Response to Request for Additional Information Regarding License Amendment Request for Extension of Completion Time for an Inoperable Emergency Diesel Generator - Probabilistic Risk Assessment Questions

ML071210491
Person / Time
Site:	Fermi
Issue date:	04/25/2007
From:	Cobb D Detroit Edison
To:	Document Control Desk, NRC/NRR/ADRO
References
FOIA/PA-2010-0209, NRC-07-0014
Download: ML071210491 (87)
v • d • e

Text

Donald K. Cobb Assistant Vice President, Nuclear Generation Fermi 2 6400 North Dixie Hwy., Newport, MI 48166 Tel: 734.586.5201 Fax: 734.586.4172 DTE Energy-April 25, 2007 10 CFR 50.90 NRC-07-0014 U. S. Nuclear Regulatory Commission Attention: Document Control Desk Washington D C 20555-0001

References:

1) Fermi 2 NRC Docket No. 50-341 NRC License No. NPF-43

2) Detroit Edison Letter to NRC, "Proposed License Amendment Request to Extend the Completion Time for Technical Specification 3.8.1 for an Inoperable Emergency Diesel Generator," NRC-06-0040, dated July 12, 2006

Subject:

Response to Request for Additional Information Regarding License Amendment Request for Extension of Completion Time for an Inoperable Emergency Diesel Generator - Probabilistic Risk Assessment Questions In Reference 2, Detroit Edison requested NRC approval of a proposed license amendment that requests an extension of the completion time for Fermi 2 Emergency Diesel Generators (EDGs) from 7 to 14 days.

In a September 18, 2006 electronic communication and a February 22, 2007 conference call, the NRC asked for clarification to the Fermi 2 submittal in the area of Probabilistic Risk Assessment (PRA). provides the response to the request for additional information. Attachments 1, 2, and 3 are excerpts from Fermi 2 Conduct Manuals (administrative procedures), is a list of protected systems for EDG and Combustion Turbine Generator 11-I Outages, Attachment 5 is PRA model documentation for Loss of Offsite Power (LOOP) initiators, Attachment 6 contains EDG unavailability data, and Attachment 7 contains the resume of the consultant who developed the Fermi 2 PRA Human Reliability Analysis.

AooI

USNRC NRC-07-0014 April 25, 2007 Page 2 There are no new regulatory commitments associated with this letter.

If you have any questions regarding this submittal, please contact Ronald W. Gaston at (734) 586-5197.

,sincerely,

Enclosures:

1. Response to Request for Additional Information Attachments:

1. Relevant Excerpts from Conduct Manual MMR 12

2. Relevant Excerpts from Conduct Manual MMR Appendix H

3. Relevant Excerpts from Conduct Manual MOP05

4. Listing of Protected Systems for EDG and CTG 11-1 Outages

5. PRA Model Documentation for LOOP Initiator Model Update

6. MSPI EDG Unavailability Data

7. Resume of PRA/HRA Consultant cc: NRC Project Manager Reactor Projects Chief, Branch 4, Region III NRC Resident Office Regional Administrator, Region III Supervisor, Electric Operators, Michigan Public Service Commission

USNRC NRC-07-0014 April 25, 2007 Page 3 I, Donald K. Cobb, do hereby affirm that the foregoing statements are based on facts and circumstances which are true and accurate to the best of my knowledge and belief.

D. K. Cobb Assistant Vice President Nuclear Generation On this ___ ______ day of AK1' ,2007 before me personally appeared Donald K. Cobb, being first duly sworn and says that he executed the foregoing as his free act and deed.

Notary Public rAMMYL ERVIN NOTARY PUBLIC, STATE OF MI COUNTY OF MONROE MY COMMIS8ON EXPIRES Aug 26, 2011 ACTING INCOUNTY OF

- ' .Z7

ENCLOSURE 1 to NRC-07-0014 Response To Request For Additional Information

Enclosure 1 to NRC-07-0014 Page 2

RAI 1

The safety evaluation for the extension of the emergency diesel generator (EDG) allowed outage time (AOT) from 3 days to 7 days (dated June 2, 1998) states:

"The verification of the operability of CTG [combustion turbine generator] 11-1 is necessary to compensate for the risk of having an EDG out of service for greater than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The proposed TS [Technical Specification] requires the licensee to verify CTG 11-1 is operable wheri the EDG AOT is entered. If CTG 11-1 becomes inoperable during the 7-day AOT and cannot be restored to operable status, the AOT reverts back to 3 days, not to exceed a total of 7 days from the time the EDG originally became inoperable."

It does not appear that the original staff concern was only for circumstances in which both EDGs in a single division, were inoperable. Therefore, the statement on page 7 of the submittal that "returning to a 3-day Completion Time, removes the need for the CTG 11-1 Required Actions" is appropriate only for the new Condition B of TS 3.8.1 (both EDGs inoperable). For Condition A, in which one EDG is inoperable, the removal of requirements for CTG 11-1 should be justified as a Category 1 Combined Change Request per Regulatory Guide (RG) 1.174. Please provide a justification for the change, including uncertainty, to strengthen the statement on page 13 of the submittal that the risk remains within the "small" risk increase threshold.

RAI 1 Response The quantifications that were performed for the amendment request did not exclude sequences where CTG 11-1 was out of service due to test and maintenance activities.

The FermiV7 model conservatively assumes that the CTG is out of service for maintenance activities 10% of the year. The test and maintenance basic events in the nominal "with maintenance" model typically utilize the maintenance rule threshold out-of-service times as a basis for the unavailability basic event probabilities. Since actual system or train unavailability is usually substantially lower than these values, the "with maintenance" model yields conservative results that bound many of the uncertainties associated with the quantifications.

Fermi typically schedules major system outages such that only one risk significant train or system (such as CTG 11-1 or an EDG) is removed from service at one time. To minimize the risk associated with the removal of multiple risk significant systems from service, Fermi has implemented a protected systems program contained within the Operations Conduct Manual MOP05 (Attachment 3). This program controls the access to equipment for which the risk analysis has determined that it is imprudent to schedule elective maintenance on simultaneously. The guidance for which systems are protected from a risk significance perspective (note that other systems are protected based upon Technical Specification limitations or Operations Department judgment) are found in to NRC-07-0014 Page 3 MMR Appendix H (Attachment 2). It should be noted that EDGs 11, 12, 13, and 14 are protected systems during a CTG 11-1 outage and CTG 11-1 is a protected system during outages of each individual EDG. The listing of protected systems used by operations during EDG and CTG 11-1 outages is shown in Attachment 4.

If CTG 11-1 is out of service simultaneously with any EDG (due to emergent issues or corrective maintenance), the increased risk will be managed within the framework of Fermi's 10CFR50.65(a)(4) compliance program (Attachment 1, Section 3). Under this program, if work is scheduled to be performed that will cause the risk level to be elevated (for instance from a Low to a Moderate classification) compensatory measures must be implemented to minimize the potential for incurring additional risk and appropriate management approvals must be obtained.

A sensitivity analysis was performed to further characterize the risk associated with the removal of the limitation of the EDG out of service (OOS) time when CTG 11-1 is also out of service. Table PRA-RAI- 1.1 summarizes the result of the sensitivity analysis.

The definitions for the terms on the table are as follows:

ICCDP: The Incremental Conditional Core Damage Probability ICLERP: The Incremental Large Early Release Probability AOT: The allowed out-of-service time proposed in the license amendment (14 days)

CDFconfig: Core Damage Frequency for an analyzed configuration CDFbase: The baseline Core Damage Frequency LERFconfig: Large Early Release Frequency for an analyzed configuration LERFbase: The baseline Large Early Release Frequency Timecdf: Time in configuration before the Reg Guide 1.177 ICCDP threshold is reached Timelerf: Time in configuration before the Reg Guide 1.177 ICLERP threshold is reached CDPthresh: The Reg Guide 1.177 ICCDP threshold (5.OE-7)

LERPthresh: The Reg Guide 1.177 ICLERP threshold (5.OE-8)

The following equations were utilized to formulate the table:

1. ICCDP = (CDFconfig- CDFbase)

• AOT

2. ICLERP = (LERFconfig - LERFbase)

• AOT

3. Timecdf = (CDPthresh / (CDFconfig - CDFbase))* 365.25 days/yr

4. Timelerf = (LERPthresh / (LERFconfig - LERFbase))

• 365.25 days/yr For the baseline "no maintenance" case, CDFbase = 7.77E-6/yr and LERFbase = 9.8 1E-8/yr.

For the baseline "with maintenance" case CDFbase = 1.05E-5/yr and LERFbaSe = 3.01E-7/yr

Enclosure 1 to NRC-07-0014 Page 4 Table PRA-RAI-1.1 - EDG / CTG 11-1 Combined OOS Sensitivity Analysis Timecdf Timelerf OOS Config Maintenance CDFconfl LERFconfle ICCDP ICLERP (days) (days)

EDG 11 &

CTG 11-1 No Maintenance 9.15E-06 1.51E-07 5.3E-08 2.OE-09 132.3 345.2 EDG 12 &

CTG 11-1 No Maintenance 9.45E-06 5.45E-07 6.4E-08 1.7E-08 108.7 40.9 EDG 13 &

CTG 11-1 No Maintenance 9.51E-06 1.04E-07 6.7E-08 2.3E-10 105.0 3095.3 EDG 14 &

CTG 11-1 No Maintenance 1.09E-05 6.06E-07 1.2E-07 1.9E-08 58.3 36.0 EDG 11 &

CTG 11-1 With Maintenance 1.56E-05 7.35E-07 2.0E-07 1.7E-08 35.8 42.1 EDG 12 &

CTG 11-1 With Maintenance 1.80E-05 3.54E-06 2.9E-07 1.2E-07 24.4 5.6 EDG 13 &

CTG 11-1 With Maintenance 1.5 1E-05 3.79E-07 1.8E-07 3.OE-09 39.7 234.1 EDG 14 &

CTG 1]-1 With Maintenance 2.19E-05 3.96E-06 4.4E-07 1.4E-07 16.0 5.0 From the information on the above table, one can see that for each EDG in the "no maintenance" case the ICCDP and ICLERP values are below Regulatory Guide 1.177 criteria with significant margin to the threshold. In the "with maintenance" case, EDGs 11 and 13 are below the ICCDP and ICLERP thresholds. EDGs 12 and 14 meet the ICCDP threshold but are above the ICLERP threshold. The "no maintenance" case more closely approximates the actual values that would be obtained from a simultaneous outage of a diesel and CTG 11-1, since risk management and other scheduling concerns (such as available resources) would preclude additional elective maintenance on risk significant systems. The high margins to the Reg Guide 1.177 thresholds in the "no maintenance" case bound uncertainties associated with the analysis.

to NRC-07-0014 Page 5

RAI 2

Please provide the basis for the updated loss of offsite power (LOOP) frequency and recovery values. Include in your discussion a statement of how the new values account for the effects of the August 2003 Northeast blackout.

RAI 2 Response contains a detailed description excerpted from the Fermi PRA model documentation regarding the recent update of the loss of offsite power initiating event frequencies. Included in this documentation is an explanation of how the effects of the August 2003 Northeast blackout were incorporated.

RAI 3

The Tier 2 evaluation described in RG 1.174 is intended to establish an early evaluation to identify and preclude potentially high risk plant configurations. The application states that work performed on safety significant systems and their applicable support systems will be reviewed based on the site risk management procedure. Please provide details of the Tier 2 evaluation for the requested emergency diesel generator completion time (CT) extension request. That is, identify for the 14-day outage time any high risk plant configurations that may occur and the compensatory measures or commitments to ensure these configurations do not occur during the extended CT.

RAI 3 Response Fermi typically schedules system or train outages such that only one risk significant train or system is removed from service at one time. To minimize the risk associated with the removal of multiple risk significant systems from service, Fermi has implemented a protected systems program contained within the Operations Conduct Manual MOP05 (Attachment 3). This program controls the access to equipment for which the risk analysis has determined that it is imprudent to schedule elective maintenance on simultaneously. The systems which are protected from a risk significance perspective (note that other systems are protected based upon Technical Specification limitations) are found in MMR Appendix H (Attachment 2). During an EDG outage, the following equipment is protected:

1. Restricted access to the opposite division EDGs (e.g. EDGs 11 and 12 during an EDG 14 outage).

2. Controlled access to the 120kV and 345 kV Switchyards.

3. Controlled access to CTG 11-1.

to NRC-07-0014 Page 6 It should be noted that EDGs 11, 12, 13, and 14 are protected systems during a CTG 11 -1 outage and CTG 11-1 is a protected system during outages of each individual EDG. The listing of protected systems used by operations during EDG and CTG 11-1 outages is shown in Attachment 4. Additionally, MMR Appendix H states that during times of increased probability of loss of the divisional (or all) offsite power (e.g. Critical Load Days, increased geomagnetic activity, voltage variations on the switchyard buses for the division of power which the EDG supports, etc.) consideration should be given to:

1. Not beginning maintenance activities on the EDG, OR

2. If maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore the EDG to available status.

Risk is monitored for scheduled and emergent work via MMR12 procedural guidance (Attachment 1, Section 3). If maintenance activities are scheduled which have a risk level above the "Low" risk classification, MMR12 requires that compensatory measures be implemented to minimize the potential for incurring additional risk. The appropriate management approvals must also be obtained for such activities.

For unplanned emergent conditions that cause an increase in the risk level, an online risk monitor is utilized in the Fermi 2 Control Room to ensure compliance with 10CFR50.65(a)(4). This risk monitor allows Operations personnel to perform hypothetical analysis of the plant configuration in lieu of overlapping planned and emergent activities. The results of these quantifications are utilized to determine the need to defer scheduled maintenance activities or restore systems that have previously been removed from service. MMR Appendix H contains specific recommendations on maintenance configurations to avoid (if possible) when emergent conditions arise.

RAI 4

Please provide details of the Maintenance Rule program for configuration risk management, including how assessments are made, what tools (risk models, risk matrices, etc.) are used, how the program complies with Chapter 11 of NUMARC 93-01, how the on-line risk monitoring tool is included in the quality assurance program, and what groups on site use the on-line risk monitor.

RAI 4 Response The Fermi site procedures which govern compliance with the Maintenance Rule for configuration risk management are MMR12 (Attachment 1) for "online" risk management (Modes 1, 2, and 3) and MWC 13 for "shutdown" risk management (Modes 4 and 5). The implementation at Fermi is fully compliant with Chapter 11 of NUMARC 93-01.

to NRC-07-0014 Page 7 The computer application for performing quantitative analysis is EOOS (Equipment Out of Service), which is an EPRI application that is used widely within the industry. The EOOS program is able to dynamically calculate the risk associated with planned maintenance and emergent plant conditions.

Operations Work Control personnel perform look-head risk assessments starting at Schedule Week T-5. The Probabilistic Risk Assessment (PRA) Group reviews work for the week during Schedule Week T- 1. Work Week Managers perform routine assessments of work included on the Plan-of-the-Day (POD) on a daily basis during Schedule Week T-0. On-shift Operations personnel perform "real time" risk assessments of scheduled and emergent conditions as they occur with the EOOS Operator's Screen.

A member of the PRA Group is available to assist Operations personnel with the use of the risk monitoring software, the interpretation of PRA model results, and appropriate risk management and mitigation strategies.

Fermi's compliance with 10CFR50.65(a)(4) is monitored by various internal and external oversight groups. This monitoring includes the internal Quality Assurance program, INPO industry peer visits and evaluations, and NRC routine inspections. These activities aid in assuring that Fermi's configuration risk management program is in compliance with regulatory requirements and industry standards.

It should be noted that some of the procedural guidance in MMR12 and the other procedures mentioned herein may change as a result of implementation of this proposed Technical Amendment (TS) amendment. Specifically, the sections regarding the implementation of the Configuration Risk Management Program (CRMP) would be deleted, since the procedural guidance employed (Attachment 1 Section 3) to comply with Maintenance Rule (a)(4) at Fermi fully encompasses the requirements of CRMP outlined in the regulatory guidance.

RAI 5

Please provide a detailed breakdown of the historical and estimated EDG unavailability on all four EDGs for preventative and corrective maintenance.

RAI 5 Response contains details of EDG historical unavailability for the four EDGs. The PRA model utilizes an estimated "bounding" value for unavailability of each EDG. For additional details regarding this estimated value see the response to RAI 6.

to NRC-07-0014 Page 8

RAI 6

The proposed Completion Time (CT) extension does not appear to distinguish between preventive and corrective maintenance. How have both types of maintenance been addressed in the risk insights provided with the application?

RAI 6 Response The PRA calculations for the CT extension as submitted assumed that only preventive maintenance was in progress for the 14 day CT. This assumption is based upon the Fermi EDG unavailability history (see RAI 5) where the majority of the EDG unavailability is due. to planned maintenance. Several potential Corrective Maintenance (CM) and Preventative Maintenance (PM) sensitivities were performed to address this issue.

1. Event Type A - Single EDG out for CM.

This event type assumes that corrective maintenance on an EDG is required when other maintenance is planned or in progress. Following plant procedures and risk management practices, it is reasonable to assume that within 2 days other risk significant non-EDG work activities would be completed or rescheduled. To quantify this scenario, the "with maintenance" model was used to analyze the first 2 days of the AOT. The "no maintenance model" was used for the remaining 12 days. For the most risk significant diesel (EDG 14), the ICCDP and ICLERP values are below Regulatory Guide 1.177 criteria with significant margin to the threshold. For details of these calculations, see Tables PRA-RAI-6.1 and PRA-RAI-6.2.

2. Event Type B - Two Intra-divisional EDGs OOS.

This event type assumes that one EDG is out of service for a PM, when the other EDG in the same division becomes inoperable and requires a CM for restoration. For an emergent repair condition, the proposed TS allows up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (3 days)

Completion Time before one of the diesels is required to be returned to service; this allowed OOS time for two EDGs in the same division is a decrease from the current allowed CT of 7 days.

Several calculations were performed assuming that one of the two divisional EDGs was OOS for the full 14 day AOT for PM and a second EDG in the same division became inoperable for 3 days for repair. These calculations provide results for a 3-day repair for the second EDG followed by an additional 11 days of unavailability for first EDG (with second available). This is a "worst case" evaluation, since the second EDG would have undergone its monthly surveillance within its normal one-month interval and is unlikely to become unavailable within the time frame of the PM of the first EDG. These combined cases (shown in Table PRA-RAI-6.5) show that the to NRC-07-0014 Page 9 impact of this scenario for all maintenance combinations remains in the "Low Risk" category per the acceptance guidelines of Maintenance Rule (a)(4) criteria (ICCDP <

1.OE-6/yr and ICLERP < 1.OE-7/yr) and is below the criteria of RG 1.177 (ICCDP <

5.OE-7 and ICLERP < 5.OE-8).

It should be noted that the proposed Technical Specification change represents a reduction in risk contribution for two EDGs OOS in the same division, since the AOT for two inoperable EDGs in the same division would be reduced from 7 days to 3 days. For details on the quantitative impact of this reduction, see Tables PRA-RAI-6.3, PRA-RAI-6.4, PRA-RAI-6.5 and PRA-RAI-6.6.

The definitions for the terms in the tables are as follows:

ICCDP: The Incremental Conditional Core Damage Probability ICLERP: The Incremental Large Early Release Probability CDFconfig: Core Damage Frequency for an analyzed configuration CDFbase: The baseline Core Damage Frequency LERFconfig: Large Early Release Frequency for an analyzed configuration LERFbase: The baseline Large Early Release Frequency CDPthresh: The Reg Guide 1.177 CDF threshold (5.OE-7)

LERPthresh: The Reg Guide 1.177 LERF threshold (5.OE-8)

The following equations were utilized to formulate the table:

1. ICCDPdaily = (CDFconfig - CDFbase) / 365.25 days/yr

2. ICLERPdaily =(LERFconfig - LERFbase) / 365.25 days/yr For the baseline "no maintenance" case, CDFbase = 7.77E-6/yr and LERFbase 9.8 1E-8/yr.

For the baseline "with maintenance" case, CDFbase = 1.05E-5/yr and LERFbase = 3.01E-7/yr.

to NRC-07-0014 Page 10 Event Type A Table PRA-RAI-6.1 - Daily CDF and LERF Configuration Configuration Description EDG OOS CDFconl ICCDPdMaI LERFconn ICLERPdaily CM - EDG 14 (1) EDG 14 is OOS due to CM 14 3.12E-05/yr 5.67E-08 5.48E-07/yr 6.77E-10 work (with Maintenance model)

PM - EDG 14 EDG 14 is OOS due to PM 14 9.47E-06/yr 4.66E-09 1.06E-07/yr 2.16E- II work (No Maintenance model)

(1) It should be noted that the CM "with maintenance" quantifications are performed by not excluding the possibility of planned outages of equipment in the opposite division occurring simultaneously, whereas PM quantifications exclude such scenarios and thus result in lower CDF and LERF values.

