Text

Application for Amendment to Facility Operating License NPF-30 (LDCN 09-0039) Completion Time Extensions for TS 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functions
	ML093290318
Person / Time
Site:	Callaway
Issue date:	11/25/2009
From:	Sandbothe S; AmerenUE
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	LDCN 09-0039, ULNRC-05665
	Download: ML093290318 (348)
	v • d • e

AmerenUE PO Box 620 Callaway Plant Fulton, MO 65251 November 25, 2009 ULNRC-05665 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Mail Stop PI-137 Washington, DC 20555-0001 10 CFR 50.90 Ladies and Gentlemen:

~~ DOCKET NUMBER 50-483 CALLAWAY PLANT wAmeren UNION ELECTRIC CO.

UE APPLICA TION FOR AMENDMENT TO FACILITY OPERATING LICENSE NPF-30 (LDCN 09-0039)

COMPLETION TIME EXTENSIONS FOR TS 3.3.2 ENGINEERED SAFETY FEATURE ACTUATION SYSTEM (ESFAS)

INSTRUMENTATION FUNCTIONS AmerenUE herewith transmits an application for amendment to Facility Operating License Number NPF-30 for the Callaway Plant.

This amendment application submits a proposed change to Technical Specification (TS) 3.3.2, "Engineered Safety Feature Action System (ESFAS)

Instrumentation," that would add a new Required Action Q.l to require restoration of an inoperable Balance of Plant ESFAS (BOP ESFAS) train to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Currently, Condition Q ofTS 3.3.2 for Function 6.c ofTS Table 3.3.2-1 requires the plant to enter a shutdown track to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months with no allowed outage time provided for restoration. In addition, the Completion Times for TS 3.3.2 Required Actions J.l and 0 .1 to trip inoperable channels that provide inputs to BOP ESF AS would also be extended to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Shutdown track Completion Times to be in MODES 3 and 4 would be increased to reflect these longer restoration times. Separate Condition entry for TS Condition J would be restricted to assure that Function 6.g in TS Table 3. 3.2-1 will provide a start signal to the motor-driven auxiliary feedwater (AFW) pumps from one train of BOP ESFAS actuation logic. This is a risk-informed amendment request following the guidance of NRC Regulatory Guides (RGs) 1.174, 1.177, and 1.200 Revision 1.

a subsidiary of Ameren Corporation

ULNRC-05665 November 25, 2009 Page 2 Attachments 1 through 4 provide the Evaluation, Markup of Technical Specifications, Retyped Technical Specifications, and Proposed Technical Specification Bases Changes, respectively, in support of this amendment request. is provided for information only. Final TS Bases Changes will be processed under Callaways program for updates per TS 5.5.14, "Technical Specifications Bases Control Program," when the requested amendment is implemented.

Attachment 5 provides a logic block diagram of the BOP ESFAS design at Callaway as well as a schematic from the AmerenUE presentation on September 17, 2009 to NRC staff that shows signal inputs to, and logic outputs from, the BOP ESFAS cabinets.

Attachment 6 provides a table that discusses the remaining open Significance A and B peer review findings against the Callaway PRA model. Attachments 7 and 8 provide the results of the internal fire and internal flooding quantifications, respectively. Attachment 9 provides a gap analysis against the Capability Category II guidance of the PRA standards endorsed in NRC Regulatory Guide 1.200 Revision 1.

No commitments are contained in this amendment application.

It has been determined that this amendment application does not involve a significant hazard consideration as determined per 10 CFR 50.92. Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of this amendment.

The Callaway Onsite Review Committee and a subcommittee of the Nuclear Safety Review Board have reviewed and approved the attached licensing evaluations and have approved the submittal of this amendment application.

AmerenUE requests approval of this proposed license amendment prior to November 20, 2010. AmerenUE further requests that the license amendment be made effective upon NRC issuance to be implemented within 90 days.

In accordance with 10 CFR 50.91, a copy of this amendment application is being provided to the designated Missouri State official. If you have any questions on this amendment application, please contact me at (573) 676-8528, or Mr. Scott Maglio at (573) 676-8719.

ULNRC-05665 November 25,2009 Page 3 I declare under penalty of perjury that the foregoing is true and correct.

Very truly yours, Executed on:

Scott Sandbothe Manager, Plant Support Attachments 1 - Evaluation 2 - Markup of Technical Specifications 3 - Retyped Technical Specifications 4 - Proposed Technical Specification Bases Changes (for information only) 5 - Callaway BOP ESFAS Drawings 6 - Open Significance A and B Peer Review Findings 7 - Internal Fire Quantification 8 - Internal Flooding Quantification 9 - RG 1.200 Revision 1 Gap Analysis

ULNRC-05665 November 25, 2009 Page 4 cc: U.S. Nuclear Regulatory Commission (Original and 1 copy)

Attn: Document Control Desk Washington, DC 20555-0001 Mr. Elmo E. Collins, Jr.

Regional Administrator U.S. Nuclear Regulatory Commission Region IV 612 E. Lamar Blvd., Suite 400 Arlington, TX 76011-4125 Senior Resident Inspector Callaway Resident Office U.S. Nuclear Regulatory Commission 8201 NRC Road Steedman, MO 65077 Mr. Mohan C. Thadani (2 copies)

Senior Project Manager, Callaway Plant Office of Nuclear Reactor Regulation U. S. Nuclear Regulatory Commission Mail Stop O-8G14 Washington, DC 20555-2738

ULNRC-05665 November 25, 2009 Page 5 Index and send hardcopy to QA File A160.0761 Hardcopy:

Certrec Corporation 4200 South Hulen, Suite 422 Fort Worth, TX 76109 (Certrec receives ALL attachments as long as they are non-safeguards and may be publicly disclosed.)

Electronic distribution for the following can be made via Tech Spec ULNRC Distribution:

A. C. Heflin F. M. Diya L. S. Sandbothe S. A. Maglio S. L. Gallagher T. L. Woodward (NSRB)

T. B. Elwood G. G. Yates Ms. Diane M. Hooper (WCNOC)

Mr. Dennis Buschbaum (Luminant Power)

Mr. Ron Barnes (Palo Verde)

Mr. Tom Baldwin (PG&E)

Mr. Wayne Harrison (STPNOC)

Mr. John O'Neill (Pillsbury Winthrop Shaw Pittman LLP)

Missouri Public Service Commission Mr. Floyd Gilzow (DNR)

Page 1 of 41 EVALUATION

1. DESCRIPTION Page 2

2. PROPOSED CHANGES Page 2

3. BACKGROUND Page 3

4. TECHNICAL ANALYSIS Page 11

5. REGULATORY SAFETY ANALYSIS Page 35 5.1 NO SIGNIFICANT HAZARDS CONSIDERATION Page 36 5.2 APPLICABLE REGULATORY REQUIREMENTS/CRITERIA Page 38

6. ENVIRONMENTAL CONSIDERATION Page 40

7. REFERENCES Page 41 Page 2 of 41 EVALUATION

1.0 DESCRIPTION

This amendment application submits a proposed change to Technical Specification (TS) 3.3.2, Engineered Safety Feature Action System (ESFAS) Instrumentation, that would add a new Required Action Q.1 to require restoration of an inoperable Balance of Plant ESFAS (BOP ESFAS) train to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Currently, Condition Q of TS 3.3.2 for Function 6.c of TS Table 3.3.2-1 requires the plant to enter a shutdown track to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months with no allowed outage time provided for restoration. In addition, the Completion Times for TS 3.3.2 Required Actions J.1 and O.1 to trip inoperable channels that provide inputs to BOP ESFAS would also be extended to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Shutdown track Completion Times to be in MODES 3 and 4 would be increased to reflect these longer restoration times. Separate Condition entry for TS Condition J would be restricted to assure that Function 6.g in TS Table 3.3.2-1 will provide a start signal to the motor-driven auxiliary feedwater (AFW) pumps from one train of BOP ESFAS actuation logic. This is a risk-informed amendment request following the guidance of NRC Regulatory Guides (RGs) 1.174, 1.177, and 1.200 Revision 1. See References 1 through 3 in Section 7.0.

2.0 PROPOSED CHANGE

S The proposed change to TS 3.3.2 Condition Q would add a new Required Action Q.1 that requires the restoration of an inoperable BOP ESFAS train (TS Table 3.3.2-1 Function 6.c, Auxiliary Feedwater - Automatic Actuation Logic and Actuation Relays (BOP ESFAS)) to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The new Required Action Q.1 for one train inoperable would read:

Restore train to OPERABLE status.

The Completion Time for new Required Action Q.1 would be 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Existing Required Actions Q.1 and Q.2 would be changed to Required Actions Q.2.1 and Q.2.2, respectively, with the joining logic connector (AND) nested as required by TS 1.2. Required Actions Q.2.1 and Q.2.2 would be joined to new Required Action Q.1 with an OR logic connector. The Completion Times for Required Actions Q.2.1 and Q.2.2 would be 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months and 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months , respectively, which reflect the typical shutdown track times (6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to MODE 3 and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to MODE 4 as discussed in LCO 3.0.3) for reaching MODES 3 and 4 when a restoration action has not been met.

Since the risk impact associated with the loss of one train of BOP ESFAS actuation logic and actuation relays is greater than the loss of individual analog channel input(s) into that BOP ESFAS train, it is also proposed that the Completion Times for TS 3.3.2 Required Page 3 of 41 Action J.1 (for TS Table 3.3.2-1 Function 6.g, Auxiliary Feedwater - Trip of All Main Feedwater Pumps) and Required Action O.1 (for TS Table 3.3.2-1 Function 6.h, Auxiliary Feedwater - Pump Suction Transfer on Suction Pressure - Low) be changed from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The Completion Time for Required Action J.2 (shutdown to MODE 3 if Required Action J.1 is not met within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ) would be extended to 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (24 + 6). The Completion Time for Required Action O.2 would be unchanged.

An additional restriction would be added to TS 3.3.2 Condition J in the form of a new Note limiting the application of separate Condition entry. Since the Required Channels for Function 6.g are specified in TS Table 3.3.2-1 as 2 per pump, Condition J may be entered separately for each main feedwater pump. However, as shown on the J-104-00176 logic block diagram provided in Attachment 5, satisfying the trip logic requires the presence of a low oil pressure signal in the same separation group on each main feedwater pump. An inoperable separation group 1 channel on one pump coincident with an inoperable separation group 4 channel on the other pump would lead to the loss of this actuation function. Therefore, a new Note would be added to Condition J that would read:

Separate Condition entry is restricted to one inoperable channel per pump in the same separation group.

This would assure that the AFW start signal after the loss of both main feedwater pumps would be generated by the operable inputs from the other separation group to both motor-driven AFW pumps (cross train actuations are provided as shown in Attachment 5).

Associated Bases changes for the above are provided in Attachment 4 and will be implemented under the provisions of TS 5.5.14, Technical Specifications Bases Control Program.

3.0 BACKGROUND

3.1 System Descriptions Balance of Plant (BOP) Engineered Safety Feature Actuation System (ESFAS) -

Automatic Actuation Logic and Actuation Relays, Function 6.c of TS Table 3.3.2-1 provides a logic diagram for the BOP ESFAS and a schematic showing channel inputs and logic outputs. This system is also discussed in FSAR Section 7.3 and shown in FSAR Figure 7.3-1.

The BOP ESFAS actuation logic processes signals from several sources, such as the Solid State Protection System (SSPS) logic outputs associated with safety injection, containment isolation - phase A, and low-low steam generator (SG) water level, the load shedder and emergency load sequencer (LSELS) logic outputs associated with ESF bus Page 4 of 41 undervoltage, inputs from various plant radiation monitors, inputs from main feedwater pump lube oil pressure switches (used for motor-driven auxiliary feedwater (AFW) pump actuation), and inputs from pressure switches in the AFW suction supply from the condensate storage tank (CST) in order to actuate ESF equipment. There are two redundant trains of BOP ESFAS actuation logic (separation groups 1 and 4, cabinets SA036D and SA036E, respectively), and a third actuation logic cabinet (separation group 2, cabinet SA036C) to actuate the turbine-driven AFW pump (TDAFP) and reposition automatic valves required for that pumps operation (i.e., open turbine steam supply valves and the turbine trip and throttle valve). The separation group 2 BOP ESFAS actuation logic cabinet SA036C receives isolated inputs from both the SA036D and SA036E cabinets (separation groups 1 and 4) to start the TDAFP upon ESF bus undervoltage or upon low-low steam generator level in two or more steam generators.

Per Callaways original licensing basis, which was reconfirmed during the NRC reviews that led to the issuance of Callaway License Amendment 130 (notably pages 2 and 3 of the NRC Safety Evaluation for LA130) and the ITS conversion approved in Callaway License Amendment 133, the SA036C separation group 2 cabinet is considered to be part of its only end device (the TDAFP) and that cabinets operability requirements are addressed under TS 3.7.5, "Auxiliary Feedwater System." The redundant train BOP ESFAS actuation logic cabinets SA036D and SA036E actuate the motor-driven auxiliary feedwater pumps and reposition automatic valves as required (i.e., steam generator blowdown and sample line isolation valves, essential service water (ESW) supply valves, and CST supply valves). These redundant train cabinets also actuate containment purge isolation, control room emergency ventilation isolation, and emergency exhaust system (EES) actuation functions.

Auxiliary Feedwater - Trip of All Main Feedwater Pumps, Function 6.g of TS Table 3.3.2-1 A trip of all (both) main feedwater (MFW) pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no-load temperature and pressure. Each turbine-driven MFW pump is equipped with two pressure switches (one in separation group 1 and one in separation group 4) on the oil line for the speed control system. A low pressure signal from either of these pressure switches indicates a trip of that pump. Two OPERABLE channels per pump satisfy redundancy requirements with one-out-of-two logic on both pumps required for signal actuation. A trip of all MFW pumps starts the motor-driven AFW pumps to ensure that the intact SGs are available with water to act as the heat sink for the reactor.

Auxiliary Feedwater - Pump Suction Transfer on Low Suction Pressure, Function 6.h of TS Table 3.3.2-1 A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the CST. Three pressure switches are located on the AFW pump suction line from the CST. A low pressure signal sensed by Page 5 of 41 any two of the three switches coincident with an auxiliary feedwater actuation signal will cause the emergency supply of water for the pumps to be aligned. Essential service water (ESW) is the safety grade suction source that is automatically lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintain the intact SGs as the heat sink for reactor decay heat and sensible heat removal.

3.2 Need for License Amendment Change As discussed in Reference 4 in Section 7.0, a manual plant shutdown to MODE 3 was required on February 19, 2009, due to a 48-VDC power supply failure in BOP ESFAS actuation logic cabinet SA036D (separation group 1, train A). During the shutdown, all similar power supplies in the BOP ESFAS and LSELS cabinets were evaluated to establish when they were last replaced and the number of spares in stock. Scenarios for replacing the power supplies during that forced outage, during the rest of Cycle 17 power operation, and during Refuel 17 (spring 2010) were examined. Based on the Required Actions of TS 3.3.2 Condition Q (6-hour shutdown to MODE 3, 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to MODE 4),

and concerns over infant mortality with replacement power supplies as well as the limited number of available spares, a decision was made to replace the power supplies with reverse-engineered power supplies featuring no microprocessor-based components in Refuel 17. Modification of the existing BOP ESFAS cabinets to accommodate the addition of redundant power supplies was investigated; however, this conceptual design change was determined to be impractical given the physical space constraints in the existing logic cabinets.

The power supply applications found to be the most limiting, based on the TS Completion Times and number of available spares, were the 48-VDC power supplies in BOP ESFAS actuation logic cabinets SA036D and SA036E. One of the two 48-VDC spares in stock was taken from the warehouse, placed on a bench in the I&C shop, and energized as a hot spare to burn in the power supply, with the intent of avoiding infant mortality concerns. Work packages, pre-job briefing instructions, and an Operations Night order were prepared in advance. Performance monitoring of the similar power supplies indicated that they were performing within expectations prior to making the decision to restart from the February 2009 forced outage.

Nowithstanding the Refuel 17 replacement plans for the BOP ESFAS power supplies, it has been determined that the existing Required Action Completion Times specified for an inoperable BOP ESFAS actuation logic cabinet and certain channel inputs are overly restrictive given the relatively low risk associated with such inoperabilities. More reasonable Completion Times would allow restoration of an inoperable BOP ESFAS actuation logic cabinet, or inoperable channel inputs, during plant operation without subjecting the plant to a forced shutdown. Therefore, changes are being proposed to the applicable TS Completion Times on a risk-informed basis. The details of that basis are provided in Section 4.0, Technical Analysis.

Page 6 of 41 3.3 Compliance with Current Regulations This amendment request itself does not propose to deviate from existing regulatory requirements, and compliance with existing regulations is maintained.

Evaluation of Safety Margins Safety analysis acceptance criteria for the events analyzed in FSAR Chapters 6.2 and 15 are not impacted by the proposed changes. The proposed Completion Time extensions would not impact any of the assumptions or inputs to the safety analyses. There are no design changes associated with this amendment request. Consequently, safety margins are not affected.

This amendment request does not impact any deterministic analysis nor does it credit safety margins in any deterministic analysis.

The containment pressure / temperature analyses in FSAR Section 6.2 and the transient and accident analyses in FSAR Chapter 15 are deterministic in nature. For those types of deterministic analyses, a safety analysis limit (SAL) is the acceptance criterion used in the analysis to assure the integrity of physical plant barriers (i.e., fuel cladding, RCS pressure boundary, and containment) to prevent the uncontrolled release of radioactivity.

Therefore, the SALs assure that the design basis limits for fission product barriers (DBLFPBs) are not exceeded. Nominal trip setpoints (NTSs) are established at an appropriate level away from the SALs. The NTSs are field setting values for the equipment and are obtained by adding (or subtracting) channel error allowance terms to/from the SAL (depending on whether the actuation channel is a low level or high level trip). The NTS allows for the normal expected channel behavior such that design limits are protected, inadvertent trips are avoided, and Technical Specification Allowable Values (AVs) will not be exceeded under normal operation and anticipated operational occurrences. The AV is obtained by adding or subtracting a calculated allowance to/from the NTS. The AV accounts for the function-specific allowances discussed in the Bases for Technical Specifications 3.3.1 and 3.3.2. There are no changes to any SALs, DBLFPBs, NTSs, or AVs in this amendment request.

The Completion Times in the Required Actions of the Technical Specifications have no tie to the above deterministic analyses. Completion Times were originally established in the first set of Standard Technical Specifications (STS) for Westinghouse plants (NUREG-0452, circa 1980) based on operating experience and engineering judgment, and that is largely still the case for the current STS for Westinghouse plants (NUREG-1431). Changes to Completion Times that are consistent with approved NRC staff positions, as discussed in Section 1.1 of RG 1.174 Revision 1, are typically evaluated deterministically by the NRC. Other Completion Time changes are evaluated by the NRC using a combination of deterministic and risk-based considerations; however, the durations of Completion Times are not themselves a factor in any deterministic analysis.

Completion Time changes do not affect the values for SAL, NTS, or AV.

Page 7 of 41 Finally, it should be noted that since the requirement to postulate a single failure is waived during the time a TS Condition is entered, i.e., in the event that a BOP ESFAS actuation logic train were declared inoperable, the operable BOP ESFAS train will continue to be capable of performing the necessary safety functions consistent with accident analysis assumptions.

Defense in Depth RG 1.177 contains several attributes that should be examined when requesting risk-informed changes to TS requirements. The following discussion considers those attributes.

A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved.

The proposed changes involve extensions of the current TS 3.3.2 Condition J, Condition O, and Condition Q Completion Times associated with BOP ESFAS functions. The functions that are affected during entry into these Conditions are all associated with a single inoperable BOP ESFAS train or inoperable channel input(s) into a single train, leaving one BOP ESFAS train fully operable and capable of performing its safety functions. Preserving the operability of one BOP ESFAS train will maintain the balance among the prevention of core damage, prevention of containment failure, and consequence mitigation.

Since the requirement to assume a single failure is suspended while operating under a TS Required Action, there will be no effect on the analysis of any accident or that accidents progression since the operable BOP ESFAS train is capable of actuating 100% of the required ESFs. As such, there will be no impact on core damage, containment release, or consequence mitigation for any transient or accident.

Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.

The proposed change involves extensions of the current TS 3.3.2 Condition J, Condition O, and Condition Q Completion Times associated with BOP ESFAS functions. The functions that are affected during entry into these Conditions are all associated with a single inoperable BOP ESFAS train or inoperable channel input(s) into a single train, leaving one BOP ESFAS train fully operable and capable of performing its safety functions. No programmatic activities outside the requirements of the Technical Specifications are credited in this amendment application.

System redundancy, independence, and diversity are preserved commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers).

Page 8 of 41 The operable BOP ESFAS train will continue to be capable of performing the necessary safety functions consistent with accident analysis assumptions. Redundant, independent, and diverse capabilities will be maintained for performing critical safety functions. A review of the actuation signal pathways in Attachment 5 would support a position that the Completion Time allowed to restore one train of BOP ESFAS actuation logic and actuation relays should at least be equal to that of the SSPS train that must provide the SG water level low-low signal inputs to BOP ESFAS for AFW actuation.

Defenses against potential common cause failures are preserved and the potential for the introduction of new common cause failure mechanisms is assessed.

Section 4.0 below has a discussion of common cause failures. No new common cause failure modes are introduced since the replacement power supplies being reverse engineered for the BOP ESFAS cabinets do not contain microprocessor-based components. One BOP ESFAS train will be maintained in an operable status during any entry into TS 3.3.2 Condition Q. No new requirements are being placed on the BOP ESFAS design. There is nothing that will be allowed by the Completion Time extensions that would impact the protected BOP ESFAS trains availability or introduce a new common mode failure mechanism.

Independence of barriers is not degraded.

This amendment application will not result in any undue challenges to the fuel cladding, reactor coolant pressure boundary, or containment. The amendment request does not involve design changes that would affect or degrade the independence of these barriers.

Further, the extension of Completion Times does not directly impact these barriers or otherwise cause them to be degraded. Therefore, the independence of barriers will not be degraded by the proposed Completion Time extensions.

Defenses against human errors are preserved.

Continuing operator training will apprise the operating staff of the effects of these Completion Time extensions. This training program will assure that the defenses against human errors will be adequately preserved.

The intent of the GDC in Appendix A to 10 CFR Part 50 is maintained.

The proposed change involves extensions of the current TS 3.3.2 Condition J, Condition O, and Condition Q Completion Times associated with BOP ESFAS functions. The proposed amendment does not modify the plant design bases or the design criteria that were applied to structures, systems, and components during plant licensing.

Consequently, the plant design with respect to the General Design Criteria is not affected by the proposed change.

Page 9 of 41 3.4 Relationship to Completion Time Extensions of WCAPs 10271, 14333, and 15376 Between May 1986 and March 2003 the Westinghouse Owners Group (now called the Pressurized Water Reactor Owners Group, or PWROG) completed a series of topical reports that documented the relaxation of reactor trip system (RTS) and ESFAS test times in bypass, Completion Times (CTs), and surveillance test intervals (STIs) for the protection system instrumentation. The relaxations were justified by an analysis of the protection system unavailability and the impact of that unavailability on the overall plant risk. The original study was identified by the acronym TOP (taken from Technical Specification Optimization Program) as documented in the WCAP-10271-P-A series of reports. The TOP changes were implemented at Callaway Plant via OL Amendment 17 for the RTS and OL Amendment 64 for the ESFAS, respectively.

Fault tree models of the protection system instrumentation were used to calculate the unavailability sensitivity to test and maintenance time allowances and frequencies. The changes in RTS and ESFAS unavailability were then used in a risk model to predict changes in risk as the test and maintenance time allowances and frequencies were relaxed. Differences in analysis methods from the TOPS WCAP-10271-P-A series of reports to the subsequent follow-up topical reports are discussed in Section 7.1 of WCAP-14333-P-A Revision 1 and in Section 8.3.5 of WCAP-15376-P-A Revision 1.

The approach used in WCAP-14333-P-A Revision 1 and WCAP-15376-P-A Revision 1 was consistent with the approach established in the TOP program. This included the fault tree models, signals, component reliability database, and most of the test and maintenance assumptions. The methodology used in the WCAP-10271 studies was applied to a representative set of RTS and ESFAS functions using the Vogtle Plant PRA model and revised unavailability data. The work documented in WCAP-14333 used a different common cause failure modeling approach for analog channels and included more realistic assumptions related to the component unavailability due to maintenance activities based on a survey of WOG plants. Operator actions to either manually trip the reactor or initiate safety injection were also modeled in WCAP-14333. In addition, credit for auxiliary feedwater pump start from the ATWS mitigating system actuation circuitry (AMSAC) was taken. More discussion of these differences is contained in Sections 7 and 8 of WCAP-14333. The relaxations that were justified in WCAP-14333 are summarized below:

Summary of WCAP-14333 RTS and ESFAS Completion Time and Bypass Test Time Changes - Solid State Protection System Component Completion Time Bypass Test Time Analog channels 6+6 hours to 72+6 hours 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Logic train 6+6 hours to 24+6 hours no relaxation*

Page 10 of 41 Actuation relays 6+6 hours to 24+6 hours no relaxation*

no relaxation beyond TOP (WCAP-10271 and its supplements)

WCAP-14333 was submitted for NRC review with WOG letter OG-95-51 dated June 20, 1995. The NRC issued a Safety Evaluation on July 15, 1998 approving WCAP-14333.

Southern Nuclear Operating Company submitted a License Amendment Request on October 13, 1999 for the Vogtle Units 1 and 2 to adopt the relaxations that were generically approved in WCAP-14333. As a result of the NRC review of this application, incremental conditional large early release probability (ICLERP) values were developed generically for all WOG plants. Amendments 116 and 94 were issued for Vogtle approving the changes proposed in WCAP-14333.

WOG letter OG-00-112, dated November 8, 2000, transmitted WCAP-15376, Revision 0 to the NRC for review and approval. WCAP-15376 expanded upon the groundwork laid by WCAP-14333, but used updated component failure probability data (WCAP-15376 Section 8.2) and made some changes to the fault tree models (WCAP-15376 Section 8.3).

Using these modifications, the changes previously approved in WCAP-14333 were quantified as the base case for WCAP-15376. Section 8.4 of WCAP-15376 provides the risk metrics for this change and demonstrates that the acceptance criteria of RG 1.174 and RG 1.177 were satisfied.

WCAP-15376 provided the technical justification for the following RTS Instrumentation (TS 3.3.1), ESFAS Instrumentation (TS 3.3.2), and BDMS (TS 3.3.9) Technical Specification changes:

Summary of WCAP-15376 RTS and ESFAS STI and CT Changes Solid State Protection System Component Surveillance Test Completion Times Intervals and Bypass Times Logic Train 2 months to 6 months No changes Master Relays 2 months to 6 months No changes Analog Channels 3 months to 6 months No changes Reactor Trip Breakers 2 months to 4 months AOT: 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Bypass Time: 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months The NRC approved WCAP-15376 by letter dated December 20, 2002.

Page 11 of 41 The Completion Time extensions requested in this amendment for BOP ESFAS and some of its associated input signals can be viewed in two perspectives with respect to these PWROG initiatives and topical reports. The amendment application submitted herewith does not use any of the inputs or results from the PWROG initiatives which were done on a generic basis for the entire fleet of Westinghouse NSSS plants. Therefore, Section 3.3.2 of RG 1.174 on cumulative risks can not truly be addressed by an individual licensee since nothing in an individual plants PRA model was changed in order to receive the relaxations granted in WCAPs 10271, 1433, and 15376. However, there are three considerations which can be cited here with respect to cumulative risk and the applicability of these previous topical reports:

This amendment application proposes a 24-hour Completion Time which is the same duration as approved under WCAP-14333 for an inoperable SSPS train.

Callaway performed a plant-specific evaluation of the RWST level function that was not analyzed generically. NRC approved the plant-specific evaluation in Callaway Amendment 64 dated October 9, 1991 (Reference 6, item 11 on pages 6-7 of the NRC Safety Evaluation) and in Callaway Amendment 165 dated January 31, 2005 (Reference 5, Section 4.4, pages 19-20 of the NRC Safety Evaluation). Those approvals were based on a relative comparison of the signal unavailabilities between the RWST level signal and those representative signals specifically analyzed in the topical reports. A comparison of the requested BOP ESFAS unavailability commensurate with one 24-hour Condition entry per year (24/8760 = 2.74E-03), as discussed in Section 4.0 of this amendment application, with the AFW pump start unavailability values in Table 7.1 for the proposed case of WCAP-14333 (1.56E-02) and in Table 8.10 for the combined case of WCAP-15376 (1.31E-02) with 2/4 logic, without common causes included and one SSPS train out-of-service, would support a similar conclusion, i.e., that a 24-hour Completion Time for one BOP ESFAS train and its input signals would not have a detrimental impact on the unavailability and risk conclusions reached in WCAP-14333 and WCAP-15376.

The cumulative delta-CDF risk from pre-TOP conditions to those proposed herein would be the sum of the value from Table 8.33 of WCAP-15376 (CDF of 5.7E-07 yr-1 for 2/4 AFW actuation logic signals on SG level low-low) and the value reported here in Section 4.1.4 (CDF of 1.92E-08 yr-1). That sum is less than the very small criterion of 1E-06 yr-1 identified in NRC Regulatory Guide 1.174.

4.0 TECHNICAL ANALYSIS

The following NRC Regulatory Guides provide an acceptable approach for the development and submittal of risk-informed licensing action requests.

Page 12 of 41 Regulatory Guide (RG) 1.174, Revision 1, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," describes a risk-informed approach, acceptable to the NRC, for assessing the nature and impact of proposed permanent licensing-basis changes by considering engineering issues and applying risk insights. This regulatory guide also provides risk acceptance guidelines for evaluating the results of such evaluations.

RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," describes an acceptable risk-informed approach specifically for assessing proposed permanent TS changes in allowed outage times, referred to in TS parlance as Completion Times. This regulatory guide also provides risk acceptance guidelines for evaluating the results of such evaluations.

RG 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, describes one acceptable approach for determining that a licensees PRA quality is sufficient to support regulatory decision-making.

One acceptable approach to making risk-informed decisions about proposed TS changes is to show that the proposed changes meet the five key principles stated in RG 1.174, Section 2 and RG 1.177, Section B:

1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change.

2. The proposed change is consistent with the defense-in-depth philosophy.

3. The proposed change maintains sufficient safety margins.

4. When proposed changes result in an increase in core-damage frequency (CDF) or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement.

5. The impact of the proposed change should be monitored using performance measurement strategies.

The first three of the key principles have been addressed in Section 3.0 of this Evaluation.

The remaining two key principles are addressed in this section.

For permanent TS changes, RG 1.174 and RG 1.177 provide numerical risk acceptance guidelines that are helpful in determining whether or not the fourth key principle (small risk increases consistent with the intent of the Commissions Safety Goal Policy Statement) has been satisfied. These guidelines are not intended to be applied in an overly prescriptive manner; rather, they provide an indication, in numerical terms, of what is considered acceptable. The intent in comparing risk results with the risk acceptance guidelines is to demonstrate with reasonable assurance that the fourth key principle has been satisfied.

Page 13 of 41 The risk evaluation presented below addresses the last two key principles of the NRC staffs philosophy of risk-informed decision-making which concern changes in risk and performance measurement strategies. These key principles were evaluated by using the three-tiered approach described in Chapter 16.1 of the NRC Standard Review Plan and RG 1.177.

Tier 1 - The first tier evaluates the Callaway PRA and the impact of the change on plant operational risk, as expressed by the change in core damage frequency (CDF) and the change in large early release frequency (LERF). The change in risk is compared against the acceptance guidelines presented in RG 1.174. The first tier also aims to ensure that plant risk does not increase unacceptably during the period when equipment is taken out of service per the license amendment, as expressed by the incremental conditional core damage probability (ICCDP) and incremental conditional large early release probability (ICLERP). The incremental risk is compared against the acceptance guidelines presented in RG 1.177.

Tier 2 - The second tier addresses the need to preclude potentially high-risk plant configurations that could result if equipment, in addition to that associated with the proposed license amendment, is taken out of service simultaneously, or if other risk-significant operational factors such as concurrent system or equipment testing, are also involved. The objective of this part of the review is to ensure that appropriate restrictions on dominant risk-significant plant configurations associated with the CT extension are in place.

Tier 3 - The third tier addresses Callaways overall configuration risk management program (CRMP) to ensure that adequate programs and procedures are in place for identifying risk-significant plant configurations resulting from maintenance or other operational activities and taking appropriate compensatory measures to avoid such configurations. The purpose of the CRMP is to ensure that equipment removed from service prior to or during the proposed extended CT period will be appropriately assessed from a risk perspective.

It can be demonstrated with reasonable assurance that Completion Time extensions meet the fourth key principle if the associated risk metrics:

Satisfy the risk acceptance guidelines in RG 1.174 and RG 1.177, or Are not substantially above the risk acceptance guidelines in RG 1.174 and RG 1.177 and effective compensatory measures to maintain lower risk are implemented while a temporary TS change is in effect.

The discussion that follows addresses Tiers 1, 2, and 3 of RG 1.177.

Page 14 of 41 4.1 Tier 1, PRA Capability and Insights PRA Capability The PRA model used to calculate the core damage risk metrics associated with this amendment is the Callaway Fourth PRA Update, i.e., the fourth revision to the Callaway PRA model which was originally developed to meet the Individual Plant Examination (IPE) requirement. The Fourth PRA Update was completed in April 2006 and was undertaken primarily to meet the PRA quality and quantification truncation limit requirements associated with the Mitigating System Performance Index (MSPI).

Updates to the Callaway PRA are controlled by an administrative procedure (APA-ZZ-00312) which includes provisions for monitoring plant changes that could affect the PRA model. The procedure requires an update of the PRA model, to maintain fidelity between the model and actual plant design and operation, at a minimum frequency of every 36 months, or when a plant change is made that would significantly impact the PRA model.

In addition, PRA personnel participate in the review of all EOP revisions (per APA-ZZ-00103 Attachment 7) and in the meetings of the Callaway Emergency Operating Procedure (EOP) Steering Committee when PRA input is needed. At present, there are no outstanding plant changes that would significantly impact the Callaway PRA model or the risk results reported in this submittal. Future plant changes will be evaluated under the process discussed above in this paragraph.

The Fourth Update Model, used for this application, is an internal events PRA model.

The model does not include internal flooding, internal fires, or seismic/external events.

To meet the Individual Plant Examination of External Events (IPEEE) requirement, Callaway utilized the Electric Power Research Institutes (EPRIs) Seismic Margins Assessment and Fire Induced Vulnerability Evaluation (FIVE) methodologies. These methodologies, as well as the internal flooding analysis method used for Callaway, are essentially successive screening approaches focused on the identification of associated plant vulnerabilities. The methodologies do not calculate an overall core damage frequency from seismic, internal fire, or internal flood events, and do not lend themselves to direct incorporation into the internal events PRA model. The Callaway internal flooding and internal fire risk analyses, and seismic assessment, were therefore not integrated into the Fourth PRA Update Model.

Another Callaway PRA update is currently underway that will enable AmerenUE to submit a license amendment application in calendar year 2011 on TSTF-505 (risk initiative 4b).

Peer Reviews The Callaway PRA has undergone two peer reviews: a review sponsored by the Westinghouse Owners Group (WOG), performed in accordance with NEI-00-02, Industry PRA Peer Review Process, and a review by Scientech, LLC, performed Page 15 of 41 against the ASME PRA standard [ASME RA-S-2002,Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications (April 5, 2002), Addendum A to this standard (ASME RA-Sa-2003, December 5, 2003), and Addendum B to this standard (ASME RA-Sb-2005, December 30, 2005)]. Attachment 9 provides a gap analysis against the Capability Category II guidance of the PRA standards endorsed in NRC Regulatory Guide 1.200 Revision 1.

The WOG PRA Peer Review followed a review process adapted by the WOG and was performed during the week of November 5-10, 2000. The WOG Callaway Plant PRA peer review report was drafted in March 2001. The WOG peer review generated 4 significance level A Facts and Observations (F&Os) and 28 significance level B F&Os.

See Table 1 of Attachment 6 to this amendment application for a description of those findings and the corresponding dispositions with respect to this amendment application.

Of those 32 F&Os, 3 (one significance level A and two significance level B) F&Os have not yet been addressed; however, none of the open F&Os would have a direct impact on the PRA insights developed for this application.

The findings/observations (F/Os) from the Scientech review are discussed in Table 2 of to this amendment application (there were no significance level A or level D findings) as well as the corresponding dispositions with respect to this amendment application. Based on a review of these F/Os with respect to this amendment application, no significance level B F/O was identified with a significant impact on the enclosed PRA evaluation. One significance level C F/O (SC-4) was identified that had an impact on the enclosed PRA evaluation. For this F/O a sensitivity analysis was performed to evaluate the impact of different beta factor values on the common cause failure (CCF) evaluation.

See page 22 of Attachment 1. The remainder of the significance level C F/Os had no significant impact on the results of this PRA evaluation. AmerenUE does not believe that the gap analysis findings invalidate the PRA insights developed to support this license amendment request.

Truncation Levels The Callaway PRA is a small event tree, large fault tree model. Quantification of this type of PRA model involves quantification of linked fault trees which represent the event tree headings and then quantification of the event tree (i.e., accident) sequences to generate the overall core damage (or large early release) results. To generate the risk results reported in the license amendment request, cutsets were re-generated using the Fourth Callaway PRA Update model.

To meet the core damage frequency (CDF) truncation level requirements of the Mitigating System Performance Index (MSPI) in NEI 99-02, Revision 4, Appendix F, the fault and event tree quantifications of the Fourth PRA Update were each performed using a cutset truncation value (4E-12) that was seven orders of magnitude less than the baseline core damage frequency.

Page 16 of 41 In addition to meeting the MSPI CDF truncation level requirement, the truncation values used in the quantification of the current Callaway PRA (i.e., Fourth PRA Update) also meet Capability Category II of Supporting Requirement (SR) QU-B3 of ASME RA-Sb-2005 Addenda to ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications the ASME PRA Standard. This Supporting Requirement indicates that model solution convergence / truncation can be considered sufficient when successive reductions in truncation value of one decade result in decreasing changes in CDF or LERF, and the final change is less than 5%.

A CDF truncation value sensitivity evaluation was performed as part of the Fourth PRA Update quantification, and showed that if the truncation value was decreased from 1E-10 to 1E-11, CDF increased by 1.45%, and if the truncation value was decreased from 1E-11 to 4E-12, the CDF value increased by 0.24%

For the quantification of LERF, various truncation values were used as discussed on page 19 below.

Based on the above discussion, the truncation values used are sufficiently low such that valid results are generated for this PRA application.

Risk Insights A review of the actuation signals developed from BOP ESFAS cabinets SA036D and SA036E (containment purge isolation signal (CPIS), control room emergency ventilation isolation signal (CRVIS), emergency exhaust system actuation signal (also referred to as the fuel building ventilation isolation signal or FBVIS), steam generator blowdown safety injection signal (SGBSIS), auxiliary feedwater actuation signal (AFAS), and low suction pressure (LSP) for AFW pump swapover to the ESW) demonstrates that the equipment that would factor into the risk metrics discussed later in this application are the motor-driven AFW pumps, the low suction swapover from the CST to ESW for the AFW pumps, SG blowdown and sample isolation valves, and containment mini-purge isolation valves. Control room ventilation isolation is important for control room habitability, and fuel building isolation is important for minimizing offsite exposures after a postulated fuel handling accident in the fuel building; however, those deterministic analysis mitigation systems do not have an impact on the probability of core damage or a large release from containment. In addition, Condition A in TS 3.3.7 and Condition A in TS 3.3.8 already contain Required Actions for one inoperable BOP ESFAS train with respect to the control room and emergency exhaust ventilation systems.

4.1.1 Internal Events In order to model the BOP ESFAS functions, the fault tree model AFW.LGC for the AFW system was updated to reflect the risk impact from the BOP ESFAS Completion Time extension, as were the component basic events. The corresponding surrogate basic events for applicable components that respond to the actuation signals would experience Page 17 of 41 increased failure probabilities due to the unavailability of one BOP ESFAS train, where the additional out-of-service (OOS) time results from the proposed 24-hour Completion Time (CT). Since a power supply in BOP ESFAS cabinet SA036D failed once and a power supply in BOP ESFAS cabinet SA036E failed once during the last 25 years of plant operation, the BOP ESFAS may potentially fail again during the remaining plant lifetime. Thus, it is likely the plant will enter TS 3.3.2 Condition Q again.

The current Callaway PRA model (4th Update), which is an internal events at-power model with test and maintenance unavailability data, was used for this evaluation. There are separation group 1 and separation group 4 BOP ESFAS actuation signals from cabinets SA036D and SA036E, respectively. Since there are two redundant BOP ESFAS separation group cabinets, SA036E was chosen to be evaluated.

Failure History at Callaway The failures of the Sorensen power supplies and cards that are the same as those used in the BOP ESFAS cabinets were identified. There were 14 failures during Callaways 25-year operating history, and the shortest running time was 4 days which could be deemed as an early infant mortality failure. The service times of the failed components are shown in the following table.

