Supplement to Application to Revise Harris Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b

ML20209A304
Person / Time
Site:	Harris
Issue date:	07/27/2020
From:	Maza K Duke Energy Corp
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
RA-20-0223
Download: ML20209A304 (70)
v • d • e

Text

Kim Maza Site Vice President Harris Nuclear Plant 5413 Shearon Harris Road New Hill, NC 27562 10 CFR 50.90 July 27, 2020 RA-20-0223 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 Shearon Harris Nuclear Power Plant, Unit 1 Docket No. 50-400/Renewed License No. NPF-63

Subject:

Supplement to Application to Revise Harris Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b

References:

1. Letter from T. M. Hamilton (Duke Energy Progress, LLC) to U.S. Nuclear Regulatory Commission, License Amendment Request to Revise Technical Specifications to Adopt Risk-Informed Completion Times TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF Initiative 4b, dated October 7, 2019 (ADAMS Accession No. ML19280C844).

2. E-mail from T. Hood (U.S. Nuclear Regulatory Commission) to D. C. Earp (Duke Energy Progress, LLC), RE: Harris Remote Audit - Items Requested to be Supplemented Prior to RAI, dated June 29, 2020.

Ladies and Gentlemen:

By letter dated October 7, 2019 (Reference 1), Duke Energy Progress, LLC (Duke Energy) requested an amendment to the Shearon Harris Nuclear Power Plant, Unit 1 (HNP) Renewed Facility Operating License. The proposed amendment would modify Technical Specifications (TS) requirements to permit the use of Risk-Informed Completion Times in accordance with TSTF-505, Revision 2, Provide Risk-Informed Extended Completion Times - RITSTF

[Risk-Informed TSTF] Initiative 4b, (ADAMS Accession No. ML18183A493).

By e-mail dated June 29, 2020 (Reference 2), the Nuclear Regulatory Commission (NRC) agreed with Duke Energys proposal to supplement the license amendment request (LAR) in Reference 1 to address several of the NRC staffs questions posed during the June 2020 regulatory audit that was held in support of the LAR review.

The Enclosure provides Duke Energys response to a selection of the NRC staffs regulatory audit questions.

U.S. Nuclear Regulatory Commission RA-20-0223 Page2 Duke Energy has reviewed the information supporting the No Significant Hazards Consideration and the Environmental Consideration that was previously provided to the NRG in Reference 1.

The additional information provided in this LAR supplement does not impact the conclusion that the proposed license amendment does not involve a significant hazards consideration. The additional information also does not impact the conclusion that there is no need for an environmental assessment to be prepared in support of the proposed amendment.

There are no regulatory commitments contained in this submittal.

In accordance with 10 CFR 50.91, Duke Energy is notifying the State of North Carolina of the supplement to this LAR by transmitting a copy of this letter and enclosure to the designated State Official.

If there are any questions or if additional information is needed, please contact Mr. Art Zaremba, Manager- Nuclear Fleet Licensing, at 980-373-2062 or Arthur.Zaremba@duke-energy.com.

I declare under penalty of perjury that the foregoing is true and correct. Executed on July 27, 2020.

Sincerely,

~~--1/V\d~

Kim Maza Site Vice President Harris Nuclear Plant

Enclosure:

Supplemental Information cc (with Enclosure):

L. Dudes, NRG Regional Administrator, Region II J. Zeiler, NRG Senior Resident Inspector, HNP M. Mahoney, NRG Project Manager, HNP W. L. Cox, 111, Section Chief N.C. DHSR

U.S. Nuclear Regulatory Commission RA-20-0223 Page 1 Enclosure Supplemental Information

U.S. Nuclear Regulatory Commission RA-20-0223 Page 2 NOTE: The NRC staffs questions are in italics throughout this enclosure to distinguish from the Duke Energy responses.

Question 01 - Probabilistic Risk Assessment (PRA) Implementation Items from 10 CFR 50.69 License Amendment Regulatory Guide (RG) 1.174, Revision 3, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis (ADAMS Accession No. ML17317A256), states that the scope, level of detail, and technical adequacy of the PRA are to be commensurate with the application for which it is intended and the role the PRA results play in the integrated decision process. The NRCs safety evaluation (SE) for Nuclear Energy Institute (NEI) Topical Report NEI 06-09, Revision 0-A, Risk Informed Technical Specifications Initiative 4b: Risk Managed Technical Specification (RMTS) (ADAMS Accession Nos. ML071200238 and ML122860402), states that the PRA models should conform to the guidance in RG 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities. The current version is RG 1.200, Revision 2 (ADAMS Accession No. ML090410014), which clarifies the current applicable American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS)

PRA standard is ASME/ANS RA-Sa-2009, Addenda to ASME/ANS RA-S-2008, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. RG 1.200 describes a peer review process using ASME/ANS RA-Sa-2009 as one acceptable approach for determining the technical acceptability of the PRA. The primary result of a peer review are the facts and observations (F&Os) recorded by the peer review team and the subsequent resolution of these F&Os. ASME/ANS RA-Sa-2009, as endorsed by RG 1.200, Revision 2, defines PRA upgrade as the incorporation into a PRA model of a new methodology or significant changes in scope or capability that impact the significant accident sequences or the significant accident progression sequences. Section 1-5 in Part 1 of ASME/ANS RA-Sa-2009 states that upgrades of a PRA shall receive a peer review in accordance with the requirements specified in the peer review section of each respective part of this Standard.

The SE dated September 17, 2019 (ADAMS Accession No. ML19192A012) for the Harris LAR to adopt the provisions of Title 10 of the Code of Federal Regulations Section 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors, (10 CFR 50.69) identified the following PRA implementation items that may impact the current LAR to adopt TSTF-505, Revision 2.

i. Perform a detailed analysis in accordance with current methods for the four significant human failure events identified and incorporate the analysis into the Harris fire PRA model, as indicated in the licensee letter dated October 18, 2018 (ADAMS Accession No. ML18291A606).

ii. Update the fire PRA model to credit incipient detection per NUREG-2180, Determining the Effectiveness, Limitations, and Operator Response for Very Early Warning Fire Detection Systems in Nuclear Facilities (DELORES-VEWFIRE) (ADAMS Accession No. ML16343A058), or other NRC acceptable methodology, as described in the licensee letter dated October 18, 2018.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 3 iii. Update the fire PRA model to account for scenarios to address fire-induced failure of structural steel in the Turbine Building, as indicated in response to request for additional information 02.f contained in the licensee letter dated October 18, 2018.

iv. Update the PRA models to account for isolation of the reactor coolant system accumulators and steam generator safety relief valves, as indicated in response to RAI 5.01 of the licensee letter dated April 23, 2019 (ADAMS Accession No. ML19113A285).

From the information in the LAR, the NRC staff is unclear how these PRA model implementation items are addressed for the current LAR. Address the following:

a) Provide the status of the four implementation items. In this discussion, indicate whether the PRA models have been updated for each implementation item and, as applicable, summarize the changes made to the PRA models; indicate whether each change was PRA maintenance or a PRA upgrade, along with justification for this determination; discuss peer reviews performed on the PRA upgrades; and provide any F&Os and associated dispositions from these peer reviews in accordance with RG 1.200, Revision 2.

Duke Energy Response to Question 01, Part a The implementation items are all complete. There are no PRA upgrades that have not been peer reviewed. There are no open F&Os from peer reviews of these implementation items.

Each item is discussed below:

i. Three of the four human failure events had a detailed analysis performed. The remaining event was removed from the model and is not credited. This work was PRA maintenance, based on the following reasoning: The same detailed human reliability analysis (HRA) methodology was applied to new human failure event (HFE) calculations as was used for other HFE calculations, and therefore does not constitute a PRA upgrade, similar to Example 20 of Appendix 1-A of ASME/ANS RA-Sa-2009.

ii. NUREG-2180 methodology was adopted and incorporated into the HNP fire model. This work was PRA maintenance, based on the following reasoning: NUREG-2180 documents a confirmatory research program to inform the incipient detection credit methodology documented in FAQ 08-0046 (i.e., use of an event tree to address failure of incipient detection prior to conventional detection/suppression NSP calculation).

Incorporation of NUREG-2180 is essentially a data update, as it uses the outcome of the research to inform the value of existing event tree branches, as well as to inform some new event tree branches that are appropriate, and what the factors for each branch should be. However, the methodology of using an event tree to determine the failure likelihood of incipient detection has not changed and the values for each split fraction are provided in NUREG-2180. Similar to Example 3 of Appendix 1-A of ASME/ANS RA-Sa-2009, the incorporation of NUREG-2180 affects the numerical quantification of scenarios where incipient is modeled but does not change the scope or insights obtained from methodology used for those scenarios.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 4 iii. A quantitative assessment of the risk of fire-induced structural steel failure was added to the model. This work was a PRA Upgrade. The upgrade was peer reviewed in a Focused Scope Peer Review performed in June 2019 and findings closed in an F&O Closure in June 2019. There are no open finding level F&Os remaining from implementation of this issue.

iv. Modeling has been added to the internal events model, including internal flooding, to explicitly address isolation of reactor coolant system accumulators and steam generator safety relief valves. This change was also adopted by the fire model and fully incorporated. This work encompassed incorporation of modified system logic, data, and human failure events via the established methodology and was PRA maintenance, similar to Examples 6 and 20 of Appendix 1-A of ASME/ANS RA-Sa-2009.

Additionally, Enclosure 9 of the LAR describes the process for identifying key assumptions and sources of uncertainties and provides an assessment of each identified key assumption and uncertainty. Specifically, item 8 in Table E9-1 identifies a modeling incompleteness where an operator action to isolate the accumulators is not credited in the PRA. The failure to isolate the accumulators was incorporated into the PRA models as described above and includes the operator action as well as equipment failures. Therefore, this is no longer a key assumption/uncertainty for the application.

b) For those implementation items not completed and those PRA upgrades not peer reviewed, as identified under part (a), propose a mechanism that ensures these implementation items will be completed and necessary peer reviews performed prior to RICT program implementation. Alternatively, demonstrate that these implementation items do not impact the RICT.

Duke Energy Response to Question 01, Part b This item is not applicable as all the items have already been incorporated into the HNP PRA models and there are no un-peer-reviewed upgrades.

Question 03 - PRA Maintenance and Upgrades of the LAR describes the reviews conducted for the Harris PRA. The internal events PRA was subject to a full-scope peer review in 2002 prior to issuance of RG 1.200. A focused-scope peer review was conducted for two elements in 2007 against ASME Standard RA-Sb-2005 and RG 1.200, Revision 1. A focused-scope industry peer review was conducted against one supporting requirement (SR LE-D6) in July 2017. The LAR states that there are no unreviewed PRA upgrades as defined by the ASME PRA Standard RA-Sa-2009 in the internal events PRA.

The internal flood PRA was subject to a full-scope peer review conducted in August 2014 against RG 1.200, Revision 2. The fire PRA was subject to NRC review during the NFPA 805 pilot process and an additional focused-scope industry peer review, both in 2008 in accordance with ANSI/ANS-58.23-2007. The reviews of the fire PRA model were performed prior to the issuance of RG 1.200, Revision 2.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 5 F&O closure reviews were performed for internal events and internal flood in March 2017 and for internal fire in October 2017. The Harris Essential Services Chilled Water System LAR to extend the completion time (ADAMS Accession No. ML19049A027) states that the internal events PRA model was updated in 2017 and 2018 to: 1) document the sequence quantification for the revised model-of-record, 2) incorporate credit for FLEX equipment as well as implement several PRA tracker items, and 3) incorporate the results from additional dependencies from the human reliability analysis as well as updated initiator frequencies. It is not clear whether these PRA changes are considered PRA upgrades and whether these upgrades, if any, have been peer reviewed.

In addition, the NRC staff is unclear based on docketed information, whether there have been any upgrades to the internal flooding or fire PRAs that have not been peer reviewed. Address the following:

a) Describe the changes made to the internal events PRA since 2017 that are not associated with the resolutions of closed F&Os. This description should be of sufficient detail to determine whether the changes are considered PRA maintenance or PRA upgrades as defined in ASME/ANS RA-Sa-2009, Section 1-5.4, as qualified by RG 1.200, Revision 2. For each change, indicate whether the change was PRA maintenance or a PRA upgrade, along with justification for this determination.

Duke Energy Response to Question 03, Part a The following changes have been made to the Internal Events model that were not associated with the closure of peer review F&Os.

Change Disposition Description Surveillance Change exposure time for 125 VDC Frequency Maintenance: Model Vital battery periodic test basic Change for change to match as- events, and associated common 125 VDC built/as-operated cause basic events, to reflect change Vital plant. in battery surveillance frequency from Batteries 7 days to 31 days.

Change exposure time for Solid State Surveillance Protection System (SSPS) periodic Frequency Maintenance: Model test basic events, and associated Change for change to match as-common cause basic events, to 125 VDC built/as-operated reflect change in SSPS surveillance Vital plant.

frequency from 62 days staggered to Batteries 184 days staggered.

Modify instrument Maintenance: Model Corrected modeling to match air logic to change to match as- success criteria when air compressor match as- built/as-operated C fails and A and B compressors are operated plant. required.

plant

U.S. Nuclear Regulatory Commission RA-20-0223 Page 6 b) Describe the changes made to the internal flood and fire PRAs since 2017 that are not associated with the resolutions of closed F&Os. This description should be of sufficient detail to determine whether the changes are considered PRA maintenance or PRA upgrades as defined in ASME/ANS RA-Sa-2009, Section 1-5.4, as qualified by RG 1.200, Revision 2. For each change, indicate whether the change was PRA maintenance or a PRA upgrade, along with justification for this determination.

Duke Energy Response to Question 03, Part b The following changes have been made to the Internal Flood and Fire models that are not associated with closure of F&Os or propagation of 2017/2018 Internal Events updates into these models.

Change Disposition Description Application of obstructed plume credit represents a new Upgrade: New methodology within the model, and methodology used Incorporation of a focused-scope peer review was for fire probabilistic NUREG-2178 commissioned to address the risk assessment upgrade. All Findings were closed in (FPRA).

a subsequent F&O closure independent assessment.

Incorporation of NUREG-2169 is a Maintenance:

Incorporation of data update similar to Example 38 Update of model NUREG-2169 of Appendix 1-A of ASME/ANS RA-data for FPRA.

Sa-2009.

The application of the same hot Development of Maintenance: short duration methodology already hot short Additional valves applied in the model to additional duration were analyzed pieces of equipment does not probabilities for consistent with constitute a PRA upgrade, similar to selected valves. previous analysis. Example 40 of Appendix 1-A of ASME/ANS RA-Sa-2009.

Incorporation of walkdown Incorporation of Maintenance: information to improve realism and walkdown Increase in fidelity completeness is PRA maintenance, information of documentation. similar to Example 35 of Appendix 1-A of ASME/ANS RA-Sa-2009.

Maintenance:

Assessed dependency Update Internal Methodology used combinations for flooding using the Flooding in assessing HRA Calculator dependency tool dependency dependencies is superseding work completed using from using unchanged, only the previous dependency spreadsheets to the software tool for spreadsheets. Methodology HRA Calculator ease of use and between software and spreadsheet tools consistency across is retained.

fleet.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 7 Change Disposition Description Maintenance:

Adjusts Internal Modified Internal Events HFEs to Updated Internal Events HFEs for account for the decrease in time Events HFEs for use in the Internal available and the additional stresses use in Internal Flood model based from mitigating an Internal Flood Flooding model on timing and and plant transient.

stress level only.

c) For each PRA upgrade identified in Parts (a) and (b) above, either:

i. Discuss any focused-scope (or full-scope) peer reviews that have been performed for the PRA upgrade. Provide the findings of these peer reviews and the associated dispositions as it pertains to the impact on this LAR.

ii. Alternatively, provide sufficient information for NRC staff to compare the technical adequacy of the upgrade to RG 1.200, Revision 2, or provide a bounding or sensitivity evaluation of its effect to demonstrate that the baseline risk values still meet the risk acceptance guidelines of RG 1.174, Revision 3, until a focused-scope peer review can be completed. Also, justify that this PRA upgrade does not significantly impact the RICT calculations or show its impacts on the RICT estimates provided in Table E1-2 of Enclosure 2 of the LAR. Finally, commit to an implementation item to perform a focused-scope peer review of the upgrade and to close all resulting F&Os through a new peer review or through the F&O Closure process accepted by the NRC in the staff memorandum dated May 3, 2017 (ADAMS Accession number ML17079A427) prior to RICT program implementation.