Enclosure 1 to NRC-07-0014 Page 11 Event Type B Table PRA-RAI-6.2 - Total ICCDP/ICLERP due to EDG CM/PM OOS Event ICCDPconlg ICCDPconfg ICLERPconfig ICLERPonntg Total Total Case Case Description 1st Period 2nd Period (1st Period) (2nd Period) (1st Period) (2nd Period) ICCDP ICLERP I EDG 14 is OOS due to 2 days 12 days 1.13E-07 5.59E-08 1.35E-09 2.60E-10 1.69E-07 1.61E-09 CM work for 2 days during which other work may be in progress, followed by 12 days OOS with no other maintenance to NRC-07-0014 Page 12 Event Type B (continued)

Table PRA-RAI-6.3 - Daily CDF and LERF Values Configuration 1st EDG OOS 2nd EDG Configuration Description (PM) OOS (CM) CDFconfi2 ICCDPddai 0 i LERFco. ICLERPdaily PM - EDGI I EDG 11 is OOS due to 11 N/A 8.58E-06/yr 2.22E-09 9.81E-08/yr O.OOE+00 PM work PM - EDG12 EDG 12 is OOS due to 12 N/A 8.58E-06/yr 2.22E-09 9.81E-08/yr O.OOE+00 PM work PM - EDGI3 EDG .13 is OOS due to 13 N/A 9.23E-06/yr 4.OOE-09 9.8 1E-08/yr O.OOE+00 PM work PM - EDG14 EDG 14 is OOS due to 14 N/A 9.47E-06/yr 4.65E-09 1.06E-07/yr 2.16E-11 PM work EDG 11&12 EDG 11 is OOS due to 11 12 2.99E-05/yr 6.06E-08 1.03E-07/yr 1.34E-11 PM work during which EDG 12 requires CM EDG 12&11 EDG 12 is OOS due to 12 11 2.99E-05/yr 6.06E-08 1.03E-07/yr 1.34E-11 PM work during which EDG 11 requires CM EDG 13&14 EDG 13 is OOS due to 13 14 5.42E-05/yr 1.27E-07 5.37E-07/yr 1.20E-09 PM work during which EDG 14 requires CM EDG 14&13 EDG 14 is OOS due to 14 13 5.42E-05/yr 1.27E-07 5.37E-07/yr 1.20E-09 PM work during which EDG 13 requires CM to NRC-07-0014 Page 13 Event Type B (continued)

Table PRA-RAI-6.4 Current Technical Specification ICCDP and ICLERP for two EDGs in a division (7days) 1st EDG OOS 2nd EDG OOS Total Total Case Case Description Time (PM) Time (CM) ICCDP, 0 on-i, ICLERPconfi ICCDP ICLERP 1 EDG 11 is OOS due to PM 7 days 7 days 4.24E-07 9.39E-1 1 4.24E-07 9.39E-1 1 work for 7 days during which EDG 12 requires CM for 7 days 2 EDG 12 is OOS due to PM 7 days 7 days 4.24E-07 9.39E-1 I 4.24E-07 9.39E- I1 work for 14 days during which EDG II requires CM for 3 days 3 EDG 13 is OOS due to PM 7 days 7 days 8.90E-07 8.41E-09 8.90E-07 8.41E-09 work for 14 days during which EDG 14 requires CM for 3 days 4 EDG 14 is OOS due to PM 7 days 7 days 8.90E-07 8.41E-09 8.90E-07 8.41E-09 work for 14 days during which EDG 13 requires CM for 3 days

Enclosure 1 to NRC-07-0014 Page 14 Event Type B (continued)

Table PRA-RAI-6.5 - Pro*posed Technical Specification ICCDP and ICLERP for two EDGs in one Division 1st EDG 2nd EDG 00S OOS ICCDPconfg ICCDPconrg ICLERPonnlg ICLERPcoing Time Time (3 days -2 (11 days - 1 (3 days - 2 (11 days - Total Total Case Case Description (PM) (CM) EDGs) EDG) EDGs) I EDG) ICCDP ICLERP I EDG 11 is OOS due to PM 14 days 3 days 1.82E-07 2.44E-08 4.02E-1 1 0.00E+00 2.06E-07 4.02E- I1 work for 14 days during which EDG 12 requires CM for 3 days 2 EDG 12 is OOS due to PM 14 days 3 days 1.82E-07 2.44E-08 4.02E-1 I O.OOE+00 2.06E-07 4.02E-1 1 work for 14 days during which EDG 11 requires CM for 3 days 3 EDG 13 is OOS due to PM 14 days 3 days 3.81E-07 4.40E-08 3.60E-09 O.OOE+00 4.25E-07 3.60E-09 work for 14 days during which EDG 14 requires CM for 3 days 4 EDG 14 is OOS due to PM 14 days 3 days 3.81E-07 5.12E-08 3.60E-09 2.38E-10 4.33E-07 3.84E-09 work for 14 days during which EDG 13 requires CM for 3 days to NRC-07-0014 Page 15 Event Type B (continued)

Table PRA-RAI-6.6 - Change in Risk due to reducing AOT for 2 EDGs in a division from 7 days to 3 days

% Change in  % Change Change in Change in Total Total in Total Case Case Description Total ICCDP ICLERP ICCDP ICLERP 1 EDG 11 is OOS due to PM work for 14 days during which -2.18E-07 -5.37E- 11 -51% -57%

EDG 12 requires CM for 3 days 2 EDG 12 is OOS due to PM work for 14 days during which -2.18E-07 -5.37E- 11 -51% -57%

EDG 11 requires CM for 3 days 3 EDG 13 is OOS due to PM work for 14 days during which -4.65E-07 -4.8 1E-09 -52% -57%

EDG 14 requires CM for 3 days 4 EDG 14 is OOS due to PM work for 14 days during which -4.57E-07 -4.57E-09 -51% -54%

EDG 13 requires CM for 3 days to NRC-07-0014 Page 16

RAI 7

How have the common cause failure differences between corrective and preventive maintenance been factored into the risk assessment of core damage frequency and large early release frequency increases? For corrective maintenance, discuss the risk impacts when common cause failures are assumed to exist and not to exist.

RAI 7 Response The common cause potential during the extended CT was considered. The common cause factors for the EDGs are part of the results of determining the baseline risk metric values.

However, LCO 3.8.1 Actions A.3.1 (for one EDG) and B.3.1 (for both EDGs in a single division) which require that a determination be made that the opposite division's EDGs are not inoperable due to common cause failure, remain active in the proposed TS amendment. No additional common cause potential or Human Error Probability for incorrectly determining if a common cause was present has been added to the analysis for the extended EDG CT. The EDG extended Completion Time risk evaluation assumes that a common cause failure does not exist due to the Technical Specification requirement to perform this common cause evaluation or perform an operability test on the operable EDGs. If the common cause determination method is by evaluation and is not sufficiently determinate as to whether a common cause failure exists, the TS Action allows testing to verify that the potential common cause is not impacting the operable EDGs. If the common cause evaluation determines that the cause is likely to impact an operable EDG, LCO actions allow a much shorter period to rectify the common cause inoperability or a plant shutdown would be required, regardless of the risk evaluation results that include an increased common cause potential.

For one or both EDGs in both divisions inoperable, LCO Condition 3.8.1 .C requires restoration of both EDGs in one of the divisions to operable status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Failure to restore an EDG to operable status within this much shorter Completion Time would result in a required plant shutdown. Thus, for an actual common cause condition, the TS would preclude using the extended EDG Completion Time, unless the common cause condition is rectified.

The common cause evaluation period is unchanged by this proposed TS CT extension.

The completion time for restoring two EDGs in a single division to service due to a common cause failure is shorter in the proposed TS amendment (3 days) than in the current TS (7 days); thus the risk significance of this scenario is smaller. For completeness, the risk for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> common cause determination interval is provided in Table PRA-RAI-7. 1. All quantifications were performed using the "with maintenance" model with a truncation limit of 1.OE-9.

Enclosure 1 to NRC-07-0014 Page 17 The definitions for the terms on Table PRA-RAI-7.1 are as follows:

ICCDP: The Incremental Conditional Core Damage Probability ICLERP: The Incremental Large Early Release Probability CDFoonfig: Core Damage Frequency for an analyzed configuration CDFbase: The baseline Core Damage Frequency LERFconfig: Large Early Release Frequency for an analyzed configuration LERFbase: The baseline Large Early Release Frequency CDPthresh: The Reg Guide 1.177 CDF threshold (5.OE-7)

LERPthsesh: The Reg Guide 1.177 LERF threshold (5.OE-8)

The following equations were utilized to formulate the table:

1. ICCDPdaily =(CDFconfig - CDFbase) / (365.25 days/yr)

2. ICLERPdaily = (LERFconfig - LERFbase) / (365.25 days/yr)

For the baseline "with maintenance," case CDFbase = 1.05E-5/yr and LERFbase 3.01E-7/yr.

Table PRA-RAI-7.1 DailyjCCDP and ICLERP Evaluation Period for CCF Other Configuratio Configuration EDG EDG(s) n Description OOS OOS CDFconn* ICCDdaiI LERFCOf, ICLERPdAi EDG 14 EDG 14 is OOS due to 14 N/A 1.47E-05/yr 1.1E-08 5.48E-07/yr 6.8E-10 PM work with no other EDG OOS EDG 14&11 EDG 14 is OOS due to - 14 11 3.21E-05/yr 5.9E-08 1.73E-06/yr 3.9E-09 PM work during which EDG 11 requires CM EDG 14&12 EDG 14 is OOS due to 14 12 3.94E-05/yr 7.9E-08 9.47E-06/yr 2.5E-08 PM work during which EDG 12 requires CM EDG 14&13 EDG 14 is OOS due to 14 13 8.52E-05/yr 2.OE-07 1.18E-06/yr 2.4E-09 PM work during which EDG 13 requires CM EDG 14&all EDG 14 is OOS due to 14 11,12,13 6.50E-04/yr 1.8E-06 2.19E-05/yr 5.9E-08 PM work during which EDG 11,12,13 OOS due to CCF From the information on the above table, one can see that for any two EDGs, that the ICCDP and ICLERP values are below Regulatory Guide 1.177 criteria with significant margin to the threshold. The value for the simultaneous outage of all EDGs is presented only for completeness, since the likelihood of such an occurrence is very small and the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> completion time for repair mitigates risk accumulation in this scenario.

to NRC-07-0014 Page 18

RAI 8

Please provide a discussion on the effects of the proposed CT extension on dominant accident sequences (sequences that contribute more than 5 percent to risk, for example) to show that the proposed change does not create risk outliers or exacerbate existing risk outliers. Please provide core damage contributions by initiating event and by sequence type for the base case and the extended CT case.

RAI 8 Response An examination of the cutsets for the base and extended CT case was performed. There were only two core damage cutsets that contributed more than 5% to risk. These cutsets are described below:

1) Reactor Scram, Operator Fails to Align Decay Heat Removal Options, Operator Fails to Vent the Containment (a loss of Decay Heat Removal sequence).

2) Turbine Trip, Operator Fails to Align Decay Heat Removal Options, Operator Fails to Vent the Containment (a loss of Decay Heat Removal sequence).

In the case where EDG 14 (the most limiting EDG) was removed from service, the only cutsets that contributed in excess of 5% of the total CDF were those listed above.

The LERF cutsets in the base case that contributed more than 5% to the total risk involved Interfacing System LOCAs (ISLOCAs) and Breaks Outside Containment (BOC). This result did not change when EDG 14 was removed from service.

From this examination of the cutsets, the proposed CT extension does not create risk outliers or exacerbate existing risk outliers.

The tables below contain the core damage contributions by initiating event and by sequence type for the base case and the extended CT case. Note that these tables are based upon cutsets generated from "with maintenance" quantifications at a 1.OE-9 truncation limit.

.to NRC-07-0014 Page 19 Table PRA-RAI-8.1 - Initiator Contribution to CDF - Base Case Initiator Description CDF PCT RX Reactor Scram 2.45E-06 23.36%

TX Turbine Trip 1.38E-06 13.16%

CMSIV MSIV Closure 1.12E-06 10.68%

LOCV Loss of Condenser Vacuum 1.04E-06 9.92%

LOPI Loss of Division 1 Offsite Power 9.82E-07 9.37%

LOP2 Loss of Division 2 Offsite Power 8.93E-07 8.52%

REFL Reference Leg Rupture 5.59E-07 5.33%

LODC Loss of Drywell Cooling 3.78E-07 3.60%

LOFW Loss of Feedwater 3.61E-07 3.44%

FWRU Feedwater Ramp-up 3.46E-07 3.30%

BOC Break Outside Containment 1.92E-07 1.83%

SRVI2 One or Two Stuck Open Relief Valves 1.78E-07 1.70%

LOSP Total Loss of Offsite Power 1.57E-07 1.50%

LOIA Loss of Instrument Air 1.27E-07 1.21%

LDWC Loss of Drywell Cooling 1.25E-07 1.19%

LGSW Loss of General Service Water 1.15E-07 1.10%

VSEQ Interfacing System LOCA 2.78E-08 0.27%

SRV3 Three or More Stuck Open Relief Valves 2.OOE-08 0.19%

FLOOD Flooding Imitators 1.88E-08 0.18%

TTWB Turbine Trip without Bypass 8.99E-09 0.09%

XL Extreme LOCA 6.40E-09 0.06%

SL Small Break LOCA 1.15E-09 0.01%

to NRC-07-0014 Page 20 Table PRA-RAI-8.2 - Initiator Contribution to CDF - EDG 14 OOS Case Initiator Description CDF PCT LOP2 Loss of Division 2 Offsite Power 3.88E-06 26.42%

RX Reactor Scram 2.45E-06 16.69%

TX Turbine Trip 1.38E-06 9.40%

LOSP Total Loss of Offsite Power 1.36E-06 9.27%

CMSIV MSIV Closure 1.12E-06 7.63%

LOCV Loss of Condenser Vacuum 1.04E-06 7.09%

LOPI Loss of Division I Offsite Power 9.82E-07 6.69%

REFL Reference Leg Rupture 5.59E-07 3.81%

LODC Loss of DC Power 3.78E-07 2.58%

LOFW Loss of Feedwater 3.61E-07 2.46%

FWRU Feedwater Ramp-up 3.46E-07 2.36%

BOC Break Outside Containment 1.92E-07 1.31%

SRV12 One or Two Stuck Open Relief Valves 1.78E-07 1.21%

LOIA Loss of Instrument Air 1.27E-07 0.87%

LDWC Loss of Drywell Cooling 1.25E-07 0.85%

LGSW Loss of General Service Water 1.15E-07 0.78%

VSEQ Interfacing System LOCA 2.78E-08 0.19%

FLOOD Flooding Imitators 2.03E-08 0.14%

SRV3 Three or More Stuck Open Relief Valves 2.OOE-08 0.14%

TTWB Turbine Trip without Bypass 8.99E-09 0.06%

XL Extreme LOCA 6.40E-09 0.04%

SL Small Break LOCA 1.15E-09 0.01%

Table PRA-RAI-8.3 - Core Damage Contributions by Sequence Type - Base Case Designator Sequence Type CDF PCT ZLESDHRDQNTF Loss of Decay Heat Removal 7.79E-06 74.21%

ZLESQTHIDQNTF Loss of Injection - High Pressure 1.30E-06 12.37%

ZLESTLODQNTF Loss of Injection - Low Pressure 2.42E-07 2.31%

ZLESATWSQNTF ATWS 8.87E-07 8.45%

ZLESVSEQDQNTF ISLOCA or BOC 2.20E-07 2.10%

ZLESSBODQNTF Station Blackout 5.90E-08 0.56%

Table PRA-RAI-8.4 - Core Damage Contributions by Sequence T pe - EDG 14 OOS Designator Sequence Type CDF PCT ZLESDHRDQNTF Loss of Decay Heat Removal 9.63E-06 65.59%

ZLESTLODQNTF Loss of Injection - Low Pressure 2.44E-06 16.62%

ZLESQTHIDQNTF Loss of Injection - High Pressure 1.43E-06 9.76%

ZLESATWSQNTF ATWS 8.87E-07 6.04%

ZLESVSEQDQNTF ISLOCA or BOC 2.20E-07 1.50%

ZLESSBODQNTF Station Blackout 7.17E-08 0.49%

,Enclosure 1 to NRC-07-0014 Page 21

RAI 9

Page 11 of the application states: "It is assumed for the purposes of this analysis that the preventive maintenance (PM) term will increase as a result of performing the four additional EDG major overhauls on line." The staff notes that the risk assessment uses this assumption as an input. However, this intention is not captured in the proposed revised technical specification pages or as a regulatory commitment. What controls will be in effect to ensure that the assumption of a single 14-day EDG outage per generator per cycle remains valid?

RAI 9 Response The controls that will be in affect to ensure that the assumption remains valid will be the Maintenance Rule performance criteria for the EDG system and the Mitigating Systems Performance Indicator (MSPI) program. The indicators used in both of these programs are designed to balance availability and reliability; the performance thresholds for the systems would remain the same under the new CT.

It should be noted that the statement in the submittal that was quoted in the RAI was a conservative assumption for the purpose of providing a bounding value for the quantified results. This is evidenced by the following statement on Pages 6 and 7 of the submittal (Reference 2): "The extended TS Completion Time for EDGs improves effectiveness of the allowed maintenance period. A significant portion of on-line maintenance activities is associated with preparation and return to service activities, such as tagging, fluid system drain down, fluid system fill and vent, and cylinder block heat-up. The duration of these activities is relatively constant. Longer Required Action Completion Time durations allow more maintenance to be accomplished during a given on-line maintenance period and, therefore, would improve maintenance efficiency. Thus, the total EDG unavailability is expected to be reduced with this proposed change."

-A sensitivity study has also been performed for this RAI. The purpose of this study was to determine the maximum allowed out of service time to meet the Reg Guide 1.177 and Reg Guide 1.174 acceptance thresholds. Note that all quantifications for this sensitivity utilized the "with maintenance" model and a truncation limit of 1.OE-9.

For Reg Guide 1.177 criteria, the following formulas are used:

1. AOTmax-CDF-1.177 =CDPtresh / (CDFEDG14 - CDFbase)

2. AOTmax-LERF-1.177 =LERPthrcsh / (LERFEDG14 - LERFbase)

For Reg Guide 1.174 criteria, the following formulas are used:

3. AOTmax-CDF-l.174 =((CDFthresh / (CDFEDG14 - CDFbase))

• Lengthcycle) / 4 EDGs

Enclosure I to NRC-07-0014 Page 22

4. AOTmax-LERF-1.174 -- ((LERFthresh / (LERFEDGI4 - LERFbase))

• Lengthcycle) / 4 EDGs

Where, AOTmax-CDF-i.177: The maximum allowed OOS time to meet Reg Guide 1.177 ICCDP criteria.

AOTmax-LERF-l.177: The maximum allowed OOS time to meet Reg Guide 1.177 ICCDP criteria.

AOTmax-CDF-I.174: The maximum allowed OOS time to meet Reg Guide 1.174 ACDF criteria.

AOTmax-LERF-l.174: The maximum allowed OOS time to meet Reg Guide 1.174 ALERF criteria.

CDFEDGI4: Core Damage Frequency for EDG 14 (the most limiting EDG) out of service.

CDFbase: The baseline Core Damage Frequency.

LERFEDG14: Core Damage Frequency for EDG 14 (the most limiting EDG) out of service.

LERFbase: The baseline Large Early Release Frequency.

Lengthcycie: The duration of a refueling cycle (518 days).

CDPthiresh: The Reg Guide 1.177 ICCDP threshold (5.OE-7).

LERPthresh: The Reg Guide 1.177 ICLERP threshold (5.OE-8).

CDFtlhresh: The Reg Guide 1.174 ACDF threshold (1.OE-6).

LERFthmrsh: The Reg Guide 1.174 ALERF threshold (1.OE-7).

The following is a derivation of Formula 3 above from the equation listed on Page 12 of the submittal (Reference 2) for DCDF (the derivation for Formula 4 above is very similar in nature and, therefore, not shown).

DCDF = (CDFEDG14 - CDFbase)

• AOT * (4 EDGs / Lengthcycle)

Note that in the above equation EDG 14 is conservatively used as a surrogate for the other three EDGs (which have a lower CDF/LERF impact).

Since it is desired to search for the limiting AOT (AOTmax-CDF-1.174), CDFthresh is introduced into the above equation:

CDFthresh =(CDFEDG14 - CDFbase)

• AOT (AOTmax-CDF-1.174) * (4 EDGs / LengtlycIe)

Rearranging terms in the above equation yields the formula below.