Service Service Failure Time Time Failure Start Date Date (day) (year) 1 12/19/1984 3/19/1990 1916.00 5.25 2 12/19/1984 11/7/1990 2149.00 5.89 3 12/19/1984 11/11/1990 2153.00 5.90 4 12/19/1984 1/30/1995 3694.00 10.12 5 12/19/1984 10/16/2002 6510.00 17.84 6 12/19/1984 4/25/2009 8893.00 24.36 7 12/19/1984 2/19/2009 8828.00 24.19 8 12/19/1984 3/1/1989 1533.00 4.20 9 12/19/1984 1/1/1990 1839.00 5.04 10 12/19/1984 1/1/1990 1839.00 5.04 11 12/19/1984 1/1/1990 1839.00 5.04 12 12/19/1984 3/1/1988 1168.00 3.20 13 2340.00 6.41 14 4.00 0.01 Sum: 44705.00 122.48 A Bayesian estimate of the BOP ESFAS train failure rate at Callaway is 1.225E-01 yr-1.

This failure rate is conservative since there have been only two BOP ESFAS power supply failures during the plants 25-year operating history. The above failure rate considers failures in other systems at Callaway with the same vendor power supply or card.

Page 18 of 41 Baseline Risk Evaluation due to the BOP ESFAS CT Extension If it is assumed that one BOP ESFAS train has failed and the plant has entered TS 3.3.2 Condition Q, the allowed out-of-service time would impact the availability of the BOP ESFAS. Therefore, the TS CT extension for BOP ESFAS would increase the plant risk due to the unavailability induced by one trains failure if the plant remains online. The additional unavailability due to the proposed BOP ESFAS TS CT extension would be 24/8760 =2.74E-03. With consideration given to the above Bayesian estimate of the BOP ESFAS train failure rate, the yearly average unavailability due to the BOP ESFAS CT extension would be 1.225E-01*24/8760 = 3.355E-04. The plant risk would be increased by the CT extension due to that failure. Risk metrics, namely ICCDP and ICLERP, address this single event risk contribution in the Tier 1 calculations below. In addition, CDF and LERF address the yearly risk contribution in the Tier 1 calculations based on a single 24-hour Condition entry per year.

ICCDP and CDF Calculation The baseline CDF, CDF0, for use in the calculation of ICCDP, is 4.213E-05 yr-1. This value is the point estimate mean of the baseline Callaway CDF with normal test and maintenance. Use of this value is consistent with the guidance in RG 1.177.

The Callaway basic event data file UEADD8ESFAS.BED was updated to reflect the CT extension. Then the batch processing file LEVEL1-ESFAS.IN was run to generate the new cutset equation file CALCDMIN.EQN and calculate the conditional CDF. In addition, Calculation Module Quantify an Equation was used to create the quantified cutset equation file CALCDMIN.EQP in folder plot. This calculation used WinNUPRA3.0.

Based on the BOP ESFAS design and actuation signal logic, the affected basic events are listed as follows:

BE Description Comments for Revision AL-ICC-AF-AFAS4 No Aux Feed Set AL-ICC-AF-AFAS4 =1.0.

Actuation Signal This represents ESFAS cabinet SA036E out-to Components of-service due to the cabinet failure.

(4)

AL-ICC-AF-NOLSP4 No Low Suction Set AL-ICC-AF-NOLSP4 = 1.0.

Pressure Signal One important function for cabinets Available (SG4) SA036D/E is the low suction pressure (LSP) swapover from the CST to ESW. This represents ESFAS cabinet SA036E out-of-service due to the cabinet failure.

Page 19 of 41 AMSACFAILS AMSAC System Set AMSACFAILS = 9.999E-02 (0.1).

Fails (AM) Since AMSAC system function on AFW system through AFAS, the failure of one train AFAS will increase the failure probability of AMSAC. Conservatively assuming that the failure of ESFAS cabinet SA036D and ESFAS cabinet SA036E are the only logic inputs to the failure of AMSAC, when the failure of ESFAS cabinet SA036E is TRUE, the failure probability of AMSAC will be equal to the failure probability of ESFAS cabinet SA036D, which is the square root of the nominal probability of AMSACFAILS with the assumption that both separation group ESFAS cabinets have the same failure probability.

Without considering common cause failures, the above changes to the probabilities of the affected basic events yield a Conditional Core Damage Frequency (CCDF) of 4.477E-05.

The Incremental Conditional Core Damage Probability (ICCDP) was calculated as follows:

ICCDP = (4.477E 4.213E-05)*24/8760 = 7.233E-09 If it is assumed that the proposed TS 3.3.2 Condition Q is entered once per year, which is conservative given the above discussed operating history, the increase in CDF, CDF, is then equivalent to:

CDF = 1/yr*(4.477E 4.213E-05)*24/8760 = 7.233E-09 yr-1 ICLERP and LERF Calculation:

The basic events mentioned in the CDF and ICCDP calculation section do not exist in the Callaway large early release cutset equation MINLERF1.EQN which is associated with the basic event data file UEALL.BED. This means these basic events are not risk significant from a LERF perspective. The Callaway containment isolation fault tree model only includes containment mini-purge, main steam isolation valves (MSIVs), and main feedwater isolation valves (FWIVs). Since the control room operators are required to take immediate actions per TS 3.3.6 Condition B to place and maintain the containment purge supply and exhaust valves in the closed position upon failure of one train of BOP ESFAS, the effect of containment mini-purge on LERF is unchanged. The MSIVs and FWIVs are not affected because they isolate on signals from different cabinets (the main steam/feedwater isolation system, or MSFIS, cabinets SA075A/B). It was thus determined that the LERF increase from the event is negligible and a calculation is not warranted. However, a bounding analysis was performed using the approach described below to calculate the ICLERP and LERF for the configuration in which the Page 20 of 41 plant intends to operate during the extended CT.

WinNUPRA Fault Tree Module Update LGC from BED was used to update the fault tree CISMESF.LGC (originally CISM1.LGC) with the house event data file HST-T.BED and basic event data file UEADD8ESFAS.BED.

WinNUPRA Calculation module Link Fault Trees was used to link the containment isolation fault tree CISMESFAS.LGC and generate file CISMESFAS.LKC, and then Solve Fault Trees was used to solve CISMESFAS.LKC on the top gate GCMI100 to evaluate the fault tree. A cutset equation, CISMESF.EQN, was created, which represents the baseline failure probability of containment isolation. Different cutoff values were tested as shown below (as previously discussed on page 15) and a cutoff value 1.0E-12 was used because the probability was unchanged and the number of minimum cutsets was reasonable; the resulting baseline probability is 3.551E-03 for containment isolation failure.

Cutoff Value 1.000E-10 1.000E-11 1.000E-12 1.000E-13 1.000E-14 1.000E-15 Probability 3.551E-03 3.551E-03 3.551E-03 3.551E-03 3.551E-03 3.506E-03 Number of MCS (Minimum Cutset) 17 34 56 105 243 24372 The probabilities of basic events were adjusted as follows. WinNUPRA Result module was used to perform sensitivity analysis using UEADD8ESFAS.BED and CISMESF.EQN. The resulting conditional failure probability is 5.651E-03.

Calculation Module Quantify an Equation was used to create the quantified cutset equation file CISMESF.EQP in folder plot. The result was verified by re-evaluating the fault tree with the adjusted probabilities of the following basic events in the data file UEADD8ESFAS.BED; both results match.

BE Description Comments for Revision VT-PND-FT-VTHZ04 Mini Purge Isolation Valve Set VT-PND-FT-VTHZ04 = 1.0 VTH04 Fails to Transfer Closed Set VT-PND-FT-VTHZ11 = 1.0 VT-PND-FT-VTHZ11 Mini Purge Isolation Valve due to the failure of BOP ESFAS cabinet VTH11 Fails to Transfer Closed SA036E MNPURGVLVSOPEN Percent of Year Mini-Purge Set MNPURGVLVSOPEN = 1.0 Open This conservatively assumes that the mini-purge valves are not closed immediately per TS 3.3.6.

The LERF was calculated by multiplying the Conditional CDF of 4.477E-05 yr-1 by the difference of the containment isolation failure probabilities. The corresponding Incremental Conditional Large Early Release Probability (ICLERP) for the CT 24-hour extension was calculated as follows:

ICLERP = (5.651E 3.551E-03)*4.477E-05*24/8760 = 2.576E-10 Page 21 of 41 Assuming TS 3.3.2 Condition Q with a 24-hour restoration time is entered once per year, the increase in LERF, LERF, is then equivalent to:

LERF = 1/yr*(5.651E 3.551E-03)*4.477E-05*24/8760 = 2.576E-10 yr-1 Common Cause Factor Impact on the Plant Risk If the plant has entered the BOP ESFAS TS 24-hour CT due to an inoperable separation group 4 BOP ESFAS train, a concurrent separation group 1 BOP ESFAS train failure would cause multiple components to fail to receive the appropriate actuation signals.

Thus, a BOP ESFAS separation group 1 failure concurrent with the separation group 4 cabinet out-of-service under TS 3.3.2 Condition Q would represent a common cause failure mode and this common cause factor (CCF) must be evaluated.

The CCF is directly attributable to basic event AL-ICC-AF-AFAS1 using a beta factor.

If the failure probability of this basic event is changed to account for CCF, this will propagate to the actuation of the A train MDAFP, the TDAFP, and the SG blowdown isolation valves via the logic model. So, if TS 3.3.2 Condition Q is entered because AL-ICC-AF-AFAS4 is failed, then the probability of AL-ICC-AF-AFAS1 would be set to the beta factor. The value of the beta factor may be in the 0.05 to 0.1 range per NUREG/CR-5485 and WCAP-15167. Given that SA036E has failed, AL-ICC-AF-AFAS4 and AL-ICC-AF-NOLSP4 were set to 1.0 and AMSACFAILS was set to 0.1.

The generic CCF parameter was used to modify AL-ICC-AF-AFAS1. Based on NUREG/CR-5485 equation (3.1), a value of 0.1 applies to the components of a system which are tested simultaneously (non-staggered) and a value of 0.05 applies to systems which are tested at fixed time intervals (staggered). Since both BOP ESFAS trains can not be taken out-of-service at the same time, the average value 0.075 was assigned to AL-ICC-AF-AFAS1. The conditional CDF is 9.342E-05, increasing by 108% from the CCDF of 4.477E-05. This means that the common cause failure that may fail both BOP ESFAS trains could be the major contributor to plant risk. The plant risk was therefore re-evaluated.

The Incremental Condition Core Damage Probability (ICCDP) would then be:

ICCDP = (9.342E 4.213E-05)*24/8760 = 1.405E-07 Assuming TS 3.3.2 Condition Q with a 24-hour CT is entered once per year, the increase in CDF would be:

CDF = 1/yr*(9.342E 4.213E-05)*24/8760 = 1.405E-07 yr-1 The Incremental Conditional Large Early Release Probability (ICLERP) would then be:

ICLERP = (5.651E 3.551E-03)* 9.342E-05*24/8760 = 5.375E-10 Page 22 of 41 Assuming TS 3.3.2 Condition Q with a 24-hour CT is entered once per year, the increase in LERF would be:

LERF = 1/yr*(5.651E 3.551E-03)* 9.342E-05*24/8760 = 5.375E-10 yr-1 CCF Sensitivity To evaluate the impact of beta factor on BOP ESFAS CCF, a sensitivity calculation was performed to show the impact of beta factor values in the range of 0.05 and 0.1 on risk.

The values were assigned to the basic event AL-ICC-AF-AFAS1 to model CCF of BOP ESFAS. The conditional CDF 4.477E-5 was used to compare the CDF increase, where CCF was not given consideration, so that different beta factors could demonstrate their common cause impacts on risk. The summary is listed as follows. The beta factor could increase the conditional CDF dramatically; the CCF would be the main contributor to the plant risk increase.

CCDF Increase ICCDP ICLERP Percentage (%)

0.05 7.652E-05 71% 9.422E-08 4.403E-10 0.075 9.342E-05 108% 1.405E-07 5.375E-10 0.1 1.103E-04 145% 1.868E-07 6.346E-10 Comparing beta factor 0.075 with 0.05 and 0.1, the change of the resulting CCDF would not exceed 20%. It shows that CCF presents a more significant impact on the risk than the different values of beta factor. Considering the given conservatism and the margin to the acceptance values, the most conservative beta factor would not unduly affect the plant risk, and the overall risk would not exceed the very small change criteria.

In another case for the CCF of the SG blowdown isolation valves, the beta factor of BM-AOV-DF-HV1-4 was 0.1 which is conservative. To evaluate the impact, the values of the beta factor were tried as 0.05 and 0.075. Since the CDF change is less than 5% and it decreases when compared with the BOP ESFAS CCF, there is little impact of this beta factor on the risk from the BOP ESFAS Completion Time (CT) extension. Thus, the use of the most conservative beta factor for SG blowdown isolation valves did not impact the results of the PRA evaluation for the BOP ESFAS CT extension.

Increase Increase Failure Baseline CCDF Percentage Percentage ICCDP ICLERP Probability CDF

(%) (%)

0.05 1.100E-04 4.267E-5 -4.67% 4.004E-05 -4.97% 7.205E-09 2.455E-10 0.075 1.650E-04 4.372E-5 -2.34% 4.109E-05 -2.48% 7.205E-09 2.515E-10 Page 23 of 41 4.1.2 Internal Fires The following fire risk evaluation is generally based on the data and methods used in the Callaway Plant Individual Plant Examination of External Events (IPEEE). The IPEEE fire analysis used the EPRI Fire Induced Vulnerability Evaluation (FIVE) method. The IPEEE was submitted to the NRC in June of 1995. The NRC SER on the Callaway IPEEE submittal was issued in September 1999.

Fire Areas of Interest is a comprehensive list of all of the fire areas identified in IPEEE Table 4.3.2-1 (except for those areas that obviously do not affect core damage, e.g., the Fuel Building). The column titled Screen Basis provides 9 reasons (including the control room fire discussion below) for screening a fire area from further evaluation. These reasons are explained below:

CCDP = 1.0: The fire area conditional core damage probability (CCDP) was evaluated to be 1.0 in the original fire analysis. Therefore, there is no change in risk due to the BOP ESFAS CT extension.

No Appendix R or PRA equipment: The fire area has no equipment that is damaged that is credited in the deterministic or PRA fire analyses. Therefore, there is no change in risk due to the BOP ESFAS CT extension.

Low frequency: The fire area fire frequency is low (below 1E-03 yr-1) and was excluded as was done for the ESW CT extension project (see LA186, Reference 7).

CCDP very low, mitigation not significantly impacted: The fire area original CCDP was very low (approximately E-07), such that, when combined with the fire area fire frequency and any impact due to the BOP ESFAS CT extension, the risk impact is negligible (i.e., the difference in AFW unavailability is approximately 1.3E-04, determined in the flood evaluation above, and when considered in combination with other mitigation unavailability such as feed and bleed, the impact is negligible).

Reactor trip only, mitigation not impacted: The only impact due to a fire in the fire area is a reactor trip. No mitigation is impacted by the fire. Any impact due to the BOP ESFAS CT extension is negligible (i.e., the difference in AFW unavailability is approximately 1.3E-04, determined in the flood evaluation above, and when considered in combination with other mitigation unavailability such as feed and bleed, the impact is negligible).

Thermo-lag barriers credited: The fire area was credited with thermo-lag barriers such that the fire did not cause any damage to mitigation equipment. Any impact due to the BOP ESFAS CT extension is negligible.

LOOP delta CCDP = 0.0: A fire in the fire area results in a LOOP (or near LOOP) with no other mitigation equipment impacted. A sensitivity study was performed to show that there is essentially no risk increase for a LOOP event during the BOP ESFAS CT extension.

Page 24 of 41 A fire in the Control Room (fire area C-27) was analyzed separately in the IPEEE with the results presented in IPEEE Section 4.3.6. Recovery of a fire in the control room is dominated by human actions, including manual actions to initiate many functions. Automatic actuation signals are not specifically credited in the analysis. A train of BOP ESFAS out-of-service does not impact the ability of the operators to manually actuate AFW from either the control room or the auxiliary shutdown panel (ASP). Thus, there is no risk increase for a fire in the control room with respect to the BOP ESFAS CT extension.

Fire freq = 0: It was determined in the IPEEE that the fire frequency for the fire area was 0. Thus, there is no risk increase for a LOOP event during the BOP ESFAS CT extension.

There are 25 non-screened fire areas that required further evaluation.

The designators of the areas for evaluation are in bold text in the column titled Fire Compartment in Attachment 7. This evaluation addressed those fire areas identified in bold text in Attachment 7.

Fire Frequencies lists the fire frequency for each fire area. These values were obtained from the IPEEE. The fire frequencies used in the IPEEE were based upon the EPRI Fire Events Database (NSAC-178L). As was done in the IPEEE, a fire in a given fire area is assumed to fail all PRA-credited equipment in the fire area, as well as fail equipment associated with cable in the fire area, unless the fire area was fire modeled in detail. This evaluation used the fire frequencies listed in Attachment 7, except for those fire areas that were fire modeled. This is discussed below.

Fire Modeled Scenarios Fire areas A-1A, A-16, and A-27 were fire modeled in the IPEEE due to their high fire frequencies and their potentially high CCDPs.

IPEEE Table 4.3.3.4-5 presents the fire modeling results for fire area A-1A. Six fire scenarios were developed for this fire area. Each scenario is discussed below:

Scenario 1: Has a low fire frequency (approx. E-05 yr-1) and only non-safety related cable is impacted. This scenario was neglected.

Scenario 2: CCDP = 0 since no target damage is possible. This scenario was neglected.

Scenario 3: Only non-safety cable is impacted. This scenario was neglected.

Page 25 of 41 Scenario 4: CCDP = 0 since no damage from a hot gas layer (HGL) to any targets.

This scenario was neglected.

Scenario 5: Fire frequency of 3.93E-04 yr-1, multiplied by 0.1 to credit non-exposure to transients. So, fire modeled fire frequency is:

fA-1A/5 = (3.93E-04)

0.1 = 3.93E-05 yr-1 Scenario 6: Fire frequency of 3.93E-04 yr-1, multiplied by 0.1 to credit non-exposure to transients and 0.07 to credit small area of impact for a transient combustible fire. So, fire modeled fire frequency is:

fA-1A/6 = (3.93E-04)

0.1

0.07 = 2.75E-06 yr-1 IPEEE Table 4.3.3.4-8 presents the fire modeling results for fire area A-16. Twelve fire scenarios were developed for this fire area. Each scenario is discussed below:

Scenario 1: This scenario is a failure of a CCW pump due to a fire. Since there are four CCW pumps, this applies to Scenarios 1 to 4. The fire modeled fire frequency is:

fA-16/1 = 2.64E-04 yr-1 Scenario 5: CCDP = 0 since no damage from a HGL to any targets. This scenario was neglected.

Scenario 6: CCDP = 0 since no damage from a HGL to any targets. This scenario was neglected.

Scenario 7: CCDP = 0 since no damage from a HGL to any targets. This scenario was neglected.

Scenario 8: CCDP = 0 since no damage from a HGL to any targets. This scenario was neglected.

Scenario 9: Fire frequency of 3.26E-05 yr-1, multiplied by 0.05 to credit probability of suppression prior to damage. This results in a frequency of 1.63E-06 yr-1 which is very low. In addition, the IPEEE CCDP is low (E-05). Thus, this scenario was neglected.

Scenario 10: Fire frequency of 3.93E-04 yr-1, multiplied by 0.1 to credit non-exposure to transients and 0.05 to credit small area of impact for a transient combustible fire. This applies to Scenarios 10 to 12. So, fire modeled fire frequency is:

Page 26 of 41 fA-16/10 = (3.93E-04)

0.1

0.05 = 1.97E-06 yr-1 IPEEE Table 4.3.3.4-10 presents the fire modeling results for fire area A-27. Two fire scenarios were developed for this fire area. Each scenario is discussed below:

Scenario 1: Fire frequency of 1.67E-03 yr-1, multiplied by 0.005 to credit probability of suppression prior to damage and 0.333 to credit manual recovery of the Halon system. The fire modeled fire frequency is:

fA-27/1 = (1.67E-03)

0.005

0.333 = 2.78E-06 yr-1 Scenario 2: CCDP = 1.0: The scenario conditional core damage probability (CCDP) was evaluated to be 1.0 in the original fire analysis.

Therefore, there can be no change in risk due to the BOP ESFAS CT extension. This scenario was neglected.

Probability of Non-suppression IPEEE Table 4.3.3.2-2 lists the probability of non-suppression of the fire [column heading P(ns)] for the fire areas. The IPEEE references the EPRI FIVE document (EPRI TR-100370) for the unavailability of fire suppression equipment. The unavailability of pre-action sprinkler systems and Halon systems is 0.05. The unavailability of wet pipe sprinkler systems is 0.02. This evaluation credited the probability of non-suppression for fire areas A-17, A-18, C-6, C-9, C-10, D-1, and D-2, as well as what was credited in the fire modeled scenarios above. Attachment 7 lists the probability of non-suppression, taken from IPEEE Table 4.3.3.2-2, in the column labeled P(NS).

Conditional Core Damage Probability (CCDP)

For all evaluated fire areas, it was assumed that the increase in unavailability of the AFW system, due to an AFAS train out-of-service (OOS), represents the potential increase in risk for these fire areas. So, the change in CCDP is the increase in the unavailability between the baseline AFW results and the AFW results with an AFAS train OOS event. Thus, from the flood evaluation above:

CCDPAFWAFAS = PAFWAFAS1 - PAFWORIG

= (4.862E-04) - (3.616E-04) = 1.246E-04 The above CCDP was applied to evaluated fire areas as shown in the Attachment 7 column titled Fire CDF.

Page 27 of 41 Increase in CDF Due to Fires The ICCDP reported below is per Condition entry with the new 24-hour CT and the CDF is based on entering the new 24-hour CT once a year. From Attachment 7:

CDFfires = 3.20E-06 yr-1 ICCDPfires = (3.20E-06) * (24 / 8760) = 8.77E-09 CDFfires = 1/yr

ICCDPfires = (1/yr) * (3.20E-06) * (24 / 8760) = 8.77E-09 yr-1 Using the same approach used for internal events, with ICLERP reported per Condition entry with the new 24-hour CT and LERF based on entering the new 24-hour CT once a year:

ICLERP = 1.84E-11 LERF = 1.84E-11 yr-1 4.1.3 Internal Flooding The following flooding risk evaluation is generally based on the data and methods used in the Callaway Plant Individual Plant Examination (IPE). The IPE was submitted to the NRC in September of 1992. The NRC Staff Evaluation Report (SER) on the Callaway IPE submittal was issued in May 1996.

The flood frequency, due to a pipe failure in an ESW or AFW train, was determined for each risk-significant flood area. The flood frequencies were obtained from data used in the IPE. The IPE states that flood initiator frequencies were estimated using a combination of EPRI NP 6992L, EGG-SSRE-9639, NSAC-60, and EPRI TR-102266.

As was done in the IPE, a flood in a given flood area was assumed to fail all PRA-credited equipment in the flood area, as well as fail the flooding source.

Flood Zones of Interest is a comprehensive list of all of the pertinent flood areas (except for those areas that obviously do not affect core damage, e.g., the Fuel Building). The column titled Screen Basis provides 4 reasons for screening a flood zone from further evaluation. These reasons are explained below:

CCDP = 1.0: The flood zone conditional core damage probability (CCDP) was evaluated to be 1.0 in the original flooding analysis. Therefore, there is no change in risk due to the BOP ESFAS CT extension.

Page 28 of 41 No ESW/AFW Flood: The flood zone does not have a flooding source attributable to either the ESW or AFW systems. Floods due to breaks in ESW or AFW will affect the AFW system and thus are the most pertinent. Thus, for areas with no flood due to ESW or AFW, all three trains of AFW are potentially available, as well as most all of the ECCS equipment, and the impact of one train of BOP ESFAS OOS is negligible.

Low flood frequency: The flood zone flood frequency is low (approximately 1E-7 yr-1) and would have a negligible contribution to risk due to the BOP ESFAS CT extension.

Included in THREE: A review of the flood zones revealed that the diesel generator zones (D-1 and D-2, rooms 5201 and 5203) were included with flood zone THREE. Thus, these rooms were previously double counted in the flooding analysis. The double counting was excluded in this evaluation.

There are 26 non-screened flood zones that required further evaluation.

The designators of the areas for evaluation are in bold text in the column titled Flood Areas in Attachment 8. This evaluation addressed those flood zones identified in bold text in Attachment 8.

Flood Frequencies lists the flood frequency for each flood zone that is attributable to a flood due to the ESW or AFW system in that flood zone (Attachment 8 column titled ESW/AFW Flood Source). With one train of AFAS OOS, during the CT, a flood initiating event due to a leak/break in the opposite ESW or AFW train is the limiting flood event. Other flood events will not impact an entire train of equipment and thus are less limiting. The ESW and AFW flood frequencies, identified in Attachment 8, were used as the flood initiating event frequencies in this evaluation.

Conditional Core Damage Probability (CCDP)

For all flood zones, except ES-1, ES-2, UHS-1, and UHS-2, the flood results from a break in an ESW line or an AFW line. This results in one train of AFW unavailable.

Such a break, in combination with the opposite trains AFAS OOS, represents the potential increase in risk for these flood zones.

Fault tree AFW.LGC, as modified to perform this evaluation, was linked and then updated with BED files UEADD8ESFAS-12.BED and HSE-T.BED. The linked and updated fault tree was then solved and produced files AFW.EQN and AFW.FTP. The resulting AFW unavailability, with one train of AFAS OOS (i.e., probability of AL-ICC-AF-AFAS4 = 1.0) is:

PAFWAFAS4 = 4.862E-04 Page 29 of 41 Next, a sensitivity analysis was performed wherein the probability of AL-ICC-AF-AFAS4 was reset to its original value. The unavailability value, shown below, is consistent with the nominal AFW unavailability from the Fourth PRA Update of 3.53E-04. This established the baseline unavailability of the AFW system.

PAFWORIG = 3.616E-04 Another sensitivity was performed wherein the probability of AL-ICC-AF-AFAS1 was set to fail (i.e., probability of AL-ICC-AF-AFAS1 = 1.0). The unavailability value, shown below, is consistent with the AFW unavailability when AFAS4 is OOS of 4.862E-

04. This established the unavailability of the AFW system with AFAS1 OOS.

PAFWAFAS1 = 4.909E-04 A sensitivity was performed wherein the probability of EF-DRAIN-TRAINB was set to fail (i.e., probability of EF-DRAIN-TRAINB = 1.0), with nominal failure probabilities for AFAS1 and AFAS4. The unavailability value, shown below, established the baseline unavailability of the AFW system with a train of ESW drained.

PAFWDRAIN = 9.351E-04 A sensitivity was performed wherein the probability of EF-DRAIN-TRAINB was set to fail (i.e., probability of EF-DRAIN-TRAINB = 1.0) and the probability of AL-ICC-AF-AFAS1 was set to fail (i.e., probability of AL-ICC-AF-AFAS1 = 1.0). This established the unavailability of the AFW system with AFAS1 OOS and ESW train B drained.

PAFWAF1-DRAIN = 1.840E-03 It is conservatively assumed that the change in CCDP for these flood zones is the change in AFW unavailability between the baseline ESW drained event and the ESW drained coincident with an AFAS train out-of-service event. Thus, CCDPAFWAF1-DRAIN = (1.840E-03) - (9.351E-04) = 9.049E-04 Flood zones ES-1, ES-2, UHS-1, and UHS-2 reside outside the normal power block buildings. As such, flooding that occurs in any of these zones will not impact equipment associated with normal service water, and the break can be isolated such that normal service water (system EA) can be used to continue to provide cooling flow to the protected train, including the AFW system. A sensitivity was performed wherein the conditional probability of a T(2) event (reactor trip without MFW available) was determined coincident with EF-MDP-FR-PEF01A set to fail (i.e., probability of EF-MDP-FR-PEF01A = 1.0) and the probability of AL-ICC-AF-AFAS4 was kept failed (i.e.,

probability of AL-ICC-AF-AFAS4 = 1.0). The CCDP value, shown below, established the CCDP for a T(2) event (caused by a flood in ES-1, ES-2, UHS1, or UHS-2) with a train of ESW failed (which represents the ESW flood, but with EA still available) and a Page 30 of 41 train of AFAS OOS.

CCDPAF4-EFA = 2.627E-05 A sensitivity was performed wherein the conditional probability of a T(2) event (reactor trip without MFW available) was determined coincident with EF-MDP-FR-PEF01A set to fail (i.e., probability of EF-MDP-FR-PEF01A = 1.0) and with nominal failure probabilities for AFAS1 and AFAS4. The CCDP value, shown below, established the baseline CCDP for a T(2) event (caused by a flood in ES-1, ES-2, UHS1, or UHS-2) with a train of ESW failed (which represents the ESW flood, but with EA still available).

CCDPEFA = 1.971E-05 The change in CCDP for these flood zones is the change in CCDP between the baseline ESW train failed event and the ESW train failed coincident with an AFAS train out-of-service event. Thus, CCDPAF4-EFA = (2.627E-05) - (1.971E-05) = 6.560E-06 The above two CCDPs were applied to their respective flood zones as shown in the column titled Flooding CDF. Attachment 8 Note 1 delineates the flood zones to which these apply.

Increase in CDF Due to Floods The ICCDP reported below is per Condition entry with the new 24-hour CT and the CDF is based on entering the new 24-hour CT once a year. From Attachment 8:

CDFfloods = 1.17E-06 yr-1 ICCDPfloods = (1.17E-06) * (24 / 8760) = 3.21E-09 CDFfloods = 1/yr

ICCDPfloods = (1/yr) * (1.17E-06) * (24 / 8760) = 3.21E-9 yr-1 Using the same approach used for internal events, with ICLERP reported per Condition entry with the new 24-hour CT and LERF based on entering the new 24-hour CT once a year:

ICLERP = 6.73E-12 LERF = 6.73E-12 yr-1 Page 31 of 41 Fire and Flood Sensitivities The most likely source of uncertainty in the flood and fire risk assessments is the assumption that the increase in risk for most of these zones/areas is the change in unavailability of the AFW system. For most of the zones/areas, the change in unavailability of the AFW system was based on the whole AFW system (all three trains),

being potentially available (except in the case of the flood zones where the flood was due to an ESW or AFW pipe break).

To quantify this source of uncertainty, fault tree AFW.LGC, as modified to perform this evaluation, was linked and then updated with BED files UEADD8ESFAS-12.BED and SBOINIT.BED. The linked and updated fault tree was then solved and produced files AFWT1S-AF.EQN and AFWT1S-AF.FTP. The resulting unavailability represented only the TDAFP being potentially available with no ESW backup source (SBO event) and with one train of AFAS OOS (i.e., probability of AL-ICC-AF-AFAS4 = 1.0). The unavailability is:

PAFWT1S-AF = 2.534E-02 Next, a sensitivity was performed wherein the probability of AL-ICC-AF-AFAS4 was reset to its original value. The unavailability value, shown below, is consistent with the nominal TDAFP unavailability from the Fourth PRA Update of 2.50E-02. This established the baseline unavailability of the TDAFP during an SBO event.

PAFWT1S = 2.508E-02 So, the change in CCDP is the increase in the unavailability between the baseline TDAFP results and the TDAFP results with an AFAS train OOS event.

CCDPAFWAFAS = PAFWT1S-AF - PAFWT1S

= (2.534E-02) - (2.508E-02) = 2.60E-04 The above CCDP is roughly double the CCDP calculated for the fire risk.

Thus, to estimate the sensitivity of the flood and fire risk evaluations to the uncertainty in the assumed CCDPs, the risk metrics were doubled. A doubling of the risk metrics for floods and fires continues to result in a small impact on risk due to the BOP ESFAS CT extension.

4.1.4 Combined Risk Metric Results The following tables provide the risk metrics associated with this amendment request.

Page 32 of 41 The yearly risk contribution from a single TS 3.3.2 Condition Q 24-hour entry per year (ICCDP and ICLERP values apply to each Condition entry):

Acceptance Risk Criteria Callaway Results Metric Internal Flood Fire Total CDF <1E-06 yr-1 7.23-09 yr-1 3.21E-09 yr-1 8.77E-09 yr-1 1.92E-08 yr-1 very small RG 1.174 LERF <1E-07 yr-1 2.58E-10 yr-1 6.73E-12 yr-1 1.84E-11 yr-1 2.83E-10 yr-1 very small RG 1.174 ICCDP <5E 7.23E-09 3.21E-09 8.77E-09 1.92E-08 RG 1.177 ICLERP <5E 2.58E-10 6.73E-12 1.84E-11 2.83E-10 RG 1.177 Regulatory Guides 1.174 and 1.177 provide the core damage risk increase acceptance criteria above for very small risk changes.

4.2 External Events Seismic The Callaway Plant has a robust seismic design. Due to the SNUPPS design originally being intended for multiple sites, additional design conservatism was built into the plant by designing to floor response spectra (FRS) that overlapped the various sites originally considered. In order for Union Electric (now AmerenUE) to respond to Generic Letter 88-20, Supplement 4, the results of a Seismic Margins Assessment (SMA) were reported to the NRC in the IPEEE Report submitted via ULNRC-3232 dated 6-30-95. In support of that response, Bechtel Power Corporation was contracted to compare Callaways FRS against the 0.3g Review Level Earthquake (RLE). After this effort, seismic qualification documentation was reviewed to verify whether specific equipment was qualified for the limited frequencies where the RLE exceeded the FRS. This screened out all but 22 components listed in the IPEEE Report Section 3.1.4.1.4. As an example of how the SNUPPS design led to Callaways robust seismic design, IPEEE Report Section 3.1.4.5.3 documents a calculation demonstrating that the component cooling water (CCW) heat exchangers would survive a peak ground acceleration of 0.41g, far in excess of the RLE and the Safe Shutdown Earthquake (SSE).

Page 33 of 41 NUREG-1488 estimates a mean seismic hazard frequency of 1.68E-5 yr-1 for a 0.3g or greater earthquake. The SMA of the Callaway Plant determined that the Safe Shutdown Equipment List (SSEL) equipment, which is needed for two success paths to mitigate the effects of a seismically induced small break LOCA as discussed in Section 3.1.2.3 of Reference 8, is capable of withstanding the 0.3g Review Level Earthquake (RLE). Since the internal events CCDF due to this BOP ESFAS Completion Time Extension is calculated to be 4.48E-05 yr-1, as discussed above, the seismic risk is not significant for this application.

High Winds, External Floods, Transportation and Nearby Facility Accidents Callaway Plants design conforms to the 1975 Standard Review Plan and no potential vulnerabilities from high winds and tornadoes, floods, and transportation and nearby facility accidents exist that have not been included in the original design basis analysis.

All Seismic Category I structures are designed to withstand the effects of a tornado and the most severe wind phenomena encountered. Non-Category I structures are designed to preclude their collapse upon safety-related structures or components under loads imposed by the design basis tornado.

All Seismic Category I structures and the systems they house are designed to withstand the effects of natural phenomena, such as flooding and groundwater level. These structures are not protected above grade for flooding because there are no above-grade floods at the structure locations.

There are no hazards presented to the Callaway Plant either from barge traffic on the Missouri River or from the roads nearest the plant site. There are no aircraft hazards whose probability of occurrence is greater than 1E-07 per year.

There are no military bases, missile sites, or military firing ranges, manufacturing or chemical plants, pipelines or tank farms are located within 5 miles of the site. The potential design basis accidents from nearby facility hazards have been evaluated and there are no onsite or offsite hazards which have an adverse effect on the plant structures.

Therefore, there are no elevated risks from high winds and tornadoes, floods, and transportation and nearby facility accidents that are significant for the extended BOP ESFAS Completion Times.

4.3 Tier 2, Avoidance of Risk-Significant Plant Configurations In the calculation of ICCDP, delta-CDF, ICLERP and delta-LERF, no credit was taken for any compensatory measures. However, there are two Technical Specification LCOs that bear some discussion with respect to the risk findings reported herein:

Page 34 of 41 The BOP ESFAS must be OPERABLE in MODES 1-4 to support TS 3.3.6, Containment Purge Isolation Instrumentation. Condition B of TS 3.3.6 is entered for one or more inoperable BOP ESFAS trains and requires immediate action to be taken to close the containment mini-purge isolation valves. This Required Action B.1 is credited in the LERF and ICLERP calculations.

The new Note added to TS 3.3.2 Condition J will assure the availability of the actuation signal for AFW start after the loss of both main feedwater pumps from one train of BOP ESFAS. While this does not directly factor into the CDF and ICCDP calculations, it does address a deterministic concern with the separate Condition entry allowance.

4.4 Tier 3, Risk-Informed Configuration Risk Management Tier 3 requires a proceduralized process to assess the risk associated with both planned and unplanned work activities. The objective of the third tier is to ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity. As stated in Section 2.3 of Regulatory Guide 1.177, "a viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation." The third-tier requirement is an extension of the second-tier requirement, but addresses the limitation of not being able to identify all possible risk-significant plant configurations in the second-tier evaluation. Programs and procedures are in place at Callaway which serve to address this objective.

In particular, APA-ZZ-003l5, "Configuration Risk Management Program," and EDP-ZZ-01129, "Callaway Plant Risk Assessment," are an integral part of the work management process at the plant. The Configuration Risk Management Program (CRMP) ensures that configuration risk is assessed (using the PRA-based Safety Monitor, a computer-based program for assessing the impact on plant safety of out of service equipment) and managed prior to initiating any maintenance activity consistent with the requirements of 10 CFR 50.65(a)(4). The BOP ESFAS and systems actuated by the BOP ESFAS are within the scope of Callaways maintenance rule program and have availability and reliability criteria established to monitor performance. The CRMP also ensures that risk is reassessed if an emergent condition results in a plant configuration that has not been previously assessed.

Under the CRMP, using the associated Safety Monitor, risk thresholds were established to ensure that average baseline risk is maintained within an acceptable band. The four bands used in this program are:

Green - Key safety functions are at minimum risk. TS LCOs are met.

Yellow - A key safety function is in a reduced capability. The plants ability to perform the associated safety function is reduced but still acceptable. Risk Page 35 of 41 Management Action may be required prior to planned entry. For unplanned entry, Risk Management Action plan must be implemented as soon as possible. Plant and equipment availability conditions meet the TS without reliance on the action statements and the minimum equipment requirements.

Orange - Key safety functions are degraded and steps should be taken to minimize the amount of time in this condition. Risk Management Action plan and specific approval are required prior to planned entry. For unplanned entry, Initiation of a Risk Management Action Plan and Plant Director/EDO notification are required. Approval Forms and Risk Management Action Plans are contained in APA-ZZ-00322, Integrated Work Management Process Description.

Red - Key safety functions are severely threatened. Immediate actions are required to restore acceptable plant risk. Planned entry is NOT allowed. For unplanned entry, Initiation of a Risk Management Action Plan and Plant Director/EDO notification is required.

The risk thresholds for these bands are listed in the table that follows, where ICCDP is as defined under Tier 1 above, CDF' is the conditional core damage frequency, ICLERP is as defined under Tier 1 above, and LERF' is the conditional large early release frequency:

ICCDP CDF' ICLERP LERF' Red > 1E-3 >1E-4 Orange > 1E-5 > 5.5E-4 >1E-6 >5.2E-5 Yellow 1E 1E-5 8.7E 5.5E-4 1E 1E-6 5.7E 5.2E-5 Green < 1E-6 < 8.7E-5 < 1E-7 < 5.7E-6 When a risk significant configuration occurs (Safety Monitor in the Yellow, Orange, or Red Bands), Risk Management Action Planning is performed in accordance with Section 4.6 of APA-ZZ-00315 and APA-ZZ-00322, Integrated Work Management Process Description. Compensatory measures are established to reduce risk (limit unavailability time and implement a contingency plan to restore and/or mitigate the loss of a key safety function). If an unacceptable risk level occurs (in the orange or red band), the Shift Manager / Control Room Supervisor or the Work Week Manager reschedules work as needed to minimize the overall plant risk.

The Callaway CRMP was reviewed and approved by NRC in support of License Amendment 165 as discussed on pages 13-15 of the Safety Evaluation attached to Reference 5 in Section 7.0.

5.0 REGULATORY SAFETY ANALYSIS This section addresses the standards of 10 CFR 50.92 as well as the applicable regulatory requirements and acceptance criteria.

Page 36 of 41 This amendment application submits a proposed change to Technical Specification (TS) 3.3.2, Engineered Safety Feature Action System (ESFAS) Instrumentation, that would add a new Required Action Q.1 to require restoration of an inoperable Balance of Plant ESFAS (BOP ESFAS) train to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Currently, Condition Q of TS 3.3.2 for Function 6.c of TS Table 3.3.2-1 requires the plant to enter a shutdown track to MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and to MODE 4 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months with no allowed outage time provided for restoration. In addition, the Completion Times for TS 3.3.2 Required Actions J.1 and O.1 to trip inoperable channels that provide inputs to BOP ESFAS would also be extended to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Shutdown track Completion Times to be in MODES 3 and 4 would be increased to reflect these longer restoration times. Separate Condition entry for TS Condition J would be restricted to assure that Function 6.g in TS Table 3.3.2-1 will provide a start signal to the motor-driven auxiliary feedwater (AFW) pumps from one train of BOP ESFAS actuation logic. This is a risk-informed amendment request following the guidance of NRC Regulatory Guides (RGs) 1.174, 1.177, and 1.200 Revision 1.