Duke Energy Response to Question 03, Part c The FPRA upgrade received a peer review for incorporation of credit for obstructed plume (NUREG-2178 V1) in June 2019. A subsequent closure peer review closed all related F&Os in June 2019.

d) Confirm that the internal flooding and fire PRAs appropriately incorporate the 2017/2018 updates performed for the internal events PRA. If the internal flooding and fire PRAs did not appropriately incorporate the internal events PRA updates, then justify how the internal flooding and fire PRAs meet PRA quality expectations prescribed in RG 1.200, Revision 2, for risk-informed applications, or commit to an implementation item to update the internal flooding and fire PRAs to appropriately incorporate the internal events PRA updates.

Duke Energy Response to Question 03, Part d All changes from the 2017/2018 model of record update have been conveyed to the internal flood PRA and FPRA models.

The three items listed in the question from the Essential Services Chilled Water System LAR were incorporated into the model. These items were all considered PRA maintenance. Some of these items were incorporated to resolve open findings (e.g. initiator frequencies) that have been subsequently closed.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 8 Change Disposition Description Maintenance: This Documented the sequence Quantification issue updated quantification for the revised Documentation documentation only. model-of-record.

Maintenance: Added Incorporate credit for FLEX and removed items equipment as well as implement Updated equipment from the model to several PRA tracker items (Duke modeling match the as-built/as-Energys PRA configuration control operated plant. No tool).

new methods used.

Maintenance:

Additional analysis Incorporated additional was completed using Minor HRA update dependency analysis performed for the same methods HFE combinations.

previously used in the model.

Maintenance: Data Updated applicable initiating event Updated initiator update only, no frequencies to reflect more recent frequencies change in method. generic data sources.

Question 04 - PRA Update Process Section 2.3.4 of NEI 06-09, Revision 0-A, specifies that criteria shall exist in PRA configuration risk management to require PRA model updates concurrent with implementation of facility changes that significantly impact RICT calculations. Enclosure 7 of the LAR states that should a plant change or a discovered condition be identified that has a significant impact to the RICT Program calculations, as defined by plant procedure, an unscheduled update of the PRA model will be implemented. The LAR does not explain under what conditions an unscheduled update of the PRA model will be performed. Describe the criteria that is used to determine when an interim or unscheduled PRA model update is required (i.e., less than once every two refueling cycles). In the response define what is meant by significant impact to the RICT Program calculations.

Duke Energy Response to Question 04 Plant modifications and procedure changes potentially impacting the PRA undergo a thorough review process to determine the impact on the PRA. These changes to the plant are screened based on fleet procedural requirements, which includes an absolute delta in core damage frequency (CDF) (or large early release frequency (LERF)) or a percentage increase in CDF (or LERF), whichever is greater. These values are consistent with industry practice. If a plant change exceeds these values, then an interim model change is implemented.

A significant impact to the RICT Program calculations as it relates to the PRA update process would be a plant design or procedural change that exceeds the quantitative limits described above.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 9 Question 05 - Potential Loss of Function Conditions TSTF-505, Revision 2, does not allow for TS loss of function conditions. As stated in Section 2.3 of the traveler, constraint 1, Required Actions associated with Conditions that represent a TS loss of specified safety function are outside the scope of the traveler. Further, according to the traveler, a loss of safety function exists when, assuming no concurrent single failure, no concurrent loss of offsite power, or no concurrent loss of onsite diesel generator(s), a safety function assumed in the accident analysis cannot be performed.

Table E1-1 of Enclosure 1 of the LAR, with regards to TS 3.6.2.3 Action b, With both trains of the above required containment fan coolers inoperable and both Containment Spray Systems OPERABLE, restore at least one train of fan coolers to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, appears to represent a TS loss of function.

Table E1-1 of Enclosure 1 of the LAR, with regards to TS 3.7.1.5 Action for MODE 1 Main Steam Isolation Valves (MSIVs), specifies the design basis success criteria for steam line rupture. The NRC staff is unclear how an inoperable and open MSIV may affect the safety analysis for the steam generator tube rupture event and whether this condition would represent a TS loss of function within this context (i.e., to isolate the ruptured steam generator).

Address the following:

a) Define Loss of function as used in the LAR and compare that definition with the definition used in TSTF-505, Revision 2.

Duke Energy Response to Question 05, Part a Although HNP does not have a Safety Function Determination Program in TS consistent with plants with Standard Technical Specifications (i.e., NUREG-1431 for Westinghouse plants), the definition for loss of function or loss of safety function for the subject LAR is verbatim from TSTF-505, Revision 2. That is, a loss of safety function exists when, assuming no concurrent single failure, no concurrent loss of offsite power, or no concurrent loss of onsite diesel generators, a safety function assumed in the accident analysis cannot be performed.

b) If the TSTF-505 definition above and the definition used in the LAR differ, explain how the loss of function definition in the LAR is consistent with the Traveler and the limitations and conditions in the NRC staffs SE on NEI 06-09, Revision 0-A.

Duke Energy Response to Question 05, Part b The definition of loss of function for the subject HNP LAR is the exact same definition from TSTF-505, Revision 2.

c) Remove from the program any conditions proposed in the scope of the RICT program that are identified as loss function conditions in response to this question.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 10 Duke Energy Response to Question 05, Part c TS 3.6.2.3, Containment Cooling System HNP TS 3.6.2.3, Containment Cooling System, Action b does not represent a TS loss of function based on the following information. When HNP is in this Action statement, both trains of containment fan coolers are inoperable. However, both Containment Spray Systems are operable. The Containment Fan Coolers and Containment Spray System are redundant to each other in providing post-accident cooling to the containment atmosphere. HNP UFSAR Section 3.1.34 states:

Containment heat removal is provided by two systems, the Containment Cooling System and the Containment Spray System.

The Containment Spray System consists of two completely independent subsystems, each of which is designed for 100 percent of the heat removal capability.

Thus, for TS 3.6.2.3 Action b, both Containment Spray Systems can provide post-accident cooling to the containment atmosphere.

To clarify the design success criteria for TS 3.6.2.3, Table E1-1 from the original LAR is being revised as follows:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 11 SSCs Technical Corresponding Function Covered by Design Success PRA Success Action Modeled in Comments Specification SSC(s) LCO Criteria Criteria PRA (revised) 3.6.2.3 a. With one train of the

• 4 containment Containment heat 1 of 2 Containment 1 of 4 fan coolers in SSCs are Action a above required fan coolers; one removal following a fan cooler trains in conjunction with 1 of modeled Containment containment fan coolers train is LOCA conjunction with 1 of 2 2 CS trains, or 3 of consistent with Spray and inoperable and both comprised of two Containment Spray 4 fan coolers the TS scope Cooling Systems Containment Spray containment fan trains provides the and can be Systems OPERABLE, coolers safety function of directly restore the inoperable post-accident cooling evaluated train of fan coolers to to the containment using the CRM OPERABLE status within atmosphere. 0 trains tool.

YES 7 days or be in at least of containment fan HOT STANDBY within coolers in conjunction The success the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in with 2 Containment criteria in the COLD SHUTDOWN Spray trains also PRA are based within the following 30 provides the safety on realistic hours. function of post- containment accident containment heat removal heat removal. capabilities of the containment cooling system consistent with the PRA standards for capability category II.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 12 SSCs Technical Corresponding Function Covered by Design Success PRA Success Action Modeled in Comments Specification SSC(s) LCO Criteria Criteria PRA (revised) 3.6.2.3 b. With both trains of the

• 4 containment Containment heat 1 of 2 Containment 1 of 4 fan coolers in SSCs are Action b above required fan coolers; one removal following a fan cooler trains in conjunction with 1 of modeled Containment Spray containment fan coolers train is LOCA conjunction with 1 of 2 2 CS trains, or 3 of consistent with and Cooling inoperable and both comprised of two Containment Spray 4 fan coolers the TS scope Systems Containment Spray containment fan trains provides the and can be Systems OPERABLE, coolers safety function of directly restore at least one train post-accident cooling evaluated of fan coolers to to the containment using the CRM OPERABLE status within atmosphere. 0 trains tool.

72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least of containment fan HOT STANDBY within the coolers in conjunction The success next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD with 2 Containment YES criteria in the SHUTDOWN within the Spray trains also PRA are based following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. provides the safety on realistic Restore both above function of post- containment required trains of fan accident containment heat removal coolers to OPERABLE heat removal. capabilities of status within 7 days of the initial loss or be in at least containment HOT STANDBY within the cooling system next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD consistent with SHUTDOWN within the the PRA following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. standards for capability category II.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 13 SSCs Technical Corresponding Function Covered by Design Success PRA Success Action Modeled in Comments Specification SSC(s) LCO Criteria Criteria PRA (revised) 3.6.2.3 c. With one train of the

• 4 containment Containment heat 1 of 2 Containment 1 of 4 fan coolers in SSCs are Action c above required fan coolers; one removal following a fan cooler trains in conjunction with 1 of modeled Containment Spray containment fan coolers train is LOCA conjunction with 1 of 2 2 CS trains, or 3 of consistent with and Cooling inoperable and one comprised of two Containment Spray 4 fan coolers the TS scope Systems Containment Spray containment fan trains provides the and can be System inoperable, coolers safety function of directly restore the inoperable

• 2 Containment post-accident cooling evaluated Spray System to Spray trains to the containment using the CRM OPERABLE status within consisting of atmosphere. 0 trains tool.

72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or be in at least pumps and flow of containment fan HOT STANDBY within paths coolers in conjunction The success the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in with 2 Containment YES criteria in the COLD SHUTDOWN Spray trains also PRA are based within the following 30 provides the safety on realistic hours. Restore the function of post- containment inoperable train of accident containment heat removal containment fan coolers heat removal. capabilities of to OPERABLE status the within 7 days of initial containment loss or be in at least HOT cooling system STANDBY within the next consistent with 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in COLD the PRA SHUTDOWN within the standards for following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />. capability category II.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 14 TS 3.7.1.5, Main Steam Line Isolation Valves With respect to HNP TS 3.7.1.5, Main Steam Line Isolation Valves, Action for MODE 1, the following is stated in TSTF-505, Revision 2 in Table 1 for Suggested Information:

From HNP UFSAR Section 5.4.9, Main Steam and Feedwater Piping:

A complete description and evaluation of the Main Steam System, including design criteria and operation of the main steam safety valves and main steam isolation valves, is contained in Section 10.3 From HNP UFSAR Section 10.3.2.1, Main Steam Isolation Valves (emphasis underline):

The MSIVs are fully open during power operation. They are required to limit uncontrolled flow of steam from the [steam generators] SGs in the event of a break in the steam piping system. The design criteria for the MSIVs are:

.d) They are installed in the individual [main steam] MS lines to prevent that SG from blowing down on a break downstream of the valve.

e) They are installed in the individual MS lines to prevent Containment overpressurization from reverse flow on a break inside Containment.

There is no discussion of a steam generator tube rupture with respect to the design criteria of the MSIVs. The above UFSAR discussion combined with the information provided in the original LAR (see Enclosure 1, Page 46) is the Suggested Information from TSTF-505, Revision 2, Table 1.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 15 The HNP TS 3.7.1.5 Bases also state:

The OPERABILITY of the main steam line isolation valves ensures that no more than one steam generator will blow down in the event of a steam line rupture. This restriction is required to: (1) minimize the positive reactivity effects of the Reactor Coolant System cooldown associated with the blowdown, and (2) limit the pressure rise within containment in the event the steam line rupture occurs within containment LAR Enclosure 1, Pages 29 and 46 each explain how the safety function is met. The analysis assumes one SG blows down into containment. With one MSIV failed open (inoperable), that still leaves the other two SG isolable by their respective MSIVs. A main steam line break (MSLB) event can be postulated anywhere (e.g., upstream on the SG with a failed open MSIV, upstream on a SG with a working MSIV (with a different MSIV failed open), or downstream of the MSIVs), and only one SG can blow down.

Steam Generator Tube Rupture Overfill Analysis A failed open (inoperable) MSIV is not assumed in the steam generator tube rupture (SGTR) overfill accident analysis. The analysis for SGTR overfill assumes that all three MSIVs close.

MSIVs are utilized in the mitigation of a SGTR overfill event, which is described in UFSAR Section 15.6.3. Specifically, the MSIVs are utilized in the action to isolate steam from the ruptured SG. However, while the MSIVs do perform a design function in the mitigation of a SG overfill scenario, the valves do not perform a Technical Specifications specified safety function with respect to a SGTR event. LCO 3.7.1.5 was established to satisfy 10 CFR 50.36(c)(2)(ii),

Criterion 3. The MSIVs are not part of the "primary success path" as described in 10 CFR 50.36(c)(2)(ii), Criterion 3 for the SGTR event. This is consistent with the HNP UFSAR, the TS 3.7.1.5 Bases, and the Suggested Information in Table 1 of TSTF-505, Revision 2 provided above. The TS OPERABILITY of the MSIVs ensures that no more than one SG will blow down in the event of a steam line rupture. The TS OPERABILITY of the MSIVs is not germane to the SGTR event.

TS Actions for Removal from RICT Program The following TS Actions shall be removed from the scope of the RICT Program because they represent a loss of function:

• TS 3.3.2 Table 3.3-3 Functional Unit 6.f for trip of all Main Feedwater Pumps (MFP)-

Start Motor-Driven Pumps (MDAFW)

Upon further review of TS 3.3.2 Table 3.3-3 Functional Unit 6.f, the time period during which HNP would enter Action 15 with an inoperable channel, until the jumper is installed to bypass the failed channel, does represent a loss of safety function. The associated contacts to fulfill the function are in series (one from each MFP), thus if one is inoperable, the path (either path) could not be credited.

Therefore, TS 3.3.2 Functional Unit 6.f is being removed from the scope of the RICT Program.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 16 Question 06 - Unspecified RICT Estimates NEI 06-09, Revision 0-A, states the following regarding high risk configurations:

RMTS evaluations shall evaluate the instantaneous core damage frequency (CDF),

instantaneous large early release frequency (LERF). If the SSC inoperability will be due to preplanned work, the configuration shall not be entered if the CDF is evaluated to be greater or equal than 10-3 events/year or the LERF is evaluated to be greater or equal to 10-4 events/year. If the SSC inoperability is due to an emergent event, if these limits are exceeded, the plant shall implement appropriate risk management actions to limit the extent and duration of the high risk configuration.

NEI 06-09, Revision 0-A, prohibits voluntary entry into a high risk configuration but it allows entry in such configurations due to emergent events with implementation of appropriate risk.

Table E1-2 of Enclosure 1 of the LAR, provides RICT estimates for TS actions proposed to be in the scope of the RICT program. However, RICT estimates for several LCO actions (3.8.1.1 Action c.1, 3.8.2.1, 3.8.3.1 Actions a, b and d) are not provided. In addition, Note 1 of Table E1-2 states:

By current calculation, the use of the RICT Program on this Action is precluded by the instantaneous CDF or LERF limits of 1E-03 or 1E-04, respectively. However, the Action remains within the scope of the license amendment request, and it is proposed that the RICT Program be used on this Action should plant risk estimates decrease in the future.

This note appears to be inconsistent with NEI 06-09, Revision 0-A, in that the note implies that involuntary RICT entries into conditions of high instantaneous CDF or LERF would be also prohibited. Address the following:

a) Clarify the intent of your note and whether NEI 06-09, Revision 0-A, will be followed regarding involuntary entries into high risk configurations.

Duke Energy Response to Question 06, Part a Note: A response on the docket to parts b through d was not requested by the NRC staff during the audit.

The note should read: By current calculation, the use of the RICT Program on this Action for planned equipment outages is precluded by the instantaneous CDF or LERF limits of 1E-03 or 1E-04, respectively. A RICT may still be entered for this action in the event of an unplanned equipment failure in accordance with NEI 06-09 guidance.

Question 07 - PRA Modeling of Digital Instrumentation and Control The LAR proposed TS LCOs include those related to instrumentation and controls (I&C).