AOTmax-CDF-l.174 = (CDFthresh / (CDFEDG14 - CDFbase)

• Lengthcycie) / 4 EDGs to NRC-07-0014 Page 23 The results of this sensitivity analysis are shown below.

Table PRA-RAI-9.1 EDG OOS Time Sensitivity Parameter Value Units CDFEDG14 1.47E-05 yr-j CDFbase 1.05E-05 yr-LERFEDG1 4 5.48E-07 yr-1 LERFbý,, 3.01E-07 yr-_

Lengthcycle 518 days CDPthresh-l.177 5.00E-07 N/A LERPthresh-b.177 5.OOE-08 N/A DCDFthresh-1.174 1.00E-06 yr-DLERFthresh- .174 1.00E-07 L AOTmax.CDF-I.177 43.5 days AOTmax-LEP-1.177 73.9 days AOTmaxCDF-1.174 30.8 days AOTmax.LEY-1.174 52.4 days These results show that even if one conservatively assumes that each EDG is out of service for a total of 30 days per year (more than double the requested CT), the risk is still below all regulatory thresholds. It should be noted that EDG 14 was used to determine the maximum allowed AOT per Reg Guide 1.174 thresholds; this is a bounding estimate, since the other EDGs are less restrictive and the DCDF and DLERF averaged for all EDGs would be lower.

RAI 10

Please state how EDG maintenance unavailability values have been adjusted in the base risk model to account for the additional 14-day maintenance per cycle.

RAI 10 Response The EDG maintenance unavailability values have not been adjusted in the base model.

There are two reasons that this was not done:

1) Average EDG unavailability is not expected to increase as a result of this submittal.

2) The unavailability basic event values in the baseline PRA model are conservative with respect to the current and planned maintenance practices.

to NRC-07-00-14 Page 24 On pages 6 and 7 of the submittal (Reference 2), it is stated that "The extended TS Completion Time for EDGs improves effectiveness of the allowed maintenance period.

A significant portion of on-line maintenance activities are associated with preparation and return to service activities, such as tagging, fluid system drain down, fluid system fill and vent, and cylinder block heat-up. The duration of these activities is relatively constant. Longer Required Action Completion Time durations allow more maintenance to be accomplished during a given on-line maintenance period and, therefore, would improve maintenance efficiency. Thus, the total EDG unavailability is expected to be reduced with this proposed change."

The basic event representing the unavailability for each EDG in the PRA baseline model is 3.33E-2. This corresponds to an unavailability value per 18-month fuel cycle as follows:

UA/cycle (PRA model) = 3.33E-2

• 1.5 yr

• 365.25 days/yr = 18.2 days The actual planned and unplanned fractional baseline unavailability for each EDG during the 2002-2004 data collection interval for MSPI is shown on the tables below.

Table PRA-RAI-1 0.1 Planned Unavailability Based on MSPI data Diesel UA Days/cycle EDG 11 1.80E-02 9.9 EDG 12 2.38E-02 13.0 EDG 13 1.07E-02 5.9 EDG 14 1.44E-02 7.9 Table PRA-RAI-1 0.2 Unplanned Unavailability Based on MSPI data Diesel UA Days/cycle Hours/3 Years EDG 11 1.18E-03 0.65 31.0 EDG 12 4.96E-03 2.72 130.5 EDG 13 5.87E-04 0.32 15.5 EDG 14 5.00E-04 0.27 13.2 When the planned and unplanned unavailability for the MSPI data on EDG 12 (the EDG with the highest values) are added together, the result is 15.7 days/cycle of unavailability.

This value is below the 18.2 days/cycle, which is conservatively assumed in the PRA model.

The 18.2 days/cycle PRA model assumed outage duration accounts for one major EDG overhaul per cycle, as well as the unavailability accumulated as a result of routine to NRC-07-0014 Page 25 surveillance testing. If one were to conservatively assume that the planned unavailability of 28 days per cycle is attained, the revised basic event probability is:

P(BE) = 28 days/cycle

• 1 yr / 365.25 days

• 1 cycle / 1.5 yrs = 5.11E-2 The table below is a comparison of the quantification results for elevated and baseline unavailability conditions.

Table PRA-RAI-10.3 Unavailability Sensitivity Analysis Parameter Baseline UA Revised UA CDFconfig(1/yr) 1.47E-05 1.59E-05 CDFbase (1/yr) 1.05E-05 1.07E-05 LERFcon.f-,g (1/yr) 5.48E-07 6.75E-07 LERFbase (I/yr) 3.01E-07 3.02E-07 DCDF (1/yr) 4.5E-07 5.6E-07 DLERF (1/yr) 2.7E-08 4.OE-08 ICCDP 1.6E-07 2.OE-07 ICLERP 9.5E-09 1.4E-08 The above results for the case with modified unavailability are below Reg Guide 1.174 and Reg Guide 1.177 thresholds.

RAI 11

Please provide the results of an uncertainty analysis for the risk assessment of the proposed EDG CT extension. Alternatively, provide a sensitivity analysis to key assumptions for this application (in addition to the sensitivity calculation mentioned on Page 13 of the application for increased loss of offsite power (LOOP) frequency caused by severe weather).

RAI 11 Response The following is a sensitivity analysis for key assumptions for this risk-informed application.

The following sensitivity analyses have been performed for other RAIs:

1. A sensitivity analysis is provided for variation of the truncation limit to 1.OE-10 in the response to RAI 12.

2. A sensitivity analysis for the duration of unavailability is provided in the response to RAI 10.

Enclosure .1to NRC-07-0014 Page 26

3. A sensitivity analysis of CTG 11-1 being OOS concurrently with each EDG is presented in the response to RAI 1.

4. A sensitivity for varying completion times (CT) is provided in the response to RAI 9.

The following additional sensitivity cases were analyzed (using both "with maintenance" and "no maintenance") quantifications.

1. An outage of the dedicated diesel that is utilized to blackstart CTGs 11-2, 11-3, or 11-4 concurrent with an EDG 14 outage (the most limiting EDG).

2. An outage of CTG 11-2 concurrent with an EDG 14 outage.

3. An increase in the loss of offsite power (LOSP) initiating event frequency (IEF) by both a factor of 2 and a factor of 10, concurrent with the EDG outage.

4. A "combined sensitivity" involving an outage of the dedicated diesel that is utilized to blackstart CTGs 11-2, 11-3, or 11-4 concurrent with an EDG 14 outage and an increase in the LOSP IEF by a factor of 2. This sensitivity was performed at both a 1.OE-9 and a 1.OE-10 truncation limit.

The following equations were utilized to formulate the table:

1. ICCDP = (CDFconfg - CDFbase)

• AOT

2. ICLERP = (LERFconfig - LERFbase)

• AOT An AOT of 14 days was utilized for each quantification.

From the information on the following table, one can see that for each configuration in the "no maintenance" case, the ICCDP and ICLERP values are below Regulatory Guide 1.177 criteria with significant margin to the threshold. This is significant, since the likelihood of the dedicated blackstart diesel for CTGs 11-2, 11-3, and 11-4 being out of service concurrently with a condition that requires the elevation of the LOSP IEF by a factor of 2 for the entire duration of an EDG outage is extremely small. The high margins to the Reg Guide 1.177 thresholds in the "combined sensitivity" case bound uncertainties associated with this analysis.

The "with maintenance" cases are shown for completeness. It does not represent the plant configuration during the times of diesel outages, since risk management concerns, routine scheduling practices, and other scheduling issues (such as available resources) would preclude additional elective maintenance on other risk significant systems.

Nonetheless, one can see that for the first three sensitivity cases on the table, the "with maintenance" cases meet the ICCDP and ICLERP thresholds. For the final three sensitivity cases, the change in CDP and LERP for a single outage (equivalent to the listed ICCDP and ICLERP) only slightly exceed the MMR 12 threshold (see Attachment

1) for a "Low" risk classification (normal work control practices). Should an elevated risk category ("Moderate" or "High") be attained during an EDG outage, compensatory measures will be implemented and appropriate work approvals obtained per MMR 12.

to NRC-07-0014 Page 27 Table PRA-RAI-11.1 EDG Sensitivity/Uncertainty Analysis OOS Configuration Maintenance Truncation CDFbase LERFbase CDFcanfi! LERFconfi ICCDP ICLERP EDG 14 & Starting Diesel for CTGs 11-2,3,400S No Maintenance 1.OOE-09 7.77E-06 9.81E-08 1.01E-05 2.80E-07 8.9E-08 7.OE-09 EDG 14 & Starting Diesel for CTGs 11-2,3,4 00S With Maintenance 1.OOE-09 1.05E-05 3.01E-07 1.79E-05 2.06E-06 2.8E-07 6.7E-08 EDG 14 & CTG 11-2 00S No Maintenance L.OOE-09 7.77E-06 9.81E-08 9.47E-06 1.06E-07 6.5E-08 3.OE-10 EDG 14 & CTG 11-2 00S With Maintenance 1.OOE-09 1.05E-05 3.01E-07 1.49E-05 6.38E-07 1.7E-07 1.3E-08 EDG 14 & LOSP x2 No Maintenance 1.OOE-09 7.77E-06 9.81E-08 9.96E-06 1.28E-07 8.4E-08 1.IE-09 EDG 14 & LOSP x2 With Maintenance 1.OOE-09 1.05E-05 3.01E-07 1.67E-05 1.OOE-06 2.4E-07 2.7E-08 EDG 14 & LOSP xlO No Maintenance 1.OOE-09 7.77E-06 9.81E-08 1.47E-05 4.73E-07 2.7E-07 14E-08 EDG 14 & LOSP xlO With Maintenance 1.OOE-09 1.05E-05 3.01E-07 3.70E-05 6.29E-06 1.OE-06 2.3E-07 EDG 14 & Starting Diesel for CTGs 11-2,3,4 &

LOSP x2 No Maintenance 1.OOE-09 7.77E-06 9.81E-08 1.13E-05 5.47E-07 1.4E-07 1.7E-08 EDG 14 & Starting Diesel for CTGs 11-2,3,4 &

LOSP x2 With Maintenance 1.OOE-09 1.05E-05 3.01E-07 2.34E-05 4.33E-06 4.9E-07 1.5E-07 EDG 14 & Starting Diesel for CTGs 11-2,3,4 &

LOSP x2 No Maintenance 1.OOE-10 8.43E-06 1.45E-07 1.29E-05 9.05E-07 1.7E-07 2.9E-08 EDG 14 & Starting Diesel for CTGs 11 -2,3,4 &

LOSP x2 With Maintenance 1.OOE-10 1.24E-05 3.80E-07 2.90E-05 6.08E-06 6.4E-07 2.2E-07 to NRC-07-0014 Page 28

RAI 12

Please discuss any effects on the results caused by using a 1IE-9 truncation limit as opposed to the lE- 10 truncation limit used in the evaluation for Amendment No. 171.

RAI 12 Response A sensitivity study was performed on EDG 14 (the most limiting diesel) using the FermiV7 "with maintenance" model, a truncation limit of 1.OE- 10, and an assumption that the EDG is out of service for preventative maintenance. The results are shown on the table below.

Table PRA-RAI-12.1 Truncation Limit Sensitivity Analysis 1.OE-09 1.OE-10 Parameter Truncation Truncation Limit CDFconfig(1/yr) 1.47E-05 1.81E-05 N/A CDFbase (1/yr) 1.05E-05 1.24E-05 N/A LERFConlfi (1/yr) 5.48E-07 1.OIE-06 N/A LERFb.Se(./yr) 3.01E-07 3.80E-07 N/A DCDF (1/yr) 4.5E-07 6.2E-07 1.OE-06 DLERF (I/yr) 2.7E-08 6.8E-08 I.OE-07 ICCDP 1.6E-07 2.2E-07 5.OE-7 ICLERP 9.5E-09 2.4E-08 5.OE-8 The results for the 1E- 10 truncation limit are below Reg Guide 1.174 and Reg Guide 1.177 limits. The equations utilized to determine ICCDP, ICLERP, DCDF, and DLERF are found on Page 12 of the submittal. The limits referenced in the above tables are taken from Reg Guide 1.177 (ICCDP and ICLERP) and Reg Guide 1.174 (DCDF and DLERF).

to NRC-07-0014 Page 29

RAI 13

Please provide details of any self-assessments of the FermiV7 model performed against ASME RA-S-2002, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications," as suggested by recent Nuclear Energy Institute guidance.

RAI 13 Response A comprehensive self assessment of Fermi model performance against ASME RA-S-2002 has not been performed. However, in the past three years several applications and analyses of the model have demonstrated that the Fermi PRA model is technically adequate in the areas of EDG modeling, loss of offsite power modeling, and overall quantification results.

The Mitigating Systems Performance Index (MSPI) implementation required that Fermi PRA model results be subjected to an industry cross-comparison to determine if the PRA model was an outlier in the areas related to the monitored systems of the application. The EDGs are monitored components and as such were subject to the review. This review determined that the Fermi PRA model was not an outlier for the EDGs or any other monitored system. In addition, the quality of the Fermi PRA model improved as a result of this effort, since all "A" and "B" comments from the last Fermi PRA Model peer review (excluding the four "B" comments related to documentation) were addressed and closed. The industry cross-comparison allowed Fermi to compare itself to industry peers on issues related to EDG quantification results such as loss of offsite power initiating event frequencies and conditional core damage probabilities for loss of offsite power initiators.

Following the August 14th Loss of Grid event, the NRC issued an Accident Sequence Precursor (ASP) analysis which determined the conditional core damage probability (CCDP) for the event using the SPAR model. Fermi performed a benchmark of this analysis and determined that the results of the Fermi PRA model were similar in value to that of the SPAR model. This is a relevant comparison for the EDG CT extension submittal, since the EDGs were critical in the mitigation of this event.

When a major PRA model revision is produced, a comprehensive comparison of initiating event contributions, end states, cutsets, system importance, and HRA event importance parameters are reviewed and compared against the previous major model revision. This comparison ensures that significant changes in quantification results are identified and documented. This analytical comparison facilitates the continuous improvement of PRA model quality at Fermi 2.

-Enclosure 1 to NRC-07-0014 Page 30

RAI 14

Please provide details of any additional peer reviews performed after new methodologies were introduced for human reliability analysis (HRA) and thermal hydraulics (as mentioned on page 9 of the application).

RAI 14 Response A formal peer review has not been performed on the PRA model since new methodologies were introduced for human reliability analysis and thermal hydraulics.

However, the implementation of these methodologies has been subject to a high level of scrutiny from plant staff knowledgeable in plant operations and plant engineering staff.

The HRA update employed the EPRI HRA Calculator software tool. The implementation of the methodology change was performed by a consultant with over 26 years of PRA experience, who is an acknowledged expert in the field of HRA (this individual's resume is enclosed as Attachment 7). Scenario and timing requirements were reviewed by a staff technical expert with over 25 years of PRA experience.

The thermal hydraulic (TH) success criteria calculations were prepared by a consultant with 12 years of specialized TH modeling experience and over 30 years of experience in nuclear power. These calculations were thoroughly reviewed by two staff engineers at Fermi who specialize in the field of thermal hydraulics.

When a major PRA model revision is produced, a comprehensive comparison of initiating event contributions, end states, cutsets, system importance, and HRA event importance parameters are reviewed and compared against the previous major model revision. This comparison ensures that significant changes in quantification results are identified and documented. This analytical comparison facilitates the continuous improvement of PRA model quality at Fermi 2.

Attachment 1 Relevant Excerpts from Conduct Manual MMR 12 Revision 5 Pages 1-16

Fermi 2 Maintenance Rule Conduct Manual Detrot MMR12 Revision 5 Edison EQUIPMENT OUT OF SERVICE RISK MANAGEMENT Revision Summary

1) Removed all references to the Risk Matrix which is being retired.

2) Replaced risk memo with risk profile for scheduled work.

3) Provided additional guidance for performing initiating event frequency increases.

4) Corrected minor clerical errors.

Implementation Plan This conduct manual chapter is effective upon issue.

Enclosures A SSCs in (a)(4) On-Line Scope B SSCs in (a)(4) Scope for Shutdown Modes 4 and 5 C SSCs with Potential to Cause an Initiating Event During At-Power Modes D SSCs Initiating Event with Potential to Cause Loss of Critical Safety Functions During Shutdown Modes

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 2 1.0 PURPOSE 1.1 This chapter describes the risk management program at Fermi 2 for evaluating plant configurations due to maintenance activities. This chapter describes the process to be used by the PSA (Probabilistic Safety Assessment) group and other site departments in performing equipment out of service risk assessments. The purpose of these assessments is to evaluate the effect on overall plant safety of removing equipment from service during power operation and shutdown conditions. This effort supports implementation of 10 CFR 50.65 paragraph (a)(4):

"Before performing maintenance activities (including, but not limited to, surveillance, post-maintenance testing, and corrective and preventive maintenance), the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activities.

The scope of the assessment may be limited to those structures, systems, and components that a risk-informed evaluation process has shown to be significant to public health and safety."

1.2 This risk assessment guidance includes specific instructions for carrying out assessments under the Configuration Management Program (CRMP) as defined in Technical Requirements Manual Section 5.1.2. CRMP is applicable when one or more EDGs (Emergency Diesel Generators) are inoperable in Modes 1, 2, and 3.

1.3 This chapter provides guidance for providing risk information to be used in the engineering evaluation for balancing risk versus equipment reliability, which should be carefully managed to achieve a balance between the benefits and potential impacts on safety, reliability and availability. This effort supports implementation of 10 CFR 50.65 paragraph (a)(3):

"...ensure that the objective of preventing failures of SSCs (systems, structures, and components) through maintenance is appropriately balanced against the objective of minimizing unavailability of SSCs due to monitoring or preventive maintenance."

1.4 This chapter provides guidance for performing assessments for missed surveillance requirements for SR 3.0.3.

1.5 This chapter provides guidance for performing assessments for the lifting of mode change restraints under LCO 3.0.4(b).

1.6 This chapter provides guidance for performing assessments for inoperable snubbers for LCO 3.0.8.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 3 2.0 GENERAL REQUIREMENTS 2.1 Risk assessment methods are used to ensure that sufficient plant safety function capabilities are maintained during plant maintenance configurations to keep core damage probability and radionuclide release probability within acceptable limits as defined in this procedure.

This assessment is performed for the specific plant configuration for the total work scope, including maintenance and testing activities where one or multiple SSCs are out of service simultaneously.

2.2 Quantitative and/or qualitative assessment methods may be used to determine probabilistic risk levels. Risk assessment methods do not require explicit use of the PSA model, but the sophistication of the assessment should be commensurate with the safety significance of the equipment to be removed from service.

2.3 Risk levels in Modes 1, 2, and 3 are classified as "Low/Moderate/High/Unacceptable" since these are generally quantitative assessments. Shutdown risk is categorized using colors:

"Green/Yellow/Orange/Red" since a defense-in-depth approach is utilized. The two standards were chosen to emphasize the difference in basis for the at-power and shutdown risk assessments.

2.4 Systems or system functions which are within the scope of the risk assessment program are given in Enclosure A (Modes 1, 2, and 3) and Enclosure B (Modes 4 and 5).

2.5 For emergent (unplanned) situations, performance (or re-evaluation) of the risk assessment should not interfere with or delay the operations and/or maintenance crew from taking timely actions to restore equipment to service or take compensatory actions. When the plant configuration is restored or stabilized, a risk assessment for the emergent condition shall be performed in accordance with Section 3.8, "Risk Evaluations for Emergent Work."

2.6 The normal work control process as described in the MWC conduct manuals, including implementation of this procedure, suffices as a record that the risk assessment was performed. It is not necessary to document the basis of each assessment for removal of equipment from service as long as the processes are followed.

2.7 When Technical Specifications would require a forced shutdown to perform maintenance activities, a risk assessment may be performed as required for NRC issuance of a Notice of Enforcement Discretion as part of the justification for continued operation.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 4 2.8 When an unintentionally missed technical specification surveillance test is discovered, a risk analysis may be performed that may preclude performing the missed surveillance in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or declaring the subject equipment inoperable, provided that the following conditions apply:

" An existing surveillance test did not adequately test one or more components required to satisfy operability requirements credited in the surveillance test.

• The surveillance will not be completed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of the time of discovery.

2.8.1 The risk evaluation may use quantitative, qualitative, or blended approaches. The degree of depth and rigor of the evaluation should be commensurate with the importance of the SSC for which the surveillance requirement has been missed.

The risk evaluation methodology should be similar to that used for an emergent condition.

2.8.2 This provision shall not be used for operational conyenience to extend surveillance frequencies. All missed surveillances are expected to be completed at the first reasonable opportunity.

2.9 LCO 3.0.4(b) allows the plant to enter an operating mode when equipment normally required for that mode is inoperable, provided that a risk assessment determines that the risk for allowing the mode change is in the Low or Moderate classification (per Section 3.4). This provision is also applicable for entering shutdown modes.