5.1 No Significant Hazards Consideration (NSHC)

AmerenUE has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment, Part 50.92(c), as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No Overall protection system performance will remain within the bounds of the previously performed accident analyses since no hardware changes are proposed to the protection systems. The same reactor trip system (RTS) and engineered safety feature actuation system (ESFAS) instrumentation will continue to be used. The protection systems will continue to function in a manner consistent with the plant design basis. There will be no changes to the BOP ESFAS surveillance and operating limits.

The proposed changes will not adversely affect accident initiators or precursors nor alter the design assumptions, conditions, and configuration of the facility or the manner in which the plant is operated and maintained. The proposed changes will not alter or prevent the ability of structures, systems, and components (SSCs) from performing their intended functions to mitigate the consequences of an initiating event within the assumed acceptance limits.

The proposed changes do not affect the way in which safety-related systems perform their functions.

All accident analysis acceptance criteria will continue to be met with the proposed Page 37 of 41 changes. The proposed changes will not affect the source term, containment isolation, or radiological release assumptions used in evaluating the radiological consequences of an accident previously evaluated. The proposed changes will not alter any assumptions or change any mitigation actions in the radiological consequence evaluations in the FSAR.

The applicable radiological dose acceptance criteria will continue to be met.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No There are no proposed changes in the method by which any safety-related plant SSC performs its safety function. The proposed changes will not affect the normal method of plant operation or change any operating parameters. No equipment performance requirements will be affected. The proposed changes will not alter any assumptions made in the safety analyses.

No new accident scenarios, transient precursors, failure mechanisms, or limiting single failures will be introduced as a result of this amendment. There will be no adverse effect or challenges imposed on any safety-related system as a result of this amendment.

The proposed amendment will not alter the design or performance of the 7300 Process Protection System, Nuclear Instrumentation System, Solid State Protection System, BOP ESFAS, MSFIS, or LSELS used in the plant protection systems.

Therefore, the proposed changes do not create the possibility of a new or different accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No There will be no effect on those plant systems necessary to assure the accomplishment of protection functions. There will be no impact on the overpower limit, departure from nucleate boiling ratio (DNBR) limits, heat flux hot channel factor (FQ), nuclear enthalpy rise hot channel factor (FH), loss of coolant accident peak cladding temperature (LOCA PCT), peak local power density, or any other margin of safety. The applicable radiological dose consequence acceptance criteria will continue to be met.

The proposed changes do not eliminate any surveillances or alter the frequency of surveillances required by the Technical Specifications. No instrument setpoints or Page 38 of 41 system response times are affected. None of the acceptance criteria for any accident analysis will be changed.

The proposed changes will have no impact on the radiological consequences of a design basis accident.

Therefore, the proposed changes do not involve a significant reduction in a margin of safety.

==

Conclusion:==

Based on the above evaluation, AmerenUE concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c) and, accordingly, a finding of "no significant hazards consideration" is justified.

5.2 Applicable Regulatory Requirements / Criteria Section 182a of the Atomic Energy Act requires applicants for nuclear power plant operating licenses to include Technical Specifications (TSs) as part of the license. The TSs ensure the operational capability of structures, systems, and components that are required to protect the health and safety of the public. The U.S. Nuclear Regulatory Commissions (NRCs) requirements related to the content of the TSs are contained in Section 50.36 of Title 10 of the Code of Federal Regulations (10 CFR 50.36) which requires that the TSs include items in the following specific categories: (1) safety limits, limiting safety systems settings, and limiting control settings; (2) limiting conditions for operation; (3) surveillance requirements per 10 CFR 50.36(c)(3); (4) design features; and (5) administrative controls.

This amendment application is related to the second category above (LCOs) and is a less restrictive change; however, the requested change still affords an adequate assurance of safety when judged against applicable standards. 10 CFR 50.36 also requires that a licensee's TSs be derived from the analyses and evaluations included in the safety analysis report.

The regulatory requirements and guidance documents associated with this risk-informed amendment application include the guidance provided by Standard Review Plan (SRP)

Chapter 16.1, "Risk-Informed Decisionmaking: Technical Specifications." SRP Chapter 16.1 refers to RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," as an acceptable approach for assessing proposed risk-informed changes to TS allowed outage times.

One acceptable approach for making risk-informed decisions about proposed TS changes, including both permanent and temporary TS changes, is to show that the proposed changes meet the five key principles stated in RG 1.177, Section B:

Page 39 of 41

1. The proposed change meets the current regulations unless it is explicitly related to a requested exemption or rule change.

2. The proposed change is consistent with the defense-in-depth philosophy.

3. The proposed change maintains sufficient safety margins.

4. When proposed changes result in an increase in core-damage frequency (CDF) or risk, the increases should be small and consistent with the intent of the Commission's Safety Goal Policy Statement.

5. The impact of the proposed change should be monitored using performance measurement strategies.

The first three principles pertain to traditional engineering considerations and are discussed in Section 3.0 of this Evaluation. The last two principles involve risk considerations as discussed in Section 4.0 of this Evaluation. Another traditional engineering consideration that is listed in Sections II.A and III.A of SRP Chapter 16.1, and is addressed in Section 3.0 of this Evaluation, is the need for and adequacy of the proposed change. References 1-3 provide guidance on the attributes necessary to support regulatory findings associated with risk-informed applications.

Although not the direct subject matter of this requested amendment, the following regulatory requirements and guidance documents apply to the BOP ESFAS logic cabinets and its input signals:

GDC 2 requires that structures, systems, and components important to safety be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without the loss of the capability to perform their safety functions.

GDC 4 requires that structures, systems, and components important to safety be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with the normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, discharging fluids that may result from equipment failures, and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

GDC 13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission Page 40 of 41 process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.

GDC 20 requires that the protection system(s) shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

GDC 21 requires that the protection system(s) shall be designed for high functional reliability and testability.

GDC 22 through GDC 25 and GDC 29 require various design attributes for the protection system(s), including independence, safe failure modes, separation from control systems, requirements for reactivity control malfunctions, and protection against anticipated operational occurrences.

Regulatory Guide 1.22 discusses an acceptable method of satisfying GDC-20 and GDC-21 regarding the periodic testing of protection system actuation functions.

These periodic tests should duplicate, as closely as practicable, the performance that is required of the actuation devices in the event of an accident.

10 CFR 50.55a(h) requires that the protection systems meet IEEE 279-1971.

Section 4.2 of IEEE 279-1971 discusses the general functional requirement for protection systems to assure they satisfy the single failure criterion.

There are no changes being proposed in this amendment application such that commitments to the regulatory requirements and guidance documents above would come into question. The evaluations documented above confirm that Callaway Plant will continue to comply with all applicable regulatory requirements.

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

AmerenUE has evaluated the proposed amendment and has determined that the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion Page 41 of 41 for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

7.0 REFERENCES

1. NRC Regulatory Guide 1.174, Revision 1, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, November 2002.

2. NRC Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, August 1998.

3. NRC Regulatory Guide 1.200, Revision 1, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, January 2007.

4. ULNRC-05612, Licensee Event Report 2009-001-00, Technical Specification Required Shutdown Due To Loss of Power Supply, dated April 17, 2009.

5. Callaway License Amendment No. 165 dated January 31, 2005, Callaway Plant, Unit 1 - Issuance of Amendment Re: Plant Protection Test Times, Completion Times, and Surveillance Test Intervals (TAC NO. MC1756).

6. Callaway License Amendment No. 64 dated October 9, 1991, Amendment No.

64 to Facility Operating License No. NPF-30 (TAC NO. M79969).

7. Callaway License Amendment No. 186 dated October 31, 2008, Callaway Plant, Unit 1 - Issuance of Amendment Re: One-Time Extension of Completion Time for Essential Service Water System Piping Replacement (TAC No. MD7252, ADAMS Accession Number ML082810643.

8. ULNRC-3232, Response to Generic Letter 88-20, Supplement No. 4, Individual Plant Examination of External Events (IPEEE), dated June 30, 1995.

ATTACHMENT 2 MARKUP OF TECHNICAL SPECIFICATIONS

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME I. One channel inoperable. ------------------- NOTE -------------------

The inoperable channel may be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels.

1.1 Place channel in trip. 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OR 1.2 Be in MODE 3. 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months J." One Main Feedwater ------------------- NOTE -------------------

Pumps trip channel The inoperable channel may be inoperable. bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for surveillance testing of other channels.

J.1 Place channel in trip. -~

J!/- j,~ fAr.

OR J.2 Be in MODE 3.

~"30hours (continued)

~---

No-rE----

CALLAWAY PLANT 3.3-29 Amendment No. 165

INSERT 1 Separate Condition entry is restricted to one inoperable channel per pump in the same separation group.

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME M. Not used.

N. One or more Containment N.1 Place channel(s) in trip. 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Pressure - Environmental Allowance Modifier OR channel(s) inoperable.

N.2.1 Be in MODE 3. 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months AND N.2.2 Be in MODE 4. 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months O. One channel inoperable. 0.1 Place channel in trip. 1 "'el:lf ~4-NU rs AND 0.2 Restore channel to During OPERABLE status. performance of the next required COT (continued)

CALLAWAY PLANT 3.3-31 Amendment No. 168

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME P. One or more channel(s) P.1 Declare associated Immediately inoperable. auxiliary feedwater pump(s) inoperable.

Q One train inoperable. ------------------- NOT E -------------------

One train may be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for surveillance testing provided the other train is OPERABLE.

'SE~ .:2. .... :30

-e.-:+{}.=J./ Be in MODE 3. -&hours ANrH-/

~

Q.2. ':2 Be in MODE 4. ~hours R. One or both train(s) R.1

" Restore train(s) to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months inoperable. OPERABLE status.

OR R.2.1 Be in MODE 3. 54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months AND R.2.2 Be in MODE 4. 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months (continued)

CALLAWAY PLANT 3.3-32 Amendment No. 165

INSERT 2 REQUIRED ACTION COMPLETION TIME Q.1 Restore train to OPERABLE 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months status.

OR

ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 7 of 9)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE(a)

6. Auxiliary Feedwater

a. Manual Initiation 1,2,3 1/pump P SR 3.3.2.8 NA

b. Automatic 1,2,3 2 trains G SR 3.3.2.2 NA Actuation Logic SR 3.3.2.4 and Actuation SR 3.3.2.6

[,

Relays (SSPS)

Automatic Actuation Logic and Actuation Relays (BOP ESFAS)

d. SG Water Level 1,2,3 2 trains Q SR 3.3.2.3 NA

]

Low-Low (1) Steam. 1,2,3 4 per SG D SR 3.3.2.1 ;?: 20.6%(5) of Generator SR 3.3.2.5 Narrow Range Water Level SR 3.3.2.9 Instrument Low-Low SR 3.3.2.10 Span (Adverse Containment Environment)

(2) Steam 1(r), 2(r), 3(r) 4 per SG D SR 3.3.2.1 ;?: 16.6%(5) of Generator SR 3.3.2.5 Narrow Range Water Level SR 3.3.2.9 Instrument Low-Low SR 3.3.2.10 Span (Normal Containment Environment)

(a) The Allowable Value defines the limiting safety system setting except for Functions 1.e, 4.e.(1), 5.c, 5.e.(1), 5.e.(2),

6.d.(1), and 6.d.(2) (the Nominal Trip Setpoint defines the limiting safety system setting for these Functions). See the Bases for the Nominal Trip Setpoints.

(r) Except when the Containment Pressure - Environmental Allowance Modifier channels in the same protection sets are tripped.

(s) 1. If the as-found instrument channel setpoint is conservative with respect to the Allowable Value, but outside its as-found test acceptance criteria band, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service. If the as-found instrument channel setpoint is not conservative with respect to the Allowable Value, the channel shall be declared inoperable.

2. The instrument channel setpoint shall be reset to a value that is within the as-left setpoint tolerance band on either side of the Nominal Trip Setpoint, or to a value that is more conservative than the Nominal Trip Setpoint; otherwise, the channel shall be declared inoperable. The Nominal Trip Setpoints and the methodology used to determine the as-found test acceptance criteria band and the as-left setpoint tolerance band shall be specified in the Bases.

CALLAWAY PLANT 3.3-44 Amendment No. 189

ESFAS Instrumentation 3.3.2 Table 3.3.2-1 (page 8 of 9)

Engineered Safety Feature Actuation System Instrumentation APPLICABLE MODES OR OTHER SPECIFIED REQUIRED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS CHANNELS CONDITIONS REQUIREMENTS VALUE(a)

6. Auxiliary Feedwater

d. SG Water Level Low-Low (3) Not used.

(4) Containment 1,2,3 4 N SR 3.3.2.1 ::; 2.0 psig Pressure - SR 3.3.2.5 Environmental SR 3.3.2.9 Allowance SR3.3.2.10 Modifier

e. Safety Injection Refer to Function 1 (Safety Injection) for all initiation functions and requirements.

f. Loss of Offsite 1,2,3 2 trains R SR 3.3.2.7 NA Power SR 3.3.2.10

g. Trip of all Main 1,2(n) 2 per pump J SR 3.3.2.8 NA Feedwater Pumps

h. Auxiliary 1,2,3 3 0 SR 3.3.2.1 2: 20.64 psia Feedwater Pump SR 3.3.2.9 Suction Transfer SR 3.3.2.10 on Suction SR 3.3.2.12 Pressure - Low (a) The Allowable Value defines the limiting safety system setting except for Functions i.e, 4.e.(1), 5.c, 5.e.(1), 5.e.(2),

6.d.(1), and 6.d.(2) (the Nominal Trip Setpoint defines the limiting safety system setting for these Functions). See the Bases for the Nominal Trip Setpoints.

(k) Not used.

(I) Not used.

(n) Trip function may be blocked just before shutdown of the last operating main feedwater pump and restored just after the first main feedwater pump is put into service following performance of its startup trip test.

CALLAWAY PLANT 3.3-45 Amendment No. 189

ATTACHMENT 3 RETYPED TECHNICAL SPECIFICATIONS

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME I. One channel inoperable. ------------------- NOTE -------------------

The inoperable channel may be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels.

1.1 Place channel in trip. 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months OR 1.2 Be in MODE 3. 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months J. ------------- NOT E ------------- ------------------- NOTE -------------------

Separate Condition entry is The inoperable channel may be restricted to one inoperable bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for channel per pump in the surveillance testing of other same separation group. channels.

One Main Feedwater J.1 Place channel in trip. 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Pumps trip channel inoperable. OR J.2 Be in MODE 3. 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months (continued)

CALLAWAY PLANT 3.3-29 Amendment No. ###

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME M. Not used.

N. One or more Containment N.1 Place channel(s) in trip. 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Pressure - Environmental Allowance Modifier OR channel(s) inoperable.

N.2.1 Be in MODE 3. 78 hours9.027778e-4 days 0.0217 hours 1.289683e-4 weeks 2.9679e-5 months AND N.2.2 Be in MODE 4. 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months O. One channel inoperable. 0.1 Place channel in trip. 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months AND 0.2 Restore channel to During OPERABLE status. performance of the next required COT (contmued)

CALLAWAY PLANT 3.3-31 Amendment No. ###

ESFAS Instrumentation 3.3.2 ACTIONS (continued)

COMPLETION CONDITION REQUIRED ACTION TIME P. One or more channel(s) P.1 Declare associated Immediately inoperable. auxiliary feedwater pump(s) inoperable.

Q One train inoperable. ------------------- NOT E -------------------

One train may be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for sUNeillance testing provided the other train is OPERABLE.

Q.1 Restore train to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months OPERABLE status.

OR Q.2.1 Be in MODE 3. 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months AND Q.2.2 Be in MODE 4. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months R. One or both train(s) - R.1 Restore train(s) to 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months inoperable. OPERABLE status.

OR R.2.1 Be in MODE 3. 54 hours6.25e-4 days 0.015 hours 8.928571e-5 weeks 2.0547e-5 months AND R.2.2 Be in MODE 4. 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months (continued)

CALLAWAY PLANT 3.3-32 Amendment No. ###

ATTACHMENT 4 PROPOSED TECHNICAL SPECIFICATION BASES CHANGES (for information only)

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE d. Auxiliary Feedwater - Steam Generator Water Level -

SAFETY Low Low (continued)

ANALYSES, LCO, AND (Normal) trip setpoint when these conditions are not APPLICABILITY present, thus allowing more margin to trip for normal operating conditions. If the EAM trip function has inoperable required channels, it is acceptable to place the inoperable channels in the tripped condition and continue operation. Placing the inoperable channels in the trip mode enables the Steam Generator Water Level -

Low Low (Adverse) Function, for the EAM. If the Steam Generator Water Level - Low Low (Normal) trip Function has an inoperable required channel, the inoperable channel must be tripped, subject to the LCO Applicability footnote.

The Trip Setpoint reflects the inclusion of both steady state and adverse environment instrument uncertainties. The Trip Setpoints for the SG Water Level - Low Low (Adverse Containment Environment) and (Normal Containment Environment) bistables are ~ 21.0% and ~ 17.0% of narrow range span, respectively. The Trip Setpoint for the Containment Pressure - Environmental Allowance Modifier bistables is :.::; 1.5 psig.

e. Auxiliary Feedwater - Safety Injection An SI signal starts the motor driven AFW pumps. The AFW initiation functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.

f. Auxiliary Feedwater - Loss of Offsite Power The loss of offsite power (LOP) is detected by a voltage drop on each ESF bus. The LOP is sensed and processed by the circuitry for LOP DG Start (Load Shedder and Emergency Load Sequencer) and fed to BOP ESFAS by relay actuation. Loss of power to either ESF bus will start (continued)

CALLAWAY PLANT B 3.3.2-32 Revision 8

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE f. Auxiliary Feedwater - Loss of Offsite Power (continued)

~

SAFETY

ANALYSES,

~<<'/".tz.d-S6.r the turbine - riven AFW pump, to ensure~t at lee~t 6, ,e LCO, AND ~ contai enough water to serve as the heat sink for APPLICABILITY reactor decay heat and sensible heat removal following the reactor trip, and automatically isolate the SG blowdown and sample lines. In addition, once the diesel generators are started and up to speed, the motor - driven AFW pumps will be sequentially loaded onto the diesel generator buses.

Functions 6.a through 6.f must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor. SG Water Level - Low Low in any operating SG will cause the motor - driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. SG Water Level - Low Low in any two operating SGs will cause the turbine - driven pump to start. The SG Water Level - Low Low (Normal Containment Environment) channels do not provide protection when the Containment Pressure - Environmental Allowance Modifier (EAM) channels in the same protection sets are tripped since that enables the SG Water Level - Low Low (Adverse Containment Environment) channels with a higher water level trip setpoint. As such, the SG Water Level - Low Low (Normal Containment Environment) channels need not be OPERABLE when the Containment Pressure - EAM channels in the same protection sets are tripped, as discussed in a footnote to Table 3.3.2-1. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will be available to remove decay heat or sufficient time is available to manually place either system in operation.

(continued)

CALLAWAY PLANT B 3.3.2-33 Revision 8

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE 6. Auxiliary Feedwater (continued)

SAFETY ANALYSES, g. Auxiliary Feedwater - Trip of All Main Feedwater Pumps LCO, AND APPLICABILITY A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no load temperature and pressure. Each turbine driven MFW pump is equipped with two pressure switches (one in separation group 1 and one in separation group 4) on the oil line for the speed control system. A low pressure signal from either of these pressure switches indicates a trip of that pump. Two OPERABLE channels per pump satisfy redundancy requirements with one-out-of-two logi n both pumps required for signal actuation. A trip of all W pumps starts the motor driven AFW pumps to e sure that

.....'-"!IaS'f-eiFte-~~.IIPvailable with water to act the heat sink for the react r. f" f/..e same

~e f~el-S~.s- are. settAr~/'-i" dHJo/

E in MODES 1 and 2. This

.at-IeeISt-l:ml!~EH~rovided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the MFW pumps may be normally shut down, and thus pump trip is not indicative of a condition requiring automatic AFW initiation. Note (n) of Table 3.3.2-1 allows the blocking of this trip function just before shutdown of the last operating main feedwater pump and the restoration of this trip function just after the first main feedwater pump is put into service following its startup trip test. This limits the potential for inadvertent AFW actuations during normal startups and shutdowns.

h. Auxiliarv Feedwater - Pump Suction Transfer on Suction Pressure - Low A low pressure signal in the AFW pump suction line protects the AFW pumps against a loss of the normal supply of water for the pumps, the CST. Three pressure switches are located on the AFW pump suction line from the CST. A low pressure signal sensed by any two of the (continued)

CALLAWAY PLANT B 3.3.2-34 Revision 8

ESFAS Instrumentation B 3.3.2 BASES APPLICABLE h. Auxiliary Feedwater - Pump Suction Transfer on Suction SAFETY Pressure - Low (continued)

ANALYSES, LCO, AND three switches coincident with an auxiliary feedwater APPLICABILITY actuation signal will cause the emergency supply of water for the pumps to be aligned. ESW (safety grade) is automatically lined up to supply the AFW pumps to ensure an adequate supply of water for the AFW System to maintai as the heat sink for reactor ecay heat and sensible heat removal.

~e fYr&cl-S(;~

Since the detectors are located in an area not affected by HELBs or high radiation, they will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties. The Trip Setpoint is ~ 21.71 psia.

This Function must be OPERABLE in MODES 1, 2, and 3 to ensure a safety grade supply of water for the AFW System to maintain the SGs as the heat sink for the reactor. This Function does not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink.

In MODE 4, AFW automatic suction transfer does not need to be OPERABLE because RHR will already be in operation, or sufficient time is available to place RHR in operation, to remove decay heat.

7. Automatic Switchover to Containment Sump At the end of the injection phase of a LOCA, the RWST will be nearly empty. Continued cooling must be provided by the ECCS to remove decay heat. The source of water for the RHR pumps is automatically switched to the containment recirculation sumps.

The low head residual heat removal (RHR) pumps and containment spray pumps draw the water from the containment recirculation sumps, the RHR pumps pump the water through the RHR heat exchanger, inject the water back into the RCS, and supply the cooled water to the other ECCS pumps. Switchover from the RWST to the containment sumps must occur before the RWST empties to prevent damage to the RHR pumps and a loss of core cooling capability. For similar reasons, switchover must not occur before there is sufficient water in the containment sumps to support ESF pump suction.

(continued)

CALLAWAY PLANT B 3.3.2-35 Revision 8

ESFAS Instrumentation B 3.3.2 BASES ACTIONS 1.1 and 1.2 (continued)

The Required Actions are modified by a Note that allows the inoperable channel to be bypassed for up to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for surveillance testing of other channels. The 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowed to place the inoperable channel in the tripped condition, and the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed for an inoperable channel to be in the bypassed condition for testing, are justified in Reference 18.

J.1 and J.2 Condition J applies to the AFW pump start on trip of all MFW pumps.

This action addresses the train orientation of the BOP ESFAS for the auto start function of the AFW System on loss of all MFW pumps. The OPERABILITY of the AFW System must be assured by providing automatic start of the AFW System pumps. If a channel is inoperable,;;)f4-AotlY:S ttY"..

1 ~S~F is allowed to place it in the tripped condition. If the channel cannot be tripped inti j;J8~F, 6 additional hours are allowed to lace the unit in MODE 3. The allowed Completion Time 0 ours is reasonable, based 30 on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. In MODE 3, the unit does not have any analyzed transients or conditions that require the explicit use of the protection function noted abovetThe Required Actions are modified by a Note that allows the inoperable annel to be bypassed for up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months for surveillance testing of other c annels.

LNS'EK/3. '3.::l,T K.1, K,2.1, and K.2.2 Condition K applies to:

RWST Level - Low Low Coincident with Safety Injection.

RWST Level - Low Low Coincident With SI provides actuation of switchover to the containment recirculation sumps. Note that this Function requires the bistables to energize to perform their required action. The failure of up to two channels will not prevent the operation of this Function. This Action Statement limits the duration that an RWST level channel could be inoperable in the tripped condition in order to limit the probability for automatic switchover to an empty containment sump upon receipt of an inadvertent safety injection signal (SIS), coincident with a single failure of another RWST level channel, or for premature switchover to the sump after a valid SIS. This sequence of events would start the RHR pumps, open the containment sump RHR suction valves (continued)

CALLAWAY PLANT B 3.3.2-50 Revision 8

INSERT 3.3.2.J Condition J is modified by a Note that restricts the application of the ACTIONS Note allowing separation Condition entry. Since the Required Channels for Function 6.g are specified in Table 3.3.2-1 as 2 per pump, Condition J may be entered separately for each main feedwater pump. However, as shown on FSAR Figure 7.3-1, sheet 2 (Ref. 2), satisfying the trip logic requires the presence of a low oil pressure signal in the same separation group on each main feedwater pump. An inoperable separation group 1 channel on one pump coincident with an inoperable separation group 4 channel on the other pump would lead to the loss of this actuation function requiring entry into LCO 3.0.3. This Note represents an additional requirement associated with the Completion Time increase approved for Condition J in Reference 23.

ESFAS Instrumentation B 3.3.2 BASES ACTIONS N.1. N.2.1. and N.2.2 (continued)

Condition N applies to the Environmental Allowance Modifier (EAM) circuitry for the SG Water Level - Low Low trip Functions in MODES 1,2, and 3. With one or more EAM channel(s) inoperable, they must be placed in the tripped condition within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Placing an EAM channel in trip automatically enables the SG Water Level - Low Low (Adverse Containment Environment) bistable for that protection channel, with its higher SG level Trip Setpoint (a higher trip setpoint means a feedwater isolation or an AFW actuation would occur sooner). The Completion TIme of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is based on Reference 18. If the inoperable channel cannot be placed in the tripped condition within the specified Completion TIme, the unit must be placed in a MODE where this Function is not required to be OPERABLE. The unit must be placed in MODE 3 within an additional six hours and in MODE 4 within the following six hours.

0.1 and 0.2 Condition 0 applies to the Auxiliary Feedwater Pump Suction Transfer on Suction Pressure - Low trip Function. The Condensate Storage Tank is the highly reliable and preferred suction source for the AFW pumps. This function has a two-out-of-three trip logic. Therefore, continued operation is allowed with one inoperable channel until the performance of the next monthly COT on one of the other channels, as long as the inoperable channel is placed in trip within -4 R9l:lF. ::J.4- hOUrs..

Condition P applies to the Auxiliary Feedwater Manual Initiation trip Function. The associated auxiliary feedwater pump(s) must be declared inoperable immediately when one or more channel(s) is inoperable.

Refer to LCO 3.7.5, "Auxiliary Feedwater (AFW) System."

Condition Q applies to the Auxiliary Feedwater Balance of Plant ESFAS automatic actuation logic and actuation relays.~~*~~I4F;a+A~~~9Ie, the unit must be brought to MODE 3 Withi~hours and MODE 4 within tRs f911eovil 'E6. ours. The Required Action are modified by a Note that allows one tr to be bypassed for up to 2 ours for surveillance testing provided the ther train is OPERABLE. 30 3t (continued)

CALLAWAY PLANT B 3.3.2-52 Revision 8

INSERT 3.3.2.0 If one train is inoperable, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are allowed to restore the train to OPERABLE status. The 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed for restoring the inoperable train to OPERABLE status is justified in Reference 23. The specified Completion Time is reasonable considering that there is another train OPERABLE, and the low probability of an event occurring during this interval. If the inoperable train cannot be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ,

ESFAS Instrumentation B 3.3.2 BASES REFERENCES 17. Letter from Mel Gray (NRC) to Garry L. Randolph (UE), "Revision (continued) 20 of the Inservice Testing Program for Callaway Plant, Unit 1 (TAC No. MA4469)," dated March 19, 1999.

18. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.

19. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.

20. Westinghouse letter SCP-04-90 dated August 27,2004.

21. ULNRC-03748 dated February 27, 1998.

22. IDP-ZZ-00017 .

.23. Ctrllaw~y Lice.~e /lh.enime;rl- XXX tkI-el I

CALLAWAY PLANT B 3.3.2-63 Revision 8

ATTACHMENT 5 CALLAWAY BOP ESFAS DRAWINGS

8 7 ....-~

_ .-- ... J 6 5 4 3 CONT.... IN Me:N"T PURG.E I SOLATION CONTROL ROOM VENTlL.A.TION ISOLATION

_ _ CHP-B1-lcre _ _ _ _ SFME' MANUAl.

M"~.

5""

CCoTII:'T3Z.) COTR,T2.2. CIS'" CISA. (6TRT31) &TIi:T33 MAN.

AC" ReSET 5P'A~

(CItVIS) elSA B1'P1iS5 RESET SYI'AS5 B.Yf'ASS II:'fSf.T 6Yf'ASS ACT\fATION I

RESET ACT I I N Il[ Il[ :nr I I I lRIr' RESET I

I NOTes:

I. KEY TO SYMSOLS:

~1iI:E1)L.A.MP

--@ AMBER LAM" TEST INP\JT ----0 ~~~~TO~fCOMPUT~ ~:

I --0 ~\~~AI~ETRIP

~ SIGNAL ISOLATiON

-0 ;?~"t~r,.r~IP \.

CONT"Ltl.Mt~:l~rs~6E 150LAliON ___ ~ CONTROL ROOM VENTILATION lS0LATlON (CRVIS)

--tJ-- 'AND' LOCSIC. j)-- 'OR' L06)C

rr

~ 'T~O OUT OF TH~EE' L061C.

"U)([LIARY FEEDWAH.R FU1;"L. BUIU>IN; VENTILATION ISOL.....TION AL.PT37 I

SAJTI I

CON1~OL RooM ACT,(I)

T FUEL I!UILDlh1G

":et(I)

T GiG.RT:l.7(1)

FUEl.

!UILPING ACT.l£ T -"

<<I'....

ACT-Ill r:-r!l

~

R/s MEMORY WITt!.

O~~~RIDII'~ RESET --- INVERoSlON 30X FUEL !UILbING.

MOTOIt llRIVEN MOTOR I>RIVEN Of'EN STEM1 SUPPLY OI"EN Al/X STEAM GEN. Vf.NTIL~N ISOLATiON(FBVIS)

"U1UL.I"III.," AUIfILIAIt1 yALVU 'Ttl STAIt:T PEEDWKrEIt fuMP 8LOW'POWN

F!.lDWATU PUMP FEEDWA.lf1l. PUMP TLlR8IN! llRI'YfN SUCTION 'VALV!:S SAMPLE ISOL"'T'ON AUX I"EfDWAT1!It- P'Uh'lP TO EsW (A~II$) (A FA!) (sus's)

Il[ (AFAS) (LSP) I n N APPUC.<TION 8 7 6 5

. I

CALLAWAY PLANT RISK-INFORMED AMENDMENT REQUEST 24-HOUR BOP ESFAS COMPLETION TIME 1

ATTACHMENT 6 OPEN SIGNIFICANCE A AND B PEER REVIEW FINDINGS

TABLE 1 WOG PEER REVIEW LEVEL A AND B FACTS AND OBSERVATIONS F&O Significance Status F&O Description Comments / BOP ESFAS Disposition TH-3 B Open Consider preparing success criteria This is a documentation issue. No issues were identified with the guidance for the PRA, to address such actual success criteria utilized. Therefore, this F&O would not impact items as overall success criteria the results of the PRA evaluation for the BOP ESFAS completion time definition process, development of extension.

success criteria for systems, etc.

L2-1 A Open Address containment isolation failure An undetected, residual failure to the containment would result in a and internal floods in the LERF small increase in the baseline LERF. However, this increase would calculation. be reflected in both the baseline LERF and the Conditional LERF given one BOP ESFAS train out-of-service. There would be a negligible impact on the delta risk. Flooding was addressed explicitly in the PRA evaluation for the BOP ESFAS completion time extension.

Therefore, this F&O would have a minimal impact on the results of the PRA evaluation for the BOP ESFAS completion time extension.

L2-3 B Open The calculation of LERF is based on The Callaway process of using split fractions to partition a PDS to a containment event tree split fractions. LERF status is similar to the process used in NUREG/CR-6595. The The process simply multiplies the split split fractions are not generally subjected to change due to system fractions together, resulting in an failures. Any systems that were credited in accident mitigation (e.g.,

overall LERF split fraction for each sprays or containment coolers) were explicitly modeled, not plant damage state (PDS). It is not developed as split fractions. Elementary phenomena (such as direct obvious how the split fractions are containment heating due to corium dispersal that is dependent on a related back to elementary phenomena plant's cavity design) do not usually change, and thus split fractions or system failures. do not change. Containment isolation failure is not subject to split fractions. Therefore, this F&O would not impact the results of the PRA evaluation for the BOP ESFAS completion time extension.

Page 1 of 1

TABLE 2 SCIENTECH GAP ANALYSIS LEVEL B FINDINGS/OBSERVATIONS F/O Significance Status F/O Description Comments / BOP ESFAS Disposition AS-1 B Open Event Tree T(SW), function L2SW-M should evaluate Correction of these functions, which also addresses the TDAFW pump with no functioning SW/ESW similar issues in F/Os AS-3, AS-7, SY-1, QU-3, and equipment. The cutsets for this function include failures QU-4, would result in a small increase in the total of the ESW pumps and human action failures for baseline CDF (approx. 1%) for the Callaway PRA.

alignment of SW/ESW. Since the initiator fails all The current model without the corrections will have a SW/ESW, the logic should not include these events. A very small, conservative impact on the CCDF for the similar situation exists for function L2T1s. Event Tree PRA evaluation for the BOP ESFAS completion time T(SW) function O1SW-M includes a FANDB operator extension due to the incorrect ESW dependency and error which does not belong in the function. A similar the associated BOP ESFAS actuation dependency.

situation exists for functions O1C-M, O1CT1-M, and Therefore, these F/Os would have a minimal impact O1SW-M. on the results of the PRA evaluation for the BOP ESFAS completion time extension.

Page 1 of 9

AS-2 B Open Transfers between event trees may be used to reduce This is a documentation issue. The transfer the size and complexity of individual event trees. sequences have been extensively reviewed and no DEFINE any transfers that are used and the method issues have been identified. Therefore, this F/O that is used to implement them in the qualitative would not impact the results of the PRA evaluation definition of accident sequences and in their for the BOP ESFAS completion time extension.

quantification. USE a method for implementing an event tree transfer that preserves the dependencies that are part of the transferred sequence. These include functional, system, initiating event, operator, and spatial or environmental dependencies. This requirement is not met. Many transfers such as seal LOCA and stuck open PORV transfer to a psuedo event tree. These transfers are quantified using an OCL file that does not have a specific event tree. This introduces possibilities for error in the quantification since there is no event tree on which to base the evaluated functions, especially those that require preservation of dependencies. The actual event tree for quantification of the RCP seal LOCA events was not found. An event tree Trcp appears to have been used, but this event tree has an event for recovery of CCW, which is not included in the

.OCL files for the RCP seal LOCA events.

AS-3 B Open The method of event tree analysis for support system Reviews of the support system initiators reveal that initiators does not appear to correctly capture the failed this F/O actually only pertains to T(SW). This issue dependencies in the mitigating systems for some was addressed in the response to F/O AS-1 above.

support system IEs. A single basic event is used for the initiating event. House events are included in the fault trees to turn off the affected trains when a support system is not available. It is not clear there are sufficient support systems modeled in the main feedwater and non-safety service water to fail these systems when their support systems are unavailable. This may occur in Tsw, Tnk01, and Tnk04. The cutsets for Tsw, Tnk01, Tnk04, and Tccw should be checked to search for systems that would be failed by the loss of the initiator, and then modify the fault trees to include the appropriate house events to disable these systems.

Page 2 of 9

AS-4 B Open The RCP seal LOCA model needs to be updated to The current Callaway PRA model utilizes the RCP reflect the latest WOG model, which is approved by the seal LOCA model of WCAP-10541, in which the 21 NRC. gpm/pump seal LOCA has a probability of occurrence of approximately 90%. The WOG-2000 RCP seal LOCA model (documented in WCAP-15603), uses a probability of approximately 80% for the 21 gpm/pump seal LOCA. A sensitivity analysis was performed to address this source of uncertainty related to RCP seal LOCA. The associated core uncovery probabilities, following loss of RCP seal cooling, were increased by 25 percent to approximate the impact of the WOG-2000 RCP seal failure probabilities, and resulted in an insignificant increase of approximately 1.5% in CDF. However, this increase would be reflected in both the baseline CDF and the Conditional CDF given one BOP ESFAS train out-of-service. There would be a negligible impact on the delta risk. Therefore, this F/O would have a minimal impact on the results of the PRA evaluation for the BOP ESFAS completion time extension.

AS-6 B Open The MAAP results indicate there are 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months before Elimination of these sequences would result in a core melt for the SGTR sequence with failure to isolate small reduction in the total baseline CDF results the SG. If the MAAP analysis is correct, then the (approx. 1%). Retaining these sequences in the sequence should be screened. If the MAAP analysis is results is slightly conservative. Therefore, this F/O not correct, or MAAP 3 can not provide a correct would have a minimal impact on the results of the representation of the sequence, MAAP 4 should be PRA evaluation for the BOP ESFAS completion time used. extension.

Page 3 of 9

AS-7 B Open Specific errors are as noted below: Function O1T1S in This issue was addressed in the response to F/O the SBO event tree contains basic events for MFW and AS-1 above.

SW as a backup source for water to SGs if the TDP fails. The problem occurs in the SECDEP fault tree, which asks for GMFX100, but does not have any logic to cancel the gate in SBO. There are no events in the MFX fault tree which will cancel it in the event of an SBO, either. Also, in MFW.lgc, gate GMFW413 - the SVC system will be failed by LOSP, but comes through the link in the SBO function. Back-up sources of water to the SG are modeled at a high level, often only represented by an HEP. There needs to be either a) support systems developed which will be failed by LOSP or AC power, or b) house event logic to fail these for SBO. The AFW function on the TSW event tree -

(L2SW-M) - has recovery factors for ESW as a suction source to the turbine driven AFW pump. (AL-XHE-FO-AFWESW). ESW is failed by the initiator, but the IE is a basic event, not cutsets. Need to represent the initiator as a support system fault tree, OR need to include house events in the AFW function to fail the cross-tie to the ESW system after a Loss of ESW. In TSW event tree, function O1SW-M has an event (AE-XHE-FO-MFWFLO) for failure of MFW as back up to AFW. MFW is unavailable after loss of SW. Need to include support systems for MFW or insert house events in fault tree to turn off MFW for loss of TSW.

Page 4 of 9

SY-1 B Open For the Instrument Air System (IAS) a single basic The IAS consists of three compressors, two of which event is used and is based on generic data. The are cooled by ESW and one that is cooled by normal Callaway plant is not highly dependent upon IAS and service water (NSW). Parts of the MFW system and the PRA loads on IAS also are supplied with N2 backup the condensate system are dependent on IAS.

which is modeled. Modeling the IAS as a single basic is MFW and IAS are part of the modeled PRA function acceptable however, the MFW dependency on the IAS to cooldown and depressurize the RCS. This action is not modeled and needs to be included since MFW is occurs with successful secondary side cooling but credited as a backup to AFW and is important. The failed primary high head injection for events with a actuation system is modeled with a single event for primary leak. This dependency between each of the redundancies which is set to fail for ESW/NSW, IAS, and MFW has an insignificant scenarios in which the conditions are not present to effect on the PRA results, except for the T(SW) generate the signal. The level of detail is acceptable for event. For this event, this issue was addressed in this use. The dependency of MFW on IAS needs to be the response to F/O AS-1 above. Note that safety-included and the data associated with these single related components using instrument air also have event failures need to be reviewed against current safety-related nitrogen accumulators to support their industry data and updated if necessary. The operation.

applicability of the data to the Callaway configuration also needs to be justified. One such source of data is NUREG/CR-5750.

SY-2 B Open The Callaway PRA adequately models CCFs with the The Battery Charger basic events are not risk exception of battery chargers and breakers as noted in significant in the Callaway PRA model. A Battery supporting requirement (SR) SY-B1 and B3. The Charger CCF basic event is not expected to be risk quantification of all CCFs should be updated. CCFs significant. Many of the breaker basic events are should be added for Battery Chargers and Breakers. risk significant, so a breaker CCF basic event would The quantification of the CCFs should be done in also be expected to be risk significant and would accordance with NUREG/CR-5485. probably slightly increase the baseline total CDF.

However, because one train of BOP ESFAS is assumed to be out of service for the PRA evaluation for the BOP ESFAS completion time extension, CCF of the breakers between trains actuated by BOP ESFAS would not exist in the cutset solution.

Therefore, this F/O should not impact the results of the PRA evaluation for the BOP ESFAS completion time extension.