Section 2.3.4 of NEI 06-09, Revision 0-A, states that PRA modeling uncertainties be considered in application of the PRA base model results to the RICT program. The NRC SE for NEI 06-09, Revision 0, states that this consideration is consistent with Section 2.3.5 of RG 1.177, Revision

1. NEI 06-09, Revision 0-A, further states that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties which could

U.S. Nuclear Regulatory Commission RA-20-0223 Page 17 potentially impact the results of a RICT calculation and that sensitivity studies should be used to develop appropriate compensatory risk management actions (RMAs).

Regarding digital I&C, NRC staff notes the lack of consensus industry guidance for modeling these systems for plant PRAs to be used in risk-informed applications. In addition, known modeling challenges exist due to the lack of industry data for digital I&C components and the complexities associated with modeling software failures including common cause software failures. Given these needs and challenges, if the modeling of digital I&C system is included in the Real-Time Risk (RTR) model, then address the following:

a) Provide the results of a sensitivity study on the structures, systems, or components (SSCs) in the RICT program demonstrating that the uncertainty associated with modeling the digital I&C system has inconsequential impact on the RICT calculations.

Duke Energy Response to Question 07, Part a The SSPS encompasses the digital logic cards (universal logic cards and output cards) and is referenced only when that portion of the signal logic applies. This is based on original Westinghouse, Solid State Protection System 7300 design. The data for these components is updated in accordance with NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, data.

The HNP Real-Time Risk (RTR) model does not include the specific modeling of digital I&C systems; however, the 7300 SSPS is modeled. The sensitivity study for various SSPS logic cards was conducted and the summary of results were developed into a table and displayed for the NRC during the audit. With the failure probabilities amplified by a factor of three (3), the final RICT is still, in the most limiting case, an order of magnitude greater than the 30-day back stop allowed by the RICT program. The sensitivity study results provide reasonable confidence that the uncertainty associated with modeling of digital I&C (i.e., SSPS) has inconsequential impacts on the RICT calculations, and that the results for the RICTs were not sensitive to the modeling of the digital I&C components.

The HNP fire PRA model does not contain any mitigation equipment (digital or otherwise) that is not modeled in the internal events model, and encompasses the impact of smoke damage.

b) Alternatively, identify which LCOs are determined to be impacted by the digital I&C system modeling for which RMAs will be applied during a RICT. Explain and justify the criteria used to determine what level of impact to the RICT calculation required additional RMAs.

Duke Energy Response to Question 07, Part b There are no TS LCO Actions that are determined to be impacted by digital I&C system modeling for which RMAs will be applied during a RICT. RMAs are implemented based on the specific plant configuration and SSC/scenarios. Typically, when there are instruments out-of-service in the SSPS cabinets, the opposite train and/or other identified risk-significant components would be protected, to include but not limited to, signage on the applicable cabinets and possibly roping off the area(s) in order to minimize the risk of a plant trip. The procedural risk management action guidance would be referenced and appropriate RMAs would be initiated accordingly.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 18 Question 08 - PRA Modeling of TS Functions NEI 06-09, Revision 0-A, specifies that the LAR should confirm that the Configuration Risk Management Program (CRMP) tools can be readily applied for each TSLCO within the scope of the plant-specific RMTS submittal. Furthermore, this guidance specifies that where the SSCs are not modeled in the PRA, and its impact cannot otherwise be quantified using conservative or bounding approaches, the RMTS are not applicable and the existing frontstop completion time would apply. Address the following with regard to the PRA modeling of TS functions:

a) The proposed TS LCOs identified in the LAR include I&C associated with the reactor trip system (RTS), or TS 3.3.1, and the engineered safety features actuation system (ESFAS), or TS 3.3.2. Table E1-1 of Enclosure 1 of the LAR, explains that the SSCs for the RTS functional units are mostly not explicitly modeled in the PRA and so a bounding method for determining the RICT is proposed (i.e., Note 2 to the table). Comparatively, many of the SSCs for the ESFAS functional units are shown to be modeled explicitly in the PRA. In some cases, these two systems rely on the same SSCs, yet are treated differently in the calculation of RICTs. Two specific cases are: 1) RTS TS 3.3.1 Functional Unit 9 Action 6 Pressurizer Pressure (Low) and ESFAS TS 3.3.2 Functional Unit 1.d Action 19 Safety Injection (Pressurizer Pressure - Low); and 2) RTS TS 3.3.1 Functional Unit 13 Action 6 Steam Generator (SG) Water Level - Low Low and ESFAS TS 3.3.2 Functional Units 6.c.(1) and 6.c.(2) Action 19 Auxiliary Feedwater (SG Water Level - Low Low). In both of these cases it is stated that the RTS TS SSCs are not explicitly modeled in the PRA (bounding method used) while it is stated for the corresponding ESFAS TS that the SSCs are explicitly modeled in the PRA. The LAR does not discuss how the RICT is determined for these situations. Address the following:

i. Provide a description of the SSCs that are shared between the RTS and ESFAS, and a description of how a RICT would be calculated when shared SSCs are removed from service.

ii. For the two cases described above, provide an example RICT calculation from removing the shared instrumentation from service and explain why these results are bounding.

Duke Energy Response to Question 08, Part a Part i.

The SSCs shared for the example stated for RTS TS 3.3.1 Functional Unit 9 Action 6 Pressurizer Pressure (Low) and ESFAS TS 3.3.2 Functional Unit 1.d Action 19 Safety Injection (Pressurizer Pressure - Low) are pressure transmitters PT-455, PT-456 and PT-457.

For the ESFAS function the Pressurizer pressure instruments are modeled as:

• Basic Event ETPPT455FF (ESF_017)

• Basic Event ETPPT456FF (ESF_018)

• Basic Event ETPPT457FF (ESF_019)

The Out of Service instrument would be entered in Phoenix by selecting the corresponding code, ESF_XXX, where XXX represents the instruments respective code.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 19 The SSCs shared for the example stated for RTS TS 3.3.1 Functional Unit 13 Action 6 Steam Generator (SG) Water Level - Low Low and ESFAS TS 3.3.2 Functional Units 6.c.(1) and 6.c.(2) Action 19 Auxiliary Feedwater (SG Water Level - Low Low) are: LT-474, LT-475 and LT-476; LT-484, LT-485 and LT-486; and LT-494, LT-495 and LT-496.

For the ESFAS function the SG Level instruments are modeled as:

• A SG level instruments (LT-474, LT-475 and LT-476) o ETLLT474TF (ESF_004) o ETLLT475TF (ESF_005) o ETLLT476TF (ESF_006)

• B SG level instruments (LT-484, LT-485 and LT-486) o ETLLT484TF (ESF_007) o ETLLT485TF (ESF_008) o ETLLT486TF (ESF_009)

• C SG level instruments (LT-494, LT-495 and LT-496) o ETLLT494TF (ESF_010) o ETLLT495TF (ESF_011) o ETLLT496TF (ESF_012)

The Out of Service instrument would be entered in Phoenix by selecting the corresponding code, ESF_XXX, where XXX represents the instruments respective code.

The reactor trip system (RTS) functions for the stated instruments are not modeled in the PRA and a surrogate Basic Event in the fault tree logic is used to calculate a RICT which would be equal to or shorter than if the detailed modeling were explicitly included in the PRA model.

Note: The RTS and Reactor Protection System (RPS) are interchangeable terms. The RTS terminology is used in HNP TS and the RPS terminology is used in the PRA for Basic Event naming.

The Basic Events are:

• ERPS2 (RPS Auto Trip Failure and Able To Be Manually tripped from [main control board] MCB with RPS signal)

• ERPS3 (RPS Auto Trip Failure and Able To Be Manually tripped from MCB without RPS signal).

The bounding criteria for basic events ERPS2 and ERPS3 are found in Section 6.1.1 of HNP-F/PSA-0122, PRA Input for TSTF-505 License Amendment Request. Failing these two Basic Events (ERPS2 and ERPS3) would not be appropriate for calculating a RICT because that would lead to an anticipated transient without scram (ATWS) event.

A more appropriate approach would be to fail the inputs to one of the two, in-series, RPS breakers.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 20 The decision was made to go back to the Westinghouse RPS model in order to get data and quantified values for the inputs to the RPS breakers. This required quantifying the RPS branches of the original fault trees. The detailed data to support the fault-tree required going back to the original Westinghouse model which did not contain a database. In order to decipher the data to develop a new database, the Westinghouse basic event (BE) files were taken from the Westinghouse model and converted into a database. The respective branches in the Westinghouse model representing the three scenarios (ERPS1, -2, and -3) were then quantified in order to get conservative, more realistic values which are slightly larger than those used in the HNP MOR2018 (i.e., model-of-record) (See Table 16 below from HNP-F/PSA-0122). The values are a conservatively bounding estimate when compared to a single channel of a single RPS parameter which is a single input to one of two RPS breaker when taken out of service.

TABLE 16 - RPS BASIC EVENT VALUE COMPARISON Event HNP RPS RPS Quant RPS Quant How to Quantify 2018 Quant (A in TM) (B in TM)

(Base)

WES-XHE-XE-SIGNL FALSE ERPS1 1.60E-06 1.60E-06 1.60E-06 1.60E-06 WES-XHE-XE-NSGNL FALSE WES-XHE-XE-SIGNL NOMINAL ERPS2 1.42E-05 1.58E-05 3.72E-04 3.72E-04 WES-XHE-XE-NSGNL FALSE WES-XHE-XE-SIGNL FALSE ERPS3 1.30E-05 1.46E-05 1.42E-05 1.42E-05 WES-XHE-XE-NSGNL NOMINAL To calculate a RICT, the values of ERPS2 and ERPS3 would be changed to the new values in RPS Quant columns to represent the single channel of a single RPS parameter out of service.

With the new values for ERPS2 and ERPS3, the changes to CDF and LERF are as follows:

Phoenix base With ERPS2 With %T1x2 With %T1x5 With and ERPS3 %T1x10 new values CDF 4.93E-6 5.69E-6 4.97E-6 5.09E-6 5.32E-6 LERF 1.14E-6 1.16E-6 1.14E-6 1.14E-6 1.14E-6

%T3x2 %T3x5 %T3x10 CDF 4.93E-6 5.69E-6 5.13E-6 5.76E-6 6.81E-6 LERF 1.14E-6 1.16E-6 1.14E-6 1.16E-6 1.19E-6 Using the Phoenix program, the reactor trip multiplier initiating event %T3x5 can be used to increase the reactor trip probability in lieu of changing the numbers for ERPS2 and ERPS3 to make data entry less complex. The change to CDF using the %T3x5 is more conservative than the ERPS2 and ERPS3 values, and therefore is still bounding.

(NOTE: The %T1 is the reactor trip multiplier and %T3 is the automatic reactor trip multiplier.)

U.S. Nuclear Regulatory Commission RA-20-0223 Page 21 Part ii.

For RTS TS 3.3.1 Functional Unit 9 Action 6 Pressurizer Pressure (Low) and ESFAS TS 3.3.2 Functional Unit 1.d Action 19 Safety Injection (Pressurizer Pressure - Low):

o %T3x5 would be entered in Phoenix for RTS TS 3.3.1.

o One of corresponding codes, ESF_XXX, would be entered in Phoenix for ESFAS TS 3.3.2, depending on which instrument was failed.

For RTS TS 3.3.1 Functional Unit 13 Action 6 Steam Generator (SG) Water Level - Low Low and ESFAS TS 3.3.2 Functional Units 6.c.(1) and 6.c.(2) Action 19 Auxiliary Feedwater (SG Water Level - Low Low):

o %T3x5 would be entered in Phoenix for RTS TS 3.3.1.

o One of corresponding codes, ESF_XXX, would be entered in Phoenix for ESFAS TS 3.3.2, depending on which instrument was failed.

b) Referring to LAR Table E1-1, TS 3.3.2 Functional Unit 1.c Action 19 Safety Injection (Containment Pressure - High 1), it is stated that this LCO is modeled with logically limiting events that produce a conservatively bounding RICT. A similar description is provided for TS 3.3.2 Functional Unit 1.e, Action 19 Safety Injection (Steam Line Pressure - LOW). Identify the logically limiting events used to determine the RICTs for these LCOs and explain how they are bounding.

Duke Energy Response to Question 08, Part b The Safety Injection signal via Containment Pressure High-1 is not explicitly modeled in the PRA. However, containment pressure transmitters PT-951, PT-952 and PT-953 are the inputs to the Containment Pressure High-1 signal with 2 out of 3 coincidence logic. Logically, the High-1 signal inputs to logic cards A516A and A516B to actuate safety injection relays. The logic cards are modeled as basic events ELGA516ANN and ELGA516BNN for the failure of these logic cards. Therefore, the logic cards are conservatively bounding since the surrogate Basic Events are at a higher level in the fault tree logic to calculate a RICT, which would be equal to or shorter than if the detailed modeling were explicitly included in the PRA model.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 22 c) Referring to LAR Table E1-1, TS 3.3.2 Functional Unit 4.c Action 19 Main Steam Line Isolation (Containment Pressure - High 2), it is stated that this LCO is represented by a bounding surrogate for the RICT calculation. Identify the surrogate and explain why it is bounding.

Duke Energy Response to Question 08, Part c TS 3.3.2 Functional Unit 4.c Action 19 Main Steam Line Isolation (Containment Pressure - High

2) mapped basic events using a bounding surrogate for actuation of containment spray. The basic events for comparator cards ECOPB951FN, ECOPB952FN and ECOPB953FN that has inputs for the containment pressure instruments PT-951, PT-952 and PT-953 were used as bounding surrogates.

The HNP PRA model does not address the automatic steam line isolation for any transient or accident condition. Since the main steam line isolation signal is not modeled, the impact from the loss of the same containment pressure instruments to the Containment Spray system was used as bounding for the loss of the main steam line isolation.

Containment pressure instruments PT-950, PT-951, PT-952 and PT-953 are used to generate a Containment Spray actuation signal High-3 at 10 psig. Main steam line isolation actuation signal High-2 is generated at 3 psig using PT-951, PT-952 and PT-953. When the basic event ECOPB951FN, ECOPB952FN or ECOPB953FN is failed, the impact on the PRA model is that the single input to the coincidence gate is failed. Main Steam Line Isolation High -2 signal would be a 2 out of 3 coincidence to fail the coincidence gate and the Containment Spray High-3 is a 3

U.S. Nuclear Regulatory Commission RA-20-0223 Page 23 out of 4 coincidence to fail the coincidence gate. The impact from a single containment pressure instrument channel failure would be the same up to the coincidence gate for a Main Steam Line Isolation and Containment Spray actuation, therefore bounding. See the fault tree figure below.

d) Note 3 to LAR Table E1-1 states that the [Harris] Fire PRA model does not credit containment sprays or containment fan coolers. LAR Table E1-1 proposes to apply the RICT program to several TS 3.6.2.3 (Containment Spray and Cooling Systems) actions but does not address whether bounding or surrogate analyses will be performed for the Fire PRA when determining the RICT for these actions. Address the following:

i. Provide justification for including the TS 3.6.2.3 actions in the RICT program. The justification should describe the bounding or surrogate analyses that will be used to calculate the Fire PRA contribution to the RICT. Also, explain how containment sprays and containment fan coolers are modelled in the internal events PRA.

ii. If justification cannot be provided in the response to item (i) above, then remove these LCOs from the RICT program and provide an updated TS markup.

Duke Energy Response to Question 08, Part d TS 3.6.2.3 Containment Spray and Cooling Systems will remain in the scope of the RICT program. The HNP Fire PRA model appropriately translates the functions for this equipment in to the risk analysis. The equipment associated with this TS functions to reduce containment pressure in response to a large break loss of coolant accident (LBLOCA) or MSLB, provide scrubbing, and support mixing of the containment atmosphere to prevent hydrogen ignition.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 24 These are not fire-induced accident sequences, so these systems have no mitigation function for CDF in the fire model. The model does contain logic to address multiple spurious operations (MSOs) in a fire that may cause containment spray components to actuate, present a flow diversion path, and inadvertently drain the refueling water storage tank (RWST) (Event S103).

Both containment spray and containment fan coolers are modeled in the LERF logic to determine the plant damage states, including the impact of fire failures from fire scenarios. The PRA model adequately represents the impacted systems applicable to this TS and therefore is bounding as required.

The containment spray pumps and containment fan coolers are modeled in the internal events and fire PRAs. Refer to the system notebook (HNP-F/PSA-0065) sections A.17 Containment Spray and A.6 Containment Fan Cooler System Notebook.

As such, containment spray pumps and containment fan coolers are appropriately modeled for their contribution to reducing containment failure events.