2.9.1 The risk impact of the out-of-service equipment must be assessed and risk management actions implemented as appropriate using the plant programs established for section (a)(4) of the Maintenance Rule prior to the mode change.

2.9.2 The provision should only be used when there is reasonable likelihood that the equipment will be made Operable within the applicable completion time once the mode is entered.

2.9.3 This provision is intended to be used when unanticipated circumstances occur which would otherwise delay unit startup or other plant maneuvers. It is not intended for routine, intentional use.

2.9.4 The risk assessment must meet the requirements of NEI 03-10. The risk assessment for LCO 3.0.4(b) will use the existing Maintenance Rule (a)(4) scope, and will explicitly consider, on a case-by-case basis, any additional scope requirements due to existing Technical Specification inoperable equipment not covered by the Maintenance Rule (a)(4) scope.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 5 2.10 LCO 3.0.8 allows a delay time for entering an LCO for an SSC supported by an inoperable seismic snubber provided that the risk for the condition is assessed and managed.

2.10.1 The risk evaluation may use quantitative, qualitative, or blended approaches.

2.10.2 The risk evaluation methodology should be similar to that used for an emergent condition.

2.10.3 The depth and rigor of the evaluation should be commensurate with the importance of the SSC supported by the snubber.

3.0 RISK ASSESSMENT DURING OPERATING MODES 1, 2, AND 3 NOTE: Risk assessment during power operation (includes Modes 1, 2, and 3) for planned maintenance and testing activities and the impact of emergent situations is discussed below.

3.1 Scope - Modes 1, 2, and 3 3.1.1 SSCs subject to the risk assessment during power operations are shown on Enclosure A, "SSCs in (a)(4) On-line Scope." This table is applicable to Operating Modes 1, 2, and 3. Note that the use of the Level 1 at-power PSA model to evaluate risk for start-up/low power (Mode 2) and hot shutdown (Mode 3) is conservative.

Both Mode 2 and Mode 3 plant operation typically have a short duration, so this is not overly restrictive with respect to risk recommendations. PSA may develop specific recommendations for longer-term operation in these modes when appropriate.

3.1.2 The EOOS risk monitor considers risk due to containment bypass conditions via the list of valves which are modeled in the Level 1 PSA for the "break outside containment" or the "Interfacing System LOCA" events. Applicable valves are included by component PIS number in Enclosure A.

3.2 General Guidance for Performing At-Power Risk Assessments 3.2.1 A blended approach is used. Quantitative risk utilizing the Level 1 PSA Model and the expected duration of the maintenance configuration are the primary considerations in the risk assessment. A quantitative Level 2 impact is also considered. Some qualitative considerations, such as evaluating the potential for increasing initiating event frequencies and consideration to external factors are also assessed when evaluating the overall risk to the plant.

3.2.2 The EOOS online risk monitor is the primary tool to be used for performing-schedule, routine, and emergent risk assessments.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 6 3.2.3 The Level 1 PSA Model identifies the SSC dependencies considered necessary for the success of the system function on a best-estimate basis. This set of assumptions may differ from support systems required for Technical Specification operability of the system, which utilizes design basis criteria. Operations Work Control, System Engineering and the PSA Group may be used as resources for determining if a component is "inoperable but available" for certain maintenance activities.

3.3 Risk Assessment Methodology -Modes 1, 2, and 3 3.3.1 Plant configurations are identified through several sources:

• Reviewing the planned safety system outage schedule published annually and updated periodically

• Reviewing the 17-week look-ahead schedule which is published weekly

• Reviewing the daily Plan of the Day (POD),

• Utilizing data from the electronic schedule which includes scheduled start and stop times and related component identification numbers for each job to help identify overlapping work and component-level maintenance impacts

• Discussions at scheduling meetings with face-to-face discussion of the safety system outage impacts as well as first time on-line jobs and other significant evolutions and maintenance activities of interest.

3.3.2 A quantitative instantaneous core damage frequency (CDF) and instantaneous Large Early Release Frequency (LERF) is calculated for the given plant configurations using the current PSA model. If the calculated CDF or LERF is above the "X-unacceptable" instantaneous threshold, the plant can NOT be put into this configuration, and the work must be re-scheduled to reduce risk by reducing overlapping activities.

3.3.3 If the CDF and LERF are both below the instantaneous "X" criteria, then the duration of the work is considered to obtain the Incremental Core Damage Probability (ICDP). The ICDP (which is also called "delta CDP or increase in CDP") compares the proposed configuration risk to the risk with no equipment in maintenance (the PSA model retains assumed random failure rates with no maintenance or testing in progress). The ICDP equals the CDF [in units of core damage events per year] multiplied by the duration, minus the no-maintenance CDP value for the same duration. This value is compared to the thresholds stated in Step 3.3.4 and risk is tentatively classified on the increase in ICDP alone as Low, Moderate, or High.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 7 3.3.4 Following the Level 1 risk assessment, a Level 2 assessment is performed to determine the risk associated with a potential "large early" release of radionuclides following a core damage event. A "large early release" is that release associated with the High/Early release bin defined in Section 4.7.4 of the Fermi 2 IPE. The instantaneous frequency of such a release is termed the Large Early Release Frequency (LERF), usually expressed in events per year, and the probability of such a release over a given period of time is termed the Large Early Release Probability (LERP). This risk importance measure can flag configurations where there is an increased potential for core damage AND a subsequent radiation release large enough to cause public health effects and early enough that evacuation cannot mitigate the health effects. There is a threshold for which the CDP is low enough that further LERP evaluation is unnecessary; if the increase in LERP due to a plant change is less than 1.OE-07, it is considered a LOW risk. Thus, a calculated change in CDP less than 1.OE-07 does not require any Level 2 consideration since the non-risk significant criterion would be met, even if the entire increase in core damage led to a large early release. Above this threshold, the ILERP compares the proposed configuration risk to the risk with no equipment in maintenance (the PSA model retains assumed random failures with no maintenance or testing in progress).

The ILERP equals the LERF value (in units of large early releases per year) multiplied by the duration minus the no-maintenance CDP value for the same duration. This value is compared to the thresholds stated below and risk is tentatively classified on the increase in ILERP alone as Low, Moderate, or High.

3.3.5 The most restrictive of the two risk levels obtained from Steps 3.3.3 and 3.3.4 is the overall risk level for the maintenance activity or activities being evaluated.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 8 3.3.6 Following the quantitative Level 1 and Level 2 considerations, several aspects of the maintenance impact are evaluated qualitatively.

I1. The maintenance activities are evaluated for their potential to cause an initiating event (IE). Enclosure C, SSCs With Potential To Cause An Initiating Event During At-Power Modes, may be referenced to determine the initiator(s) that may occur due to a specific SSC failure. Since the base PSA model used to calculate the CDP assumes nominal event frequencies, conditions anticipated during the maintenance activity that can significantly increase the potential for an initiating event can make the quantitative assessment non-conservative.

Quantifying this IE impact is subjective and is subject to a high degree of uncertainty, particularly when human error is considered. However, at the discretion of the risk analyst, the increase in initiating event frequency that would be required to elevate the risk above the LOW threshold may be calculated. An assessment whether it would be prudent to elevate the risk classification based on this potential can be "back-calculated". When warranted, this evaluation is typically discussed at Work Control meetings with Operations and Maintenance personnel present who are familiar with the specific job requirements (degree of difficulty, etc.) for any feedback on elevating the risk classification of the work. Guidance for performing adjustments to initiating event frequencies in the EOOS software is contained in the EOOS User's Guide and in Section C of MMR Appendix H.

2. If an increase in an IE frequency is made, Steps 3.3.3 and 3.3.4 should be repeated to ensure proper incorporation into the quantitative assessment.

3. The degree of difficulty for recovery efforts as a result of the maintenance activity if an initiating event occurs should be considered. For example, many surveillance tests are easy to "back out " to restore the system function, while other maintenance or testing activities may require completion of the original work plan before the system can be returned to service

4. The impact of External Events is qualitatively considered for maintenance configurations. Questions pertaining to the possible impact of scheduled maintenance and emergent conditions should be considered regarding:

• Decrease in ability to mitigate a fire due to proposed maintenance/emergent conditions (e.g., draining fire headers).

" Impact of imminent threatening weather (e.g., a tornado warning in effect for Monroe County can increase the potential for a loss of power event).

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 9 Potential for the maintenance activities to cause an increased risk of flood from internal sources which would expose SSCs to hazards in a manner that degrades their ability to perform key safety functions (e.g., watertight doors open during maintenance) or due to proposed maintenance/

emergent condition.

3.4 Risk Classification Thresholds 3.4.1 Four categories for communicating plant risk levels at power are used:

'Unacceptable' (X), 'High' (H), 'Moderate' (M), and 'Low' (L). The quantitative criteria for these classifications are:

Unacceptable (X): The risk to overall plant safety has been elevated to the point that the particular configuration poses an instantaneous core damage frequency that is greater than or equal to 1.OE-03/year or instantaneous LERF that is greater than or equal to 1.OE-04/year. This risk level may also be attained with an integrated increase in CDP of greater than or equal to 1.OE-04 or an integrated increase in LERP of greater than or equal to 1.OE-5. It should be noted that this level is referred to as "Not Acceptable" with EOOS.

• High (H): The configuration is not in the unacceptable classification AND the increase in CDP for the configuration is greater than or equal to 1.OE-05 but less than 1.OE-04 OR the increase in LERP for the configuration of greater than or equal to 1.OE-06 but less than 1.OE-05. The risk to overall plant safety has been elevated to a level described in the "PSA Applications Guide"'I as "potentially risk significant". It should be noted that this level is referred to as the "Alarm" level within EOOS.

• Moderate (M): The configuration is not in the "Unacceptable" or "High" classification AND increase in CDP for the configuration is at least 1.OE-06 but less than 1.OE-05 OR the increase in LERP is greater than 1.OE-07 but less than 1.OE-06. The bases for the "M" rating is the "Assess Non-Quantifiable Factors" level specified in EPRI "PSA Applications Guide"'. It should be noted that this level is referred to as the "Alert" level within EOOS.

• Low (L): The increase in Core damage probability (CDP) is less than 1.OE-06 AND the increase in Large Early Release Probability (LERP) is less than 1.OE-07, which is "non-risk significant" per the "PSA Applications Guide"' and endorsed in NEI guidance in NUMARC 93-01 revised Section 112.

2 PSA Applications Guide, EPRI TR-105396, Final Report, August 1995 NEI guidance in NUMARC 93-01 Section 11 revision dated February 22, 2000

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 10 3.5 Risk Management Actions 3.5.1 For LOW risk configurations: the normal work control process is followed and no additional actions to address risk management are necessary.

3.5.2 For MODERATE risk configurations: The Manager - Nuclear Operations and the Manager - Nuclear Work Control must concur that the planned work should proceed. For emergent work, they should be notified of the increased risk status to ensure support for resolving the situation. Risk aspects of the work will be communicated to the site via the POD for planned work. The following risk management actions should be considered:

" Arranging the work to reduce division-level work to train-level work

• Actions which could eliminate any overlap of system unavailability

• Actions which could reduce the duration of the activity

• Contingencies will be recommended when prudent, such as requesting a second verifier for postulated potential human errors or having a maintenance foreman, operator, or system engineer present for some activities

• Developing a written restoration plan if not easily identifiable in existing procedures (lineup sheets, etc) 3.5.3 For HIGH risk configurations: In addition to the actions required for 'Moderate', the Director - Nuclear Production's concurrence is required to enter or remain in plant configurations with risk classification of 'High'. Risk management actions like the above list will be considered and risk analyst will define the requirements on a case-by-case basis.

3.5.4 For UNACCEPTABLE risk configurations: Configurations shall not be entered into voluntarily that have this risk categorization. For emergent conditions, which could result in an "X" risk level, it is very likely that the plant will trip or Technical Specifications will force a shutdown before a risk assessment can be performed.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 11 3.6 Risk Assessment Tools 3.6.1 EOOS (Equipment Out Of Service) Risk Monitor

1. The EOOS risk monitoring software is the primary risk assessment tool. An additional tool available is the on-line Equipment Out-of-Service (EOOS) program. This tool utilizes PSA Level 1 (Core Damage Frequency) and Level 2 (Containment Integrity) models of Fermi 2 that includes detailed modeling of systems and components relied upon to mitigate the effects of postulated Initiating Events. The software allows for a comprehensive review of the risk impact of having numerous components/systems out of service simultaneously. EOOS can accept data from the work scheduling system to identify overlapping activities and calculate the associated risk. EOOS is utilized during evaluations of the Plan of the Day (POD) schedules published daily and the 17-week look ahead schedule published weekly as supplemental information. Detailed guidance on the use of EOOS may be found in the EOOS User's Guide.

3.6.2 MMR Appendix H includes the "Initiating Events Guidance Document" that provides information on initiating events that may increase in importance as a challenge to the plant due to specific equipment outages and maintenance configurations in Mode 1, 2, and 3. This guidance provides recommendations to ensure initiator likelihood does not increase and to ensure other mitigating systems remain available. Any recommendations derived from this initiating event guidance are prudent BUT NOT REQUIRED to maintain the risk classification determined by the methods outlined in Section 3.6.1. If these recommendations are not followed, the PSA group should be consulted for concurrence.

3.7 Risk Evaluations For Scheduled Maintenance Activities 3.7.1 Work Week Managers (WWMs) are responsible for ensuring that the risk assessment of scheduled maintenance activities are performed in accordance with MWC07, "On-line Scheduling Guidelines."

3.7.2 Week T-5: The initial risk review is performed at week "T-5" (5 weeks prior to scheduled work week) and can be utilized for discussion at the T-4 Schedule Development, T-3 Readiness Review, and T-2 Schedule Freeze meetings.

3.7.3 Week T-2: During the T-2 week, a draft risk profile for scheduled work shall be transmitted to the Work Week Manager and Field Support Supervisor (at a minimum).

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 12 3.7.4 Week T-1: During the week prior to the start of the scheduled work, the risk profile for scheduled work is communicated to the site via inclusion in the POD.

Planned maintenance activities with risk significance scheduled during the workweek are identified on the profile.

3.7.5 Daily

The WWM for the work week in question is responsible for ensuring that emergent work and schedule changes are reviewed for risk impact prior to the daily POD being issued. The WWM, Work Control Scheduling group, or Operations will ensure any new risk recommendations are implemented. These may be communicated to the Operations staff by telecon, page, or e-mail. Any additional recommendations or other consultations with Operations or Work Week Managers may be documented informally or in the Control Room Log, however, there is no formal documentation required.

3.8 Risk Evaluations For Emergent Work 3.8.1 The Operations Department has the responsibility for identifying emergent work or conditions where a risk assessment needs to be performed. They may utilize the EOOS online risk monitor for the initial risk assessment. An Operations risk analyst will evaluate the effect of emergent conditions that extend into the next daily risk assessment including current plant operating conditions during the daily risk assessments.

3.8.2 Work that may impact the configuration of Fermi's 120kV or 345kV switchyards will be communicated and evaluated by Operations through normal work processes (reference MOP04).

3.8.3 FIRSTeam work, by definition, is not typically scheduled until the day it is performed, therefore it is usually considered emergent work for risk assessments.

The FIRSTeam Shift Manager is responsible for identifying their work that may have a risk impact and communicating this to the Shift Manager, Control Room Supervisor or Field Support Supervisor. The FIRSTeam Shift Manager is responsible for ensuring that a risk assessment of the FIRSTeam work is performed and that this information is communicated to the Control Room staff (Shift Manager, Control Room Supervisor, Shift Engineer, or Field Support Supervisor).

3.8.4 If the risk assessment of the emergent condition performed using EOOS is deemed to be inadequate or there is uncertainty about the risk classification of the condition, Operations shall notify the PSA Group of the need for a more in-depth risk assessment.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 13 3.8.5 For emergent work or conditions, risk management actions may be taken to return the original SSC or the emergent SSC to service to reduce risk. This would be based on risk level and the required time to repair the SSC. The Initiating Events Guidance or the "Out of Service Importance" feature within EOOS may be used to help prioritize returning equipment to service. For example, during EDG System outages switchyard work is normally not planned, however if an offsite power line becomes unavailable then the line should be restored to reduce the risk of a loss of offsite power initiating event or the EDG should be restored.

3.8.6 The potential for emergent work or an emergent condition to increase initiating event frequencies should be considered. Section C of MMR Appendix H should be utilized as a guide for the degree to which an initiating event should be increased.

3.8.7 Removing potentially degraded systems from service in a controlled, planned manner to perform maintenance can be an acceptable risk management action when, based on available expertise, the potential for an unplanned loss of function or potential increased risk of initiating event exists if the work was delayed. An example would be removing an offsite power supply due to indications of degradation, rather than risking a divisional loss of offsite power.

4.0 CONFIGURATION RISK MANAGEMENT PROGRAM (CRMP) 4.1 Risk Assessment for EDG Maintenance and Surveillances performed during Modes 1, 2, and 3 are required to implement the CRMP per Technical Requirements Manual Section 5.1.2.

4.2 The CRMP requires the following risk assessment capability and actions:

4.2.1 Provisions for control and implementation of a Level 1, at power, internal events PSA-informed methodology. The assessment shall be capable of evaluating the applicable plant configuration.

4.2.2 Provisions for performing an assessment prior to entering the LCO ACTION STATEMENT for pre-planned activities. (See Section 4.6.)

4.2.3 Provisions for performing an assessment after entering the LCO ACTION STATEMENT for unplanned entry into the LCO ACTION STATEMENT. (See Section 4.7.)

4.2.4 Provisions for assessing the need for additional actions after the discovery of additional equipment out of service conditions while in the LCO ACTION STATEMENT. (See Section 4.8.)

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 14 4.2.5 Provisions for considering other applicable risk significant contributions such as Level 2 PSA issues and external events, qualitatively, or quantitatively. (See Section 3.3.)

4.3 Use of the EOOS risk monitoring tool and Initiating Event Guidance documents as described in Section 3.0 constitute a sufficient technical basis to comply with the CRMP.

Specific applications of the CRMP assessment activities are spelled out in the Technical Requirements Manual. CRMP is applicable only to ITS LCO 3.8.1 Required Actions A.3 and A.6.

4.4 The EDG Technical Specification LCO is stated to be applicable to Operational Conditions 1,2 and 3, which therefore includes Hot Shutdown. The Fermi 2 PSA is not explicitly modeled for an initial condition of Hot Shutdown so there is no transition risk model for quantitatively assessing risk for Operational Condition 3. However, with very few exceptions, the direct application of the at-power Level 1 PSA to Hot Shutdown conditions should be conservative as long as the plant configuration can be evaluated by identifying equipment outages that can be accommodated in the PSA model. This is due in large part to several initiating event contributions to core damage, such as turbine trip and inadvertent scram, that are in the model but are not physically possible in Hot Shutdown. Moreover, the ATWS Core Damage End State is no longer possible since the plant is already shut down though it is part of the at-power model.

4.4.1 Therefore, to comply with the CRMP, diesel outage configurations in Operational Condition 3 should be evaluated the same as for Conditions 1 and 2 as described in Section 4. If the resulting risk impact is unacceptable, the PSA Group should be contacted for a more precise evaluation.

4.5 Operations will implement and document use of the CRMP through Plant Technical Procedure 24.000.01, Attachment 28A and/or Operations Conduct Manual, Chapter 6 (MOP06).

4.6 Analysis of Routine short-duration EDG testing:

4.6.1 EDG Surveillances with a duration of four hours or less (e.g. monthly surveillances run once per week):

1. If one EDG is out-of-service for a period of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> or less and no other condition exists which elevates the calculated risk value (other equipment out of service, environmental variances, etc.), the resulting risk level is Low.

Thus, no additional action is required beyond that currently dictated by the Technical Specifications.

Maintenance Rule Conduct Manual MMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 15

2. For one EDG out-of-service for less than four hours and other conditions exist which elevate the calculated risk value, use EOOS online risk monitor to assess risk level for planned maintenance outages. The same actions that correspond to a given risk level as given in Section 3.5 should be used.

4.6.2 EDG Surveillances greater than four hours

1. For one diesel out-of-service for greater than four hours but not more than the 7 day LCO and no other condition exists which elevates the calculated risk value during any portion of the activity (other equipment out of service, environmental variances, etc.), the resulting risk level is Low; thus, no additional action is required beyond that currently dictated by the Technical Specifications.

2. For one EDG out-of-service for greater than four hours and other conditions exist which elevate the calculated risk value, use EOOS online risk monitor to assess risk level for planned maintenance outages. The same actions that correspond to a given risk level as given in Section 3.5 should be used.

4.7 Unplanned entry into an EDG LCO Action Statement TS 3.8.1 Required Action A.3 and A.6 4.7.1 If no other condition exists which elevates the calculated risk value (other equipment out of service, environmental variances, etc.), govern recovery actions by normal response to the LCO requirements.

