State Official.

If you have any questions, please contact Jamie Coleman at 205.992.6611.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 31st day of July 2020.

Respectfully submitted, C. A. Gayheart Director, Regulatory Affairs Southern Nuclear Operating Company CAG/tle/scm

Enclosure:

Evaluation of Proposed Change

U. S. Nuclear Regulatory Commission NL-20-0843 Page 3 cc: Regional Administrator, Region ll NRR Project Manager - Hatch Senior Resident Inspector - Hatch Director, Environmental Protection Division - State of Georgia RType: CHA02.004

ENCLOSURE Evaluation of Proposed Change

Subject:

License Amendment Request to Revise the Required Actions of Technical Specifications 3.8.1, AC Sources - Operating, for One-Time Extension of Completion Time for Unit 1 and Swing Emergency Diesel Generators

1.

SUMMARY

DESCRIPTION

2. DETAILED DESCRIPTION 2.1 System Design and Operation 2.2 Current Technical Specification Requirements 2.3 Reason for Proposed Change 2.4 Description of Proposed Change

3. TECHNICAL EVALUATION

3.1 Background

3.2 Basis of Proposed Actions 3.3 Deterministic Evaluation 3.4 Risk Evaluation Approach 3.5 Risk Assessment Results

4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements/Criteria 4.2 Precedent 4.3 No Significant Hazards Consideration Determination Analysis 4.4 Conclusions

5. ENVIRONMENTAL CONSIDERATION

6. REFERENCES ATTACHMENTS:

1. HNP Unit 1 and Unit 2 Technical Specifications Marked-up Pages

2. HNP Unit 1 and Unit 2 Technical Specifications Revised TS Pages

3. HNP Unit 1 and Unit 2 Technical Specifications Bases Marked-up Pages (Information Only)

4. HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG

5. List of Regulatory Commitments

Enclosure to NL-20-0843 Evaluation of Proposed Change

1.

SUMMARY

DESCRIPTION The proposed change would revise technical specifications (TS) 3.8.1, AC Sources -

Operating, to provide a one-time extension of the completion time of Required Action B.4 (Unit 1 TS) and Required Actions B.4 and C.4 (Unit 2 TS) of TS 3.8.1 for each Unit 1 diesel generator (DG) and the swing DG from 14 days to 19 days. This one-time TS change for these standby emergency DGs is a necessary contingency to support preventative maintenance activities, including replacement of the diesel engine cylinder liners. The scheduled time to perform this overhaul maintenance for each DG is greater than 75% of the current TS allowable out-of-service time (AOT),

which may be exceeded due to unforeseen DG degradations. In addition, the possibility exists for unexpected delays due to impacts related to coronavirus disease 2019 (COVID-19) controls, such as the U.S Centers for Disease Control and Prevention guideline for employers to isolate potentially infectious individuals based on COVID-19 signs and symptoms.

2. DETAILED DESCRIPTION 2.1 System Design and Operation The HNP offsite circuit design is robust and highly reliable. Offsite power is supplied to the station from the 230kV ring bus by five electrically and physically separate feeds through startup auxiliary transformers (SATs) 1C and 2C (via a common switchyard feed), 1D, 1E, 2D, and 2E, to the respective unit 4.16 kV engineered safety feature (ESF) buses E, F, and G. Each SAT provides the normal source of power to its respective ESF bus. If any 4.16 kV ESF bus loses power, an automatic transfer occurs from the normal offsite power source to its alternate offsite power source. By design, no single SAT can supply more than two 4.16 kV ESF buses simultaneously.

The SATs are sized to accommodate the simultaneous starting of all required ESF loads on receipt of an accident signal without the need for load sequencing. Only one SAT per unit is required to supply two 4.16 kV ESF buses, which are sufficient to provide the required safety functions and support unit shutdown and cooldown to cold conditions. As a result, only two SATs per unit are required to meet limiting condition for operation (LCO) 3.8.1 to support a single failure in the event of a loss of all onsite AC power sources (i.e., loss of all DGs).

Onsite standby emergency power is supplied by independent DGs, with 4.16 kV ESF Buses E and G each supplied by a dedicated unit DG and the 4.16 kV ESF Bus F on both units supplied by the swing DG (i.e., DG 1B). The swing DG cannot supply both F buses simultaneously. A simplified diagram of the HNP Class 1E electrical system is shown in Figure 2.1-1.

E-1

Enclosure to NL-20-0843 Evaluation of Proposed Change Figure 2.1-1, Simplified HNP Class 1E Electrical System The DGs start automatically on a loss of coolant accident (LOCA) signal or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal.

Each HNP unit is designed with three emergency 4.16 kV ESF buses (E, F, and G). The emergency portion of the 4.16 kV system is arranged into redundant electrical divisions. Each electrical division consists of the complement of safety-related equipment needed to achieve safe plant shutdown and to mitigate the consequences of a design basis accident (DBA). 4.16 kV ESF Buses E and G contain most of the redundant divisional equipment and 4.16 kV ESF Bus F bus contains some equipment from both electrical divisions (e.g., a residual heat removal (RHR) pump from each RHR loop). Two DGs per unit can fully provide the required safety functions to support a DBA and support unit shutdown and cooldown to cold conditions and remain in cold shutdown conditions for 30 days.

2.2 Current Technical Specification Requirements LCO 3.8.1 requires, in part, two unit DGs and the swing DG. Additionally, depending on the plant lineup, an additional opposite unit DG is required to meet LCO 3.8.1 to support at least one low pressure coolant injection (LPCI) valve load center, one required opposite standby gas treatment subsystem, and for Unit 2, one subsystem of main control room environmental control and air conditioning systems. These minimum requirements ensure that, in the event of a full loss of E-2

Enclosure to NL-20-0843 Evaluation of Proposed Change offsite power (LOOP) and the failure of a single DG, the required 4.16 kV ESF buses are available to support a DBA.

When a Unit 1 DG is inoperable, Unit 1 TS 3.8.1, Required Action B.4 and Unit 2 TS 3.8.1, Required Action C.4 require, in part, restoration of the DG to operable status within 14 days provided the maintenance restrictions are met and the swing DG is inhibited from automatically aligning to Unit 2.

When the swing DG is inoperable, Unit 1 and Unit 2 TS 3.8.1 Required Action B.4 requires, in part, restoration of the DG to operable status within 14 days provided the maintenance restrictions are met.

If the DG is not restored to operable status within the required completion time, Unit 1 and Unit 2 TS 3.8.1, Required Action H.1 requires the unit to be placed in Mode 3 (i.e., hot shutdown) within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

2.3 Reason for Proposed Change Major maintenance, including diesel engine cylinder liner replacement, is scheduled on the swing DG and the Unit 1 DGs to ensure the preventative maintenance is completed before their required frequency periods expire.

In January 2020, the U.S. Department of Health and Human Services declared a national public health emergency and in March 2020, a national emergency was declared by the President of the United States in response to the COVID-19 pandemic. As a result, careful planning and contingencies are required to ensure necessary preventative maintenance can be performed on the HNP Unit 1 DGs and the swing DG, and a safe and healthy working environment can be established during the ongoing COVID-19 pandemic.

To facilitate performance of other major preventative maintenance while the diesel engine is disassembled for the cylinder liner replacement, the schedule indicates a period of greater than 75% of the TS required completion time of 14 days.

Table 2.3-1 provided herein summarizes the maintenance tasks to be performed for the swing DG and the expected duration for each task. The table includes contingent tasks with estimated duration to complete these tasks, if they are required. These tasks and durations are comparable to those expected for the maintenance outages of the Unit 1 DGs.

Table 2.3-1: HNP Swing DG Projected Maintenance Schedule Task Duration Project Task No. (Hours) 1 Hang Tagouts 9 2 Replace Lube Oil Pressure Sensor and Expansion Joint 12 3 Replace Bypass Fitting Gaskets 56 4 Replace O-Rings 60 E-3

Enclosure to NL-20-0843 Evaluation of Proposed Change Task Duration Project Task No. (Hours) 5 Heat and Remove Pinion Gears 7 6 Cleaning and Inspection 18 7 Contingent: Replace or repair component(s) in response to failed 108 inspection (e.g., Crank Shaft or Generator Stator Windings) 8 Contingent: Technician impact due to COVID-19 pandemic (e.g., 48 technician inadvertent exposure to COVID-19 virus) 9 Install New Exhaust Belts and Bypass Fittings 12 10 Install Engine Block Liners 12 11 Install Water Jumpers and Cool Decking 12 12 Add Engine Coolant to Engine and Vent and Perform Line O-Ring 11 Hydro Testing and Install Ring Compressor 13 Install Pistons 8 14 Install Upper Piston Temporary Support, Lower Vertical Drive, 28 Upper Vertical Drive, Vertical Drive Spring Back, Lower Half of Main Bearing, Upper Crank Shaft 15 Install Front Cover, Tach Driver, Upper Main Bearings, Micro 22 Switch, Cover Pins, Upper Crank Case Cover, Connecting Rod Cap, and Bolting 16 Reconnect Fuel Jumper Tubing, Install Air Start Check Valves, Ball 11 Check Valves, Fuel Drain Headers 17 Restore Tagouts, Prepare for and Perform Post-Maintenance Run 14 TOTAL: Without Contingencies 292 hours0.00338 days 0.0811 hours 4.828042e-4 weeks 1.11106e-4 months (12 days, 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months )

TOTAL: With Contingencies 448 hours0.00519 days 0.124 hours 7.407407e-4 weeks 1.70464e-4 months (18 days, 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months )

Rounded to 19 days Because the standby emergency DGs are greater than 40 years old, it is possible that unforeseen engine or generator degradation will be discovered during the disassembly which could require more time to repair and restore the DG. The current schedule does not provide sufficient margin to support discovery, repair, and restoration of unforeseen DG component degradations, such as a cracked crank or cam shaft, cracked piston rod, or degraded stator winding. In addition, the possibility exists for other unforeseen complications as a result of the ongoing COVID-19 pandemic; for example, discovery of an essential DG worker in close contact with a family member or other non-essential person infected by the COVID-19 virus, which could place multiple essential DG workers in quarantine.

This amendment is needed as a contingency to support discovery, repair, and restoration of unforeseen DG component degradation; and to support unforeseen complications as a result of additional controls to minimize exposure of essential personnel to the COVID-19 virus and the potential spread of the COVID virus.

E-4

Enclosure to NL-20-0843 Evaluation of Proposed Change In addition, performance of maintenance on the swing DG will impact the onsite AC sources of both HNP units. The failure to restore the DG to operable status within the TS required completion time would require a dual unit shutdown. A maintenance outage that exceeds 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months on a Unit 1 DG also impacts the required onsite AC sources of Unit 2 because there is no onsite standby emergency source available to one Unit 2 LPCI valve load center (i.e., LCO 3.8.1.f is not met). This condition could result in a dual unit TS required shutdown if the swing DG remains inhibited from automatic aligning to Unit 2 coincident with exceeding the TS completion time to restore the DG to operable status. Extending the completion time as requested on a one-time basis for each DG will help to mitigate the risk of an unnecessary shutdown of one or both HNP units.

Recently, similar amendments have been issued to several units as a result of unforeseen exigent or emergency circumstances (e.g., Columbia Generating Station in May 2020, St. Lucie Plant, Unit 1 in July 2019, and Palo Verde Nuclear Generating Station, Unit 3 in January 2017). Therefore, this amendment is being requested preemptively to minimize the possible need for an exigent or emergency TS change.

2.4 Description of Proposed Change The change would add optional proposed requirements to Unit 1 TS 3.8.1 Condition B and Unit 2 TS 3.8.1 Conditions B and C. Current Required Actions B.4 and C.4 are renumbered to B.4.1 (C.4.1), and an OR is added to support the contingent required actions.

Unit 1 Additional Required Actions

Two notes are provided that will apply to the proposed actions of Condition B.

Note 1 states, Only applicable during diesel engine cylinder liner replacement outage. Note 2 states, Only applicable once per DG.

Required Action B.4.2.1 - Establish defense-in-depth and risk management controls for extended DG outage with completion times of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met.

AND

Required Action B.4.2.2 - Inhibit swing DG from automatically aligning to Unit 2 with a completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . A note is added that states, Only applicable to Unit 1 DGs.

AND

Required Action B.4.2.3 - Restore DG to operable status with a completion time of 19 days.

E-5

Enclosure to NL-20-0843 Evaluation of Proposed Change Unit 2 Additional Required Actions

Two notes are provided that will apply to the proposed actions in Condition B.

Note 1 states, Only applicable during diesel engine cylinder liner replacement outage of Unit 1 or swing DG. Note 2 states, Only applicable to swing DG.

Required Action B.4.2.1 - Establish defense-in-depth and risk management controls for extended DG outage with completion times of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met.

AND

Required Action B.4.2.2 - Restore DG to operable status with a completion time of 19 days.

A note is provided that will apply to the proposed actions in Condition C. The note states, Only applicable during diesel engine cylinder liner replacement outage.

Required Action C.4.2.1 - Establish defense-in-depth and risk management controls for extended DG outage with completion times of 7 days and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met.

AND

Required Action C.4.2.2 - Inhibit swing DG from automatically aligning to Unit 2 with a completion time of 7 days.

AND

Required Action C.4.2.3 - Restore DG to operable status with a completion time of 19 days.

3. TECHNICAL EVALUATION

3.1 Background

A typical standard plant electrical system design arrangement consists of two 4.16 kV ESF buses with one DG supplying each bus. With one DG in an extended outage, an additional DG failure would result in a loss of both AC electrical power divisions in the event of a LOOP. The onsite emergency AC source design at Vogtle Units 1 and 2 is an example of this design.

The HNP electrical power system design diversifies electrical loads between three 4.16 kV ESF buses per unit. As such, the loss of a single 4.16 kV ESF bus will not result in a complete loss of the electrical division and the remaining 4.16 kV ESF buses are adequate to provide the plant safety functions. Due to several shared E-6

Enclosure to NL-20-0843 Evaluation of Proposed Change systems, the opposite unit supplies power to some shared systems, which further electrically diversifies loads necessary for safe plant shutdown. An example of this is the LPCI valve load centers. The load centers are normally powered from the opposite units 4.16 kV ESF buses and alternate power is provided by the swing DG via the subject units 4.16 kV ESF F bus. Therefore, following a LOOP, a failure of the swing DG concurrent with a failure of an opposite unit DG would be required to lose power to a LPCI valve load center.

In the event of a non-DBA LOOP, the opposite unit DGs are not required for the purposes of safe shutdown of the subject unit because the shared systems are not required for coping with this event. Analyses indicate that one unit 4.16 kV ESF bus and one DG per unit are sufficient to cope with a loss of the offsite electrical power system network.

SNC evaluated the proposed change using the key principles provided in Section 2 of NRC Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis (Reference 1) and Section B of NRC RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications (Reference 2).

3.2 Basis of Proposed Actions A proposed note is added to the actions limiting the extended completion time to restore a DG to operable status to only during the Unit 1 DG or swing DG outage periods involving the replacement of the engine cylinder liners. In addition, a note is proposed to limit the extended completion time to restore a DG to operable status to one-time use for each DG (i.e., each Unit 1 DG and the swing DG). The positioning and wording of the proposed actions and notes prevent the use of the proposed actions for the Unit 2 DGs.

The proposed time periods to establish defense-in-depth and risk management controls for the extended DG outage corresponds to the current time periods required to restore a unit DG or the swing DG to operable status with no additional restrictions or controls. If after the initial time period the defense-in-depth and risk management controls are established it is discovered that these controls are not met, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of the required controls not met is proposed to reestablish the defense-in-depth and risk management controls. This time period is intended to allow the operator time to evaluate and re-establish any discovered control not met. The 24-hour time period from the discovery of the required control(s) not met is acceptable because it minimizes risk while allowing time for re-establishing the control(s) before subjecting the unit to transients associated with a unit shutdown while a DG is inoperable.

The proposed required action to inhibit the swing DG from automatically aligning (on a LOCA or LOOP signal) to the other unit is consistent with the current requirement to inhibit the swing DG from aligning to the other unit when utilizing the current 14-day AOT. This action ensures two operable DGs are dedicated to each unit during a LOCA or LOOP event when a unit DG is inoperable. A note is proposed to clarify that this action is only applicable when the TS condition is E-7

Enclosure to NL-20-0843 Evaluation of Proposed Change entered due to an inoperable DG other than the swing DG. When the TS condition is entered due to the swing DG inoperable, this action is not applicable and is not needed since each unit has two dedicated operable DGs available in the event of a LOCA or LOOP event. The proposed time period to inhibit the swing DG corresponds to the current time required to restore a unit DG to operable status with no additional restrictions or controls.

The specified completion time to restore the DG to operable status represents a balance between the risk associated with continued plant operation with less than the required system or component redundancy and the risk associated with initiating a plant transient while transitioning the unit based on the loss of redundancy. The extended TS completion time to restore the required DG to operable status takes into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA or a LOOP occurring during this period. Thus, the acceptability of the maximum length of the extended AOT interval relative to the potential occurrences of design basis events is considered.

Since extending the AOT for a single inoperable DG does not change the design basis for the standby emergency power system (i.e., DGs), the one-time extension of the completion time to restore each Unit 1 DG and the swing DG is acceptable.

3.3 Deterministic Evaluation During the proposed extended DG AOT, Units 1 and 2 are expected to be in operational mode 1. None of the offsite power sources are affected by the planned DG maintenance and will remain operable. Additionally, only one DG will be removed from service at a time.

As shown herein, two DGs per unit can fully provide the required safety functions to support a DBA and a unit shutdown and cooldown to cold conditions and remain in cold shutdown conditions. In addition, analyses indicate DG capacity is sufficient for one DG per unit to supply required loads to support the safe shutdown and cooldown of both units without offsite power.

In the highly unlikely event of a loss of the offsite electrical power system network during an extended DG outage, two DGs and associated ESF buses per unit will continue to be available to support shutdown and cooldown of each unit. Based on the discussion provided herein, HNP has sufficient onsite emergency AC sources during an extended DG outage to ensure at least one DG and associated 4.16 kV ESF bus per unit are available and the power source has enough capacity to carry LOOP loads to transition the units to cold shutdown conditions without any load shedding. Since two DGs remain operable during the extended DG outage, another DG per unit is available as an additional alternate AC (AAC) power source to support the transition to cold shutdown conditions.

A deterministic evaluation was performed considering the impact on the plant design basis and safety analysis, station blackout (SBO) coping, and fire safe shutdown capability, and addressed Key Principles 1, 2, and 3 of RG 1.174 (Reference 1) and NRC RG 1.177 (Reference 2).

E-8

Enclosure to NL-20-0843 Evaluation of Proposed Change Design Basis and Safety Analysis The design basis of the onsite standby emergency AC electrical power system is to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, reactor coolant system (RCS), and containment design limits are not exceeded.

Maintaining the onsite standby emergency AC electrical power sources operable during accident conditions is an initial assumption in the safety analyses in the event of an assumed loss of offsite power sources and a postulated worst case single failure. As indicated in Table 15C-10, NSOA [nuclear safety operational analysis] Auxiliary System/Event Matrix, of the final safety analysis report (FSAR),

the following events assume the standby emergency DGs are operable for event mitigation:

Accidents - LOCA, main steam line break accident, and feedwater line break accident,

Special Events - Anticipated transient without a scram and fire events, and

Anticipated operational occurrences (AOOs) - Loss of RHR shutdown cooling and loss of auxiliary power.

Additionally, the SBO event considers standby emergency DGs as AAC sources for coping and terminating the SBO event.

Since the safety analysis assumes a single failure (e.g., failure of a DG to start or the loss of a single 4.16 kV ESF bus), the one-time extension of the AOT for an inoperable DG has no impact on the system design basis. The proposed change does not alter the design, operation, or testing acceptance criteria of the DGs.

Minimum AC power sources credited in the accident analyses are not altered by the proposed change. Therefore, the safety analyses acceptance criteria as provided in the FSAR are not impacted by this change.

SBO Coping HNP coping time during an SBO is not affected by the proposed change because no more than two DGs per unit (i.e., four of five standby emergency DGs) are assumed to be restored for SBO coping. The coping time is calculated based on guidance provided in Nuclear Management and Resource Council (NUMARC) 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors (Reference 3).

SBO flow charts and associated procedures provide instructions for coping with an SBO or an extended loss of all AC power. These coping methodologies are not changed by the proposed one-time extension of the completion time to restore a Unit 1 DG or swing DG.

NRC RG 1.155, Station Blackout, (Reference 4) provides a method for demonstrating conformance to the SBO rule promulgated in 10 CFR 50.63.

NRC RG 1.155 also endorses NUMARC 87-00 guidelines as an acceptable method for conforming to the SBO regulation.

E-9

Enclosure to NL-20-0843 Evaluation of Proposed Change The SBO analysis shows that the plant can successfully cope with an SBO event for the required 4-hour duration with no impact on the availability of the required safety-related equipment. As stated in Unit 2 FSAR Subsection 8.4.2.2, which describes the SBO coping analysis for both Units 1 and 2, the analysis evaluates a LOOP to both units. However, an SBO is assumed for only one unit due to the independence of onsite emergency AC sources. No DBAs, other events, or additional single failures other than the loss of one DG on the non-blackout unit are assumed to occur prior to or during the SBO event.

For the blackout unit with a DG in an extended outage period, either of the two remaining DGs may be credited as an AAC source for SBO coping. To represent the most limiting condition, the swing DG is typically designated as the AAC power source for either unit and can be aligned to Division 1 load centers and initiated within one hour to the blackout unit when the diesel loading margins are met.

When the swing DG is not available, either of the two unit DGs may be used as the AAC. Plant coping is controlled predominately by Class 1E DC power and steam driven sources until the AAC power is available for loading. A combination of battery power and emergency AC power from the AAC source (one DG per unit) is used to bring the blackout unit to and maintain hot shutdown conditions from full power conditions. After the 4-hour coping period, the station operators either restore offsite power or start an additional DG to bring the plant to a cold shutdown condition terminating the SBO event. Adequate cooling and equipment necessary to cope with an SBO will be available without interruption to both the blackout unit and the non-blackout unit.

Key Principle 1: The Proposed Change Meets Current Regulations The proposed change does not alter the design or operational requirements associated with the DGs and structures, systems, and components (SSCs) that are part of the primary success path and actuate to mitigate the related DBAs and transients. The proposed change extends the time to restore an inoperable DG to operable status. HNP Units 1 and 2 continue to comply with regulations as previously licensed and approved by the NRC, including the applicable requirements of 10 CFR §50.34, §50.36, §50.63, §50.65, applicable preliminary general design criteria (GDC) identified in Federal Register 32 FR 10213, published July 11, 1967, and applicable GDC specified in Appendix A of 10 CFR 50. Section 4.1 of this enclosure provides discussion of the applicable regulations and requirements. SNC therefore concludes that HNP Units 1 and 2 continue to comply with existing regulations with the proposed TS change.

Key Principle 2: The Proposed Change is Consistent with Defense-in-Depth Philosophy NRC RG 1.93, "Availability of Electric Power Sources" (Reference 5), provides guidance with respect to operating restrictions and completion time to restore onsite and offsite AC electrical power sources if the number of available AC sources is less than that required by the TS LCO. This guide recommends a maximum time to restore an inoperable DG to operable status of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In the current TS, the maximum time to restore an inoperable DG to operable status is 14 days, which is beyond the guidance provided in NRC RG 1.93. Extending E-10

Enclosure to NL-20-0843 Evaluation of Proposed Change 14 days to 19 days to restore an inoperable DG to operable status represents a potential reduction in the defense-in-depth incorporated in the plant design.

However, any potential reduction in defense-in-depth is offset by the proposed controls listed in the regulatory commitments provided in Attachment 5 to this enclosure.

In the event of a LOOP coincident with a DBA with a Unit 1 DG or the swing DG in an extended maintenance outage, two 4.16 kV ESF buses would continue to be available to each unit for support of an accident on one unit and a shutdown and cooldown of the other unit. Likewise, in the event of a non-DBA LOOP with a Unit 1 DG or the swing DG in an extended maintenance outage, two 4.16 kV ESF buses would continue to be available to each unit for support of a shutdown and cooldown of the both units from 100% and maintain cold shutdown for 30 days.