Question 09 - Treatment of Common Cause Failures for Planned Maintenance NEI 06-09, Revision 0-A, states that no common cause failure (CCF) adjustment is required for planned maintenance. The NRC SE for NEI 06-09, Revision 0, is based on conformance with RG 1.177, Revision 1, "An Approach for Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications" (ADAMS Accession No. ML100910008). Specifically, SE Section 2.2 states that, specific methods and guidelines acceptable to the NRC staff are [] outlined in RG 1.177 for assessing risk-informed TS changes. SE Section 3.2 further states that compliance with the guidance of RG 1.174, Revision 1, and RG 1.177, Revision 1, is achieved by evaluation using a comprehensive risk analysis, which assesses the configuration-specific risk by including contributions from human errors and common cause failures.

The guidance in RG 1.177, Revision 1, Section 2.3.3.1, states, CCF modeling of components is not only dependent on the number of remaining in-service components but is also dependent on the reason components were removed from service (i.e. whether for preventative or corrective maintenance). In relation to CCF for preventive maintenance, the guidance in RG 1.177, Appendix A, Section A-1.3.1.1, states:

If the component is down because it is being brought down for maintenance, the CCF contributions involving the component should be modified to remove the component and to only include failures of the remaining components (also see Regulatory Position 2.3.1 of Regulatory Guide 1.177).

According to RG 1.177, Revision 1, if a component from a CCF group of three or more components is declared inoperable, the CCF of the remaining components should be modified to reflect the reduced number of available components in order to properly model the as-operated plant. Address the following:

a) Explain how CCFs are included in the PRA model (e.g., with all combinations in the logic models as different basic events or with identification of multiple basic events in the cut sets).

U.S. Nuclear Regulatory Commission RA-20-0223 Page 25 Duke Energy Response to Question 09, Part a The HNP PRA models use the Multiple Greek Letter (MGL) method described in NUREG/CR-5485 to model and quantify CCF event probabilities. Common cause basic event probabilities are calculated from the equations shown below. Component combinations greater than four use the four component equations. Common cause basic events are explicitly modeled in the fault tree, with each specific combination of events modeled in conjunction with the independent failure basic event. For example, consider a group consisting of components A, B, and C where failure of all three components is necessary to fail the PRA mitigation function. Failure of component A is modeled as an OR gate of the independent failure event for A, along with three additional common cause basic events for combinations of AB, AC, and ABC.

Number of Components Two Failed Three Failed Four Failed Two Components N/A N/A Three Components 0.5**(1-) N/A Four Components 0.333**(1-) 0.333***(1-)

b) Explain how the quantification and/or models will be changed when, for example, one train of a 3x100 percent train system is removed for preventative maintenance and describe how the treatment of CCF meets the guidance in RG 1.177, Revision 1, or meets the intent of this guidance when quantifying a RICT.

Duke Energy Response to Question 09, Part b Duke Energys approach is that common cause events are not adjusted for preventative maintenance actions. Adjustments to the CCF grouping or CCF probabilities are not necessary when a component is taken out-of-service for preventative maintenance (PM). The component is not out-of-service for reasons subject to a potential common cause failure, and so the in-service components are not subject to increases in common cause probabilities.

Regulatory Guide 1.177 describes how CCF should be treated differently for PM conditions than as described for failure of a component. The Duke Energy approach is conservative in that CCF basic events are retained for components removed for maintenance, be it in a 2 or 3 train system. This approach may slightly increase the risk and shorten the calculated completion time, which would reflect a conservative modeling assumption.

Question 10 - Treatment of Common Cause Failures for Emergent Conditions According to RG 1.177, Revision 1, if a component from a CCF group of three or more components is declared inoperable, the CCF of the remaining components should be modified to reflect the reduced number of available components in order to properly model the as-operated plant. Attachment 2 of the LAR provides the proposed changes to the TSs. Constraint r.d to TS Administrative Section 6.0 (Insert 4), which states:

For emergent conditions, if the extent of condition evaluation for inoperable SSCs is not complete prior to exceeding the Completion Time, the RICT shall account for the increased possibility of CCF by either:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 26

1. Numerically accounting for the increased possibility of CCF in the RICT calculation; or

2. RMAs not already credited in the RICT calculation shall be implemented that support redundant or diverse SSCs that perform the function(s) of the inoperable SSCs, and, if practicable, reduce the frequency of initiating events that challenge the function(s) performed by the inoperable SSCs.

Regarding option 1 of constraint r.d, provide the following:

a) Describe and justify how the numerical adjustment for increased possibility of CCF will be performed, or Duke Energy Response to Question 10, Part a Numerical adjustment of CCF events will not typically be performed for a RICT calculation. The procedural process is for plant personnel to complete an extent of condition assessment that addresses the possibility of CCF. If CCF cannot be ruled out, then the RICT will account for the increased possibility of CCF by method 1 or 2 as described in Insert 4 of the TS markups associated with the original HNP LAR submittal. This will typically be done using RMAs as described in method 2.

b) Confirm that numerically accounting for the increased possibility of CCF in the RICT calculation will be performed in accordance with RG 1.177, Revision 1.

Duke Energy Response to Question 10, Part b As noted in the response to Part a above, CCF probabilities will normally not be adjusted for emergent failures. If a numeric adjustment is performed, the RICT calculation would be adjusted to numerically account for the increased possibility of CCF in accordance with RG 1.177, Revision 1, as specified in Section A-1.3.2.1 of Appendix A of the RG. Specifically, when a component fails, the CCF probability for the remaining redundant components will be increased to represent the conditional failure probability due to CCF of these components in order to account for the possibility the first failure was caused by a common cause mechanism.

Question 11 - Real-Time Risk Model Regulatory Position 2.3.3 of RG 1.174, Revision 3, states that the level of detail in the PRA should be sufficient to model the impact of the proposed licensing basis change. The characterization of the problem should include establishing a cause-effect relationship to identify portions of the PRA affected by the issue being evaluated. Full-scale applications of the PRA should reflect this cause-effect relationship in a quantification of the impact of the proposed licensing basis change on the PRA elements.

Section 4.2 of NEI 06-09, Revision 0-A, describes attributes of the configuration risk management tool (CRM). A few of these attributes are listed below:

• Initiating events accurately model external conditions and effects of out-of-service equipment.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 27

• Model translation from the PRA to a separate CRM tool is appropriate; CRM fault trees are traceable to the PRA. Appropriate benchmarking of the CRM tool against the PRA model shall be performed to demonstrate consistency.

• Each CRM application tool is verified to adequately reflect the as-built, as-operated plant, including risk contributors which vary by time of year or time in fuel cycle or otherwise demonstrated to be conservative or bounding.

• Application specific risk important uncertainties contained in the CRM model (that are identified via PRA model to CRM tool benchmarking) are identified and evaluated prior to use of the CRM tool for RMTS applications.

• CRM application tools and software are accepted and maintained by an appropriate quality program.

• The CRM tool shall be maintained and updated in accordance with approved station procedures to ensure it accurately reflects the as-built, as-operated plant. of the LAR describes the attributes of the RTR model, Harris CRM tool, for use in RICT calculations. The LAR explains that the internal events, internal flooding events, and fire events PRA models are maintained as separate models. The LAR also describes several changes made to the PRA models to support calculation of configuration-specific risk and mentions approaches for ensuring the fidelity of the RTR to the PRAs including RTR maintenance, documentation of changes, and testing. With regards to development and application of the RTR model, provide the following:

a) Explain how any changes in success criteria based on seasonal variations are accounted for in the RTR model for use in RICT calculations.

Duke Energy Response to Question 11, Part a Phoenix Summer / Winter modes The HNP model has two HVAC elements with seasonal dependence - emergency diesel generator (EDG) HVAC and Switchgear room HVAC. The EDG events in the model require two fans for summer operation and only one fan during winter operation. During the winter, due to winter heating load, switchgear room (SGRM) B requires ventilation and, in some conditions, SGRM A also requires ventilation. During the summer the SGRMs do not depend on HVAC.

The Phoenix model sets flag events X-HVC-EDG (EDG alignment) and X-HVC-SGAB (SGRMs A & B alignment) to the appropriate summer and winter values using the equations portion of the Phoenix model based on the date. The alignment window also has a check box for the EDG/switchgear HVAC alignment.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 28 b) Confirm that out-of-service equipment will be properly reflected in the RTR models initiating event models as well as in the system response models. In the response, specifically address how SSC unavailability assumed in system initiator event fault trees are adjusted or accounted for in the RICT calculations to reflect the plant configuration.

Duke Energy Response to Question 11, Part b The out-of-service components are accounted for in both the mitigating and the Initiating Event fault tree. Two examples are shown below for the Charging Safety Injection Pump (CSIP) A and the Component Cooling Water (CCW) pump A. In both cases the pump alignments are set as not running and the Fail-to-Start basic event is used to reflect these components are out-of-service, which in turn increases the likelihood of an initiating event. Other support systems are modeled similarly.

The logic under gates XF110 for CSIP and XF210 for CCW (shown in the fault tree below) account for the initiating events. In Phoenix, the fault tree flags are set for the running pump(s) in the Alignments menu for the plant:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 29

U.S. Nuclear Regulatory Commission RA-20-0223 Page 30

U.S. Nuclear Regulatory Commission RA-20-0223 Page 31

U.S. Nuclear Regulatory Commission RA-20-0223 Page 32

U.S. Nuclear Regulatory Commission RA-20-0223 Page 33 c) Describe the process that will be used to maintain the accuracy of any pre-solved cutsets with changes in plant configuration.

Duke Energy Response to Question 11, Part c Phoenix does not use pre-solved cutsets for RICT calculations. Configuration risk is calculated for each unique combination of out-of-service equipment, and the risk results are stored in the Phoenix SQL database. The cutset files are generated during quantification and are stored external to the model. Phoenix only uses these files if the user wants to see them or to perform importance calculations. They are stored in a controlled (limited access) directory with the model on the HNP PRA server.

d) Describe the benchmarking activities performed to confirm consistency of the RTR model results to the PRA Models of Record (MORs) results, including periodicity of RTR updates compared to the MORs updates. Address each of the MORs (i.e.,

internal events, internal flooding events, and internal fire events) in the response.

Duke Energy Response to Question 11, Part d Documentation on benchmarking of the Phoenix RTR model is described in the Phoenix calculation, HNP-F/PSA-0119, Online Phoenix PRA Model. For the initial roll-out, the Phoenix model was first benchmarked to the existing Equipment Out of Service (EOOS) model, then updated and benchmarked to the current MOR. All the applicable hazard models, the internal events, internal flood and internal fire models, are updated based on administrative programmatic requirements and are reviewed consistent with the regulatory guidance and Standards to ensure consistency between current MOR and real-time risk models. The PRA Model Update Process is documented in Duke Energy procedure AD-NF-NGO-0502 (PRA Model Technical Adequacy), section 5.6.

Question 14 - Identification of Compensatory Measures and RMAs The NRC SE for NEI 06-09, Revision 0-A, states that the LAR will describe the process to identify and provide compensatory measures and RMAs during extended completion times.

LAR Enclosure 12 identifies three kinds of RMAs (i.e., actions to provide increased risk awareness and control, reduction of the duration of maintenance activities, and reduction of the magnitude of risk increase). LAR Enclosure 12 also provides several examples of RMAs.

However, LAR Enclosure 12 does not describe what criteria or insights (e.g., important fire areas, important operator actions) are used to determine what RMAs to apply in specific instances. Provide the following:

a) Describe the criteria and insights (e.g., important fire areas, important operator actions) that are used to determine the compensatory measures and RMAs to apply in specific instances.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 34 Duke Energy Response to Question 14, Part a Risk Management is based on a graded approach where higher risk levels require more rigorous preparation and execution efforts. The risk levels and example of the increasing effort for RMAs are noted in the table below:

Required Risk Management Risk Indicator Color Actions (RMAs)

Green None (Normal Work Controls)

(Not Risk Significant)

Yellow Level 1 RMAs (Caution - Low Risk)

Orange Level 1 and Level 2 RMAs (Degraded - Medium Risk)

Red Level 1, Level 2, and Level 3 (Severely Degraded - High RMAs Risk)

Each RMA level prescribes a number of actions and approvals with increasing scope as the risk increases. For example, an orange risk condition prescribes much more effort for protected equipment, operator briefings, etc. than a green risk condition. Additionally, approval levels for each level of RMAs increases (e.g. Level 1 requires Shift Manager approval and Level 2 requires the Plant Manager approval, note these specific positions are subject to change but are shown as an example).

Entry into a yellow or orange risk condition is not typical, however such occurrences are allowed per procedure. Entry into these risk conditions is carefully scrutinized by plant staff and management. Mitigating actions are developed throughout the planning process to address the risk condition consistent with Duke Energy procedures.

Voluntary entry into a red risk condition is not allowed. If emergent issues cause entry into a red risk condition immediate actions are taken to reduce risk including restoring components important to accident mitigation to, at least, a functional state. If risk cannot be reduced in a reasonable amount of time, an orderly transition to Mode 3 is considered. Orderly transition to Mode 3 is a controlled shutdown of the plant (versus a plant trip), which typically takes approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. An operating shift is permitted to take conservative action to shut down the plant at any time if conditions warrant, the recommendation based on risk color is simply an additional prompt based on the current plant configuration and items out of service. This could also be required based on expiration of the RICT which would occur if the entire RICT was utilized (at which point a red cumulative risk will have been reached). The typical required action per the associated TS action would be to be in Mode 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

RICT RMAs are identified based on configuration-specific risk and generally fit into three categories:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 35

1. Actions to increase risk awareness and control.

2. Actions to reduce the duration of maintenance activities.

3. Actions to minimize the magnitude of the risk increase.

RMAs for the RICT Program can be developed both qualitatively and quantitatively. Examples of qualitatively determined RMAs include:

• Actions to increase awareness of the plant conditions (e.g. protected equipment boundaries to keep personnel physically away from equipment important for defense-in-depth),

• Pre-staging of materials (e.g. portable pumps, diesel generators, or air compressors)

• Training on mockups (e.g. maintenance training to minimize time in the repair activity)

• Rescheduling of other maintenance activities (e.g. cross train planned maintenance)

RMAs can also be selected using quantitative insights given by the CRMP. These insights address risks from internal events, internal flood, and internal fires. Examples include:

• Identification of important equipment or trains for protection,

• Identification of important Operator Actions for briefings,

• Identification of key flood compartments, fire initiators and fire zones.

Common Cause RMAs lower configuration risk by focusing on:

a. Availability of SSCs providing redundancy to the failed SSC.

b. Availability of diverse SSCs providing redundancy for functions performed by the failed SSC.

c. Reducing the likelihood of events that can impact the availability of the SSCs described in (a) and (b).

d. Readiness of operators to respond to initiating events assuming SSCs susceptible to failure by common cause will fail.

e. Readiness of maintenance to respond to additional failures of SSCs described in (a) and (b).

RMAs for each RICT are recorded in the Operations tracking and turnover tools (e.g. logs) and RMAs are included with the RICT documentation package, typically captured in a condition report or similar process.

b) Explain how RMAs are identified for emergent conditions in which the extent of condition evaluation for inoperable SSCs is not complete prior to exceeding the Completion Time to account for the increased possibility of a CCF. Include explanation of if and how these RMAs are different from other RMAs.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 36 Duke Energy Response to Question 14, Part b Per Duke Energy procedures, Common Cause RMAs shall include the following actions:

1. Defer maintenance and testing activities that could generate an initiating event for which event mitigation may require operation of SSCs susceptible to failure by common cause.

2. Establish a compensatory action, shift brief, or Standing Instruction that focuses on actions operators will take in response to an initiating event and failure of SSCs susceptible to failure by common cause.

3. For SSCs that provide redundancy to the failed SSC or the function performed by the SSC:

a. Reduce the likelihood of unavailability, including for support systems and power supplies.

b. Perform non-intrusive inspections.

c. Defer maintenance and testing activities that could impact the availability of the SSC.

Additional RMAs may be used and would be identified using the methodology of Part a of this response.

If plant personnel establish a high degree of confidence that no common cause failure mechanism exists that could affect the redundant component(s) or if an adjustment to the RICT calculation is made to numerically account for the increased probability of common cause failure in the CRMP model, then no Common Cause RMAs are required. Numerical adjustment for increased possibility of CCF will not typically be performed.