4.7.2 If another condition exists which elevates the calculated risk value, use the EOOS risk monitor to assess the risk level. This assessment should be initiated within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of discovery (similar to administrative requirements for verifying operability of remaining onsite AC power dependencies). Use the EDG TS Completion Time requirement of 7 days when performing the assessment.

1. If risk level is 'L' (Low), govern recovery, actions by normal response to LCO requirements.

2. If risk level is 'M' (Moderate), consider enhanced equipment recovery sooner than the normal response to LCO requirements and inform the Manager -

Nuclear Operations and Manager - Nuclear Work Control of the situation.

3. If risk level is 'H' (High), or X (Unacceptable), consider enhanced equipment recovery sooner than the normal response to LCO requirements and inform the Manager - Nuclear Operations, the Manager - Nuclear Work Control and the Director - Nuclear Production of the situation.

Maintenance Rule Conduct Manual MIMR12 Chapter 12 - Equipment Out of Service Risk Management Revision 5 Page 16

4. If the online EOOS risk monitor is unavailable or assistance is needed with interpretation of the risk monitor output, contact a member of the PSA Group for further assistance.

4.8 When in an EDG TS Required Action and a condition which elevates the calculated risk value is subsequently discovered:

4.8.1 Use the EOOS risk monitor to assess the risk level. The given EDG outage time (days) that most closely approximates, but is still greater than, the remaining TS Completion Time for the appropriate EDG should be used to perform the assessment.

1. If risk level is 'L' (Low), govern recovery actions by normal response to LCO requirements.

2. If risk level is 'M' (Moderate), consider enhanced equipment recovery sooner than the normal response to LCO requirements and inform the Manager -

Nuclear Operations and Manager - Nuclear Work Control of the situation.

3. If risk level is 'H' (High) or 'X' (Unacceptable), consider enhanced equipment recovery sooner than the normal response to LCO requirements and inform the Manager - Nuclear Operations, the Manager - Nuclear Work Control and the Director - Nuclear Production of the situation.

4. If the online EOOS risk monitor is unavailable or assistance is needed with the interpretation of the risk monitor output, contact a member of the PSA Group for assistance.

5.0 RISK ASSESSMENT DURING SHUTDOWN (MODES 4 and 5) 5.1 Shutdown Risk Advisors perform risk assessments in accordance with responsibilities delineated in MWC 11, "Refueling Outages" and MWC13, "Outage Nuclear Safety" for planned outages. Risk assessments for extended unplanned shutdowns of more than two days will utilize the same techniques. The risk of plant configurations during unplanned outages of only a few days is evaluated through a less formal daily assessment of the POD and awareness of changing plant conditions using the same qualitative guidelines in MWC 13, Enclosure A.

The level of risk evaluation will be commensurate with the extent of the outage work scope.

Attachment 2 Relevant Excerpts from MMR Appendix H Revision 3 Pages 1, 3, 5-7

Fermi 2 Maintenance Rule Conduct Manual Detroit MMR Appendix H Revision 4 Edison ON-LINE CORE DAMAGE RISK MANAGEMENT GUIDELINES Revision Summary

1) Incorporated enhancements as a result of surveying other nuclear utilities.

(CARD 06-27242)

2) Incorporated feedback from Licensed Operator training cycle 07-02.

Implementation Plan This conduct manual appendix is in effect upon issue.

Enclosures - None

Maintenance Rule Conduct Manual MMR APP H Appendix H - On-Line Core Damage Risk Management Guidelines Revision 4 Page 3 INTRODUCTION Disturbances to normal plant operation that have the potential of being a precursor to core damage are characterized in the PSA model as Initiating Events. Such events are normally successfully mitigated by the response of plant systems. When a system is taken out of service, the plant's mitigation capability may be reduced in response to one or more of the initiating events. For this reason, it would be prudent to take extra care when performing maintenance or testing activities that alter the normal operating configuration to minimize the likelihood of these initiators. Thus, for major planned system maintenance outages typically performed on-line, Section A is provided here (in addition to MMR12) that:

• identifies any initiating events that become particularly important in this equipment outage configuration, and

• lists examples of activities to be avoided to help minimize risk.

Conversely, in some cases where circumstances have already increased the likelihood of an important initiator, the guidance may recommend that the planned equipment outage be deferred.

Also listed in the system outage guidance are the systems recommended to be protected for PSA related purposes (in accordance with Conduct Manual MOP05 - Control of Equipment). The criteria utilized to generate the identified protected systems include the following:

1) if the quantitative core damage risk level were to increase as a result of the additional system/train being unavailable for the scheduled or estimated outage time of the first system in maintenance (this excludes systems/trains that when removed from service alone would result in an elevated risk level for the specified duration),

2) for qualitative purposes of maintaining safe reactor shutdown capability (defense-in-depth).

Operations also protects systems that may not be listed in this appendix for Technical Specification related reasons or per their discretion.

This guidance applies to extensive system maintenance outages where quick restoration of system function is not possible. These activities are usually scheduled well in advance and receive management scrutiny through processes described in the Work Control Conduct Manuals. For short duration surveillance tests, this guidance is applicable when deemed prudent by the Operations or PSA group and communicated to the work control authority.

To further aid in understanding the likelihood and potential consequences of initiating events, three appendices are provided. Section B describes those initiating events (including the Fermi 2 history if applicable), which, if they were to occur, provide the greatest conditional core damage probability (CCDP). Activities that have the potential for initiating such events should be minimized for all plant configurations. Section B also characterizes the nature and frequency of the more likely initiating events that would lead to core damage. This information can be used to help identify those activities that have the potential for creating a given initiating event, particularly when in a plant configuration where it is important to avoid such initiators. Section C discusses the possibility of severe weather, grid instability, and other activities/conditions that may increase initiating event frequencies (IEFs) and the requirement to adjust the appropriate IEFs in EOOS to accommodate the emergent condition. Finally, Section D has been added to centrally locate information pertaining to system/component availability, including the definition of availability (in terms of core damage mitigation) and guidance as it relates to availability determination.

Maintenance Rule Conduct Manual MMR APP H Appendix H - On-Line Core Damage Risk Management Guidelines Revision 4 Page 5 EDG 11 Maintenance

1. EDG 11 is an important mitigator for the Loss of the 120 kV Power (LOPI) and Loss of Offsite Power (LOSP) initiated events. Since work in the Division 1 switchyard increases the potential for a LOP 1, such activities should be avoided, if possible, while performing maintenance on EDG 11.

2. Additionally, during times of increased probability of Loss of the 120 kV Power (e.g. Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 120 kV switchyard buses, etc.) consideration should be given to:

" not beginning maintenance activities on the EDG, or

" if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore the EDG to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• 345 kV Switchyard 0 120 kV Switchyard

• CTG1 1-1 (or the designated blackstart CTG)

EDG 12 Maintenance

1. EDG 12 is an important mitigator for the Loss of the 120 kV Power (LOPI) and Loss of Offsite Power (LOSP) initiated events. Since work in the Division 1 switchyard increases the potential for a LOP 1, such activities should be avoided, if possible, while performing maintenance on EDG 12.

2. Additionally, during times of increased probability of Loss of the 120 kV Power (e.g. Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 120 kV switchyard buses, etc.) consideration should be given to:

" not beginning maintenance activities on the EDG, or

" if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore the EDG to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• 345 kV Switchyard

• 120 kV Switchyard

• CTGlI-1 (or the designated blackstart CTG)

Maintenance Rule Conduct Manual MMR APP H Appendix H - On-Line Core Damage Risk Management Guidelines Revision 4 Page 6 EDG 13 Maintenance

1. EDG 13 is an important mitigator for the Loss of the 345 kV Power (LOP2) and Loss of Offsite Power (LOSP) initiated events. Since work in the Division 2 switchyard increases the potential for a LOP2, such activities should be avoided, if possible, while performing maintenance on EDG 13.

2. Additionally, during times of increased probability of Loss of the 345 kV Power (e.g. Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 345 kV switchyard buses, etc.) consideration should be given to:

• not beginning maintenance activities on the EDG, or

• if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore the EDG to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• 345 kV Switchyard

• 120 kV Switchyard

• CTG11-1 (or the designated blackstart CTG)

EDG 14 Maintenance

1. EDG 14 is an important mitigator for the Loss of the 345 kV Power (LOP2) and Loss of Offsite Power (LOSP) initiated events. Since work in the Division 2 switchyard increases the potential for a LOP2, such activities should be avoided, if possible, while performing maintenance on EDG 14.

2. Additionally, during times of increased probability of Loss of the 345 kV Power (e.g. Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 345 kV switchyard buses, etc.) consideration should be given to:

• not beginning maintenance activities on the EDG, or

• if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore the EDG to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• 345 kV Switchyard

• 120 kV Switchyard

• CTG1 I-1 (or the designated blackstart CTG)

Maintenance Rule Conduct Manual MMR APP H Appendix H - On-Line Core Damage Risk Management Guidelines Revision 4 Page 7 CTG 11-1 Maintenance

1. CTG1 1-1 (or the designated blackstart CTG) is an important mitigator for the Loss of Offsite Power (LOSP) and Station Blackout (SBO) initiated events. Consideration should be given to deferring maintenance on CTG11-1 if EDG 11 or 12 are not available.

2. Additionally, during times of increased probability of Loss of the 120 kV or 345 kV Power (e.g.

Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 120 kV or 345 kV switchyard buses, etc.) consideration should be given to:

• not beginning maintenance activities on CTG 11-1, or

• if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore CTG 11-1 to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• EDGil1

• EDG 12 0 EDG 13 0 EDG 14

• 345 kV Switchyard SBFW Pump Train A or B Maintenance

1. Standby Feedwater is an important mitigator for Loss of Feedwater (LOFW) and SBO initiated events. Activities that could jeopardize the availability of HPCI or RCIC should be avoided, if possible, during maintenance activities that render the SBFW system unavailable.

2. Additionally, during times of increased probability of Loss of the 120 kV or 345 kV Power (e.g.

Critical Load Days, increased geomagnetic activity, severe weather, voltage variations on the 120 kV or 345 kV switchyard buses, etc.) consideration should be given to:

• not beginning maintenance activities on SBFW, or

• if maintenance is already in progress, completing the maintenance activities in as short a time frame as possible and restore SBFW to available status.

3. Protected Systems (related to PSA risk considerations) include the following:

• HPCI

• RCIC

Attachment 3 Relevant Excerpts from Conduct Manual MOP05 Revision 22 Pages 1, 29-30

Fermi 2 Operations Conduct Manual Detroit MOP05 Revision 23 Edison CONTROL OF EQUIPMENT Revision Summary

1) Added notes to Sections 2.7 and 2.8.

2) Added steps to work with DTE2.

Implemeentation Plan

1) This conduct manual chapter goes into effect upon April 9 implementation of DTE2.

2) A site wide communication will be issued.

3) Site wide training has been performed.

4) No impact or changes to ongoing work.

Enclosures A SFD Flowchart

Operations Conduct Manual MOP05 Chapter 5 - Control of Equipment Revision 23 Page 29 5.0 PROTECTED SYSTEMS 5.1 Purpose 5.1.1 The intent of protecting systems is to provide additional administrative barriers to guard against inadvertently rendering a component or system, important to safety, inoperable or unavailable.

1. Operations has the final decision for designating systems and components as "protected." Typically, systems will be considered protected if their unavailability would result in entering a shutdown LCO action statement, have an adverse negative impact on plant risk level (as listed in MMR Appendix H), or result in a plant transient. The Shift Manager is the final authority in determining protected systems.

2. Normal use of Protected Systems Signs will be directed by PST events during Safety System Outages and Refueling Outages. Attachments similar to the Protected Systems Form (Form MOP05002) will come with the PST event to direct the location and sign type to be placed in the field. Once the signs are all placed in the field, the PST event and attachment will be held in the RTC in the "Defense File" until their removal is directed (usually by the POD).

When all signs are removed from the field the PST will be signed off and forwarded to the Surveillance Group.

3. Special use of Protected Systems Signs can be used by Shift Manager direction or as part of a discretionary enforcement mandate.

In such cases the Protected Systems Form should be filled out and reviewed prior to sign placement in -the field.

Once all signs are placed in the field return the Protected Systems Form to the RTC to be held in the "Defense File" until removal is directed by the Shift Manager. When all signs are removed from the field send the Protected Systems Form for this special use to Ops Work Control for disposition.

5.2 Sign Types 5.2.1 Restricted Access - Areas designated as restricted access will be clearly marked with Stop Signs. Restricted access areas will be used to protect systems that would result in plant transients or require a plant shutdown per TS 3.0.3. Access to those areas will be limited to Operations, Security, and personnel responding to plant emergencies.

Operations Conduct Manual MOP05 Chapter 5 - Control of Equipment Revision 23 Page 30 5.2.2 Controlled Access - Controlled access areas are those areas containing systems or components that should remain available to preserve the integrity of the weekly risk assessment or per the direction of the SM. The only activities allowed in these areas are those that were reviewed and approved during the work week pre-planning and are on the Plan Of The Day (POD). It is understood that these approved activities may make a system/component within the area unavailable for a period of time.

Personnel are allowed to pass through these areas taking care to not adversely impact the equipment in the area.

5.3 Exceptions 5.3.1 Access to Protected Areas may be granted to allow activities deemed necessary by the Shift Manager. The associated activity should normally have Operations escort.

Granting access to Protected Areas should be infrequent and for good cause.

5.3.2 Areas to which access is normally under Operations direct "lock and key" control do not need to be posted. Smaller areas inside these boundaries may be posted if the work scope and conditions warrant.

5.3.3 Areas do not need to be posted for activities, which are short term in nature (i.e.

routine surveillance with short recovery times).

5.3.4 NRC inspectors are exempt from Work Control Protected restrictions.

5.4 Placement of Signs 5.4.1 Signs are used to protect vital system equipment. As such, the signs should:

• Be easily recognizable

• Be clean and easy to read Placed for broadest viewing range Never be left in the field when not in use

Attachment 4 Listing of Protected Systems for EDG and CTG 11-1 Outages Information taken from Protected Systems Forms for EDGs and CTG 11-1

'to NRC-07-0014 Page 2 Job instructions for PST Event DD21 For EDG 11 System Outage Protected Train: Div 2 EDGs, CTG 11-1 and 120kV and 345kV Mats Maintain in "Defense File" in RTC until all Signs are removed.

Component/Location Sign type Placed by Removed by

1. EDG-14 Eng. Rm. Just Restricted inside RHR door D62

2. EDG-13 Swgr. just Restricted.

inside RHR door D57

3. 345 kV Relay House Controlled just inside door

4. 345 kV Switchyard just Controlled inside South gate

5. CTG 11-1 North end Controlled

6. CTG 11-1 West Peaker Controlled Yard entry

7. CTG 11-1 South end Controlled between CTG 11-1 and its Control House

8. 120 kV Switchyard Controlled inside North Pedestrian Gate

9. 120 kV Switchyard Controlled inside North Truck gate

10. 120 kV Switchyard Controlled inside West gate

11. 120 kV Switchyard Controlled inside East Truck gate

12. 120 kV Switchyard Controlled inside Southwest Pedestrian Gate to NRC-07-0014 Page 3 Job instructions for PST Event DD22 For EDG 12 System Outage Protected Train: Div 2 EDGs, CTG 11-1 and 120kV and 345kV Mats Maintain in "Defense File" in RTC until all Signs are removed.

Component/Location Sign type Placed by Removed by

1. EDG-14 Eng. Rm. just Restricted inside RHR door D62

2. EDG- 13 Swgr. just Restricted inside RHR door D57

3. 345 kV Relay House Controlled just inside door

4. 345 kV Switchyard just Controlled inside South gate

5. CTG 11-1 North end Controlled

6. CTG 11-1 West Peaker Controlled Yard entry

7. CTG 11-1 South end Controlled between CTG 11-1 and its Control House

8. 120 kV Switchyard Controlled inside North Pedestrian Gate

9. 120 kV Switchyard Controlled inside East Truck gate

10. 120 kV Switchyard Controlled inside West gate

11. 120 kV Switchyard Controlled inside East Truck gate

12. 120 kV Switchyard Controlled inside Southwest Pedestrian Gate to NRC-07-0014 Page 4 Job instructions for PST Event DD23 For EDG 13 System Outage Protected Train: Div 1 EDGs, CTG 11-1, 120kv and 345 kV Mats Maintain in "Defense File" in RTC until all signs are removed.

Component/Location Sign type Placed by Removed by

1. EDG-1 1 Eng. Rm. just Restricted inside RHR door D61

2. EDG-12 Swgr. Rm. just Restricted inside RHR door D32

3. 345 kV Relay House Controlled just inside door

4. 345 kV Switchyard just Controlled inside South gate

5. CTG 11-1 North end Controlled

6. CTG 11-1 West Peaker Controlled Yard entry

7. CTG 11-1 South end Controlled between CTG 11-1 and its Control House

8. 120 kV Switchyard Controlled inside North Pedestrian Gate

9. 120 kV Switchyard Controlled inside North Truck gate

10. 120 kV Switchyard Controlled inside West gate

11. 120 kV Switchyard Controlled inside East Truck gate

12. 120 kV Switchyard Controlled inside Southwest Pedestrian Gate to NRC-07-0014 Page 5 Job instructions for PST Event DD24 For EDG 14 System Outage Protected Train: Div 1 EDGs. CTG 11-1. 120kV and 345kV Switchvards Maintain in "Defense File" in RTC until all Signs are removed.

Component/Location Sign type Placed by Removed by

1. EDG-1 1 Eng. Rm. just Restricted inside RHR door D61

2. EDG- 12 Swgr. just Restricted inside RHR door D32

3. 345kV Relay House Controlled just inside door

4. 345kV Switchyard just Controlled inside South gate

5. CTG 11-1 North end Controlled

6. CTG 11-1 West Peaker Controlled Yard entry

7. CTG 11-1 South end Controlled between CTG 11-1 and its Control House

8. 120 kV Switchyard Controlled inside North Pedestrian Gate

9. 120 kV Switchyard Controlled inside East Truck gate

10. 120 kV Switchyard Controlled inside West gate

11. 120 kV Switchyard Controlled inside East Truck gate

12. 120 kV Switchyard Controlled inside Southwest Pedestrian Gate to NRC-07-0014 Page 6 Job instructions for PST Event DD25 For CTG 1I-1 System Outage Protected Train: ALL EDGs Maintain in "Defense File" in RTC until all signs are removed.

Component/Location Sign type Placed by Removed by

1. EDG- 14 Eng. Rm. just Controlled inside RHR door D62

2. EDG- 13 Swgr. just Controlled inside RHR door D57

3. EDG-1 1 Eng. Rm. just Controlled inside RHR door D61

4. EDG- 12 Swgr. just Controlled inside RHR door D32

Attachment 5 PRA Model Documentation for LOOP Initiator Model Update to NRC-07-0014 Page 2 Loss of Offsite Power Frequencies This attachment contains a detailed description excerpted from the Fermi PRA model documentation regarding the recent update of the loss of offsite power initiating event frequencies. Included in this documentation is an explanation of how the effects of the August 2003 Northeast blackout were incorporated.

For the loss of offsite power initiating events, cumulative calendar years during the period between 2/1/1989 and 10/31/2005 (16.75 calendar years) were used as the operating time for the second-stage Bayesian update of the plant-specific frequency.

Since the loss of offsite power frequency during shutdown is typically higher than that during power operation, due to loss of power events induced by switchyard activities, this is considered a conservative treatment of the loss of offsite power initiating event frequencies. It should be noted that this extended data collection period through 10/31/2005 includes the total loss of offsite power event that occurred on 8/14/2003 and affected 9 U.S. nuclear units.

Due to the special features of the Fermi 2 switchyard design, loss of either one or both divisions of offsite power supplies simultaneously were defined as separate initiating events. In addition, a 2004 draft U.S. NRC contractor report (INEEL/EXT-04-02326) has further divided the loss of offsite power events into five subcategories: plant-centered, switchyard-centered, grid-related, severe weather-related and extreme weather-related events. Due to the potential for significantly different nature/extent of damages to the electrical grid, switchyard, and plant equipment and the associated recoveries from them, the subdivision of the loss of offsite power events into these five subcategories would permit a more accurate analysis of the power recovery evaluation. As such, the initial analysis of the loss of offsite power initiating events in 2005 were performed separately for the composite categories (i.e., %LOSP, %LOP1, and %LOP2) and each of the five subcategories associated with each of the three major categories; i.e., total loss of offsite power, loss of Divisional 1 offsite power, and loss of Division 2 offsite power (for total of 3 composite categories and 15 subcategories).