A technical analysis supporting this proposed change has demonstrated that one DG per unit can supply required loads for the safe shutdown from 100% power to cold shutdown conditions within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months without offsite power. Since two DGs remain operable for each unit during the extended DG outage, at least one DG per unit would be available to support this transition to cold shutdown in the highly unlikely event of a loss of the offsite electrical power system network concurrent with an additional failure of a DG.

If an extended DG outage is determined necessary, the proposed TS actions require the establishment of defense-in-depth controls for various plant maintenance configurations to maintain and manage acceptable risk levels ensuring adequate electrical power sources and safety-related equipment are available in the event of a loss of the offsite electrical power system network during the extended DG outage period. The intent of these compensatory measures is to reduce the duration of risk-sensitive activities and avoid high-risk sensitive equipment outages or maintenance states that result in high-risk plant configurations. The proposed defense-in-depth controls are listed in the regulatory commitments provided in Attachment 5 to this enclosure and provided in the proposed TS bases provided in Attachment 3 to this enclosure. The bases for these controls are further described herein.

Currently, to utilize the 14-day AOT for an inoperable DG, TS actions require maintenance restrictions. These maintenance restrictions are specified in the plant online configuration risk management program and include protecting equipment needed to support shutdown and cooldown of both units in the event of a full loss of offsite power. This requirement is also proposed as a defense-in-depth control to utilize the extended DG AOT.

To meet LCO 3.8.1, only two qualified circuits between the offsite transmission network and the onsite Class 1E electrical distribution system (i.e., SATs and associated circuit paths to the ESF buses) are required to be operable and ESF bus automatic transfer capability is only required to one of two 4.16 kV ESF buses per SAT. To improve the defense-in-depth and minimize risk of a loss of all offsite power during the extended DG AOT, offsite electrical power system diversity is maximized by requiring all three circuits (i.e., SATs and associated circuit paths to the 4.16 kV ESF buses) per unit to be maintained operable and automatic transfer E-11

Enclosure to NL-20-0843 Evaluation of Proposed Change capability to all three 4.16 kV ESF buses per unit to be maintained operable.

Additionally, to minimize the risk of a LOOP to HNP during the extended DG outage, daily communication with the electrical system load dispatcher will be required to ensure multiple line contingencies are available. During the extended DG outage, HNP operations management may consider a plant shutdown when offsite electrical system stability has eroded to a single contingency, provided the plant shutdown does not result in a further destabilization of the offsite electrical power system network.

The shutdown cooling (SDC) mode of both RHR loops will be maintained operable during the extended DG outage. Alternately, the LPCI alternate SDC mode may be maintained available during the extended DG outage. Maintaining redundancy of these modes of the RHR system is considered a necessary defense-in-depth measure to protect the low pressure cooling function of the RCS in the event of an additional single failure while a DG is in an extended outage.

To further enhance defense-in-depth during an extended DG outage, both steam driven injection systems (i.e., high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems) will be maintained operable. These redundant closed cooling steam driven systems ensure a method will be available to maintain reactor vessel water level and promote an RCS cooldown in the event of an extended SBO until the AC electrical power system is restored from either offsite power or the onsite standby emergency DGs.

Defense-in-Depth Considerations

1. Any potential reduction in defense-in-depth by extending the completion time to restore an inoperable DG to operable status from 14 days to 19 days is offset by the proposed defense-in-depth controls. These controls will provide a reasonable balance between layers of defense by requiring an additional layer of equipment to be maintained operable that otherwise would be allowed to be inoperable concurrent with an inoperable DG. Examples include:

a) only two offsite circuits per unit are required to be operable to meet LCO 3.8.1, however, the controls will maximize the offsite electrical power system diversity by requiring all three circuits (i.e., SATs and associated circuit paths to the respective 4.16 kV ESF buses) per unit to be maintained operable during the extended DG outage; b) either HPCI or RCIC could be inoperable for 14 days with a DG inoperable, however, both HPCI and RCIC will be maintained operable during the extended DG outage; and c) there is no current requirement for the SDC mode of RHR to be maintained operable or the LPCI alternate SDC mode available while the plant is operating, however, each RHR loop must have either the SDC mode operable or the LPCI alternate SDC mode available during the extended DG outage.

E-12

Enclosure to NL-20-0843 Evaluation of Proposed Change These additional layers of equipment operability and other defense-in-depth controls either: reduce the probability of a complete LOOP to HNP by maintaining multiple circuit paths between the transmission network and the onsite Class 1E electrical distribution system; or maintain redundant systems operable or available to ensure the units can be shutdown and cooled down in the event of a LOOP and a single failure in addition to the DG removed for maintenance.

2. The proposed defense-in-depth controls protect and maintain current plant design features operable as additional defense-in-depth layers rather than alter the plant design features, install temporary portable features, or alter or create new procedures. Thus, the proposed controls preserve the capability of the existing plant design features so as not to over rely on programmatic controls to maintain defense-in-depth.

3. The proposed defense-in-depth controls minimize the probability of a complete loss of reactor inventory control and containment cooling and core decay heat removal functions following a LOOP assuming a single active failure by requiring redundancy be maintained on systems required to perform these functions during the extended DG outage.

4. The proposed change does not alter the design or operation of the onsite standby emergency AC power system. Independence and redundancy of the system are not affected by the proposed change and no new single failure mechanism is created by the proposed change. Since the planned maintenance activity is preventative, a common mode failure is not expected to be identified. In the event a degradation is discovered on the inoperable DG and the subsequent causal analysis determines a common failure mode exists in the redundant DGs, applicable TS 3.8.1 conditions will be entered and the required actions will be taken in accordance with the HNP Unit 1 and Unit 2 TS. Therefore, adequate defense against common cause failure mechanisms is preserved.

5. Only one DG will be removed from service at a time, thereby ensuring that two DGs per unit continue to be capable of supplying the required loads for the safe shutdown of both units without offsite power. Therefore, the HNP onsite standby emergency AC power system will continue to meet the intent of the system design basis by providing sufficient capacity, capability, redundancy, and reliability ensuring the availability of necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. Thus, multiple fission product barriers will be maintained in the highly unlikely event of a loss of the offsite electrical power system network during an extended DG outage.

6. The proposed change does not introduce new operational modes and does not alter the DG human engineering or method in which the DGs are operated or tested. The DG maintenance will be performed by knowledgeable and trained technicians using current maintenance procedures. This will preserve the current level of defense against human errors, which has been considered sufficient.

E-13

Enclosure to NL-20-0843 Evaluation of Proposed Change

7. To summarize, none of the offsite power sources are affected by the planned extended DG outage and will remain operable. Only one DG will be removed from service at a time, thereby ensuring that two DGs per unit continue to be capable of supplying the required loads for the safe shutdown of both units without offsite power. Therefore, the HNP onsite standby emergency AC power system will continue to meet the intent of the system design basis by providing sufficient capacity, capability, redundancy, and reliability. This will ensure the availability of necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

Key Principle 3: The Proposed Change Maintains Sufficient Safety Margins The design of the HNP onsite standby emergency AC electrical power system accommodates a single failure of one DG. The one-time extension of the AOT for an inoperable DG has no impact on the system design basis or the applicable codes and standards that formed the design basis. HNP Units 1 and 2 continue to meet the accident analysis requirements considering no additional failure in safety-related equipment except those directly impacted by the DG outage. Safety analyses acceptance criteria, as provided in the FSAR, are not impacted by this change. AC power sources credited in the accident analyses will remain the same. Operation in accordance with the proposed TS ensures that the assumptions for initial conditions of key parameter values in the safety analyses remain valid. This ensures that applicable design and performance criteria associated with the safety analysis will continue to be met and sufficient safety margin is maintained.

3.4 Risk Evaluation Approach A quantitative and qualitative analysis of risk was performed to support the conclusion that the change in risk associated with the proposed one-time AOT extension for the Unit 1 DGs and swing DG is acceptable. The risk analysis addressed Key Principles 4 and 5 of NRC RG 1.174 (Reference 1) and RG 1.177 (Reference 2) and the risk was calculated consistent with NRC guidance provided in these RGs.

Key Principle 4: Change in Risk is Consistent with the Safety Goal Policy Statement The risk assessment performed for this change addresses the philosophy of risk-informed decision-making and a summary report of the risk assessment is provided in Attachment 4 to this enclosure. The results are within the acceptance guidelines listed in NRC RG 1.177 (Reference 2) for a one-time TS completion time extension. As such, the change in risk is small and consistent with the intent of the Commission's Safety Goal Policy Statement. Section 3.5 of this enclosure provides a summary of the risk results in support of the proposed one-time TS change to extend the AOT from 14 days to 19 days for each Unit 1 DG and the swing DG.

E-14

Enclosure to NL-20-0843 Evaluation of Proposed Change Key Principle 5: Monitor the Impact of the Proposed Change The impact of the proposed change will be monitored for effectiveness in accordance with the existing plant maintenance rule program pursuant to 10 CFR 50.65(a)(4) and the associated implementation guidance, NRC RG 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Reference 6). The program requires, in part, that performing maintenance activities shall not reduce the overall availability of SSCs, which are important to safety. This program also ensures that DG reliability is maintained at or above the SBO target level, and the effectiveness of maintenance on the DGs and support systems is monitored.

If an extended DG outage is determined necessary, the proposed TS actions require the establishment of defense-in-depth and risk management controls for various plant maintenance configurations to maintain and manage acceptable risk levels ensuring adequate electrical power sources and safety-related equipment are available in the event of a loss of the offsite electrical power system network during the extended DG outage period. The intent of these compensatory measures is to reduce the duration of risk-sensitive activities and avoid high-risk sensitive equipment outages or maintenance states that result in high-risk plant configurations.

The defense-in-depth and risk management controls that must be established and maintained during the proposed extended completion time period are listed in the regulatory commitments provided in Attachment 5 to this enclosure. These controls include protection of equipment that supports the stability of the offsite power circuits and include weather considerations. The plant online configuration risk management program requires maintenance on sensitive or critical equipment to be removed from the work schedule, unless deemed necessary by operations management, during periods of severe weather forecasts, grid degradation, or when system alert conditions are imminent. This would include removing a planned DG preventative maintenance overhaul from the work schedule during these periods.

The HNP standby emergency DGs are included in the plant mitigating system performance index (MSPI) program. This program ensures that failures, unavailability, demands, and run hours affecting MSPI systems are properly evaluated and input into the appropriate industry database. The MSPI program will continue to monitor, trend, and evaluate performance of the DGs, associated values, and failure worths to detect adverse trends and take corrective action prior to adverse effect on MSPI indicators.

Although this amendment request is proposing an extended DG AOT of 19 days, the inoperable DG will be restored to an operable status as soon as reasonably practicable to minimize plant risk and minimize the impact on reliability factors monitored under the 10 CFR 50.65 program. NRC RG 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Reference 7), which considers dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the DG inoperable for an extended period E-15

Enclosure to NL-20-0843 Evaluation of Proposed Change of time. In the event the extended DG AOT is utilized, these considerations may result in additional risk management and other compensatory actions being required during the extended period that the DG is inoperable.

Work management procedures require a post work analysis to ensure post work lessons learned are captured and adequately addressed. Post work critiques compare current performance with desired performance for areas needing improvement and identify gaps for improvement opportunities, including schedule deviations and deficiencies. SNC will assess the lessons learned from each extended DG outage and develop strategies, if possible, to minimize the out-of-service time of subsequent DG outages.

Severe Weather Considerations In addition to the defense-in-depth and risk management controls listed in the regulatory commitments provided in Attachment 5 to this enclosure, existing plant procedures will continue to address monitoring weather conditions, and ensuring that actions are taken in the event adverse conditions are expected onsite. These actions, relevant during hurricane season, include housekeeping, flooding, and high wind preparation considerations. Also, at least two hours prior to the onset of hurricane force winds at the site, operational procedures place the units in a condition where the inoperable DG is not required by directing a shutdown. This allows enough time for 50% of the decay heat to be dissipated to the condenser.

For severe weather events affecting the plant site and as time permits, plant procedures require the following general instructions:

a. Inspect/walk-down the site for potential missiles, and other objects which are unsecured which may potentially block large surface areas of critical intake screens.

b. Remove or secure equipment that could become a missile or cause significant blockage of critical intake screens.

c. If time and conditions permit, prior to severe weather impacting the site, inspect offsite power circuits in the low voltage switchyard for damage, signs of connection fatigue or cracking that could lead to open-phase events.

d. Check alignment of operable DGs, evaluate onsite fuel storage and supply to ensure they are sufficient for the hazard/risk, and review the availability, location and duration to provide fuel supply from external sources.

e. Maximize the availability of the high voltage switchyard (i.e., offsite power), by coordinating with the transmission network system control center, as applicable, to suspend activities in the high and low voltage switchyards and applicable substations.

As described in FSAR, Section 2.4, the probable maximum flood (PMF) height, including wave crest, is 108.3 ft. Flood levels above 108.3 ft. are considered beyond design basis and assume at least one upstream dam failure or more than 18 in. of cumulative rainfall in a three day period. Flood levels during a hurricane or tropical storm are not expected to exceed the maximum design flood level of E-16

Enclosure to NL-20-0843 Evaluation of Proposed Change 108.3 ft. In the event river levels are projected to exceed this PMF level, plant procedures direct, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of level reaching 108.3 ft., a shutdown of both units and cooldown to cold conditions.

To support the diverse and flexible mitigation capability (FLEX) strategies assessment, the flood hazard was reevaluated. The evaluation for the PMF combined with upstream overtopping dam failures (i.e., combined effects flooding hazard) concluded that the water surface elevation is estimated to be slightly less than 110 ft, which is below the finished floor level of the plant intake structure. The local intense precipitation (LIP) evaluation determined a maximum accumulation of slightly greater than 19 inches in one hour followed by a recession period. These evaluations concluded that inundation of water from flooding due to either LIP hazard or the combined effects flooding hazard will remain below the lowest SSC.

FLEX Considerations The FLEX DGs are not credited as compensatory actions in the risk analysis for the extended DG AOT. However, the FLEX DGs can support the Class 1E 600 V ESF buses on both units thereby providing defense-in-depth in addition to the proposed defense-in-depth controls listed in the regulatory commitments provided in Attachment 5 to this enclosure.

3.5 Risk Assessment Results The tables provided herein document the results of the probabilistic risk assessment (PRA) conducted in support of the proposed one-time TS change to extend the restoration completion time from 14 days to 19 days for each Unit 1 DG and the swing DG. Details of the risk assessment are provided in Attachment 4 to this enclosure. Because the proposed change is not a permanent change, the following acceptance guidelines from NRC RG 1.177 (Reference 2) are applicable for evaluating the core damage frequency (CDF) and large early release frequency (LERF) risk associated with one-time only AOT changes:

Incremental conditional core damage probability (ICCDP) of less than 1.0E-06 and incremental conditional large early release probability (ICLERP) of less than 1.0E-07, or

ICCDP of less than 1.0E-05 and ICLERP of less than 1.0E-06 with effective compensatory measures implemented to reduce the sources of increased risk.

The ICCDP and ICLERP risk quantification results are presented for each unit in Tables 3.5-1 and 3.5-2 herein and are based on a DG restoration completion time of 19 days, including the 14 days associated with the current TS requirement for each DG. In cases where the reduction in risk due to setting prohibited maintenance terms to zero was greater than the increase in risk with the DG out of service, the ICCDP and/or ICLERP terms were set to zero.

E-17

Enclosure to NL-20-0843 Evaluation of Proposed Change Table 3.5-1: HNP Unit 1 ICCDP and ICLERP Hazard Breakdown Internal Internal Internal Events Floods Fires Seismic Total DG 1A Base Case 5.01E-06 2.38E-07 5.89E-05 9.53E-07 6.51E-05 DG Out of CDF 1.09E-05 4.50E-7 6.00E-05 1.03E-06 7.24E-05 Service ICCDP 3.07E-07 1.10E-08 5.73E-08 4.01E-09 3.79E-07 Base Case 3.66E-07 5.95E-09 3.64E-06 2.47E-07 4.26E-06 DG Out of LERF 6.47E-07 1.13E-08 3.72E-06 2.47E-07 4.63E-06 Service ICLERP 1.46E-08 2.78E-10 4.16E-09 0.00 1.91E-08 DG 1B (Swing Diesel)

Base Case 5.01E-06 2.38E-07 5.89E-05 9.53E-07 6.51E-05 DG Out of CDF 8.22E-06 2.18E-07 6.03E-05 1.04E-06 6.98E-05 Service ICCDP 1.67E-07 0.00 7.29E-08 4.53E-09 2.45E-07 Base Case 3.66E-07 5.95E-09 3.64E-06 2.47E-07 4.26E-06 DG Out of LERF 4.06E-07 5.65E-09 3.61E-06 2.62E-07 4.28E-06 Service ICLERP 2.08E-09 0.00 0.00 7.81E-10 2.86E-09 DG 1C Base Case 5.01E-06 2.38E-07 5.89E-05 9.53E-07 6.51E-05 DG Out of CDF 1.09E-05 1.06E-06 7.58E-05 8.64E-07 8.86E-05 Service ICCDP 3.07E-07 4.28E-08 8.80E-07 0.00 1.23E-06 Base Case 3.66E-07 5.95E-09 3.64E-06 2.47E-07 4.26E-06 DG Out of LERF 6.40E-07 2.35E-08 4.05E-06 2.15E-07 4.93E-05 Service ICLERP 1.43E-08 9.14E-10 2.13E-08 0.00 3.65E-08 The ICCDP and ICLERP values were calculated using the following equations:

ICCDP = (OOS case - Base case) * (19/365) ICLERP = (OOS case - Base case) *

(19/365)

E-18

Enclosure to NL-20-0843 Evaluation of Proposed Change Table 3.5-2: HNP Unit 2 ICCDP and ICLERP Hazard Breakdown Internal Internal Internal Events Floods Fires Seismic Total DG 1A Base Case 7.45E-06 3.00E-07 5.62E-05 8.58E-07 6.48E-05 DG Out of CDF 1.08E-05 6.39E-07 6.44E-05 9.53E-07 7.68E-05 Service ICCDP 1.74E-07 1.76E-08 4.27E-07 4.95E-09 6.24E-07 Base Case 3.70E-07 6.93E-09 3.62E-06 2.60E-07 4.26E-06 DG Out of LERF 3.73E-07 3.31E-08 4.08E-06 2.79E-07 4.77E-06 Service ICLERP 1.56E-10 1.36E-09 2.39E-08 9.89E-10 2.65E-08 DG 1B (Swing Diesel)

Base Case 7.45E-06 3.00E-07 5.62E-05 8.58E-07 6.48E-05 DG Out of CDF 1.10E-05 6.39E-07 6.71E-05 9.86E-07 7.97E-05 Service ICCDP 1.85E-07 1.76E-08 5.67E-07 6.66E-09 7.77E-07 Base Case 3.70E-07 6.93E-09 3.62E-06 2.60E-07 4.26E-06 DG Out of LERF 3.56E-07 2.87E-08 4.11E-06 2.76E-07 4.77E-06 Service ICLERP 0.00 1.13E-09 2.55E-08 8.33E-10 2.75E-08 DG 1C Base Case 7.45E-06 3.00E-07 5.62E-05 8.58E-07 6.48E-05 DG Out of CDF 1.08E-05 7.38E-07 6.44E-05 9.92E-07 7.69E-05 Service ICCDP 1.74E-07 2.28E-08 4.27E-07 6.98E-09 6.31E-07 Base Case 3.70E-07 6.93E-09 3.62E-06 2.60E-07 4.26E-06 DG Out of LERF 3.68E-07 3.55E-08 4.08E-06 2.91E-07 4.77E-06 Service ICLERP 0.00 1.49E-09 2.39E-08 1.61E-09 2.70E-08 The ICCDP and ICLERP values were calculated using the following equations:

ICCDP = (OOS case - Base case) * (19/365) ICLERP = (OOS case - Base case) *

(19/365)

The risk results presented in the tables herein are shown to not pose a significant challenge to the risk level as presented in NRC RG 1.177 (Reference 2) for one-time TS action completion time changes.

E-19

Enclosure to NL-20-0843 Evaluation of Proposed Change Risk Management Actions To support the risk evaluation of the proposed one-time TS change to extend the AOT from 14 days to 19 days for DG 1C, an additional risk management action will be established prior to and maintained during the DG 1C extended maintenance outage. The risk management action will limit access to the cable spreading room, including the boundary isolation devices (BID) server room, to fire watches, on-shift operations personnel, and security personnel for the purposes of required area surveillance and inspection. No maintenance activities or project activities in the cable spreading room will be allowed, including fire protection surveillances, construction activities, engineering or maintenance walk-downs, BID equipment replacements, etc. without shift supervisor approval. The intent is to strictly limit the potential for the introduction of transient combustible materials or ignition sources into the cable spreading room during the DG 1C extended maintenance outage. This restriction will not be needed for the diesel engine cylinder liner replacement outages on either DG 1A or the swing DG. The proposed risk management control is explicitly listed in the regulatory commitments provided in Attachment 5 to this enclosure and in the proposed TS bases provided in Attachment 3 to this enclosure.

4. REGULATORY EVALUATION 4.1 Applicable Regulatory Requirements/Criteria 10 CFR 50.36, Technical specifications - The onsite AC emergency electrical power system design satisfies 10 CFR 50.36(c)(2)(ii), Criterion 3. Proper starting and loading of the DGs is considered a primary success path to mitigate the accidents and transients. The proposed change does not delete requirements associated with the DGs and LCO 3.8.1 continues to maintain requirements associated with SSCs that are part of the primary success path and actuate to mitigate the related DBAs and transients. The proposed change does not alter any surveillance testing requirement. Therefore, the proposed change continues to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met as required by 10 CFR 50.36(c)(3). The proposed amendment continues to provide remedial actions and shutdown requirements required by 10 CFR 50.36(c)(2)(i). The proposed change extends the time, on a one-time basis per DG, to restore the Unit 1 DGs and swing DG to operable status during the performance of their diesel engine cylinder liner replacement outages.

The technical analysis performed to support this proposed change has demonstrated that one DG per unit can supply all required loads for the safe shutdown of both units without offsite power and the onsite standby emergency AC electrical power system capacity continues to be adequate to supply the ESF loads for the DBA, assuming the failure of a single active component in the system. In addition, the risk assessment performed to support this proposed change has demonstrated that the plant risk is within applicable regulatory guidance limits.

E-20

Enclosure to NL-20-0843 Evaluation of Proposed Change 10 CFR 50.63, Loss of all alternating current power - Each light water cooled nuclear power plant licensed to operate must be able to withstand for a specified duration and recover from a station blackout (SBO).

Section 8.4 of the Unit 2 FSAR provides the SBO analysis and coping evaluations for HNP Units 1 and 2.

NRC RG 1.155 (Reference 4) describes a means acceptable to the NRC for meeting the requirements of 10 CFR 50.63. NRC RG 1.155 states that the NRC has determined that NUMARC 87-00 (Reference 3) also provides guidance that is in large part identical to the NRC RG 1.155 guidance and is acceptable to the NRC for meeting these requirements, including the supplemental NUMARC letter dated January 4, 1990 (Reference 8). The vendor topical reports referenced in HNP Unit 2 FSAR Section 8.4 summarize the SBO evaluation performed for an increase in the rated thermal power to 2804 MWt. With the proposed change, two DGs and associated ESF buses per unit will remain available in the event of an SBO, which are adequate to bring the blackout unit and non-blackout unit to cold shutdown conditions and recover from an SBO event.

In March 2012, the NRC issued Order EA-12-049, Issuance of Order to Modify Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events, (NRC Agencywide Documents Access and Management System (ADAMS) Accession No. ML12054A735). This order directed licensees to develop, implement, and maintain guidance and strategies to maintain or restore core cooling, containment and spent fuel pool cooling capabilities in the event of a beyond-design-basis external event.