Question 15 - Credit for FLEX Equipment and Actions The NRC memorandum dated May 30, 2017, Assessment of the Nuclear Energy Institute 16-06, Crediting Mitigating Strategies in Risk-Informed Decision Making, Guidance for Risk-Informed Changes to Plants Licensing Basis (ADAMS Accession No. ML17031A269), provides the NRCs staff assessment of challenges to incorporating FLEX equipment and strategies into a PRA model in support of risk-informed decision-making in accordance with the guidance of RG 1.200, Revision 2.

With regards to equipment failure probability, in the May 30, 2017 memo, the NRC staff concludes (Conclusion 8):

The uncertainty associated with failure rates of portable equipment should be considered in the PRA models consistent with the ASME/ANS PRA Standard as endorsed by RG 1.200. Risk-informed applications should address whether and how these uncertainties are evaluated.

With regards to human reliability analysis, NEI 16-06, Section 7.5 recognizes that the current human reliability analysis methods do not translate directly to human actions required for implementing mitigating strategies. Sections 7.5.4 and 7.5.5 of NEI 16-06 describe such actions to which the current human reliability analysis methods cannot be directly applied, such as:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 37 debris removal, transportation of portable equipment, installation of equipment at a staging location, routing of cables and hoses; and those complex actions that require many steps over an extended period, multiple personnel and locations, evolving command and control, and extended time delays. In the May 30, 2017 memo, the NRC staff concludes (Conclusion 11):

Until gaps in the human reliability analysis methodologies are addressed by improved industry guidance, HEPs associated with actions for which the existing approaches are not explicitly applicable, such as actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06, along with assumptions and assessments, should be submitted to NRC for review.

Section 2.3.4 of NEI 06-09, Revision 0-A, states that PRA modeling uncertainties shall be considered in application of the PRA base model results to the RICT program. The NRC SE for NEI 06-09, Revision 0, states that this consideration is consistent with Section 2.3.5 of RG 1.177, Revision 1. NEI 06-09, Revision 0-A, further states that sensitivity studies should be performed on the base model prior to initial implementation of the RICT program on uncertainties which could potentially impact the results of a RICT calculation. The NRC staff notes that the impact of model uncertainty could vary based on the proposed RICTs. NEI 06-09, Revision 0-A, also states that the insights from the sensitivity studies should be used to develop appropriate RMAs, including highlighting risk significant operator actions, confirming availability and operability of important standby equipment, and assessing the presence of severe or unusual environmental conditions.

Uncertainty exists in PRA modeling of FLEX, related to the equipment failure probabilities for FLEX equipment used in the model, the corresponding operator actions, and pre-initiator failure probabilities. Therefore, FLEX modeling assumptions can be key assumptions and sources of uncertainty for RICTs proposed in this application.

The LAR does not address whether FLEX equipment or actions have been credited in the PRA models. However, the LAR to extend the allowed outage time for the Harris Essential Services Chilled Water System (ESCWS) (ADAMS Accession No. ML19049A027) states that the internal events PRA model was updated in 2017 to incorporate credit for FLEX equipment. To understand the full characterization of the risk estimates to be used in the RICT Program, address the following separately for the internal events PRA, internal flooding PRA, and fire PRA:

a) Discuss whether the licensee has credited FLEX equipment or mitigating actions into the Harris internal events, including internal flooding, or fire PRA models. If not incorporated, no additional response is requested.

Duke Energy Response to Question 15, Part a The HNP internal events and internal flooding models credit FLEX equipment and related mitigating actions. The HNP Fire model does not credit FLEX equipment.

b) Summarize the supplemental equipment and compensatory actions, including FLEX strategies, that have been quantitatively credited in the PRA models used to support this application. Include discussion of whether the credited FLEX equipment is portable or permanently installed equipment.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 38 Duke Energy Response to Question 15, Part b FLEX is only credited for backup power to FLEX related systems, 125 V DC systems, 480 V AC systems and as another source of injection into the steam generators for decay heat removal.

The FLEX equipment currently credited in the PRA model includes the permanently installed diesel generators and non-permanently installed portable pumps. Permanently installed piping, hoses or connection points are not modeled. Post initiators actions are modeled and include: failure to load shed, failure to align and start FLEX diesel generator, failure to refuel FLEX diesel generator, and failure to align and start FLEX Auxiliary Feedwater pump. The FLEX diesel generator, while permanently in place, requires operator actions to hookup to its respective connections for powering the associated loads. This action, along with the corresponding HFE, is modeled in the PRA.

Portable pumps for RCS makeup are not modeled due to modeling and timing limitations.

c) Regarding the credited equipment, address the following:

i. Discuss whether the credited equipment (regardless of whether it is portable or permanently-installed) are like other plant equipment (i.e. SSCs with sufficient plant-specific or generic industry data).

If all credited FLEX equipment is similar to other plant equipment credited in the PRA (i.e. SSCs with sufficient plant-specific or generic industry data), responses to items ii and iii below are not necessary.

Duke Energy Response to Question 15, Part c, Part i The HNP FLEX diesel generators are non-safety related, permanently installed inside a Class 1 structure, and power class 1E systems. From NUREG/CR-6928:

The generators covered in this data sheet include those within the Class 1E AC electrical power system, the high-pressure core spray (HPCS) systems, and station blackout (SBO) generators.

Thus, the FLEX diesel generator is similar to the industry EDGs used in NUREG/CR-6928, although there is no data specifically for the diesel generators of this class as of yet. The current FLEX model uses NUREG/CR-6928 data for the portable pumps due to the lack of appropriate data for these systems. While this does not match the current components in the current dataset, it was deemed appropriate given the low impact the FLEX equipment has on the modeling and because it does not have an impact on calculated RICTs.

ii. Discuss the data and failure probabilities used to support the modeling and provide the rationale for using the chosen data. Discuss whether the uncertainties associated with the parameter values are in accordance with the ASME/ANS PRA Standard as endorsed by RG 1.200, Revision 2. Discuss how the failure rates/probabilities assumed in the PRA for the FLEX equipment is consistent with the relevant plant-specific evidence/operational experience.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 39 Duke Energy Response to Question 15, Part c, Part ii The chosen data was obtained from NUREG/CR-6928, as it was the best available data at the time to approximate FLEX equipment failure rates. Sensitivity on FLEX equipment shows that it does not have an impact on the calculated RICTs.

The portable diesel driven pumps are similar to the industry pumps in that they are diesel powered, similar to, for example, the diesel fire pump. However, the pumps informing the data in NUREG/CR-6928 are Auxiliary Feedwater, Fire Protection, fuel oil transfer pumps, and standby service water pumps. There is no data available specifically for portable diesel pumps.

Uncertainty parameters for the type codes used for the independent failures of the FLEX equipment are currently not included in the PRA model. The uncertainty results in the most recent quantification calculation show a point estimate of 2.865E-6 while the mean value is 2.870E-6 for CDF (similarly close results for LERF). There were six FLEX basic events added to the model. It is reasonable to conclude that with only six new FLEX events added and the thousands of other basic events (even if extremely large uncertainty parameters are incorporated) the change in uncertainty divergence would be negligible. Further, the sensitivity study provided and demonstrated during the audit concluded that the RICT results are not sensitive to the FLEX equipment modifications.

FLEX equipment data will be updated to a more appropriate source when data is available and will be updated based on the current model update process.

iii. Justify and provide results of LCO specific sensitivity studies that assess impact on RICT due to FLEX equipment data and failure probabilities. Part of the response should include the following:

1. Justify values selected for the sensitivity studies, including justification of why the chosen values constitute bounding realistic estimates;

2. Provide numerical results on specific selected RICTs and discussion of the results;

3. Describe how the results of the sensitivity studies will be used to identify RMAs prior to the implementation of the RICT program, consistent with the guidance in Section 2.3.4 of NEI 06-09, Revision 0-A.

Duke Energy Response to Question 15, Part c, Part iii A detailed study of the sensitivity related to those systems impacted by FLEX equipment and their operator actions was presented to the NRC audit team during the audit. The sensitivity demonstration consisted of setting FLEX events to TRUE in one table (no credit for FLEX) and setting FLEX events to an increase of a factor of three (3) in the other table. A request was made to further break down one sensitivity to show how the FLEX equipment failures alone impacted the RICT as well as how the FLEX operator actions alone impacted the RICT. When

U.S. Nuclear Regulatory Commission RA-20-0223 Page 40 the factor of three was utilized, the results showed no change in CDF/LERF sufficient to affect the RICT. Therefore, only the results where the FLEX equipment and operator actions were set to TRUE are provided here. The results of the FLEX human error probability (HEP) and equipment sensitivity studies are shown in Tables 15.c.iii-1 through 15.c.iii-9 below.

Sensitivities were performed for each selected LCO with FLEX portable equipment failure rates modified and FLEX strategy HEPs modified.

The FLEX sensitivity study only required modification of the internal events model. The FPRA model did not credit the FLEX equipment. The internal flooding model is not sensitive to FLEX because few of the flood initiating events involve the LOOP logic in the fault tree. A search of the applicable flooding cutsets revealed no FLEX components; therefore, excluding the internal flooding from the sensitivity study is valid.

As shown in the tables below, the number of RICT days for each LCO are not highly sensitive to the reliabilities of the FLEX equipment or those operator actions associated with the FLEX equipment. Neither the FLEX HRAs or the FLEX equipment failure rates are significant to the RICT application. The CDF column represents the limiting RICT based on CDF numbers only.

The LERF column represents the limiting RICT based on LERF numbers only.

Table 15.c.iii-1 FLEX Sensitivity to Equipment and Human Failures (One off-site circuit and one EDG inoperable)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.1.1 c.1 8.37E-04 1.89E-04 Delta 8.03E-04 1.85E-04 RICT (days) 4.55 2.0 Degraded FLEX SSCs (TRUE) 3.4613E-4 1.3423E-4 3.8.1.1 c.1 8.38E-04 1.89E-04 Delta 8.04E-04 1.85E-04 RICT (days) 4.54 2.0

U.S. Nuclear Regulatory Commission RA-20-0223 Page 41 Table 15.c.iii-2 FLEX Sensitivity to Equipment and Human Failures (One off-site circuit and one EDG inoperable)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.1.1 c.1 8.37E-04 1.89E-04 Delta 8.03E-04 1.85E-04 RICT (days) 4.55 2.0 Degraded FLEX HRAs (TRUE) 3.4579E-4 1.3415E-4 3.8.1.1 c.1 8.38E-04 1.89E-04 Delta 8.03E-04 1.85E-04 RICT (days) 4.54 2.0 Table 15.c.iii-3 FLEX Sensitivity to Equipment and Human Failures (One off-site circuit and one EDG inoperable)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.1.1 c.1 8.37E-04 1.89E-04 Delta 8.03E-04 1.85E-04 RICT (days) 4.55 2.0 Degraded All FLEX (TRUE) 3.4685E-4 1.3431E-4 3.8.1.1 c.1 8.39E-04 1.89E-04 Delta 8.04E-04 1.85E-04 RICT (days) 4.54 2.0

U.S. Nuclear Regulatory Commission RA-20-0223 Page 42 Table 15.c.iii-4 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (DC Sources - Operating One battery not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 1.56E-4 1.76E-5 Delta 1.21E-4 1.36E-5 RICT (days) 30.1 27 Degraded FLEX SSCs (TRUE) 5.4187E-6 1.549E-6 3.8.2.1 1.57E-4 1.78E-5 Delta 1.23E-4 1.37E-5 RICT (days) 29.8 26.6 Table 15.c.iii-5 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (DC Sources - Operating One battery not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 1.56E-4 1.76E-5 Delta 1.21E-4 1.36E-5 RICT (days) 30.1 27 Degraded FLEX HRAs (TRUE) 5.5606E-6 1.5222E-6 3.8.2.1 1.57E-4 1.78E-5 Delta 1.23E-4 1.37E-5 RICT (days) 29.8 26.6

U.S. Nuclear Regulatory Commission RA-20-0223 Page 43 Table 15.c.iii-6 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (DC Sources - Operating One battery not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 1.56E-4 1.76E-5 Delta 1.21E-4 1.36E-5 RICT (days) 30.1 27 Degraded FLEX All (TRUE) 6.831E-6 1.7099E-6 3.8.2.1 1.59E-4 1.79E-5 Delta 1.24E-4 1.39E-5 RICT (days) 29.5 26.3 Table 15.c.iii-7 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (DC Sources - Operating; One DC Bus is not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 2.08E-3 2.76E-4 Delta 2.05E-3 2.72E-4 RICT (days) 1.8 1.34 Degraded FLEX SSCs (TRUE) 1.4353E-3 2.0795E-4 3.8.2.1 2.11E-3 2.80E-4 Delta 2.08E-3 2.76E-4 RICT (days) 1.8 1.32

U.S. Nuclear Regulatory Commission RA-20-0223 Page 44 Table 15.c.iii-8 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (One DC Bus is not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 2.08E-3 2.76E-4 Delta 2.05E-3 2.72E-4 RICT (days) 1.8 1.34 Degraded FLEX HRAs (TRUE) 1.4383E-3 2.0799E-4 3.8.2.1 2.11E-3 2.80E-4 Delta 2.08E-3 2.76E-4 RICT (days) 1.8 1.32 Table 15.c.iii-9 FLEX Sensitivity to Equipment and Human Failures DC Sources - Operating 3.8.2.1 Action (One DC Bus is not available)

CDF (/yr) LERF (/yr)

Base (No Maintenance) 3.48E-05 4.04E-06 3.8.2.1 2.08E-3 2.76E-4 Delta 2.05E-3 2.72E-4 RICT (days) 1.8 1.34 Degraded FLEX All (TRUE) 1.4660E-3 2.1227E-4 3.8.2.1 2.14E-3 2.84E-4 Delta 2.11E-3 2.80E-4 RICT (days) 1.7 1.30 Since the sensitivity study shows that the RICT calculations are not sensitive to FLEX modeling, there is little or no risk insights to be gleaned from these sensitivities, and therefore little impact on RMA development. Current plant alignment and equipment configurations will be utilized to establish RMAs as the Duke Energy processes and guidelines dictate.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 45 d) Regarding human reliability analysis, address the following:

i. Discuss whether any credited operator actions related to FLEX equipment contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06.

If any credited operator actions related to FLEX equipment contain actions described in Sections 7.5.4 and 7.5.5 of NEI 16-06, answer either item ii or iii below.

Duke Energy Response to Question 15, Part d, Part i There are HNP operator actions related to the implementation of FLEX strategies that contain the activities described in Sections 7.5.4 and 7.5.5 of NEI 16-06. These actions are:

OPER-FLEX1 - OPERATOR FAILS FLEX LOAD SHED OPER-FLEX2 - OPERATOR FAILS TO ALIGN AND START THE FLEX DG OPER-FLEX3 - OPERATORS FAIL TO REFUEL THE FLEX DG OPER-FLEX4 - OPERATOR FAILS TO ALIGN AND START FLEX AFW PUMP OPER-FLEX6 - OPERATOR FAILS TO ALIGN AND START FLEX RCS PUMP All five actions were considered for the internal events and internal flooding, but OPER-FLEX6 is currently not credited.

ii. Justify and provide results of LCO specific sensitivity studies that assess impact from the FLEX independent and dependent HEPs associated with deploying and staging FLEX portable equipment on the RICTs proposed in this application.

Part of the response should include the following:

1. Justify independent and joint HEP values selected for the sensitivity studies, including justification of why the chosen values constitute bounding realistic estimates;

2. Provide numerical results on specific selected RICTs and discussion of the results;

3. Discuss composite sensitivity studies of the RICT results to the operator action HEPs and the equipment reliability uncertainty sensitivity study provided in response to item (c)(iii) above.

4. Describe how the source of uncertainty due to the uncertainty in FLEX operator action HEPs will be addressed in the RICT program. Describe specific RMAs being proposed, and how these RMAs are expected to reduce the risk associated with this source of uncertainty.