A two-stage Bayesian data update analysis was performed for each of these 3 composite categories and 15 subcategories (i.e., %LOSPPC, %LOSP_SC, %LOSP_GR,

%LOSP_SW, %LOSPEW, %LOPIPC, %LOPI_SC, %LOPI_GR, %LOPI_SW,

%LOPIEW, %LOP2_PC, %LOP2_SC, %LOP2_GR, %LOP2_SW, %LOP2_EW). The prior probability distributions for the 3 composite loss of offsite power initiating event categories and 15 loss of offsite power initiating event subcategories were generated by applying the screened industry loss of offsite power event data through the first stage of the two-stage Bayesian update process. For the analysis of divisional loss of offsite power initiating events, no distinction was made during the first-stage Bayesian update between these two sets of initiating events since it is very difficult to definitely determine whether a loss of offsite power event that occurred some time ago at another plant should be treated as a Division 1 or Division 2 loss of offsite power event. As a result, both of to NRC-07-0014 Page 3 sets of divisional loss of offsite power initiating events were assumed to have identical frequencies for the first-stage Bayesian update.

The data sources from which the loss of offsite power event data were developed include a series of EPRI reports (EPRI TR-101 1764, TR-1009889, TR-1002987, TR-1000158, TR-1 10398, and TR-106306) and U.S. NRC contractor reports (INEEL/EXT-04-02326, NUREG/CR-5496, etc.) which document the industry loss of offsite power events and event power recovery durations for U.S. nuclear units from 1980 through 2004. These events were reviewed in detail to determine if they are applicable to Fermi 2 as a loss of offsite power initiating event. The review was performed with a focus on whether the events would result in a loss of offsite power initiating event at Fermi 2 if the same or equivalent failures were to occur at Fermi 2. Those events that survive the screening from this consideration are used for the first-stage Bayesian update analysis of the loss of offsite power initiating event frequencies.

The Fermi 2 switchyard is designed with two separate switchyards with one for each of the two electrical divisions. Division 1 (120kV) is supplied with 3 offsite transmission lines and Division 2 (345kV) is supplied with two offsite transmission lines. Generator output is transmitted to the grid through the Division 2 switchyard. Fermi 2 is not equipped with a unit auxiliary transformer that receives power from the main generator and supplies power to the switchyard buses. The two switchyards at Fermi 2 and the associated electrical supplies are completely separate and independent (i.e., not connected through any equipment).

The major criteria used in the review and screening for applicability of the industry loss of offsite power events include:

• Industry loss of offsite power events that occurred during shutdown were not considered in the first-stage Bayesian analysis unless the shutdown was initiated strictly for plant protection from damages by such external influences as hurricane.

The reason for this criterion is because, during shutdown, the plant evolution may involve abnormal electrical configurations and activities that would not be present during power operations. These abnormal configurations and activities significantly increase the likelihood of loss of offsite power. As such, these events are excluded from the first-stage Bayesian analysis. To be consistent with this consideration, only the critical operating year's data during power operations were used in the first-stage Bayesian analysis.

" Events that involve only momentary loss of power (or undervoltage) from the offsite supply are not considered as an applicable loss of offsite power initiating event.

" Events with the offsite power remaining available (or no loss of offsite power to safety buses from the offsite supply) are not considered as an applicable loss of offsite power initiating event.

to NRC-07-0014 Page 4

• Events involving a loss of only one transmission line are not considered as an applicable loss of offsite power initiating event because Fermi 2 is designed with at least two transmission lines supplying each division.

• Events that involve random failures of the switchyard transformers or buses are not considered as an applicable loss of offsite power initiating event because these failures are modeled as separate initiating events in the Fermi 2 PRA. However, failures of this equipment due to external, environmental, or protective interactions (e.g., water spray from deluge system, water intrusion, tripping open of breakers due to protective actuation, external flood, fires, etc.) are retained in the first-stage Bayesian analysis.

" Events involving salt deposit/spray are not considered as an applicable loss of offsite power initiating event because Fermi 2 is not located close to the ocean.

• Each event was reviewed to determine if the event would cause a loss of offsite power supply in either one of the two divisions or if it would result in a total loss of offsite power supply in both divisions. Since the main generator and main transformer are connected through the Division 2 switchyard, malfunctions associated with this equipment typically could only cause a loss of Division 2 offsite power.

Because the two switchyards are not connected electrically, it is very unlikely for a plant-centered or switchyard-centered event to cause a total loss of offsite power in both divisions.

• Events associated with plants with only one switchyard or multiple switchyards with equipment electrically connected, or plants with only one high voltage level typically could only cause a loss of offsite power to one Fermi 2 division.

" Events associated with malfunctions of the startup transformers, auxiliary transformers, offsite transformers, etc. can be considered as equivalent to failures to Fermi 2 Transformers # 1, 64, or 65.

• Although the August 14, 2003 blackout event affected nine nuclear sites, it is only counted as one event, represented by the Fermi 2 event, because it is all resulting from the same cause/event, and as such is treated as one event.

• Each of the applicable events is further categorized into one of the five subcategories:

plant-centered, switchyard-centered, grid-related, severe weather-related, and extreme weather-related events.

• Loss of offsite power events induced by tornados are considered as extreme weather-related events for Fermi 2.

to NRC-07-0014 Page 5 For lightning events to be categorized as "Severe Weather-Related", the following must occur: a) has caused damage to transmission, switchyard, or plant equipment, b) has struck more than one piece of equipment, more than one location, or more than once, or c) has affected more than one unit.

The prior initiating event frequencies were updated with the plant-specific initiating event data summarized from Table 4.5-10 by using either a one-stage or a two-stage (for loss of offsite power initiating events only) application of Bayes theorem. The data analysis module of the RISKMAN software was used to perform the update. With the exception of the total loss of offsite power initiating events, these updated frequencies are used as the initiating event frequencies in the current Fermi 2 CAFTA model.

For the total loss of offsite power initiating events, the updated Fermi-specific frequencies for the 5 subcategories (%LOSPPC, %LOSP_SC, %LOSP_GR,

%LOSP_SW, and %LOSPEW) were only used to determine the relative (or percentage) contribution of each of the subcategories to the composite category of total loss of offsite power initiating event frequency (%LOSP). These relative/percentage contributions of the total loss of offsite power initiating event subcategories are used as the weighting factors in the calculation of the average non-recovery probabilities. In the updated CAFTA model, the total loss of offsite power initiating event is only represented by the composite category frequency (%LOSP).

The loss of offsite power initiating events for each division are represented in the CAFTA model by one switchyard-centered, divisional loss of offsite power initiating event subcategory (%LOP ISC/%LOP2_SC) and a newly defined composite divisional loss of offsite power initiating event (%LOP 1_OTH/%LOP2_OTH) which accounts for the total contributions from the remaining four subcategories (%LOP IPC/%LOP2_PC,

%LOP IGR/%LOP2_GR, %LOP ISW/%LOP2_SW, and %LOP IEW/%LOP2_EW).

The frequencies for %LOPISC/%LOP2_SC used in the CAFTA model were derived from the two-stage Bayesian update calculation. The frequencies for the new, composite divisional loss of offsite power initiating events, %LOP IOTH/%LOP2_OTH, were obtained by subtracting the updated switchyard-centered, divisional loss of offsite power initiating event subcategory frequencies from the total, updated composite divisional loss of offsite power initiating event frequencies; i.e., %LOP1/%LOP2. The reason that the switchyard-centered divisional loss of offsite power initiating events are separated from the composite divisional loss of offsite power initiating events is that these portions of the divisional loss of offsite power initiating event frequencies would vary when one or more pieces of switchyard equipment (e.g., breakers, etc.) are removed from service for maintenance.

To model the switchyard-centered, divisional loss of offsite power initiating event frequencies as a function of the switchyard equipment configuration, a fault tree developed to calculate the frequency of switchyard-centered, divisional loss of offsite power initiating event frequency for each division was constructed (i.e., under Gates LOPISC and LOP2_SC). These fault trees that model the switchyard-centered, to NRC-07-0014 Page 6 divisional loss of offsite power initiating event frequencies do not include contributions from those switchyard transformers (i.e., Transformer # 1, 64, and 65) and buses (i.e.,

Bus 11, 101, and 301) that have already been modeled as separate initiating events. Since these fault tree gates model all of the combinations of switchyard equipment failures (except those represented by separate transformer and bus initiating events) on an annual frequency basis, the calculated values for Gates LOPISC and LOP2_SC would increase as the other switchyard equipment (e.g., breakers) is removed from service. To ensure that the calculated values for these gates under the normal (i.e., no-maintenance) switchyard configuration is consistent with the Bayesian updated frequencies for

%LOP1 _SC and %LOP2_SC, Gates LOP ISC and LOP2_SC are inserted under Gates

%LOPISC and %LOP2_SC, respectively. With the inclusion of Basic Events

%LOP1SCFAC (0.9676) and %LOP2SC FAC (2.8808) also under Gates %LOPISC and %LOP2_SC, respectively, the calculated values for Gates %LOPISC and

%LOP2_SC are automatically calibrated to be the same as the Bayesian updated frequencies under the normal (no-maintenance) switchyard configuration.

Similar to the case for the total loss of offsite power initiating event frequencies, the updated Fermi-specific frequencies for the 5 subcategories (%LOP IPC/%LOP2_PC,

%LOPISC/%LOP2_SC, %LOPIGR/%LOP2_GR, %LOPISW/%LOP2_SW, and

%LOP 1_EW/%LOP2_EW) for each division were also used to determine the relative (or percentage) contribution of each of the subcategories to the composite category of divisional loss of offsite power initiating event frequency.

Offsite Power Recovery Due to the special features of the Fermi 2 electrical grid, the frequencies of losing either one or both divisional offsite power supplies simultaneously were calculated. A two-stage Bayesian update of the total loss of offsite power initiating event frequency

(%LOSP), divisional loss of offsite power initiating event frequencies (%LOP 1/%LOP2),

and switchyard-centered, divisional loss of offsite power initiating event frequencies

(%LOP1 _SC/%LOP2_SC) were performed in 2005 using generic LOSP event information provided in NUREG/CR-5496, draft INEEL/EXT-04-02326, and EPRI Technical Reports TR-106306, TR-110398, TR-1000158, TR-1002987, TR-1009889, and TR-10 11764, in conjunction with plant-specific information from Fermi 2. The loss of offsite power initiating event frequencies are listed in Table 4.5-12.

Table 4.5-16 shows the probabilities of failure of offsite power recovery. The non-recovery probabilities for the loss of offsite power events (%LOSP, %LOP 1, and

%LOP2) were previously derived in Appendix A of the Fermi 2 IPE. For purposes of evaluating offsite power recovery duration, there have been sufficient generic studies in recent years by the U.S. NRC and the industry to allow a useful characterization of these contributors to the AC power non-recovery curves as a function of time. In late 2002, early 2004, and late 2005, the non-recovery probabilities for the total and divisional loss of offsite power initiating events (%LOSP, %LOP1, %LOP2, %LOPISC, %LOP2_SC,

%LOP I_OTH, and %LOP2_OTH) were re-evaluated using the power restoration

Attachment .5 to NRC-07-0014 Page 7 duration information contained in NUREG/CR-5496, draft INEEL/EXT-04-02326, and EPRI Technical Reports TR-106306, TR- 110398, TR-1000158, TR-1002987, TR-1009889, and TR-101 1764. The blackout event that occurred on August 14, 2003 is also included in this set of data sources.

The loss of power events from the U.S. nuclear plants listed in the above documents were compiled and screened for the evaluation of failure of power restoration probabilities.

The review of these events was to determine if the recovery durations are applicable to Fermi 2 if similar events were to occur at Fermi 2. Those events surviving this screening are used for the analysis of power non-recovery probability as a function of time from the onset of loss of offsite power. This set of loss of offsite power events includes events that have occurred at U.S. nuclear units from 1980 through 2004. Since the recovery duration and thus the non-recovery probability may be significantly different among the five loss of offsite power subcategories (i.e., plant-centered, switchyard-centered, grid-related, severe weather-related, and extreme weather-related), the loss of offsite power initiating event frequencies and power non-recovery probability analysis performed in the 2005 update were performed separately for each of the subcategories. The results of these subcategories were then combined using the relative frequency contributions of the subcategories as the weighting factors.

To ensure that sufficient recovery duration data is available (and to increase the limited number of events that caused loss of offsite power for each of the subcategories) for the calculation of non-recovery probabilities, one of the event screening criteria was relaxed (from the screening performed for the loss of offsite power initiating event frequency analysis) to include also recovery durations for those events that occurred during plant shutdown and events that did not result in a unit trip. This would enlarge the size of the applicable event database to permit a more meaningful analysis. It is recognized, however, that this approach may result in more conservative non-recovery probabilities since the power recovery duration during shutdown or following events that did not cause a unit trip could potentially be longer than those events that occurred during power operations and had caused a unit trip.

Other key considerations used in the screening include:

" Recovery durations for events that were caused/influenced by those factors that were completely dependent on plant, design, locations, etc., and may not be applicable to Fermi 2 (e.g., recovery from failures caused by salt deposit/spray or from extensive damages caused by hurricanes in south Florida) were excluded.

" In addition to such considerations as excluding those recovery durations that involved efforts in washing the salt deposit or in recovery from extensive hurricane damages, this analysis also excludes those durations associated with power recovery by cross-tying to the 4.16kV buses or transformer output from the adjacent unit, since the unit crosstie capability does not exist at Fermi 2.

-to NRC-07-0014

• Page 8

" Recovery durations for events with momentary power loss are generally not considered unless extended duration was involved for the eventual bus restoration.

• In some cases, the recovery duration was adjusted to reflect a more realistic power recovery duration under transient or accident conditions (e.g., for those events in which some plants continued to run on emergency power even after offsite power became available).

The recovery time information contained in the event description for the remaining events were used to develop the non-recovery probabilities at 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> following the loss of offsite power events. The analysis of the non-recovery probabilities is similar for both the total loss of offsite power and the divisional loss of offsite power events. The power non-recovery probabilities as a function of time for each of the loss of offsite power initiating event subcategories were first calculated as the ratio of the number of loss of power events for that subcategory which last longer than the specified duration (i.e., 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for the pre-extended power uprate case) to the total number of events with applicable restoration time information for that subcategory. A weighted-average offsite power non-recovery probability as a function of time was then calculated by the use of the percentage frequency contribution of each of the loss of power subcategories.

In the case of total loss of offsite power initiating event, the non-recovery probabilities for all five subcategories were combined with the percentage frequency contributions of the subcategories (i.e., weighted-average) to develop the non-recovery probabilities for the total loss of offsite power initiating event (HERFOSPROG2 and HERFOSPR4HT).

For the divisional loss of offsite power events, the non-recovery probabilities calculated for the switchyard-centered, divisional loss of offsite power are used directly as separate basic events in the CAFTA model (HERFOSPR1H12_SC and HERFOSPR4H12_SC) for their corresponding initiating events. The same values are applied to both Division 1 and Division 2 switchyard-centered divisional loss of offsite power initiating events. For the composite, divisional loss of offsite power events including the remaining subcategories, the non-recovery probabilities calculated for each of the four subcategories were combined with the percentage frequency contributions for these subcategories (weighted average) to derive the non-recovery probabilities; i.e., HERFOSPRHI HOTH and HERFOSPR4H1_0TH for Division 1, and HERFOSPR1H2_0TH and HERFOSPR4H2_0TH for Division 2.

The offsite power recovery factors (or the non-recovery probabilities) are applied to all sequences except those in which recirculation pump trip or boron injection by the Standby Liquid Control System has failed following a scram failure event. This is considered reasonable because, typically, majority of the offsite power recovery effort is not performed by plant personnel, except for the switchyard breaker realignment operation to re-energize the buses that lost power after the offsite power supply is restored. As such, most of the offsite power recovery efforts are performed independently of the in-plant operator actions (i.e., performance of the offsite power recovery actions is

Attachment 5 to NRC-07-0014 Page 9 generally not affected by the in-plant event response in progress). It is, therefore, appropriate to apply offsite power recovery factor to the sequences in which scram function has failed, but recirculation pump trip and Standby Liquid Control System boron injection are successful.

Table 4.5-10 Fermi 2 List of Scram Initiating Events Date Source Scram Event Description Initiating Event Initiating Category Event ID 9/24/89 LER 89023 Loss of Division I ESF Power due to personnel error Loss of Division 1 %TF64 during checking of the 13.2kV switchgear inadvertently Offsite Power tripping buses 64B and 64C (cubicle door shut quickly causing relays located on door to trip).

1/27/94 LER 94001 Loss of Division I Power Due to ice storm in Loss of Division 1 %LOP1 conjunction with failure of an incoming feed breaker to Offsite Power open.

10/6/90 LER 90011 Reactor Scram due to discrepancy in the reactor water Inadvertent Reactor %RX level. Discrepancy was caused by air voids in A loop Scram reference leg.

6/27/91 LER 91015 Reactor Scram due to transformer fire (manual Inadvertent Reactor %RX shutdown due to overheating at main transformer 2A). Scram 3/16/92 LER 92002 Manual Shutdown due to inadvertent actuation of LPCI Inadvertent Reactor %RX loop select logic. Scram 4/7/92 LER 92003 Technical Specifications required shutdown due to Inadvertent Reactor %RX stuck open drywell-to-torus vacuum breaker Scram (suppression pool vacuum breaker not closing after being opened).

4/20/93 LER 93007 During a startup, leakage past a threaded adapter Inadvertent Reactor %RX allowed steam and water to leak into an instrument Scram cabinet, which contained the pressure transmitters used to control main steam manifold pressure. The transmitters failed causing the bypass valves to open.

The operator responded to the decreasing reactor vessel pressure and increasing reactor vessel level by gradually closing the bypass valves. As level decreased, feedwater flow increased causing an increase in reactor power and a reactor trip on IRM upscale.

8/13/93 LER 93010 Operator inadvertently unseated an instrument Inadvertent Reactor %RX calibration/vent isolation valve inducing a pressure Scram transient. A false high reactor water level signal caused a turbine trip and a reactor scram.

Attachment 5 to NRC-07-0014 Page 10 Table 4.5-10 Fermi 2 List of Scram Initiating Events Date Source Scram Event Description Initiating Event Initiating Category Event ID 2/28/95 LER 95003 Manual scram due to faulty instrumentation caused by Inadvertent Reactor %RX the gradual drain down of the Division 2 reactor water Scram level reference leg.

4/25/95 LER 95005 Reactor trip due to high neutron flux caused by reactor Inadvertent Reactor %RX pressure transient. A malfunction of a reactor pressure Scram regulator caused the turbine control valves and turbine bypass valves to open. When the regulator, control valves, and bypass valves returned to normal, a high APRM upscale signal tripped the reactor.

9/14/98 LER 98005 Manual scram in response to reactor power fluctuations. Inadvertent Reactor %RX Manual scram for power oscillations during RF06 Scram shutdown evolution.

5/18/99 LER 99002 Reactor recirculation pump trip results in manual Inadvertent Reactor %RX reactor scram. Recirculation pump trip caused by short Scram during MG set brush changeout which resulted in manual scram to avoid instability region on power-flow map.

12/6/01 LER 01004 Manual reactor scram due to a leak on the Stator Water Inadvertent Reactor %RX Cooling System (SWC) upper heat exchanger. The leak Scram occurred when a vent line broke and separated from the heat exchanger during removal of the pipe cap from the vent line. The original vent line design was a contributing factor. In anticipation of an automatic reactor scram due to a turbine trip from loss of SWC, a manual reactor scram was initiated by placing the mode switch in the shutdown position.

11/18/92 LER 92012 Manual scram due to loss of feedwater following trip of Loss of Feedwater %LOFW heater feed pumps.

2/26/89 LER 89006 Turbine trip and subsequent scram due to use of Turbine Trip with %TX overspeed reset. Turbine trip: caused by poor design of Bypass turbine overspeed trip linkage.

12/25/93 LER 93014 Automatic reactor shutdown following failure of the Turbine Trip with %TX main turbine. High turbine vibration causes a turbine Bypass trip.

6/2/95 LER 95006 Main turbine trip due to false overspeed during Turbine Trip with %TX mechanical overspeed test. Bypass 2/1/98 LER 98001 Automatic reactor scram due to a main turbine trip Turbine Trip with %TX caused by a relay failure on the 345 kV transmission Bypass mat.

3/21/91 LER 91004 Manual scram due to loss of condenser. Loss of Loss of Condenser %LOCV condenser vacuum due to failure of a moisture separator Vacuum reheater relief valve on a drain line.