In a letter from the NRC to SNC dated August 4, 2017, the NRC provided the results of the staff review of strategies related to the HNP FLEX (NRC ADAMS Accession No. ML17179A286). The NRC determined that SNCs actions during an extended loss of all AC power, including use of portable generators, provides additional defense-in-depth measures. The FLEX strategies provide reasonable assurance that in the event of an extended SBO during the proposed one-time AOT for the Unit 1 DGs and the swing DG, the long-term core cooling and spent fuel pool cooling will be managed until external resources are available.

10 CFR 50.65, Requirements for monitoring the effectiveness of maintenance at nuclear power plants - This regulation requires, in part, that performing maintenance activities shall not reduce the overall availability of the SSCs, which are important to safety. NRC RG 1.160 (Reference 6) provides implementation guidance for 10 CFR 50.65(a)(4) and endorses the guidance in Section 11 of NUMARC 93-01 (Reference 7). Pursuant to 10 CFR 50.65(a)(4), the risk of the proposed change has been assessed and actions are provided to manage the increase in risk that may result thereby ensuring the overall availability of SSCs, which are important to safety.

The HNP Unit 1 emergency power system was designed to the following applicable Atomic Energy Commission preliminary GDC identified in Federal Register 32 FR 10213, published July 11, 1967 (NRC ADAMS Accession No. ML043310029):

E-21

Enclosure to NL-20-0843 Evaluation of Proposed Change 1967 GDC 39 - Emergency Power for Engineered Safety Features (Category A):

The proposed change does not alter the design of the onsite or offsite electric power system design. Alternate power systems continue to be provided and designed, as previously licensed and approved by the NRC, with adequate independency, redundancy, capacity, and testability to permit the function required of the engineered safety features. The onsite and offsite power systems continue to, independently, provide this capacity assuming a failure of a single active component in the power system, as previously licensed and approved by the NRC.

The HNP Unit 2 onsite emergency power system was designed to the following 10 CFR Part 50, Appendix A General Design Criteria for Nuclear Power Plants:

GDC 17 - Electric power systems: The proposed change does not alter the design of the onsite or offsite electric power system design and the electric power systems continue to permit functioning of SSCs important to safety. With the proposed change, the safety function for onsite electric power system continues to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents, as previously licensed and approved by the NRC.

Independence, redundancy, and testability of the onsite electric power system, assuming a single failure, has not been impacted by the proposed change. The electric power from the transmission network to the onsite electric distribution system continues to be supplied by at least two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions.

Provisions continue to be included, as previously licensed and approved by the NRC, to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

GDC 18 - Inspection and testing of electric power systems: The proposed change does not alter the onsite or offsite electrical power system. Electric power systems important to safety continue to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components. The proposed change does not alter the capability, as previously licensed and approved by the NRC, to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.

E-22

Enclosure to NL-20-0843 Evaluation of Proposed Change NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, (SRP) -

NRC branch technical position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions, (Reference 9) -

The purpose of NRC BTP 8-8 is to provide guidance from a deterministic perspective in reviewing amendment requests for one-time or permanent AOT extensions for DGs and offsite power sources to perform online maintenance of DGs and offsite power sources.

As discussed in Section 3.3 of this enclosure, one DG per unit can, without any load shedding, supply loads necessary for safe shutdown from 100% power to cold conditions within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months following a LOOP. Since two DGs remain operable for each unit during the extended DG outage, at least one DG per unit would be available to support this transition to cold shutdown in the highly unlikely event of a loss of the offsite electrical power system network concurrent with an additional failure of a DG. SNC believes this meets the intent of the position presented in BTP 8-8.

BTP 8-8 is limited to a 14-day AOT extension, which is currently allowed in the HNP TS. A draft revision of NRC BTP 8-8, Onsite and Offsite Power Sources Completion Time Extensions, dated October 2019 (Reference 10) states:

Applications that deviate from the deterministic criteria outlined in this BTP [BTP 8-8] should be reviewed in accordance with SRP Section 16.1, Risk-Informed Decision Making: Technical Specifications, and SRP Section 19.2, Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance. Such reviews are outside the scope of this BTP.

Therefore, this amendment request follows the guidance of SRP Sections 16.1 and 19.2. Chapter 16.1 of the SRP states that licensees submitting risk information should address each of the principles of risk-informed regulation addressed in NRC RG 1.177 (Reference 2). Sections 3.3 and 3.4 of this enclosure addresses the key principles outlined in NRC RG 1.177.

Sections 19.1 and 19.2 of SRP Chapter 19 provide guidance on evaluating PRA quality and general guidance for evaluating the technical basis for proposed risk-informed changes, respectively. Technical adequacy, scope, and level of detail are components of overall PRA quality. NRC RG 1.174 (Reference 1),

provides guidance regarding the attributes of PRA quality and defines an acceptable approach for use in analyzing and evaluating proposed license changes. NRC RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities (Reference 11), describes an acceptable approach for determining whether the quality of the PRA model, in total, or the parts used to support a license change application, is sufficient to provide confidence in the results such that the PRA model can be used in regulatory decision-making.

E-23

Enclosure to NL-20-0843 Evaluation of Proposed Change The NRC recently reviewed the quality of the HNP internal events PRA model, including the fire PRA, against the PRA standard ASME/ANS RA-Sa-2009 and NRC RG 1.200 (Reference 11) for transition to 10 CFR 50.48(c), National Fire Protection Association Standard NFPA 805 and to 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors. In the safety evaluation for both license amendments related to NFPA-805 and 10 CFR 50.69 transition, the NRC concluded that the HNP PRA model is adequate to support calculations for related risk-informed changes (NRC ADAMS Accession Nos. ML20066F592 and ML20077J704).

Attachment 4 of this enclosure addresses the principles of risk-informed regulation outlined in NRC RG 1.177 (Reference 2) and the quality of the HNP PRA in accordance with the guidance of NRC RG 1.200 (Reference 11).

4.2 Precedent In April 2020, Energy Northwest requested a one-time AOT extension for inoperable AC and DC electrical distribution subsystems from 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , respectively, to 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months at Columbia Generating Station to perform emergent repairs to the electrical distribution cooling system (NRC ADAMS Accession No. ML20107G972). The amendment request was requested under exigent circumstances and submitted due to unforeseen circumstances associated with the ongoing COVID-19 pandemic and the resulting impact on the Columbia Generating Station. On May 12, 2020, the NRC issued Amendment 258 to the Columbia Generating Station approving the exigent one-time change to extend the AOT for inoperable AC and DC electrical distribution subsystems to 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months (NRC ADAMS Accession No. ML20125A080).

In July 2019, Florida Power & Light requested a one-time AOT extension for an inoperable DG from 14 days to 30 days at St. Lucie Plant to perform repairs and extensive refurbishment of the DG due to an engine component failure (NRC ADAMS Accession No. ML19200A283). The amendment request was risk-informed and requested under exigent circumstances. On July 26, 2019, the NRC issued Amendment 248 to St. Lucie Plant, Unit 1 approving the exigent one-time change to extend the DG AOT from 14 days to 30 days (NRC ADAMS Accession No. ML19203A166).

In April 2019, Exelon Generation Company requested a one-time AOT extension for an inoperable offsite circuit from 7 days to 21 days at Peach Bottom Atomic Power Station (PBAPS) to perform physical modification work on an emergency auxiliary transformer (NRC ADAMS Accession No. ML19116A196). On October 29, 2019, the NRC issued Amendments 328 and 331 to PBAPS, Units 2 and 3, respectively, approving the one-time change to extend the AOT for an inoperable offsite circuit from 7 days to 21 days (NRC ADAMS Accession No. ML19266A622).

In November 2017, Virginia Electric and Power Company requested a one-time AOT extension for an inoperable offsite circuit from 7 days to 21 days at Surry Power Station to replace a reserve station service transformer and cabling (NRC ADAMS Accession No. ML17317A464). On October 5, 2018, the NRC E-24

Enclosure to NL-20-0843 Evaluation of Proposed Change issued Amendments 293 and 293 to Surry Power Station, Units 1 and 2, respectively, approving the one-time change to extend the AOT for an inoperable offsite circuit from 7 days to 21 days (NRC ADAMS Accession No. ML18261A099).

In December 2016, Arizona Public Service Company requested an AOT extension for an inoperable DG from 10 days to 21 days at Palo Verde Nuclear Generating Station to collect and analyze data associated with the failure of a DG and continue DG repairs (NRC ADAMS Accession No. ML16356A689). The amendment request was based on a deterministic justification and requested under emergency circumstances. On December 23, 2016, the NRC issued Amendment 199 to Palo Verde Nuclear Generating Station, Unit 3 approving the one-time emergency TS change to extend the AOT for an inoperable DG from 10 days to 21 days (NRC ADAMS Accession No. ML16358A676). Following issuance of Amendment 199, Arizona Public Service Company made an additional emergency request to revise the one-time DG AOT extension from 21 days to 62 days. (NRC ADAMS Accession No. ML16365A240). The follow-up amendment request, also requested under emergency circumstances, was risk-informed.

On January 4, 2017, the NRC issued Amendment 200 to Palo Verde Nuclear Generating Station, Unit 3 approving an emergency revision to the DG AOT one-time extension from 21 days to 62 days to reestablish DG operability (NRC ADAMS Accession No. ML17004A020).

4.3 No Significant Hazards Consideration Determination Analysis Pursuant to the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), Southern Nuclear Operating Company (SNC) hereby requests an amendment to the Hatch Nuclear Plant (HNP) Units 1 and 2 renewed facility operating licenses DPR-57 and NPF-5, respectively.

The proposed change would revise technical specifications (TS) 3.8.1, AC Sources - Operating, to provide a one-time extension of the completion time of Required Action B.4 (Unit 1 TS) and Required Actions B.4 and C.4 (Unit 2 TS) of TS 3.8.1 for each Unit 1 diesel generator (DG) and the swing DG from 14 days to 19 days. This one-time TS change for these standby emergency DGs is a necessary contingency to support preventative maintenance activities, including replacement of the diesel engine cylinder liners. The scheduled time to perform this overhaul maintenance for each DG is greater than 75% of the current TS allowable out-of-service time (AOT), which may be exceeded due to unforeseen DG component degradations. In addition, the possibility exists for unexpected delays due to impacts related to coronavirus disease 2019 (COVID-19) controls, such as the U.S Centers for Disease Control and Prevention guideline for employers to isolate potentially infectious individuals based on COVID-19 signs and symptoms.

E-25

Enclosure to NL-20-0843 Evaluation of Proposed Change SNC has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment, as discussed below:

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No The proposed change provides a one-time extension of the DG restoration time allowed by TS. This change will have no effect on accident probabilities since the DGs are not considered accident initiators. The proposed DG AOT extension does not require any physical plant modifications. Since no individual precursors of an accident are affected, the proposed amendment does not increase the probability of a previously analyzed event. The consequences of an evaluated accident are determined by the operability of plant systems designed to mitigate those consequences. The consequences of an evaluated accident with an inoperable DG is not altered by the proposed change and will not affect the consequences of an accident previously evaluated.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different accident from any accident previously evaluated?

Response: No The proposed change does not involve a physical alteration of the plant (i.e.,

no new or different type of equipment will be installed). Operation in accordance with the revised TS and its limits precludes new challenges to systems, structures, or components that might introduce a new type of accident. Applicable design and performance criteria will continue to be met and no new single failure mechanisms will be created. The proposed change to extend the DG restoration time does not involve the alteration of plant equipment or introduce unique operational modes or accident precursors.

Therefore, the proposed change will not create the possibility of a new or different accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The margin of safety is related to the ability of the fission product barriers to perform their design functions during and following an accident. These barriers include the fuel cladding, the reactor coolant system, and the containment. The performance of these fission product barriers is not adversely affected by the proposed change.

E-26

Enclosure to NL-20-0843 Evaluation of Proposed Change The proposed change provides a risk-informed, one-time extension of the DG restoration time allowed by TS. A deterministic evaluation of the proposed completion time extension demonstrates there is sufficient margin to safety during the extended DG AOT period. During the extended DG AOT period, sufficient controls will be established to maintain the defense-in-depth design philosophy to ensure the electrical power system meets its design safety function and risk management actions will be established to maintain the risk as low as reasonably achievable within the regulatory acceptance guidelines.

Operation in accordance with the revised TS ensures that the assumptions for initial conditions of key parameter values in the safety analyses remain valid.

This ensures that applicable design and performance criteria associated with the safety analysis will continue to be met and that the margin of safety is not adversely affected.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, SNC concludes that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

4.4 Conclusions In conclusion, based on the considerations discussed herein, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commissions regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

5. ENVIRONMENTAL CONSIDERATION A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR Part 20 or a surveillance requirement. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released off site, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need to be prepared in connection with the proposed amendment.

E-27

Enclosure to NL-20-0843 Evaluation of Proposed Change

6. REFERENCES

1. NRC Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3, January 2018 (NRC ADAMS Accession No. ML17317A256).

2. NRC Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, May 2011 (NRC ADAMS Accession No. ML100910008).

3. Nuclear Management and Resource Council (NUMARC) 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors, Revision 1, August 1991 (NRC ADAMS Accession No. ML12137A732).

4. NRC Regulatory Guide 1.155, Station Blackout, Revision 0, August 1998 (NRC ADAMS Accession No. ML003740034).

5. NRC Regulatory Guide 1.93, Availability of Electric Power Sources, Revision 0, December 1974 (NRC ADAMS Accession No. ML003740292).

6. NRC Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants," Revision 4, August 2018 (NRC ADAMS Accession No. ML18220B281)

7. NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 4F, April 2018 (NRC ADAMS Accession No. ML18120A069).

8. NUMARC supplemental letter to the NUMARC Board of Directors, "Station Blackout (SBO) Implementation: Request for Supplemental SBO Submittal to NRC," January 4, 1990.

9. NRC Branch Technical Position 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Completion Time Extensions, dated February 2012 (NRC ADAMS Accession No. ML113640138).

10. NRC Branch Technical Position 8 DRAFT, Onsite and Offsite Power Sources Completion Time Extensions, Revision 0, dated October 2019 (NRC ADAMS Accession No. ML19219A184).

11. NRC Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, March 2009 (NRC ADAMS Accession No. ML090410014).

E-28

Attachment 1 HNP Unit 1 and Unit 2 Technical Specifications Marked-up Pages (9 total pages including cover page)

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.2 Declare required 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from discovery feature(s), supported by of Condition B the inoperable DG, concurrent with inoperable when the inoperability of redundant required redundant required feature(s) are feature(s) inoperable.

AND B.3.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) are not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2.a 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for OPERABLE DG(s).

AND B.4 Restore DG to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a OPERABLE status. Unit 1 DG with the swing DG not

.1 inhibited or maintenance restrictions not met AND 14 days for a Unit 1 DG with the swing DG inhibited from automatically aligning to Unit 2 and maintenance restrictions met AND 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for the swing diesel with maintenance restrictions not met (continued)

HATCH UNIT 1 3.8-3 Amendment No. 259

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 (continued) AND 14 days for the swing

.1 diesel with maintenance restrictions met

C. One required Unit 2 DG C.1 Perform SR 3.8.1.1 for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months inoperable OPERABLE required offsite circuit(s). AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND C.2 Declare required 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from discovery feature(s), supported by of Condition C the inoperable DG, concurrent with inoperable when the inoperability of redundant required redundant required feature(s) are inoperable. feature(s)

AND C.3.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) are not inoperable due to common cause failure.

OR C.3.2 Perform SR 3.8.1.2.a for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months OPERABLE DG(s).

(continued)

HATCH UNIT 1 3.8-4 Amendment No. 279

U1 Insert 3.8.1-1 OR

NOTES---------------

1. Only applicable during diesel engine cylinder liner replacement outage.

2. Only applicable once per DG.

B.4.2.1 Establish defense-in- 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months depth and risk management controls AND for extended DG outage. 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met AND B.4.2.2 -----------NOTE------------

Only applicable to Unit 1 DGs.

Inhibit swing DG from 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months automatically aligning to Unit 2.

AND B.4.2.3 Restore DG to 19 days OPERABLE status.

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.2 Declare required 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from discovery feature(s), supported by of Condition B the inoperable DG, concurrent with inoperable when the inoperability of redundant required redundant required feature(s) are feature(s) inoperable.

AND B.3.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) are not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2.a for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months OPERABLE DG(s)

AND B.4 Restore DG to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a OPERABLE status. Unit 2 DG with

.1 the swing DG not inhibited or maintenance restrictions not met AND 14 days for a Unit 2 DG with the swing DG inhibited from automatically aligning to Unit 1 and maintenance restrictions met AND 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for the swing diesel with maintenance restrictions not met (continued)

HATCH UNIT 2 3.8-3 Amendment No. 203

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 (continued) AND 14 days for the swing

.1 diesel with maintenance restrictions met

C. One required Unit 1 DG C.1 Perform SR 3.8.1.1 for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months inoperable. OPERABLE required offsite circuit(s). AND Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter AND C.2 Declare required 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from feature(s), supported by discovery the inoperable DG, of Condition C inoperable when the concurrent with redundant required inoperability of feature(s) are redundant required inoperable. feature(s)

AND C.3.1 Determine OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months DG(s) are not inoperable due to common cause failure.

OR C.3.2 Perform SR 3.8.1.2.a for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months OPERABLE DG(s).

(continued)

HATCH UNIT 2 3.8-4 Amendment No. 223

U2 Insert 3.8.1-1 OR

NOTES---------------

1. Only applicable during diesel engine cylinder liner replacement outage of Unit 1 DGs or swing DG.

2. Only applicable to swing DG.

B.4.2.1 Establish defense-in- 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months depth and risk management controls AND for extended DG outage. 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met AND B.4.2.2 Restore DG to 19 days OPERABLE status.

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME C. (continued) AND C.4 Restore required DG to 7 days with the OPERABLE status. swing DG not

.1 inhibited or maintenance restrictions not met AND 14 days with the swing DG inhibited from automatically aligning to Unit 2 and maintenance

<U2 Insert 3.8.1-2> restrictions met D. Two or more required D.1 Declare required 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from discovery offsite circuits inoperable. feature(s) with no offsite of Condition D power available concurrent with inoperable when the inoperability of redundant required redundant required feature(s) are feature(s) inoperable.

AND D.2 Restore all but one 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months required offsite circuit to OPERABLE status.

E. One required offsite circuit -------------------NOTE-----------------

inoperable. Enter applicable Conditions and Required Actions of LCO 3.8.7, AND "Distribution Systems -

Operating," when Condition E is One required DG entered with no AC power source inoperable. to one 4160 V ESF bus.

E.1 Restore required offsite 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months circuit to OPERABLE status.

(continued)

HATCH UNIT 2 3.8-5 Amendment No. 203

U2 Insert 3.8.1-2 OR

NOTE-----------------

Only applicable during diesel engine cylinder liner replacement outage.

C.4.2.1 Establish defense-in- 7 days depth and risk management controls AND for extended DG outage. 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months thereafter from discovery of defense-in-depth or risk management controls not met AND C.4.2.2 Inhibit swing DG from 7 days automatically aligning to Unit 2.

AND C.4.2.3 Restore DG to 19 days OPERABLE status.

Attachment 2 HNP Unit 1 and Unit 2 Technical Specifications Revised Pages (9 total pages including cover page)

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

% FRQWLQXHG % 'HFODUHUHTXLUHG KRXUVIURPGLVFRYHU\

IHDWXUH V VXSSRUWHGE\ RI&RQGLWLRQ%

WKHLQRSHUDEOH'* FRQFXUUHQWZLWK

LQRSHUDEOHZKHQWKH LQRSHUDELOLW\RI

UHGXQGDQWUHTXLUHG UHGXQGDQWUHTXLUHG

IHDWXUH V DUH IHDWXUH V

LQRSHUDEOH

$1'

% 'HWHUPLQH23(5$%/( KRXUV

'* V DUHQRW

LQRSHUDEOHGXHWR

FRPPRQFDXVHIDLOXUH

25

% 3HUIRUP65D KRXUV

IRU23(5$%/('* V

$1'

% 5HVWRUH'*WR KRXUVIRUD

23(5$%/(VWDWXV 8QLW'*ZLWK

WKHVZLQJ'*QRW

LQKLELWHGRU

PDLQWHQDQFH

UHVWULFWLRQVQRWPHW

$1'

GD\VIRUD

8QLW'*ZLWK

WKHVZLQJ'*

LQKLELWHGIURP

DXWRPDWLFDOO\

DOLJQLQJWR

8QLWDQG

PDLQWHQDQFH

UHVWULFWLRQVPHW

$1'

KRXUVIRUWKHVZLQJ

GLHVHOZLWK

PDLQWHQDQFH

UHVWULFWLRQVQRWPHW

FRQWLQXHG

+$7&+81,7 $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

% FRQWLQXHG % FRQWLQXHG $1'

GD\VIRUWKHVZLQJ

GLHVHOZLWK

PDLQWHQDQFH

UHVWULFWLRQVPHW

25

127(6

2QO\DSSOLFDEOHGXULQJGLHVHO

HQJLQHF\OLQGHUOLQHU

UHSODFHPHQWRXWDJH

2QO\DSSOLFDEOHRQFHSHU'*

% (VWDEOLVKGHIHQVHLQGHSWK KRXUV

DQGULVNPDQDJHPHQW

FRQWUROVIRUH[WHQGHG'* $1'

RXWDJH

KRXUVWKHUHDIWHU

IURPGLVFRYHU\RI

GHIHQVHLQGHSWKRU

ULVNPDQDJHPHQW

FRQWUROVQRWPHW

$1'

% 127(

2QO\DSSOLFDEOHWR8QLW

'*V

,QKLELWVZLQJ'*IURP KRXUV

DXWRPDWLFDOO\DOLJQLQJWR

8QLW

$1'

% 5HVWRUH'*WR GD\V

23(5$%/(VWDWXV

FRQWLQXHG

+$7&+81,7 D $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216 FRQWLQXHG

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

& 2QHUHTXLUHG8QLW'* & 3HUIRUP65IRU KRXU

LQRSHUDEOH 23(5$%/(UHTXLUHG

RIIVLWHFLUFXLW V $1'

2QFHSHUKRXUV

WKHUHDIWHU

$1'

& 'HFODUHUHTXLUHG KRXUVIURPGLVFRYHU\

IHDWXUH V VXSSRUWHGE\ RI&RQGLWLRQ&

WKHLQRSHUDEOH'* FRQFXUUHQWZLWK

LQRSHUDEOHZKHQWKH LQRSHUDELOLW\RI

UHGXQGDQWUHTXLUHG UHGXQGDQWUHTXLUHG

IHDWXUH V DUHLQRSHUDEOH IHDWXUH V

$1'

& 'HWHUPLQH23(5$%/( KRXUV

'* V DUHQRWLQRSHUDEOH

GXHWRFRPPRQFDXVH

IDLOXUH

25

& 3HUIRUP65DIRU KRXUV

23(5$%/('* V

FRQWLQXHG

+$7&+81,7 E $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

% FRQWLQXHG % 'HFODUHUHTXLUHG KRXUVIURPGLVFRYHU\

IHDWXUH V VXSSRUWHGE\ RI&RQGLWLRQ%

WKHLQRSHUDEOH'* FRQFXUUHQWZLWK

LQRSHUDEOHZKHQWKH LQRSHUDELOLW\RI

UHGXQGDQWUHTXLUHG UHGXQGDQWUHTXLUHG

IHDWXUH V DUH IHDWXUH V

LQRSHUDEOH

$1'

% 'HWHUPLQH23(5$%/( KRXUV

'* V DUHQRW

LQRSHUDEOHGXHWR

FRPPRQFDXVHIDLOXUH

25

% 3HUIRUP65DIRU KRXUV

23(5$%/('* V

$1'

% 5HVWRUH'*WR KRXUVIRUD

23(5$%/(VWDWXV 8QLW'*ZLWK

WKHVZLQJ'*QRW

LQKLELWHGRU

PDLQWHQDQFH

UHVWULFWLRQVQRWPHW

$1'

GD\VIRUD

8QLW'*ZLWK

WKHVZLQJ'*

LQKLELWHGIURP

DXWRPDWLFDOO\

DOLJQLQJWR

8QLWDQG

PDLQWHQDQFH

UHVWULFWLRQVPHW

$1'