Duke Energy Response to Question 15, Part d, Part ii See Duke Energy response to Part d, Part iii.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 46 iii. Alternatively, to item ii) above, provide the following discussion of the uncertainties associated with supporting requirements (SR) HR-G3 and HR-G7 of ASME/ANS RA-Sa-2009 to support detailed NRC review:

1. The level and frequency of training that the operators and/or non-operators receive for deployment of the FLEX equipment (performance shaping factor (a) in SR HR-G3),

2. Performance shaping factor (f) in SR HR-G3, regarding estimates of time available and time required to execute the response,

3. Performance shaping factor (g) in SR HR-G3 regarding complexity of detection, diagnosis and decision making and executing the required response,

4. Performance shaping factor (h) in SR HR-G3 regarding consideration of environmental conditions, and

5. Human action dependencies as listed in SR HR-G7.

Duke Energy Response to Question 15, Part d, Part iii EPRI 3002013018, Human Reliability Analysis (HRA) for Diverse and Flexible Mitigation Strategies (FLEX) and Use of Portable Equipment: Examples and Guidance, has provided a systematic approach to addressing the issues addressed in NEI 16-06 Sections 7.5.4 and 7.5.5 (and related uncertainties with modeling FLEX-related HFEs) and insights from the guidance indicate that for some of the activities identified, the available methodologies may overestimate the task failure probabilities.

• Debris removal: The suggested treatment is account for the task in the timeline rather than to quantify an HEP because commonly used HRA methodologies do not address this type of work. While this could be considered be a non-addressed contributor to the FLEX strategy failure probability, debris removal is not expected to be a major faction for the full power internal events (FPIE) or internal flooding. All actions credited (with the exception of load shedding, which is an internally performed action) have ample time to recover or perform their execution actions as the total time available for the FLEX actions is of long duration. Additional time spent working on debris removal is not expected to be a significant issue for these FLEX actions.

• Transportation of Portable Equipment: EPRI 3002013018 provided an approach to assessing the risk from potential transportation errors and they were determined to be negligible contributors for HNP. No reasonable variations in the probability of failure for these tasks is expected to impact the action HEPs.

• Installation of Equipment at Staging Location/Addressing Complex Actions in Mitigating Strategies: EPRI 3002013018 indicates that a weakness of using the technique for human error-rate prediction (THERP) to assess tasks comprised of many steps is that the aggregate HEP can be unrealistically high. For those tasks that are not directly represented by the THERP data, EPRI 3002013018 requires a

U.S. Nuclear Regulatory Commission RA-20-0223 Page 47 basis to be developed for surrogate values used. This may lead to a greater degree of uncertainty in the HEPs for sub-steps, but the surrogate values are generally applied to those actions that are comprised of many steps (e.g. making hose connections), which would reduce the likelihood of underestimating the FLEX action HEP.

• Routing of Hoses and Cables: The treatment of these tasks fits into the category of self-revealing errors in EPRI 3002013018. If the hoses or cables are incorrectly routed such that they cannot be connected to equipment, the action could not progress. If there is adequate time for recovery (true for the relevant HNP actions) and no irreversible consequence occurs, the errors are treated as negligible contributors to risk. No reasonable variations in the probability of failure for these tasks is expected to impact the action HEPs.

All timings were based on validation of the actions with operators using a walk through and actual performance (as practical) of the actions following the FLEX support guidelines. The only time that was estimated was the execution time for refilling the FLEX EDG. This was based on an estimate with discussion with the site.

1. Discussions with the site indicated that training took place in the simulator and in the classroom once per year. There is no assumption made in this regard.

2. OPER-FLEX1 - Operators fail to Load Shed - Load shedding is required to be completed within two hours of the declaration of ELAP to extend the batteries to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Based on the validation of this action it was found that this would take 42 minutes. Given that this execution timing is based on actual execution/practice of the HRA event there is little uncertainty related to this action.

OPER-FLEX2 - Operators fail to Align and Start FLEX DG - Total time available is based on successful load shedding of the batteries. There could be some uncertainties related to how well this is done or the actual load of the components remaining (or when they shed). The total execution time of this event provides greater than 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> of recovery time. The total execution time is 4.64 hours7.407407e-4 days <br />0.0178 hours <br />1.058201e-4 weeks <br />2.4352e-5 months <br /> (2.64 hours7.407407e-4 days <br />0.0178 hours <br />1.058201e-4 weeks <br />2.4352e-5 months <br /> actual execution time plus 1-hour time delay and 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for cognitive decisions). Execution of the actual steps is 2.64 hours7.407407e-4 days <br />0.0178 hours <br />1.058201e-4 weeks <br />2.4352e-5 months <br /> and is based on validation of the action. Total system window prior to irreversible damage is 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Given that there is over 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for any recovery actions to take place, any uncertainties made in regard to the total time available of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> would be mitigated.

OPER-FLEX3 - Operators fail to Refuel the FLEX DG - A total time available to complete this is action is estimated to be 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br />. This assumes that the diesel is started 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> into the event (which is conservative as the diesel could be started 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> into the event). The diesels fuel consumption is known and can run for 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> before needing to be refueled. After 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> the indication that the diesel needs to be refueled is reached and it is assumed this action will take 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This is a conservative timing and leaves an additional 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for recovery of either not knowing the diesel is required to be refueled or the execution portion of refueling.

While there is uncertainty in the execution time of this action, there is still 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> of time to recover the execution portion. In addition, the total time available is

U.S. Nuclear Regulatory Commission RA-20-0223 Page 48 conservatively evaluated as this timing could be 23 hours2.662037e-4 days <br />0.00639 hours <br />3.80291e-5 weeks <br />8.7515e-6 months <br /> instead of the assumed 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br />.

OPER-FLEX4 - Operators fail to align and start FLEX AFW Pump - Total time available for this operator action is based on a 12-hour system window prior to an irreversible damage state being reached. The turbine-driven auxiliary feedwater pump (TDAFW) is expected to operate for a minimum of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The delay time is estimated to be approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The actual execution time is established as approximately 61 minutes to complete. Given that there is about 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for any recovery actions to take place, any uncertainties made in regard to the total time available is considered adequate.

3. For the FLEX actions developed, the complexity of detection, diagnosis and decision making and execution was deemed to be low. This is because these actions are deemed to be obvious given the scenario involved (LOOP with failure of EDGs) in which FLEX is credited in the PRA model. Given the scenario, operators would have no alternative other than to start deploying FLEX and procedural guidance. Per the FLEX Support Guideline (FSG) documents, the operators would execute the strategy in line with what is written and practiced. Therefore, it is judged that detection and execution of the actions, as well as other associated performance shaping factors, is high given the obvious and robust cues and the guidelines available to the operators.

4. The performance shaping factor for environmental conditions directly feeds into the level of execution stress assessed in making the action. For all FLEX operator actions, a high level of execution stress was selected regardless of the level recommended by the environmental performance shaping factors. While moderate could be selected, it was deemed reasonable to select high given the scenario. As such, this is categorized as a conservative assumption.

5. Joint HFEs involving FLEX were evaluated using the HRA Dependency analysis tool and related decision tree within the HRA Calculator. Calculated dependency values are carried through to quantification and used to determine CDF and LERF values. There are currently 36 HRA combination events identified and included in the PRA model which include FLEX operator actions. Two of the 36 are set to a floor value of 1E-6 which, after review, appear to be an appropriate assessment as they contain events with a 21-hour system window in which to compete the tasks. The FLEX operator action of concern is to refill the FLEX DG fuel oil tank. As shown by the sensitivity study, it is not expected that this will have any impact on calculated RICTs with regard to this application as the dependencies were set to one in the sensitivity study evaluating FLEX HRA with no observable impact seen.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 49 e) The AMSE/ANS RA-Sa-2009 PRA standard defines PRA upgrade as the incorporation into a PRA model of a new methodology or significant changes in scope or capability that impact the significant accident sequences or the significant accident progression sequences. Section 1-5 of Part 1 of ASME/ANS RA-Sa-2009 PRA Standard states that upgrades of a PRA shall receive a peer review in accordance with the requirements specified in the peer review section of each respective part of this Standard.

Provide an evaluation of the model changes associated with incorporating mitigating strategies, which demonstrates that none of the following criteria is satisfied: (1) use of new methodology, (2) change in scope that impacts the significant accident sequences or the significant accident progression sequences, and (3) change in capability that impacts the significant accident sequences or the significant accident progression sequences.

Duke Energy Response to Question 15, Part e Incorporation of FLEX into the HNP PRA model reflects plant modifications and procedure changes. The methods in which the FLEX equipment and HRAs were incorporated into the model has been consistent with existing Duke Energy processes and procedures. Updating the model to reflect such a change is necessary to maintain the model as representative of the as-built, as-operated plant. As shown in the sensitivity analysis, the inclusion of FLEX equipment does not constitute a significant change in scope nor does it greatly impact the results for this application. The incorporation of FLEX equipment is considered a model maintenance activity just as addition of any other plant equipment per Duke Energy processes. Accident sequences progress in the same manner as before, except there is the possibility of extended time for power to be available and alternate injection sources. Risk estimation capability is not changed; all FLEX system implementations were made utilizing the existing PRA methodology.

The model changes associated with incorporating FLEX mitigating strategies are recorded in Duke Energy PRA documentation. These changes are limited to including the equipment failures of FLEX into the appropriate places in the model. Quantification of internal events shows that FLEX does not reduce CDF/LERF in a meaningful manner or impact significant accident sequences.

Question 18 - High Winds PRA The NRC staff SE to NEI 06-09, Revision 0, states In order to support the RMTS, the plant-specific CRMP must include the capability to assess LERF, and must include a quantified assessment of all significant sources of risk (i.e., external events and fires) which can be impacted by changes to the plant configuration. Where PRA models are not available, conservative or bounding analyses may be performed to quantify the risk impact and support the calculation of the RICT. Sources of risk shown to be insignificant or unaffected by changes in plant configurations may be neglected in the RICT calculations. This assures that the RICT is calculated with appropriate consideration of all potentially significant sources of risk. of the LAR provides a qualitative assessment of the high winds hazard and screens this hazard from inclusion in the RICT calculations. Specifically, hurricanes are screened as not applicable to the RICT Program, straight line winds are stated to already be included in the internal events PRA, and tornadoes are screened based on the design basis for Harris meeting

U.S. Nuclear Regulatory Commission RA-20-0223 Page 50 the 1975 Standard Review Plan criteria. However, the NRC staff is aware that a high wind PRA has been developed for Harris. In the LAR dated February 18, 2019 for ESCWS allowed outage time, the licensee explains that this PRA was peer reviewed in 2015 and the four finding F&Os subsequently dispositioned. The ESCWS LAR also reports a high winds CDF of 2.14E-06 per year and LERF of 2.24E-07 per year. The NRC staff notes that these CDF and LERF values are comparable to those reported in the TSTF-505 LAR for internal events and for internal flooding events. Based on the CDF results reported for the High Wind PRA being greater than 1E-06 per year, the NRC staffs concern is that there are potentially high winds vulnerabilities that could impact the RICT calculations. In light of this concern, address the following:

a) Provide justification for not including the High Wind PRA in the RICT Program. The justification should discuss vulnerabilities to SSCs credited in the PRA, include the results of a sensitivity study that evaluates the impact of high winds on the RICT estimates provided in Table E1-2 of the LAR (especially for those SSCs for which the estimated RICT is less than 30 days), and discuss if RMAs are needed to protect against vulnerabilities.

b) If justification cannot be provided to exclude the High Wind PRA from the RICT Program, incorporate the High Wind PRA into the RICT Program and provide applicable updated LAR sections (e.g., Enclosures 1, 2, 4, 5, 7, 9).

Duke Energy Response to Question 18 Regulatory Position C.2.3.2 of RG 1.177 states that a licensee should perform evaluations of CDF and LERF to support any risk-informed changes to TS. The scope of the analysis should include all hazard groups (i.e., internal events, internal flooding, fires, seismic events, high winds, and other external hazards) unless it can be shown the contribution from specific hazard groups does not affect the decision.

High winds are not considered a significant hazard for HNP and have been screened as a negligible contributor for HNP. The basis for this screening is provided below. Additionally, the justification below discusses insights from the high wind PRA (HWPRA) and presents relative contribution to the high wind CDF and LERF from the distinct high wind categories (hurricanes, straight-line winds, and tornadoes). The initial ESCWS LAR reported a high winds CDF of 2.14E-06 per year and LERF of 2.24E-07 per year. These are the values which are evaluated in the discussion below. Also, the discussion below provides some examples of how the CDF and LERF values presented above are conservative.

The high wind treatment was divided into three distinct categories, as follows:

• Hurricanes

• Straight-Line Winds

• Tornadoes The end goal for high winds treatment for the application is to see if the hazard can be screened in accordance with Section 6-2 of the ASME/ANS RA-Sa 2009 PRA standard. Specifically, Section 6-2.3 states the following:

U.S. Nuclear Regulatory Commission RA-20-0223 Page 51 An event can be screened out for the following reasons:

(a) If it meets the criteria in the NRCs 1975 Standard Review Plan (SRP) or a later revision; or (b) If it can be shown using a demonstrably conservative analysis that the mean value of the frequency of the design-basis hazard used in the plant design is less than ~10-5/yr and that the conditional core damage probability is <10-1, given the occurrence of the design-basis hazard event; or (c) If it can be shown using a demonstrably conservative analysis that the CDF is

<10-6 /yr.

The following sections provide justification for screening high winds from inclusion regarding RMTS.

HURRICANES RMTS are to be applied to at-power operations and not for shutdown conditions. The site procedure for response to severe weather directs Operations to place the plant in Mode 3 at least two hours prior to the anticipated arrival of sustained winds in excess of 74 mph at the site (i.e., hurricane force winds). Hurricanes, therefore, do not apply to the RMTS in the at-power PRA model and can be screened from inclusion in calculations.

The portion of the HWPRA that hurricanes contributed is 20.8% to CDF (4.45E-7) and 20.8% to LERF (4.66E-8). This contribution can be removed from consideration in the HWPRA discussion above.

STRAIGHT-LINE WINDS The straight-line wind hazard includes winds primarily from thunderstorms and extratropical storms. Since these events involve a lower wind speed, the primary consideration is a loss of offsite power (LOOP).

Since LOOP events (including weather related LOOPs) are considered and modeled in the internal events PRA model, the hazard associated with straight-line winds was already considered in the RMTS calculations based on the FPIE PRA and need not be addressed separately in a high winds PRA. Including the risk associated with straight-line wind-induced LOOP events in the RMTS AOT calculations using a high wind PRA would have constituted double counting with the FPIE PRA model.

The entire portion of the HWPRA that straight-line wind events contributed is 64.5% to CDF (1.38E-6) and 64.7% to LERF (1.45E-7). However, not all these sequences are addressed in the FPIE PRA. Only the subset of straight-line wind events that cause a reactor trip or a LOOP, but do not have additional high wind failures, are accounted for in the FPIE PRA. That portion is 48.1% of CDF (1.03E-6) and 48.7% of LERF (1.09E-7). That is, this is the portion of the HWPRA model results that are addressed by the FPIE PRA and can be removed from consideration in the HWPRA. The aggregate of hurricanes and straight-line wind events that can be removed from consideration from the HWPRA is 68.9% of CDF (1.48E-6) and 69.5% of LERF (1.56E-7).

U.S. Nuclear Regulatory Commission RA-20-0223 Page 52 TORNADOES Per the assessment of high winds in Section 3.3 of the HNP UFSAR, structures, systems, or components (SSCs) whose failure (due to design wind loading, tornado wind loading, or associated missiles) could prevent safe shutdown of the reactor, or result in significant uncontrolled release of radioactivity from the unit, are protected from such failure by one of the following methods:

a) the structure or component is designed to withstand design wind, tornado wind and tornado-generated missiles, or b) the system or components are housed within a structure which is designed to withstand the design wind, tornado wind and tornado-generated missiles.

As such, the design basis for this event meets the criteria in the 1975 SRP and can be screened from inclusion in the calculations. Additionally, the most likely damage would be a LOOP event, which is already included in the FPIE PRA model. Thus, the tornado hazard for HNP can be screened from the RMTS.

The entire portion of the HWPRA that tornadoes contributed is 15.1% to CDF (3.23E-7) and 14.4% to LERF (3.22E-8). However, similar to straight-line wind events, not all these sequences are addressed in the FPIE PRA. Only the subset of tornadoes that cause a reactor trip or a LOOP, but do not have additional high wind failures, are accounted for in the FPIE PRA. That portion is 3.6% of CDF (7.62E-8) and 2.4% of LERF (5.28E-9). That is, this is the portion of the HWPRA model results that are addressed by the FPIE PRA and can be removed from consideration in the HWPRA. The aggregate of hurricanes, straight-line wind events and tornadoes that can be removed from consideration from the HWPRA is 72.5% of CDF (1.55E-6) and 71.9% of LERF (1.61E-7).