Attachment 5 to NRC-07-0014 Page 11 Table 4.5-10 Fermi 2 List of Scram Initiating Events Date Source Scram Event Description Initiating Event Initiating Category Event ID 2/19/93 LER 93004 Loss of condenser vacuum causes a turbine trip Loss of Condenser %LOCV followed by a reactor scram. Vacuum 12/18/89 LER 89036 Reactor scram due to MSIV closure. During the Main Steam Isolation %CMSIV performance of reactor water cleanup differential flow Valve Closure functional test (44.020.151), an operator inadvertently depressed the close push-buttons on A, B and C inboard MSIVs and a reactor scram resulted.

5/4/90 LER 90004 Residual heat removal system small bore connections. Main Steam isolation %CMSIV MSIVs closed due to a loss of pneumatic pressure due Valve Closure to pneumatic supply isolation induced by MG set failure.

7/18/90 LER 90010 MSIV closure due to operator error. During main steam Main Steam Isolation %CMSTV line isolation channel functional surveillance test Valve Closure (24.137.001) an operator incorrectly depressed the "close" push-button for an outboard MSlV rather than the "test" push-button.

Attachment 5 to NRC-07-0014 Page 12 Table 4.5-12 Fermi 2 Updated Initiating Event Frequencies Initiating Event Category CAFTA IE NUREG/CR- Changes Prior Mean Prior Fermi 2 Data Bayesian Bayesian Bayesian Designator 5750 Category Distribution No. Events Updated Mean Updated 5 th% Updated 95th°%

INo. of Yrs Loss of Division 1 (120kV) Offsite %LOP1 B1 Use U.S. nuclear plant LOSP event data from 1980 4.36E-02 5 =9.71E-3 1/16.75 4.56E-02 1.30E-02 9.28E-02 Power Supply through 2004 (critical years were used) to generate the 2n 50' = 3.22E-2 stage prior for the 2-stage Bayesian update. %LOP1 is not 95' = 1.01E-1 used directly, but represented by %LOP1_SC and

'%LOP1 OTH in the Fermi 2 PRA model.

Loss of Division 1 (120kV) Offsite %LOP1_SC B1 Use U.S. nuclear plant LOSP event data from 1980 2.64E-02 5' = 4.70E-3 0/16.75 2.09E-02 3.95E-03 4.57E-02 Power Supply, Switchyard-Centered through 2004 (critical years were used) to generate the 2'd 50ý = 1.95E-2 stage prior for the 2-stage Bayesian update. 950 = 6.55E-2 Loss of Division 1 (120kV) Offsite %LOP1IOTH Bi The updated mean value for this IE was calculated by N/A N/A 0 / 16.75 2.46E-02 N/A N/A Power Supply, w/o Switchyard- subtracting %LOP1_SC from %LOP1.

Centered Loss of Division 2 (345kV) Offsite %LOP2 B1 Use U.S. nuclear plant LOSP event data from 1980 4.36E-02 T*= 9.71E-3 0 / 16.75 3.19E-02 8.07E-03 6.63E-02 Power Supply . through 2004 (critical years were used) to generate the 2'* 50' = 3.22E-2 stage prior for the 2-stage Bayesian update. %LOP2 is not 95 ' = 1.01E-1 used directly, but represented by %LOP2_SC and

%LOP2 0TH in the Fermi 2 PRA model.

Loss of Division 1 (120kV) Offsite %LOP2_SC Bi Use U.S. nuclear plant LOSP event data from 1980 2.64E-02 5' = 4.70E-3 0 / 16.75 2.09E-02 3.95E-03 4.57E-02 Power Supply, Switchyard-Centered through 2004 (critical years were used) to generate the 2 " 50'5 = 1.95E-2 stage prior for the 2-stage Bayesian update. 95 = 6.55E-2 Loss of Division 1 (120kV) Offsite %LOP2_OTH B1 The updated mean value for this IEwas calculated by N/A N/A 0 / 16.75 1.09E-02 N/A N/A Power Supply, w/o Switchyard- subtracting %LOP2_SC from %LOP2.

Centered Total Loss of Offsite Power %LOSP B13 Use U.S. nuclear plant LOSP event data from 1980 5.14E-03 = 4.22E-4 1 /16.75 1.09E-02 1.49E-03 3.24E-02 through 2004 (critical years were used) to generate the 2* 50' = 3.13E-3 (8/14/2003)

_stage prior for the 2-stage Bayesian update 95h = 1.41E-2 Legends:

L(a, b) - L represents Lognormal Distribution; a is the median and b is the error factor.

G(a, b) -G represents Gamma Distribution; b is critical years; a divided by bis the mean.

Notes:

1. With the exceptions of loss of offsite power and loss of 120VAC MPU cabinet initiating events, the data collection period used for this initiating event frequency update effort starts on 2/1/1989 (I.e., about 1 year after start of commercial operation) and ends on 1/31/2002.

2. Frequency of Functional Impact (FI) as listed is Table D-11 of NUREG/CR-5750 is usually used as prior.

3. For loss of offsite power and loss of 120VAC MPU cabinet initiating events, cumulative calendar years during the data collection period between 2/1/1989 and 1/31/2004 (i.e., the data collection period which includes the total loss of offsite power event of 8/14/2003) is used as the operating time for Bayesian update. For all other initiating events, cumulative critical years during the data collection period is used as the operating time for Bayesian update.

For %MPU1 and %MPU2, the data covers 9 cabinets (Cabinets 2 and 3 for MPUs 1, 2, and 3, and Cabinet 3 for MPUs 4, 5, and 6) over 15 years from 2/1/1989 through 1/31/2004 (for a total of 135 MPU cabinet years)

4. Prior mean for large LOCA initiating events %LLRA, %LLRB, %LLCSA, and %LLCSB were obtained by multiplying the mean value for G7 in Table D-11 of NUREG/CR-5750 by the fractions of small leaks that occur in Recirc. piping (30/34) and Core Spray piping (4/34), respectively, and then multiplying by 1/2/for each of the two loops. Prior mean for large LOCA initiating event %LLOTH was obtained by conservatively assuming 1 leak in piping other than Recirc. and Core Spray loops (1/34).

The median values for large LOCA initiating events were obtained by using the apportioned mean (from G7 in NUREG/CR-5750) and an error factor of 10.

5. Prior mean for inadvertent opening of 1 or 2 relief valves (%SRV12) was obtained by summing the mean values for G2 and G5 in Table D-11 of NUREG/CR-5750.

Parameter B for the prior gamma distribution uses the same value as that for G2. Parameter A for the prior gamma distribution was obtained by multiplying the prior mean by the Parameter B value.

6. The prior probability distribution for Initiating Event Category "Total Loss of Offsite Power" was obtained using the EPRI loss of offsite power event data (a better data source than NUREG/CR-5750 for loss of offsite power events). A two-stage Bayesian update was performed using the EPRI data source.

Attachment 5 to NRC-07-0014 Page 13 Table 4.5-16 Offsite Power Non-Recovery Probabilities Initiating Event Probability of Non-Recover, (per event) 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> Loss of All Offsite Power (%LOSP) 0.845 0.304 0.098 HERFOSPROG2 HERFOSPR4HT Loss of Divisional Offsite Power, 0.485 0.165 0.087 Switchyard-Centered HERFOSPRI HI12SC HERFOSPR4H12_SC

(%LOP I SC/%LOP2_SC)

Loss of Division 1 Offsite Power, 0.518 0.233 0.116 Others (%LOPI OTH) HERFOSPRIHI 0TH HERFOSPR4HI OTH Loss of Division 2 Offsite Power, 0.458 0.221 0.128 Others (%LOP2_0TH) HERFOSPRIH2 OTH HERFOSPR4H2 0TH

Attachment 6 MSPI EDG Unavailability Data

Attachment 6 to NRC-0OO014 Page 2 EDG 11 Functions monitored under Planned Unplanned Planned Unplanned Fault Fault MSPI but not Planned Support Unplanned Support Planned Unavailable Unavailable Exposure Exposure monitored under System System System System Overhaul Non -Crtical YrMQ Hours Hours Hours Reset Hours NEI 99-02 Hours Hours Hours Hours Hours Hours Critical Houo Jan-02 0.78 0.00 0.00 0.00 0.00 0.78 0.00 0.00 0.00 0.00 0.00 744.00 Feb-02 2.42 0.00 0.00 0.00 0.00 2.42 0.00 0.00 0.00 0.00 0.00 672.00 Mar-02 2.80 0.00 0.00 0.00 0.00 2.80 0.00 0.00 0.00 0.00 0.00 744.00 Apr-02 8.50 0.00 0.00 0.00 0.00 8.50 0.00 0.00 0.00 11.47 0.00 719.00 May-02 25.50 0.00 0.00 0.00 0.00 25.50 0.00 0.00 0.00 0.00 0.00 744.00 Jun-02 1.68 0.00 0.00 0.00 0.00 1.68 0.00 0.00 0.00 0.00 0.00 720.00 Jul-02 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 744.00 Aug-02 34.48 0.00 0.00 0.00 0.00 4.51 29.97 0.00 0.00 0.00 0.00 744.00 Sep-02 52.55 0.00 0.00 0.00 0.00 42.28 10.27 0.00 0.00 0.00 0.00 720.00 Oct-02 1.05 0.00 0.00 0.00 0.00 1.05 0.00 0.00 0.00 0.00 0.00 702.68 Nov-02 4.27 0.00 0.00 0.00 0.00 4.27 0.00 0.00 0.00 0.00 0.00 720.00 Dec-02 1.73 0.00 0.00 0.00 0.00 1.73 0.00 0.00 0.00 0.00 0.00 672.20 Jan-03 0.00 13.00 0.00 0.00 0.00 0.00 0.00 13.00 0.00 106.83 0.00 738.60 Feb-03 36.07 16.82 0.00 0.00 0.00 36.07 0.00 16.82 0.00 0.00 0.00 672.00 Mar-03 1.93 0.00 0.00 0.00 0.00 1.93 0.00 0.00 0.00 0.00 0.00 676.00 Apr-03 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 May-03 1.83 0.00 0.00 0.00 0.00 1.83 0.00 0.00 0.00 0.00 0.00 587.50 Jun-03 6.32 0.00 0.00 0.00 0.00 6.32 0.00 0.00 0.00 0.00 0.00 720.00 Jul-03 1.97 0.00 0.00 0.00 0.00 1.97 0.00 0.00 0.00 0.00 0.00 744.00 Aug-03 16.58 0.00 0.00 0.00 0.00 3.92 12.67 0.00 0.00 0.00 0.75 641.80 Sep-03 26.31 0.00 0.00 0.00 0.00 9.58 16.73 0.00 0.00 0.00 0.00 624.70 Oct-03 2.57 0.00 0.00 0.00 0.00 2.57 0.00 0.00 0.00 0.00 0.00 745.00 Nov-03 5.28 0.00 0.00 0.00 0.00 5.28 0.00 0.00 0.00 0.00 0.00 720.00 Dec-03 1.67 0.00 0.00 0.00 0.00 1.67 0.00 0.00 0.00 0.00 0.00 744.00 Jan-04 5.78 0.00 0.00 0.00 0.00 5.78 0.00 0.00 0.00 0.00 0.00 744.00 Feb-04 1.65 0.00 0.00 0.00 0.00 1.65 0.00 0.00 0.00 0.00 0.00 696.00 Mar-04 2.57 0.00 0.00 0.00 0.00 2.57 0.00 0.00 0.00 0.00 0.00 744.00 Apr-04 1.53 0.00 0.00 0.00 0.00 1.53 0.00 0.00 0.00 0.00 0.00 719.00 May-04 1.72 0.00 0.00 0.00 0.00 1.72 0.00 0.00 0.00 0.00 0.00 744.00 Jun-04 3.45 1.27 0.00 0.00 0.00 3.45 0.00 1.27 0.00 88.55 0.00 720.00 Jul-04 1.68 0.00 0.00 0.00 0.00 1.68 0.00 0.00 0.00 0.00 0.00 744.00 Aug-04 13.83 0.00 0.00 0.00 0.00 10.10 3.73 0.00 0.00 0.00 0.00 557.50 Sep-04 34.15 0.00 0.00 0.00 0.00 14.85 19.30 0.00 0.00 0.00 0.00 678.00 Oct-04 17.85 0.00 0.00 0.00 0.00 17.85 0.00 0.00 0.00 0.00 0.00 745.00 Nov-04 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 124.00 Dec-04 1.53 0.00 0.00 0.00 0.00 1.53 0.00 0.00 0.00 0.00 0.00 689.70 Jan-05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 568.30 Feb-05 1.63 0.00 0.00 0.00 0.00 1.63 0.00 0.00 0.00 0.00 0.00 572.00 Mar-05 1.55 0.00 0.00 0.00 0.00 1.55 .0.00 0.00 0.00 0.00 0.00 744.00 Apr-05 5.45 0.00 0.00 0.00 0.00 5.45 0.00 0.00 0.00 0.00 0.00 719.00 May-05 1.63 0.00 0.00 0.00 0.00 1.63 0.00 0.00 0.00 0.00 0.00 744.00 Jun-05 1.52 0.00 0.00 0.00 0.00 1.52 0.00 0.00 0.00 0.00 0.00 602.80 Jul-05 1.87 0.00 0.00 0.00 0.00 1.87 0.00 0.00 0.00 0.00 0.00 409.70 Aug-05 1.58 0.00 0.00 0.00 0.00 1.58 0.00 0.00 0.00 0.00 0.00 744.00 Sep-05 22.60 0.00 0.00 0.00 0.00 2.13 20.47 0.00 0.00 0.00 0.00 720.00 Oct-05 0.95 0.00 0.00 0.00 0.00 0.95 0.00 0.00 0.00 78.14 0.00 745.00 Nov-05 3.00 0.00 0.00 0.00 0.00 3.00 0.00 0.00 0.00 0.00 0.00 720.00 Dec-05 2.25 0.00 0.00 0.00 0.00 2.25 0.00 0.00 0.00 0.00 0.00 744.00 02-04 322.03 31.09 0.00 0.00 0.00 229.37 92.67 31.09 0.00 206.85 0.75 24164.68 02-04 Determination of initial value of Planned Unavailability EDG11

1. Record the Total train unavailable hours reported under ROP for 2002-2004 353.12

2. Subtract any fault exposure hours still included in the 2002-2004 period 0.00

3. Subtract any unplanned unavailable hours 31.09

4. Add on-line overhaul hours 206.85

5. Add unavailable hours for functions monitored under MSPI but not monitored under NEI 99-02 0.00

6. Subtract unavailable hours reported when reactor was not critical. 0.75

7. Subtract hours (planned) cascaded onto monitored systems by support systems 92.67 Result of Steps 1-7 on Pages F-7 and F-8 ==> 435.46

8. Divide the hours derived by the total critical hours during 2002 through 2004. 24164.68, This is the baseline planned unavailability. I 1.80E-021

Attachment 6 to NRC-07-0014 Page 3 EDG 12 Functions monitored under Planned Unplanned Planned Unplanned Fault Fault MSPI but not Planned Support Unplanned Support Planned Unavailable Unavailable Exposure Exposure monitored under System System System System Overhaul Non -Critical YrMQ Hours Hours Hours Reset Hours NEI 99-02 Hours Hours Hours Hours Hours Hours Critical Hours Jan-02 1.98 0.00 0.00 0.00 0.00 1.98 0.00 0.00 0.00 0.00 0.00 744.00 Feb-02 1.83 0.00 0.00 0.00 0.00 1.83 0.00 0.00 0.00 0.00 0.00 672.00 Mar-02 1.48 0.00 0.00 0.00 0.00 1.48 0.00 0.00 0.00 0.00 0.00 744.00 Apr-02 68.22 0.00 0.00 0.00 0.00 59.22 9.00 0.00 0.00 0.00 0.00 719.00 May-02 88.78 0.00 0.00 0.00 0.00 80.78 8.00 0.00 0.00 15.57 0.00 744.00 Jun-02 5.39 0.00 0.00 0.00 0.00 5.39 0.00 0.00 0.00 0.00 0.00 720.00 Jul-02 1.92 0.00 0.00 0.00 0.00 1.92 0.00' 0.00 0.00 0.00 0.00 744.00 Aug-02 1.80 0.00 0.00 0.00 0.00 1.80 0.00 0.00 0.00 0.00 0.00 744.00 Sep-02 17.92 0.00 0.00 0.00 0.00 7.65 10.27 0.00 0.00 0.00 0.00 720.00 Oct-02 6.98 26.40 0.00 0.00 0.00 6.98 0.00 26.40 0.00 0.00 0.00 702.68 Nov.02 6.93 0.00 0.00 0.00 0.00 6.93 0.00 0.00 0.00 0.00 0.00 720.00 Dec-02 2.62 0.00 0.00 0.00 0.00 2.62 0.00 0.00 0.00 0.00 0.00 672.20 Jan-03 1.93 0.00 0.00 0.00 0.00 1.93 0.00 0.00 0.00 0.00 0.00 738.60 Feb-03 13.15 0.00 0.00 0.00 0.00 13.15 0.00 0.00 0.00 0.00 0.00 672.00 Mar-03 2.03 0.00 0.00 0.00 0.00 2.03 0.00 0.00 0.00 0.00 0.00 676.00 Apr-03 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 May-03 2.13 0.00 0.00 0.00 0.00 2.13 0.00 0.00 0.00 0.00 0.00 587.50 Jun-03 1.75 0.00 694.00 694.00 0.00 1.75 0.00 0.00 0.00 93.72 0.00 720.00 Jul-03 1.30 0.00 744.00 744.00 0.00 1.30 0.00 0.00 0.00 0.00 0.00 744.00 Aug-03 3.08 0.00 744.00 744.00 0.00 3.08 0.00 0.00 0.00 0.00 0.75 641.80 Sep-03 17.46 17.43 720.00 720.00 0.00 0.73 16.73 17.43 0.00 0.00 0.73 624.70 Oct-03 2.10 0.00 745.00 745.00 0.00 2.10 0.00 0.00 0.00 0.00 0.00 745.00 Nov-03 56.87 0.00 183.93 183.93 0.00 56.87 0.00 0.00 0.00 0.00 0.00 720.00 Dec-03 9.05 0.00 0.00 0.00 0.00 9.05 0.00 I 0.00 0.00 0.00 0.00 744.00 Jan-04 1.92 0.00 0.00 0.00 0.00 1.92 0.00 0.00 0.00 0.00 0.00 744.00 Feb-04 3.92 0.00 0.00 0.00 0.00 3.92 0.00 0.00 0.00 0.00 0.00 696.00 Mar-04 66.02 0.00 0.00 0.00 0.00 66.02 0.00 0.00 0.00 0.00 0.00 744.00 Apr-04 1.72 0.00 0.00 0.00 0.00 1.72 0.00 0.00 0.00 0.00 0.00 719.00 May-04 1.43 0.00 0.00 0.00 0.00 1.43 0.00 0.00 0.00 0.00 0.00 744.00 Jun-04 1.62 0.00 0.00 0.00 0.00 1.62 0.00 0.00 0.00 0.00 0.00 720.00 Jul-04 1.33 0.00 0.00 0.00 0.00 1.33 0.00 0.00 0.00 0.00 0.00 744.00 Aug-04 4.02 86.65 385.25 385.25 0.00 0.29 3.73 86.65 0.00 90.07 0.00 557.50 Sep-04 33.53 0.00 0.00 0.00 0.00 14.23 19.30 0.00 0.00 0.00 0.00 678.00 Oct-04 1.13 0.00 0.00 0.00 0.00 1.13 0.00 0.00 0.00 0.00 0.00 745.00 Nov-04 7.30 0.00 0.00 0.00 0.00 7.30 0.00 0.00 0.00 0.00 0.00 124.00 Dec-04 2.48 0.00 0.00 0.00 0.00 2.48 0.00 0.00 0.00 0.00 0.00 689.70 Jan-05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 568.30 Feb-05 1.55 0.00 0.00 0.00 0.00 1.55 0.00 0.00 0.00 0.00 1.55 572.00 Mar-05 1.50 0.00 0.00 0.00 0.00 1.50 0.00 0.00 0.00 0.00 0.00 744.00 Apr-05 1.82 0.00 0.00 0.00 0.00 1.82 0.00 0.00 0.00 0.00 0.00 719.00 May-05 11.67 0.00 0.00 0.00 0.00 11.67 0.00 0.00 0.00 0.00 0.00 744.00 Jun-05 1.32 0.00 0.00 0.00 0.00 1.32 0.00 0.00 0.00 0.00 0.00 602.80 Jul-05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 409.70 Aug-05 1.55 0.00 0.00 0.00 0.00 1.55 0.00 0.00 0.00 0.00 0.00 744.00 Sep-05 25.82 0.00 0.00 0.00 0.00 10.75 15.07 0.00 0.00 0.00 0.00 720.00 Oct-05 27.68 0.00 0.00 0.00 0.00 27.88 0.00 0.00 0.00 0.00 0.00 745.00 Nov-05 1.88 0.00 0.00 0.00 '0.00 1.88 0.00 0.00 0.00 0.00 0.00 720.00 Dec-05 3.82 0.00 0.00 0.00 0.00 3.82 0.00 0.00 0.00 0.00 0.00 744.00 02-04 443.12 130.48 4216.18 4216.18 0.00 376.09 67.03 130.48 0.00 199.36 1.48 24164.68 02 - 04 Determination of initial value of Planned Unavailability EDG12