KRXUVIRUWKHVZLQJ

GLHVHOZLWK

PDLQWHQDQFH

UHVWULFWLRQVQRWPHW

FRQWLQXHG

+$7&+81,7 $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

% FRQWLQXHG % FRQWLQXHG $1'

GD\VIRUWKHVZLQJ

GLHVHOZLWK

PDLQWHQDQFH

UHVWULFWLRQVPHW

25

127(6

2QO\DSSOLFDEOHGXULQJGLHVHO

HQJLQHF\OLQGHUOLQHU

UHSODFHPHQWRXWDJHRI8QLW

'*VRUVZLQJ'*

2QO\DSSOLFDEOHWRVZLQJ'*

% (VWDEOLVKGHIHQVHLQ KRXUV

GHSWKDQGULVN

PDQDJHPHQWFRQWUROV $1'

IRUH[WHQGHG'*

RXWDJH KRXUVWKHUHDIWHU

IURPGLVFRYHU\RI

GHIHQVHLQGHSWKRUULVN

PDQDJHPHQWFRQWUROV

QRWPHW

$1'

% 5HVWRUH'*WR GD\V

23(5$%/(VWDWXV

FRQWLQXHG

+$7&+81,7 D $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

& 2QHUHTXLUHG8QLW'* & 3HUIRUP65IRU KRXU

LQRSHUDEOH 23(5$%/(UHTXLUHG

RIIVLWHFLUFXLW V $1'

2QFHSHUKRXUV

WKHUHDIWHU

$1'

& 'HFODUHUHTXLUHG KRXUVIURP

IHDWXUH V VXSSRUWHGE\ GLVFRYHU\

WKHLQRSHUDEOH'* RI&RQGLWLRQ&

LQRSHUDEOHZKHQWKH FRQFXUUHQWZLWK

UHGXQGDQWUHTXLUHG LQRSHUDELOLW\RI

IHDWXUH V DUH UHGXQGDQWUHTXLUHG

LQRSHUDEOH IHDWXUH V

$1'

& 'HWHUPLQH23(5$%/( KRXUV

'* V DUHQRW

LQRSHUDEOHGXHWR

FRPPRQFDXVHIDLOXUH

25

& 3HUIRUP65DIRU KRXUV

23(5$%/('* V

FRQWLQXHG

+$7&+81,7 E $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

& FRQWLQXHG $1'

& 5HVWRUHUHTXLUHG'*WR GD\VZLWKWKH

23(5$%/(VWDWXV VZLQJ'*QRW

LQKLELWHGRU

PDLQWHQDQFH

UHVWULFWLRQVQRWPHW

$1'

GD\VZLWKWKH

VZLQJ'*LQKLELWHG

IURPDXWRPDWLFDOO\

DOLJQLQJWR8QLWDQG

PDLQWHQDQFH

UHVWULFWLRQVPHW

25

127(

2QO\DSSOLFDEOHGXULQJGLHVHO

HQJLQHF\OLQGHUOLQHUUHSODFHPHQW

RXWDJH

& (VWDEOLVKGHIHQVHLQ GD\V

GHSWKDQGULVN

PDQDJHPHQWFRQWUROV $1'

IRUH[WHQGHG'*

RXWDJH KRXUVWKHUHDIWHU

IURPGLVFRYHU\RI

GHIHQVHLQGHSWKRU

ULVNPDQDJHPHQW

FRQWUROVQRWPHW

$1'

& ,QKLELWVZLQJ'*IURP GD\V

DXWRPDWLFDOO\DOLJQLQJWR

8QLW

$1'

& 5HVWRUH'*WR GD\V

23(5$%/(VWDWXV

FRQWLQXHG

+$7&+81,7 D $PHQGPHQW1R

$&6RXUFHV2SHUDWLQJ

$&7,216 FRQWLQXHG

&21',7,21 5(48,5('$&7,21 &203/(7,217,0(

' 7ZRRUPRUHUHTXLUHG ' 'HFODUHUHTXLUHG KRXUVIURPGLVFRYHU\

RIIVLWHFLUFXLWVLQRSHUDEOH IHDWXUH V ZLWKQRRIIVLWH RI&RQGLWLRQ'

SRZHUDYDLODEOH FRQFXUUHQWZLWK

LQRSHUDEOHZKHQWKH LQRSHUDELOLW\RI

UHGXQGDQWUHTXLUHG UHGXQGDQWUHTXLUHG

IHDWXUH V DUH IHDWXUH V

LQRSHUDEOH

$1'

' 5HVWRUHDOOEXWRQH KRXUV

UHTXLUHGRIIVLWHFLUFXLWWR

23(5$%/(VWDWXV

( 2QHUHTXLUHGRIIVLWHFLUFXLW 127(

LQRSHUDEOH (QWHUDSSOLFDEOH&RQGLWLRQVDQG

5HTXLUHG$FWLRQVRI/&2

$1' 'LVWULEXWLRQ6\VWHPV

2SHUDWLQJZKHQ&RQGLWLRQ(LV

2QHUHTXLUHG'* HQWHUHGZLWKQR$&SRZHUVRXUFH

LQRSHUDEOH WRRQH9(6)EXV

( 5HVWRUHUHTXLUHGRIIVLWH KRXUV

FLUFXLWWR23(5$%/(

VWDWXV

FRQWLQXHG

+$7&+81,7 E $PHQGPHQW1R

Attachment 3 HNP Unit 1 and Unit 2 Technical Specifications Bases Marked-up Pages (Information Only)

(14 total pages including cover page)

$&6RXUFHV2SHUDWLQJ

%

%$6(6

$&7,216 % FRQWLQXHG

x $VQHHGHGIRUWKHVZLQJ'*ZKHQLWLVLQKLELWHGIURP

DXWRPDWLFDOO\DOLJQLQJWR8QLWLQRUGHUIRUWKHGD\

&RPSOHWLRQ7LPHWREHXVHGIRUD8QLW'*

7KH$1'FRQQHFWRUEHWZHHQWKHKRXUDQGGD\&RPSOHWLRQ

7LPHVPHDQVWKDWERWK&RPSOHWLRQ7LPHVDSSO\VLPXOWDQHRXVO\7KDW

LVWKHGD\&RPSOHWLRQ7LPHIRUDQ$RU&'*ZLWKWKHVZLQJ'*

LQKLELWHGDSSOLHVIURPWKHWLPHRIHQWU\LQWR&RQGLWLRQ%QRWIURPWKH

<U1 Insert B 3.8.1-1> WLPHWKHVZLQJ'*LVLQKLELWHG

&

7RHQVXUHDKLJKO\UHOLDEOHSRZHUVRXUFHUHPDLQVZLWKRQHUHTXLUHG

8QLW'*LQRSHUDEOHLWLVQHFHVVDU\WRYHULI\WKHDYDLODELOLW\RIWKH

UHTXLUHGRIIVLWHFLUFXLWVRQDPRUHIUHTXHQWEDVLV6LQFHWKH5HTXLUHG

$FWLRQRQO\VSHFLILHVSHUIRUPDIDLOXUHRI65DFFHSWDQFH

FULWHULDGRHVQRWUHVXOWLQD5HTXLUHG$FWLRQEHLQJQRWPHW+RZHYHU

LIDFLUFXLWIDLOVWRSDVV65LWLVLQRSHUDEOH8SRQRIIVLWHFLUFXLW

LQRSHUDELOLW\DGGLWLRQDO&RQGLWLRQVPXVWWKHQEHHQWHUHG

&

5HTXLUHG$FWLRQ&LVLQWHQGHGWRSURYLGHDVVXUDQFHWKDWDORVVRI

RIIVLWHSRZHUGXULQJWKHSHULRGWKDWRQHUHTXLUHG8QLW'*LV

LQRSHUDEOHGRHVQRWUHVXOWLQDFRPSOHWHORVVRIVDIHW\IXQFWLRQRI

FULWLFDOV\VWHPV7KHVHIHDWXUHVDUHGHVLJQHGZLWKUHGXQGDQWVDIHW\

UHODWHGGLYLVLRQV LHVLQJOHGLYLVLRQV\VWHPVDUHQRWLQFOXGHG

5HGXQGDQWUHTXLUHGIHDWXUHVIDLOXUHVFRQVLVWRILQRSHUDEOHIHDWXUHV

DVVRFLDWHGZLWKDGLYLVLRQUHGXQGDQWWRWKHGLYLVLRQWKDWKDVDQ

LQRSHUDEOH'*

FRQWLQXHG

+$7&+81,7 % 5(9,6,21

Unit 1 Insert B 3.8.1-1 B.4.2.1, B.4.2.2, and B.4.2.3 The Completion Time to restore the DG to OPERABLE status may be extended to 19 days provided action is taken within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to: 1) for an inoperable Unit 1 DG, inhibit the swing DG from automatically aligning to the Unit 2 4.16 kV ESF bus, and 2) establish defense-in-depth and risk management controls.

The B.4.2 Required Actions are modified by two Notes. Note 1 ensures that the B.4.2 Required Actions are only applied during the DG outage period that includes replacement of the engine cylinder liners. Note 2 specifies that the B.4.2 actions are only applicable one time for each DG because they are only approved for one-time use.

The extended Completion Time is subject to additional defense-in-depth measures and risk management actions to ensure adequate electrical power sources and safety related equipment are available in the event of a loss of the offsite electrical power system during the extended DG outage period.

The following defense-in-depth controls must be established and maintained during the extended Completion Time period:

a. Three qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Distribution System (i.e., SATs and associated circuit paths to the 4.16 kV ESF buses) per unit must be OPERABLE and aligned to their respective 4.16 kV ESF bus and no SAT will supply more than one 4.16 kV ESF bus;

b. Feeder lines from the 230 kV switchyard to the primary of each SAT will be protected and no discretionary maintenance or testing will be scheduled on these lines for the duration of the extended Completion Time period;

c. No discretionary maintenance or testing will be scheduled in the 500 kV or 230 kV switchyards that could affect the stability of the feeder lines to the SATs;

d. Electrical system load dispatcher will be contacted once per day to verify multiple line contingencies are available and to ensure no significant grid perturbations (i.e., high grid loading unable to withstand a single contingency of line or generation outage) are expected during the extended DG maintenance period;

e. Each automatic transfer of unit power supply from the normal offsite circuit to the alternate offsite circuit must be OPERABLE for each Class 1E 4.16 kV ESF bus;

f. At least two DGs must be OPERABLE to Unit 1;

g. High Pressure Coolant Injection (HPCI) and RCIC Systems must be OPERABLE;

h. For each residual heat removal (RHR) loop, either the shutdown cooling (SDC) mode must be OPERABLE or the LPCI alternate SDC mode must be available; and

i. Additional systems and components specified in Appendix A of the plant online configuration risk management program will be maintained available and no discretionary maintenance or testing will be scheduled on these systems or components (Ref. 16).

The requirement to establish and maintain features (i.e., systems, subsystems, and components) OPERABLE as a defense-in-depth control may be performed as an administrative

check, by examining logs or other information, to determine if the required features are out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the required features.

There are no specific risk management controls to be maintained for DG 1A or the swing DG during the extended Completion Time period. The following risk management control must be established for DG 1C and maintained during the extended Completion Time period:

No discretionary maintenance or testing, including fire protection surveillances, will be scheduled on any equipment in the cable spreading room during the extended completion time and access will be limited to fire watches, on-shift operations personnel; and security personnel for the purposes of required area surveillance and inspection.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time of Required Action B.4.2.1 corresponds to the time required by Required Action B.4.1 to restore a unit DG or the swing DG to OPERABLE status with no additional restrictions or controls. If after the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time, it is discovered that these controls are not met, a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of the required controls not met is allowed to reestablish the defense-in-depth and risk management controls.

The Completion Time is intended to allow the operator time to evaluate and re-establish any discovered control not met. This Completion Time also allows for an exception to the normal "time zero" for beginning the Completion Time "clock." Following the initial 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to establish the required controls, discovering one or more of the required controls not met results in starting the Completion Time for Required Action B.4.2.1. Twenty-four hours from the discovery of the required control(s) not met is acceptable because it minimizes risk while allowing time for re-establishing the control(s) before subjecting the unit to transients associated with shutdown while a DG is inoperable.

Required Action B.4.2.2 requires the swing DG to be inhibited from automatically aligning (on a LOCA or LOSP signal) to the other unit. This ensures two OPERABLE DGs are dedicated to each unit during a LOCA or LOSP event when a unit DG is inoperable. Required Action B 4.2.2 is modified by a Note that clarifies this action is only applicable when Condition B is entered due to DG 1A or 1C inoperable. When Condition B is entered due to the swing DG inoperable, this action is not applicable and is not needed since each unit has two dedicated OPERABLE DGs available in the event of a LOCA or LOSP event. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time of Required Action B.4.2.2 corresponds to the time required by Required Action B.4.1 to restore a unit DG to OPERABLE status with no additional restrictions or controls.

Once Required Action B.4.2.1, and Required Action B.4.2.2 for the Unit 1 DGs, are performed, the DG must be restored to OPERABLE status within 19 days. The extended Completion Time of Required Action B.4.2.3 represents a balance between the risk associated with continued plant operation with less than the required system or component redundancy and the risk associated with initiating a plant transient while transitioning the unit based on the loss of redundancy. With defense-in-depth and risk management controls established, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The extended Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA or an LOSP occurring during this period.

The Completion Time of Required Action B.4.2.3 is based on a defense-in-depth philosophy and risk informed using the plant PRA. The risk impact of the extended Completion Time has been evaluated pursuant to the risk assessment and management provisions of the Maintenance Rule, 10 CFR 50.65 (a)(4), and the associated implementation guidance, Regulatory Guide 1.160, "Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." This guidance provides

for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the DG inoperable for an extended period of time.

These considerations may result in additional risk management and other compensatory actions being required during the extended period that the DG is inoperable.

$&6RXUFHV2SHUDWLQJ

%

%$6(6

5()(5(1&(6 &)5$SSHQGL[$*'&

)6$56HFWLRQVDQG

1RWXVHG

8QLW)6$56HFWLRQ

8QLW)6$5&KDSWHU

5HJXODWRU\*XLGH'HFHPEHU

*HQHULF/HWWHU

&)5$SSHQGL[$*'&

5HJXODWRU\*XLGH0DUFK

5HJXODWRU\*XLGH$XJXVW

5HJXODWRU\*XLGH2FWREHU

,(((6WDQGDUG

15&1R)LQDO3ROLF\6WDWHPHQWRQ7HFKQLFDO

6SHFLILFDWLRQ,PSURYHPHQWV-XO\

1('&$5HYLVLRQ7HFKQLFDO-XVWLILFDWLRQWR6XSSRUW

5LVN,QIRUPHG0RGLILFDWLRQWR6HOHFWHG5HTXLUHG(QG6WDWHV

IRU%:53ODQWV'HFHPEHU

16. SNC Procedure NMP-GM-031, "On-line Risk Management Program," Appendix A, Version 8.0.

+$7&+81,7 % 5(9,6,21

$&6RXUFHV2SHUDWLQJ

%

%$6(6

$&7,216 % FRQWLQXHG

7KHWLPHPD\EHXVHGDVQHHGHGWRFRPSOHWHXQSODQQHG

PDLQWHQDQFH7KLVWLPHVKDOOEHPLQLPL]HG

x $VQHHGHGIRUWKHVZLQJ'*ZKHQLWLVLQKLELWHGIURP

DXWRPDWLFDOO\DOLJQLQJWR8QLWLQRUGHUIRUWKHGD\

&RPSOHWLRQ7LPHWREHXVHGIRUD8QLW'*

7KH³$1FRQQHFWRUEHWZHHQWKHKRXUDQGGD\&RPSOHWLRQ

7LPHVPHDQVWKDWERWK&RPSOHWLRQ7LPHVDSSO\VLPXOWDQHRXVO\7KDW

LVWKHGD\&RPSOHWLRQ7LPHIRUDQ$RU&'*ZLWKWKHVZLQJ'*

LQKLELWHGDSSOLHVIURPWKHWLPHRIHQWU\LQWR&RQGLWLRQ%QRWIURPWKH

WLPHWKHVZLQJ'*LVLQKLELWHG

<U2 Insert

B 3.8.1-1>

&

7RHQVXUHDKLJKO\UHOLDEOHSRZHUVRXUFHUHPDLQVZLWKRQHUHTXLUHG

8QLW'*LQRSHUDEOHLWLVQHFHVVDU\WRYHULI\WKHDYDLODELOLW\RIWKH

UHTXLUHGRIIVLWHFLUFXLWVRQDPRUHIUHTXHQWEDVLV6LQFHWKH5HTXLUHG

$FWLRQRQO\VSHFLILHVSHUIRUPDIDLOXUHRI65DFFHSWDQFH

FULWHULDGRHVQRWUHVXOWLQD5HTXLUHG$FWLRQEHLQJQRWPHW+RZHYHU

LIDFLUFXLWIDLOVWRSDVV65LWLVLQRSHUDEOH8SRQRIIVLWHFLUFXLW

LQRSHUDELOLW\DGGLWLRQDO&RQGLWLRQVPXVWWKHQEHHQWHUHG

&

5HTXLUHG$FWLRQ&LVLQWHQGHGWRSURYLGHDVVXUDQFHWKDWDORVVRI

RIIVLWHSRZHUGXULQJWKHSHULRGWKDWRQHUHTXLUHG8QLW'*LV

LQRSHUDEOHGRHVQRWUHVXOWLQDFRPSOHWHORVVRIVDIHW\IXQFWLRQRI

FULWLFDOV\VWHPV7KHVHIHDWXUHVDUHGHVLJQHGZLWKUHGXQGDQWVDIHW\

UHODWHGGLYLVLRQV LHVLQJOHGLYLVLRQV\VWHPVDUHQRWLQFOXGHG

5HGXQGDQWUHTXLUHGIHDWXUHVIDLOXUHVFRQVLVWRILQRSHUDEOHIHDWXUHV

DVVRFLDWHGZLWKDGLYLVLRQUHGXQGDQWWRWKHGLYLVLRQWKDWKDVDQ

LQRSHUDEOH'*

7KH&RPSOHWLRQ7LPHLVLQWHQGHGWRDOORZWKHRSHUDWRUWLPHWR

HYDOXDWHDQGUHSDLUDQ\GLVFRYHUHGLQRSHUDELOLWLHV7KLV&RPSOHWLRQ

7LPHDOVRDOORZVIRUDQH[FHSWLRQWRWKHQRUPDOWLPH]HURIRU

EHJLQQLQJWKHDOORZHGRXWDJHWLPHFORFN,QWKLV5HTXLUHG$FWLRQWKH

&RPSOHWLRQ7LPHRQO\EHJLQVRQGLVFRYHU\WKDWERWK

D $QLQRSHUDEOHUHTXLUHG8QLW'*H[LVWVDQG

E $UHGXQGDQWUHTXLUHGIHDWXUHRQWKHRWKHUGLYLVLRQ 'LYLVLRQ

RU RUGLYLVLRQVLQWKHFDVHRIWKH8QLWDQG6*76\VWHP

LVLQRSHUDEOH

,IDWDQ\WLPHGXULQJWKHH[LVWHQFHRIWKLV&RQGLWLRQ UHTXLUHG

8QLW'*LQRSHUDEOH DUHGXQGDQWIHDWXUHVXEVHTXHQWO\EHFRPHV

LQRSHUDEOHWKLV&RPSOHWLRQ7LPHEHJLQVWREHWUDFNHG

FRQWLQXHG

+$7&+81,7 % 5(9,6,21

Unit 2 Insert B 3.8.1-1 B.4.2.1 and B.4.2.2 The Completion Time to restore the swing DG to OPERABLE status may be extended to 19 days provided action is taken within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to establish defense-in-depth and risk management controls.

The B.4.2 Required Actions are modified by two Notes. Note 1 ensures that the B.4.2 Required Actions are only applied during the DG outage period that includes replacement of the engine cylinder liners of the Unit 1 DGs or the swing DG. Note 2 specifies that the B.4.2 actions are only applicable to the swing DG and, therefore, are not applicable when Condition B is entered due to the inoperability of a Unit 2 DG.

The extended Completion Time is subject to additional defense-in-depth measures and risk management actions to ensure adequate electrical power sources and safety related equipment are available in the event of a loss of the offsite electrical power system during the extended DG outage period.

The following defense-in-depth controls must be established and maintained during the extended Completion Time period:

a. Three qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Distribution System (i.e., SATs and associated circuit paths to the 4.16 kV ESF buses) per unit must be OPERABLE and aligned to their respective 4.16 kV ESF bus and no SAT will supply more than one 4.16 kV ESF bus;

b. Feeder lines from the 230 kV switchyard to the primary of each SAT will be protected and no discretionary maintenance or testing will be scheduled on these lines for the duration of the extended Completion Time period;

c. No discretionary maintenance or testing will be scheduled in the 500 kV or 230 kV switchyards that could affect the stability of the feeder lines to the SATs;

d. Electrical system load dispatcher will be contacted once per day to verify multiple line contingencies are available and to ensure no significant grid perturbations (i.e., high grid loading unable to withstand a single contingency of line or generation outage) are expected during the extended DG maintenance period;

e. Each automatic transfer of unit power supply from the normal offsite circuit to the alternate offsite circuit must be OPERABLE for each Class 1E 4.16 kV ESF bus;

f. Unit 2 DGs must be OPERABLE;

g. HPCI and RCIC Systems must be OPERABLE;

h. For each RHR loop, either the SDC mode must be OPERABLE or the LPCI alternate SDC mode must be available; and

i. Additional systems and components specified in Appendix A of the plant online configuration risk management program will be maintained available and no discretionary maintenance or testing will be scheduled on these systems or components (Ref. 15).

The requirement to establish and maintain features (i.e., systems, subsystems, and components) OPERABLE as a defense-in-depth control may be performed as an administrative

check, by examining logs or other information, to determine if the required features are out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the required features.

There are no specific risk management controls to be maintained for the swing DG during the extended Completion Time period.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time of Required Action B.4.2.1 corresponds to the time required by Required Action B.4.1 to restore the swing DG to OPERABLE status with no additional restrictions or controls. If after the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time, it is discovered that these controls are not met, a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of the required controls not met is allowed to reestablish the defense-in-depth and risk management controls. The Completion Time is intended to allow the operator time to evaluate and re-establish any discovered control not met. This Completion Time also allows for an exception to the normal "time zero" for beginning the Completion Time "clock." Following the initial 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to establish the required controls, discovering one or more of the required controls not met results in starting the Completion Time for Required Action B.4.2.1. Twenty-four hours from the discovery of the required control(s) not met is acceptable because it minimizes risk while allowing time for re-establishing the control(s) before subjecting the unit to transients associated with shutdown while a DG is inoperable.

Once Required Action B.4.2.1 is performed, the swing DG must be restored to OPERABLE status within 19 days. The extended Completion Time of Required Action B.4.2.2 represents a balance between the risk associated with continued plant operation with less than the required system or component redundancy and the risk associated with initiating a plant transient while transitioning the unit based on the loss of redundancy. With defense-in-depth and risk management controls established, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The extended Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA or an LOSP occurring during this period.

The Completion Time of Required Action B.4.2.2 is based on a defense-in-depth philosophy and risk informed using the plant PRA. The risk impact of the extended Completion Time has been evaluated pursuant to the risk assessment and management provisions of the Maintenance Rule, 10 CFR 50.65 (a)(4), and the associated implementation guidance, Regulatory Guide 1.160. Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01. This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the swing DG inoperable for an extended period of time. These considerations may result in additional risk management and other compensatory actions being required during the extended period that the DG is inoperable.

AC Sources - Operating B 3.8.1 BASES ACTIONS C.4 (continued)

In Condition C, the remaining OPERABLE offsite circuit is adequate to supply electrical power to the required onsite Unit 1 Class 1E Distribution System. The 7 day Completion Time is based on the shortest restoration time allowed for the systems affected by the inoperable DG in the individual system LCOs. A risk-informed, deterministic evaluation performed for Plant Hatch justifies operation in Condition C for 14 days, provided action is taken to ensure two DGs are dedicated to each Hatch unit. This is accomplished for an inoperable A or C DG by inhibiting the automatic alignment (on a LOCA or LOSP signal) of the swing DG to the other unit. The Completion Times take into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA occurring during this period. Use of the 14 day Completion Time, subject to additional restrictions controlled by NMP-GM-031, is permitted as follows:

x Once per DG per operating cycle for performing a major overhaul of a DG.

x As needed to complete unplanned maintenance. This

<U2 Insert B 3.8.1-2> time shall be minimized.