Finally, after removing all the hurricanes from the HWPRA, and straight-line wind events and tornadoes which are already explicitly evaluated in the FPIE PRA, a relatively small portion remains. Of the CDF of 2.14E-06 per year and a LERF of 2.24E-07 per year that the HNP HWPRA reports, the portion not included in the FPIE PRA is 27.5% of CDF (5.89E-7) and 28.1% of LERF (6.31E-8). These values are well below the 1.0E-6 and 1.0E-07 screening thresholds for CDF and LERF, respectively. Furthermore, there is still substantial conservatism in the remaining portion of CDF and LERF.

In addition to the conservatism in the HWPRA results due to inapplicability of hurricanes to RMTS and the double counting of the risk from straight line winds when applying the HWPRA results, additional conservatism exists in the HWPRA model with respect to the wind pressure fragility of the dedicated shutdown diesel generator (DSDG). In response to RAI 02 in the NRC letter dated July 23, 2019 (ADAMS Accession No. ML19204A268), Duke Energy discussed the conservatisms in the wind pressure fragility used for the DSDG. The response to RAI 02 in the September 3, 2019 letter (ADAMS Accession No. ML19246A731) states that the anchorage for the DSDG is not considered in the calculation of the wind pressure fragility for the high winds PRA (i.e., only the weight of the DSDG was considered in the fragility), which leads to a conservatively high wind pressure fragility (failure probability) of the DSDG. Since the DSDG provides backup power to SSCs used to safely shut down the plant, given a LOOP and the loss of the EDGs, this conservatism leads to conservatism in the overall HWPRA results. Other conservatism in the HWPRA is that is that no high wind LOOPs are considered for offsite power

U.S. Nuclear Regulatory Commission RA-20-0223 Page 53 recovery. Since most of the high wind CDF and LERF is comprised of the lower-end F1 and F2 windspeeds, a portion of those could presumably have offsite power recovered but that recovery is not credited in the HWPRA model. Additionally, FLEX is not credited in the HWPRA. It would be expected that FLEX could provide another line of defense to prevent core damage, especially in sequences with EDG fail-to-run events.

Finally, the process for the real-time risk (RTR) to calculate the RICT explicitly addresses the weather condition expected during the out of service time when calculating the RICT. See the response to audit question 11.a for further details.

Based on the discussion above, although the HNP HWPRA reports a CDF of 2.14E-06 per year and a LERF of 2.24E-07 per year, most of this CDF and LERF is not applicable to this RMTS application since it either:

1. does not apply to this application since the plant would not be in an applicable mode when the event occurred (hurricanes),

2. it is already substantially, if not completely, addressed in the FPIE PRA (straight line winds), or

3. has a negligible contribution to risk since SSCs whose failure (due to design wind loading, tornado wind loading, or associated missiles) could prevent safe shutdown of the reactor, or result in significant uncontrolled release of radioactivity from the unit, are protected from such failure by being designed to withstand design wind, tornado wind and tornado generated missiles, or being housed within a structure which is designed to withstand the design wind, tornado wind and tornado generated missiles.

Additionally, the HWPRA model has significant conservatism built in regarding the treatment of the DSDG, LOOP recoveries, and not crediting FLEX equipment. Therefore, the results from the HWPRA are appropriately screened from use in the RICT calculation.

Question 19 - Manual Actions The LAR is a risk-informed request to modify Harris, Units 1 Technical Specification consistent with the approach approved in TSTF-505 Revision 2. In Section 3.1.2.3 Evaluation of Instrumentation and Control Systems of the TSTF-505, Revision 2, Model Application, the NRC clarifies the basis of the staffs SE is to consider a number of potential plant conditions allowed by the new TSs and to consider what redundant or diverse means were available to assist the licensee in responding to various plant conditions. The TSTF-505, Revision 2, states that at least one redundant or diverse means (e.g., other automatic features or manual action) to accomplish the safety functions (e.g., reactor trip, safety injection, or containment isolation) remain available during the use of the RICT.

In addition, the RG 1.174 Revision 2 (ADAMS Accession No. ML100910006) states the licensee should assess whether the proposed [licensing basis] LB change meets the defense-in-depth principle by not over-relying on programmatic activities as compensatory measures associated with the change in the LB. The RG 1.174, Revision 3, further elaborates that human actions (e.g., manual system actuation) are considered as one type of compensatory measure.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 54 In Section 5, MAINTAINING DEFENSE-IN-DEPTH, of the LAR Enclosure 1 List of Revised Required Actions to Corresponding PRA Functions the licensee identifies the diverse means for each affected I&C function under each postulated accident. A number of diverse means are identified solely as manual actuation.

Please confirm that these manual actuations identified in Section 5 are modeled in PRA, defined in Harris operation procedures to which operators are trained, and describe how the times associated with these actions are evaluated as adequate.

In addition, the licensee does not provide diverse means for the following functional units:

1. LCO 3.3.1 FUNCTIONAL UNIT 21. Automatic Trip and Interlock Logic

2. LCO 3.3.2 FUNCTIONAL UNIT 1. Safety Injection b. Automatic Actuation Logic and Actuation Relays

3. LCO 3.3.2 FUNCTIONAL UNIT 2. Containment Spray b. Automatic Actuation Logic and Actuation Relays

4. LCO 3.3.2 FUNCTIONAL UNIT 3. Containment Isolation a. Phase A Isolation 2)

Automatic Actuation Logic and Actuation Relays

5. LCO 3.3.2 FUNCTIONAL UNIT 3. Containment Isolation b. Phase B Isolation 2)

Automatic Actuation Logic and Actuation Relays

6. LCO 3.3.2 FUNCTIONAL UNIT 4. Main Steam Line Isolation b. Automatic Actuation Logic and Actuation Relays

7. LCO 3.3.2 FUNCTIONAL UNIT 5. Turbine Trip and Feedwater Isolation a. Automatic Actuation Logic and Actuation Relays

8. LCO 3.3.2 FUNCTIONAL UNIT 6. Auxiliary Feedwater b. Automatic Actuation Logic and Actuation Relays

9. LCO 3.3.2 FUNCTIONAL UNIT 7. Safety Injection Switchover to Containment Sump a.

Automatic Actuation Logic and Actuation Relays

10. LCO 3.3.2 FUNCTIONAL UNIT 8. Containment Spray Switchover to Containment Sump

a. Automatic Actuation Logic and Actuation Relays Duke Energy Response to Question 19 A detailed review was performed of the manual actuations identified in Section 5 in Table E1-4 RTS Instrumentation Diversity under the column Diverse Reactor Trips and Table E1-5 ESFAS Instrumentation Diversity Diverse Protection (including the functional units described in Question 19 above). This review verified that these actuations have a diverse means of performing the function via manual actions that are in the PRA model, HNP Emergency Operating Procedures (EOPs), or both.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 55 The details of this review related to the times associated with these actions were discussed with the NRC audit team and were not requested to be placed on the docket.

Question 20 - Functional Trip Capability The TSTF-505, Revision 2, excludes loss of function conditions (e.g. trip capability is not maintained) from the risk informed completion time program. FUNCTIONAL UNIT 6.f in TS TABLE 3.3-3 starts the motor driven auxiliary feedwater pumps by loss of both main feedwater pumps. Per TS TABLE 3.3-3 and Updated Final Safety Analysis Report (UFSAR), 7.3.1.3.3, Auxiliary Feedwater System, this functional unit has one channel per main feedwater pump, and both channels for both pumps are required to initiate the motor driven auxiliary feedwater pump starting signal. Please confirm under ACTION 15, the FUNCTIONAL UNIT 6.f in TS TABLE 3.3-3 still maintains its trip capability.

Duke Energy Response to Question 20 Upon further review of TS 3.3.2 Table 3.3-3 Functional Unit 6.f for trip of all Main Feedwater Pumps (MFP)- Start Motor-Driven Pumps (MDAFW), the time period during which HNP would enter Action 15 with an inoperable channel, until the jumper is installed to bypass the failed channel, does represent a loss of safety function. The associated contacts to fulfill the function are in series (one from each MFP), thus if one is inoperable, the path (either path) could not be credited.

Therefore, TS 3.3.2 Functional Unit 6.f is being removed from the scope of the RICT Program.

Question 25 - Electrical Defense-in-Depth Example RMAs to ensure that a reasonable balance of defense-in-depth is maintained, are discussed in Enclosure 12 Section 7 of LAR. The NRC staff needs to discuss with Harris staff the RMAs associated with the following TS conditions with a focus on maintaining and assuring the defense-in- depth requirements for various electrical TS actions. Examples of information requested include, deferred preventive maintenance/surveillance, and actions designed to increase confidence in redundant and backup systems for defense-in-depth purposes.

a. TSTF 3.8.1.1 Condition a

b. TSTF 3.8.1.1 Condition b

c. TSTF 3.8.1.1 Condition c

d. TSTF 3.8.2.1

e. TSTF 3.8.3.1 Condition a

f. TSTF 3.8.3.1 Condition c

g. TSTF 3.8.3.1 Condition d Duke Energy Response to Question 25 HNP procedures contain guidance on the development of RMAs, RMA implementation during the execution of a RICT, and example RMAs to guide personnel. The example RMAs have been pre-developed for fire a(4) considerations but parallel the RMA process and considerations to be made in similar determinations for a RICT.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 56 The process for developing RMAs is outlined in response to Question 14 above. Example RMAs were provided in the LAR. Additionally, an example RMA for the B Emergency Diesel Generator being out of service is provided below. This example also shows the typical format for Duke Energys approach to RMAs and the associated documentation.

<< B-SB Emergency Diesel Generator RMA Form >>

W/O Number:

Clearance Number:

1. System: DIESEL GENERATOR SYSTEM (5095)

2. Component: 1DG-E003, Emergency Diesel Generator B-SB

3. Unavailable Equipment: 1DG-E003, Emergency Diesel Generator B-SB

4. Applicable Requirements: Modes 1 through 4

5. Time Requirements: Within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the Risk Management Actions (RMAs) are required to be implemented.

6. Risk Sensitive Areas: Turbine Building 261', Turbine Building 286',

Main Transformers (A, B, and C), Startup Transformers (1A and 1B),

Auxiliary Transformers (1A and 1B), RAB 261 Fire Area 1-A-BAL-B RAB-261 Fire Area 1-A-BAL-D, ASI Room, RAB 286 - Switchgear Room A RAB 286 - Switchgear Room B, RAB 286 - S-3 Area and Penetration Room, (1-A-BAL-J, Fire Zones 1-A-5-HV3, and 1-A-5-HVA only), Switchyard

7. Risk Management Actions Log initiated. /

Signature Date

8. Risk Management Actions Log completed. /

Signature Date

U.S. Nuclear Regulatory Commission RA-20-0223 Page 57

9. Reviewed by:

Shift Manager Date Completed Risk Mitigation Actions (RMAs) Log Initials Time Date Begin minimizing Switchyard and Transformer activities affecting offsite power supplies (2)

Begin minimizing high energy circuit breaker operations (480v) in the Risk Sensitive Areas (2)

Begin minimizing equipment swaps in the Risk Sensitive Areas (2)

Validate alert/alarm computer points for 6.9kV motors in the TB are operating in the normal range (2)

Protect/post Risk Sensitive Area per AD-OP-ALL-0201 (2)

Verify applicable detection, barriers, dampers operable for the Risk Sensitive Areas (2)

Walk down the Risk Sensitive Areas for fire hazards (transient combustibles, hot work, openings for electrical cabinets are secured shut or documented open etc,) (2)

Begin limiting scheduled test activities and maintenance activities in the Risk Sensitive Areas (2)

Inform the following groups of the Risk Sensitive Areas: (2)

• Fire Brigade

• Work Control

• Operations Within 7 days, contact Fire Protection Program Manager to determine success path(s) or additional RMAs necessary after 14 days Restore unavailable equipment within 14 days When the unavailable equipment is returned to service, remove protected equipment signs When the unavailable equipment is returned to service, then Risk Mitigation Actions may be terminated Additional actions taken:

NOTES:

1. Time requirements not met shall be explained in the remarks.

2. Initial actions required within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 58 Question 27 - Estimated RICT Values 2 to the LAR contains the approximate values of RICT for the electrical TS required actions. The actual RICT is calculated using CRMP. There could be a range of RICT values depending on different plant configuration. Please provide the RICT values for the Harris TS associated with all electrical power systems. Please provide the possible ranges of RICT considering the best and the worst configurations that could be anticipated.

Duke Energy Response to Question 27 Normal conduct of operations limits voluntary entry into greater than green risk configurations, and administrative processes and procedures provide guidance that are designed to minimize plant risk. Table E1-2 of the LAR provides the base-case scenario for LCO entry and quantifies a representative value for risk informed completion time based on those basic events (BE) being failed. In order to estimate a worst-case scenario for quantification without entry into a shutdown required TS, the additional BEs listed in the Compounded Degradation BEs column of the table below were set to TRUE. The BEs selected for the Compounded Degradation case were derived by running an importance report on each applicable scenario. The additional BEs, as indicated from the importance report, were then set to TRUE in addition to those BEs in the base case. A comparison of RICT in days is in the Compounded Degradation RICT (days) column. The table below displays the possible ranges of RICT considering differing configurations.

Compounded Best Case RICT Best Case Compounded Degradation BEs Tech Specification Case (Phoenix Function RICT Degradation (Phoenix Function Code) (days) RICT (days)

Code)

AC Sources - A56-1 JTRSUTA/SU 8.9 WPM/ESWAWS 2.3 Operating (ACP_013) ESWA (1SW-E005)

HNP: 3.8.1.1 Action TS 3.7.4 a.2 AC Sources - A57-1 PDGE1ASAFS 26.6 JCB1D101NN 3.7 Operating SUT breaker to Aux HNP: 3.8.1.1 Action Bus 1D (ACP_004) b.3 3.8.1.1.C AC Sources - A58-1 JTRSUTA/SU 4.8 FPT1XSABFS 0.6 Operating JTRSUTB/SU TDAFW HNP: 3.8.1.1 Action PDT-01AF-2180SB d.1 3.7.1.2 Action a AC Sources - A60-1 ERYUR1SANN 30 CBS1DPS2FN 2.1 Operating ERYUR2SANN IDP-1B-SII HNP: 3.8.1.1 Action (ESF_065) (1B Inst Dist Panel) h.1 (ESF_076) TS 3.8.3.1 DC Sources - A61-1 DBC1A-SAFN 30 YAVDW533NN 10.2 Operating DBC1B-SAFN Demin Transfer HNP: 3.8.2.1 Action (DCS_001 and Pump (FCV9562)

(undesignated) DCS_002) (DMIN004)

DC Sources - A62-1 DBA1A-SAFN 27.7 YAVDW533NN 7.8 Operating Demin Transfer HNP: 3.8.2.1 Action Pump (FCV9562)

(undesignated) (DMIN004)

U.S. Nuclear Regulatory Commission RA-20-0223 Page 59 Compounded Best Case RICT Best Case Compounded Degradation BEs Tech Specification Case (Phoenix Function RICT Degradation (Phoenix Function Code) (days) RICT (days)

Code)

Inverters - A64-1 CIICHI//FN 30 UAVCS283NN 10.7 Operating Boric Acid MUFCV HNP: 3.8.3.1 Action (ICS-283 or c CVCS010)

Question 28 - Electrical Source and Load Models Table E1-1 of LAR identifies the corresponding PRA functions for in-scope TS. In order to ensure that the PRA models associated with electrical sources and loads are consistent with the LCO requirements, the NRC staff requests a demonstration of PRA models for the following electrical systems, and an examination of the associated PRA system notebooks:

• Each of the two DC divisions.

• Each of the two emergency AC divisions including the support systems.

• Each of the two EDGs including the supporting fuel transfer, cooling and ventilation systems.

• The Dedicated Shutdown Diesel Generator including non-skid support system if any.

• 480 VAC loads associated with DSDG.

Duke Energy Response to Question 28 Note: Per the demonstrations associated with Question 28 during the remote audit, the following content was requested to be provided on the docket.