Page 5 of 9

DA- B Open Group estimations are based only on component type. A more recent data update, performed to the ASME 2 Capability Category II requires grouping of components standard, grouped pumps and valves by component according to type (e.g., motor-operated pump, air- type, service conditions, etc. The resulting operated valve) and according to the characteristics of groupings had populations that were similar to the their usage to the extent supported by data: (a) groupings that are the subject of this F/O.

mission type (e.g., standby, operating) (b) service Therefore, this F/O would not impact the results of condition (e.g., clean vs. untreated water, air) The the PRA evaluation for the BOP ESFAS completion level of grouping used in the latest data update uses a time extension.

very fine grouping which leads to a smaller data pool for each different component. Consideration should be given to collecting data on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data and results in a larger data pool to characterize the failure data.

IF-2 B Open This requirement is not met at any Category. The Flooding was addressed explicitly in the PRA Category I/II screening quantitative criterion in the evaluation for the BOP ESFAS completion time standard is 1E-09/year. AmerenUE Calculation ZZ-466 extension.

screening criterion was 1E-06/yr.

IF-4 B Open If additional human failure events are required to Flooding was addressed explicitly in the PRA support quantification of flood scenarios, PERFORM evaluation for the BOP ESFAS completion time any human reliability analysis in accordance with the extension.

applicable requirements described in Tables 4.5.5-2(e) through Table 4.5.5-2(h). This requirement is not met.

The HEP values used in ZZ-466 are not developed from a human reliability analysis.

IF-5 B Open For each defined flood area and each flood source, Flooding was addressed explicitly in the PRA IDENTIFY those automatic or operator responses that evaluation for the BOP ESFAS completion time have the ability to terminate or contain the flood extension.

propagation. This requirement is not met. ZZ-466 treats operator response in a generic sense.

Page 6 of 9

IF-6 B Open For each flood scenario, REVIEW the LERF analysis to Flooding was addressed explicitly in the PRA confirm applicability of the LERF sequences. If evaluation for the BOP ESFAS completion time appropriate LERF sequences do not exist, MODIFY the extension.

LERF analysis as necessary to account for any unique flood-induced scenarios or phenomena in accordance with the applicable requirements described in paragraph 4.5.9. This requirement is not met. The internal flooding sequences are not considered in the LERF analysis.

QU- B Open The current quantification does not include an The "state-of-knowledge" correlation generally 1 uncertainty calculation to account for the state-of- pertains to the data applied to equipment across knowledge correlation between event probabilities. trains. For example, an SBO cutset may contain the The structure exists to perform this correlation within failure of the "A" and "B" EDGs. The failure data for WinNUPRA but at the current time it has not been done. both EDGs most likely is based on the same source of information. Therefore, any uncertainty analysis should vary the failure data for these components in the same manner (i.e., the data is not independent).

For the BOP ESFAS completion time extension, one train of BOP ESFAS will be out of service. Except in some minor circumstances (e.g., cutsets in which multiple breakers, in the same train, fail), the "state-of-knowledge" correlation does not apply.

Therefore, this F/O should not impact the results of the PRA evaluation for the BOP ESFAS completion time extension.

QU- B Open Some instances of incorrect transfer of sequence This issue was addressed in the response to F/O 3 characteristics, incorrect logic, incorrect house event AS-1 above.

settings, and resultant cutsets were identified based on cutset reviews. The process is generally set up correctly but the overall process would benefit from revising the quantification process to account for the additional software capability currently available. As a minimum, the top cutsets (500) need to be reviewed to make sure that the transfers, logic, house event setting are yielding realistic combinations.

Page 7 of 9

QU- B Open The IAS is correctly failed for LOSP, but remains This issue was addressed in the response to F/O 4 available in all other cases. The IAS is cooled by SW AS-1 above.

and would be unavailable after loss of all SW (T(SW))

and should be set to failed via a house event setting.

The availability of IAS needs to be propagated correctly during the quantification process.

QU- B Open In general the model integration process is adequately This is a documentation issue. For the PRA 9 documented, however several of the areas do not meet evaluation for the BOP ESFAS completion time the requirements. Items b (records of the cutset review extension application, accident sequences and process), f (the accident sequences and their cutsets were reviewed.

contributing cutsets), g (equipment or human actions that are the key factors in causing the accidents to be non-dominant), and i (the uncertainty distribution for the total CDF) are not addressed in the documentation. As a minimum, these items need to be addressed to meet SR QU-F2. If the quantification process and documentation are revised the list of information included in SR QU-F2 should be followed in the revision.

QU- B Open Key assumptions and key sources of uncertainty which This is a documentation issue. For the PRA 10 influence the current quantification are not addressed in evaluation for the BOP ESFAS completion time a coherent manner in the documentation. extension application, an uncertainty analysis was performed.

QU- B Open The quantitative definition used for significant cutset This issue is has no impact on the BOP ESFAS 11 and significant accident sequence are documented and completion time extension evaluation.

vary from the ASME definition. The ASME definitions need to be applied or the Ameren definition needs to be justified. Significant sequence: ASME - aggregate 95% of total, individual sequence >1% Ameren -

aggregate 88% of total, individual sequence >1%

Significant cutset: ASME - aggregate 95% of total, individual cutset >1% Ameren - cutsets >1E-6 Page 8 of 9

LE-1 B Open Probability of containment isolation failure leading to Split fractions for SGTR and HPME were included in LERF does not contain a term to represent undetected, the LERF analysis. An undetected, residual failure residual failures in containment structural integrity. This to the containment would result in a small increase has been estimated at 5E-3 in NUREG/CR-4550. in the baseline LERF. However, this increase would Failure of containment isolation is derived by fault tree be reflected in both the baseline LERF and the analysis of the containment isolation combinations on Conditional LERF given one BOP ESFAS train out-the penetration paths. There are three LERF split of-service. There would be a negligible impact on fractions with probabilities of 7.7E-4. If the 5E-3 was the delta risk. Therefore, this F/O would have a added to this, the split fraction would change, although minimal impact on the results of the PRA evaluation LERF would not move significantly. Split fractions for for the BOP ESFAS completion time extension.

induced SGTR and HPME were not explicitly stated in the documentation available for review.

LE-2 B Open The Level 2 analysis does not include uncertainty Core damage is the limiting risk metric for the BOP analysis nor are there sensitivity studies identified to ESFAS completion time extension application. Core examine the significant contributors to LERF. As a damage uncertainty analysis was provided.

minimum, the Uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

SC- C Open The Callaway PRA has a common cause event for This F/O relates to the success criteria contained in 4 failure to isolate SG blowdown. This event fails all AFW. the auxiliary feedwater fault tree.

The importance of the event is 0.10 in the base case model with all initiators and 0.57 in the fire-transient Reducing the common cause failure probability to model. Very few plants have this strong dependence isolate SG blowdown would result in a small on failure to isolate SG blowdown. Suggest examination reduction in the total baseline CDF results (about of the success criteria, or at least re-evaluation of the 5% - 10%). This F/O would have a small impact on CCF values used, away from the 0.1 beta factor for 4/4 the results of the PRA evaluation for the BOP blowdown valves fail to close. ESFAS completion time extension. A sensitivity analysis was performed as discussed in Attachment 1.

Page 9 of 9

ATTACHMENT 7 INTERNAL FIRE QUANTIFICATION

INTERNAL FIRE QUANTIFICATION Page 1 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

Aux. 1974' CVCS, A-1A 2.10E-03 3.93E-5/2.75E-6 5.26E-09 AFW 1988' Pipe Chase A-1B CCDP = 1.0 3.90E-04 Areas Vestibule near area A-1C No App. R or PRA equipment A-1B A-1D NCP Room low frequency 8.50E-04 ECCS Train A CCDP very low, mitigation not A-2 2.60E-03 Pump Rooms significantly impacted Boric Acid Tank CCDP very low, mitigation not A-3 1.40E-03 Rooms significantly impacted ECCS Train B A-4 2.80E-03 3.50E-07 Pump Rooms Reactor trip only, mitigation not A-5 Stairway 3.90E-04 impacted A-6 Stairway Thermo-lag barriers credited 3.90E-04 CCDP very low, mitigation not A-7 BIT Room 1.00E-03 significantly impacted A-8 CVCS Components low frequency 8.00E-04 CCDP very low, mitigation not A-9 RHR B HX Room 3.90E-04 significantly impacted CCDP very low, mitigation not A-10 RHR A HX Room 3.90E-04 significantly impacted A-11 Electrical Chase low frequency 3.90E-04 A-12 Electrical Chase low frequency 3.90E-04 A-13 MDAFP B 9.50E-04 1.19E-07 A-14 MDAFP A 9.50E-04 1.19E-07 A-15 TDAFP 1.10E-03 1.38E-07

INTERNAL FIRE QUANTIFICATION Page 2 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

A-16 CCW Area 1.70E-03 2.64E-4/1.97E-6 1.33E-07 B Electrical Pen A-17 1.90E-03 0.05 1.19E-08 Room A Electrical Pen A-18 1.20E-03 0.05 7.50E-09 Room A-19 CB Supply A/C Unit low frequency 3.90E-04 CCW Surge Tank A-20 2.30E-03 2.88E-07 Area Control Room A/C A-21 low frequency 9.80E-04 B

Control Room A/C A-22 1.40E-03 1.75E-07 A

A-23 MSIV/MFIV Area low frequency 3.90E-04 North Piping Pen A-24 low frequency 5.10E-04 Room South Piping Pen A-25 low frequency 5.10E-04 Room Chem Storage A-26 low frequency 3.90E-04 Area Reactor Trip A-27 2.90E-03 2.78E-06 3.48E-10 Switchger Room Aux Shutdown A-28A low frequency 5.60E-04 Panel Room A Aux Shutdown A-28B low frequency 5.60E-04 Panel Room B AFW Valves and A-29 7.20E-04 9.00E-08 Pipe Chase AFW Valves and A-30 7.20E-04 9.00E-08 Pipe Chase C-1 ESW Pipe Space low frequency 3.90E-04

INTERNAL FIRE QUANTIFICATION Page 3 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

North Electrical Reactor trip only, mitigation not C-2 3.90E-04 Chase impacted South Electrical Reactor trip only, mitigation not C-3 3.90E-04 Chase impacted C-5 HP Access LOOP delta CCDP = 0.0 3.90E-04 C-6 HP Access 5.00E-03 0.02 1.25E-08 North Electrical C-7 low frequency 3.90E-04 Chase South Electrical Reactor trip only, mitigation not C-8 5.60E-04 Chase impacted ESF Switchgear C-9 2.90E-03 0.05 1.81E-08 Room 1 ESF Switchgear C-10 3.20E-03 0.05 2.00E-08 Room 2 North Electrical C-11 low frequency 3.90E-04 Chase South Electrical C-12 low frequency 3.90E-04 Chase CCDP very low, mitigation not C-13 Access Control A/C 1.20E-03 significantly impacted CCDP very low, mitigation not C-14 Access Control A/C 1.30E-03 significantly impacted Battery and C-15 Switchboard 1.30E-03 1.63E-07 Rooms B Battery and C-16 Switchboard 2.60E-03 3.25E-07 Rooms A South Electrical C-17 low frequency 3.90E-04 Chase

INTERNAL FIRE QUANTIFICATION Page 4 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

North Electrical C-18 low frequency 3.90E-04 Chase Column C-3 CCDP very low, mitigation not C-19 3.90E-04 Electrical Chase significantly impacted Column C-6 CCDP very low, mitigation not C-20 3.90E-04 Electrical Chase significantly impacted Lower Cable C-21 low frequency 4.80E-04 Spreading Rm Upper Cable C-22 low frequency 3.90E-04 Spreading Rm South Electrical C-23 low frequency 3.90E-04 Chase North Electrical C-24 low frequency 3.90E-04 Chase Column C-6 CCDP very low, mitigation not C-25 3.90E-04 Electrical Chase significantly impacted Column C-3 CCDP very low, mitigation not C-26 3.90E-04 Electrical Chase significantly impacted C-27 Control Room See Attachment 1.

Service Area near Reactor trip only, mitigation not C-28 3.90E-04 CR impacted SAS Room and Reactor trip only, mitigation not C-29 5.60E-04 Panel impacted South Electrical C-30 low frequency 3.90E-04 Chase North Electrical C-31 low frequency 3.90E-04 Chase Column C-6 CCDP very low, mitigation not C-32 3.90E-04 Electrical Chase significantly impacted South Electrical C-33 low frequency 3.90E-04 Chase

INTERNAL FIRE QUANTIFICATION Page 5 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

Column C-6 CCDP very low, mitigation not C-34 3.90E-04 Electrical Chase significantly impacted Control Building Reactor trip only, mitigation not C-35 3.90E-04 2016 Corridor impacted Column C-6 Reactor trip only, mitigation not C-36 3.90E-04 Electrical Chase impacted Column C-3 Reactor trip only, mitigation not C-37 3.90E-04 Electrical Chase impacted Circ and Service CS 1.00E-03 1.25E-07 Water D-1 B EDG 2.90E-02 0.05 1.81E-07 D-2 A EDG 2.90E-02 0.05 1.81E-07 Reactor trip only, mitigation not T-1 Stairwell 4.10E-04 impacted TB-1 Turbine Building CCDP = 1.0 4.40E-02 Comm Corr. CCDP very low, mitigation not TB-2 4.10E-04 Stairwell significantly impacted Access Area and TB-3 LOOP delta CCDP = 0.0 4.10E-04 Hot Lab ESW Pumphouse ES-1 1.20E-03 1.50E-07 Train A ESW Pumphouse ES-2 1.20E-03 1.50E-07 Train B UHS Cooling UHS-1 1.40E-03 1.75E-07 Tower North UHS Cooling UHS-2 1.40E-03 1.75E-07 Tower South

INTERNAL FIRE QUANTIFICATION Page 6 of 6 Fire CDF Due to Fire Modeled an AFAS Train Fire Fire Frequency Description Screen Basis P(NS) Fire Frequency OOS Compartment (yr-1)

(yr-1) (Note 1)

(yr-1)

Reactor trip only, mitigation not INST Plant Intake 8.10E-04 impacted Manhole w/ A train YD-1A Fire freq = 0 0.00E+00 cable Manhole w/ B train YD-1B Fire freq = 0 0.00E+00 cable Train A emergency CCDP very low, mitigation not YD-1C 4.20E-04 fuel oil tank significantly impacted Train B emergency CCDP very low, mitigation not YD-1D 4.20E-04 fuel oil tank significantly impacted CCDP very low, mitigation not YD-1E Various yard tanks 4.20E-04 significantly impacted YD-1F XNB01 LOOP delta CCDP = 0.0 8.10E-04 YD-1G XNB02 LOOP delta CCDP = 0.0 8.10E-04 SWYD Plant Switchyard LOOP delta CCDP = 0.0 1.10E-04 Reactor trip only, mitigation not MXTR Main Transformers 2.40E-03 impacted Turbine Building Reactor trip only, mitigation not TBXTR 1.20E-03 Transformers impacted Total 3.20E-06 Note 1: CCDP of 1.25E-4 applied to all areas to account for one AFAS train OOS.

ATTACHMENT 8 INTERNAL FLOODING QUANTIFICATION

INTERNAL FLOODING QUANTIFICATION Page 1 of 4 ESW/AFW Flooding CDF Due to an Flood ESW/AFW Description Screen Basis Flood Frequency AFAS Train OOS (yr-1)

Area Flood Source (yr-1) (Note 1)

ONE CCW Area ESW CCDP = 1.0 TWO ESW Pipe Chase ESW 2.15E-05 1.95E-08 THREE ESF Switchgear ESW CCDP = 1.0 FOUR Battery and Chargers ESW CCDP = 1.0 FIVE Circ/SW Pump House None No ESW/AFW flood SIX-A 1974' Aux Building ESW 8.92E-06 8.07E-09 SIX-B 1988' Pipe Chase Areas ESW/AFW 7.37E-06 6.67E-09 SIX-C 1988' Pipe Spaces ESW 9.70E-07 8.78E-10 A-2 ECCS Train A Pump Rooms ESW 2.65E-05 2.40E-08 A-4 ECCS Train B Pump Rooms ESW 2.65E-05 2.40E-08 A-5 Stairway None No ESW/AFW flood A-6 Stairway None No ESW/AFW flood A-7 BIT Room None No ESW/AFW flood A-8 CVCS Components ESW CCDP = 1.0 A-9 RHR B HX Room None No ESW/AFW flood A-10 RHR A HX Room None No ESW/AFW Flood None A-11 Electrical Chase 1.10E-05 9.95E-09 Prop from A-24 None A-12 Electrical Chase 1.10E-05 9.95E-09 Prop from A-25 A-13 MDAFP B ESW/AFW 1.63E-04 1.47E-07 A-14 MDAFP A ESW/AFW 1.42E-04 1.28E-07 A-15 TDAFP AFW 1.19E-04 1.08E-07 A-17 B Electrical Pen Room ESW 4.93E-06 4.46E-09 A-18 A Electrical Pen Room ESW 4.93E-06 4.46E-09 A-19 CB Supply A/C Unit None No ESW/AFW flood A-20 CCW Surge Tank Area None No ESW/AFW flood A-21 Control Room A/C B ESW Low flood frequency

INTERNAL FLOODING QUANTIFICATION Page 2 of 4 ESW/AFW Flooding CDF Due to an Flood ESW/AFW Description Screen Basis Flood Frequency AFAS Train OOS (yr-1)

Area Flood Source (yr-1) (Note 1)

A-22 Control Room A/C A ESW 3.08E-06 2.79E-09 A-23 MSIV/MFIV Area None No ESW/AFW flood A-24 North Piping Pen Room ESW 1.10E-05 9.95E-09 A-25 South Piping Pen Room ESW 1.10E-05 9.95E-09 A-26 Chem Storage Area None No ESW/AFW flood Included w/ ONE for A-28 Aux Shutdown Panel Room None prop and no ESW/AFW flood A-29 AFW Valves and Pipe Chase AFW 2.45E-04 2.22E-07 A-30 AFW Valves and Pipe Chase AFW 2.45E-04 2.22E-07 Drains handle flood and C-2 North Electrical Chase None no ESW/AFW flood Drains handle flood and C-3 South Electrical Chase None no ESW/AFW flood C-5 HP Access None No ESW/AFW flood C-6 HP Access None No ESW/AFW flood C-7 North Electrical Chase None No ESW/AFW flood Drains handle flood and C-8 South Electrical Chase None no ESW/AFW flood None C-11 North Electrical Chase Prop from 4.30E-06 3.89E-09 THREE None C-12 South Electrical Chase Prop from 4.30E-06 3.89E-09 THREE C-13 Access Control A/C ESW 4.93E-06 4.46E-09 C-14 Access Control A/C ESW 2.46E-06 2.23E-09 None C-17 South Electrical Chase Prop from Low flood frequency FOUR

INTERNAL FLOODING QUANTIFICATION Page 3 of 4 ESW/AFW Flooding CDF Due to an Flood ESW/AFW Description Screen Basis Flood Frequency AFAS Train OOS (yr-1)

Area Flood Source (yr-1) (Note 1)

None C-18 North Electrical Chase Prop from Low flood frequency FOUR None C-19 Column C-3 Electrical Chase Prop from Low flood frequency FOUR None C-20 Column C-6 Electrical Chase Prop from Low flood frequency FOUR C-21 Lower Cable Spreading Rm None No ESW/AFW flood C-22 Upper Cable Spreading Rm None No ESW/AFW flood C-23 South Electrical Chase None No ESW/AFW flood C-24 North Electrical Chase None No ESW/AFW flood C-25 Column C-6 Electrical Chase None No ESW/AFW flood C-26 Column C-3 Electrical Chase None No ESW/AFW flood C-27 Control Room None No ESW/AFW flood C-28 Service Area near CR None No ESW/AFW flood C-29 SAS Room and Panel None No ESW/AFW flood C-30 South Electrical Chase None No ESW/AFW flood C-31 North Electrical Chase None No ESW/AFW flood C-32 Column C-6 Electrical Chase None No ESW/AFW flood C-33 South Electrical Chase None No ESW/AFW flood C-34 Column C-6 Electrical Chase No ESW/AFW flood Drains handle flood and C-36 Column C-6 Electrical Chase None no ESW/AFW flood Drains handle flood and C-37 Column C-3 Electrical Chase None no ESW/AFW flood D-1 B EDG ESW Included in THREE D-2 A EDG ESW Included in THREE T-1 Stairwell None No ESW/AFW flood TB-1 Turbine Building None No ESW/AFW flood

INTERNAL FLOODING QUANTIFICATION Page 4 of 4 ESW/AFW Flooding CDF Due to an Flood ESW/AFW Description Screen Basis Flood Frequency AFAS Train OOS (yr-1)

Area Flood Source (yr-1) (Note 1)

TB-2 Comm Corr. Stairwell None No ESW/AFW flood TB-3 Access Area and Hot Lab None No ESW/AFW flood ES-1 ESW Pumphouse Train A ESW 3.30E-03 2.16E-08 ES-2 ESW Pumphouse Train B ESW 3.30E-03 2.16E-08 UHS-1 UHS Cooling Tower North ESW 1.16E-02 7.61E-08 UHS-2 UHS Cooling Tower South ESW 1.16E-02 7.61E-08 INST Plant Intake None No ESW/AFW flood Total 1.17E-06 Note 1: CCDP of 9.049E-4 applied to all Areas except ES-1/2 and UHS-1/2 to account for one train of AFAS OOS and one train of ESW drained. CCDP of 6.56E-6 applied to Areas ES-1/2 and UHS-1/2 to account for one train of AFAS OOS and one train of ESW failed.

ATTACHMENT 9 RG 1.200 REVISION 1 GAP ANALYSIS

Callaway PRA Gap Analysis Report Prepared under Contract No. P99005-0001-001-17, Revision 2 Prepared for:

AmerenUE September 21, 2006 Final Report Prepared by:

SCIENTECH, LLC

Callaway PRA Gap Analysis Report Table of Contents 1.0 Introduction ............................................................................................................................ 1 2.0 Assessment .............................................................................................................................. 3 2.1. Internal Events During Full Power..................................................................................... 3 2.2. External Events During Full Power.................................................................................... 4 2.3. Low Power and Shutdown with External Events ............................................................... 5 2.4. Internal Fires During Full Power........................................................................................ 6 3.0 Conclusions ............................................................................................................................. 7 3.1 Internal Events During Full Power..................................................................................... 7 3.2 External Events During Full Power.................................................................................. 27 3.3 Low Power and Shutdown PRA with External Events .................................................... 32 3.4 Internal Fire During Full Power ....................................................................................... 59 4.0 Recommendations ................................................................................................................ 60 5.0 References ............................................................................................................................. 65 5.1 Callaway PRA Model....................................................................................................... 65 5.2 Reference Standards ......................................................................................................... 68 Appendix A - Independent Assessment Database Report (Areas AS, DA, IE, HR, LE, QU, SC, SY, MU) ...................................................................................................................................... A-1 Appendix B - Independent Assessment Results for Internal Events During Full Power............ B-1 Appendix B Initiating Events Analysis Assessment Results ................................................ B-2 Appendix B Accident Sequence Analysis Assessment Results .......................................... B-17 Appendix B Success Criteria Assessment Results.............................................................. B-25 Appendix B Systems Analysis Assessment Results ........................................................... B-30 Appendix B Human Reliability Analysis Assessment Results ........................................... B-34 Appendix B Data Analysis Assessment Results ................................................................. B-38 Appendix B Internal Flooding Assessment Results............................................................ B-42 Appendix B Quantification Assessment Results................................................................. B-49 Appendix B LERF Analysis Assessment Results ............................................................... B-62 Appendix B Maintenance and Update Assessment Results.............................................. B-66 Appendix C - Independent Assessment Results for External Events During Full Power .......... C-1 Appendix C Other External Events: Requirements for Screening and Conservative Analysis Assessment Results ..................................................................................................................... C-2 Appendix C Seismic Margins Assessment Results............................................................... C-4 Appendix D - Independent Assessment Results for Low Power and Shutdown Plant States modeling Internal and External Initiating Events........................................................................ D-7 i

Callaway PRA Gap Analysis Report Independent Assessment Report 1.0 Introduction NRC approved in 2003 implementation of a phased approach to achieving an appropriate quality for probabilistic risk assessments (PRAs) for NRC's risk-informed regulatory decision-making. This approach allows for continued practical use of risk insights while progressing towards more complete and technically acceptable PRAs. The phases of this approach are:

Phase 1 - This phase represented the status quo at the time of implementation of the approach where PRA quality is judged only in the context of what is needed for an individual application. All contributors to risk (operational modes and initiating event types) are considered but contributors to risk not within the scope of a given PRA can be addressed by qualitative arguments, performance of bounding analysis, or restricting the scope of the application of the PRA. In reality, most current industry PRAs, including Callaway, have undergone peer reviews and have achieved a higher level of quality than the basic level of phase 1.

Phase 2 - This is the first step towards a more efficient approach by establishing an "issue-specific" phase to PRA quality. During this "issue-specific" phase, each general topic (such as: risk-informed ISI applications, or risk-informed Tech Spec applications, or risk-informed 50.46 applications) should be addressed with a PRA that meet applicable consensus standards (e.g., ASME standard at Capability Category II). With respect to the critical issue of PRA scope, this phase should have PRAs that address all modes and all initiators applicable to the issue. Some modes and initiators could be addressed qualitatively but all significant modes and initiator, those that could change the regulatory decision substantially and that are applicable to the issue and within the scope of the change being considered, should to be quantified and should include an uncertainty analysis.

Phase 3 - This phase represents continued progress in PRA methodologies beyond Phase 2, with the goal of achieving a level of PRA quality consistent with using enhanced PRAs for all currently envisioned regulatory or operational uses. This phase therefore differs from Phase 2 in that a single base-line PRA should be fully capable of supporting currently envisioned uses and doing so in a manner consistent with all the applicable consensus standards. This phase requires PRAs to consider all modes and all initiators applicable to the full range of currently envisioned issues. Since there are a wide variety of applications currently envisioned, this would likely correspond to all modes and all initiators reasonably applicable, that is, power operation, low-power and shutdown, internal and reasonable external events. Some modes and initiators could be addressed qualitatively but all significant modes and initiators (those that could change the regulatory decision substantially) should be quantified and should include an uncertainty analysis.

The NRCs goal is to complete phase 3 by the end of 2008. In order to assess the status of the Callaway PRA with respect to this approach, AmerenUE has chosen to perform a 1

Callaway PRA Gap Analysis Report gap analysis to identify the areas of the PRA which need to be strengthened in order to assure that the Callaway PRA conforms to all the existing standards in sufficient depth to address all currently envisioned applications. The gap analysis is an informal peer review designed to provide an overall status of all of the PRA elements with respect to the applicable standards in the form that they presently exist and to provide a roadmap and initial estimate of the time and resources required to upgrade the Callaway PRA.

This report documents the results of the gap analysis conducted of the complete Callaway PRA model, data and documentation in accordance with the Category II requirements of the ASME Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, updated to include Addenda B (Reference 1), the Category II requirements of ANSI/ANS-58.21-2003, American National Standard External-Events PRA Methodology, (Reference 2), and the expected requirements of the ANS Low Power and Shutdown PRA Standard (draft being written). The review was conducted by a team of three senior experts with experience in performing NEI PRA Certifications and pre-Certification reviews with support from a sister plant PRA staff member and experts in the areas of shutdown risk analyses and human reliability analyses.

The Callaway Internal Events PRA has had a peer review by the Westinghouse Owners Group (WOG) in accordance with NEI 00-02. Resolution of all F&Os from the peer review is essentially complete with a few exceptions. The assessment team performed its review of the model as currently used. The open peer review F&Os, however, were reviewed to determine if there are additional areas of the PRA (i.e., not noted in the peer review F&Os) to which the comment (or similar comments) might also be applicable.

The intent of this independent assessment was to review the entire current model against the applicable standards to assess the ability of the model to meet each of the supporting requirements for Capability Category II of the standards and identify those areas where the model did not meet Capability Category II requirements. The task was not limited to the changes made to the Callaway PRA since the peer review, but covered the full PRA.

The current Callaway PRA is composed of the IPE, Union Electric (AmerenUE) calculation packages and Addenda, the IPEEE, and the low power and shutdown safety monitor model. The specific calculation packages which comprise the Callaway IPE are shown in tabular form in Section 5, References. The assessment team reviewed the technical adequacy of compliance with each of the supporting requirements as compared to current PRA practices in the industry. Any requirements of the Standard that were believed to have not been fully complied with were noted in F&O format.

2

Callaway PRA Gap Analysis Report 2.0 Assessment The Callaway PRA was divided into four distinct areas for the purpose of performing the gap analysis: 1) Internal Events During Full Power; 2) External Events During Full Power; 3) Low Power and Shutdown with External Events; and 4) Internal Fires During Full Power. The assessment conducted in each area is discussed in the following subsections.

2.1. Internal Events During Full Power The review of the Callaway Internal Events PRA was performed by examining the Callaway internal events model, including Internal Floods, with respect to each of the supporting requirements in Reference 1. A determination was made for each supporting requirement whether the current Callaway model met the requirement or not. If the model was identified to not meet the requirement, the basis behind that conclusion was documented and an F&O generated. A significant effort was made to ensure that when a requirement was identified as not being met, that it was a true deficiency and not due to a failure to locate the correct documentation. Due to the sheer volume of documentation it is possible that some documentation was overlooked and the associated F&O can be resolved by identifying the documentation.

The review was largely documented in database format. The supporting requirements and evaluations to the Capability Category II criteria are provided in Appendix A.

The database report consists of the following information (described by report column heading):

SR Each supporting requirement is identified in Reference 1 with a designator that includes the PRA Area to which the SR relates (e.g., AS, IE, QU, etc.), the high level requirement to which the SR relates and a sequential number within the HLR.

Category II Requirement This is the supporting requirement statement from Reference 1 for Category II.

Cat II Not Met This column represents the judgment of the reviewer as to whether the Category II requirement is satisfied. Additional information, however, is contained in this column in several distinct entries:

Blank - This entry indicates that the requirements of Category II are met.

Some SRs are identical for multiple categories and, even though Category III may be satisfied, the evaluation was performed with regard to Category II.

3

Callaway PRA Gap Analysis Report Checked - The entry indicates that the requirements of Category II are not met. The requirements for Category I may or may not be satisfied for the specific supporting requirement. New F&Os will be found for these SRs.

N/A - The specific SR is not applicable. (Note: N/A items omitted from Appendix A listing)

F and O Number This column contains the F&Os, identified by number, that apply to this supporting requirement.

Assessment The contents of this field were not constrained and it contains any comments related to the supporting requirement that the reviewer felt to be important to the assessment.

Document Enhancement This field was used to identify potential enhancements to documentation related to the SR.

Model Enhancement This field was used to identify potential enhancements to the model related to the SR.

The ASME PRA Standard does not assign specific IDs to the configuration control requirements of Section 5 of the Standard; to support this review, high level requirements and Supporting Requirements for PRA configuration control are defined here using the text of Section 5 of the ASME PRA Standard.

The results of the independent assessment consists of the evaluation of the Callaway Internal Events PRA with respect to the requirements for Category II described in Reference 1 and the identification of any deficiencies noted in this process. The deficiencies are identified as Findings and Observations (F&Os) and are presented in Appendix B for each of the areas covered by Reference 1. Appendix B is subdivided into sections corresponding to the PRA analysis areas identified in Reference 1. The comparison of the Callaway Internal Events PRA to the high level requirements and the supporting requirements associated with each PRA analysis area is provided in Section 3.1.

2.2. External Events During Full Power The external events analyses performed for Callaway as part of the IPEEE (excluding the fire analysis which is in the process of being revised) were reviewed against the criteria of ANSI/ANS-58.21-2003, American National Standard External-Events PRA Methodology (Reference 2). This review included the seismic margins assessment 4

Callaway PRA Gap Analysis Report (SMA) and the other external events. These analyses have not been reviewed or updated since the IPEEE submittal.

The review of the Callaway External Events Analysis was performed by examining the Callaway IPEEE documentation with respect to each of the applicable supporting requirements in Reference 2. A determination was made for each supporting requirement whether the current Callaway analysis met the requirement or not. If the analysis was identified to not meet the requirement, the basis behind that conclusion was documented and an F&O generated. A significant effort was made to ensure that when a requirement was identified as not being met, that it was a true deficiency and not due to a failure to locate the correct documentation. Due to the sheer volume of documentation it is possible that some documentation was overlooked and the associated F&O can be resolved by identifying the documentation.

The results of the independent assessment consists of the evaluation of the Callaway IPEEE with respect to the requirements for Category II described in Reference 2 and the identification of any deficiencies noted in this process. The deficiencies are identified as F&Os and are presented in Appendix C for each of the areas covered by Reference 2 and are subdivided into sections corresponding to the applicable High Level Requirements.

The comparison of the Callaway IPEEE to the high level requirements and the supporting requirements associated with each analysis area are provided in Section 3.2.

2.3. Low Power and Shutdown with External Events The low power and shutdown (internal and external events) analyses performed for Callaway were constructed as part of a Safety Monitor Users Group project to develop a configuration risk management tool for evaluating risk trade-offs between conducting maintenance on-line or shutdown; and to provide an additional tool for outage risk management. The low power and shutdown PRA was reviewed against the high level requirements that are expected to be in the American National Standard Low Power and Shutdown PRA Methodology. Drafts of this particular PRA standard show that low power and shutdown PRA modeling starts with the ASME PRA elements and requirements, and then ANS adds, modifies, or deletes the ASME requirements to create the set of requirements applicable to low power and shutdown plant states. The low power and shutdown PRA analyses have not been reviewed nor updated since the their original development several years ago.

The review of the Callaway Low Power and Shutdown PRA was performed by examining the Callaway Low Power and Shutdown documentation with respect to each of the applicable high level requirements that are expected to be in the ANS Standard (based on drafts that have been released for comment). A determination was made for each high level requirement whether the current Callaway analysis met the requirement or not. If the analysis was identified to not meet the requirement, the basis behind that conclusion was documented and an F&O generated. A significant effort was made to 5

Callaway PRA Gap Analysis Report ensure that when an requirement was identified as not being met, that it was a true deficiency and not due to a failure to locate the correct documentation. As with other sections of the gap analysis, due to the large volume of documentation it is possible that some documentation was overlooked and the associated F&O can be resolved by identifying the documentation.

The results of the independent assessment consists of the evaluation of the Callaway Low Power and Shutdown PRA with respect to the requirements associated with Capability Category II and the identification of any deficiencies noted in this process. The deficiencies are identified as F&Os and are presented in Appendix D for each of the PRA elements. The comparison of the Callaway Low Power and Shutdown PRA to the high level requirements and the supporting requirements associated with each analysis area are provided in Section 3.3.

2.4. Internal Fires During Full Power The current Internal Fire model for the fire evaluation at Callaway is a Fire Induced Vulnerability Evaluation (FIVE) which was submitted to NRC as part of the IPEEE Submittal. Callaway is making the transition to NFPA 805 and is in the process of performing a detailed Fire PRA which will need to satisfy the intent of the requirements of the draft ANS Fire PRA Standard (Reference 3). Therefore, the Internal Fire Analysis was not reviewed as part of this gap analysis.

6

Callaway PRA Gap Analysis Report 3.0 Conclusions As indicated in Section 2, the Callaway PRA was divided into four distinct areas for the purpose of performing the gap analysis: 1) Internal Events During Full Power; 2)

External Events During Full Power; 3) Low Power and Shutdown with External Events; and 4) Internal Fires.

The conclusions associated with each of these areas of the assessment are discussed in the following subsections.

3.1 Internal Events During Full Power This gap analysis identified a number of items necessary to meet each Supporting Requirement of ASME RA-Sb-2005. Most of the findings of this gap analysis concern the enhancement of the documentation of the PRA, as opposed to recommending changes in models, data or PRA methodology.

The review was largely documented in database format. Appendix A provides the printout of the complete assessment of the Callaway PRA against each of the Capability Category II supporting requirements.

Where additional items were identified as necessary to meet the supporting requirements, F&Os were generated during the gap analysis. The individual F&Os, in some cases, address more than one supporting requirement and/or high level requirement.

Additionally, F&Os were generated when an error was discovered in the model or a significant conservatism was identified. The F&Os are presented in Appendices B-1 through B-10.

Table 1 provides an overview of the results of the review, indicating the number of supporting requirements meeting the various capability categories for each PRA area.

Table 1 provides the number of SRs in each PRA Area found in Reference 1. This total count includes those SRs which are noted as Deleted in Addendum B but retain a number. Additionally it indicates the number of SRs found to be in each category as a result of this assessment. SRs which were Deleted or were otherwise not applicable to Callaway (e.g., dual unit considerations) are totaled in the Not Applicable column.

Although Category III is met for some supporting requirements, this table does not include Category III because this project assessed the PRA against the requirements for Category II. For example, of the 44 SRs for the SY area, thirty-nine were found to currently meet at least the Category II requirements, two more will meet at least the Category II requirements when the outstanding F&Os are resolved satisfactorily, and three were not applicable to Callaway.

7

Callaway PRA Gap Analysis Report Table 1. Internal Events PRA During Full Power - PRA Elements and Associated Supporting Requirements and Status PRA Cat II / Not No. of Element SRs Met Not Met Applicable F&Os IE 35 17 14 4 14 AS 21 16 4 1 7 SC 15 11 4 4 SY 44 39 2 3 3 HR 36 32 3 1 3 DA 33 25 8 3 IF 54 37 9 8 6 QU 36 27 8 1 12 LE 42 36 6 3 MU 10 8 2 2 (Note 1)

Note 1: The ASME PRA Standard does not assign specific IDs to the configuration control requirements of Section 5 of the Standard; to support this review, high level requirements and Supporting Requirements for PRA configuration control are defined here using the text of Section 5 of the ASME PRA Standard..

Table 2 provides a summary of each of the supporting requirements which were identified as not meeting the Capability Category 2 requirements. For each SR, the table provides a brief text description of the assessment; an indication whether the resolution requires a documentation change, a modeling change, or both; and a reference to the applicable F&Os.

8

Callaway PRA Gap Analysis Report Table 2: Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No IE-A4 The initial screening of the systems was performed during the initial PRA and is discussed in 3.1.1.1.3 of the X IE-3 IPE submittal. Detailed FMEAs were developed for those systems identified as leading to plant trip.

However, there was no justification provided for the exclusion of systems for which FMEAs were not performed. The FMEAs performed were documented in Calcs ZZ-116 (DC Power), ZZ-119 (AC Power), ZZ-120 (HVAC), EA-03 (SWS), EG-18 (CCWS), KA-30 (IAS). These FMEAs or the screening evaluations have not been revisited since the IPE. In order to meet Category 2 requirements, the documentation of the basis for the disposition of each system as an initiating event must be specified. In order to keep this documentation current, a review of the applicability of the FMEAs/screening basis should be made during each model update.

IE-A5 The screening process does not distinguish why events which occur during non-power were excluded. X IE-4 Therefore SR IE-A5 is not met.

IE-A7 There was no evidence found that operating experience was reviewed with precursors in mind. If an event did X IE-6 not result in the generation of a trip or an LER, then it was not reviewed. As a minimum, interviews with operations and maintenance personnel should be conducted to meet SR IE-A7. The current analysis does not meet Cat 2 SR IE-A7.

IE-C1 The IE frequencies do not include any distribution information. The Callaway PRA justifies excluding the early X IE-7 operational data not indicative of normal plant power operation. The IE frequencies need to have uncertainty bounds assigned to meet SR IE-C1.

IE-C1a The IE frequencies do not include any distribution information. The Callaway PRA justifies excluding the early X IE-7 operational data not indicative of normal plant power operation. The IE frequencies need to have uncertainty bounds assigned to meet SR IE-C1a.

IE-C1b As noted in SY, the Callaway PRA credits repair of hardware faults in the recovery of the loss of CCW and X IE-8 loss of SWS initiating events. The recovery events, which include recovery of CCF of pumps and valves lack sufficient analysis or data. The Callaway PRA does not meet SR IE-C1b. (See also SY-22)

IE-C3 The Callaway PRA does not make this correction. Note that the T2 and T3 initiating events already include X IE-10 this based on the data collection method and calculation. SR-C3 is not explicitly met for the other initiating events.

IE-C9 The Callaway PRA credits repair of hardware faults in the recovery of the loss of CCW and loss of SWS X IE-8 initiating events. The recovery events, which include recovery of CCF of pumps and valves lack sufficient analysis or data. The Callaway PRA does not meet criterion IE-C9.

IE-C10 There is no documentation of a comparison with generic data sources. This is primarily of interest for the X IE-12 support system initiating event fault trees and needs to be documented as part of each update in order to meet SR IE-C10.

9

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No IE-C12 The Callaway treatment of ISLOCA addresses items a-d and may include item e but that is not clear. The X X IE-13 ISLOCA documentation is good for the evaluation of the high/low interfaces (ZZ-105) however the documentation of the quantification from that point on is minimal, is not incorporated in the main model, and has not been revised or reexamined since the IPE submittal. The ISLOCA model as it now stands does not meet SR IE-C12.

IE-C13 The data used in the PRA quantification are mean values but there is no characterization of the uncertainty. X IE-7 Therefore SR IE-C13 is not met.