D.1 and D.2 Required Action D.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two or more required offsite circuits. Required Action D.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed with one 4160 V ESF bus without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. (While this ACTION allows more than two circuits to be inoperable, Regulatory Guide 1.93 assumed two circuits were all that were required by the LCO, and a loss of those two circuits resulted in a loss of all offsite power to the Class 1E AC Electrical Power Distribution System.

Thus, with the Plant Hatch design, a loss of more than two required offsite circuits results in the same conditions assumed in Regulatory Guide 1.93.) When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits.

(continued)

HATCH UNIT 2 B 3.8-13 REVISION 96

Unit 2 Insert B 3.8.1-2 C.4.2.1, C.4.2.2, and C.4.2.3 The Completion Time to restore the required Unit 1 DG to OPERABLE status may be extended to 19 days provided action is taken within 7 days to: 1) inhibit the swing DG from automatically aligning to the Unit 2 4.16 kV ESF bus, and 2) establish defense-in-depth and risk management controls.

The C.4.2 Required Actions are modified by a Note that ensures the C.4.2 Required Actions are only applied during the DG outage period that includes replacement of the engine cylinder liners.

The extended Completion Time is subject to additional defense-in-depth measures and risk management actions to ensure adequate electrical power sources and safety related equipment are available in the event of a loss of the offsite electrical power system during the extended DG outage period.

The following defense-in-depth controls must be established and maintained during the extended Completion Time period:

a. Three qualified circuits between the offsite transmission network and the onsite Class 1E Electrical Distribution System (i.e., SATs and associated circuit paths to the 4.16 kV ESF buses) per unit must be OPERABLE and aligned to their respective 4.16 kV ESF bus and no SAT will supply more than one 4.16 kV ESF bus;

b. Feeder lines from the 230 kV switchyard to the primary of each SAT will be protected and no discretionary maintenance or testing will be scheduled on these lines for the duration of the extended Completion Time period;

c. No discretionary maintenance or testing will be scheduled in the 500 kV or 230 kV switchyards that could affect the stability of the feeder lines to the SATs;

d. Electrical system load dispatcher will be contacted once per day to verify multiple line contingencies are available and to ensure no significant grid perturbations (i.e., high grid loading unable to withstand a single contingency of line or generation outage) are expected during the extended DG maintenance period;

e. Each automatic transfer of unit power supply from the normal offsite circuit to the alternate offsite circuit must be OPERABLE for each Class 1E 4.16 kV ESF bus;

f. At least two DGs must be OPERABLE to Unit 2;

g. HPCI and RCIC Systems must be OPERABLE;

h. For each RHR loop, either the SDC mode must be OPERABLE or the LPCI alternate SDC mode must be available; and

i. Additional systems and components specified in Appendix A of the plant online configuration risk management program will be maintained available and no discretionary maintenance or testing will be scheduled on these systems or components (Ref. 15).

The requirement to establish and maintain features (i.e., systems, subsystems, and components) OPERABLE as a defense-in-depth control may be performed as an administrative check, by examining logs or other information, to determine if the required features are out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the required features.

There are no specific risk management controls to be maintained for DG 1A during the extended Completion Time period. The following risk management control must be established for DG 1C and maintained during the extended Completion Time period:

No discretionary maintenance or testing, including fire protection surveillances, will be scheduled on any equipment in the cable spreading room during the extended completion time and access will be limited to fire watches, on-shift operations personnel; and security personnel for the purposes of required area surveillance and inspection; The 7 day Completion Time of Required Action C.4.2.1 corresponds to the time required by Required Action C.4.1 to restore the required Unit 1 DG to OPERABLE status with no additional restrictions or controls. If after the 7 day Completion Time, it is discovered that these controls are not met, a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months from discovery of the required controls not met is allowed to reestablish the defense-in-depth and risk management controls. The Completion Time is intended to allow the operator time to evaluate and re-establish any discovered control not met. This Completion Time also allows for an exception to the normal "time zero" for beginning the Completion Time "clock." Following the initial 7 days to establish the required controls, discovering one or more of the required controls not met results in starting the Completion Time for Required Action C.4.2.1. Twenty-four hours from the discovery of the required control(s) not met is acceptable because it minimizes risk while allowing time for re-establishing the control(s) before subjecting the unit to transients associated with shutdown while a DG is inoperable.

Required Action C.4.2.2 requires the swing DG to be inhibited from automatically aligning (on a LOCA or LOSP signal) to the other unit. This ensures two OPERABLE DGs are dedicated to each unit during a LOCA or LOSP event when a required Unit 1 DG is inoperable. The 7 day Completion Time of Required Action C.4.2.2 corresponds to the time required by Required Action C.4.1 to restore a required Unit 1 DG to OPERABLE status with no additional restrictions or controls.

Once Required Actions C.4.2.1 and C.4.2.2 are performed, the DG must be restored to OPERABLE status within 19 days. The extended Completion Time of Required Action C.4.2.3 represents a balance between the risk associated with continued plant operation with less than the required system or component redundancy and the risk associated with initiating a plant transient while transitioning the unit based on the loss of redundancy. With defense-in-depth and risk management controls established, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The extended Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA or an LSOP occurring during this period.

The Completion Time of Required Action C.4.2.3 is based on a defense-in-depth philosophy and risk informed using the plant PRA. The risk impact of the extended Completion Time has been evaluated pursuant to the risk assessment and management provisions of the Maintenance Rule, 10 CFR 50.65 (a)(4), and the associated implementation guidance, Regulatory Guide 1.160. Regulatory Guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01. This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the DG inoperable for an extended period of time. These considerations may result in additional risk

management and other compensatory actions being required during the extended period that the DG is inoperable.

$&6RXUFHV2SHUDWLQJ

%

%$6(6 FRQWLQXHG

5()(5(1&(6 &)5$SSHQGL[$*'&

)6$56HFWLRQVDQG

5HJXODWRU\*XLGH0DUFK

)6$56HFWLRQ

)6$5&KDSWHU

5HJXODWRU\*XLGH'HFHPEHU

*HQHULF/HWWHU

&)5$SSHQGL[$*'&

5HJXODWRU\*XLGH$XJXVW

5HJXODWRU\*XLGH2FWREHU

,(((6WDQGDUG

15&1R)LQDO3ROLF\6WDWHPHQWRQ7HFKQLFDO

6SHFLILFDWLRQ,PSURYHPHQWV-XO\

1('&$5HYLVLRQ7HFKQLFDO-XVWLILFDWLRQWR6XSSRUW

5LVN,QIRUPHG0RGLILFDWLRQWR6HOHFWHG5HTXLUHG(QG6WDWHV

IRU%:53ODQWV'HFHPEHU

15. SNC Procedure NMP-GM-031, "On-line Risk Management Program," Appendix A, Version 8.0.

+$7&+81,7 % 5(9,6,21

Attachment 4 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG (50 total pages including cover page) to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG RISK EVALUATION Purpose The purpose of this report is to document the technical adequacy of the Hatch Nuclear Plant (HNP) Units 1 and 2 Probabilistic Risk Assessment (PRA) models and the acceptability of the analyses performed to support the implementation of the one-time extension of the technical specification completion time to restore the standby emergency diesel generators (DGs) to operable status from 14 days to 19 days. The one-time extension will apply to the Unit 1 DGs (i.e., DGs 1A and 1B) and the swing DG (i.e., DG 1B) during their upcoming overhaul maintenance outages.

Regulatory Guidance NRC Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Section 6.3 (Ref. 1), contains a list of topics to be addressed in the documentation submitted to support a risk-informed change to the licensing basis. NRC RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Section 4 (Ref. 2) contains a similar list of topics. This report is structured to address each topic in roughly the same order as they are listed in these guides.

This report supports the conclusion that the proposed one-time technical specification change is consistent with the key principles of risk-informed regulation. The following topics listed in Section 6.3 of RG 1.174 are addressed in this report:

Key assumptions in the PRA that impact the application (e.g., voluntary licensee actions),

elements of the monitoring program, and commitments made to support the application. As defined in the ASME/ANS PRA standard endorsed in NRC RG 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, (Ref.3) an assumption is labeled key when it may influence (i.e.,

have the potential to change) the decision being made.

Structures systems and components (SSCs) for which requirements should be increased.

Information to be provided as part of the plants licensing basis (e.g., FSAR, technical specifications, licensing conditions).

Whether provisions of Appendix B to 10 CFR Part 50 apply to the PRA.

The following information shows that the engineering analyses conducted to justify the proposed licensing basis change are appropriate to the nature and scope of the change:

A description of the risk assessment methods used.

Documentation showing that the base PRA is acceptable.

A description of the licensees process for ensuring PRA acceptability and a discussion of why the PRA is acceptable to support the current application.

A4-1 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG

The key modeling assumptions necessary to support the analysis or that affect the application. An assumption is considered key when it may influence (i.e., have the potential to change) the decision being made.

Information related to consideration of uncertainty in the analyses used to support the application.

The event trees and fault trees that require modification to support analyses of the proposed change with a description of their modification.

A list of operator actions modeled in the PRA that affect the application and their error probabilities.

A summary of the results of the risk assessment include the following:

The effects of the proposed change on the more significant sequences (e.g., sequences that contribute more than 5 percent to the risk) to show that the change does not create risk outliers and does not exacerbate existing risk outliers.

An assessment of the change to CDF and LERF, including a description of the significant contributors to the change.

Information related to the assessment of the full-scope base CDF and full-scope base LERF.

Results of sensitivity analyses showing that the conclusions as to the impact of the proposed change on plant risk do not vary significantly under a different set of plausible assumptions; and

Information related to issues identified in Section C.2.6 of NRC RG 1.174 (Ref. 1) if the risk metrics approach the acceptance guidelines.

PRA Scope, Applicability and Acceptability PRA Scope HNP has peer reviewed PRA models for Internal Events, Internal Flooding, Internal Fires, and Seismic events evaluating both core damage frequency (CDF) and larger early release frequency (LERF). An external event screening evaluation has eliminated all other hazard groups. The HNP PRA has a qualitative defense-in-depth model for use during off-line modes.

A full Level 2 analysis has been performed, a subset of which is the source of the LERF modeling.

PRA Applicability Section 3.2 of NRC RG 1.200 (Ref. 3) requires identification of the pieces of the PRA model for each hazard group that are needed to support the application. Because this evaluation impacts the safety-related electrical distribution system which supports most modeled functions, all the model pieces and hazards are relevant.

A4-2 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG PRA Acceptability HNP has peer reviewed the at-power base PRA models for internal events, internal flooding, internal fires and seismic events that represent the as-built, as-operated plant. A formal process for evaluating other external events hazards using current methodology has been performed and no other PRA hazard models are required. The HNP PRA maintenance and update processes and technical capability evaluations described herein provide a robust basis for concluding that the PRA models are suitable for use in risk-informed licensing applications.

The HNP hazard Models of Record (MORs) are currently Revision 8. These models incorporated changes identified during the recent transition to 10 CFR 50.48(c), National Fire Protection Association Standard NFPA 805 and to 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors. The changes were evaluated as updates and involved no new methods. During this process, all model revisions were synchronized at Rev 8. A summary of the revisions after peer review and facts and observations (F&O) closure is presented below:

Model Peer Review F&O Closure Revisions After F&O Closure Internal Events Rev 4 Rev 6 Rev 7 (not used), Rev 8 Internal Flooding Rev 4 Rev 6 Rev 8 Internal Fires Rev 1 Rev 1 Rev 7 (NFPA 805), Rev 8 Seismic Rev 1 Rev 3 Rev 8 In the safety evaluation for both license amendments related to NFPA-805 and 10 CFR 50.69 transition, the NRC concluded that the HNP PRA model is adequate to support calculations for related risk-informed changes (NRC Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML20066F592 and ML20077J704).

The HNP hazard models reflect the as-built, as-operated plant. The Revision 8 models include recent plant modifications such as the installation of a third startup transformer and re-structuring of the cable bus feeds to the 4.16 kV switchgear to address degraded grid concerns.

These modifications were completed during the February 2109 (Unit 2) and 2020 (Unit 1) refueling outages. The individual hazard and total CDF and LERF for both Units 1 and 2 are shown in Tables 4-1 and 4-2 herein. The internal flooding, internal fire and seismic results were obtained by quantifying the hazards using the single top fault trees created by the FRANX files specific to each hazard. The total plant risk for each unit is below the 1E-04 CDF and 1E-05 LERF thresholds specified in RG 1.174.

Table 4-1, Unit 1 base MOR CDF LERF HAZARD (/YR) (/YR)

IE (I) 6.59E-06 4.05E-07 FIRE (F) 6.38E-05 4.20E-06 FLOOD (L) 3.53E-07 8.84E-09 SEISMIC (S) 9.53E-07 2.70E-07 Total 7.17E-05 4.88E-06 A4-3 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4-2, Unit 2 base MOR CDF LERF HAZARD (/YR) (/YR)

IE (I) 7.33E-06 3.67E-07 FIRE (F) 5.29E-05 3.60E-06 FLOOD (L) 2.95E-07 6.75E-09 SEISMIC (S) 8.75E-07 2.80E-07 Total 6.14E-05 4.25E-06 Internal Events and Internal Flooding PRA Model Peer Review and F&O Closure A peer review was conducted and compared draft Revision 4 of the HNP PRA against the criteria of RG 1.200 (Ref. 3), ASME/ANS PRA Standard Ra-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications (Ref. 4), and Nuclear Energy Institute (NEI) 05-04, Process for Performing Internal Events PRA Peer Reviews Using the ASME/ANS PRA Standard (Ref.5). The peer review included all elements of the internal events/internal flooding model and was completed in November 2009.

The peer review F&Os were addressed and incorporated into the final Revision 4 PRA model. In July 2017, all but two findings (associated with internal flooding) were closed by a focused peer review using Appendix X of NEI 05-04/07-12/12-06, Closeout of F&Os (Ref. 6). The internal flooding model was subsequently separated from the internal events model and significantly revised. An additional focused scope peer review was conducted using the guidance of NEI 05-04/07-12/12-06 (Ref. 6) and the two open findings from the original peer review were closed.

Internal Fire PRA Model Peer Review and F&O Closure.

A peer review was conducted and compared draft Revision 1 of the HNP fire PRA against the criteria of RG 1.200 (Ref. 3), ASME/ANS PRA Standard Ra-Sa-2009 (Ref. 4), and NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines (Ref.7). The peer review included all elements of the internal fire flooding model and was completed in June 2016.

The fire PRA peer review F&Os were addressed and incorporated into the final Revision 1 Unit 1 and Unit 2 fire PRA models. An F&O closure independent assessment was performed per Appendix X of NEI 05-04/07-12/12-06 (Ref. 6) in October 2017. All findings were closed per this review.

Seismic PRA Model Peer Review and F&O Closure.

A peer review was conducted and compared Revision 1 of the HNP seismic PRA against the criteria of RG 1.200 (Ref. 3), ASME/ANS PRA Standard Ra-Sa-2009 (Ref. 4), and NEI 12-13, A4-4 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG External Hazards PRA Peer Review Process Guidelines, (Ref. 8). The peer review included all elements of the seismic PRA model and was completed in September 2016.

The seismic PRA peer review F&Os were addressed and incorporated into the Revision 3 Seismic PRA model. In July 2017, the F&Os were closed by a peer review using Appendix X of NEI 05-04/07-12/12-06 (Ref. 6) . Two of the finding resolutions were considered a model upgrade and a subsequent focused peer review was performed on those elements affected with no additional findings issued.

Other External Event Considerations HNP performed external events screening per ASME/ANS PRA Standard Ra-Sa-2009, Section 6 (Ref. 4) and all external events hazards other than seismic screened out.

PRA Level of Detail and Plant Representation The HNP models contain adequate detailed modeling for this application and are kept up to date with the as-built as-operated plant as described herein.

Level of Detail in the HNP Models The quantification methodology employed required development of integrated plant models, separate for each unit, in which the accident sequence logic, top logic, front-line system logic, and the support system logic fault trees are integrated into a single master fault tree model.

Potential initiating events are first identified. For the HNP PRA, initiators are those events which lead to a reactor trip at-power. Internal events are those initiators which originate within the plant systems (e.g., loss of feedwater). Following the identification of potential initiators, success criteria are developed. Success criteria refer to those key safety functions which must be accomplished to prevent core damage following a given initiator. Sequence specific thermal-hydraulic analyses and formal engineering calculations were used as the basis for the success criteria.

Once the success criteria are developed, they are transformed into a logical accident sequence progression using an event tree. Event trees identify which front-line systems must be successful during the accident progression for each of the key safety functions. Each branch in an event tree represents the success or failure of the safety functions defined with respect to systems. A downward branch typically represents failure of the system while an upward branch represents success. Thus, following the event tree along the branches is the accident sequence progression.

Functional fault tree models are developed to represent the failure of an event tree branch.

Although the event trees only identify front-line functions (Pressure Relief, High Pressure Injection, Depress, Low Pressure Injection, Long Term Heat Removal, etc.), necessary support system fault trees are also developed. The data necessary to support the fault tree model solution is provided by the data analysis process. Although there are relatively few front-line systems directly called by the event trees; the associated fault tree models may be quite large.

The system fault tree models have "transfers" to supporting systems as necessary (e.g., the residual heat removal (RHR) system model identifies certain transfers into the electric power model for various pumps and valves and the RHR pumps support both low pressure injection A4-5 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG and heat removal). The integrated plant model is generated by combining all system fault tree models into a single file. The sequences are translated into fault trees by a series of AND gates representing the success and failure portions of the event sequences which is organized according to the accident sequences defined in the event trees and links the front-line and support system fault trees. Flags are inserted into these gates to easily allow identification of which sequence is represented by individual cutset or group of cutsets.

All support systems are modeled down to the component level, generally following the definitions of component boundaries used in NUREG/CR-6850, to more easily allow use of industry component reliability data. There are a few specific exceptions to this guidance, one example is that the DG output breakers and diesel start logic are modeled separately instead of being included in the DG component events. Individual control inputs associated with pumps and valves are not modeled and failures of those components are evaluated by failing the parent component. The loss of coolant accident (LOCA) and loss of offsite power (LOOP) logic associated with each essential 4.16 kV switchgear is modeled in detail because that logic inputs to many supported components.

Failure to operate events and spurious operation events are used for individual components.

Failure distributions are assigned, and type coding is used to allow for the state of knowledge correlation (SOKC) during uncertainty analysis. Maintenance events are assigned to the major components in flow paths such as pumps, fans, switchgear, motor control centers, etc. Common cause groupings are developed as appropriate and are also assigned distributions and constructed from type codes so SOKC can be included in uncertainty analysis. Human failure events (HFEs) are added to model performance of manual actions if automatic logic fails, or where a system function is not automatically initiated (such as torus cooling mode of the RHR system). Equipment recovery is not generally credited. Dependency analyses were performed for HFE combinations and both the individual and dependent actions assigned failure distributions. All events are based, where possible, on industry data updated with plant specific data.

Implementation of the diverse and flexible mitigation capability (FLEX) initiative at HNP included permanent changes to the plant and provisions for connecting portable equipment to plant systems. The permanently installed components included new AC distribution panels supplied from the station batteries thru inverters, and the addition of accumulators and additional pneumatic supplies to the containment venting and pneumatic systems. As changes to the plant, using components like existing components, and added as safety-related components with appropriate surveillance and maintenance controls, the permanently installed components and associated operator actions have been incorporated into the base hazard models. Use of FLEX portable equipment is credited in a limited way in the Seismic PRA model only. Given the uncertainty associated with FLEX equipment reliability and operator actions, the seismic base model calculations include appropriate sensitivity analyses for the use of portable equipment.

PRA Maintenance and Update Process Southern Nuclear Company (SNC) Risk Informed Engineering (RIE) developed a comprehensive PRA model and application process in response to internal and external assessments and issuance of industry configuration management guidance documents. This process ensures that the applicable PRA models remain an accurate reflection of the as-built and as-operated units. This process delineates the responsibilities and guidelines for updating A4-6 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG the PRA models at the operating SNC nuclear generation sites. It defines the process for implementing PRA model updates, for tracking issues identified as potentially affecting the PRA models (e.g., due to hardware or process changes in the plant, errors or limitations identified in the model, industry operational experience), and for controlling the model and associated computer files. Components of this process include:

Design change impact reviews are performed by RIE prior to implementation.

Procedures that can affect PRA modeling or assumptions are reviewed by RIE prior to issue.

Licensing document changes are reviewed by RIE prior to issue.

RIE personnel participate in the Maintenance Rule expert panel and surveillance frequency control program independent decision-making panel.

SNC risk management procedures require that potential impacts to the PRA models be identified and entered into the PRA Model Change log. The entry in the change log requires an evaluation of the impact of the individual change, as well as an evaluation of the cumulative impact for unincorporated changes. This results in a continuous change tracking process so that the difference between the models and the plant can be quickly determined and evaluated.

In addition to these activities, SNC risk management procedures provide the guidance for PRA documentation quality and maintenance activities. This guidance includes:

Documentation of the PRA model, PRA products, and bases documents.

Requirements for the use of qualified, experienced personnel to perform PRA activities.

Requirements for strict oversight and reviews of vendor provided PRA products.

Requirement to evaluate model changes against the ASME standard definitions of Upgrade and Model Maintenance. Requirement to conduct focused peer review for any changes classified as an Upgrade.

The approach for controlling electronic storage of Risk Management (RM) products including PRA update information, PRA models, and PRA applications.

Guidance for use of quantitative and qualitative risk models in support of the On-Line Work Control Process Program for risk evaluations for maintenance tasks (corrective maintenance, preventive maintenance, minor maintenance, surveillance tests and modifications) on systems, structures, and components (SSCs) within the scope of the Maintenance Rule (10 CFR 50.65 (a)(4)).

In accordance with this guidance, regularly scheduled PRA model updates nominally occur on an approximate two refueling outage cycle; however, longer intervals may be justified if it can be shown that the PRA continues to adequately represent the as-built, as-operated plant.

Provisions exist for the creation of Application Specific models or unscheduled full model of record updates if required.

A4-7 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG PRA Changes to Assess the Risk Impact Review of Unincorporated Plant Changes The PRA model change log database was reviewed to evaluate if any open items could impact use of the base MOR for evaluating the risk impact of emergency DGs (EDGs) out of service.

This review concentrated on items related to modeling or plant changes to the EDGs, safety-related switchgear, LOOP logic, DC systems, RHR and high-pressure injection systems.

Several open items were identified that were directly related to these and an application specific model was developed to incorporate these items.

One change that could potentially impact the evaluation involved the plant design change completed in March 2020 as part of the degraded grid project. The design change modified the degraded voltage relaying for the safety-related 4.16 kV switchgear from a 2-of-2 arrangement to a 2-of-3 arrangement. Since the existing model configuration has a higher risk of failure (i.e., failure of one relay fails the function instead of failure of two relays) and is thus more conservative, the modified degraded voltage relay configuration was not incorporated into this evaluation.

Review of External Events Screening NRC RG 1.200, Section 1.2.5 (Ref. 3), recognizes that hazards with low contributions to risk may be screened out of the detailed PRA modeling. SNC utilizes a systematic, site-specific screening process for HNP. To support the one-time extension of the DG allowable out-of-service time, the criteria and basis for each screened hazard were reviewed. This review focused on determining if the screening was potentially impacted by changing the assumed availability of a DG. Only the high winds and external flooding hazard screenings were determined to warrant further review.