Electrical tie in for the DSDG and the Flex Diesel The DSDG provides backup power to Bus 1D23 via an Automatic Transfer Switch. The normal power to Bus 1D23 is non-safety bus 1D2. Bus 1D23 is an alternate power supply to the A and B Safety Train Battery chargers via manual transfer switches. Refer to the one-line diagram of the DSDG System below. The DSDG is automatically given a start signal by the Automatic Transfer switch upon detecting a loss of normal source (Bus 1D2) to MCC 1D23.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 60 The Flex Diesel connects to safety buses via Flex Temp Power Unit to 1A3-SA or 1B3-SB. Bus 1A3-SA supplies power to 1A21-SA and 1A31-SA. Bus 1B3-SB supplies power to 1B21-SB and 1B31-SB. Once respective Buses 1A21-SA and 1A31-SA or 1B21-SB and 1B31-SB are energized, then the opposite train buses can be energized.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 61 Electrical drawing 6-G-0651 Flex DG one-line diagram is provided below.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 62 Question 29 - Electrical Power Systems RICT associated with each TS action is evaluated by disabling the associated equipment in the PRA model. In some cases, such re-evaluation is not a straightforward undertaking. For example, in TS 3.9.1.1 condition d, with two offsite power inoperable, the plant may be placed in hot shutdown with EDGs feeding the two emergency buses. The NRC staff needs to have a discussion and an explanation of how the PRA models are manipulated to assess the impact due to the following TS changes:

• TSTF 3.8.1.1 Condition d

• TSTF 3.8.1.1 Condition c

• TSTF 3.8.2.1

• TSTF 3.8.3.1 Condition c Duke Energy Response to Question 29 Note: The following bulleted information reflects the information requested by the NRC staff during the remote audit to be put on the HNP docket.

• TS 3.8.1.1 Condition d (with 2 of the required offsite AC sources inoperable) o The PRA model includes Offsite AC power switchyard breakers, Startup Transformers (SUT) and SUT output breakers to buses 1D and 1E that make up the offsite AC sources. (Electronic Risk Assessment Tool (ERAT) is Phoenix) o (one SSC or pair of SSCs from Train A AND Train B)

Train A

• 52-2 Cape Fear North to SUT-A (ERAT code ACP_047) and

• 52-3 North Bus to SUT-A (ERAT code ACP_048)

Or

• SUT-A Startup Transformer 1A (ERAT code ACP_013) (Basic Event JTRSUTA/SU)

Or

• 1D3 Feeder breaker from SUT A to 6.9KV Aux bus 1D (ERAT code ACP_004)

Train B

• 52-13 South Bus to SUT-B (ERAT code ACP_049) and

• 52-14 Cary Regency Park to SUT-B (ERAT code ACP_050)

Or

• SUT-B Startup Transformer 1B (ERAT code ACP_014) (Basic Event JTRSUTB/SU)

Or

• 1E3 Feeder breaker from SUT B to 6.9KV Aux bus 1E (ERAT code ACP_015) o The specific components or the ERAT code would be placed out of service to assess the impact of the TS condition. Only one of the two breakers to the SUTs is required for operability of the SUTs.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 63

• TS 3.8.1.1 Condition c (with one offsite circuit and one diesel generator inoperable) o The PRA model includes the Offsite AC power sources as listed above.

(one SSC or pair of SSCs from Train A OR Train B) o The PRA model includes the EDG 1DG-E002 A EDG (ERAT code EDG_001 EDG 1A-SA and Output breaker 106) (Basic Event PDGE1ASAFS) OR 1DG-E003 B EDG (ERAT code EDG_006 EDG 1B-SB and Output breaker 126) (Basic Event PDGE1BSBFS) o The specific components of the ERAT code would be placed out of service to assess the impact of the TS condition. Only one of the two breakers to the SUTs is required for operability of the SUTs.

• TS 3.8.2.1 (125V emergency battery bank and either full capacity charger) o The PRA model includes the battery banks, battery chargers and the supply breakers to the battery chargers o (one SSCs or pair of SSCs from Train A OR Train B)

Train A

• 1EE-E114 125V Emergency Battery Bank 1A-SA (ERAT code DCS_007) (Basic Event DBA1A-SAFN)

Or

• 1EE-E084 Battery charger 1A-SA (ERAT code DCS_001) (Basic Event DBC1A-SAFN) And

• 1EE-E086 Battery charger 1B-SA (ERAT code DCS_002) (Basic Event DBC1B-SAFN)

Or

• 1A21-SA-3BL:002 MC 1A21 output breaker to charger 1A-SA (ERAT code DCS_001) And

• 1A31-SA-1BL:002 MC 1A31 output breaker to charger 1B-SA (ERAT code DCS_002)

Train B

• 1EE-E115 125V Emergency Battery Bank 1B-SB (ERAT code DCS_008) (Basic Event DBA1B-SBFN)

Or

• 1EE-E085 Battery charger 1A-SB (ERAT code DCS_003) (Basic Event DBC1A-SBFN) And

• 1EE-E087 Battery charger 1B-SB (ERAT code DCS_004) (Basic Event DBC1B-SBFN)

Or

• 1B21-SB-1CR:002 MC 1B21 output breaker to charger 1A-SB (ERAT code DCS_003) And

• 1B21-SB-3CL:002 MC 1B31 output breaker to charger 1A-SB (ERAT code DCS_004) o The Battery charger and the supply breaker uses the same ERAT code.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 64 o The specific components of the ERAT code would be placed out of service to assess the impact of the TS condition. Only one of the two battery chargers are required for operability in each Train.

• TS 3.8.3.1 Condition c (118 volt AC Vital bus energized from its associated inverter connected to its 125 volt DC Bus) o The PRA model includes the buses IDP-1A-SI through IDP-1B-SIV, inverter components and its power supply breakers from AC and DC sources o (one SSC from one Channel)

Channel I (any component)

• Breaker 1A21-SA-3BR Channel I 7.5KV inverter (ERAT code IBUS001)

• DP-1A-SA-28 DC breaker to inverter Channel II (ERAT code IBUS002)

• Safety Inverter per Basic event CIICHI/FN (ERAT code IBUS009)

• IDP-1A-SI Instrument Distribution Panel 1A-SI (ERAT code IBUS013)

• Basic Event JSW1A211FN Alternate power (ERAT code IBUS017)

• 1A31-SA-10B:002 SI Bypass XFMR breaker (ERAT code IBUS035)

• X201(UPS-S1) Single Phase Static Switch (ERAT code IBUS036)

• Basic Event CSW1A31/FN Manual bypass switch (ERAT code IBUS037)

• Basic Event CBS1DPS1FN Open circuit on IDP-1A-SI (ERAT code IBUS038)

Channel II (any component)

• Breaker 1B21-SB-1CL Channel II 7.5KV inverter (ERAT code IBUS005)

• DP-1B-SB-28 DC breaker to inverter Channel I (ERAT code IBUS006)

• Safety Inverter per Basic event CIICHII/FN (ERAT code IBUS011)

• IDP-1A-SII Instrument Distribution Panel 1B-SII (ERAT code IBUS015)

• Basic Event JSW1B211FN Alternate power (ERAT code IBUS019)

• 1B31-SB-12A:002 SII Bypass XFMR breaker (ERAT code IBUS027)

• X201(UPS-S2) Single Phase Static Switch (ERAT code IBUS029)

• Basic Event CSW1B21/FN Manual bypass switch (ERAT code IBUS031)

• Basic Event CBS1DPS2FN Open circuit on IDP-1A-SII (ERAT code IBUS033)

U.S. Nuclear Regulatory Commission RA-20-0223 Page 65 Channel III (any component)

• Breaker 1A31-SA-6AL Channel III 7.5KV inverter (ERAT code IBUS004)

• DP-1A-SA-29 DC breaker to inverter Channel III (ERAT code IBUS003)

• Safety Inverter per Basic event CIICHIII/FN (ERAT code IBUS010)

• IDP-1A-SIII Instrument Distribution Panel 1A-SIII (ERAT code IBUS014)

• Basic Event JSW1A311FN Alternate power (ERAT code IBUS018)

• 1A21-SA-11A:002 SIII Bypass XFMR breaker (ERAT code IBUS039)

• X201(UPS-S3) Single Phase Static Switch (ERAT code IBUS040)

• Basic Event CSW1A21/FN Manual bypass switch (ERAT code IBUS041)

• Basic Event CBS1DPS3FN Open circuit on IDP-1A-SIII (ERAT code IBUS042)

Channel IV (any component)

• Breaker 1B31-SB-3CR Channel IV 7.5KV inverter (ERAT code IBUS007)

• DP-1B-SB-29 DC breaker to inverter Channel IV (ERAT code IBUS008)

• Safety Inverter per Basic event CIICHIV/FN (ERAT code IBUS012)

• IDP-1A-SIV Instrument Distribution Panel 1B-SIV (ERAT code IBUS016)

• Basic Event JSW1B311FN Alternate power (ERAT code IBUS020)

• 1B21-SB-10A:002 S4 Bypass XFMR breaker (ERAT code IBUS028)

• X201(UPS-S4) Single Phase Static Switch (ERAT code IBUS030)

• Basic Event CSW1B31/FN Manual bypass switch (ERAT code IBUS032)

• Basic Event CBS1DPS4FN Open circuit on IDP-1A-SIV (ERAT code IBUS034) o The specific components of the ERAT code would be placed out of service to assess the impact of the TS condition.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 66 Question 30 - LCO Actions Based on the design success criteria provided in the LAR, Table E1-1 lists each Harris TS Action to which the RICT Program is proposed to be applied. It appears that some LCO Actions may constitute a loss of function. Provide a technical basis for why the action that follows does not constitute a loss of function, or alternatively, remove it from the scope of the RICT program.

LCO 3.6.2.3, Containment Cooling System Action b: With both trains of the above required containment fan coolers inoperable and both Containment Spray Systems OPERABLE, restore at least one train of fan coolers to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and LCO 3.3.2, Engineered Safety Features Actuation System Instrumentation Functional Unit 6.f, Trip of All Main Feedwater Pumps Start Motor-Driven Pumps Action 15: With the number of OPERABLE channels one less than the Total Number of Channels, operation may proceed until performance of the next required CHANNEL OPERATIONAL TEST provided the inoperable channel is placed in the tripped condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

Duke Energy Response to Question 30 HNP TS 3.6.2.3, Containment Cooling System, Action b does not represent a TS loss of function based on the following. When HNP is in this Action statement, both trains of containment fan coolers are inoperable. However, both Containment Spray Systems are OPERABLE. The Containment Fan Coolers and Containment Spray System are redundant to each other in providing post-accident cooling to the containment atmosphere. HNP UFSAR Section 3.1.34 states:

Containment heat removal is provided by two systems, the Containment Cooling System and the Containment Spray System.

The Containment Spray System consists of two completely independent subsystems, each of which is designed for 100 percent of the heat removal capability.

Thus, for TS 3.6.2.3 Action b, both Containment Spray Systems can provide post-accident cooling to the containment atmosphere.

HNP TS 3.3.2, Engineered Safety Features Actuation System Instrumentation, Functional Unit 6.f, Trip of All Main Feedwater Pumps Start Motor-Driven Pumps, does represent a loss of safety function during the time which HNP would enter Action 15 with an inoperable channel, until the jumper is installed to bypass the failed channel. The associated contacts to fulfill the function are in series (one from each Main Feedwater Pump), thus if one is inoperable, the path (either path) could not be credited.

Therefore, HNP TS 3.3.2 Functional Unit 6.f is being removed from the scope of the RICT Program.

U.S. Nuclear Regulatory Commission RA-20-0223 Page 67 Question 31 - Design Success Criteria for LCO 3.8.1.1.d In Table E1-1 of Enclosure 1 of the LAR, the licensee stated that the design success criteria (DSC) for TS 3.8.1.1, Action D - Two required offsite AC sources inoperable, are 1 of 2 trains from either offsite circuit or EDG [emergency diesel generator]. Explain how an offsite circuit could provide the capacity and capability to safely shut down the reactor in case of a loss-of-coolant-accident or any other design bases accidents, with both required offsite sources inoperable, and maintain it in a safe condition. Also, confirm that if any clarifications are made to the DSC, these changes will also be represented in the probabilistic risk assessment success criteria in Table E1-1 of Enclosure 1 of the LAR.

Duke Energy Response to Question 31 Design success criteria for TS 3.8.1.1, Action d - Two required offsite AC sources inoperable was stated as 1 of 2 trains from either offsite circuit or EDG. in LAR Enclosure 1, Table E1-1.

Per Section 8.1.3, Onsite Power System, of the HNP UFSAR:

The Onsite Power System includes two 6.9 kV Engineered Safety Feature (ESF) buses (1A-SA and 1B-SB), two diesel generators (1A-SA and 1B-SB), several 480V buses (supplying loads directly and through motor control centers), two 125V DC ESF batteries (1A-SA and 1B-SB), four 120V AC ESF uninterruptible buses, two 125V DC ESF buses, and several ESF 208Y/120V power distribution panels. The main one line diagram, Figure 8.1.3-1, auxiliary one line diagram, Figure 8.1.3-2, and the 125V DC, 250V DC and 120V AC one line diagram, Figure 8.1.3-3, show the complete Onsite Power System configuration.

The two ESF buses supply all of the safety related loads. The normal source of power for the ESF buses is the main generator/unit auxiliary transformer. When this source of power is not available, power will be supplied to these buses from the 230 KV switchyard through the startup transformers or with the generator disconnect links removed, from the main and unit auxiliary transformers. When neither of these sources is available, power to the two ESF buses will be supplied from diesel generators (one diesel generator for each ESF bus).

To clarify the Design success criteria for TS 3.8.1.1, Action d, the Design Success Criteria is being revised from 1 of 2 trains from either offsite circuit or EDG to 1 of 2 trains from EDG from the original license amendment.

The revised Table E1-1 entry for TS 3.8.1.1, Action d is provided below (change in red).

U.S. Nuclear Regulatory Commission RA-20-0223 Page 68 Design Function SSCs PRA Technical Corresponding Success Action Covered Modeled Success Comments Specification SSC(s) Criteria by LCO in PRA Criteria (revised) 3.8.1.1 d. With two of the

• Two offsite Source of 1 of 2 SAME SSCs are Action d.1 required offsite A.C. circuits power to trains from modeled AC Sources - sources inoperable:

• Two safety- EDG consistently Operating 1. Restore one emergency related with the TS offsite circuit to diesel systems scope and so OPERABLE status within generators can be directly 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or be in at least

• Two evaluated by HOT STANDBY within automatic YES the CRMP.

the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and in load COLD SHUTDOWN sequencers The success within the following 30 criteria in the hours: PRA are consistent with the design basis criteria.

Supplement to LAR Enclosure 2 (not directly associated with a NRC audit question)

After development and submittal of the original LAR in October 2019, additional PRA peer review and F&O closure activities were completed. Some of these activities supersede information from the LAR as noted in the following discussion.

The HNP Internal Events PRA model was subject to a focused-scope peer review conducted in September 2019. The scope included HLRs IE, AS, SC, SY, QU, and LE conducted to the ASME/ANS RA-Sa-2009 PRA standard with NRC clarifications from RG 1.200 Revision 2. This peer review, combined with the focused scope peer review conducted in 2007, form the review of record for the HNP Internal Events PRA model and cover all HLRs in the ASME/ANS RA-Sa-2009 PRA standard, superseding the 2002 peer review.

Finding level F&Os generated from the September 2019 focused-scope peer review were reviewed and closed in June 2020 using the process documented in Appendix X to NEI 05-04, NEI 07-12 and NEI 12-13, Close-out of Facts and Observations as accepted by NRC in the letter dated May 3, 2017.

There are no open finding level F&Os from the September 2019 peer review. Further, there are no open finding level F&Os for the HNP Internal Events PRA model.

The HNP Fire PRA model was subject to a focused scope peer review in June 2019 conducted to the ASME/ANS RA-Sa-2009 PRA standard with NRC clarifications from RG 1.200, Revision

2. This peer review addressed implementation of two upgrades to the model: incorporating credit for obstructed plume and resolution of finding FSS-F3.

Finding level F&Os generated from the June 2019 focused-scope peer review were reviewed and closed in June 2019 using the process documented in Appendix X to NEI 05-04, NEI 07-12 and NEI 12-13, Close-out of Facts and Observations (F&Os) as accepted by NRC in the letter dated May 3, 2017.

There are no open finding level F&Os from the June 2019 focused scope peer review of the HNP Fire PRA model.