IE-D1 The initiating event analysis documentation does not facilitate PRA applications, upgrades, and peer review. X IE-14 IE-D2 The current documentation of the initiating event selection, grouping, screening, modeling, and quantification is X IE-14 scattered throughout multiple calculation packages and only small portions have been updated since the completion of the IPE. The documentation could be significantly enhanced by combining all IE related calculations into one IE calculation package and making a commitment to revisit the calculation during each model update.

IE-D3 The assumptions made during the initiating events analysis are spread throughout multiple documents which X IE-14 makes it difficult to judge whether the assumptions are fully documented. Likewise, the key sources of uncertainty in the initiating events analysis are spread throughout multiple documents which makes it difficult to judge whether the assumptions are fully documented.

AS-A11 This requirement is met for some of the event trees. Calc note ZZ-267 contains a table of transfers. X X AS-2 However, many transfers such as seal LOCA and stuck open PORV transfer to a "psuedo event tree". These transfers are quantified using an OCL file that does not have a specific event tree. This introduces possibilities for error in the quantification since there is no event tree on which to base the evaluated functions, especially those that require preservation of dependencies. The actual event tree for quantification of the RCP seal LOCA events was not found. An event tree Trcp appears to have been used, but this event tree has an event for recovery of CCW, which is not included in the .OCL files for the RCP seal LOCA events.

AS-B1 This requirement is not met. See F&Os AS-1, AS-3, AS-5, and AS-7 for specific examples. X AS-1, AS-3, AS-5, AS-7 AS-B2 This requirement is not met. See F&Os AS-1, AS-3, AS-5, and AS-7 for specific examples. X AS-1, AS-3, AS-5, AS-7 AS-B6 Discussed in IPE, ZZ-275, ZZ-267, and the individual system calc notes. In most cases this requirement is X AS-4, AS-5 met, however, the RCP seal LOCA model needs to be updated to reflect the latest WOG model, which is approved by the NRC.

Room cooling requirements for the switchgear rooms for SBO should be re-evaluated to consider the actual heat loads in the rooms during SBO.

10

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No SC-B5 There was no documentation found which provides a comparison of the plant-specific analysis with that of X SC-2 different plants or with other computer code calculations SC-C1 Success criteria are not documented in a single place. Each system notebook has the SC for that application. X SC-1 Current system of documentation does not provide easy comparison of T/H use for consistency. The ASME criteria expects to see a single place for SC documentation and a coordinated effort to compare and show that all SC are consistently derived from the same set of consistent T/H runs.

SC-C2 As identified for SR SC-C1, the documentation is spread out, and while it appears that all of the information is X SC-1 provided, the quality, useability and reviewability of the PRA would be greatly enhanced by pulling the disparate pieces into a single document.

SC-C3 Not done X SC-1 SY-A7 Detailed system models are available for all but two systems. For the Instrument Air System a single basic X X SY-1 event is used and is based on generic data. The Callaway plant is not highly dependent upon IAS and the PRA loads on IAS also are supplied with N2 backup which is modeled. The IAS is correctly failed for LOSP, but remains available in all other cases. The IAS is cooled by SW and would be unavailable after loss of all SW (T(SW)) and should be set to failed via a house event setting. The actuation system is modeled with a single event for each of the redundancies which is set to fail for scenarios in which the conditions are not present to generate the signal. The data associated with these single event failures need to be reviewed against current industry data and updated if necessary. The applicability of the data to the Callaway configuration also needs to be justified. In addition, the scram system has not been modeled in detail but is evaluated in a similar manner to most PRAs. SR SY-A7 is not met due to the above noted correction and documentation issues.

SY-A22 The Callaway PRA credits repair of hardware faults in the recovery of the loss of CCW and loss of SWS X IE-8 initiating events. The recovery events, which include recovery of CCF of pumps and valves lack sufficient analysis or data. The Callaway PRA does not meet SR SY-A22.

SY-B1 The Callaway PRA adequately models CCFs with the exception of battery chargers and breakers as noted in X SY-2 SR SY-B3.

SY-B3 The Callaway PRA includes most of the CCF groups identified. In order to meet the criterion for SY-B3, either X SY-2 a justification must be provided or the events added for: Battery chargers and circuit breakers. The current treatment does not meet the criterion for SY-B3.

HR-D3 Documentation should be updated to add a ground rule statement that the quality of written procedures is X HR-1 considered in the operator-procedure interface failure mechanisms of the CBDTM, and in the EOM parts of the THERP analyses (step-by-step vs. verbose). The instrumentation and control layout is considered in the "Cues" sections and in the THERP execution analyses. Equipment configuration is considered for local actions in "Execution PSFs" and in the THERP analyses.

11

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No HR-G6 The analyst who performed the reevaluation of the HFEs indicated that a reasonableness check was X HR-2 performed, however the documentation does not discuss this issue.

HR-I3 Key assumptions are documented in the individual analyses files, where applicable. Key sources of X HR-3 uncertainty associated with the HRA are not documented.

DA-B1 Group parameter estimations are generally based only on component type. Recent data updates have used a X DA-2 much finer levels of grouping (e.g., the charging pumps are considered a different group than the SI pumps).

The grouping used to apply plant-specific data updates should be reexamined to make sure the data aggregation is reasonable. This meets category I but does not meet category II.

DA-C2 Plant specific data was initially collected but has not been updated for components associated with low risk X X DA-2 significant components in the most recent update. Consideration should be given to collecting data on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data.

DA-C6 The data collected is provided by the MR Group. It appears, based on discussions with the PRA analyst that X DA-1 the correct information is collected and transferred to the PRA Group however the documentation of the collection method needs to be formalized and included as part of the PRA.

DA-C7 The data collected is provided by the MR Group. It appears, based on discussions with the PRA analyst that X DA-1 the correct information is collected and transferred to the PRA Group however the documentation of the collection method needs to be formalized and included as part of the PRA.

DA-C8 The data collected is provided by the MR Group. It appears, based on discussions with the PRA analyst that X DA-1 the correct information is collected and transferred to the PRA Group however the documentation of the collection method needs to be formalized and included as part of the PRA.

DA-C9 The data collected is provided by the MR Group. It appears, based on discussions with the PRA analyst that X DA-1 the correct information is collected and transferred to the PRA Group however the documentation of the collection method needs to be formalized and included as part of the PRA.

DA-C14 The Callaway PRA credits repair of hardware faults in the recovery of the loss of CCW and loss of SWS X IE-8 initiating events. The recovery events, which include recovery of CCF of pumps and valves lack sufficient analysis or data. The Callaway PRA does not meet DA-C14.

DA-D2 No justification is provided for the use of engineering judgment to determine the probability as required by DA- X DA-3 D2 (Example: HYDRAULICSYSFAIL, STR-FR, STR-FS). There is no indication that any parameters were (or were not) determined by using data or estimates of similar equipment.

IF-C2a This requirement is not met. ZZ-466 treats operator response in a generic sense. X IF-5 12

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No IF-C6 This requirement is met to Category I only. ZZ-466 allows the operator intervention and mitigation for floods X IF-3 that take 30 minutes or longer. Isolation and available manpower not specifically addressed. F&O IF-3 IF-C8 This requirement is met to Category I only. ZZ-466 allows the operator intervention and mitigation for floods X IF-3 that take 30 minutes or longer. Isolation and available manpower not specifically addressed. F&O IF-3 IF-D5 This requirement is met to Category I. The flood initiating event frequencies are based on generic pipe break X IF-1 frequencies. No plant specific experience is considered in the determination of the flooding initiator.

IF-D5a This requirement is met to Category I. The flood initiating event frequencies are based on generic pipe break X IF-1 frequencies. No plant specific experience is considered in the determination of the flooding initiator IF-E3a This requirement is not met at any Category. The Category I/II screening quantitative criteria in the standard X IF-2 is 1E-09/year. ZZ-466 screening criteria was 1E-06/yr.

IF-E5 This requirement is not met. The HEP values used in ZZ-466 are not developed from a human reliability X IF-4 analysis.

IF-E5a This requirement is not met. The HEP values used in ZZ-466 are not developed from a human reliability X IF-4 analysis.

IF-E7 This requirement is not met. The internal flooding sequences are not considered in the LERF analysis. X IF-6 QU-A2b The current quantification does not include an uncertainty calculation to account for the "state-of-knowledge" X QU-1 correlation between event probabilities. The structure exists to perform this correlation but at the current time it has not been done.

QU-B9 The Callaway PRA does not use modules, subtrees, or split fractions, with one exception. That exception is in X QU-2 the SSIE events. These "modules" provide a place that some dependencies can be overlooked. While the Ameren staff have made the effort to account for these hidden dependencies, enough inconsistencies were identified that SR QU-B9 is not considered to be met. Linking of the SSIE fault trees to the event trees provides more assurance of the correct treatment and should be considered.

QU-D4 There was no documentation of a review of non-significant accident sequences or cutsets to determine their X QU-5 reasonableness. This review is necessary to meet SR QU-D4.

QU-E3 The current quantification does not include an uncertainty calculation to account for the state-of-knowledge X QU-1 correlation between event probabilities. The structure exists to perform this correlation but at the current time it has not been done. SR QU-E3 is not met.

QU-F1 The documentation of the model quantification accurately documents what was performed during the X X QU-8 quantification process, however the manual integration required for several stand-alone pieces of the analysis is not well documented. The recommended changes to the quantification process to integrate the entire internal events (including internal flooding) would serve to facilitate the use of the quantification process for PRA applications, upgrades, and peer review.

QU-F2 In general the model integration process is adequately documented, however several of the areas do not meet X QU-9 the requirements. Items b, f, g, and i are not addressed in the documentation. These items need to be addressed to meet SR QU-F2.

13

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No QU-F4 Key assumptions and key sources of uncertainty which influence the current quantification are not addressed X QU-10 in a coherent manner in the documentation.

QU-F5 No documentation of limitations was identified. X QU-12 QU-F6 The quantitative definition used for significant cutset and significant accident sequence are documented and X QU-11 vary from the ASME definition. The ASME definitions need to be applied or the Ameren definition needs to be justified.

Significant sequence:

ASME - aggregate 95% of total, individual sequence >1%

Ameren - aggregate 88% of total, individual sequence >1%

Significant cutset:

ASME - aggregate 95% of total, individual cutset >1%

Ameren - cutsets >1E-6 LE-B1 Not necessarily done. LERF identified based on source term and timing. Not evident that containment X X LE-1 isolation failure is included. Not evident that HPME is included.

Probability of containment isolation failure leading to LERF does not contain a term to represent undetected, residual failures in containment structural integrity. This has been estimated at 5E-3 in NUREG/CR-4550.

Failure of containment isolation is derived by fault tree analysis of the containment isolation combinations on the penetration paths. There are three LERF split fractions with probabilities of 7.7E-4. If the 5E-3 was added to this, the split fraction would change, although LERF would not move significantly. Split fractions for induced SGTR and HPME were not explicitly stated in the documentation available for review.

LE-D4 Meets category I. Little benefit expected from additional analysis at significant cost. X LE-3 LE-D5 Meets category I. Little benefit expected from additional analysis at significant cost. X LE-3 LE-D6 Containment isolation failure only occurs in bypass sequences. Failures of CI system are not included. X X LE-1 Probability of containment isolation failure leading to LERF does not contain a term to represent undetected, residual failures in containment structural integrity. This has been estimated at 5E-3 in NUREG/CR-4550.

Failure of containment isolation is derived by fault tree analysis of the containment isolation combinations on the penetration paths. There are three LERF split fractions with probabilities of 7.7E-4. If the 5E-3 was added to this, the split fraction would change, although LERF would not move significantly.

LE-F2 Not done. The Level 2 analysis does not include uncertainty analysis nor are there sensitivity studies X LE-2 identified to examine the significant contributors to LERF. As a minimum, the uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

LE-G4 Not done. The Level 2 analysis does not include uncertainty analysis nor are there sensitivity studies X LE-2 identified to examine the significant contributors to LERF. As a minimum, the uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

14

Callaway PRA Gap Analysis Report Table 2 (cont.): Capability Category II Supporting Requirements Not Met Enhancement Type SR Assessment Doc Model FO No MU-B3 This requirement is not met. There is no direction in APA-ZZ-00312 to follow the industry guidance, nor is there X MU-1 a reference to the industry standards. The procedure was written prior to the issuance of the standards and should be revised to incorporate the standards.

MU-B4 This requirement is not met. There is no direction in APA-ZZ-00312 to perform a peer review following an X MU-2 upgrade.

15

Callaway PRA Gap Analysis Report An Importance Level, as defined in Table 3, were assigned to each of the F&Os generated during the review process.

Table 3. F&O Importance Levels Importance Level Definition A Extremely important and necessary to address to assure the technical adequacy of the PRA or the quality of the PRA or the quality of the PRA update process.

B Important and necessary to address, but may be deferred until the next PRA update.

C Marginal importance, but considered desirable to maintain maximum flexibility in PRA Applications and consistency in the Industry.

D Editorial or Minor Technical Item, left to the discretion of the host utility.

Table 4 provides the numbers of F&Os that were identified for each of the PRA areas for each level of significance. Of those F&Os identified as A/B, none were identified by the reviewers to qualify as A level issues; all A/B items were identified on the F&O forms as B. This means that the reviewers felt that for the A/B findings, the issues needed to be corrected but that the issues did not cause the PRA to be technically inadequate from an overall perspective.

Table 4. HLR F&O Summary HLR Total F&Os Level A/B Level C IE 14 5 9 AS 7 7 0 SC 4 0 4 SY 4 3 1 HR 3 0 3 DA 3 1 2 IF 6 4 2 QU 12 6 6 LE 3 2 1 MU 2 0 2 The tables below summarize the assessment comments for each of the HLRs for each PRA functional area.

16

Callaway PRA Gap Analysis Report Table 5. Initiating Event (IE) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: INITIATING EVENT ANALYSIS (IE)

Completeness (IE-A):

Most of the SRs for this HLR meet Category II. There are three SRs which are not met due primarily to documentation issues:

There is no documentation of the FMEAs associated with the plant systems that were not identified as support system initiating events.

The documentation of screening process does not justify the exclusion of events which occur during non-power.

There is no documentation of operating experience review with precursors in mind.

Once these documentation issues are addressed this HLR should be met at a Category II level or greater.

Grouping (IE-B):

The Callaway PRA currently meets this HLR at a Category II level or greater.

Frequency Estimation (IE-C):

Eight SRs associated with this HLR were not met at the Category II Level and fall into five classes:

Lack of distribution information and propagation of uncertainty (3 SRs)

Credit for repair with insufficient justification (2 SRs)

IE frequencies not uniformly calculated on a reactor-year basis Lack of documentation of a comparison of the IE frequencies, particularly the SSIEs, with generic data Lack of documentation of the ISLOCA quantification and the consideration of isolation capabilities.

Once these F&Os are addressed, this HLR should be met at a Category II level or greater.

Documentation (IE-D):

The documentation provided for IE currently does not meet all of the requirements for Category II, primarily due to the documentation of the various pieces of the IE analysis being scattered throughout multiple calculation packages. Resolution of the F&O will enable this HLR to meet Category II (or better) requirements.

17

Callaway PRA Gap Analysis Report Table 6. Accident Sequence Analysis (AS) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: ACCIDENT SEQUENCE ANALYSIS (AS)

Scenario Description (AS-A):

The approach used is consistent with the requirements of the standard and other industry PRAs. One SR regarding the treatment of event tree transfers is not met for Category II.

The Callaway PRA will meet the requirements of Category II for this HLR, once the F&O generated during the gap analysis is resolved.

Dependencies (AS-B):

The overall treatment of dependencies in the accident sequence analysis is good.

However, several cases (involving SSIEs) were identified where dependencies were not correctly addressed. Three F&Os document the specific cases identified in this area.

Resolution of these F&Os will ensure that this HLR is met for Category II.

Documentation (AS-C):

The documentation provided for AS meets the requirements for Category II, however it would be beneficial to the future use of the PRA to merge the documentation currently in the IPE and multiple calculation packages. This HLR is met to Category II (or better) requirements.

18

Callaway PRA Gap Analysis Report Table 7. Success Criteria (SC) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: SUCCESS CRITERIA (SC)

Definition/Appropriateness (SC-A):

The Callaway PRA incorporates industry-accepted definitions and methods for developing success criteria. The Category II requirements are met in this area.

Success Criteria Bases (SC-B):

The Callaway PRA attempts to define realistic success criteria, based on thermal-hydraulic evaluations using the MAAP 3 code. Questions have arisen regarding validity of MAAP 3. Callaway plans to re-analyze the success criteria with MAAP 4. This analysis should be considered a high priority. Also, comparisons of the calculated results with other sources were not performed or documented. This issue needs to be resolved in order to fully meet the requirements of Category II.

Documentation (SC-C):

The SC documentation does not meet the requirements for Category II from the standpoint of facilitating PRA applications, upgrades, or peer review. While it appears that all of the necessary information is provided, the ASME criteria expects to see a single place for SC documentation and a coordinated effort to compare and show that all SC are consistently derived from the same set of consistent T/H runs. Resolution of these F&Os should allow the Category II (or higher) requirements to be met.

19

Callaway PRA Gap Analysis Report Table 8. Systems Analysis (SY) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: SYSTEMS ANALYSIS (SY)

Completeness (SY-A):

In general, the overall systems analysis process is good. The modeling is appropriate and is generally consistent with other plant models across the industry. There are many SRs in this set for which the analysis process meets Cat III, however, there are 2 SRs in which Cat II is not currently met.

Correct dependencies for systems modeled as single basic events and review these single basic event models against current industry data and configurations Credit for repair with insufficient justification in the SSIE fault trees A specific example is correcting the dependence of Instrument Air (IAS) on Service Water (SW). Resolution of these issues should allow the Category II (or higher) requirements to be met.

Common Cause/Dependencies (SY-B):

Common cause and dependency issues are in general, satisfactorily addressed. Processes that are in place are good. The only outstanding issue is to add or justify why CCFs are not necessary for battery charger and circuit breakers. It is also recommended that the CCF data be updated from NUREG/CR-5485 as the beta factors used in the Callaway model are currently very conservative. Resolution of this issue will meet at least the Category II requirements for this HLR.

Documentation (SY-C):

The overall documentation packages for SY are very good and provide all the necessary information. The documentation of the systems analysis, while reasonably complete, could benefit from reorganization. There are currently thirty three calculation packages which document different pieces of the systems analysis. The recommendation is to replace these calculations with a single calculation which merges all of these calculations.

This HLR is met to Category II (or better) requirements.

20

Callaway PRA Gap Analysis Report Table 9. Human Reliability Analysis (HR) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: HUMAN RELIABILITY ANALYSIS (HR)

Identification (Pre-Initiators) (HR-A):

The SRs related to this HLR meet the Category II (or better) requirements.

Screening (Pre-Initiators) (HR-B):

The SRs related to this HLR meet the Category II (or better) requirements.

HFE Definition (Pre-Initiators) (HR-C):

The SRs related to this HLR meet the Category II (or better) requirements.

HFE Assessment (Pre-Initiators) (HR-D):

It is expected that Capability Category II (at least) will be met after documentation is added to clarify the following points:

The quality of written procedures (for performing tasks) and administrative controls (for independent review) (HR-D3)

The quality of the human-machine interface, including both the equipment configuration, and instrumentation and control layout (HR-D3)

Identification (Post-Initiators) (HR-E):

The SRs related to this HLR meet the Category II (or better) requirements.

HFE Definition (Post-Initiators) (HR-F):

The SRs related to this HLR meet the Category II (or better) requirements.

HFE Assessment (Post-Initiators) (HR-G):

It is expected that Capability Category II will be met after the following actions are accomplished.

Documenting the reasonableness check of HEPs (HR-G6).

Recovery Modeling (Post-Initiators) (HR-H):

The SRs related to this HLR meet the Category II (or better) requirements.

Documentation (Pre-Initiators and Post-Initiators) (HR-I):

The documentation associated with the HLR-HR-I generally meets the requirements for Capability Category II (at least) with one exception:

The key sources of uncertainty associated with the HRA are not documented.

This issue needs to be resolved in order to fully meet the requirements of Category II.

21

Callaway PRA Gap Analysis Report Table 10. Data Analysis (DA) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: DATA ANALYSIS (DA)

Parameter Definition (DA-A):

The Callaway PRA Data effort meets Capability Category II requirements for this HLR.

Component Grouping (DA-B):

The component grouping and parameter estimation currently meet Capability Category I.

In order to meet the Capability Category II requirements the component groupings for parameter estimations should be re-examined to support reasonable aggregations of data.

The Callaway PRA Data effort will meet Capability Category II requirements for this HLR upon resolution of this grouping issue.

Collection (DA-C):

In general, the overall data analysis process is good. Six SRs associated with this HLR were not met at the Category II Level and fall into three classes:

Lack of documentation/procedures of collection methods used by MR group for plant specific data collection (4 SRs)

Limited collection of components for plant specific data.

Lack of documentation/analysis of plant specific data for repair events.

The data collection effort for the Callaway PRA will meet Category II requirements, once these issues are resolved to ensure that plant specific data is accurately counted and estimated, that the number of components that plant specific data is collected for is sufficient to characterize the failure rates for all components, and that a sufficient basis exists for all repair activities credited. It is also recommended that coincident T&M is examined to ensure that it is correctly accounted for.

Parameter Estimation (DA-D):

The parameter estimation will meet the Category II requirements, once documentation is provided on the data estimates made which are based upon engineering judgment Documentation (DA-E):

Meets Category II requirements.

22

Callaway PRA Gap Analysis Report Table 11. Internal Flooding (IF) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: INTERNAL FLOODING (IF)

Completeness of Flood Area Identification (IF-A):

The Callaway flood area identification process meets the ASME requirements of Category II.

Flood Source Identification and Characterization(IF-B):

The Callaway flood source identification process meets the ASME requirements of Category II.

Flooding Scenario Development (IF-C):

The Callaway flooding scenario development process generally meets the ASME requirements of Category II of HLR-IF-C with the exception of three SRs. These SRs all arise from the treatment of human interactions in a completely generic manner. Revision of the IF analysis to account for plant specific treatment of operator responses will meet the ASME requirements of Category II.

Initiating Event Identification and Quantification (IF-D):

The flood initiating frequencies are based on generic pipe break frequencies and currently meet Capability Category I only. In order to meet the Capability Category II requirements plant-specific information must be considered. The Capability Category II requirements for this HLR will be met upon consideration of plant specific considerations.

Quantification of Flooding Scenarios (IF-E):

The Callaway quantification of flooding scenarios does not meet Category II in four SRs for this HLR. These are grouped in three categories:

Screening criteria Insufficient human reliability analysis (2 SRs)

Lack of consideration of the internal flooding sequences in LERF analysis Each of these areas must be revised to meet the Category II requirements of HLR-IF-E.

Documentation (IF-F):

Meets Category II requirements.

23

Callaway PRA Gap Analysis Report Table 12. Quantification (QU) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: QUANTIFICATION (QU)

Core Damage Frequency Quantification (QU-A):

In general, the Callaway PRA process meets the ASME requirements of Cat II with the exception that the uncertainty analysis has not been updated during the PRA updates. The quantification must account for the "state-of-knowledge" correlation between event probabilities by properly utilizing WinNUPRA to calculate the results uncertainty.

Quantification Methodology (QU-B):

The Callaway PRA process generally meets the ASME requirements of Category II with the exception of the treatment of dependencies between the support system initiating event and the mitigation systems. In order to meet this SR to Category II, the dependencies need to be corrected. It is recommended to link the SSIE fault trees to the event trees.

Dependencies (QU-C):

The Callaway PRA process meets the ASME requirements of Category II of HLR-C.

However, several errors were identified with incorrect transfer of sequence characteristics. While the process is acceptable it places a significant burden on the analyst. The quantification process should be revised to account for the additional capabilities and automation available in the PRA software which will result in less manual manipulation (and potential for error) in the quantification process.

Results Analyses (QU-D):

The Callaway PRA process generally meets the ASME requirements of Category II with the exception of the documentation of a review of a sample of the non-significant sequences/cutsets.

Uncertainty Characterization (QU-E):

The Callaway PRA quantification updates do not calculate the uncertainty associated with the results and therefore do not meet one of the requirements of Category II for this HLR.

Documentation (QU-F):

The documentation of the model quantification accurately documents what was performed during the process, however the manual integration required for several stand-alone pieces of the analysis is not well documented. The recommended changes to the quantification process to integrate the entire internal events (including internal flooding and ISLOCA) would serve to facilitate the use of the quantification process for PRA applications, upgrades, and peer review and meet the Category II requirements.

24

Callaway PRA Gap Analysis Report Table 13. LERF Analysis (LE) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: LERF ANALYSIS (LE)

Plant Damage States (LE-A):

The Callaway Level 2 PRA meets Capability Category II requirements for this HLR.

Contributors to LER (LE-B):

Most of the severe accident phenomena that can result in LERF in a large, dry PWR containment are explicitly addressed in the Callaway Level 2 analysis. It is unclear as to whether containment isolation failure and high pressure melt ejection (HPME) are included. In order to meet the Category II requirements for this HLR, these two issues must be addressed and documented.

Identification of LER Sequences (LE-C):

The Callaway Level 2 PRA meets Capability Category II requirements for this HLR.

Containment Evaluation (LE-D):

The Callaway Level 2 PRA meets most of the Category II requirements for this HLR.

There are three SRs which are not met to Category II requirements, two of which meet Category I. These areas are:

Conservative assessment of secondary side isolation capability for all SGTR sequences (Cat I),

Conservative assessment of induced tube rupture sequences (Cat I),

Completeness of containment isolation analysis.

The first two issues, while not meeting the requirements for Category II explicitly, could be addressed by including a sensitivity study to demonstrate the minimal impact of additional analysis. The issue of the containment isolation analysis needs to be addressed in order to meet the Category II requirements.

Containment Failure Quantification (LE-E):

The Callaway Level 2 PRA meets Capability Category II requirements for this HLR.

LERF Quantification (LE-F):

The Callaway Level 2 PRA meets most of the Category II requirements for this HLR.

There is one SR which is not met to Category II requirements. This results from a lack of uncertainty analysis or sensitivity studies associated with the Level 2 analysis. As a minimum to meet the Category II requirements, the uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

Documentation (LE-G):

Overall, the documentation of the Callaway Level 2 PRA is good. The only portion of the Category II requirements that is not met is the requirement to document key assumptions and key sources of uncertainty, including results and insights from sensitivity studies.

Once this analysis and documentation is completed the Category II requirements will be met.

25

Callaway PRA Gap Analysis Report Table 14. Maintenance and Update (MU) HLR Summary GAP ANALYSIS REVIEW REPORT ELEMENT: MAINTENANCE AND UPDATE (MU)

Inputs (MU-A):

This requirement is met. APA-ZZ-00312.

Consistency with Plant (MU-B):

This requirement is not met. APA-ZZ-00312 does not reference industry guidance and standards. There is no mention of a peer review requirement following a PRA upgrade.

Although the documentation does not contain these requirements, it appears that the guidance is being followed.

Impact of Pending Changes on PRA Application (MU-C):

This requirement is met. APA-ZZ-00312.

Impact of PRA Changes on Previous RI Decisions (MU-D):

This requirement is met. APA-ZZ-00312.

Code Control (MU-E):

This requirement is met. APA-ZZ-00312.

Documentation (MU-F):

This requirement is met. APA-ZZ-00312.

26

Callaway PRA Gap Analysis Report 3.2 External Events During Full Power The gap analysis of the External Events during full power identified several items necessary to meet the Supporting Requirements of ANSI/ANS-58.21-2003. Most of the findings of this gap analysis concern the enhancement of the documentation of the PRA, as opposed to recommending changes in models, data or PRA methodology.

Where additional items were identified as necessary to meet the supporting requirements, F&Os were generated during the gap analysis. The individual F&Os, in some cases, address more than one supporting requirement. The F&Os are presented in Appendices C-1 and C-2.

The high level requirements (HLR) from ANSI/ANS-58.21-2003 which are potentially applicable to the Callaway PRA are:

EXT - Probabilistic Risk Assessment for Other External Events: Requirements for Screening and Conservative Analysis ANA - Probabilistic Risk Assessment for Other External Events: Technical Requirements for Analysis SM - Seismic Margin Assessment: Technical Requirements WIND - High-Winds Probabilistic Risk Assessment: Technical Requirements FLOOD - External-Flooding Probabilistic Risk Assessment: Technical Requirements The Callaway IPEEE was performed using the standard techniques recommended in NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities. With the exception of the SMA and FIVE fire analysis, all other external events were screened from further quantitative evaluation based on conformance with the 1975 Standard Review Plan (SRP). While this screening criterion remains valid in the ANSI/ANS-58.21-2003 standard, in order to meet the requirements of the standard, additional documentation is required. The Callaway IPEEE documentation addresses, as directed in NUREG-1407, seismic events, internal fires, high winds, floods, and transportation and nearby facility accidents. However, NUREG-1407 also states that licensees should confirm that no other plant unique external events with potential severe accident vulnerability arc being excluded from the IPEEE.

The documentation does not discuss the entire range of external events considered and screened. In order to fully meet the EXT HLRs, several items, primarily documentation related, need to be resolved. The following list summarizes the four issues to be resolved:

27

Callaway PRA Gap Analysis Report

1. The ANSI/ANS standard requires a broader examination of external events than performed in the Callaway IPEEE. The list of external events requiring consideration from Appendix A of the standard should be assessed and the reason for screening or evaluation should be documented. This review is not expected to result in identification of any additional events to be evaluated but is needed to show comprehensive coverage (EXT-A1).

2. Similarly, the search for any site-specific or plant-unique external events should be documented (EXT-A2).

3. External events which are screened based on conformance with the 1975 SRP should be examined to assess the impact of any significant changes (plant design, operation, nearby military or industrial facilities, nearby transportation, on-site storage or activities involving hazardous materials, or any other changes that could affect the original design considerations) or revisions to data (extreme local precipitation, high wind data, probable maximum flood, etc.) on the screening basis (EXT-C2).

4. Documentation of the screening process needs to be revised to provide the criteria/basis for the screening classification of each external event (EXT-E1, EXT-E2, EXT-E3).

If the four EXT HLR issues are resolved and result in all events being screened similar to the IPEEE based on conformance to the 1975 SRP requirements, the ANA, WIND, and FLOOD HLRs are not applicable. If however, external events are identified which require additional analysis, this revised analysis needs to be structured to meet the applicable ANA, WIND, and FLOOD HLRs.

The remaining area regarding external events for discussion is the SMA. The SMA was found to be sufficient to meet the SM HLRs with two exceptions related to documentation:

1. Documentation that the required Soil-Structure interaction calculations were performed could not be located and must be provided in order to assure compliance with HLR SM-C4.

2. Documentation of the identification of major contributors to the uncertainty and inclusion of the peer review report are required by HLR SM-H1.

Table 15 provides the numbers of F&Os that were identified for each of the analysis areas for each level of significance as defined previously in Table 3. No F&Os were identified as A/B, since it is believed that the update of the documentation will not result in any additional model revisions, however, the documentation needs to be completed prior to use of the PRA where external events may become an issue.

28

Callaway PRA Gap Analysis Report Table 15. HLR F&O Summary HLR Total F&Os Level A/B Level C EXT 1 0 1 SM 2 0 2 Table 16 provides the text of the requirement and summarizes the assessment for each of the requirements which are not met to Category II.

29

Callaway PRA Gap Analysis Report Table 16: Capability Category II Supporting Requirements Not Met HLR SR Category 2 Requirement Assessment EXT A1 In the list of external events, INCLUDE as a minimum those that are enumerated in the PRA Review performed in accordance with guidance provided Procedures Guide, NUREG/CR-2300 [8] and NUREG-1407 [9] and examined in past studies in NUREG-1407 and used standard review plan for FSAR such as the NUREG-1150 analyses [10]. Appendix A contains the list adapted from to screen items. Appendix A contains additional external NUREG/CR-2300, and this list MAY be used as one acceptable way to meet this events which need to be addressed but should not result in any additional events being identified. This review needs to be documented.

EXT A2 SUPPLEMENT the list considered in (REQ. EXT-A1) with any sitespecific and plant-unique Not documented currently, needs to be documented at a external events. minimum.

NOTE EXT-A2: The purpose of this requirement is to ensure that an unusual type of event is not inadvertently omitted simply because it does not definitely fit into any of the list of events commonly considered and listed in the standard references in (REQ. EXT-A1).

Examples are possible detritus or zebra mussels growth in the river affecting the intake (although they may be considered to have been included in the category "biological events"),

or possible shorelineslump effects (although they may be considered to have been included under "landslide or seiche").

EXT B1 Initial Preliminary Screening: For screening out an external event, any one of the following This IPEEE submittal followed the guidance of NUREG-five screening criteria MAY be used as an acceptable basis: 1407 that required licensees to review the information Criterion 1: The event is of equal or lesser damage potential than the events for which the obtained on the plant design bases and any identified plant has been designed. This requires an evaluation of plant design bases in order to significant changes since the operating license for estimate the resistance of plant structures and systems to a particular external event. conformance with the 1975 Standard Review Plan Criterion 2: The event has a significantly lower mean frequency of occurrence than another criteria. It also required a confirmatory walkdown. As a event, taking into account the uncertainties in the estimates of both frequencies, and the minimum, the significant changes since the completion event could not result in worse consequences than the consequences from the other event. of the IPEEE should be reevaluated.

Criterion 3: The event cannot occur close enough to the plant to affect it. This criterion must be applied taking into account the range of magnitudes of the event for the recurrence frequencies of interest.

Criterion 4: The event is included in the definition of another event.

Criterion 5: The event is slow in developing, and it can be demonstrated that there is sufficient time to eliminate the source of the threat or to provide an adequate response.

NOTE EXT-B1: These criteria are based on those found in the PRA Procedures Guide [8]. The use of these criteria minimizes the likelihood of omitting any significant risk contributors while at the same time reducing the amount of detailed analysis required. In its guidance for the Individual Plant Examination of External Events (IPEEE) procedures and submittals

[9,11], the U.S. Nuclear Regulatory Commission (NRC) staff applied these criteria for the population of operating nuclear power plants in the United States and concluded that only earthquakes, high winds, floods, transportation accidents, and nearbyfacility accidents required evaluation in the IPEEE. However, the NRC staff required that each licensee confirm that no plant-unique external events with the potential to cause severe accidents were being excluded from the IPEEE. In NUREG-1407 [9] , a progressive screening approach is recommended for evaluating high winds, floods, transportation accidents, and nearby-facility accidents in the IPEEE. This IPEEE guidance required all licensees to review the information obtained on the plant design bases and any identified significant changes since the operating license for conformance with the 1975 Standard Review Plan criteria. It also requires a confirmatory walkdown.

30

Callaway PRA Gap Analysis Report Table 16(cont.): Capability Category II Supporting Requirements Not Met HLR SR Category 2 Requirement Assessment EXT B4 REVIEW any significant changes since the U.S. Nuclear Regulatory Commission operating No documentation was reviewed that indicates changes license was issued. In particular, CONSIDER in the review all of the following: (1) military to facilities or transportation near Callaway has been and industrial facilities within 8 kilometers of the site; (2) on-site storage or other activities reviewed since the FSAR review in 1986.

involving hazardous materials; (3) nearby transportation; (4) any other developments that could affect the original design conditions.

NOTE EXT-B4: This short list [(1), (2), and (3)] is specifically identified because it represents the most common areas where a significant change might have occurred since the issuance of the operating license. The 8-kilometer distance is defined in the U.S. Nuclear Regulatory Commission Standard Review Plan [7].

EXT C2 BASE the estimation of the mean frequency and the other parameters of the design-basis Changes to the data due to the collection of experience hazard on state-of-the art hazard modeling and recent data (e.g., annual maximum wind since the IPEEE should be reviewed to determine any speeds at the site, aircraft activity in the vicinity, or precipitation data), or BOUND the impact to the analysis. Data for extreme local estimation for the purposes of a demonstrably conservative analysis. CONSIDER the precipitation analysis has not been updated since 1986 uncertainties in modeling and data in this hazard evaluation. and does not include the heavy rains in the early 1990s.

NOTE EXT-C2: The spirit of a bounding (demonstrably conservative) analysis is such that it is acceptable to use demonstrably conservative modeling and data for the hazard evaluation EXT E1 In the documentation, MEET the general documentation requirements in Section 7. The documentation is weak and inadequate for the current requirements.

EXT E2 For each external event that is screened out, DOCUMENT the approach used for the The documentation is weak and inadequate for the screening (preliminary screening or demonstrably conservative analysis) and the screening current requirements.

EXT E3 In the documentation, INCLUDE any engineering or other analysis performed to support the The documentation is weak and inadequate for the screening out of an external event. current requirements.

SM C4 ENSURE that soil-structure interaction (SSI) analysis is median centered using median Soil-Structure interaction calculations. Documentation properties at soil strain levels corresponding to the review level earthquake input ground that the required Soil-Structure interaction calculations motion. CONDUCT at least three SSI analyses to investigate the effects on response due were performed could not be located.

to uncertainty in soil properties. ENSURE that one analysis is at the median low strain soil shear modulus and additional analyses at the median value times (1+ Cv) and the median value divided by (1 + Cv), where Cv is a factor that accounts for uncertainties in the SSI analysis and soil properties. If adequate soil investigation data are available, ESTABLISH the mean and standard deviation of the low strain shear modulus for every soil layer.

ESTABLISH the value of Cv so that it will cover the mean plus or minus one standard deviation for every layer. For the minimum value of Cv, USE 0.5. When insufficient data are available to address uncertainty in soil properties, USE Cv at a value not less than 1.0.

NOTE SM-C4: Further details about the basis for this requirement can be found in Ref. 25.

SM H1 MEET the general documentation requirements in Section 7. This requirement is not met. The documentation requirements for uncertainty and inclusion of the peer review report for the seismic analysis do not exist.

31

Callaway PRA Gap Analysis Report 3.3 Low Power and Shutdown PRA with External Events The gap analysis of the Low Power and Shutdown PRA with External Events identified several items necessary to meet the high level requirements that are expected to be in the ANS Low Power and Shutdown PRA Standard. The findings of this gap analysis are evenly split between the enhancement of the documentation of the PRA, and the technical changes in models, data or PRA methodology.

Where additional items were identified as necessary to meet the high level requirements, F&Os were generated during the gap analysis. Due to the lack of a draft standard for low power and shutdown PRA a single F&O was developed to indicate the areas thought at the present time to require an upgrade. The F&O is presented in Appendix D-1. Table 17 indicates the assessment of the Callaway Low Power and Shutdown model with respect to each of the requirements that are expected to be in the ANS Low Power and Shutdown PRA Standard.

Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD Plant Operational Using a structured, systematic process, the Capability Category I State (New PRA POS analysis shall identify and expected to be met.

Element) High characterize a set of plant states during Level low-power and shutdown operations that The Callaway Requirement #1 are representative of all the plant states shutdown PRA started not covered in the full-power PRA. with a refueling outage.

IDENTIFY a representative set of Several of the Plant LPSD evolutions (low-power and Operational States shutdown evolutions or outage (POSs) occurring as types include refueling outage, part of the refueling drained-down maintenance outage, outage are also states non-drained maintenance outage, were maintenance is hot shutdown) to be modeled. conducted (e.g. hot For each LPSD evolution, standby or cold REVIEW plant specific shutdown). A documentation (such as Technical systematic review was Specifications, normal shutdown, not conducted of all refueling and startup procedures) outages in order to and records (such as recent outage determine if any plans and records, maintenance additional plant states plans and records, operations data, should be added. For trip. example, the current model has no low 32

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD For each LPSD evolutions, power plant states.

DEFINE the characteristics of each Plant Operational State. Furthermore, plant In characterizing the POSs of each operations personnel LPSD evolution based on relevant were not interviewed as and capable SSCs: ASSESS the part of the ability of each system to mitigate identification and transient and LOCA initiating characterization of events in each POS, preventing plant states.

core damage and large early release.

For Capability Category II and III Interview appropriate plant personnel.

Plant Operational The POS analysis shall justify any Capability Category II State (New PRA grouping of POSs to facilitate the expected to be met.

Element) High practicality and efficiency of the PRA.

Level POSs with less limiting characteristics may Requirement #2 be grouped with a state with more limiting characteristics.

If Plant Operational States from a LPSD evolution are combined into groups to facilitate LPSD tasks the grouping process and definition of final POS conditions shall ensure that the most severe or constraining characteristics (with respect to CD or LER) of any group are chosen for the combined group.

GROUP Plant Operational States Define unique POSs with different plant response impacts.

For Category I, GROUP initiating events that are activity-based.

For Category II and III, CREATE separate POSs for time periods involving activities (operational or maintenance) that could lead to initiating events that are demand-33

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD based.

REVIEW known plans for future refueling outage (e.g. the next) to ensure the grouping remains valid.

Plant Operational The POS analysis shall determine the Capability Category I State (New PRA frequency, duration, and associated expected to be met.