The High Winds screening is based on compliance with the design basis and the low contribution to CDF. Compliance with the design basis of the plant is required so that mitigating systems for a high wind initiating event are not rendered non-functional by wind-driven objects (e.g. adequate physical protection from tornado missiles). This was demonstrated by a comprehensive walkdown and is documented in the HNP Tornado Missile Project (TMP)

Summary Report. Although some non-compliant items were discovered during those walkdowns, the conditions were documented and corrected using the plant design change process. The CDF contribution from the hazard was used as an additional screening criterion although ASME/ANS PRA standard Section 6 allows screening of the hazard based only on compliance with the design basis. Per NUREG/CR-7005, extreme winds at the HNP site from thunderstorms and hurricanes are bounded by the design basis tornado winds. The site-specific tornado frequency calculated in accordance with NUREG/CR-4461, Rev 2, was used along with the loss of offsite power conditional core damage probability (CCDP), assuming a loss of offsite power with no credit for recovery. For the high winds screening, tornado strike frequencies were developed using National Weather Service data from 1950 through 2003. Adjustments were made for the portion of the total swept area of each strength of tornado that would be representative of lower wind speeds. The probability of a F2 or greater Tornado induced LOOP was estimated at 3.4E-6 (strike probability of 2.45E-05 and conditional wind speed exceedance of 0.189) and the CCDP of an LOOP with no offsite power recovery was 1.3E-03, thus the very low CDF provided additional confirmation that the hazard could be screened out.

A4-8 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Since screening was performed, the internal events PRA models have been updated. In the Revision 8 Unit 1 internal events MOR, the CCDP for the LOOP initiating event with all NR-OSP-* offsite power recovery failure events set to TRUE is 7.5E-04. The CCDP for Consequential LOOP events with no credit for offsite power recovery is 8.8E-04. Total CCDP for these is 1.6E-3, a small increase from the 1.3E-03 value used in the screening. For the DG out of service evaluation, the 1A and 1C diesels have the highest change to internal events CDF when out of service, so the 1C diesel was chosen as the most conservative case. With diesel generator 1C out of service, CCDP for %LOOP is 2.7E-03 and for consequential LOOP events is 6.0E-03, for a total of 8.7E-03. This results in a tornado induced LOOP CDF contribution of 3.0E-08, below the 1E-06 criteria in the ASME standard.

To address the uncertainty associated with the larger size of tropical events, the methodology suggested in section 5 of NUREG/CR-4461 was utilized. In table 5.1 of the NUREG, the strike probability for all eastern tornadoes is given as 2.58E-05, with uncertainty bounds of 2.3 to 2.9E-05. The strike probability was increased to the 95% value of 2.9E-05, and the conditional exceedance probability increased to 1.0, for a total tornado probability of 2.9E-05, a factor of 8.5 increase. This results in an annual CDF contribution of 2.5E-07. The resulting ICCDP for 19 days is 1.3E-08, so the added ICCDP does not substantially impact the overall results. This is conservative since it assumes that all events cause a LOOP. As described in the Unit 2 UFSAR Section 8.2.1, the offsite transmission system is designed to minimize the possibility of loss of all offsite sources.

Several of the proposed diesel outages are scheduled during the typical peak of hurricane season. Although the HNP site is well inland, multiple tropical disturbances have been experienced at the site. Thus, the Local Intense Precipitation (LIP) screening was also re-examined. A flooding focused evaluation was developed to assess LIP and combined effects flooding to address FLEX mitigation strategies.

The LIP analysis above utilized a 1-hour/1-square mile Probable Maximum Precipitation (PMP) approach to determine local flood levels across a grid. Some doors were identified where the maximum LIP exterior water surface elevation would be greater than the finished floor elevation for a given duration.

Calculations showed that the water ingress from the LIP event is insufficient to damage key SSCs. The LIP analysis credits only passive mitigation features; thus the screening of the flooding event is not impacted by removing a DG from service.

The combination of robust plant design and low risk associated with high winds, assuming one DG out of service, still results in the high wind hazard being screened out and a detailed analysis is not required. The LIP evaluation does not depend on the DGs and remains screened out.

Application Specific Model Development An Application-Specific Models (ASM) was created to support the license amendment request (LAR) for the DG outage extensions. This ASM removes conservatisms and incorporates enhancements to the model in order to evaluate the risk associated with an DG outage using a more realistic model. An ASM was created for Unit 1 for all hazards, and an ASM was created for Unit 2 for fire and seismic only. This ASM does not supersede the current Revision 8 MOR A4-9 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG however, changes included in this ASM may be candidates for inclusion in a future update to Revision 8 of the MOR. The changes corrected specific portions of the system response fault trees and did not impact the event sequences.

To determine the impact of the modifications made to the PRA model, the ASM was quantified and compared to the PRA MOR for internal events, internal flooding, fire, and seismic. A comparison of the results can be seen below in Table 4-3. Note, the CAFTA, and not ACUBE, values are provided for seismic. The ASM truncation limits are the same as the MOR:

U1 Internal Events: 1.00E-11/yr for CDF and 1.00E-13/yr for LERF U1 Internal Flooding: 1.00E-11/yr for CDF and 1.00E-13/yr for LERF U1 Fire: 1.00E-10/yr for CDF and 1.00E-11/yr for LERF U1 Seismic: 1.00E-10/yr for CDF and 1.00E-11/yr for LERF U2 Seismic: 1.00E-10/yr for CDF and 1.00E-11/yr for LERF The differences in results between the MOR and ASM are consistent with the model changes incorporated into the MOR to create the ASM. In addition, the differences in results between the MOR and ASM are also consistent with the observations from the model and cutset review meetings.

Table 4-3, Summary of ASM Quantification Results MOR ASM Endstate Results Results %Change U1 Internal Events CDF 6.59E-06 5.01E-06 -23.98%

LERF 4.05E-07 3.66E-07 -9.63%

U1 Internal Flooding CDF 3.53E-07 2.38E-07 -32.58%

LERF 8.84E-09 5.95E-09 -32.69%

U1 Fire CDF 6.38E-05 5.89E-05 -7.68%

LERF 4.20E-06 3.64E-06 -13.33%

U1 Seismic CDF 8.94E-07 9.53E-07 6.60%

LERF 2.33E-07 2.47E-07 6.01%

A4-10 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG MOR ASM Endstate Results Results %Change U2 Fire CDF 5.29E-05 5.62E-05 6.24%

LERF 3.60E-06 3.62E-06 0.56%

U2 Seismic CDF 8.25E-07 8.58E-07 4.00%

LERF 2.55E-07 2.60E-07 1.96%

The consideration of parametric uncertainty determined that the parametric uncertainty results on the current MOR show a propagated mean estimate that is slightly greater than the point-estimate based mean. In addition, the propagated mean estimate is based on uncertainty parameter inputs that are largely generic or assumed values, so the propagated mean is not necessarily a better risk estimate. For this ASM, Table 4-5 identifies two (2) new basic event probabilities credited in the ASM. Updating the parametric uncertainty analysis was not in the scope of the risk evaluation for the ASM. However, any potential risk insights from performing a parametric uncertainty analysis are judged not to alter the conclusions of the DG completion time extension risk evaluations that are based on this ASM.

Base Logic Model Changes Several modifications were made to the fault tree of the MOR to create the ASM. The changes are made in the common backbone model (CBM), but most changes only impact the internal events and internal flooding hazards. Changes were not needed to any event sequences, only to lower level support system fault trees.

Model Change 1 The first change is to correct a model error associated with torus cooling, which removed incorrect ATWS sequences and impacted the internal events quantification only. See Figures 4-1 and 4-2.

A4-11 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-1 ORIGINAL LOGIC A4-12 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-2 UPDATED LOGIC Model Change 2 The second set of changes updated the internal events logic for the degraded grid modification similar to the fire logic. This corrects the logic such that it requires a failure of all three station auxiliary transformers (SATs) to lead to a LOOP, as opposed to just two of three. See Figures 4-3 through 4-6.

A4-13 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-3 ORIGINAL LOGIC A4-14 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-4 UPDATED LOGIC A4-15 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-5 ORIGINAL LOGIC A4-16 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-6 UPDATED LOGIC Model Change 3 For the third model change, the logic was changed in the consequential LOOP recovery tree allowing credit for recovery of AC power given a consequential LOOP and a single diesel failure, instead of limiting this credit to only SBO sequences (i.e., failure of all emergency AC power).

See Figures 4-7 and 4-8.

A4-17 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FAILURE OF ALL DIESEL GENERATORS -

LONG-TERM DIESELSD DG A FAILS TO SUPPLY DG C FAILS TO SUPPLY POWER TO 4160-V BUS POWER TO 4160-V BUS E GIVEN LOSS OF BUS G GIVEN LOSS OF BUS POWER POWER DGA-1 DGC-1 DG B FAILS TO SUPPLY POWER TO 4160-V BUS F GIVEN LOSS OF BUS POWER DGB-1 FIGURE 4-7 ORIGINAL LOGIC A4-18 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FAILURE OF ALL DIESEL GENERATORS -

LONG-TERM DIESELSD DG A FAILS TO SUPPLY DG C FAILS TO SUPPLY POWER TO 4160-V BUS POWER TO 4160-V BUS E GIVEN LOSS OF BUS G GIVEN LOSS OF BUS POWER POWER DGA-1 DGC-1 DG B FAILS TO SUPPLY POWER TO 4160-V BUS F GIVEN LOSS OF BUS POWER DGB-1 FIGURE 4-8 UPDATED LOGIC Model Change 4 A logic change was made to add an operator action to manually open RHR Service Water crosstie valves, however the postulated operator action was determined to be infeasible, so the added basic event was set to TRUE and the logic change does not impact the quantification.

Model Change 5 The fifth set of model changes correspond to crediting recovery of diesel failures for internal events. The following changes were made:

See Figures 4-9 and 4-10 for changes to the failure of DG to start sequence. Logic for DG 1A is shown, logic for DGs 1B and 1C changed identically. See Figures 4-11 and 4-12 for the failure of a DG supply breaker to close sequence. Logic for DG 1B is shown, changes to DGs 1A and 1C are similar.

A4-19 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-9 ORIGINAL LOGIC FIGURE 4-10 UPDATED LOGIC A4-20 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG FIGURE 4-11 ORIGINAL LOGIC FIGURE 4-12 UPDATED LOGIC Model Change 6 The sixth set of model changes was completed in order to insert a flag used in the updated recovery rule. Figures 4-13, 4-14 and 4-15 show the changes to the HSA gate and the new gate. Changes to HSB and the new gate are similar.

A4-21 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG RHR SERVICE WATER DIVISION I FAILS HSA FAILURE OF RHRSW MANUAL VALVE F002A HEAT EXCHANGER TRANSFERS CLOSED OUTLET VALVE - F068A HSA_1 HVXC1E11F002A 8 7.47E-05 MANUAL VALVE F309C FAILURE OF REACTOR TRANSFERS CLOSED BUILDING MCC-1C (1R24S011)

HVXC1E11F309C AC-1R24S011 13 7.66E-05 MOV F068A FAILS TO OPEN G-MVXC1E11F003A MVFO1E11F068A RHRSW STRAINER SELECTION DIVISION I G-MVXC1E11F047A HSA-G010 RHRSW PUMP TRAINS A Res tora ti on of Cool ing

& C FAIL to Inta ke Structure HS-G00MEE INTAKESTRUCCOOLING MANUAL VALVE F014A MSOs THAT IMPACT TRANSFERS CLOSED RHR SW LOOP A (FIRE)

HVXC1E11F014A MSO-RHRSW-A 8 7.47E-05 HEAT EXCHANGER B001A RUPTURES/PLUGS HXPL1E11B001A 8 1.25E-05 FIGURE 4-13 ORIGINAL LOGIC A4-22 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG RHR SERVICE WATER DIVISION I FAILS HSA FAILURE OF RHRSW MANUAL VALVE F002A HEAT EXCHANGER TRANSFERS CLOSED OUTLET VALVE - F068A HSA_1 HVXC1E11F002A 8 7.47E-05 MANUAL VALVE F309C MOV F068A FAILS TO TRANSFERS CLOSED OPEN HVXC1E11F309C MVFO1E11F068A 13 7.66E-05 RHRSW STRAINER SELECTION DIVISION I G-MVXC1E11F003A HSA-G010 Res tora ti on of Cool i ng to Inta ke Structure G-MVXC1E11F047A INTAKESTRUCCOOLING RHRSW PUMP TRAINS A MSOs THAT IMPACT

& C FAIL RHR SW LOOP A (FIRE)

HS-G00MEE MSO-RHRSW-A MANUAL VALVE F014A LONG TERM AC POWER TRANSFERS CLOSED HVXC1E11F014A AC-1R24S011-LT 8 7.47E-05 HEAT EXCHANGER B001A RUPTURES/PLUGS HXPL1E11B001A 8 1.25E-05 FIGURE 4-14 UPDATED LOGIC A4-23 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG LONG TERM AC POWER AC-1R24S011-LT FAILURE OF REACTOR POTENTIAL OSP BUILDING MCC-1C RECOVERY (1R24S011)

AC-1R24S011 SEQ_OSPREC 2 1.00E+00 FIGURE 4-15 NEW LOGIC Table 4-4 Gates Added or Modified for the ASM Unit Description MOR ASM Type Type 1 FAILURE OF ALL DIESEL GENERATORS - AND OR(1)

LONG-TERM 1 DG1A FAILS TO START AND FAILURE IS NOT EQU AND RECOVERED 1 DG1B FAILS TO START AND FAILURE IS NOT EQU AND RECOVERED 1 DG1C FAILS TO START AND FAILURE IS EQU AND NOT RECOVERED 1 DG1B SUPPLY BREAKER FAILS TO CLOSE EQU AND AND IS NOT RECOVERED 1 DG1A SUPPLY BREAKER FAILS TO CLOSE EQU AND AND IS NOT RECOVERED 1 LONG TERM AC POWER N/A AND 1 LONG TERM AC POWER N/A AND Note 1: Gate changed to OR gate in recovery fault tree only.

A4-24 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4-5, Basic Events Added or Modified for the ASM Unit Description MOR Probability ASM Probability 1 OPERATOR ACTION TO SECURE A DIESEL N/A 5.00E-02(2)

ON LOSS OF PSW, MANUALLY CLOSE THE PSW ISOLATION VALVES, RESTART THE DIESEL.

1 POTENTIAL OSP RECOVERY CUTSET FLAG N/A 1.00E+00 1 NON-RECOVERY OF AC POWER AT 10 N/A 5.23E-01(2)

HOURS GIVEN NO RECOVERY AT 5 HOURS 1 FAILURE TO RECOVER A DG START 1.00E+00 4.00E-01(1)

FAILURE OR A DG OUTPUT BREAKER FAILURE Note 1: The calculated value of 4.10E-01 is more appropriate for this basic event; however, the ASM uses a value of 4.00E-01, and this has negligible impact (<1%) on individual quantification case results and no impact on the overall conclusions of the analysis as the change in probability is small.

Note 2: Added in the recovery rules only, not to the fault tree logic.

Internal Events and Internal Flooding Recovery Rule Changes During cutset reviews of the internal events DG out of service (OOS) model case results (July 2020), offsite power recovery conservatisms and invalid cutsets were identified. These issues were corrected through the addition of the updated recovery rule flag added into the logic and into additional recovery rules. This flag was added to indicate that decay heat removal is failed due to loss of power and that there is no credit for offsite power recovery. Two sequences that were top contributors to the risk increase in the Draft DG OOS quantification case results were LOSP-2 and LOSP-5, which assume successful recovery of offsite power for the reactor core isolation cooling (RCIC) system 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months success; however, some failures were propagating through these sequences as offsite power recovery was not credited on the failure branch of the sequence for decay heat removal. These cutsets are invalid as long as there are no hardware failures of the power supply logic for RCIC (i.e., a hardware failure of a 600V bus),

and the invalid cutsets have been removed using the recovery commands below. An additional rule was added to the command line in order to prevent incorrectly applying the recovery to scenarios with a hardware failure; this conservatively only applies the recovery to cutsets with an operator action failure of the power supply and not a hardware failure. Note, that this is slightly conservative as the recovery rules could be applied to cutsets with certain hardware failures that would not prevent power to RCIC given offsite power recovery.

Additionally, recovery of offsite power is treated conservatively in the Unit 1 MOR. The Unit 1 MOR assumes containment failure when the suppression pool water temperature exceeds 260°F, which can occur at approximately five hours based on HNP plant-specific thermal-hydraulic calculations; however, this containment failure criteria should only have been used as a failure criterion for Anticipated Transient without Scram (ATWS) scenarios. For non-ATWS scenarios, a much higher criterion should be used (e.g., ultimate primary containment failure pressure of ~98 psig as documented in the HNP Level 2 PRA calculation. For loss of decay A4-25 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG heat removal scenarios in the ASM, offsite power recovery is based on the time to reach the Primary Containment Vent Pressure (i.e., 54 psig for Unit 1 and 56 psig for Unit 2), where successful Containment Venting will result in loss of NPSH for low pressure ECCS pumps taking suction from the suppression pool. At least ten hours is available to credit offsite power recovery prior to the time to reach the Primary Containment Vent pressure. Therefore, for long-term loss of decay heat sequences with successful low pressure, the ten hour offsite power recovery failure probability is applied in the ASM. This change was made by adding the additional recovery rules, which append a new event, NR-OSP-5to10HR, to any cutsets propagating through the applicable long-term loss of decay heat removal sequences and with a five hour offsite power recovery event. The failure probability of the five hour failure to recover event is 1.97E-01 and the probability of the ten hour failure to recover event is 1.03E-01; thus, a factor of 5.23E-01 (i.e., 1.01E-01/1.97E-01) is applied to every cutset that satisfies the criteria described herein.

These additional recovery rules are contained in the new recovery rule file and only pertain to Unit 1. The internal events and internal flooding CDF cutsets are post-processed with this recovery rule (i.e., the rules are applied manually to the cutsets after the cutsets have been produced by the quantification engine; the rules are not applied or called by the master recovery rule file).

Fire Model Logic Changes An incorrect cable to function state mapping in the fire FRANX database was leading to artificially high risk results in the DG outage cases. This mapping was removed from the Unit 1 FRANX databases prior to creating the ASM one top model; and thus, this failure is not included in the ASM. The correct mapping of this cable was verified to be in the FRANX file.

An unlocated conduit in fire compartment 0024A (Cable Spreading Room) was also leading to high risk results in the DG outage cases due to a cable whose failure was modeled as causing a spurious opening of breaker 1R22S007/CB10. Since the cable was in an unlocated raceway, it was conservatively being failed by all fire scenarios in the room. The conduit was determined to run across the ceiling of this fire compartment, which is outside of the zone of influence (ZOI) of the transient fire scenarios. This determination was made by identifying the end points of the conduit and associated cables, then identifying the length of the conduit, which is 30 feet long.

Based on the distance between the panels, the conduit must run in approximately a straight line between the panels. This configuration is not susceptible to the aforementioned damage. Thus, this target was removed from all transient fires in 0024A for Unit 1, which are scenarios beginning with %HF_0024A_TS*, in FRANX prior to creating the ASM one top model.

During cutset reviews, it was determined that some offsite power recoveries were getting incorrectly applied to some fire cutsets, since the fire PRA calculations state that there is no credit offsite power recovery. Offsite power recovery basic events (NR-OSP* events) that were not already being failed for all fire scenarios were identified This enhancement was implemented by adding the events to the UNL fire zone in the FRANX databases which fails them for all fire scenarios for both Units 1 and 2.. This is the same methodology used for the NR-OSP* events already excluded and the one documented in the Fire PRA plant response model calculation.

After the above changes were made, FRANX was utilitzed to create a stand-alone CDF/LERF fault tree for quantification.

A4-26 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Fire Recovery Rule and HRA Changes Conservative cutsets were identified during review of the initial fire DG OOS model case results.

Fire scenarios in fire compartment 1101J were failing the automatic closure of plant service water (PSW) system isolation valves, leading to a flow diversion of the PSW and then resulting in an assumed failure of the associated DG due to insufficient cooling. A human failure event (HFE) already existed in the seismic PRA for tripping the affected DG within 20 minutes given failure of DG cooling. In the seismic PRA, a dominant failure mode of DG cooling is due to relay chatter which causes complete failure of the PSW pumps. The HFE also includes the potential to fail to restart the DG once DG cooling is re-established. Using the seismic HFE as a template, a similar HFE was modified for fire events in fire compartment 1101J. This fire HFE includes tripping the DG within 15 minutes, locally closing one of the two valves to stop the flow diversion, and then re-establishing DG cooling from PSW (the last two actions have a time window of approximately five hours). Note that for the seismic HFE, 20 minutes is used for the first action. This is because the PSW pumps trip and are not a load on the EDG, thus reducing the heat up rate of the EDG. For the fire HFE, the PSW pumps have not tripped and therefore remain a load to the EDG, resulting in less time before the DG overheats. Conservatively, 15 minutes is assumed; however, the DG may run for a few minutes more after its qualification temperature is reached. Using the 15minute value, a total human error probability (HEP) of 5.18E-02 was calculated for these actions. However, because it is judged that the DG may survive for some minutes beyond 15 (perhaps up to 20), the HEP used in the quantification of the cutsets is reduced to 5.0E-02. The difference in HEPs does not substantially impact the overall results and insights.

The HFE, OPHE-REC-PSW-F, is applied to a cutset if the cutset pertains to a fire in 1101J, propagates through sequences SBO-5 or SBO-28, does not already contain a separate operator action (thus, no dependency analysis is needed), and does not contain a random failure of the PSW pump to start (note, the HFE would also not be applied to cutsets with other random failures of the PSW system, but only the random failure of the PSW pump was showing up in the SBO-5 and SBO-28 sequences).

Seismic Quantification Change Due to computation limitations and the computational time required to quantify hazard intervals

%G12, %G13, and %G14, the Unit 1 and Unit 2 fault trees were modified so that these hazard bins are modeled to lead directly to CDF and LERF (i.e., CCDP and CLERP equal to 1.0). This treatment is conservative; however, these hazard bins have high CCDPs and CLERPs, and are not top contributors to the seismic results in the MORs, so this change has only a small impact on the results.

Methods to optimize the seismic PRA quantification support that use of the Factored Minimum Cut Upper Bound (FMCUB) approach provides a slightly higher calculated CDF and LERF compared to use of the EPRI ACUBE software. However, the difference is identified to be small and does not adversely impact the DG CT risk-informed application.

DG Cases and Quantification Setup To ensure that the full impact of the out of service diesel was captured properly, all basic events associated with each diesel were set to 1.0 in each case. This allows the failed events to appear A4-27 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG in cutsets for inspection during the model quality and results reviews and for use in recovery rules. This does result in a small number of non-minimal cutsets, however the impact is minimal and does not impact the conclusions. Settings lock the swing DG 1B alignment to Unit 1 during the applicable DG outage for Internal Events, Internal Flooding, Fire hazards, and seismic hazards.

The alignment of the RPS bus alternate supply to a source supplied by the 1A DG was modeled per existing restrictions associated with the DG 1C 14 day completion time.

The ASM model used is an average-risk model, with selected components addressed by existing procedural limitations that prohibit scheduled maintenance during extended diesel outages evaluated by setting the associated maintenance event to FALSE. This allows some flexibility for plant staff and is more specific and verifiable than prohibiting all maintenance.

Table 4-6, Maintenance Events Prohibited by Procedure Configuration Risk Management Procedural Restrictions for No Maintenance HPCI RCIC Division 1 of RHRSW RHRSW pumps A and C and their associated breakers Division 2 of RHRSW RHRSW pumps B and D and their associated breakers Division 1 of LPCI and Shutdown Cooling RHR pumps A and C Division 2 of LPCI and Shutdown Cooling RHR pumps B and D Division 1 or division 2 of Suppression Pool Cooling.

PSW pumps A, B, C, and D and their associated breakers.

MCC 1R24S026 to DG 1B support systems Core Spray pumps A and B and their associated breakers Diesel batteries and the associated components which are necessary for the batteries to perform their function.

Station Service batteries and the associated components which are necessary for the batteries to perform their function RBCCW Pumps A, B and C and the associated breakers The CD transformer used to bring alternate power to either 600VAC C or 600VAC D Startup Transformers C, D and E RPS MG Sets A and B Main Control Room A/C systems A, B and C and associated motor control centers Closed Cooling Water pumps A and B for the Station Service Air Compressors LPCI loop A and B injection path components; MCR A/C Exhaust fans A and B and associated breakers CRD Pump A and B and associated breakers.