1. Record the Total train unavailable hours reported under ROP for 2002-2004 573.60

2. Subtract any fault exposure hours still included in the 2002-2004 period 0.00

3. Subtract any unplanned unavailable hours 130.48

4. Add on-line overhaul hours 199.36

5. Add unavailable hours for functions monitored under MSPI but not monitored under NEI 99-02 0.00

6. Subtract unavailable hours reported when reactor was not critical. 1.48

7. Subtract hours (planned) cascaded onto monitored systems by support systems 67.03 Result of Steps 1-7 on Pages F-7 and F-8 = 573.96

8. Divide the hours derived by the total critical hours during 2002 through 2004. 24164.68

_This is the baseline planned unavailability. 7 2"38E-021

Attachment 6 to NRC-07-0014 Page 4 EDG 13 Functions monitored under Planned Unplanned Planned Unplanned Fault Fault MSPI but not Planned Support Unplanned Support Planned Unavailable Unavailable Exposure Exposure monitored under System System System System Overhaul Non -Critical YrMQ Hours Hours Hours Reset Hours NEI 99-02 Hours Hours Hours Hours Hours Hours Critical Hourn Jan-02 1.72 0.00 0.00 0.00 0.00 1.72 0.00 0.00 0.00 0.00 0.00 744.00 Feb-02 2.25 0.00 0.00 0.00 0.00 2.25 0.00 0.00 0.00 0.00 0.00 672.00 Mar-02 1.86 0.00 0.00 0.00 0.00 1.86 0.00 0.00 0.00 0.00 0.00 744.00 Apr-02 28.52 0.00 0.00 0.00 0.00 12.52 16.00 0.00 0.00 0.00 0.00 719.00 May-02 21.83 5.00 0.00 0.00 0.00 21.83 0.00 5.00 0.00 25.08 0.00 744.00 Jun-02 1.68 0.00 0.00 0.00 0.00 1.68 0.00 0.00 0.00 0.00 0.00 720.00 Jul-02 2.27 0.00 0.00 0.00 0.00 2.27 0.00 0.00 0.00 0.00 0.00 744.00 Aug-02 19.64 1.30 0.00 0.00 0.00 3.27 16.37 1.30 0.00 0.00 0.00 744.00 Sep-02 2.18 0.00 0.00 0.00 0.00 2.18 0.00 0.00 0.00 0.00 0.00 720.00 Oct-02 2.70 0.00 0.00 0.00 0.00 2.70 0.00 0.00 0.00 0.00 0.00 702.68 Nov-02 2.17 0.00 0.00 0.00 0.00 2.17 0.00 0.00 0.00 0.00 0.00 720.00 Dec-02 4.10 0.00 0.00 0.00 0.00 2.10 2.00 0.00 0.00 0.00 0.00 672.20 Jan-03 9.42 0.00 0.00 0.00 0.00 9.42 0.00 0.00 0.00 0.00 0.00 738.60 Feb-03 14.27 0.00 0.00 0.00 0.00 14.27 0.00 0.00 0.00 0.00 0.00 672.00 Mar-03 2.75 0.00 0.00 0.00 0.00 2.75 0.00 0.00 0.00 0.00 0.00 676.00 Apr-03 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 May-03 1.52 0.00 0.00 0.00 0.00 1.52 0.00 0.00 0.00 0.00 0.00 587.50 Jun-03 2.03 2.03 0.00 0.00 0.00 2.03 0.00 2.03 0.00 62.57 0.00 720.00 Jul-03 2.38 0.00 0.00 0.00 0.00 2.38 0.00 0.00 0.00 0.00 0.00 744.00 Aug-03 2.15 0.00 0.00 0.00 0.00 2.15 0.00 0.00 0.00 0.00 1.42 641.80 Sep-03 1.55 0.00 0.00 0.00 0.00 1.55 0.00 0.00 0.00 0.00 0.00 624.70 Oct-03 9.54 0.00 0.00 0.00 0.00 2.39 7.15 0.00 0.00 0.00 0.00 745.00 Nov-03 2.62 0.00 0.00 0.00 0.00 2.62 0.00 0.00 0.00 0.00 0.00 720.00 Dec-03 12.48 0.00 0.00 0.00 0.00 12.48 0.00 0.00 0.00 0.00 0.00 744.00 Jan-04 2.43 0.00 0.00 0.00 0.00 2.43 0.00 0.00 0.00 0.00 0.00 744.00 Feb-04 4.42 0.00 0.00 0.00 0.00 4.42 0.00 0.00 0.00 0.00 0.00 696.00 Mar-04 1.18 0.00 0.00 0.00 0.00 1.18 0.00 0.00 0.00 0.00 0.00 744.00 Apr-04 1.60 0.00 0.00 0.00 0.00 1.60 0.00 0.00 0.00 0.00 0.00 719.00 May-04 1.92 0.00 0.00 0.00 0.00 1.92 0.00 0.00 0.00 0.00 0.00 744.00 Jun-04 1.33 0.00 0.00 0.00 0.00 1.33 0.00 0.00 0.00 0.00 0.00 720.00 Jul-04 7.37 0.00 0.00 0.00 0.00 7.37 0.00 0.00 0.00 .0.00 0.00 744.00 Aug-04 1.60 0.00 0.00 0.00 0.00 1.60 0.00 0.00 0.00 0.00 1.60 557.50 Sep-04 34.15 7.12 2.72 0.00 0.00 16.47 17.68 7.12 0.00 0.00 0.00 678.00 Oct-04 1.87 0.00 0.00 0.00 0.00 1.87 0.00 0.00 0.00 0.00 0.00 745.00 Nov-04 24.20 0.00 0.00 0.00 0.00 24.20 0.00 0.00 0.00 0.00 0.00 124.00 Dec-04 1.65 0.00 0.00 0.00 0.00 1.65 0.00 0.00 0.00 0.00 0.00 689.70 Jan-05 1.85 0.00 0.00 0.00 0.00 1.85 0.00 0.00 0.00 0.00 0.00 568.30 Feb-05 1.37 0.00 0.00 0.00 0.00 1.37 0.00 0.00 0.00 0.00 0.00 572.00 Mar-05 2.15 0.00 0.00 0.00 0.00 2.15 0.00 0.00 0.00 0.00 0.00 744.00 Apr-05 1.75 0.00 0.00 0.00 0.00 1.75 0.00 0.00 0.00 88.99 0.00 719.00 May-05 1.73 0.00 0.00 0.00 0.00 1.73 0.00 0.00 0.00 0.00 0.00 744.00 Jun-05 4.80 0.00 0.00 0.00 0.00 4.80 0.00 0.00 0.00 0.00 0.00 602.80 Jul-05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 409.70 Aug-05 4.07 0.00 0.00 0.00 0.00 4.07 0.00 0.00 0.00 58.60 0.00 744.00 Sep-05 27.51 0.00 0.00 0.00 0.00 8.10 19.41 0.00 0,00 0.00 0.00 720.00 Oct-05 1.92 0.00 0.00 0.00 0.00 1.92 0.00 0.00 0.00 0.00 0.00 745.00 Nov-05 27.80 0.00 0.00 0.00 0.00 4.61 23.18 0.00 0.00 0.00 0.00. 720.00 Dec-05 2.23 0.00 0.00 0.00 0.00 2.23 0.00 0.00 0.00 0.00 0.00 744.00 02-04 235.35 15.45 2.72 0.00 0.00 176.15 59.20 15.45 0.00 87.65 3.02 24164.68 02-04 Determination of initial value of Planned Unavailability EDG13

1. Record the Total train unavailable hours reported under ROP for 2002-2004 250.80

2. Subtract any fault exposure hours still included in the 2002-2004 period 2.72

3. Subtract any unplanned unavailable hours 15A5

4. Add on-line overhaul hours 87.65

5. Add unavailable hours for functions monitored under MSPI but not monitored under NEI 99-02 0.00

6. Subtract unavailable hours reported when reactor was not critical. 3.02

7. Subtract hours (planned) cascaded onto monitored systems by support systems 59.20 Result of Steps 1-7 on Pages F-7 and F-8 => 258.06

8. Divide the hours derived by the total critical hours during 2002 through 2004. 24164.68

_This is the baseline planned unavailability. I 1"07E-021

Attachment 6 to NRC-07-0014 Page 5 EDG 14 Functions monitored under Planned Unplanned Planned Unplanned Fault Fault MSPI but not Planned Support Unplanned Support Planned Unavailable Unavailable Exposure Exposure monitored under System System System System Overhaul Non -Critical YrMQ Hours Hours Hours Reset Hours NEI 99-02 Hours Hours Hours Hours Hours Hours Critical Hours Jan-02 5.55 0.00 0.00 0.00 0.00 5.55 0.00 0.00 0.00 00 0.00 744.00 Feb-02 170 0.00 0.00 0.00 0.00 1.70 0.00 0.00 0.00 0.00 0.00 672.00 Mar-02 11.20 2.10 0.00 0.00 0.00 11.20 0.00 2.10 1 0.00 0.00 0.00 744.00 Apr-02 7.78 0.00 0.00 0.00 0.00 1.78 6.00 0.00 0.00 0.00 0.00 719.00 MyQ2 48.73 0.00 0.00 0.00 0.00 48.73 0.00 0.00 0.00 44.15 0.00 744.00 Jun-02 5.62 0.00 0.00 0.00 0.00 5.62 0.00 0.00 0.00 0.00 0.00 720.00 Jul-02 2.42 0.00 0.00 0.00 0.00 2.42 0.00 0.00 0.00 0.00 0.00 744.00 Aug-02 18.32 0.47 0.00 0.00 0.00 1.95 16.37 0.47 0.00 0.00 0.00 744.00 Sep-02 18.85 3.47 0.00 0.00 0.00 18.85 0.00 3.47 0.00 0,00 0.00 720.00 Oct-02 2.38 0.00 0.00 0.00 0.00 2.38 0.00 0.00 0.00 0.00 0.00 702.68 Nov-02 2.84 0.00 0.00 0.00 0.00 2.84 0.00 0.00 0.00 0.00 0.00 720.00 Dec-02 2.52 0.00 0.00 0.00 0.00 2.52 0.00 0.00 0.00 0.00 0.00 672.20 Jan-03 1.83 0.00 0.00 0.00 0.00 1.83 0.00 0.00 0.00 0.00 0.00 738.60 Feb-03 16.97 0.00 0.00 0.00 0.00 16.97 0.00 0.00 0.00 0.00 0.00 672.00 Mar-03 5.93 0.00 0.00 0.00 0.00 5.93 0.00 0.00 0.00 0.00 0.00 676.00 Apr-03 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 May-03 2.23 0.00 0.00 0.00 0.00 2.23 0.00 0.00 0.00 0.00 0.00 587.50 Jun-03 6.37 0.00 0.00 0.00 0.00 6.37 0.00 0.00 0.00 79.22 0.00 720.00 Jul-03 1.40 0.00 0.00 0.00 0.00 1.40 0.00 0.00 0.00 0.00 0.00 744.00 Aug-03 3.00 0.00 0.00 0.00 0.00 3.00 0.00 0.00 0.00 0.00 0.75 641.80 Sep-03 3.78 0.00 0.00 0.00 0.00 3.78 0.00 0.00 0.00 0.00 0.00 624.70 Oct-03 8.55 0.00 0.00 0.00 0.00 1.40 7.15 0.00 0.00 0.00 0.00 745.00 Nov-03 1.60 0.00 0.00 0.00 0.00 1.60 0.00 0.00 0.00 0.00 0.00 720.00 Dec-03 2.63 0.00 0.00 0.00 0.00 2.63 0.00 0.00 0.00 130.00 0.00 744.00 Jan-04 7.17 0.00 0.00 0.00 0.00 7.17 0.00 0.00 00 0.00 0.00 744.00 Feb-04 4.42 0.00 0.00 0.00 0.00 4.42 0.00 0.00 0.00 0.00 0.00 696.00 Mar-04 1.48 0.00 0.00 0.00 0.00 1.48 0.00 0.00 0.00 0.00 0.00 744.00 Apr-04 1.63 0.00 0.00 0.00 0.00 1.63 0.00 0.00 0.00 0.00 0.00 719.00 May-04 2.67 0.00 0.00 0.00 0.00 2.67 0.00 0.00 0.00 0.00 0.00 744.00 4

Jun-0 1.62 0.00 0.00 0.00 0.00 1.62 0.00 0.00 0.00 0.00 0.00 720.00 Jul-04 1.42 0.00 0.00 0.00 0.00 1.42 0.00 0.00 0.00 0.00 0.00 744.00 Aug-04 1.38 0.00 0.00 0.00 0.00 1.38 0.00 0.00 0.00 0.00 0.00 557.50 Sep-04 33.08 7.13 2.72 0.00 0.00 15.40 17.68 7.13 0.00 0.00 0.00 678.00 Oct-04 11.98 0.00 0.00 0.00 0.00 11.98 0.00 0.00 0.00 0.00 0.00 745.00 Nov-04 23.48 0.00 0.00 0.00 0.00 23.48 0.00 0.00 00 0.00 0.00 124.00 Dec-04 1.80 0.00 0.00 0.00 0.00 1.80 0.00 0.00 0.00 0.00 0.00 689.70 Jan-05 1.53 0.00 0.00 0.00 0.00 1.53 0.00 0.00 0.00 0.00 0.00 568.30 Feb-05 7.68 9.08 0.00 0.00 0.00 7.68 0.00 9.08 0.00 88.82 0.00 572.00 Mar-05 1.72 0.00 0.00 0.00 0.00 1.72 0.00 0.00 0.00 0.00 0.00 744.00 Apr-05 1.98 0.00 0.00 0.00 0.00 1.98 0.00 0.00 0.00 0.00 0.00 719.00 May-05 7.06 0.00 0.00 0.00 0.00 7.06 0.00 0.00 0.00 0.00 0.00 744.00 Jun-05 1.67 0.00 0.00 0.00 0.00 1.67 0.00 0.00 0.00 0.00 0.00 602.80 Jul-05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 409.70 Aug-05 10.73 0.00 0.00 0.00 0.00 10.73 0.00 0.00 0.00 0.00 0.00 744.00 Sep-05 25.87 14.10 0.00 0.00 0.00 0.53 25.34 14.10 0.00 0.00 0.00 720.00 Oct-05 1.97 0.00 0.00 0.00 0.00 1.97 0.00 0.00 0.00 0.00 0.00 745.00 Nov-05 7.47 0.00 0.00 0.00 0.00 7.47 0.00 0.00 0.00 0.00 0.00 720.00 Dec-05 2.83 0.00 0.00 0.00 01.00 2.83 0.00 0.00 0.00 55.67 0.00 744.00 02 -04 274.33 1 13.17 j 2.72 0.00 0.00 227.13 47.20 13.17 0.00 123.37 0.75 24164.68 02 - 04 Determination of initial value of Planned Unavailability EDG14

1. Record the Total train unavailable hours reported under ROP for 2002-2004 287.50

2. Subtract any fault exposure hours still included in the 2002-2004 period 2.72

3. Subtract any unplanned unavailable hours 13.17

4. Add on-line overhaul hours 123.37

5. Add unavailable hours for functions monitored under MSPI but not monitored under NEI 99-02 0.00

6. Subtract unavailable hours reported when reactor was not critical. 0.75

7. Subtract hours (planned) cascaded onto monitored systems by support systems 47.20 Result of Steps 1-7 on Pages F-7 and F-8 == 347.03

8. Divide the hours derived by the total critical hours during 2002 through 2004. 24164.68 This is the baseline planned unavailability. I 1.44E-02 1 to NRC-07-0014 Page 2 Attachment 7 Resume of PRA/HRA Consultant

5ABS Consulting JAMES C. LIN JAMES C. LIN PROFESSIONAL

SUMMARY

Mr. James C. Lin is a Senior Consultant with over 26 years of experience in probabilistic safety assessment (PSA), reliability and availability analysis, and system engineering.

He has led key tasks in over 20 major PSAs. He has performed extensive work in every aspect of PSAs including fire PSA. One of the most experienced analysts at ABS Consulting. Mr. Lin has served as project manager, principal investigator, or task leader in numerous nuclear plant projects.

-,PROFESSIONAL EXPERIENCE ..

Project manager and principal investigator for thý Fermi 2 Level 2 rmiodel fipdife pr-oject.

Project manager and principal investigator for the Hope Creek and Salem PSA updates.

Project manager for the Fermi 2 and Hatch data update projects. Principal investigator for the Fermi 2 selected PSA element upgrade project. Principal investigator for the risk evaluation of Hatch main steam line high steam flow setpoint and SRV operability issues. Project leader for the risk-informed fire analysis completed for the evaluation of the Chinshan, Kuosheng, and Maanshan cable tray fire barrier wraps. Project manager and principal investigator for the Capacity Loss Prevention Model Development project completed for the Hope Creek and Salem plants. Project manager and principal reviewer for the Peer Review Certification project completed for the at-power and shutdown living PSAs for the Chinshan, Kuosheng, and Maanshan plants. On behalf of Republic of China Atomic Energy Council (ROCAEC), served as the primary reviewer for the severe accident analysis section of the Lungmen Preliminary' Safety Analysis Report (PSAR). Supported the entire PSA certification process for a major nuclear utility in the U.S.

Project manager and principal investigator for the risk-informed regulation initiatives project being conducted for Taiwan Power Company and, Institute of Nuclear Energy Research. Project manager and principal investigator for the risk-informed extension of EDG AOT project completed for Salem. Provided training, guidance, and review services for the Kuosheng risk-informed inservice inspection of piping pilot project.

Served as the principal reviewer for the analyses performed in the Vogtle risk-informed in-service inspection of piping program (RI-ISI). Provided guidance and served as the main reviewer for the analyses performed for the application of Hatch diesel generator allowed outage time (AOT) extension. Providing guidance and serving as the principal reviewer for the analyses performed for the application of risk-informed Technical Specification relaxation associated with ECCS and Reactor Protection System B-2

SABS Consulting JAMES C. LIN Instrumentation for Plant Hatch. Providing guidance and serving as the principal reviewer for the analyses performed for the application of risk-informed AOT extension associated with the DC systems including batteries for Plant Hatch. Project manager and principal investigator for the on-line maintenance, outage management, in-vessel Visual inspection, and risk-informed in-service inspection of piping projects performed for Institute of Nuclear Energy Research (INTER). Mr. Lin provided on-line maintenance training at the nuclear power plants and headquarters at Taiwan Power Company.

Mr. Lin was Project manager and principal investigator for the Taiwan Power Company steam generator aging management project.

Supported the implementation of a risk monitor for on-line maintenance risk assessment at Plant Hatch. Project manager and principal investigator for the development of an on-line risk monitor-and-for the conversion of-PSA model-to a fault tree liLckinig software platform (CAFTA). for Plant Hatch and Fermi 2. Project manager for the development of Safety Monitor models for Beaver Valley Units 1 and 2 and Indian Point Unit 2. Project manager for the development of system performance criteria for Hatch. Project manager for the technical services provided to Beaver Valley in support of the risk matrix development and Maintenance Rule inspection. Project manager and principal investigator for the conversion of Salem PSA from the WinNUPRA to the CAFTA software platform.

Principal investigator for the development of an outage risk model for Fermi 2.

Principal reviewer for a shutdown events PSA for a Japanese PWR. Participated in an extensive review and survey of the shutdown external event PSAs. Principal investigator for the human reliability and procedure event tree tasks in a shutdown events PSA for a typical Japanese PWR. Project manager for the human action and control room fire analyses in the USNRC pressurized water reactor low power and shutdown accident sequence program- Principal investigator for the Advanced Neutron Source (ANS) Reactor PSA. Developed risk model for ANS refueling operations.

Prepared review comments for a utility client on the regulatory approach to shutdown and low-power operations.

Principal reviewer for the Farley (a 3-loop Westinghouse plant) PSA and risk monitor model revisions. Performed update analysis for Farley and Vogtle human reliability analyses (HRAs). Provided guidance and review services to the data analysis update for Plant Hatch. Principal reviewer for the Fermi system fault tree model upgrade project.

Systems modeling task leader for the Browns Ferry IPE, Watts Bar IPE, Sequoyah IPE,.

and Diablo Canyon PRA. Provided consulting services, training, and technical review for the at-power PSA of Fukushima Daiichi Unit 2. Principal investigator for the conversion of Kuosheng PSA from fault tree linking to event tree linking model.

Principal investigator and support systems plant model and systems analysis task leader B-3