Element) High fraction of a year, along with the Level representative decay heat levels, associated Frequency, duration, Requirement #3 with each POS. and time after DETERMINE the average shutdown data in the frequency and duration of LPSD Callaway low power evolutions based on a review of and shutdown PRA applicable plant specific records. model are based on an Within the LPSD evolutions outage schedule (the selected DETERMINE the average last one or the next duration and time after shutdown one) and did not for each Plant Operational State. consider COMBINE the durations for the adding/averaging all subsumed POSs for the duration of plant states.

the group. .

REVIEW plans to ensure the quantification of decay heat and durations remains valid.

DETERMINE the decay heat level associated with each POS for use in defining and applying success criteria and the timing for operator actions.

Plant Operational The POS analysis shall be documented in a Capability Category II State (New PRA manner that facilitates PRA applications, expected to be met.

Element) High updates, and peer review by describing the Level processes that were followed to identify, Requirement #4 group, screen the POS list and to model and quantify the POS frequencies, durations, and fraction of the year with the assumptions and bases stated.

Document Identification and Characterization of LPSD 34

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD evolutions and Plant Operational States Document Grouping of Plant Operational States Document Quantification of Plant Operational States Document key assumption Document interfaces with other PRA tasks HLR-IE-A The initiating event analysis shall provide Capability Category II a reasonably complete identification of expected to be met initiating events for all identified Plant (conditionally) operational states. assuming there are no Special emphasis is placed on changes to the POS review of plant evolutions (e.g., definitions based on reducing water level to midloop for comments above PWRs and hydro testing for (specifically for IE-A5 BWRs) and maintenance activities the experience from all (including plant realignment in POSs is to be reviewed, preparation for maintenance) during shutdown POSs to identify initiating events unique to these operating conditions.

For a LPSD analysis it is necessary to define what is meant by normal plant operation for each POS. Once normal plant operation for a POS is defined, events are identified which challenge that operation.

For ASME requirement IE-A5, it is important to review experience from all POSs.

HLR-IE-B The initiating event analysis shall group Capability Category II the initiating events so that events in the expected to be met.

same group have similar mitigation requirements (i.e., the requirements for most events in the group are less restrictive 35

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD than the limiting mitigation requirements for the group) to facilitate an efficient but realistic estimation of figures-of-merit (e.g., CDF). (Note that this grouping must be done in coordination for how the POSs are grouped, in which case the grouping combinations shall be delineated.)

Care must be taken in grouping initiating events for LPSD because of the variety of system configurations that are entered.

Identifying the bounding or worst case could require a careful review of plant operational practices.

HLR-IE-C The initiating event analysis shall estimate Capability Category I the annual frequency of each initiating or II expected to be met event or initiating event group. (depending on If the PRA is being used for some resolution of this purpose other than calculating issue). The Callaway annual average risk, then it may low power and not be necessary to account for the shutdown PRA was fraction of time the plant is in a made for some particular POS. The decision of purpose other than whether to account for such a calculating the average fraction will be dependent upon the annual risk application.

For requirement IE-C4, just as with the ASME Standard, the numerical screening criteria are appropriate for an annual average risk calculation. If the PRA is to be used for other types of analyses, then it is possible that different numerical criteria might need to be developed. Development and defense of such criteria would be a unique obligation of such an analysis.

When fault trees are used to 36

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD quantify support system initiating events, it is important to account for the amount of time the support system can cause the initiating event.

For requirement IE-C12, ASME discussion applies during low-power and hot standby conditions and is not applicable during shutdown conditions.

HLR-IE-D The initiating event analysis shall be Capability Category II documented in a manner that facilitates expected to be met.

PRA applications, upgrades, and peer review by describing the processes that were followed to select, group, and screen the initiating event list and to model and quantify the initiating event frequencies, with assumptions and bases stated.

For ASME IE-D3 Item (g) does not apply to shutdown conditions.

HLR-AS-A The accident sequence analysis shall Capability Category II describe the plant-specific scenarios that expected to be met.

can lead to core damage following each initiating event or initiating event category.

These scenarios shall address system responses and operator actions, including recovery actions that support the key safety functions necessary to prevent core damage.

HLR-AS-B Dependencies that can impact the ability of Capability Category I the mitigating systems to operate and expected since another function shall be addressed. plants data was used to For example, identify, the assess the viability of mitigating systems impacted by the recirculation from the occurrences of the initiator and the containment sump.

event of the impact (eg.

dependency between an operator induced initiating event and recovery events especially at 37

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD shutdown)

For each critical safety function, IDENTIFY its dependence on the success or failure of preceding functions. INCLUDE the impact on accident progression. For example:

Operator control of fill & spill in a PWR. In some cases, operators are directed to control the rate of feed to match boil-off. Success of this action has two ramifications: (1) it may avoid the need to go to recirculation and (2) it adds heat to the containment that may require containment heat removal systems to operate. Failure to control flow (i.e., over feeding), leads to a need for recirculation, but may not require additional heat removal capability beyond the recirculation system For example, systems that might not be available at the start of an accident due to the plants operational state could become available during the progression from initiating event to core damage. (RCIC is initially unavailable during Cold Shutdown due to the lack of steam).

An example of a phenomenological condition that could affect accident progression is viability of recirculation from the containment.

For shutdown, include the dependence between the initiator and subsequent recovery events.

For example: An operator-induced loss of RHR followed by recovery of RHR due to the time phased recovery applicable to the plant operational state being modeled (also see HR-H3).

38

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD HLR-AS-C Documentation shall be performed in a Capability Category II manner that facilitates peer review, as well expected to be met.

as future upgrades and applications of the PRA by describing the processes that were used, and providing details of the assumptions made and their bases.

HLR-SC-A The overall success criteria for the PRA Capability Category I and the system, structure, component and expected to be met.

human action success criteria used in the The current low power PRA shall be defined and justified, and and shutdown success shall be consistent with the features, criteria have been procedures, and operating philosophy of developed by the plant. extrapolating full power data.

HLR-SC-B The thermal/hydraulic, structural and other Capability Category I supporting engineering bases shall be expected to be met.

capable of providing success criteria and The current low power event timing sufficient for quantification of and shutdown success CDF, and LERF, determination of the criteria have been relative impact of success criteria on SSC developed by and human action importance, and the extrapolating full impact of uncertainty on this power data. Plant-determination. specific analyses were Full-power success criteria are not not available.

always bounding for LPSD conditions HLR-SC-C Documentation shall be performed in a manner that facilitates peer review, as well as future upgrades and applications of the PRA, by describing the processes that were used, and providing details of the assumptions made and their bases.

HLR-SY-A The systems analysis shall provide a Capability Category I reasonably complete treatment of the expected to be met.

causes of system failure and unavailability modes represented in the initiating events Walkdowns need to be analysis and sequence definition. documented, and the For LPSD states, look for outage- shutdown system specific planning guides, temporary 39

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD system alignments, etc. models need to be For LPSD states, past outages confirmed that they are should be reviewed to determine current (e.g. that unique system operating states system fault tree (e.g., temporary power or cooling) changes to the full that should be included in sequence power model may also models. apply during shutdown.

Additional systems walkdowns would be necessary for systems and alignments not modeled in the full-power PRA. Systems that perform similar functions during LPSD and full-power conditions may not need additional walkdowns if included in the full-power PRA.

During LPSD conditions, additional human failure events (HFEs) are expected due to the different POSs.

The capability to remove differing sets of SSCs for maintenance and testing is a unique characteristic of shutdown conditions.

In some shutdown cases where relatively long times are available before core damage, more credit for restoration of equipment could be feasible than is true for at-power models.

HLR-SY-B The systems analysis shall provide a Capability Category II reasonably complete treatment of common expected to be met.

cause failures, intersystem and intra-system dependencies, as well as dependencies on Plant Operational States.

For LPSD analyses, actuation signals sometimes vary by POS or might not be present.

HLR-SY-C The systems analysis shall be documented Capability Category II in a manner that facilitates PRA 40

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD applications, upgrades, and peer review by expected to be met.

describing the processes that were followed to select, to model, and to quantify the system unavailability.

Assumptions and bases shall be stated.

HLR-HR-A A systematic process shall be used to None of the criteria identify those specific routine activities are met since the Low which, if not completed correctly, may Power and Shutdown impact the availability of equipment PRA does not model necessary to perform system function human reliability modeling in the PRA. events occurring Normal operational or standby before the initiating conditions vary by POS. However, events.

it is the responsibility of the analyst to identify activities based on the requirements of HR-A, not based on another PRA (i.e., not based on the full-power PRA).

Infrequent maintenance configurations and procedures are worthy of more careful evaluation. These would include procedures that have not gone through the long in-service use of EOPs, normal maintenance procedures, or outage procedures that have been used for many outages.

Review of LPSD operational events can assist the analyst identify activities and alignments that have led to HFEs.

Same as ASME Standard, extended to account for the fact that many responses are manual during LPSD conditions.

As a special case for requirement HR-A3, note that, during LPSD conditions, pre-initiator activities can be important when they impact the only available train.

HLR-HR-B Screening of activities that need not be None of the criteria 41

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD addressed explicitly in the model shall be are met since the Low based on an assessment of how plant- Power and Shutdown specific operational practices limit the PRA does not model likelihood of errors in such activities. human reliability Screening can only be done on a events occurring POS by POS basis, i.e., the before the initiating screening criteria are met for each events.

particular POS, for the activity to be screened. In each POS, the previous and current sequence of events are relevant.

As a special case of this requirement, note that, during LPSD conditions, pre-initiator activities can be important when they impact the only available train.

HLR-HR-C For each activity that is not screened, an None of the criteria appropriate human failure event (HFE) are met since the Low shall be defined to characterize the impact Power and Shutdown of the failure as an unavailability of a PRA does not model component, system, or function modeled in human reliability the PRA. events occurring AMSE Requirement HR-C3 is before the initiating extended to account for the fact events.

that many responses are manual during LPSD and recognizing that miscalibration can be especially troublesome if only one train of equipment is available (e.g., it can lead to so-called error of commission in stopping running equipment).

HLR-HR-D The assessment of the probabilities of the None of the criteria pre-initiator human failure events shall be are met since the Low performed by using a systematic process Power and Shutdown that addresses the plant-specific and PRA does not model activity-specific influences on human human reliability performance. events occurring before the initiating 42

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD While standard HRA methods may events.

be appropriate for pre-initiator events during LPSD, some adaptation of the methods may be required due to unusual conditions existing during LPSD. In particular consider the possible impacts of:

Dependence among the many human actions occurring during LPSD Highly variable time frame for returning equipment to service and for detection of errors Changing configurations (POS and maintenance)

Many seldom-used maintenance procedures are carried out.

Administrative controls during LPSD include control of additional conditions than at power; e.g., RCS configuration changes and extensive maintenance activities.

Uncertainties in HEPs for some pre-initiator HFEs may be broad, for the reasons identified in the commentary to HR-D1.

HLR-HR-E A systematic review of the relevant Capability Category I procedures shall be used to identify the set expected to be met. No of operator responses required for each of operator interviews or the accident sequences. talk-throughs however As reviews are specialized to LPSD were used to identify conditions: human failure events.

Reviews can only be done on a POS by POS basis, as conditions and cues to operators can vary widely among POS's Procedures applicable during LPSD have much less practical verification than at power procedures; be sure to search for traps and discuss with operators and 43

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD maintenance personnel Consider the fact that personnel are less familiar with LPSD procedures Talk-throughs are especially important, because use of control room simulators for shutdown scenarios is limited. Use simulators for scenarios that move quickly enough for practical study and to explore potential difficulties in identified scenarios.

HLR-HR-F Human failure events shall be defined that Capability Category II represent the impact of not properly expected to be met.

performing the required responses, consistent with the structure and level of detail of the accident sequences.

This can only be done on a POS by POS basis, as conditions and cues to operators can vary widely among POSs.

HLR-HR-G The assessment of the probabilities of the Capability Category I post-initiator HFEs shall be performed expected to be met.

using a well defined and self-consistent The current Callaway process that addresses the plant-specific HRA does not have a and scenario-specific influences on human dependency analysis.

performance, and addresses potential dependencies between human failure events in the same accident sequence.

Most methods require adaptation to handle the special LPSD considerations tabulated below. Many methods can be adapted to address such issues, even when they have no existing guidelines for 44

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD their resolution. Newer methods are structured to consider these and other aspects of context.

Most detection and nearly all actions are manual (especially in PWRs)

Many initiating events are so-called errors of commission; when few events are available, quantification relies on Bayesian analysis and expert judgment Dependence among human actions is affected by process activities (moving from POS to POS), maintenance activities, operator-induced initiating events, operational response actions, and recovery actions Several correlated performance shaping factors can be involved Impacts of instrument failures and control system failures on operator performance can be very important Highly variable time frames for detection and action from minutes to hours to days and weeks (for similar actions, they may occur at various times/conditions in the outage)

Data imbedded in some HRA methods include unstated assumptions about the nature of plant conditions, validity of situation model, extent of EOP (detail, applicability), extent of training, availability of automatic detection Changing configurations (POS and maintenance) mean that operators are less secure in their situation model Many seldom-used procedures are carried out EOPs are less thoroughly tested and exercised; they can be less applicable 45

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD to specific POS/Maintenance Configuration conditions Pre-initiators can cause problems with post-initiator restoration The ASME standard did not address all things that will have post-maintenance /

restoration test, but because of delay in testing during LPSD conditions, they could be unavailable for prolonged periods following maintenance. Therefore, administrative practice is important to the evaluation for LPSD conditions.

Uncertainties in HEPs for many post-initiator HFEs in all POSs will be broad, for the reasons identified in the note above HLR-HR-H Recovery actions (at the cutset or scenario Capability Category I level) shall be modeled only if it has been expected to be met.

demonstrated that the action is plausible The current Callaway and feasible for those scenarios to which HRA does not have a they are applied. Estimates of probabilities dependency analysis.

of failure shall address dependency on prior human failures in the scenario.

The requirement for a formal procedure can be relaxed for scenarios late in the outage, with very long time for recovery. Note that similar recovery actions can have very different PSFs from POS to POS.

Include dependence with any human action causing the initiating event. Beware of the increased chance of dependency as described in the HR-G bullets.

HLR-HR-I The HRA shall be documented in a manner Capability Category I that facilitates PRA applications, upgrades expected to be met.

and peer review by describing the 46

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD processes that were used, and providing details of the assumptions made and their bases.

Include dependence with any human action causing the initiating event. Beware of the increased chance of dependency as described in the NOTE at HR-G.

HLR-DA-A Each parameter shall be clearly defined in Capability Category II terms of the logic model, basic event expected to be met.

boundary, and the model used to evaluate event probability.

One common source for many data analysis methods and techniques is:

Atwood, C.L., J.L. LaChance, H.F. Martz, D.J. Anderson, M. Englehardt, D.

Whitehead, and T. Wheeler, Handbook of Parameter Estimation for Probabilistic Risk Assessment, NUREG/CR-6823, SAND2003-3348P, U.S. Nuclear Regulatory Commission, Washington, DC, September 2003.

It provides advice on selecting appropriate models.

HLR-DA-B The rationale for grouping components Capability Category II into a homogeneous population for the expected to be met.

purposes of parameter estimation shall consider both the design, environmental, and service conditions of the components in the as-built and as-operated plant.

One source that provides a range of statistical tests to complement engineering characteristics for grouping data is the Handbook of Parameter Estimation for Probabilistic Risk Assessment.

HLR-DA-C Generic parameter estimates shall be Capability Category I chosen and plant-specific data shall be expected to be met collected consistent with the parameter since the new 47

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD definitions of HLR A and the grouping supporting requirement rationale of HLR B. to collect timeline data This can only be done on a POS- was not accomplished specific basis. Use of the same over a wide range of estimates in multiple POS requires outages.

care and justification.

One source for shutdown-related initiating event data, see EPRI-TR-113051 (Reference 12).

Generally equipment failure data are no different during shutdown than during operations. However, several factors are important, when considering using normal failure data. The following factors can affect all parameter estimates, not just equipment failure rates:

Maintenance, construction, and installation activities can be the direct cause of failure (e.g., draining the RCS can lead to pump cavitation and failure, calibration of pressure instruments can cause MOVs to fail closed, etc.)

Maintenance, construction, and installation activities can be the cause of direct physical damage to supposedly unaffected components Satisfactorily conducted post-maintenance, construction, and installation tests are important to the performance of all components Long outages with equipment far outside normal operating conditions and test practice can affect successful performance Systems analysis models can account for different test and operating practice during the outage Parameter estimates are affected by 48

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD special configuration (RCS and maintenance) that occur during LPSD Caution is required for ASME Requirement DA-C3, because changes in outage practice are occurring. Refueling occurs less often, outages are getting much shorter, some forced outages are far less frequent, and planning is improving. The analyst is faced with playing off the value of historical data against its current relevance. He tempers new plans with knowledge of past problems.

Generalized Bayesian methods and expert elicitation techniques may be needed.

The NRCs Handbook of Parameter Estimation for Probabilistic Risk Assessment provides some useful how to guidance for such situations.

For ASME Requirements DA-C6, the counts may need to be specialized to LPSD conditions and even to specific shutdown maintenance conditions.

The timing information may need to be specialized to LPSD conditions and even to specific shutdown maintenance and POS conditions.

ASME Requirements DA-C12 will be modified to account for LPSD conditions.

Note that out of service unavailability data are very different for shutdown conditions, 49

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD primarily because Equipment unavailabilities are correlated by planned maintenance configurations; they are no longer independent as for corrective maintenance at-power Equipment repair is more a function of outage schedule and outage management than actual time required to complete repair Outage times may be much longer than at power [i.e., there may be no LCO and outage management considerations may defer restoration to service; thus data for outage time is often be based on policy and outage practice, rather than past experience (full-power data are irrelevant to such cases)]

For ASME Requirement DC-C14 repair data can be very different for shutdown conditions, primarily because the equipment repair is more a function of outage schedule and outage management than actual time. Or Outage times may be much longer than at power [i.e.,

there may be no LCO and outage management considerations may defer restoration to service; thus data for outage time can often be based on policy and outage practice, rather than past experience (full-power data are irrelevant to such cases)]. Realistic assessment of repair/ restoration depends on a realistic assessment of LPSD conditions on a POS-by POS basis. Cognizance of outage planning considerations is 50

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD essential.

For ASME Requirement DA-C15, other planned maintenance activities can have a major impact on recovery of off-site power Outage and POS-specific corrections may be required.

NEW Supporting Requirement -

COLLECT plant-specific outage timeline data, accounting for POS start time and duration and special maintenance configurations for each LPSD evolution (see also POS-C1, C2).

This new supporting to provide new data not required for full-power conditions. It is a function of the outage plan and uncertainties in the plant staffs ability to meet that plan. Thus data collection includes elicitation of expert information.

Uncertainty information can be developed from time lines of previous outages combined with expert elicitation. In such cases, the line between data gathering and parameter estimation (DA-D) gets a bit fuzzy. All indications are that such data are very plant-specific and vary with time, especially in recent years.

Data may be collected and assembled differently for average risk calculations and outage-specific assessments.

HLR-DA-D The parameter estimates shall be based on Capability Category I relevant generic industry or plant specific expected to be met.

evidence. Where feasible, generic and Plant-specific loss of plant specific evidence shall be integrated offsite power initiating using acceptable methods to obtain plant event frequency and specific parameter estimates. Parameter diesel generator data estimates for the important parameters during shutdown shall be accompanied by a characterization should be considered of the uncertainty. and if not used, then 51

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD USNRC PRA Data Handbook explain why not used.

provides additional guidance.

For ASME Requirement DA-D6, note that equipment common cause failure data is a difficult area for LPSD conditions. Many of the underlying causes of common cause failure can be affected by physical activities during outages, changes in plant conditions, and outside personnel having access to plant equipment.

Full-power common cause data may be applicable to the POS and maintenance activities during each phase of LPSD.

However, adjustments are often necessary.

Cognizance of the many controls the plant has in place to keep workers from interacting with the protected train helps ensure that CCF probabilities are realistic .

Good points and probably a better area to focus data assessment on rather than changing equipment failure rates with each POS. Are there any references where this has been performed before?

HLR-DA-E Documentation shall be performed in a Capability Category II manner that facilitates peer review, as well expected to be met.

as future upgrades and applications of the PRA by describing the processes that were used, and providing details of the assumptions made and their bases.

The documentation requirements ensure there is a record of how the special conditions that exist during LPSD are accounted for in the analysis. They provide a picture of the POS by POS differences in the data and parameter estimation.

HLR-IF-A Different flood areas of the plant and the None of the criteria 52

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD SSCs located within such areas SHALL be are met since the Low identified. Power and Shutdown The collection of data for LPSD PRA does not model includes verification of temporary internal flooding.

alignments for the specific outage, or outages being modeled in the average LPSD model. For example, opened/impaired hazard doors, opened covering drains, additional sources of floods.

For outage work activities with potential for temporary impairment of flood doors/barriers and potential for maintenance-induced floods, risk management actions are required and may include limiting the allowed impairment time (AIT) of flood barriers and using compensatory measures and contingency plans.

Walkdown for shutdown POSs might be needed if configuration differs from full-power.

HLR-IF-B The potential flood sources in the plant and None of the criteria their associated flooding mechanisms are met since the Low SHALL be identified. Power and Shutdown Maintenance-induced events could PRA does not model be more critical during LPSD. internal flooding.

HLR-IF-C The potential flooding scenarios SHALL None of the criteria be developed for each flood source by are met since the Low identifying the propagation path(s) of the Power and Shutdown water and the affected SSCs. PRA does not model Automatic responses likely to internal flooding.

differ from full power; examples of flood scenarios originating when no one is watching (filling is going on and workers are on break) are apparent in flood data HLR-IF-D Flooding-induced initiating events SHALL None of the criteria be identified and their frequencies are met since the Low 53

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD estimated. Power and Shutdown Databases such as INPO/EPIX, PRA does not model lessons learned from industry internal flooding.

outages, and lessons learned from self-assessment of previous outages are good sources for identifications of flood-induced initiating events and their frequencies.

HLR-IF-E Flood-induced accident sequences SHALL None of the criteria be quantified. are met since the Low Power and Shutdown PRA does not model internal flooding.

HLR-IF-F The internal flooding analysis SHALL be None of the criteria documented consistent with the applicable are met since the Low supporting requirements. Power and Shutdown PRA does not model internal flooding.

HLR-QU-A The level 1 quantification shall quantify Capability Category II core damage frequency and shall support expected to be met.

the quantification of LERF.

Quantification is to be performed separately by POS groups and then aggregated.

HLR-QU-B The quantification shall use appropriate Capability Category II models and codes, and shall account for expected to be met.

method-specific limitations and features.

HLR-QU-C Model quantification shall determine that Capability Category II all identified dependencies are addressed expected to be met.

appropriately.

HLR-QU-D The quantification results shall be Capability Category I reviewed and significant contributors to expected to be met CDF, such as Plant Operational States, since results were initiating events, accident sequences, basic reviewed and events (equipment unavailabilites and significant contributors human failure events) shall be identified. were not identified.

The results shall be traceable to the inputs and assumptions made in the PRA.

54

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD HLR-QU-E Uncertainties in the PRA results shall be Capability Category I characterized. Key sources of model expected to be met uncertainty and key assumptions shall be since uncertainty was identified, and their potential impact on the not conducted.

results understood.

HLR-QU-F Documentation shall be performed in a Capability Category II manner that facilitates peer review, as well expected to be met.

as future upgrades and applications of the PRA by describing the processes that were used, and providing details of the assumptions made and their bases.

HLR-LE-A Core damage sequences shall be grouped None of the criteria Plant Damage into plant damage states based on their are met since the Low Analysis accident progression attributes. Power and Shutdown Some examples may not apply to PRA does not model all POSs (e.g., high RCS pressure large early release.

is not possible with the reactor vented; containment open).

An example of ASME Requirement LE-A1 is time after shutdown HLR-LE-B The accident progression analysis shall None of the criteria Accident include an evaluation of the credible are met since the Low Progression contributors (e.g., phenomena, equipment Power and Shutdown Analysis failures, human actions) to a large early PRA does not model release. large early release.

The potential for air oxidation and its affect on releases of radionuclides, such as ruthenium, is being researched. Therefore this issue is beyond the state-of-the-art and is out of the scope of this standard, at this point.

For ASME Requirements HLR-LE-B2 Capability Category II and III:

DETERMINE the containment challenges (e.g., temperature, pressure loads, debris impingement) resulting from contributors 55

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD identified in LE-B1 in a realistic manner.

Conservative treatment or a combination of conservative and realistic treatment is used for nonsignificant phenomena.

CONSIDER differential pressure loadings on the RCS and vessel support capabilities during vessel failure and blowdown, in order to address whether RCS motions may impact containment integrity.

USE plant-specific containment thermal hydraulic analyses to model containment and RPV/RCS response under severe accident progression. The thermal/hydraulic computer codes used are developed, validated, and verified in sufficient detail to analyze the phenomena of interest, are applicable in the pressure, temperature, and flow range of interest, and are utilized by qualified trained users who have an understanding of the code and its limitations.

HLR-LE-C The accident progression analysis shall None of the criteria include identification of those sequences are met since the Low that would result in a large early release. Power and Shutdown For Capability Category II, the PRA does not model criteria in Appendix A of large early release.

NUREG/CR-6595, Rev. 1, for LER provide an acceptable alternative during transition from full power operation to shutdown operation.

For shutdown operation, CONSIDER radionuclide decay.

For transition from shutdown operation to full power operation, ACCOUNT for core changes during the outage.

These screening criteria may be applied to individual core damage sequences, as well as entire plant damage states (PDSs) or POSs, 56

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD provided the criteria can be shown to apply to the entire PDS or POS.

HLR-LE-D The accident progression analysis shall None of the criteria include an evaluation of the containment are met since the Low structural capability for those containment Power and Shutdown challenges that would result in a large PRA does not model early release. large early release.

The containment may be open or have a reduced pressure capability during shutdown. The calculation of containment capacity will be associated with the capacity of temporary closures for certain POSs.

TREAT thermally-induced SG tube rupture in a conservative manner.

ASME Requirement LE-D6 is the same as ASME-2005 except for the addition of the need to consider operator action and closure time for containment status during shutdown POSs.

HLR-LE-E The frequency of different containment None of the criteria LERF failure modes leading to a large early are met since the Low Quantification release shall be quantified and aggregated. Power and Shutdown For ASME Requirement LE-E3 PRA does not model Capability Category II, include as large early release.

LERF contributors potential large early release (LER) sequences identified from the results of LE-C except those LER sequences justified as non-LERF contributors in LE-C1.

For ASME Requirement LE-E3 Capability Category III, include as LERF contributors potential large early release (LER) sequences from the results of LE-C.

57

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD HLR-LE-F The quantification results shall be None of the criteria reviewed and significant contributors to are met since the Low LERF, such as plant damage states, Power and Shutdown containment challenges and failure modes, PRA does not model shall be identified. Sources of uncertainty large early release.

shall be identified and their impact characterized.

For ASME Requirement LE-F1a Capability Category II and III:

PERFORM a quantitative evaluation to determine the relative contribution to LERF from plant damage states and significant LERF contributors from Table 4.5.9-3.

HLR-LE-G The LERF analysis shall be documented None of the criteria Documentation consistent with the applicable supporting are met since the Low requirements. Power and Shutdown New Supporting Requirement: PRA does not model LE-G7 Document core damage large early release.

sequences, plant damage states, and POSs screened and the technical justification.

HLR-EXT-A The LPSD external events analysis shall None of the criteria Screening and include screening analysis of external are met since the Low Bounding events that are unimportant at the site, and Power and Shutdown Analysis may also include bounding analysis PRA does not model (demonstrably conservative analysis) for external events.

some of these events.

HLR-EXT-B The LPSD external events analysis shall None of the criteria Hazard Analysis include a hazard analysis. are met since the Low Power and Shutdown PRA does not model external events.

HLR- EXT-C The LPSD external events analysis shall None of the criteria Plant Operational include the identification of each relevant are met since the Low State (POS) Plant Operational State (POS). Power and Shutdown 58

Callaway PRA Gap Analysis Report Table 17: Assessment of Callaway Low Power and Shutdown PRA Model with Respect to Expected Requirements Designator High Level Requirement Gap Between Callaway and STD PRA does not model external events.

HLR- EXT-D The LPSD external events analysis shall None of the criteria Initiating Events include the identification of the character are met since the Low of all initiating events caused by the Power and Shutdown hazard. PRA does not model external events.

HLR- EXT-E The LPSD external events analysis shall None of the criteria List of SSCs include the identification of the relevant are met since the Low list of SSCs. Power and Shutdown PRA does not model external events.

HLR- EXT-F The LPSD external events analysis shall None of the criteria Fragility Analysis include fragility analysis for those SSCs are met since the Low identified as relevant. Power and Shutdown PRA does not model external events.

HLR- EXT-G The LPSD external events analysis shall None of the criteria Systems Analysis include a systems analysis. are met since the Low Power and Shutdown PRA does not model external events.

HLR- EXT-H The LPSD external events analysis shall None of the criteria Integration include integration to produce CDF and are met since the Low LERF. Power and Shutdown PRA does not model external events.

HLR- EXT-I The LPSD external events PRA analysis None of the criteria Documentation shall be documented in a manner that are met since the Low facilitates applying the PRA and updating Power and Shutdown it, and that enables peer review. PRA does not model external events.

3.4 Internal Fire During Full Power As indicated in Section 2.4, the Callaway Fire Analysis is not included in the gap analysis review.

59

Callaway PRA Gap Analysis Report 4.0 Recommendations The gap analysis identified a number of items necessary for the internal events PRA to meet the Supporting Requirement of ASME RA-Sb-2005. Most of the findings of this gap analysis concern the enhancement of the documentation of the PRA, as opposed to recommending changes in models, data or PRA methodology. Many of the findings are indicative of the age of the PRA and the documentation requirements at that time. Many of the subtasks were individually documented in separate calculation packages during performance of the IPE.

The level of day-to-day and enhanced usage desired of todays PRA models was not envisioned at the time of the Callaway PRA development. The need for readily accessible documentation has significantly increased as the model usage and applications have become more sophisticated. Additionally, evaluation code limits at the time of the Callaway PRA development provided constraints on the combined solution and aggregation of the entire internal events PRA results. Since that time significant advances have been made to the PRA evaluation codes which should be applied to make the quantification and reporting of results more automated and easier to use. As a result of all of these factors, the AmerenUE staff can significantly increase the efficiency when using the Callaway model and ensure a model which meets the Capability Category II requirements of ASME RA-Sb-2005 by resolution of the findings of this gap analysis.

Table 18 provides a consolidated list of the recommended modifications to the Callaway internal events PRA model. The fifty-eight F&Os are grouped into logical categories to form thirteen tasks. The specific SRs and F&O addressed by each of the identified tasks are identified and a rough estimate of the level of effort is provided in the table.

The gap analysis identified several items necessary for the external events analysis to meet the applicable Supporting Requirement of ANSI/ANS-58.21-2003. Most of the findings of this gap analysis concern the enhancement of the documentation of the identification and screening of external initiating events, as opposed to recommending changes in models, data or PRA methodology. These findings are more indicative of the age of the IPEEE and the documentation requirements at that time than of any deficiency.

The gap analysis for the low power and shutdown PRA identified numerous items however due to the lack of a draft standard caution should be taken with respect to upgrades of the model and documentation. In contrast to the F&Os generated for the internal events PRA, the F&Os generated for the external events analysis and the low power and shutdown PRA evaluations are independent and not amenable to additional grouping and are included individually in Table 18. The specific SRs and F&O addressed by each of the identified tasks are identified and a rough estimate of the level of effort is provided in the table. While it is not expected that any additional quantitative analysis will be required for the external events analysis, the documentation effort associated with satisfying the EXT HLRs may result in identifying additional analyses to satisfy the ANA, WIND, and FLOOD HLRs.

60

Callaway PRA Gap Analysis Report Table 18 - Callaway PRA Recommended Modifications Cat Effort (MW)

Task II No. SRs Recommended Modifications Met Doc Model FO_No Lower Upper 1

Documentation upgrade for Initiating Event Analysis - Combine the multiple calculation packages currently documenting the IE analysis into a single coherent calculation using the list in SR IE-D2 as a guide. If possible, provide a section which summarizes the assumptions and sources of uncertainty. Additions include:

1) Document FMEAs performed to identify SSIEs and the resolution of each systems status as SSIE,

2) Document basis for excluding events which occur at non-power,

3) Document the review of operating experience to identify plant specific precursor events, IE-1, IE-2, IE-A1, IE-A3a, IE-A6, 4) Document the comparison of the Callaway initiator frequencies, particularly the IE-5, IE-14, IE-D1, IE-D2, IE-D3, SSIEs, with generic values. IE-3, IE-4, IE-A4, IE-A5, IE-A7, 5) Document justification of informative prior distributions used. IE-6, IE-9, IE-C2, IE-C10 6) Make sure the PRA Update plans address revisitation of Initiating Event Identification No X IE-12 2 4 2 Upgrade to Quantification Process - The quantification process is generally set up correctly but the clarity and ease of use would benefit from revising the quantification process to take full advantage of the software capability. The recommended changes to the quantification process to integrate and automate the entire internal events (including internal flooding) model would serve to facilitate the use of the quantification process for PRA applications, upgrades, and peer review. As a minimum, the top cutsets (500?) need to be reviewed to make sure that the transfers, logic, house event QU-F1, QU-F2, QU- setting are yielding realistic combinations. Following the requantification, the C3, QU-D1a, QU- documentation should be developed to provide the required information from QU-F2. QU-3, QU-4, D1b, QU-D1c, MU- In addition Procedure APA-ZZ-00312 should be revised to reference the ASME QU-8, QU-9, B3, MU-B4 Standard and consider peer reviews No X X MU-1, MU-2 4 8 Merge the support system initiating event fault trees into the model to help insure IE-C7, IE-C8, QU-B9 dependencies are properly treated. No X X IE-11, QU-2 IE-C1b, IE-C9, SY- Repair events included in recovery of the Loss of CCW and Loss of SWS need to be A22, DA-C14 justified in light of the requirements. No X X IE-8 Revise the ISLOCA analysis as necessary based on the work being performed for the fire PRA and incorporate the quantification into the main model. Document full ISLOCA IE-C12 in one calculation. No X X IE-13 Develop and document event trees for transfers currently quantified only with an AS-A11 OCL(e.g., seal LOCA, stuck open PORV) and ensure that dependencies are retained. No X X AS-2, AS-4 Include a review of a sampling of non-significant cutsets/accident sequence cutsets in QU-D4 the PRA Update procedure and perform during next requantification. No X QU-5 61

Callaway PRA Gap Analysis Report Table 18 - Callaway PRA Recommended Modifications Cat Effort (MW)

Task II No. SRs Recommended Modifications Met Doc Model FO_No Lower Upper The recommended consolidation of documentation for the various areas of the PRA will enhance the visibility of the sources of model uncertainty and key assumptions and QU-E1, QU-E2, QU- allow their consolidation in the quantification. This should be an area which is visited F4 during each model update. No X QU-6, QU-10 Consider redefining significant terms to match the ASME definitions, otherwise justify QU-F6 the Ameren definition. No X QU-11 Review and document the dependence of mitigating systems on the initiating events to AS-B1, AS-B2, QU- ensure they are accurately reflected. See F&Os AS-1, AS-3, AS-5, and AS-7 for AS-1, AS-3, A2a, AS-B6 specific examples. No X AS-5, AS-7 During each model update, the sensitivity studies being run should be reviewed and QU-E4 revised if necessary. Yes X QU-7 3 Identify scenario specific automatic and operator responses with the ability to impact IF-C2a, IF-C6, IF-C8, the flooding analysis. Perform a human reliability analysis to determine any HEP IF-3, IF-4, IF-IF-E5, IF-E5a values. No X 5 IF-D5, IF-D5a Consider plant specific information as indicated in SR IF-D5a No X IF-1 IF-E3a Revise the flood screening using a 1E-9/yr screening criteria No X IF-2 IF-E7 Revise the LERF analysis to include appropriate flooding scenarios No X IF-6 25 50 4

HRA Documentation Fixes -

1) Documentation should be updated to add a ground rule statement that the quality of written procedures is considered in the operator-procedure interface failure mechanisms of the CBDTM, and in the error of omission parts of the THERP analyses (step-by-step vs. verbose).

2) Revise documentation to include a description and results of the HFE HR-D3, HR-G6, HR- reasonableness check. HR-1, HR-2, I3 3) Document the uncertainty associated with the HRA events. No X HR-3 0.4 1 5

Modify each initiating event not currently on a reactor year basis to represent a reactor IE-C3 year basis. No X IE-10 0.2 0.4 6 IE-C1, IE-C1a, IE-C13, QU-A2b, QU- Review/update parameter file data to ensure distributions are available for all basic E3 events (including initiating events) and perform uncertainty calculation. No X IE-7, QU-1 1 2 7

Combine the multiple calculation packages currently documenting the SC analysis into a single coherent calculation using the list in SR SC-C2 as a guide. If possible, provide a section which summarizes the assumptions and sources of uncertainty. One specific SC-B5, SC-C1,SC- required item is missing and must be added:

C2, SC-C3 1) Document comparison of plant specific analysis with similar plant results. No X SC-1, SC-2 2 3 62

Callaway PRA Gap Analysis Report Table 18 - Callaway PRA Recommended Modifications Cat Effort (MW)

Task II No. SRs Recommended Modifications Met Doc Model FO_No Lower Upper 8

Modify IAS to reflect dependency on SW. Document a comparison of the values used for the single event models of the IAS and the actuation system with generic industry SY-A7, SY-A6 data or other plant models. Verify correct dependencies for NCP FT. No X X SY-1, SY-4 SY-B1, SY-B3 Add CCFs for battery chargers and breakers or justify why it is not appropriate. No X SY-2 SY-B4, DA-C1, DA- Update CCF terms in the model using the method/data from NUREG/CR-5485 to D6 remove excessive conservatism. Yes X SY-2 AL check valves are only modeled for fail to open. Fail to close should also be considered and discussed. CC failure events dont address all possible combinations.

DA-A1 There are no CCF events for ALPT-37, 38, 39; ALHV-5,7,9,11; ALHV-6,8,10,12. Yes X Combine the multiple calculation packages currently documenting the SY analysis into SY-C1,SY-C2, SY- a single coherent calculation using the list in SR SY-C2 as a guide. If possible, provide C3 a section which summarizes the assumptions and sources of uncertainty. Yes X SY-3 Consider examining the actual plant history and if coincident maintenance is significant DA-C13 then the modeling should be revised. Yes X 2 4 9

Combine the multiple calculation packages currently documenting the DA analysis into a single coherent calculation using the list in SR DA-E2 as a guide. If possible, provide a section which summarizes the assumptions and sources of uncertainty. Consider DA-E1, DA-E2, DA- adding a summary table to the data update calculation which summarizes the actual E3 data changes. Yes X DA-D2 Document justification for items derived from engineering judgment. No X DA-3 Revise documentation to indicate whether any failure events were excluded and the DA-C3 basis. Yes X 2 3 10 Revise plant-specific data collection procedures to reflect the currently used data collection methods. Also, ensure data collection procedure is clear that repeated plant-DA-A3, DA-C6, DA- specific component failures occurring within a short time interval should be counted as C7, DA-C8, DA-C9, a single failure if there is a single, repetitive problem that causes the failures and to DA-C5 count only one demand. No X X DA-1 Consideration should be given to collecting data on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as DA-B1, DA-C2 defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data. No X X DA-2 2 4 11 LE-B1, LE-D6 Revise to address containment isolation issues and HPME. No X X LE-1 2 3 63

Callaway PRA Gap Analysis Report Table 18 - Callaway PRA Recommended Modifications Cat Effort (MW)

Task II No. SRs Recommended Modifications Met Doc Model FO_No Lower Upper Justify acceptability of current modeling associated w/secondary isolation for SGTR and LE-D4, LE-D5 induced SGTR with sensitivity study. No X LE-3 As a minimum, the uncertainty in the Level 1 sequences should be propagated and LE-F2, LE-G4 sensitivity studies developed and evaluated for the important LERF scenarios. No X X LE-2 Consider expanding documentation to add discussion of the physical characteristics LE-A1 that can influence LERF to cover the items identified in the SR. Yes X 12 AS-A1, AS-A2, AS- Combine the multiple calculation packages currently documenting the AS analysis into A3, AS-A4, AS-A5, a single coherent calculation using the list in SR AS-C2 as a guide. If possible, provide AS-A6, AS-C1 a section which summarizes the assumptions and sources of uncertainty. Yes X 2 4 13 SC-B1, SC-B4, LE-C4, AS-A9 Re-analyze L1 success criteria AND L2 scenarios with MAAP 4. Yes X AS-6 ? ?