A4-28 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG In addition, maintenance on the other diesels and several motor control centers was also set to FALSE in the evaluated cases based on the controls in the protected equipment procedure NMP-OS-010.

Table 4-7, Protected Components Component in Components in Protected Equipment Maintenance Procedure or would result in Technical Specification Loss of Safety Function.

DG 1A DG 1B, DG 1C, DG 2A, DG 2C, DIV 2 REACTOR BUILDING MCC, DIV 2 LPCI MCC DG 1B DG 1A, DG 1C, DG 2A, DG 2C DG 1C DG 1A, DG 1B, DG 2A, DG 2C, DIV 1 REACTOR BUILDING MCC, DIV 1 LPCI MCC The EDGs are in a common cause group of five diesels. With 4 different failure modes, this results in 120 DG common cause failure (CCF) events. These were not modified for this analysis. This is slightly conservative, as the CCF event representing all five site EDGs and any CCF events pertaining to the OOS DG should be set to FALSE, and all other DG CCFs would be adjusted to consider four EDGs instead of five. This would reduce the number of CCFs from 120 to 60 with a corresponding reduction in the evaluation cases. Modifying the CCF events would have minimal impact on the results and no impact on the conclusions of this analysis.

The maintenance event probabilities for the diesels were not adjusted in the base model case since the evolution is a one-time evolution and the maintenance events are an average of out of service time over several operating cycles. This is conservative because the events are either set to 1.0 or False in the evaluation cases, so increasing the values in the base models would increase the base risk and not impact the case risk, decreasing the calculated delta risk.

Tier 1 - DG Risk Evaluation Results and Insights As defined in NRC RG 1.177 (Ref. 2), Tier 1 is the evaluation of the impact on plant risk of the proposed TS change as expressed by the risk metrics discussed below. The following sections present the results of those quantitative risk analyses. Note, some hazards for certain cases show a zero ICCDP and/or ICLERP. For these cases, the risk increases due to the DG outage was minimized or even outweighed by the risk decrease due to the maintenance restrictions on other equipment and/or the DG 1B alignment per the DG OOS procedures. Additionally, the seismic PRA results were not post processed with ACUBE, which is consistent with the ASM.

The differences in results between the ASM and DG CT cases are consistent with the changes (e.g., flag file changes) incorporated into the individual DG 1A, 1B, and 1C cases. The difference in results between the ASM and DG CT cases are also consistent with the observations from the model and cutset review meetings.

The risk metrics of interest for one-time changes to Technical Specifications are the incremental conditional core damage probability (ICCDP) and the incremental conditional large early release probability (ICLERP). For Unit 1, the ASM was be used for all hazards, and for Unit 2 an ASM A4-29 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG was used for fire and seismic events only with internal events and internal flooding using the Unit 2 MOR. Calculational approaches for each metric are listed below.

ICCDP, Incremental Conditional Core Damage Probability

ICCDP = (CDFINST - CDFBASE)

TINST

CDFBASE = Baseline annual average CDF with average unavailability of EDGs consistent with the current 14 day CT.

CDFINST = CDF evaluated from the PRA model with an DG OOS and maintenance restrictions and system alignments

TINST = Total duration of extended completion time, expressed as a fraction of one year.

ICCDP = Additional Core Damage risk incurred during the total duration of the extended CT.

ICLERP, Incremental Conditional Large Release Probability

ICLERP = (LERFINST - LERFBASE)

TINST

where,

LERFBASE = Baseline annual average LERF with average unavailability of EDGs consistent with the current 14 day CT.

LERFINST = LERF evaluated from the PRA model with an DG OOS and maintenance restrictions and system alignments as discussed in Section 4.2.

TINST = Total duration of extended completion time, expressed as a fraction of one year.

ICLERP = Additional Large Early Release risk incurred during the total duration of the extended CT.

Incremental Conditional Risk for DG 1A OOS Case Tables 4-8 through 4-12 provide the calculated risk increases for ICCDP and ICLERP for Units 1 and 2 when DG 1A is out of service for 19 days.

Table 4 Unit 1 DG 1A Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 5.01E-06 1.09E-05 19 Days 3.07E-07 Internal Flood 2.38E-07 4.50E-07 19 Days 1.10E-08 Internal Fire 5.89E-05 6.00E-05 19 Days 5.73E-08 Seismic 9.53E-07 1.03E-06 19 Days 4.01E-09 Total Risk 6.51E-05 7.24E-05 19 Days 3.79E-07 A4-30 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Unit 1 DG 1A Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.66E-07 6.47E-07 19 Days 1.46E-08 Internal Flood 5.95E-09 1.13E-08 19 Days 2.78E-10 Internal Fire 3.64E-06 3.72E-06 19 Days 4.16E-09 Seismic 2.47E-07 2.47E-07 19 Days 0.00E+00 Total Risk 4.26E-06 4.63E-06 19 Days 1.91E-08 Table 4 Unit 2 DG 1A Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 7.45E-06 1.08E-05 19 Days 1.74E-07 Internal Flood 3.00E-07 6.39E-07 19 Days 1.76E-08 Internal Fire 5.62E-05 6.44E-05 19 Days 4.27E-07 Seismic 8.58E-07 9.53E-07 19 Days 4.95E-09 Total Risk 6.48E-05 7.68E-05 19 Days 6.24E-07 Table 4 Unit 2 DG 1A Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.70E-07 3.73E-07 19 Days 1.56E-10 Internal Flood 6.93E-09 3.31E-08 19 Days 1.36E-09 Internal Fire 3.62E-06 4.08E-06 19 Days 2.39E-08 Seismic 2.60E-07 2.79E-07 19 Days 9.89E-10 Total Risk 4.26E-06 4.77E-06 19 Days 2.65E-08 Incremental Conditional Risk for DG 1B OOS Case Tables 4-12 through 4-15 provide the calculated risk increases for ICCDP and ICLERP for Units 1 and 2 when DG 1B is out of service for 19 days.

A4-31 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Unit 1 DG 1B Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 5.01E-06 8.22E-06 19 Days 1.67E-07 Internal Flood 2.38E-07 2.18E-07 19 Days 0.00E+00 Internal Fire 5.89E-05 6.03E-05 19 Days 7.29E-08 Seismic 9.53E-07 1.04E-06 19 Days 4.53E-09 Total Risk 6.51E-05 6.98E-05 19 Days 2.45E-07 Table 4 Unit 1 DG 1B Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.66E-07 4.06E-07 19 Days 2.08E-09 Internal Flood 5.95E-09 5.65E-09 19 Days 0.00E+00 Internal Fire 3.64E-06 3.61E-06 19 Days 0.00E+00 Seismic 2.47E-07 2.62E-07 19 Days 7.81E-10 Total Risk 4.26E-06 4.28E-06 19 Days 2.86E-09 Table 4 Unit 2 DG 1B Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 7.45E-06 1.10E-05 19 Days 1.85E-07 Internal Flood 3.00E-07 6.39E-07 19 Days 1.76E-08 Internal Fire 5.62E-05 6.71E-05 19 Days 5.67E-07 Seismic 8.58E-07 9.86E-07 19 Days 6.66E-09 Total Risk 6.48E-05 7.97E-05 19 Days 7.77E-07 A4-32 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Unit 2 DG 1B Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.70E-07 3.56E-07 19 Days 0.00E+00 Internal Flood 6.93E-09 2.87E-08 19 Days 1.13E-09 Internal Fire 3.62E-06 4.11E-06 19 Days 2.55E-08 Seismic 2.60E-07 2.76E-07 19 Days 8.33E-10 Total Risk 4.26E-06 4.77E-06 19 Days 2.75E-08 Incremental Conditional Risk for DG 1C OOS Case Table 4-16 thru 4-19 provide the calculated risk increases for ICCDP and ICLERP for Units 1 and 2 when DG 1C is out of service for 19 days.

Table 4 Unit 1 DG 1C Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 5.01E-06 1.09E-05 19 Days 3.07E-07 Internal Flood 2.38E-07 1.06E-06 19 Days 4.28E-08 Internal Fire 5.89E-05 7.58E-05 19 Days 8.80E-07 Seismic 9.53E-07 8.64E-07 19 Days 0.00E+00 Total Risk 6.51E-05 8.86E-05 19 Days 1.23E-06 Table 4 Unit 1 DG 1C Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.66E-07 6.40E-07 19 Days 1.43E-08 Internal Flood 5.95E-09 2.35E-08 19 Days 9.14E-10 Internal Fire 3.64E-06 4.05E-06 19 Days 2.13E-08 Seismic 2.47E-07 2.15E-07 19 Days 0.00E+00 Total Risk 4.26E-06 4.93E-06 19 Days 3.65E-08 A4-33 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Unit 2 DG 1C Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 7.45E-06 1.08E-05 19 Days 1.74E-07 Internal Flood 3.00E-07 7.38E-07 19 Days 2.28E-08 Internal Fire 5.62E-05 6.44E-05 19 Days 4.27E-07 Seismic 8.58E-07 9.92E-07 19 Days 6.98E-09 Total Risk 6.48E-05 7.69E-05 19 Days 6.31E-07 Table 4 Unit 2 DG 1C Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 3.70E-07 3.68E-07 19 Days 0.00E+00 Internal Flood 6.93E-09 3.55E-08 19 Days 1.49E-09 Internal Fire 3.62E-06 4.08E-06 19 Days 2.39E-08 Seismic 2.60E-07 2.91E-07 19 Days 1.61E-09 Total Risk 4.26E-06 4.77E-06 19 Days 2.70E-08 The Unit 2 results for DG 1A and 1C are conservative due to the assumption that swing DG 1B cannot be aligned to Unit 2 while they are in maintenance.

Risk Insights The differences in results between the ASM and DG CT cases are consistent with the changes (e.g., flag file changes) incorporated into the individual DG 1A, 1B, and 1C cases. The difference in results between the ASM and DG CT cases are also consistent with the observations from the model and cutset review meetings.

After the model results were generated, they were reviewed for insights for each diesel and hazard by comparing the ASM results with the DG results, comparing event sequence importance, initiating event importance, component importance, common cause importance, operator action importance and operator action dependency importance. Performing this review by hazard and by diesel, focusing on the changes due to the DG extended completion time, allows the significant contributors to each hazard to be identified individually, and then the overall risk impacts to be determined.

Cutsets and importance measures were reviewed to identify risk contributors that can be used as input to develop specific compensatory measures. The following are general risk importance insights from these reviews.

Initiating Events LOOP Initiating Event A4-34 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Human Failure Events Operator fails to align available systems for decay heat removal (e.g., SPC)

Operator fails to initiate primary containment venting Operator fails to align 600V Bus C to alternate supply (e.g., for extending RCIC operating time)

Operator fails to bypass high RCIC exhaust pressure for 24-hour mission time Operator fails to align 600V Bus D to 4.16 kV Bus C Operator fails to place Division II battery chargers in service Component Failure Events DG 1A and 1B failures Other Events Recovery of offsite power Conditional LOOP Failure to recover an DG start or output breaker failure

+ Internal Fire Events Initiating Events (Fire Compartments)

Main Control Room (0024C)

Control Building North and South Corridors (0014K)

Cable Spreading Room (0024A)

Human Failure Events Operator fails to align available systems for decay heat removal Operator fails to bypass high RCIC exhaust pressure for 24-hour mission time Operator fails to initiate containment venting Operator fails to depressurize Operator fails to start and control RCIC at Remote Shutdown Panel (RSP)

Operator fails to depressurize from the RSP Component Failure Events Fire-induced failure of ADS inhibit switches Fire-induced failure of RCIC turbine exhaust vacuum breaker isolation valve Other Events Recovery of offsite power Conditional LOOP The largest increase in risk was due to the 1C DG impact on the Fire PRA model. This is an expected result, as Division 2 components are the primary fire safe shutdown path in the deterministic fire safe shutdown analysis for fires in the control room and cable spreading room.

The remote shutdown panels contain mostly Division 2 components with circuits routed outside the cable spreading and control rooms.

It was noted during the general discussions of insights that many of the above events were already significant in the base ASM model and a more detailed review was performed based on A4-35 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG the Internal Events and Fire PRA CDF results for the Unit 1 DG 1C OOS case, as they were the dominant risk contributors. Similar risk insights were observed based on the results from other Unit 1 DG OOS cases for other hazards as well as for the Unit 2 PRA results. The LERF contributions are low and detailed analysis of those results was not deemed necessary.

The following guidance was used to focus on changes due to the EDGs out of service for this detailed review:

Event sequences that contribute more than 5% to the overall risk, and increased from the ASM results, or event sequences that increased to more than 1% of total risk.

Initiating events, worth 1% or more, where the CCDP (Birnbaum) value increased by a factor of 2 or greater or increased to above 1% in worth.

Components with RAW >2 or F-V > 0.005, where the RAW or F-V value increased by a factor of 2 or more, or components whose worth increased above the RAW or F-V limits.

Common Cause factors with RAW > 20, where the RAW increased by a factor of 2 or more or increased to > 20.

Operator actions with Birnbaum values greater than 1E-05, that increased by a factor of 2 or more, or increased to greater than 1E-05

Dependent operator actions with Birnbaum values greater than 1E-05, that increased by a factor of 2 or more, or increased to greater than 1E-05 For the DG 1A and 1B CDF cases, in the seismic model event sequence SBO_20 increased from a negligible contribution to 5.6%.

Sequence SBO_20: This sequence goes to core damage. After 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months power is not recovered, and depressurization fails which means no injection occurs after 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months . The MAAP case conservatively applied for this sequence assumes failure of RCIC occurs at 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months as opposed to 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months . In order to account for the 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months of initial injection, 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months is added to the calculated times. This gives core damage at 12.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , vessel failure at 20.1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and containment failure at 20.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

HPCI operation is not credited in the SBO sequences because it uses such large amounts of steam that it depressurizes the vessel quickly and adds a very large heat load to the torus. In addition, the very large flow rate results in rapid cycling of the system, thus the batteries cannot support long term usage. This is reflected explicitly by not including HPCI in the event tree logic.

The operation of RCIC is contingent on not exceeding HCTL (torus temperature as a function of RPV pressure) where RPV emergency depressurization would be directed. Therefore, the RPV depressurization based on not exceeding HCTL limits the time over which RCIC operates and sets the time available before RPV depressurization is required. In addition, battery life of 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months depletes and disables RCIC and SRV operation.

The DG 1C CDF case identified the following event sequences worth 5% or more in the base ASM model that increased in value or increased to more than a 5% contribution.

LOOP_5 increased from 6% to 22.1% in the internal events results and from 2.5% to 9.8% in the fire results.

A4-36 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG

SBO_28 increased from 8% to 11.7% in the internal events results.

LOOP_9 increased from 2% to 10.7% in the internal events results

SBO_5 increased from 2.5% to 9.4% in the fire results.

GT_11 increased from 5.1% to 9.4% in the fire results and from 23.6% to 30.2% in the internal flooding model.

GT_3 increased from 7,4% to 24.2% in the internal flooding model.

GT_4 increased from 12.2% to 17,6% in the internal flooding model.

A brief description of these sequences is presented below.

Sequence GT_3: In this sequence the MSIVs are closed because PCS is failed, but all SRVs that lifted for pressure control are closed (SORV0). RCIC operation has not been successful over a 24-hour period, but HPCI is successful, as is low pressure injection (LO). The extended loss of containment heat removal via both RHR and venting creates sufficiently high containment pressure that SRVs are forced to reclose causing the RPV to re-pressurize due to this environmental condition. Containment heat removal (QR) is failed which leads to core damage due to loss of torus inventory associated with containment failure due to lack of heat removal.

Sequence GT_4: This sequence has no main condenser for heat removal, PCS is failed. All SRVs that lifted for pressure control are closed (SORV0). RCIC operation has not been successful over a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, but HPCI is successful. There is, however, no low-pressure injection (LO), resulting core damage. HPCI isolation occurs on low steam line pressure at approximately 100 psi, defining the HPCI mission time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . A MAAP run with RCIC in operation for 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months and then no additional injection shows that core damage starts at 7.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months (i.e., 2.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after loss of RCIC). Containment failure occurs much later, at approximately 17 hours1.967593e-4 days 0.00472 hours 2.810847e-5 weeks 6.4685e-6 months Sequence GT_11: This sequence has no high pressure or low pressure injection. The condenser and condensate systems are failed so feedwater is unavailable; HPCI and RCIC are failed as well. The unit is depressurized but there is no low pressure injection available. Core damage begins at 0.84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months , vessel failure occurs at 7.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and containment failure begins at 18.7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months .

Sequence LOSP_5: This sequence goes to core damage due to containment failure following failure of containment heat removal (QR). Prior to containment failure, Reactor Scram, Initial Pressure Relief, High Pressure Injection (RCIC) manual depressurization (DE) and low pressure injection (LO) are all successful.

The extended loss of containment heat removal via both RHR and venting creates sufficiently high containment pressure that SRVs are forced to reclose causing the RPV to repressurize due to this environmental condition.

A4-37 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Continued failure to control containment pressure is probabilistically evaluated for the following environmental effects due to containment failure:

Loss of NPSH or steam binding of the systems taking suction from the torus.

Adverse environmental effects (e.g., high humidity) on the injection systems located in the Reactor Building

Failure of injection lines or misalignment of injection valves due to the consequential movement of containment and containment penetrations. These induced failures are probabilistically assessed regarding whether they cause injection to be terminated.

Loss of water from the torus as the consequence of torus failure below the torus water line In addition to environmental effects leading to degraded or failed equipment, there are also adverse effects on the performance of local operator actions for alignments and recovery actions. These adverse effects are subsumed in the applicable system fault trees by probabilistically assessing the consequences of the adverse environmental conditions.

Sequence LOSP_9: This sequence goes to core damage because of containment failure following failure of heat removal (QR). High Pressure injection using HPCI and RCIC fail, but, depressurization (DE) is successful. AD is successful for inhibiting ADS, and then ADS is un-inhibited for manual depressurization. This allows injection with low pressure sources (LO).

The extended loss of containment heat removal via both RHR and venting creates sufficiently high containment pressure that SRVs are forced to reclose causing the RPV to repressurize due to this environmental condition. Core damage due loss of low pressure injection path is assumed with containment failure.

The extended loss of containment heat removal causes the same adverse environmental conditions described in LOSP_5.

Sequence SBO_5: This case goes to core damage because offsite power is not recovered.

After RCIC operation is stopped, core uncovery occurs after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months when offsite power recovery before 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months is failed, and there will eventually be core damage and a high pressure failure of the reactor vessel with subsequent containment failure. Core damage occurs at 7.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , vessel failure at 15.1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , and containment failure at 15.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

HPCI operation is not credited in the SBO sequences because it uses such large amounts of steam that it depressurizes the vessel quickly and adds a very large heat load to the torus. In addition, the very large flow rate results in rapid cycling of the system, thus the batteries cannot support long term usage. This is reflected explicitly by not including HPCI in the event tree logic.

The operation of RCIC is contingent on a five hour battery life.

Sequence SBO_28: This sequence is a long term sequence, where one or more diesels initially starts, loads and runs, but fails at 15 hours1.736111e-4 days 0.00417 hours 2.480159e-5 weeks 5.7075e-6 months . Initial high pressure injection, depressurization and low pressure injection are successful, but the loss of the diesel then loses goes to core damage due to loss of low pressure injection at 15 hours1.736111e-4 days 0.00417 hours 2.480159e-5 weeks 5.7075e-6 months and no recovery of offsite power. This is assumed to allow up to 17 hours1.967593e-4 days 0.00472 hours 2.810847e-5 weeks 6.4685e-6 months for AC power recovery when the assumed diesel failure is taken to occur at 15 hours1.736111e-4 days 0.00417 hours 2.480159e-5 weeks 5.7075e-6 months . Failure of the diesels fails low pressure injection and containment heat removal and no credit is taken for re-pressurizing the vessel.

A4-38 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG For the DG 1C case, the following initiating events increased in worth.

In the Internal Events model, the -LOOP contribution increased from 25.2% to 58% of risk, as expected for a diesel out of service. The %IE-FL-BUSC loss of 600v bus 1C contribution increased from 0.7% to 5.0%, again expected when the opposite division diesel is out of service.

In the Internal Fire model, fire contribution for zone 0024A, the cable spreading room, increased from 6.7% to 9.4%. All of the increase was from transient fire scenarios.

In the Internal Fire model, fire contribution for zone 0001, control building 112 elevation, increased from 6.2% to 9.7%. Most of the increase is due to component fires. This is expected for this area since cables to the switchyard pass thru this room.

For the DG 1C case, the following operator actions increased in worth.

Operator action OPHELOSPCVCALT, to swap 600v bus 1C to its alternate feed during an LOOP event, had an increase in Birnbaum value from 5.41E-07 to 1.23E-05 in the internal events model. This action has a probability of 8.58E-02 and a beta distribution with a parameter of 7.0E-05.

Operator action OPHEEPANOLINK-F, to swap 600v bus 1D to its alternate feed during fire events, had an increase in Birnbaum values from 1.98E-06 to 4.59E-05 in the Fire model. This action has a probability of 5.7E-03 and a beta distribution with a parameter of 3.27E-05.

Newly added operator action OPHE-REC-PSW-F to secure the diesel on loss of PSW, manually isolate the PSW to turbine building valves, and restart the diesel, has a Birnbaum value in the Fire model of 1.49E-05, This action has a probability of 5.00E-02 and a beta distribution with a parameter of 1.97E-03.

These insights were used to evaluate potential compensatory actions, discussed in more detail below.

Recommended Compensatory Measures This application requires the identification of potential compensatory measures that could be taken by HNP during an extended DG outage to meet the requirements of Regulatory Guide 1.177. Dominant risk significant plant configurations associated with an DG outage are used to identify potential compensatory measures necessary to mitigate risk. The term compensatory measure is identified in a somewhat general manner with respect to actions to help mitigate risk during the DG OOS condition. It is recognized that some items identified below are already part of HNP procedures for extended DG OOS conditions (e.g., limit or prohibit maintenance that could impact offsite power sources). Other items could be characterized as a compensatory measure in that it may not be implemented as part of normal procedural guidance (e.g., limit access or prevent hot work in a specific fire area to limit fire risk for a specific issue). Cutset inspections and reviews of importance measures provide the primary plant-specific bases for identifying all risk-driven compensatory measures.

A4-39 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Compensatory Measures based on Risk Contributors for DG OOS Condition Based on the risk contributors identified above, the following Compensatory Measures are suggested prior to or during the time of the extended DG unavailability:

During the DG 1C outage, in order to further reduce risk, access and work in the cable spreading room will be restricted or limited to reduce the frequency of transient fire scenarios.

Reduce the likelihood of Component Failures:

Verify operability of and protect the RCIC pump and related equipment

Verify operability of and protect other EDGs and related equipment

Limit maintenance on and protect Class 1E onsite power systems and related equipment Alternative Measures Considered Several additional alternatives to reduce the risk were evaluated but not recommended.

Perform the maintenance with the unit off-line.

o 1B diesel - Since the 1B diesel is a shared diesel, both units would have to be taken offline to cold shutdown to exit TS 3.8.1 and use TS 3.8.2, which only requires two diesels per unit.

o 1A and 1C diesel would require Unit 1 offline to exit TS 3.8.1 and use TS 3.8.2 instead.

HNP does not possess a quantitative shutdown risk model. The risk during shutdown is a qualitative evaluation. While in mode 4 (cold shutdown), RHR in shutdown cooling mode is the preferred decay heat removal source. The shutdown cooling mode of RHR requires several relay logic interlocks to remain energized. Even a temporary loss of power could result in valve closure and require manual action to re-open. In mode 4 the time to boil is short and the impact of losing shutdown cooling is high due to the short time before the vessel starts re-pressurizing. Taking the unit off-line and then restarting also has potential impacts on the transmission grid. These qualitative risks are judged to offset the benefit of lower decay heat while the plant is shutdown.

Obtain and connect a temporary diesel generator sized to power the required loads on the impacted 4.16 kV bus.