Total Effort - Internal Events PRA (Excluding MAAP 4 Analysis) 44.6 86.4 14 EXT-A1, EXT-A2, EXT-C2, EXT-E1, Revise external events identification and screening documentation to fully encompass EXT-E2, EXT-E3 requirements. No X EXT-1 2 4 15 Provide documentation that the required Soil-Structure interaction calculations were SM-C4 performed. No X SM-1 1 2 16 Provide documentation of the identification of major contributors to the uncertainty and SM-H1 inclusion of the peer review report No X SM-2 1 2 Total Effort - External Events Analysis (Excluding Fire) 4 8 17 Upgrade shutdown and low power internal events model and documentation to meet SDLP-INT the final approved standard No X X SDLP-1 13 26 Total Effort - Shutdown and Low Power Internal Events Analysis 13 26 18 Incorporate shutdown and low power external events model and documentation to meet the final approved standard (assumes completion of power operation other external SDLP-EXT events analysis) No X X SDLP-1 4 8 Total Effort - Shutdown and Low Power External Events Analysis (Excluding Seismic and Fire) 4 8 64

Callaway PRA Gap Analysis Report 5.0 References 5.1 Callaway PRA Model The following AmerenUE documents, calculation packages and addenda comprise the Callaway PRA for at power conditions:

Original Calc. 1st PRA 2nd PRA 3rd PRA 4th PRA Calc No. Title (IPE) Update Update Update Update Individual Plant Examination (IPE) Report For The Callaway Plant, Record Type: I020, NA File Number: A210.0027 Individual Plant Examination Of External Events (IPEEE) Report For The Callaway NA Plant AB-11 Failure Of Main Steam Isolation Fault Tree R0 R0, Add1 Failure Of Main Feedwater Isolation Fault AE-29 Tree R0 R0, Add1 R0, Add2 AE-31 Callaway IPE - Main Feedwater Fault Tree R0 R0, Add1 R1, Add1, Auxiliary Feedwater System Fault Tree Add2, AL-04 Model R0 R1 Add3 R1, Add4 Pressurizer PORV Failure To Reclose BB-92 Following Reactor Trip Fault Tree R0 R1 R1, Add2 BB-93 Pressurizer PORVs Fault Trees R0 Failure Of Reactor Protection (Trip) Function BB-94 Fault Tree R0 Failure Of Pressurizer Relief Or Safety Valve To Reclose After An ATWS Event BB-95 Fault Tree R0 R1 R1, Add1 BB-96 Post-SGTR Pressurizer PORV Fault Tree R0 Callaway IPE-Probabilities Of Core BB-97 Uncovery Due To RCP Seal LOCA R0 Callaway IPE Top Level Fault Trees For BB-98 RCS Bleed Path And Depressurization R0 R0, Add1 High Pressure Coolant Injection System (Cold Leg Recirculation Phase) Fault Tree BG-32 Model R0 R0, Add1 BG-33 RCP Seal Cooling Fault Tree R0 R0, Add1 R0, Add3 R0, Add4 Service Water System Failure Modes And EA-03 Effects Analysis R0 R0, Complete Loss Of Service Water Initiating Add1, EA-05 Event Quantification R0 Add2 EA-06 Service Water Fault Tree Package R0 R0, Add1 R0, Add2 R0, Add3 R0, Add4 EA-07 Modified Normal Service Water Fault Tree R0 R0, Add1 R0, Add2 Calculation Of Service Water Recovery At 2 EA-08 And 8 Hours R0 R0, Essential Service Water System Fault Tree Add3, EF-15 Model R0 R0, Add1 Add4 65

Callaway PRA Gap Analysis Report Original Calc. 1st PRA 2nd PRA 3rd PRA 4th PRA Calc No. Title (IPE) Update Update Update Update R0, Add2, EG-16 CCWS Trains A & B Fault Trees R0 R0, Add1 Add3 Component Cooling Water System (CCWS)

EG-18 Failure Modes And Effects Analysis (FMEA) R0 Complete Loss Of Component Cooling EG-19 Water - Special Initiator Quantification R0 R0, Add1 EG-27 Calculation Of CCW System Recovery R0 RHR System (Injection Phase) Fault Tree EJ-04 Model R0 RHR System Cold Leg Recirculation Mode EJ-19 Fault Tree Model R0 R0, Add1 RHR System Long Term Cooldown Mode EJ-20 Fault Tree Model R0 R0, Add1 High Pressure Coolant Injection System EM-02 (Injection Phase) Fault Tree Model R0 R1, Add1 Safety Injection System (Injection Phase)

EM-03 Fault Tree Model R0 R1, Add1 Safety Injection System (Cold Leg EM-04 Recirculation Phase) Fault Tree Model R0 R1, Add1 Fault Tree Model For Containment Spray EN-05 System (Injection Mode) R0 Fault Tree Model For Containment Spray EN-06 System (Recirculation Mode) R0 Accumulator Safety Injection System Fault EP-10 Tree Model R0 R0, Add1 Calculation Of DC And ESF Switchgear GK-19 Room Heatup R0 Fault Tree Model For Containment Cooling GN-05 System (GN) R0 Instrument Air System Failure Modes And KA-30 Effects Analysis R0 Class 1E AC Power System Fault Tree NB-03 Model R0 R0, Add1 R0, Add2 R0, Add3 Failure Of Both Emergency Diesel NE-03 Generators Fault Tree R0 Class 1E DC Power System Fault Tree NK-06 Model R0 R0, Add1 R0, Add2 Interfacing System LOCA (ISL) Location ZZ-105 Review R0 DC Power System Failure Modes And ZZ-116 Effects Analysis R0 Loss Of Class 1E Air Conditioning And DC ZZ-118 Power Train Special Initiator Quantification R0 AC Power System Failure Modes And ZZ-119 Effects Analysis R0 Heating, Ventilation, And Air Conditioning ZZ-120 (HVAC) Failure Modes And Effects Analysis R0 R0, Common Cause Failure Evaluation For Add1, ZZ-126 Callaway IPE R0 Add3 66

Callaway PRA Gap Analysis Report Original Calc. 1st PRA 2nd PRA 3rd PRA 4th PRA Calc No. Title (IPE) Update Update Update Update Determine Core Damage Frequency For ZZ-138 Interfacing Systems LOCA (ISL) R0 ZZ-174 PRA/Subtle Interactions Review R0 Secondary Plant Depressurization Fault ZZ-253 Tree Model R0 R1 R1, Add1 Review Of NUREG/CR-3862 PWR Categories For Inclusion As Initiating Events ZZ-256 For The Callaway IPE R0 R0, Callaway IPE Level 1 PRA Initating Event Add3, ZZ-257 Frequency Determination R0 R0, Add1 R0, Add2 Add4 ZZ-258 Quantification Fault Tree Models R0 R0, Add1 R0, Add2 Documentation Of The Event Tree-Fault ZZ-259 Tree Success Criteria Discrepancy R0 Grouping Of Initiating Events For The ZZ-260 Callaway IPE R0 Callaway IPE-Initiating Events Task-Review ZZ-261 Of Callaway Reactor Trips R0 ZZ-263 Callaway IPE - Actuation Fault Trees R0 R0, Add1 R0, Callaway PRA - Disallowed Maintenance Add2, ZZ-264 Fault Tree R0 R0, Add1 Add3 R0, Add4 R0, Add4, Add6, ZZ-266 Callaway Plant IPE Database R0 R0, Add2 R0, Add3 Add7 R0, Add8 ZZ-267 Callaway IPE Sequence Quantification R0 R0, Add2 R0, Add3 R0, Add4 ZZ-268 Master Logic Diagram R0 ZZ-269 Plant Response Trees R0 Fault Tree Model For The Containment ZZ-270 Isolation System R0 ZZ-273 Special Data Development R0 ZZ-275 Callaway IPE - Level I Event Trees R0 R0, Add1 R0, Add2 R0, Add3 Callaway IPE -. AC Power Recovery/Non-ZZ-276 Recovery Probabilities R0 R1 R1, Add1 ZZ-278 Callaway IPE Human Error Calculation R0 Identification Of Callaway Flood Zones For ZZ-434 Internal Flooding Evaluation. R0 Quantitative Screening Of Callaway Flood ZZ-436 Areas - Re-Evaluation. R0 Callaway Internal Flooding Analysis Update

- Calculation Of CDFs Due To Flooding In ZZ-462 Select Areas R0 Quantitative Screening Of Callaway Flood ZZ-466 Areas For Internal Flooding Re-Evaluation. R0 ZZ-470 Callaway IPE I PRA LERF Model R0 R0, Add1 Verification And Validation Of The NUPRA ZZ-481 Computer Code R0 Loss Of Offsite Power Multiplication Factors ZZ-492 For Use In The Safety Monitor R0 R1 67

Callaway PRA Gap Analysis Report Original Calc. 1st PRA 2nd PRA 3rd PRA 4th PRA Calc No. Title (IPE) Update Update Update Update Verification And Validation Of The ZZ-510 WinNUPRA PRA Computer Code R0 5.2 Reference Standards

1. ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, with ASME RA-Sa-2003 and ASME RA-Sb-2005 Addenda, ASME, 2005.

2. ANSI/ANS-58.21-2003, American National Standard External-Events PRA Methodology, American National Standards Institute, Inc., 2003.

3. BSR/ANS 58.23, Draft FPRA Methodology Standard, Version of 03 April 2006.

68

Callaway PRA Gap Analysis Report Appendix A - Independent Assessment Database Report (Areas AS, DA, IE, HR, LE, QU, SC, SY, MU)

A-1

Appendix A - Callaway PRA Gap Analysis High Level Requirement AS SR AS-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE a method for accident sequence analysis that: This requirement is met, however the documentation to confirm Doc.

(a) explicitly models the appropriate combinations of system responses and is hard to locate and follow. Process discussed in the IPE.

operator actions that affect the key safety functions for each modeled initiating Model event; (b) includes a graphical representation of the accident sequences in an event tree structure or equivalent such that the accident sequence progression is displayed; and (c) provides a framework to support sequence quantification.

SR AS-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each modeled initiating event, IDENTIFY the key safety functions that are This requirement is met, however the documentation to confirm Doc.

necessary to reach a safe, stable state and prevent core damage. [See note 1] is hard to locate and follow. Process discussed in the IPE.

Model SR AS-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each modeled initiating event, using the success criteria defined for each This requirement is met, however the documentation to confirm Doc.

key safety function (in accordance with SR SC-A4), IDENTIFY the systems that is hard to locate and follow. Process discussed in the IPE.

can be used to mitigate the initiator. [See note 1] Model Thursday, September 21, 2006 Page A-1 of A-106 A-2

Appendix A - Callaway PRA Gap Analysis SR AS-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each modeled initiating event, using the success criteria defined for each This requirement is met, however the documentation to confirm Doc.

key safety function (in accordance with SR SC-A4), IDENTIFY the necessary is hard to locate and follow. Process discussed in the IPE.

operator actions to achieve the defined success criteria. [See notes 1 and 2] Model SR AS-A5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE the accident sequence model in a manner that is consistent with the This requirement is met, however the documentation to confirm Doc.

plant-specific: system design, EOPs, abnormal procedures, and plant transient is hard to locate and follow. Process discussed in the IPE.

response. Model SR AS-A6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Where practical, sequentially ORDER the events representing the response of This requirement is met, however the documentation to confirm Doc.

the systems and operator actions according to the timing of the event as it is hard to locate and follow. Process discussed in the IPE.

occurs in the accident progression. Where not practical, PROVIDE the Model rationale used for the ordering.

SR AS-A7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DELINEATE the possible accident sequences for each modeled initiating event, This requirement meets category III. ZZ-275. Doc.

unless the sequences can be shown to be a non-contribution using qualitative arguments. Model Thursday, September 21, 2006 Page A-2 of A-106 A-3

Appendix A - Callaway PRA Gap Analysis SR AS-A8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE the end state of the accident progression as occurring when either a This requirement is met. Process discussed in the IPE and calc Doc.

core damage state or a steady state condition has been reached. note ZZ-275.

Model SR AS-A9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE realistic, applicable (i.e., from similar plants) thermal hydraulic analyses to In general this requirement meets Category III. Plant specific Doc. AS-6 determine the accident progression parameters (e.g., timing, temperature, analysis was used. Evaluations were made with MAAP.

pressure, steam) that could potentially affect the operability of the mitigating However, one case appears questionable. The MAAP results Model systems. indicate there are 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months before core melt for the SGTR sequence with failure to isolate the SG. If the MAAP analysis is correct, then the sequence should be screened. If the MAAP analysis is not correct, or MAAP 3 can not provide a correct representation of the sequence, MAAP 4 should be used.

SR AS-A10 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In constructing the accident sequence models, INCLUDE, for each modeled This requirement meets Category II. Discussed in IPE, inividual Doc.

initiating event, sufficient detail that significant differences in requirements on system calc notes, ZZ-275, and ZZ-267.

systems and operator responses are captured. Where diverse systems and/or Model operator actions provide a similar function, if choosing one over another changes the requirements for operator intervention or the need for other systems, MODEL each separately.

Thursday, September 21, 2006 Page A-3 of A-106 A-4

Appendix A - Callaway PRA Gap Analysis SR AS-A11 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Transfers between event trees may be used to reduce the size and complexity of This requirement is met for some of the event trees. Calc note Doc. AS-2 individual event trees. DEFINE any transfers that are used and the method that ZZ-267 contains a table of transfers. However, many transfers is used to implement them in the qualitative definition of accident sequences such as seal LOCA and stuck open PORV transfer to a "psuedo Model and in their quantification. USE a method for implementing an event tree event tree". These transfers are quantified using an OCL file transfer that preserves the dependencies that are part of the transferred that does not have a specific event tree. This introduces sequence. These include functional, system, initiating event, operator, and possibilities for error in the quantification since there is no event spatial or environmental dependencies. tree on which to base the evaluated functions, especially those that require preservation of dependencies. The actual event tree for quantification of the RCP seal LOCA events was not found.

An event tree Trcp appears to have been used, but this event tree has an event for recovery of CCW, which is not included in the

.OCL files for the RCP seal LOCA events.

Therefore, this requirement is not met.

SR AS-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each modeled initiating event, IDENTIFY mitigating systems impacted by This requirement is not met. See F&Os AS-1, AS-3, AS-5, and Doc. AS-1, AS-3, AS-5, AS-7 the occurrence of the initiator and the extent of the impact. INCLUDE the AS-7 for specific examples.

impact of initiating events on mitigating systems in the accident progression Model either in the accident sequence models or in the system models.

SR AS-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY the dependence of modeled mitigating systems on the success or This requirement is not met. See F&Os AS-1, AS-3, AS-5, and Doc. AS-1, AS-3, AS-5, AS-7 failure of preceding systems, functions, and human actions. INCLUDE the AS-7 for specific examples.

impact on accident progression, either in the accident sequence models or in the Model system models. For example:

(a) turbine driven system dependency on SORV, depressurization, and containment heat removal (suppression pool cooling);

(b) low pressure system injection success dependent on need for RPV depressurization.

Thursday, September 21, 2006 Page A-4 of A-106 A-5

Appendix A - Callaway PRA Gap Analysis SR AS-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each accident sequence, IDENTIFY the phenomenological conditions This requirement is met. See IPE discussion. Doc.

created by the accident progression. Phenomenological impacts include generation of harsh environments affecting temperature, pressure, debris, water Model levels, humidity, etc. that could impact the success of the system or function under consideration [e.g., loss of pump net positive suction head (NPSH),

clogging of flow paths]. INCLUDE the impact of the accident progression phenomena, either in the accident sequence models or in the system models.

SR AS-B5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP the accident sequence models to a level of detail sufficient to This requirement is met. See IPE discussion and individual Doc.

identify intersystem dependencies and train level interfaces, either in the event system calc notes.

trees or through a combination of event tree and fault tree models and associated Model logic.

SR AS-B5a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If plant configurations and maintenance practices create dependencies among This requirement is met. See IPE discussion and individual Doc.

various system alignments, DEFINE and MODEL these configurations and system calc notes.

alignments in a manner that reflects these dependencies, either in the accident Model sequence models or in the system models.

Thursday, September 21, 2006 Page A-5 of A-106 A-6

Appendix A - Callaway PRA Gap Analysis SR AS-B6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No MODEL time-phased dependencies (i.e., those that change as the accident Discussed in IPE, ZZ-275, ZZ-267, and the individual system Doc. AS-4, AS-5 progresses, due to such factors as depletion of resources, recovery of resources, calc notes. In most cases this requirement is met, however, the and changes in loads) in the accident sequences . RCP seal LOCA model needs to be updated to reflect the latest Model Examples are: WOG model, which is approved by the NRC.

(a) For SBO/LOOP sequences, key time phased events, such as:

(1) AC power recovery Room cooling requirements for the switchgear rooms for SBO (2) DC battery adequacy (time dependent discharge) should be re-evaluated to consider the actual heat loads in the (3) Environmental conditions (e.g., room cooling) for operating equipment rooms during SBO.

and the control room (b) For ATWS/failure to scram events (for BWRs), key time dependent actions such as:

(1) SLCS initiation (2) RPV level control (3) ADS inhibit (c) Other events that may be subject to explicit time dependent characterization include:

(1) CRD as an adequate RPV injection source (2) Long term make-up to RWST SR AS-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the accident sequence analysis in a manner that facilitates PRA This requirement is met, however the documentation to confirm Doc.

applications, upgrades, and peer review. is hard to locate and follow. The analysis discussed in the IPE, various calc notes, and calc note appendices. Model Thursday, September 21, 2006 Page A-6 of A-106 A-7

Appendix A - Callaway PRA Gap Analysis SR AS-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the processes used to develop accident sequences and treat This requirement is met. Discussed in IPE, ZZ-275, ZZ-267, Doc.

dependencies in accident sequences, including the inputs, methods, and and the individual system calc notes.

results. For example, this documentation typically includes: Model (a) the linkage between the modeled initiating event in the Initiating Event Analysis section and the accident sequence model; (b) the success criteria established for each modeled initiating event including the bases for the criteria (i.e., the system capacities required to mitigate the accident and the necessary components required to achieve these capacities);

(c) a description of the accident progression for each sequence or group of similar sequences (i.e., descriptions of the sequence timing, applicable procedural guidance, expected environmental or phenomenological impacts, dependencies between systems and operator actions, end states, and other pertinent information required to fully establish the sequence of events);

(d) the operator actions reflected in the event trees, and the sequence specific timing and dependencies that are traceable to the HRA for these actions; (e) the interface of the accident sequence models with plant damage states; (f) [when sequences are modeled using a single top event fault tree] the manner in which the requirements for accident sequence analysis have been satisfied.

SR AS-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources uncertainty associated with Assumptions are documented in the calc notes associated with Doc.

the accident sequence analysis. the initiating event and the individual systems.

Sources of uncertainty are discussed in ZZ-267. Model Thursday, September 21, 2006 Page A-7 of A-106 A-8

Appendix A - Callaway PRA Gap Analysis High Level Requirement DA SR DA-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY from the systems analysis the basic events for which probabilities All basic events identified by the systems analysis are included Doc.

are required. Examples of basic events include: in the data base and have associated data assigned (a) independent or common cause failure of a component or system to start or Model change state on demand AL check valves are only modeled for fail to open. Fail to (b) independent or common cause failure of a component or system to continue close should also be considered and discussed.

operating or provide a required function for a defined time period CC failure events dont address all possible combinations.

(c) equipment unavailable to perform its required function due to being out of There are no CCF events for ALPT-37, 38, 39; ALHV-5,7,9,11; service for maintenance ALHV-6,8,10,12.

(d) equipment unavailable to perform its required function due to being in test mode (e) failure to recover a function or system (e.g., failure to recover offsite-power)

(f) failure to repair a component, system, or function in a defined time period SR DA-A1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTABLISH definitions of SSC boundaries, failure modes, and success criteria The definition of the SSC boundaries, failure modes, and Doc.

consistent with corresponding basic event definitions in Systems Analysis (SY- success criteria are consistent with corresponding basic event A5, SY-A7, SY-A8, SY-A10 through SY-A13 and SY-B4) for failure rates and definitions in Systems Analysis for failure rates and common Model common cause failure parameters, and ESTABLISH boundaries of cause failure parameters. The boundaries of the out-of-service unavailability events consistent with corresponding definitions in Systems unavailability events are consistent with the corresponding Analysis (SY-A18). definitions in Systems Analysis SR DA-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE an appropriate probability model for each basic event. Examples include: Procedure 43.15 DBTP, table 1 lists the model used for each Doc.

(a) binomial distributions for failure on demand type basic event.

(b) Poisson distributions for standby and operating failures and initiating events Model Thursday, September 21, 2006 Page A-8 of A-106 A-9

Appendix A - Callaway PRA Gap Analysis SR DA-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY the parameter to be estimated and the data required for estimation. Procedures ZZ-266 and 43.15 DBTP provide guidance on what Doc.

Examples are as follows: parameters are to be estimated and the required data. The total (a) For failures on demand , the parameter is the probability of failure, and the time of unavailability is provided. The procedures still refer to Model data required are the number of failures given a number of demands; the RAPID system that is no longer used. Procedures need to be (b) For standby failures, operating failures, and initiating events, the parameter revised to current practices.

is the failure rate, and the data required are the number of failures in the total (standby or operating) time; (c) For unavailability due to test or maintenance, the parameter is the unavailability on demand, and alternatives for the data required include:

the total time of unavailability; OR a list of the maintenance events with their durations, together with the total time required to be available, OR the number of maintenance or test acts, their average duration, and the total time required to be available.

SR DA-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For parameter estimation, GROUP components according to type (e.g., motor- Group parameter estimations are generally based only on Doc. DA-2 operated pump, air-operated valve) and according to the characteristics of their component type. Recent data updates have used a much finer usage to the extent supported by data: levels of grouping (e.g., the charging pumps are considered a Model (a) mission type (e.g., standby, operating) different group than the SI pumps). The grouping used to apply (b) service condition (e.g., clean vs. untreated water, air) plant-specific data updates should be reexamined to make sure the data aggregation is reasonable. This meets category I but does not meet category II.

SR DA-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT INCLUDE outliers in the definition of a group (e.g., do not group Groups are general and are done only by component type. It is Doc.

valves that are never tested and unlikely to be operated with those that are tested possible there are outliers in some of the groups from the or otherwise manipulated frequently) original IPE but this was not well documented. Later grouping Model is on a much finer level and outliers are not included.

Thursday, September 21, 2006 Page A-9 of A-106 A-10

Appendix A - Callaway PRA Gap Analysis SR DA-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No OBTAIN generic parameter estimates from recognized sources. ENSURE that No use of generic unavail. for test, maint. or repair was found. Doc.

the parameter definitions and boundary conditions are consistent with those NUREG/CR-4550 used in ZZ-266. As noted in SY, CCFs are established in response to DA-A1 to DA-A3. [Example: some sources include acceptable, but conservative and the quality of the PRA could Model the breaker within the pump boundary, be improved with use of the noted CCF reference.

whereas others do not.] DO NOT INCLUDE generic data for unavailability due to test, maintenance, and repair unless it can be established that the data is consistent with the test and maintenance philosophies for the subject plant.

Examples of parameter estimates and associated sources include:

(a) component failure rates and probabilities: NUREG/CR-4639 [Note (1)],

NUREG/CR-4550 [Note (2)]

(b) common cause failures: NUREG/CR-5497 [Note (3)], NUREG/CR-6268

[Note (4)]

(c) AC off-site power recovery: NUREG/CR-5496 [Note (5)], NUREG/CR-5032 [Note (6)]

(d) component recovery SR DA-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COLLECT plant-specific data for the basic event/parameter grouping Plant specific data was initially collected but has not been Doc. DA-2 corresponding to that defined by requirement DA-A1, DA-A2, DA-A3, DA-B1, updated for components associated with low risk significant MR and DA-B2. function in the most recent update. Consideration should be Model given to collecting data on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data.

Thursday, September 21, 2006 Page A-10 of A-106 A-11

Appendix A - Callaway PRA Gap Analysis SR DA-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COLLECT plant-specific data, consistent with uniformity in design, operational Data collected for IPE includes basis why some events were Doc.

practices, and experience. JUSTIFY the rationale for screening or disregarding disregarded. Subsequent updates dont clearly identify if any plant-specific data (e.g., plant design modifications, changes in operating events were excluded and why. Plant specific data was initially Model practices). collected but has not been updated for components associated with low risk significant MR function in the most recent update. Data collection should be performed on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data.

SR DA-C4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When evaluating maintenance or other relevant records to extract plant specific Procedure ZZ-266 provides guidance for evaluating failure Doc.

component failure event data, DEVELOP a clear basis for the identification of data. The raw failure data is provided ito the PRA group by the events as failures. MR group and the PRA group examines each failure to Model DISTINGUISH between those degraded states for which a failure, as modeled in determine whether or not it constitutes a failure for the PRA the PRA, would have occurred during the mission and those for which a failure model.

would not have occurred (e.g., slow pick up to rated speed).

Include all failures that would have resulted in failure to perform the mission as defined in the PRA SR DA-C5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COUNT repeated plant-specific component failures occurring within a short There is no documentation to indicate this did or did not occur. Doc.

time interval as a single failure if there is a single, repetitive problem that causes This is not discussed in PRA guidance. A PRA analyst the failures. In addition, COUNT only one demand. performed a high level review of the failures to search for any Model notable abnormalities. In addition, the failure data was collected for the years 1996 to 2000. 1996 was chosen because that was the beginning of the Maintenance Rule (MR). All of the failure data came from the MR group. If repetitive failures had occurred, it would be expected that the MR Expert Panel would have noted the problem. A PRA analyst sits on the MR Expert Panel.

Thursday, September 21, 2006 Page A-11 of A-106 A-12

Appendix A - Callaway PRA Gap Analysis SR DA-C6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DETERMINE the number of plant-specific demands on standby components on The data collected is provided by the MR Group. It appears, Doc. DA-1 the basis of the number of based on discussions with the PRA analyst that the correct (a) surveillance tests information is collected and transferred to the PRA Group Model (b) maintenance acts however the documentation of the collection method needs to be (c) surveillance tests or maintenance on other components formalized and included as part of the PRA.

(d) operational demands.

DO NOT COUNT additional demands from post-maintenance testing; that is part of the successful renewal.

SR DA-C7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No BASE number of surveillance tests on plant surveillance requirements and The data collected is provided by the MR Group. It appears, Doc. DA-1 actual practice. BASE number of planned maintenance activities on plant based on discussions with the PRA analyst that the correct maintenance plans and actual practice. BASE number of unplanned information is collected and transferred to the PRA Group Model maintenance acts on actual plant experience. however the documentation of the collection method needs to be formalized and included as part of the PRA.

SR DA-C8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When required, USE plant-specific operational records to determine the time The data collected is provided by the MR Group. It appears, Doc. DA-1 that components were configured in their standby status. based on discussions with the PRA analyst that the correct information is collected and transferred to the PRA Group Model however the documentation of the collection method needs to be formalized and included as part of the PRA.

Thursday, September 21, 2006 Page A-12 of A-106 A-13

Appendix A - Callaway PRA Gap Analysis SR DA-C9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTIMATE operational time from surveillance test practices for standby The data collected is provided by the MR Group. It appears, Doc. DA-1 components, and from actual operational data. based on discussions with the PRA analyst that the correct information is collected and transferred to the PRA Group Model however the documentation of the collection method needs to be formalized and included as part of the PRA.

SR DA-C10 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When using surveillance test data, REVIEW the test procedure to determine It appears during the initial development of the PRA model Doc.

whether a test should be credited for each possible failure mode. COUNT only surveillance tests were reviewed to determine what failure completed tests or unplanned operational demands as success for component modes should be credited with a demand. Design and procedure Model operation. If the component failure mode is decomposed into sub-elements (or modifications require the Responsible Engineer to assess the causes) that are fully tested, then USE tests that exercise specific sub-elements impact on plant programs. The PRA is one of the programs in their evaluation. Thus, one sub-element sometimes has many more successes assessed. The PRA Group is notified to perform an evaluation than another. of the modification to assess its impact on plant risk before the

[Example: a diesel generator is tested more frequently than the load sequencer. modification can be installed. These risk assessments are IF the sequencer were to be included in the diesel generator boundary, the documented in a QA-document called a PRA Evaluation number of valid test would be significantly decreased.] Request (PRAER). The list of PRAERs is reviewed during a PRA update to determine if there are modifications that must be captured in the PRA.

Thursday, September 21, 2006 Page A-13 of A-106 A-14

Appendix A - Callaway PRA Gap Analysis SR DA-C11 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When using data on maintenance and testing durations to estimate In the development of the IPE, maintenance and test procedures Doc.

unavailabilities at the component, train, or system level, as required by the were reviewed to identify those that would result in a system model, only INCLUDE those maintenance or test activities that could component, train, or system unavailable to perform it's Model leave the component, train, or system unable to perform its function when function. Design and procedure modifications require the demanded. Responsible Engineer to assess the impact on plant programs.

The PRA is one of the programs assessed. The PRA Group is notified to perform an evaluation of the modification to assess its impact on plant risk before the modification can be installed.

These risk assessments are documented in a QA-document called a PRA Evaluation Request (PRAER). The list of PRAERs is reviewed during a PRA update to determine if there are design or procedure modifications that must be captured in the PRA.

SR DA-C11a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When an unavailability of a front line system component is caused by an Generally, the PRA and MR philosophy is, a support system Doc.

unavailability of a support system, COUNT the unavailability towards that of failure is counted against the support system. In certain rare the support system and not the front line system, in order to avoid double instances (e.g., rule-of-the-box), a support system failure is Model counting and to capture the support system dependency properly. counted against the supported system.

Thursday, September 21, 2006 Page A-14 of A-106 A-15

Appendix A - Callaway PRA Gap Analysis SR DA-C12 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No EVALUATE the duration of the actual time that the equipment was unavailable Estimates of outage start and finish times are collected and Doc.

for each contributing activity. Since maintenance outages are a function of the reasonable. The T&M unavailabilities come from the MR. The plant status, INCLUDE only outages occurring during plant at power. Special MR Expert Panel reviews this information. Maintenance and Model attention should be paid to the case of a multi-plant site with shared systems, Ops personnel are members of the MR Expert Panel.

when the Specifications (TS) requirements can be different depending on the status of both plants. Accurate modeling generally leads to a particular allocation of outage data among basic events to take this mode dependence into account. In the case that reliable estimates or the start and finish times are not available, INTERVIEW the plant maintenance and operations staff to generate estimates of ranges in the unavailable time per maintenance act for components, trains, or systems for which the unavailabilities are significant basic events.

SR DA-C13 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No EXAMINE coincident unavailability due to maintenance for redundant The modeling of unavailability due to maintenance is based on Doc.

equipment (both intra- and inter-system) based on actual plant experience. the plant philosophy for maintenance. Maintenace CALCULATE coincident maintenance unavailabilities that reflect actual plant combinations which result in violation of the technical Model experience. Such coincident maintenance unavailability can arise, for example, specifications are removed from the cutsets on the basis that any for plant systems that have "installed spares", i.e., plant systems which have coincident maintenance which results in the plant entering an more redundancy than is addressed by tech specs. For example, the charging LCO is short lived and not a significant contributor. The actual system in some plants has a third train which may be out of service for extended plant history should be examined and if coincident maintenance periods of time coincident with one of the other trains and yet is in compliance is significant then the modeling should be revised.

with tech specs. In Calculation ZZ-266 system unavailability is based on actual plant historical experience.

SR DA-C14 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each SSC for which repair is to be modeled (see SY-A22), IDENTIFY The Callaway PRA credits repair of hardware faults in the Doc. IE-8 instances of plant-specific or applicable industry experience and for each repair, recovery of the loss of CCW and loss of SWS initiating events.

COLLECT the associated repair time with the repair time being the period from The recovery events, which include recovery of CCF of pumps Model identification of the component failure until the component is returned to and valves lack sufficient analysis or data. The Callaway PRA service. does not meet DA-C14.

Thursday, September 21, 2006 Page A-15 of A-106 A-16

Appendix A - Callaway PRA Gap Analysis SR DA-C15 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Data on recovery from loss of offsite power, loss of service water, etc. are rare Callaway has never experienced a loss of offsite power, loss of Doc.

on a plant-specific basis. If available, for each recovery, COLLECT the all service water, or loss of all component cooling water. These associated recovery time with the recovery time being the period from are the only special initiators which credit recovery of the Model identification of the system or function failure until the system or function is initiating fault. Recovery of offsite power is based on generic returned to service. industry data due to the lack of plant specific experience.

Recovery of loss of all service water or loss of component cooling water is discussed in the initiating events section. For information on the recovery events see F&O IE-8.

SR DA-D1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CALCULATE realistic parameter estimates for significant basic events based The PRA model uses a combination of generic, plant specific, Doc.

on relevant generic and plant specific evidence unless it is justified that there Bayesian updated data for PRA parameters, as appropriate.

are adequate plant specific data to characterize the parameter value and its Statistical analysis is provided for each event value.

Reference:

Model uncertainty. When it is necessary to combine evidence from generic and plant ZZ-266 Table 4 and Table 5.

specific data USE a Bayes update process or equivalent statistical process that assigns appropriate weight to the statistical significance of the generic and plant specific evidence and provides an appropriate characterization of uncertainty, CHOOSE prior distributions as either non-informative, or representative of variability in industry data. CALCULATE parameter estimates for the remaining events by using generic industry data.

SR DA-D2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If neither plant-specific data nor generic parameter estimates are available for No justification is provided for the use of engineering judgment Doc. DA-3 the parameter associated with a specific basic event, USE data or estimates for to determine the probability as required by DA-D2 (Example:

the most similar equipment available, adjusting if necessary to account for HYDRAULICSYSFAIL, STR-FR, STR-FS). There is no Model differences. Alternatively, USE expert judgment and document the rationale indication that any parameters were (or were not) determined by behind the choice of parameter values. using data or estimates of similar equipment.

Thursday, September 21, 2006 Page A-16 of A-106 A-17

Appendix A - Callaway PRA Gap Analysis SR DA-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PROVIDE a mean value of, and a statistical representation of the uncertainty Mean values and a statistical representation of uncertainty Doc.

intervals for, the parameter estimates of significant basic events. Acceptable intervals are provided in procedure ZZ-266 table 5. Bayesian systematic methods include Bayesian updating, frequentist method, or expert updating is used by Callaway Model judgment. Cat II MET SR DA-D4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When the Bayesian approach is used to derive a distribution and mean value of Guidelines for the appropriateness of Bayesian updating of Doc.

a parameter, CHECK that the posterior distribution is reasonable given the events is provided in Attachment 3 to ZZ-266 Addendum 4.

relative weight of evidence provided by the prior and the plant specific data. These guidelines discusses a process that is used to determine Model Examples of tests to ensure that the updating is accomplished correctly and that whether a Bayesian update for a basic event given the collected the generic parameter estimates are consistent with the plant-specific data is appropriate.

application include the following:

(a) confirmation that the Bayesian updating does not produce a posterior distribution with a single bin histogram (b) examination of the cause of any unusual (e.g., multimodal) posterior distribution shapes (c) examination of inconsistencies between the prior distribution and the plant-specific evidence to confirm that they are appropriate (d) confirmation that the Bayesian updating algorithm provides meaningful results over the range of values being considered (e) confirmation of the reasonableness of the posterior distribution mean value SR DA-D5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE one of the following models for estimating CCF parameters for significant Procedure 43.15 states that beta factors were used for common Doc.

CCF basic events: cause evaluation. The multiple greek letter (MGL) method was (a) Alpha Factor Model used for quantification of common cause failures events. Model (b) Basic Parameter Model CAT II MET (c) Multiple Greek Letter Model (d) Binomial Failure Rate Model JUSTIFY the use of alternative methods (i.e., provide evidence of peer review or verification of the method which demonstrates its acceptability).

Thursday, September 21, 2006 Page A-17 of A-106 A-18

Appendix A - Callaway PRA Gap Analysis SR DA-D6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE generic common cause failure probabilities consistent with available plant This is generally met although NUREG/CR-4550 was used Doc. SY-2 experience. EVALUATE the common cause failure probabilities consistent rather than the more current NUREG/CR-5485. The Callaway with the component boundaries. PRA adequately models CCFs with the exception of battery Model chargers and breakers as noted in SR SY-B1 and B3. The quantification of all CCFs should be updated. CCFs should be added for Battery Chargers and Breakers. The quantification of the CCFs should be done in accordance with NUREG/CR-5485.

SR DA-D6a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If screening of generic event data is performed for plant-specific estimation, Screening of generic data is not performed. Doc.

PERFORM screening on both the CCF events and the independent failure events in the data base used to generate the CCF parameters. Model SR DA-D7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If modifications to plant design or operating practice lead to a condition where Design modifications require the design's Responsible Engineer Doc.

past data are no longer representative of current performance, LIMIT the use of to assess the design's impact on plant programs. The PRA is old data: one of the programs assessed. The PRA Group is notified to Model (a) If the modification involves new equipment or a practice where generic perform an evaluation of the modification to assess its impact on parameter estimates are available, USE the generic parameter estimates updated plant risk before the modification can be installed. These risk with plant-specific data as it becomes available for significant basic events; or assessments are documented in a QA-document called a PRA (b) If the modification is unique to the extent that generic parameter estimates Evaluation Request (PRAER). The list of PRAERs is reviewed are not available and only limited experience is available following the change, during a PRA update to determine if there are design then ANALYZE the impact of the change and assess the hypothetical effect on modifications that must be captured in the PRA. As an the historical data to determine to what extent the data can be used. example, calculation AE-29 Addendum 1 covers the Main Feedwater Isolation Valves being replaced with a different type.

This necessitated changes to the basic event naming convention as well as to the failure probability. Because the valve type did not exist in the generic data base, the valve manufacturer was contacted to provide failure data.

Thursday, September 21, 2006 Page A-18 of A-106 A-19

Appendix A - Callaway PRA Gap Analysis SR DA-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the data analysis in a manner that facilitates PRA applications, Documentation is adequate to support PRA applications and Doc.

upgrades, and peer review. upgrades because Callaway has been successful at both.

Documentation and organization of documentation could be Model improved to facilitate peer reviews.

SR DA-E2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the processes used for data parameter definition, grouping, and Generally adequate but needs improvement. Doc.

collection including parameter selection and estimation, including the inputs, Identification of data excluded and justification for exclusion methods, and results. For example, this documentation typically includes: not provided in revisions and Addenda to IPE. Model (a) system and component boundaries used to establish component failure probabilities (b) the model used to evaluate each basic event probability (c) sources for generic parameter estimates (d) the plant-specific sources of data (e) the time periods for which plant-specific data were gathered (f) justification for exclusion of any data (g) the basis for the estimates of common cause failure probabilities, including justification for screening or mapping of generic and plant-specific data (h) the rationale for any distributions used as priors for Bayesian updates, where applicable (i) parameter estimate including the characterization of uncertainty, as appropriate SR DA-E3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources of uncertainty associated The key assumptions and key sources of uncertainty were Doc.

with the data analysis. identified in the IPE. Since that time there is little documentation of assumptions or uncertainty. To be useful Model going forward the documentation of assumptions and sources of uncertainty need to be revised.

Thursday, September 21, 2006 Page A-19 of A-106 A-20

Appendix A - Callaway PRA Gap Analysis High Level Requirement HR SR HR-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For equipment modeled in the PRA, IDENTIFY, through a review of procedures Done in IPE, changes in procedures, test, system alignment Doc.

and practices, those test and maintenance activities that require realignment of reviewed for impact by PRA staff and added to list for model equipment outside its normal operational or standby status. update if any impact. Model SR HR-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY, through a review of procedures and practices, those calibration Done in IPE, changes in procedures reviewed for impact by Doc.

activities that if performed incorrectly can have an adverse impact on the PRA staff and added to list for model update if any impact.

automatic initiation of standby safety equipment. Model SR HR-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY which of those work practices identified above (HR-A1, HR-A2) Done in IPE, changes in procedures, test, system alignment Doc.

involve a mechanism that simultaneously affects equipment in either different reviewed for impact by PRA staff and added to list for model trains of a redundant system or diverse systems [e.g., use of common calibration update if any impact. Model equipment by the same crew on the same shift, a maintenance or test activity that requires realignment of an entire system (e.g.,

SLCS)].

Thursday, September 21, 2006 Page A-20 of A-106 A-21

Appendix A - Callaway PRA Gap Analysis SR HR-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If screening is performed, ESTABLISH rules for screening individual activities System modeling guidelines used in IPE outlines acceptable Doc.

from further consideration. screening criteria.

Example: Screen maintenance and test activities from further consideration Model only if (a) equipment is automatically re- aligned on system demand, or (b) following maintenance activities, a post-maintenance functional test is performed that reveals misalignment, or (c) equipment position is indicated in the control room, status is routinely checked, and realignment can be affected from the control room, or (d) equipment status is required to be checked frequently (i.e., at least once a shift)

SR HR-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT screen activities that could simultaneously have an impact on multiple System modeling guidelines used in IPE outlines acceptable Doc.

trains of a redundant system or diverse systems (HR-A3). screening criteria.

Model SR HR-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each unscreened activity, DEFINE a human failure event (HFE) that Performed as part of IPE Doc.

represents the impact of the human failure at the appropriate level, i.e., function, system, train, or component affected. Model Thursday, September 21, 2006 Page A-21 of A-106 A-22

Appendix A - Callaway PRA Gap Analysis SR HR-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE those modes of unavailability that, following completion of each Human errors are included for each identified unscreened Doc.

unscreened activity, result from failure to restore activity.