The safety related 4.16 kV switchgear have no provisions for connecting alternate power supplies and there are no spare breakers or spaces available. Connecting an external diesel would either require opening a disconnect switch at the startup transformer and connecting the temporary diesel or disconnecting the existing diesel and connecting the temporary one. Protective relaying would have to be disabled and trip schemes modified to accommodate connection to the startup transformer. While the diesel is being connected, one SAT would be feeding two 4.16 kV busses and modifying protective relaying trip circuits is inherently a high-risk evolution. The existing feed from the diesel to the 4.16 kV bus is from embedded conduits so there is very little space to connect new cables and still isolate the existing cables, plus this would add out of service time to A4-40 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG the diesel outage. The temporary diesel would be outdoors, and the cables exposed to severe weather events, thus this alternative is qualitatively evaluated as increasing the overall risk of the evolution.

Pre-stage FLEX portable equipment.

Pre-staging FLEX equipment, per the current FLEX commitments, makes it unavailable for normal FLEX responses. In addition, it exposes the FLEX equipment to severe weather and other external events. Thus, this option reduces the reliability of the FLEX components, and decreases the benefit of utilizing FLEX alternatives.

Identification of Key Assumptions Review of Base Hazard Model Assumptions The assumptions in the hazard model calculations were reviewed against the specific changes to the model in this assessment to identify if any could impact the results or methodology.

The following assumptions were identified as a potential impact and were evaluated further.

LOOP is assumed to occur on both units simultaneously. This is conservative, as applying the correction factor lowers the risk of the shared 1B diesel not being able to serve the primary unit. For this application, since the 1B diesel is locked to the unit in maintenance, this base modeling assumption has no impact.

The LOOP initiating event is a combined event for all four categories of initiators. The recovery events are combined also using the same proportioning method as NUREG/CR-6850. This is risk neutral as it represents a decision to keep the modeling simple and not a different methodology.

Recovery of Consequential LOOP events is only credited for cases where all three EDGs fail and where RCIC is successful. This was deemed to be overly conservative for this assessment and was addressed in the ASM model discussed herein.

No component recoveries are modeled in the base model. Operator actions are limited to manual operation of systems when automatic actions fail or where manual action is required to change the mode of operation for a system. This is conservative as it leads to greater importance for the actual component reliability and availability and less dependence on human actions. One recovery action was added in a very limited manner to this evaluation to remove some of this conservatism.

RHR and Core Spray pumps are assumed to lose NPSH if torus cooling is not in service and the containment is vented using the Hardened Containment Venting System. This is conservative and impacts the base and diesel cases in the same manner.

DC powered equipment is assumed failed once the batteries are depleted. No credit is modeled for subsequent recoveries of the chargers. This is conservative and results in a higher diesel case risk than if recovery was credited.

Loss of the intake structure vent fans results in loss of the running PSW pumps unless operator actions occur in 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This is conservative, as it depends on the time of year and the number of pumps running and impacts the base and diesel cases in the same manner.

A4-41 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG

In the internal fire models, most of the secondary side equipment associated with the condenser, circulating water, condensate and feedwater was not subjected to circuit analysis and raceway routing verifications, and is thus failed in all fire scenarios. This increased the fire risk for scenarios that do not involve fire induced LOOP events. For this application, the diesels are only required for LOOP events, thus even if the above components were fully modeled, they would not be available in either the base or diesel cases, so the delta risk is not significantly impacted.

Application Specific Assumptions

Diesel generator maintenance/testing unavailability is mutually exclusive in the PRA models.

That is, only one DG may be taken out-of-service at the same time. This assumption is consistent with Technical Specifications and the PRA models.

It is assumed that the swing DG 1B is aligned to Unit 1 while DG 1A or DG 1C are OOS and DG 1B cannot be aligned to Unit 2 during this time. This assumption provides conservative results from the Unit 2 PRA perspective because procedural guidance would allow realigning DG 1B to supply Unit 2 if DG 1A or DG 1C (the one that is not OOS) successfully operates to supply power to Unit 1.

The outages for DG 1B and DG 1C are scheduled to occur during the Atlantic hurricane season, which runs from June 1st to November 30th; the DG 1A outage is scheduled to be performed in March 2021, which is outside of the hurricane season. Each of the DG OOS quantifications assume use of the average annual weather-related LOOP initiating event frequency contribution. However, this could potentially underpredict the actual weather-related LOOP initiating event frequency contribution during the proposed CT for DG 1B and DG 1C during hurricane season. To evaluate the potential uncertainties associated with this assumption, a sensitivity case to evaluate the risk impact of increasing the was performed.

The HNP ASM supporting the DG completion time extension risk evaluation assumes credit for recovery of DG start or output breaker hardware failures in the internal event and internal flooding logic only. Failure to recover from DG failure was originally credited in the HNP IPEEE PRA model, but was removed during the conversion of the PRA model from RISKMAN to CAFTA. Failure to recover from DG start or output breaker failure within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is modeled in the ASM in a limited way with a probability of 0.4 based on a historical review of HNP plant specific maintenance data. Existing operator actions in the Fire and Seismic models were not disturbed.

Uncertainty and Sensitivity Completeness Uncertainty Completeness uncertainty is addressed by evaluating the completeness of the risk analysis.

Because all unscreened hazards have been evaluated quantitatively and other external events have been screened and evaluated qualitatively, no major form of completeness uncertainty that would impact the results of this assessment exists.

A4-42 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Parametric Uncertainty Review Parametric uncertainty is typically evaluated by use of software tools designed for this purpose, such as UNCERT, which propagate the parametric uncertainties of each PRA model input through the model to estimate a mean risk metric result rather than a point estimate. The component failure and common cause basic events in the HNP models are constructed to facilitate the state of knowledge correlation during the uncertainty calculations. Per the Internal Events and Internal Flooding Uncertainty calculation H-RIE-IEIF-U00-011 the point estimate Unit 1 Internal Events CDF is 6.59E-06 and the propagated mean CDF calculated with UNCERT using the Monte Carlo simulation is 6.91E-06; the point estimate Unit 2 Internal Events CDF is 7.33E-06 and the UNCERT mean CDF is 7.42E-06. This shows that the mean is only slightly higher than the point-estimate CDF, which is typical of results in other plants.

A similar comparison was performed for the other hazards. For Internal Flooding, the point estimate Unit 1 CDF is 3.53E-07 and the mean CDF calculated with UNCERT is 3.71E-07; the point estimate Unit 2 CDF is 2.95E-07 and the UNCERT mean CDF is 3.14E-07. Per the as-build as-operated Internal Fire calculation, the point estimate Unit 1 CDF is 6.38E-05 and the mean CDF calculated with UNCERT is 6.67E-05; the point estimate Unit 2 CDF is 5.29E-05 and the UNCERT mean CDF is 5.53E-05. Per the Seismic uncertainty calculation H-SEIS-U00-009-001, the point estimate Unit 1 CDF is 7.36E-07 and the mean CDF calculated with UNCERT is 9.11E-07; a parametric uncertainty analysis was only performed for the Unit 1 seismic model due to the similarities in the two Units in the seismic results. As with Internal Events, the calculated means for the other hazards are only slightly higher than the point estimates.

The evaluation of parametric uncertainty determined that the parametric uncertainty results on the current PRA show a propagated mean estimate that is very near, and only slightly greater than, the point-estimate based mean. In addition, the propagated mean estimate is based on uncertainty parameter inputs that are largely generic or assumed values, so the propagated mean is not necessarily a better risk estimate. For this analysis, basic events related to the out of service DG were either set to TRUE or to 1.0 and basic events pertaining to prohibitive maintenance were set to FALSE, all other basic retained their original values and parametric values. Therefore, since the specific changes due to this application do not directly impact parametric uncertainties, the point-estimate based mean risk results are judged to be appropriate for this application and no additional parametric uncertainty calculations were performed.

Generic Model Uncertainties All the base hazard model calculations contain lists of assumptions, generic sources of uncertainty per the guidance in documents NUREG-1855, rev 1, EPRI 1016737 and EPRI 1026511 and model specific uncertainties. Those evaluations were reviewed to see which items have a disposition that defers specific resolution until the base model is used for an application. All the sources of uncertainty that could impact this application were related to modeling assumptions and are addressed in the discussion of assumptions above.

A4-43 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Characterize modifications to the PRA model The inputs for these risk analyses are the ASM and the Unit 2 MOR for the internal events and internal flooding hazards. As discussed above in the PRA quality, all finding level F&Os have been closed for all analyzed hazards. Modifications to the MOR to create the ASM are discussed above and predominantly pertain only to Unit 1. Uncertainty introduced into the ASM was reduced through model and cutset reviews. A new fire related HFE related to tripping and restarting an DG given a PSW flow diversion and the probability to recover a failed DG were added to the ASM. A detailed analysis was performed to calculate the HEP and this HEP is only credited as an independent recovery; thus, no dependency analysis was needed. The DG recovery action is only credited for start failures and random DG breaker failures and only for internal events and internal flooding. The DG recovery probability is based on site-specific data, as discussed in the ASM report, and is not an entirely new recovery as it was included in earlier versions of the HNP PRA model. Thus, there are no modifications to the PRA model that require characterization for impact on uncertainty.

Identify application-specific contributors Application-specific contributors are fully discussed above via examination of risk results. The dominant contributors to the changes in risk are identified there for the purposes of identifying compensatory measures. From an uncertainty perspective, these risk contributors are generally based on the best available generic industry data, so they do not introduce any unique sources of model uncertainty.

Assess sources of model uncertainty in the context of important contributors Risk-significant contributors to the base PRA model results were also examined to identify whether any of them could be important to this application. Potential sources of uncertainty are identified and detailed in the Internal Events and Internal Flooding Uncertainty Notebook and identified the following general PRA model uncertainties for further investigation in the context of this application. Model uncertainties that may be specifically related to and impact this application are identified here:

No credit for Core Spray or RHR injection with suction from the torus following successful containment venting.

No credit for offsite power recovery for non-SBO consequential LOOP sequences.

Identify key sources of model uncertainty and related assumptions relevant to the application Considering the sources of uncertainty identified above the following potential key uncertainties were identified.

Grid-related and weather-related LOOP frequencies o Variation in these parameters may impact the application due to the importance of LOOP frequencies in the results.

A4-44 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG

Consequential LOOP probability o Variation in these parameters may impact the application due to the importance of LOOP frequencies in the results.

Offsite power recovery for Consequential LOOP events o MOR only credits offsite power recovery for Consequential LOOP for SBO sequences. The ASM includes some credit for offsite power recovery for non-SBO sequences.

Onsite power recovery o ASM credits limited onsite power recovery (e.g., DG start and breaker failure) based on a review of historical HNP plant specific maineance data. Onsite power recovery was initially credited in the HNP IPEEE PRA model, but is not credited in the current MOR.

Various equipment failure rates and unavailability terms (including EDGs and RCIC system equipment) o Variation in these parameters may impact the application due to the importance of these systems in the results.

Modeling of swing DG 1B alignment o It is assumed that DG 1B is aligned to Unit 1 and cannot be aligned to Unit 2 during the DG 1A or 1C outage. This is conservative for the Unit 2 results as operators can manually align DG 1B to Unit 2 if Unit 2 is experiencing an accident with no Unit 2 EDGs available and the DG is unneeded for Unit 1. This assumption is slightly nonconservative for the Unit 1 results as a scenario may occur where DG 1B is manually aligned to Unit 2, but then Unit 1 experiences an accident and the available Unit 1 DG fails; however, this scenario is unlikely and has minimal impact on the results and no impact on the conclusions of this analysis.

Seismic risk o The factored min cut upper bound (FMCUB) approximation is used in PRA quantifications to help reduce quantification times and maintain cutsets as representative of the total frequencies they underpin. The rare event approximation works accurately only when failure probabilities are small (i.e., <5%). Seismic risk models often apply seismic failure probabilities that are not small (i.e., >5%). To improve the calculational results, the seismic MOR utilizes ACUBE; however, ACUBE was not used in the ASM or for this application. This decision was made in order to improve quantification speed and because the seismic results have only a small impact on the application.

A4-45 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Sensitivities to address Key Sources of Uncertainty The following sensitivity cases were performed for this analysis:

Severe weather sensitivity case

Cable Spreading Room (CSR) compensatory measure sensitivity case Severe Weather Sensitivity The outages for DG 1B and DG 1C are scheduled to occur during the Atlantic hurricane season, which runs from June 1st to November 30th; the DG 1A outage is scheduled to be performed in March 2021, which is outside of the hurricane season. While high wind and external flooding events are screened from the analysis, weather-related LOOP factors into the combined loss of offsite power initiating event frequency and the probability of offsite power recovery; and thus, a sensitivity was performed to evaluate the potential risk impact due to an increase in weather-related LOOP during the DG 1C outage because it is the most limiting case with respect to the ICCDP and ICLERP risk results.

A conservative sensitivity case was performed by using the 95% upper bound weather-related LOOP initiating event frequency in place of the average annual mean weather-related frequency of 3.32E-3/yr. The 95% upper bound weather-related LOOP initiating event frequency was calculated based on the uncertainty factors from the Bayesian update of the average annual weather-related LOOP initiating event frequency from the MOR. The 95% upper bound weather-related LOOP initiating event frequency is calculated to be 1.71E-2/yr (approximately a factor of 5 increase higher than the average annual weather-related LOOP frequency of 3.32E-3/yr).

For the severe weather sensitivity case, it is assumed that the average annual LOOP frequencies for the individual plant-centered, switchyard-centered, and grid-related contributors remain the same during the 21-day DG CT configuration. Therefore, when assuming an increase of the weather-related LOOP frequency to the 95% upper bound value, the total LOOP frequency (%IE-LOSP) increases from the base value of 2.12E-2/yr to 3.67E-2/yr.

In addition, when assuming a higher weather-related LOOP contribution, the offsite power (OSP) non-recovery values need be adjusted accordingly. The OSP non-recovery values in the MOR are based on a weighted contribution of the non-recovery curves for the individual plant-centered, switchyard-centered, grid-related, and weather-related LOOP contributors. If the weather-related LOOP contribution increases by approximately a factor of 5, then the weighting of the weather-related non-recovery curve increases by approximately a factor of 5. A recovery file is developed to replace the LOOP initiating event frequency and OSP non-recovery events with the assumed increased values for the severe weather sensitivity for both the base ASM and the Unit 1 DG 1C OOS case. The DG 1C case was selected as it has the highest total ICCDP and ICLERP, thus it bounds the other cases. Only the Internal Events results are impacted for the severe weather sensitivity case because the Internal Flood, Internal Fire, and Seismic hazards do not cause weather-related LOOP initiating events.

Table -20 and Table provide the ICCDP and ICLERP results, respectively, for the severe weather sensitivity case. The ICCDP for Internal Events increases from 3.39E-7 for the BaseDG 1C case to 7.71E-7 for the severe weather sensitivity case. The total ICCDP increases from 1.36E-6 for the Base DG 1C case to 1.79E-6 for the severe weather sensitivity case.

A4-46 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Unit 1 Severe Weather Sensitivity for DG 1C Case - ICCDP PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 7.30E-06 2.07E-05 19 days 6.98E-07 Internal Flood 2.38E-07 1.06E-06 19 days 4.28E-08 Internal Fire 5.89E-05 7.58E-05 19 days 8.80E-07 Seismic 9.53E-07 8.64E-07 19 days 0.00E+00 Total Risk 6.74E-05 9.84E-05 19 days 1.62E-06 Table 4 Unit 1 Severe Weather Sensitivity for DG 1C Case - ICLERP PRA Hazard LERFBASE (/yr) LERFINST (/yr) Time ICLERP Internal Events 4.05E-07 1.10E-06 19 days 3.62E-08 Internal Flood 5.95E-09 2.35E-08 19 days 9.14E-10 Internal Fire 3.64E-06 4.05E-06 19 days 2.13E-08 Seismic 2.47E-07 2.15E-07 19 days 0.00E+00 Total Risk 4.30E-06 5.39E-06 19 days 5.84E-08 Cable Spreading Room Compensatory Measures for Fire Events A compensatory measure to limit access and restrict work in the cable spreading room during the DG 1C outage was identified. While this compensatory measure is not credited quantitatively, a sensitivity was performed to estimate the risk reduction in the fire PRA results by implementing this compensatory measure. Limiting access and restricting all necessary work in the cable spreading room will reduce the frequency of transient fires occurring in the room; therefore, a sensitivity was performed where the risk associated with transient fire scenarios in fire compartment 0024A was set to zero. The Unit 1 DG 1C case was used because it is the most limiting case. The Unit 1 DG 1C case is below the ICLERP risk criterion of 1E-7, so this sensitivity case was not performed for the LERF results. The results in Table 4-22 show that the compensatory measure to limit access and restrict work in the cable spreading room during the DG 1C decreases the total.

A4-47 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG Table 4 Compensatory Measure Sensitivity Risk Analysis Results: ICCDP for U1 DG 1C PRA Hazard CDFBASE (/yr) CDFINST (/yr) Time ICCDP Internal Events 5.01E-06 1.09E-05 19 days 3.07E-07 Internal Flood 2.38E-07 1.06E-06 19 days 4.28E-08 Internal Fire 5.89E-05 6.95E-05 19 days 5.52E-07 Seismic 9.53E-07 8.64E-07 19 days 0.00E+00 Total Risk 6.51E-05 8.23E-05 19 days 9.01E-07 Integrated Risk Assessment The qualitative engineering analysis documented in the LAR evaluates the defense-in-depth considerations for a DG extended out of service. This attachment evaluates the same conditions quantitively. The resulting recommendations for compensatory actions agree, thus the assessments complement each other and provide assurance that the increase in risk due to the proposed change is small and manageable.

Tier 2 - Identification of significant combinations.

As defined in NRC RG 1.177 (Ref. 2), Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-informed operational factors, such as concurrent system or equipment testing, were also involved.

Current plant maintenance practices include protecting redundant equipment when equipment is unavailable. In addition, plant procedures include on-line monitoring to identify risk-significant configurations to avoid, including protection of any additional plant equipment that could increase on-line risk.

The PRA results were examined for maintenance combinations that appeared in risk significant sequences or cutsets. The maintenance restrictions currently credited to remove a DG from service for 14 days continue to apply for the extended DG outage. Therefore, no new significant combinations were identified.

Tier 3 - Configuration Risk Management HNP has a mature on-line configuration risk management process. It combines quantitative and qualitative assessments and requires significant increases in oversight and compensatory actions as risk action levels are reached. The quantitative analysis uses ICCDP and ILERP as triggers for the risk action levels. The process is controlled by site procedures.

A4-48 to NL-20-0843 HNP Probabilistic Risk Assessment Summary Report One-Time AOT Extension for Unit 1 DGs and Swing DG References

1. NRC Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3, January 2018 (NRC ADAMS Accession No. ML17317A256).

2. NRC Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, May 2011 (NRC ADAMS Accession No. ML100910008).

3. NRC Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 2, March 2009.

4. American Society of Mechanical Engineers ASME RA-Sa-2009, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications", February 2009.

5. Nuclear Energy Institute NEI 05-04, "Process for Performing Internal Events PRA Peer Reviews Using the ASME/ANS PRA Standard", November 2008.

6. Nuclear Energy Institute NEI 05-04/07-12/12-06 Appendix X, "Closeout of F&Os",

March 2017 (NRC ADAMS Accession No. ML16158A035).

7. Nuclear Energy Institute NEI 07-12, Fire Probabilistic Risk Assessment (FPRA) Peer Review Process Guidelines, June 2010.

8. Nuclear Energy Institute NEI 12-13, External Hazards PRA Peer Review Process Guidelines, August 2012.

A4-49

Attachment 5 List of Regulatory Commitments (4 total pages including cover page) to NL-20-0843 List of Regulatory Commitments List of Regulatory Commitments The following table identifies the regulatory commitments in this document. Any other statements in this submittal represent intended or planned actions. They are provided for information purposes and are not considered to be regulatory commitments.

TYPE SCHEDULED COMMITMENT One-Time Continuing COMPLETION (per DG) Compliance TIME DATE

1. ---------------------NOTE------------------ Following Applicable only to Unit 1 diesel completion of generators (DGs) and the swing DG extended DG extended outages planned in 2020 outage period; and and 2021.

X Prior to removing HNP will assess the lessons learned another DG for a from previous extended DG outages planned extended and develop strategies, if possible, to maintenance minimize the out-of-service time of outage.

subsequent DG outages.

2. The following defense-in-depth controls will be established and maintained prior to and during the one-time extended completion time period as specified in the applicable technical specifications (TS) 3.8.1 actions:

a. Three qualified circuits between the offsite transmission network and the onsite Class 1E electrical distribution system (i.e., station auxiliary transformers (SATs) and associated circuit paths to the Prior to removing a 4.16 kV engineered safety X DG for a planned feature (ESF) buses) per unit extended must be operable and aligned to maintenance their respective 4.16 ESF bus outage.

and no SAT will supply more than one 4.16 kV ESF bus;

b. Feeder lines from the 230 kV switchyard to the primary of each SAT will be protected and no discretionary maintenance or X testing will be scheduled on these lines for the duration of the extended completion time period; A5-1 to NL-20-0843 List of Regulatory Commitments TYPE SCHEDULED COMMITMENT One-Time Continuing COMPLETION (per DG) Compliance TIME DATE

c. No discretionary maintenance or testing will be scheduled in the 500 kV or 230 kV switchyards X that could affect the stability of the feeder lines to the SATs;

d. Electrical system load dispatcher will be contacted once per day to verify multiple line contingencies are available and to ensure no significant grid perturbations (i.e.,

high grid loading unable to X

withstand a single contingency of line or generation outage) are expected during the extended DG maintenance period;

e. Each automatic transfer of unit power supply from the normal offsite circuit to the alternate offsite circuit must be operable X

Prior to removing a for each Class 1E 4.16 kV ESF DG for a planned bus; extended maintenance

f. At least two DGs must be operable to each unit; X outage.

g. High pressure coolant injection and reactor core isolation cooling X systems must be operable;

h. For each residual heat removal loop, either the shutdown (SDC) mode must be operable or the low pressure coolant injection X

alternate SDC mode must be available; and

i. Systems and components specified in Appendix A of the plant online configuration risk management program will be maintained available and no X

discretionary maintenance or testing will be scheduled on these systems or components.

A5-2 to NL-20-0843 List of Regulatory Commitments TYPE SCHEDULED COMMITMENT One-Time Continuing COMPLETION (per DG) Compliance TIME DATE

3. The following risk management control will be established and maintained prior to and during the one-time extended completion time period as specified in the applicable technical specifications (TS) 3.8.1 actions:

NOTE------------------

This risk management control is only applicable to the DG 1C Prior to removing a extended outage.

DG for a planned extended No discretionary maintenance or X maintenance testing, including fire protection outage.

surveillances, will be scheduled on any equipment in the cable spreading room during the extended completion time and access will be limited to fire watches, on-shift operations personnel; and security personnel for the purposes of required area surveillance and inspection.

4. In accordance with the plant online Prior to removing a configuration risk management DG for a planned program, the planned DG extended preventative maintenance overhaul X maintenance will be removed from the work outage.

schedule if a period of severe weather is forecast.

A5-3

v t e Letter Sequence Request
EPID:L-2020-LLA-0171, TSTF-529, TSTF-564, TSTF-566, TSTF-563 (Approved, Closed)
Initiation Request, Request, Request, Request Acceptance... Administration Questions Answers 23 August 2020 Results Approval, Approval Other: ML20218A469, ML20218A479
MONTHYEAR2020-07-31 [Table View]

NL-20-0843, License Amendment Request to Revise the Required Actions of Technical Specifications 3.8.1, AC Sources - Operating, for One-Time Extension of Completion Time for Unit 1 and Swing Emergency Diesel Generators

Text

Enclosure:

Subject:

SUMMARY

3.1 Background

SUMMARY

3.1 Background

Navigation menu

NL-20-0843, License Amendment Request to Revise the Required Actions of Technical Specifications 3.8.1, AC Sources - Operating, for One-Time Extension of Completion Time for Unit 1 and Swing Emergency Diesel Generators

Text

Enclosure:

Subject:

SUMMARY

3.1 Background

SUMMARY

3.1 Background

Navigation menu

Search