(a) equipment to the desired standby or operational status Model (b) initiation signal or set point for equipment start-up or realignment (c) automatic realignment or power ADD failure modes identified during the collection of plant-specific or applicable generic operating experience that leave equipment unavailable for response in accident sequences.

SR HR-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE the impact of miscalibration as a mode of failure of initiation of Miscalibraqtion is included where the potential exists for Doc.

standby systems. miscalibration and miscalibration is not readily discernible Model SR HR-D1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTIMATE the probabilities of human failure events using a systematic Risk significant HFEs were revised in 2005 using the EPRI Doc.

process. Acceptable methods include THERP [Note (1)] and ASEP [Note (2)]. HRA Calculator Version 3.0 which meets the criteria.

Model SR HR-D2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For significant HFEs, USE detailed assessments in the quantification of pre- Risk significant Type A & B HEPs were analyzed in detail, non- Doc.

initiator HEPs. USE screening values based on a simple model, such as ASEP significant HEPs were not revised from their IPE values.

in the quantification of the pre-initiator HEPs for non-significant human failure Model basic events. When bounding values are used, ENSURE they are based on limiting cases from models such as ASEP.

Thursday, September 21, 2006 Page A-22 of A-106 A-23

Appendix A - Callaway PRA Gap Analysis SR HR-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each detailed human error probability assessment, INCLUDE in the Documentation should be updated to add a ground rule Doc. HR-1 evaluation process the following plant-specific relevant information: statement that the quality of written procedures is considered in (a) the quality of written procedures (for performing tasks) and administrative the operator-procedure interface failure mechanisms of the Model controls (for independent review) CBDTM, and in the errors of omission parts of the THERP (b) the quality of the human-machine interface, including both the equipment analyses (step-by-step vs. verbose). The instrumentation and configuration, and instrumentation and control layout control layout is considered in the "Cues" sections and in the THERP execution analyses. Equipment configuration is considered for local actions in "Execution PSFs" and in the THERP analyses.

SR HR-D4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When taking into account self-recovery or recovery from other crew members in Risk significant HFEs were revised in 2005 using the EPRI Doc.

estimating HEPs for specific HFEs, USE pre-initiator recovery factors HRA Calculator Version 3.0 which meets the criteria.

consistent with selected methodology. If recovery of pre-initiator errors is Model credited (a) ESTABLISH the maximum credit that can be given for multiple recovery opportunities (b) USE the following information to assess the potential for recovery of pre-initiator:

(1) post-maintenance or post-calibration tests required and performed by procedure (2) independent verification, using a written check-off list, which verify component status following maintenance/testing (3) original performer, using a written check-off list, makes a separate check of component status at a later time (4) work shift or daily checks of component status, using a written check-off list Thursday, September 21, 2006 Page A-23 of A-106 A-24

Appendix A - Callaway PRA Gap Analysis SR HR-D5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ASSESS the joint probability of those HFEs identified as having some degree of Dependency between HFEs was assessed and accounted for in Doc.

dependency (i.e., having some common elements in their causes, such as the Callaway PRA performed by the same crew in the same time- frame). Model SR HR-D6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PROVIDE an assessment of the uncertainty in the HEPs consistent with the The calculated values of the HEPs are presented as mean values Doc.

quantification approach. USE mean values when providing point estimates of of the distribution and associated error factor.

HEPs. Model SR HR-D7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No No requirement to check reasonableness of HEPs in light of the plants Not applicable for category II Doc.

experience Model SR HR-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When identifying the key human response actions REVIEW: The plant specific procedures were reviwed as part of the HRA Doc.

(a) the plant-specific emergency operating procedures, and other relevant update for the risk significant HEPs. During the development of procedures (e.g., AOPs, annunciator response procedures) in the context of the the IPE fault tree/event tree models, the system operation was Model accident scenarios. reviewed to ensure the models and the underlying assumptions (b) system operation such that an understanding of how the system(s) reflected how the system(s) function and the human interface functions and the human interfaces with the system is obtained. was correctly incorporated.

Thursday, September 21, 2006 Page A-24 of A-106 A-25

Appendix A - Callaway PRA Gap Analysis SR HR-E2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY These issues were identified in the IPE and system/procedure Doc.

(a) those actions required to initiate (for those systems not automatically changes are evaluated on a regular basis and incorporated if initiated), operate, control, isolate, or terminate those systems and components important. Model used in preventing or mitigating core damage as defined by the success criteria (e.g., operator initiates RHR)

(b) those actions performed by the control room staff either in response to procedural direction or as skill-of-the-craft to recover a failed function, system or component that is used in the performance of a response action as identified in HR-H1.

SR HR-E3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No TALK THROUGH (i.e., review in detail) with plant operations and training Operator interviews were conducted in August 2005 during the Doc.

personnel the procedures and sequence of events to confirm that interpretation reevaluation of the risk significant HFEs of the procedures is consistent with plant observations and training procedures. Model SR HR-E4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE simulator observations or talk-throughs with operators to confirm the Operator interviews were conducted in August 2005 during the Doc.

response models for scenarios modeled. reevaluation of the risk significant HFEs Model SR HR-F1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE human failure events (HFEs) that represent the impact of the human HFEs were defined during the performance of the IPE. Doc.

failures at the function, system, train, or component level as appropriate.

Failures to correctly perform several responses may be grouped into one HFE if Model the impact of the failures is similar or can be conservatively bounded.

Thursday, September 21, 2006 Page A-25 of A-106 A-26

Appendix A - Callaway PRA Gap Analysis SR HR-F2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COMPLETE THE DEFINITION of the HFEs by specifying Risk significant HFEs are fully defined to Category III Doc.

(a) accident sequence specific timing of cues, and time window for successful requirements.

completion Model (b) accident sequence specific procedural guidance (e.g., AOPs, and EOPs)

(c) the availability of cues and other indications for detection and evaluation errors (d) the specific high level tasks (e.g., train level) required to achieve the goal of the response.

SR HR-G1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM detailed analyses for the estimation of HEPs for significant HFEs. Detailed analysis performed for all risk significant HFEs. All Doc.

USE screening values for HEPs for non-significant human failure basic events. other values remain at the original IPE values.

Model SR HR-G2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE an approach to estimation of HEPs that addresses failure in cognition as Risk significant HFEs were revised in 2005 using the EPRI Doc.

well as failure to execute. HRA Calculator Version 3.0 which meets the criteria.

Model Thursday, September 21, 2006 Page A-26 of A-106 A-27

Appendix A - Callaway PRA Gap Analysis SR HR-G3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When estimating HEPs EVALUATE the impact of the following plant-specific In the evaluation of the risk significant HEPs, all of the listed Doc.

and scenario-specific performance shaping factors: PSF were considered.

(a) quality [type (classroom or simulator) and frequency] of the operator Model training or experience (b) quality of the written procedures and administrative controls (c) availability of instrumentation needed to take corrective actions (d) degree of clarity of cues/indications (e) human-machine interface (f) time available and time required to complete the response (g) complexity of the required response (h) environment (e.g., lighting, heat, radiation) under which the operator is working (i) accessibility of the equipment requiring manipulation (j) necessity, adequacy, and availability of special tools, parts, clothing, etc.

SR HR-G4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No BASE the time available to complete actions on appropriate realistic generic Time windows for operator action were developed using plant- Doc.

thermal/hydraulic analyses, or simulation from similar plants (e.g., plant of specific MAAP analysis during performance of the IPE.

similar design and operation). SPECIFY the point in time at which operators Model are expected to receive relevant indications.

SR HR-G5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When needed, BASE the required time to complete actions for significant HFEs Required times for completion of actions was developed during Doc.

on action time measurements in either walkthroughs or talk-throughs of the the IPE.

procedures or simulator observations. Model Thursday, September 21, 2006 Page A-27 of A-106 A-28

Appendix A - Callaway PRA Gap Analysis SR HR-G6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CHECK the consistency of the post-initiator HEP quantifications. REVIEW the The analyst who performed the reevaluation of the HFEs Doc. HR-2 HFEs and their final HEPs relative to each other to check their reasonableness indicated that a reasonableness check was performed, however given the scenario context, plant history, procedures, operational practices, and the documentation does not discuss this issue. Model experience.

SR HR-G7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For multiple human actions in the same accident sequence or cut set, identified The dependency between human interactions is assessed and is Doc.

in accordance with supporting requirement QU-C1, ASSESS the degree of discussed in Appendix E of calculation ZZ-278, Rev. 0, dependence, and calculate a joint human error probability that reflects the Addendum 1. Model dependence. ACCOUNT for the influence of success or failure in preceding human actions and system performance on the human event under consideration including:

(a) time required to complete all actions in relation to the time available to perform the actions (b) factors that could lead to dependence (e.g., common instrumentation, common procedures, increased stress, etc.)

(c) availability of resources (e.g., personnel) [Note (3)]

SR HR-G9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Characterize the uncertainty in the estimates of the HEPs consistent with the HEPs are presented in terms of mean values and error factors. Doc.

quantification approach, and PROVIDE mean values for use in the quantification of the PRA results. Model Thursday, September 21, 2006 Page A-28 of A-106 A-29

Appendix A - Callaway PRA Gap Analysis SR HR-H1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE operator recovery actions that can restore the functions, systems, or The IPE inclusion of operator actions meets the category II Doc.

components on an as needed basis to provide a more realistic evaluation of requirement significant accident sequences. Model SR HR-H2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CREDIT operator recovery actions only if, on a plant-specific basis: Opeator actions included in the Callaway PRA account for items Doc.

(a) a procedure is available and operator training has included the action as part a-d of the requirement.

of crews training, or justification for the omission for one or both is provided Model (b) cues (e.g., alarms) that alert the operator to the recovery action provided procedure, training, or skill of the craft exist (c) attention is given to the relevant performance shaping factors provided in HR-G3 (d) there is sufficient manpower to perform the action SR HR-H3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ACCOUNT for any dependency between the HFE for operator recovery and any The dependency between human interactions is assessed and is Doc.

other HFEs in the sequence, scenario, or cutset to which the recovery is applied discussed in Appendix E of calculation ZZ-278, Rev. 0, (see HR-G7). Addendum 1. Model SR HR-I1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the human reliability analysis in a manner that facilitates PRA The documentation of the HRA facilitates PRA applications, Doc.

applications, upgrades, and peer review. upgrades, and peer review.

Model Thursday, September 21, 2006 Page A-29 of A-106 A-30

Appendix A - Callaway PRA Gap Analysis SR HR-I2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the processes used to identify, characterize and quantify the pre- The process is well documented and addresses all the issues Doc.

initiator, post-initiator and recovery actions considered in the PRA, including included in the SR.

the inputs, methods, and results. For example, this documentation typically Model includes:

(a) HRA methodology and process used to identify pre- and post-initiator HEPs (b) qualitative screening rules and results of screening (c) factors used in the quantification of the human action, how they were derived (their bases), and how they were incorporated into the quantification process (d) quantification of HEPs, including:

(1) screening values and their bases (2) detailed HEP analyses with uncertainties and their bases (3) the method and treatment of dependencies for post-initiator actions (4) tables of pre- and post-initiator human actions evaluated by model, system, initiating event, and function (5) HEPs for recovery actions and their dependency with other HEPs SR HR-I3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources uncertainty associated with Key assumptions are documented in the individual analyses Doc. HR-3 the human reliability analysis. files, where applicable. Key sources of uncertainty associated with the HRA are not documented. Model Thursday, September 21, 2006 Page A-30 of A-106 A-31

Appendix A - Callaway PRA Gap Analysis High Level Requirement IE SR IE-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY those initiating events that challenge normal plant operation and that The Callaway identification of initiating events that challenge Doc. IE-1 require successful mitigation to prevent core damage using a structured, normal plant operation and require successful mitigation to systematic process for identifying initiating events that accounts for plant- prevent core damage was initially performed using a structured Model specific features. For example, such a systematic approach may employ master systematic process to account for plant specific features. It is logic diagrams, heat balance fault trees, or failure modes and effects analysis unclear from the documentation whether the initial basis for (FMEA). Existing lists of known initiators are also commonly employed as a selecting the support system initiating events is ever revisited starting point. with the changing models or plant modifications. The Callaway PRA meets SR IE-A1.

Thursday, September 21, 2006 Page A-31 of A-106 A-32

Appendix A - Callaway PRA Gap Analysis SR IE-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE in the spectrum of internal-event challenges considered at least the The Callaway PRA includes the identified general categories Doc.

following general categories: and therefore meets the SR IE-A2.

(a) Transients. INCLUDE among the transients both equipment and human Model induced events that disrupt the plant and leave the primary system pressure boundary intact.

(b) LOCAs. INCLUDE in the LOCA category both equipment and human induced events that disrupt the plant by causing a breach in the core coolant system with a resulting loss of core coolant inventory. DIFFERENTIATE the LOCA initiators, using a defined rationale for the differentiation. Example of LOCA types includes:

(1) Small LOCAs. Examples: reactor coolant pump seal LOCAs, small pipe breaks (2) Medium LOCAs. Examples: stuck open safety or relief valves (3) Large LOCAs. Examples: inadvertent ADS, component ruptures (4) Excessive LOCAs. (LOCAs that cannot be mitigated by any combination of engineered systems). Example: reactor pressure vessel rupture (5) LOCAs Outside Containment. Example: primary system pipe breaks outside containment (BWRs)

(c) SGTRs: INCLUDE spontaneous rupture of a steam generator tube (PWRs)

(d) ISLOCAs: INCLUDE postulated events in systems interfacing with the reactor coolant system that could fail or be operated in such a manner as to result in an uncontrolled loss of core coolant outside the containment [e.g.,

interfacing systems LOCAs (ISLOCAs)].

(e) Special initiators (e.g., support systems failures, instrument line breaks)

[Note (1)].

(f) Internal flooding initiators (see IF-D1 and D2) [Note (1)].

SR IE-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW the plant-specific initiating event experience of all initiators to ensure The plant trips were reviewed in the development of the IPE and Doc.

that the list of challenges accounts for plant experience. See also IE-A7. documented in Calc. ZZ-261. This calculation has never been updated since 1992. Model The plant trips occurring since the completion of the IPE have been systematically reviewed and updated via calculation ZZ-257. This process is completed for each update and. therefore meets SR IE-A3 Thursday, September 21, 2006 Page A-32 of A-106 A-33

Appendix A - Callaway PRA Gap Analysis SR IE-A3a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW generic analyses of similar plants to assess whether the list of This was performed in the original PRA in Calculation ZZ-256, Doc. IE-2 challenges included in the model accounts for industry experience. which has not been revisited. There doesnt appear to be any process to review current industry lists. The Callaway PRA Model meets SR IE-A3a SR IE-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM a systematic evaluation of each system, including support systems, The initial screening of the systems was performed during the Doc. IE-3 to assess the possibility of an initiating event occurring due to a failure of the initial PRA and is discussed in 3.1.1.1.3 of the IPE submittal.

system. USE a structured approach (such as a system-by-system review of Detailed FMEAs were developed for those systems identified as Model initiating event potential, or an FMEA [failure modes and effects analysis], or leading to plant trip. However, there was no justification other systematic process) to assess and document the possibility of an initiating provided for the exclusion of systems for which FMEAs were event resulting from individual systems or train failures. not performed. The FMEAs performed were documented in Calcs ZZ-116 (DC Power), ZZ-119 (AC Power), ZZ-120 (HVAC), EA-03 (SWS), EG-18 (CCWS), KA-30 (IAS). These FMEAs or the screening evaluations have not been revisited since the IPE. In order to meet Category 2 requirements, the documentation of the basis for the disposition of each system as an initiating event must be specified. In order to keep this documentation current, a review of the applicability of the FMEAs/screening basis should be made during each model update.

SR IE-A4a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When performing the systematic evaluation required in IE-A4, INCLUDE The support system FMEAs were examined on the basis of loss Doc.

initiating events resulting from multiple failures, if the equipment failures result of each load. If loss of that load resulted in a reactor trip and from a common cause, and from routine system alignments. loss of mitigation capability the event was identified as an Model initiating event, regardless of the necessary failures to lose the load. The IE fault trees contain random as well as common cause events. Other than the documentation requirements discussed above, the Callaway models meet the Category 3 requirements for IE-A4a Thursday, September 21, 2006 Page A-33 of A-106 A-34

Appendix A - Callaway PRA Gap Analysis SR IE-A5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In the identification of the initiating events, INCORPORATE The screening process does not distinguish why events which Doc. IE-4 (a) events that have occurred at conditions other than at-power operation (i.e., occur during non-power were excluded. Therefore SR IE-A5 is during low-power or shutdown conditions), and for which it is determined that not met. Model the event could also occur during at-power operation.

(b) events resulting in a controlled shutdown that includes a scram prior to reaching low -power conditions, unless it is determined that an event is not applicable to at-power operation.

SR IE-A6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INTERVIEW plant personnel (e.g., operations, maintenance, engineering, safety The IPE calculations were reviewed by each of the mentioned Doc. IE-5 analysis) to determine if potential initiating events have been overlooked. groups prior to the IPE submittal however, it is not clear if this process is ever revisited. The analysis meets Cat. 2 SR IE-A6 Model but should be revisited as part of each major update.

SR IE-A7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW plant-specific operating experience for initiating event precursors, for There was no evidence found that operating experience was Doc. IE-6 the purposes of identifying additional initiating events For example, plant- reviewed with precursors in mind. If an event did not result in specific experience with intake structure clogging might indicate that loss of the generation of a trip or an LER, then it was not reviewed. Model intake structures should be identified as a potential initiating event. Interviews with operations and maintenance personnel would be one method to meet SR IE-A7. The current analysis does not meet Cat 2 SR IE-A7.

SR IE-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COMBINE initiating events into groups to facilitate definition of accident Callaway groups the IEs into logical groups and meets SR IE-B1. Doc.

sequences in the Accident Sequence Analysis element (para. 4.5.2) and to facilitate quantification in the Quantification element (para. 4.5.8). Model Thursday, September 21, 2006 Page A-34 of A-106 A-35

Appendix A - Callaway PRA Gap Analysis SR IE-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE a structured, systematic process for grouping initiating events. For The Callaway IPE used a structured approach to group the Doc.

example, such a systematic approach may employ master logic diagrams, heat individual initiating events and meets SR IE-B2 balance fault trees, or failure modes and effects analysis (FMEA). Model SR IE-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No GROUP initiating events only when the following is true: The method Callaway used to group the individual initiating Doc.

(a) events can be considered similar in terms of plant response, success criteria, events looked at the impact to the plant and whether they timing, and the effect on the operability and performance of operators and required a different plant response or different mitigating system Model relevant mitigating systems; or impact. If no additional plant effects were identified, the event (b) events can be was considered to be in either the T2, transient w/MFW subsumed into a group and bounded by the worst case impacts within the "new" unavailable or T3, transient w/MFW available depending upon group. the impact to the plant. The documentation of the initiating AVOID subsuming events into a group unless: event grouping does not discuss timing issues which may (i) the impacts are comparable to or less than those of the remaining events in impact the success criteria or human error evaluations. The that group, success criteria used to evaluate the event trees are selected to AND represent the worst case scenario for the IE group. The HEP (ii) it is demonstrated that such grouping does not impact significant accident quantification where an event is performed for the limiting time sequences. window. The Cat. 2 criteria for SR IE-B3 are therefore met.

SR IE-B4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No GROUP separately from other initiating event categories those categories with All scenarios which are LERF scenarios are maintained Doc.

different plant response (i.e., those with different success rate criteria) impacts separately. The success criteria are a major factor in grouping.

or those that could have more severe radionuclide release potential (e.g., The Callaway PRA meets SR IE-B4. Model LERF). This includes such initiators as excessive LOCA, interfacing systems LOCA, steam generator tube ruptures, and unisolated breaks outside containment.

Thursday, September 21, 2006 Page A-35 of A-106 A-36

Appendix A - Callaway PRA Gap Analysis SR IE-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CALCULATE the initiating event frequency accounting for relevant generic The IE frequencies do not include any distribution information. Doc. IE-7 and plant specific data unless it is justified that there are adequate plant specific The Callaway PRA justifies excluding the early operational data data to characterize the parameter value and its uncertainty. (See also IE-C11 not indicative of normal plant power operation. The IE Model for requirements for rare and extremely rare events) frequencies need to have uncertainty bounds assigned to meet SR IE-C1.

SR IE-C1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When using plant-specific data, USE the most recent applicable data to quantify The IE frequencies do not include any distribution information. Doc. IE-7 the initiating event frequencies. JUSTIFY excluded data that is not considered The Callaway PRA justifies excluding the early operational data to be either recent or applicable (e.g., provide evidence via design or operational not indicative of normal plant power operation. The IE Model change that the data are no longer applicable.) frequencies need to have uncertainty bounds assigned to meet SR IE-C1a.

SR IE-C1b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CREDIT recovery actions (those implied in IE-C4(c), and those implied and As noted in SY, the Callaway PRA credits repair of hardware Doc. IE-8 discussed in IE-C6 through IE-C9) as appropriate JUSTIFY each such credit faults in the recovery of the loss of CCW and loss of SWS (as evidenced such as through procedures or training). initiating events. The recovery events, which include recovery Model of CCF of pumps and valves lack sufficient analysis or data.

The Callaway PRA does not meet SR IE-C1b. (See also SY-22)

SR IE-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When combining evidence from generic and plant specific data, USE a The Callaway IPE uses Bayesian update techniques, however, Doc. IE-9 Bayesian update process or equivalent statistical process. JUSTIFY the limited justification is provided about the informative prior selection of any informative prior distribution used on the basis of industry distribution. SR IE-C2 is met. Refer to note 2 of the standard Model experience. [See Note 2] for guidance.

Thursday, September 21, 2006 Page A-36 of A-106 A-37

Appendix A - Callaway PRA Gap Analysis SR IE-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CALCULATE initiating event frequencies on a reactor year basis. [See Note 3] The Callaway PRA does not make this correction. Note that the Doc. IE-10 INCLUDE in the initiating event analysis the plant availability, such that the T2 and T3 initiating events already include this based on the frequencies are weighted by the fraction of time the plant is at-power. data collection method and calculation. SR-C3 is not explicitly Model met for the other initiating events. Refer to the ASME Standard for guidance on making this correction.

SR IE-C4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE as screening criteria no higher than the following characteristics (or more No internal event initiating event was screened from the Doc.

stringent characteristics as devised by the analyst) to eliminate initiating events evaluation. SR IE-C4 is met.

or groups from further evaluation: Model (a) the frequency of the event is less than 1E-7 per reactor year (/ry) and the event does not involve either an ISLOCA, containment bypass, or reactor pressure vessel rupture (b) the frequency of the event is less than 1E-6/ry and core damage could not occur unless at least two trains of mitigating systems are failed independent of the initiator, or (c) the resulting reactor shutdown is not an immediate occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions, with a high degree of certainty (based on supporting calculations), are detected and corrected before normal plant operation is curtailed (either administratively or automatically).

If either criterion (a) or (b) above is used, then CONFIRM that the value specified in the criterion meets the applicable requirements in the Data Analysis section (para. 4.5.6) and the Level 1 Quantification section (para. 4.5.8).

SR IE-C5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No No requirement for time trend analysis. No time trend analysis is required for Cat. 2 SR IE-C5. Doc.

Model Thursday, September 21, 2006 Page A-37 of A-106 A-38

Appendix A - Callaway PRA Gap Analysis SR IE-C6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Some initiating events are amenable to fault-tree modeling as the appropriate The Callaway PRA uses fault trees to calculate the support Doc.

way to quantify them. These initiating events, usually support system failure system initiating events. The support system initiator fault trees events, are highly dependent upon plant-specific design features. If fault-tree are based on the system fault trees and meet SR IE-C6. Model modeling is used for initiating events, USE the applicable systems-analysis requirements for fault-tree modeling found in the Systems Analysis section (para. 4.5.4).

SR IE-C7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If fault tree modeling is used for initiating events, QUANTIFY the initiating The fault trees used to quantify the support system initiating Doc. IE-11 event frequency (as opposed to the probability of an initiating event over a events all appear to use the correct computational methodology specific time frame, which is the usual fault tree quantification model described however the clarity is somewhat limited. The quantification Model in the Systems Analysis section, para. 4.5.4.). MODIFY, as necessary, the fault process and maintenance of the support system initiating event tree computational methods that are used so that the top event quantification fault trees could be improved and a better understanding of the produces a failure frequency rather than a top event probability as normally support system importance by actually using a modified computed. USE the applicable requirements in the Data Analysis section, para. support system fault tree to generate an equation which then is 4.5.6, for the data used in the fault-tree quantification. assigned to the initiating event for the corresponding event tree.

The current methodology marginally meets SR IE-C7 and IE-C8.

SR IE-C8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If fault-tree modeling is used for initiating events, CAPTURE within the The fault trees used to quantify the support system initiating Doc. IE-11 initiating event fault tree models all relevant combinations of events involving events all appear to use the correct computational methodology the annual frequency of one component failure combined with the unavailability however the clarity is somewhat limited. The quantification Model (or failure during the repair time of the first component) of other components. process and maintenance of the support system initiating event fault trees could be improved and a better understanding of the support system importance by actually using a modified support system fault tree to generate an equation which then is assigned to the initiating event for the corresponding event tree.

The current methodology marginally meets SR IE-C7 and IE-C8.

Thursday, September 21, 2006 Page A-38 of A-106 A-39

Appendix A - Callaway PRA Gap Analysis SR IE-C9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If fault-tree modeling is used for initiating events, USE plant-specific The Callaway PRA credits repair of hardware faults in the Doc. IE-8 information in the assessment and quantification of recovery actions where recovery of the loss of CCW and loss of SWS initiating events.

available, consistent with the applicable requirements in the Human Reliability The recovery events, which include recovery of CCF of pumps Model Analysis section (para. 4.5.5) and valves lack sufficient analysis or data. The Callaway PRA does not meet criterion IE-C9.

SR IE-C10 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COMPARE results and EXPLAIN differences in the initiating event analysis There is no documentation of a comparison with generic data Doc. IE-12 with generic data sources to provide a reasonableness check of the results. sources for the support system initiating event fault tree results.

This comparison needs to be documented as part of each update Model in order to meet SR IE-C10.

SR IE-C11 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For rare initiating events, USE industry generic data and INCLUDE plant- The basis for initiating event frequencies used for the rare and Doc.

specific functions. For extremely rare initiating events, engineering judgment extremely rare IEs are well documented and are from acceptable may be used; if used, AUGMENT with applicable generic data sources. sources. SR IE-C11 is met. Model Refer to para. 4.3, Use of Expert Judgment, as appropriate.

For purposes of this Requirement, a rare event might be expected to occur one or a few times throughout the world nuclear industry over many years. An extremely rare event would not be expected to occur even once throughout the industry over many years.

Thursday, September 21, 2006 Page A-39 of A-106 A-40

Appendix A - Callaway PRA Gap Analysis SR IE-C12 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In the ISLOCA frequency analysis, INCLUDE the following features of plant The Callaway treatment of ISLOCA addresses items a-d and Doc. IE-13 and procedures that influence the ISLOCA frequency: may include item e but that is not clear. The ISLOCA (a) configuration of potential pathways including numbers and types of values documentation is good for the evaluation of the high/low Model and their relevant failure modes existence and positioning of relief valves interfaces (ZZ-105) however the documentation of the (b) provision of protective interlocks quantification from that point on is minimal, is not incorporated (c) relevant surveillance test procedures. in the main model, and has not been revised or reexamined since (d) the capability of secondary system piping the IPE submittal. The ISLOCA model as it now stands does (e) isolation capabilities given high flow/differential pressure conditions that not meet SR IE-C12.

might exist following breach of the secondary system, SR IE-C13 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CHARACTERIZE the uncertainty in the initiating event frequencies and The data used in the PRA quantification are mean values but Doc. IE-7 PROVIDE mean values for use in the quantification of the PRA results. there is no characterization of the uncertainty. Therefore SR IE-C13 is not met. Model SR IE-D1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the initiating event analysis in a manner that facilitates PRA The initiating event analysis documentation does not facilitate Doc. IE-14 applications, upgrades, and peer review. PRA applications, upgrades, and peer review.

Model Thursday, September 21, 2006 Page A-40 of A-106 A-41

Appendix A - Callaway PRA Gap Analysis SR IE-D2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the processes used to select, group, and screen the initiating The current documentation of the initiating event selection, Doc. IE-14 events and to model and quantify the initiating event frequencies, including the grouping, screening, modeling, and quantification is scattered inputs, methods, and results. For example, this documentation typically throughout multiple calculation packages and only small Model includes: portions have been updated since the completion of the IPE.

(a) the functional categories considered and the specific initiating events The documentation could be significantly enhanced by included in each. combining all IE related calculations into one IE calculation (b) the systematic search for plant-unique and plant-specific support system package and making a commitment to revisit the calculation initiators. during each model update.

(c) the systematic search for RCS pressure boundary failures and interfacing system LOCAs.

(d) the approach for assessing completeness and consistency of initiating events with plant-specific experience, industry experience, other comparable PRAs and FSAR initiating events.

(e) the basis for screening out initiating events.

(f) the basis for grouping and subsuming initiating events (g) the dismissal of any observed initiating events, including any credit for recovery (h) the derivation of the initiating event frequencies and the recoveries used.

(i) the approach to quantification of each initiating event frequency.

(j) the justification for exclusion of any data.

SR IE-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources uncertainty associated with The assumptions made during the initiating events analysis are Doc. IE-14 the initiating event analysis. spread throughout multiple documents which makes it difficult to judge whether the assumptions are fully documented. Model Likewise, the key sources of uncertainty in the initiating events analysis are spread throughout multiple documents which makes it difficult to judge whether the assumptions are fully documented.

Thursday, September 21, 2006 Page A-41 of A-106 A-42

Appendix A - Callaway PRA Gap Analysis High Level Requirement IF SR IF-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE flood areas by dividing the plant into physically separate areas where a Internal flooding evaluation meets this requirement. ZZ-434. Doc.

flood area is viewed as generally independent of other areas in terms of the ZZ-279.

potential for internal flooding effects and flood propagation. Model SR IF-A1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE flood areas at the level of individual rooms or combined rooms/halls This requirement is met at Category II/III. ZZ-434. Doc.

for which plant design features exist to restrict flooding. ZZ-279.

Model SR IF-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE plant information sources that reflects the as-built as-operated plant to Internal flooding evaluation meets this requirement. ZZ-434. Doc.

support development of flood areas. ZZ279.

Model SR IF-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CONDUCT plant walkdown(s) to verify the accuracy of information obtained This requirement is met. ZZ-436. ZZ-279. ZZ-274. Doc.

from plant information sources and to obtain or verify:

(a) spatial information needed for the development of flood areas, and Model (b) plant design features credited in defining flood areas.

Note: A walkdown(s) may be done in conjunction with the requirements of IF-B3a, IF-C9 and IF-E8.

Thursday, September 21, 2006 Page A-42 of A-106 A-43

Appendix A - Callaway PRA Gap Analysis SR IF-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each flood area, IDENTIFY the potential sources of flooding [Note 1]. This requirement is met. ZZ-466 Doc.

INCLUDE:

(a) equipment (e.g., piping, valves, pumps) located in the area that are Model connected to fluid systems (e.g., circulating water system, service water system, component cooling water system, feedwater system, condensate and steam systems)

(b) plant internal sources of flooding (e.g., tanks or pools) located in the flood area (c) plant external sources of flooding (e.g., reservoirs or rivers) that are connected to the area through some system or structure (d) in-leakage from other flood areas (e.g., back flow through drains, doorways, etc.)

SR IF-B1b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT flood areas with none of the potential sources of flooding listed This requirement is met. ZZ-462, ZZ-466. Doc.

in IF-B1and IF-B1a.

Model SR IF-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each potential source of flooding, IDENTIFY the flooding mechanisms that This requirement is met. ZZ-466. Doc.

would result in a fluid release. INCLUDE:

(a) failure modes of components such as pipes, tanks, gaskets, expansion joints, Model fittings, seals, etc.

(b) human-induced mechanisms that could lead to overfilling tanks, diversion of flow through openings created to perform maintenance; inadvertent actuation of fire suppression system (c) other events resulting in a release into the flood area Thursday, September 21, 2006 Page A-43 of A-106 A-44

Appendix A - Callaway PRA Gap Analysis SR IF-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each source and its identified failure mechanism, IDENTIFY the This requirement is met. ZZ-466. Doc.

characteristic of release and the capacity of the source. INCLUDE:

(a) a characterization of the breach, including type (e.g., leak, rupture, spray) Model (b) flow rate (c) capacity of source (e.g., gallons of water)

(d) the pressure and temperature of the source SR IF-B3a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CONDUCT plant walkdown(s) to verify the accuracy of information obtained This requirement is met. ZZ-436. ZZ-279. ZZ-274. Doc.

from plant information sources and to determine or verify the location of flood sources and in-leakage pathways Model Note: Walkdown(s) may be done in conjunction with the requirements of IF-A4, IF-C9 and IF-E8.

SR IF-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each defined flood area and each flood source, IDENTIFY the propagation This requirement is met. ZZ-436. Doc.

path from the flood source area to its area of accumulation.

Model Thursday, September 21, 2006 Page A-44 of A-106 A-45

Appendix A - Callaway PRA Gap Analysis SR IF-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each defined flood area and each flood source, IDENTIFY plant design This requirement is met. ZZ-466 Doc.

features that have the ability to terminate or contain the flood propagation.

INCLUDE the presence of : Model (a) flood alarms, (b) flood dikes, curbs, sumps (i.e., physical structures that allow for the accumulation and retention of water),

(c) drains (i.e., physical structures that can function as drains),

(d) sump pumps, spray shields, water-tight doors, and (e) blowout panels or dampers with automatic or manual operation capability.

SR IF-C2a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each defined flood area and each flood source, IDENTIFY those automatic This requirement is not met. ZZ-466 treats operator response in Doc. IF-5 or operator responses that have the ability to terminate or contain the flood a generic sense.

propagation. Model SR IF-C2b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTIMATE the capacity of the drains and the amount of water retained by This requirement is met. ZZ-466 Doc.

sumps, berms, dikes and curbs. ACCOUNT for these factors in estimating flood volumes and SSC impacts from flooding. Model Thursday, September 21, 2006 Page A-45 of A-106 A-46

Appendix A - Callaway PRA Gap Analysis SR IF-C2c Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each flood area not screened out using the requirements under other Internal This requirement is met. ZZ-466. Additionally, SSCs identified Doc.

Flooding supporting requirements (e.g., IF-B1b and IF-C5), IDENTIFY the for most flood zones that were screened out.

SSCs located in each defined flood area and along flood propagation paths that Model are modeled in the internal events PRA model as being required to respond to an initiating event or whose failure would challenge normal plant operation, and are susceptible to flood. For each identified SSC, IDENTIFY, for the purpose of determining its susceptibly per IF-C3, its spatial location in the area and any flooding mitigative features (e.g., shielding, flood or spray capability ratings).

SR IF-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For the SSCs identified in IF-C2c, IDENTIFY the susceptibility of each SSC in This requirement is met to Category I/II. ZZ-462, ZZ-466 Doc.

a flood area to flood-induced failure mechanisms.

INCLUDE failure by submergence and spray in the identification process. Model EITHER:

(a) ASSESS qualitatively the impact of flood-induced mechanisms that are not formally addressed (e.g., using the mechanisms listed under Capability Category III of this requirement), by using conservative assumptions; OR (b) NOTE that these mechanisms are not included in the scope of the evaluation.

SR IF-C3a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In applying SR IF-C3 to determine susceptibility of SSCs to flood-induced This requirement is met. ZZ-462, ZZ-466 Doc.

failure mechanisms, TAKE CREDIT for the operability of SSCs identified in IF-C2c with respect to internal flooding impacts only if supported by an Model appropriate combination of:

(a) test or operational data (b) engineering analysis (c) expert judgment.

Thursday, September 21, 2006 Page A-46 of A-106 A-47

Appendix A - Callaway PRA Gap Analysis SR IF-C3b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY inter-area propagation through the normal flow path from one area This requirement is met to Category II. ZZ-466. Doc.

to another via drain lines; and areas connected via back flow through drain lines involving failed check valves, pipe and cable penetrations (including cable Model trays), doors, stairwells, hatchways, and HVAC ducts.

INCLUDE potential for structural failure (e.g., of doors or walls) due to flooding loads.

SR IF-C3c Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM any necessary engineering calculations for flood rate, time to reach This requirement is met. ZZ-466 Doc.

susceptible equipment, and the structural capacity of SSCs in accordance with the applicable requirements described in Table 4.5.3-2(b). Model SR IF-C4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP flood scenarios (i.e., the set of information regarding the flood area, This requirement is met. ZZ-462, ZZ-466 Doc.

source, flood rate and source capacity, operator actions, and SSC damage that together form the boundary conditions for the interface with the internal events Model PRA) by examining the equipment and relevant plant features in the flood area and areas in potential propagation paths, giving credit for appropriate flood mitigation systems or operator actions, and identifying susceptible SSCs.

Thursday, September 21, 2006 Page A-47 of A-106 A-48

Appendix A - Callaway PRA Gap Analysis SR IF-C5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT flood areas where flooding of the area does not cause an This requirement is met. ZZ-436. Doc.

initiating event or a need for immediate plant shutdown, AND either of the following applies: Model (a) the flood area (including adjacent areas where flood sources can propagate) contains no mitigating equipment modeled in the PRA; OR (b) the flood area has no flood sources sufficient (e.g., through spray, immersion, or other applicable mechanism) to cause failure of the equipment identified in IF-C2c.

DO NOT USE failure of a barrier against inter-area propagation to justify screening (i.e., for the purposes of screening, do not credit such failures as a means of beneficially draining the area)

JUSTIFY any other qualitative screening criteria.

SR IF-C5a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT flood areas where flooding of the area does not cause an This requirement is met. ZZ-436, ZZ-466. Doc.

initiating event or a need for immediate plant shutdown, AND the following applies: Model The flood area contains flooding mitigation systems (e.g., drains or sump pumps) capable of preventing unacceptable flood levels, and the nature of the flood does not cause equipment failure (e.g., through spray, immersion, or other applicable failure mechanisms).

DO NOT CREDIT mitigation systems for screening out flood areas unless there is a definitive basis for crediting the capability and reliability of the flood mitigation system(s).

Thursday, September 21, 2006 Page A-48 of A-106 A-49

Appendix A - Callaway PRA Gap Analysis SR IF-C6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE potential human mitigative actions as additional criteria for screening out This requirement is met to Category I only. ZZ-466 allows the Doc. IF-3 flood areas if all the following can be shown: operator intervention and mitigation for floods that take 30 (a) flood indication is available in the control room minutes or longer. Isolation and available manpower not Model (b) the flood sources in the area can be isolated specifically addressed. F&O IF-3 (c) the mitigative action can be performed with high reliability for the worst flooding initiator. High reliability is established by demonstrating, for example, that the actions are procedurally directed, that adequate time is available for response, that the area is accessible, and that there is sufficient manpower available to perform the actions.

SR IF-C7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT flood sources if it can be shown that: This requirement is met. ZZ-466, ZZ-436. Doc.

(a) the flood source is insufficient (e.g., through spray, immersion, or other applicable mechanism) to cause failure of equipment identified in IF-C2c; OR Model (b) the area flooding mitigation systems (e.g., drains or sump pumps) are capable of preventing unacceptable flood levels and nature of the flood does not cause failure of equipment identified in IF- C2c (e.g., through spray, immersion, or other applicable failure mechanism); OR (c) the flood only affects the system that is the flood source and the systems analysis addresses this per SY-A13 and SY-A14 and need not be treated as a separate internal flooding initiating event.

Thursday, September 21, 2006 Page A-49 of A-106 A-50

Appendix A - Callaway PRA Gap Analysis SR IF-C8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE potential human mitigative actions as additional criteria for screening out This requirement is met to Category I only. ZZ-466 allows the Doc. IF-3 flood sources if all the following can be shown: operator intervention and mitigation for floods that take 30 (a) flood indication is available in the control room, minutes or longer. Isolation and available manpower not Model (b) the flood source can be isolated, and specifically addressed. F&O IF-3 (c) the mitigative action can be performed with high reliability for the worst flood from that source. High reliability is established by demonstrating, for example, that the actions are procedurally directed, that adequate time is available for response, that the area is accessible, and that there is sufficient manpower available to perform the actions.

SR IF-C9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CONDUCT plant walkdown(s) to verify the accuracy of information obtained This requirement is met. ZZ-436, ZZ-466. Doc.

from plant information sources and to obtain or verify:

(a) SSCs located within each defined flood area Model (b) flood / spray / other applicable mitigative features of the SSCs located within each defined flood area (e.g., drains, shields, etc.)

(c) pathways that could lead to transport to the flood area Note: Walkdown(s) may be done in conjunction with the requirements of IF-A4, IF-B3a and IF-E8.

SR IF-D1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each flood scenario, IDENTIFY the corresponding plant initiating event This requirement is met. The flooding initiators are not grouped Doc.

group identified per Table 4.5.7-1 and the scenario-induced failures of SSCs with any other initiator. ZZ-462.

required to respond to the plant initiating event. INCLUDE the potential for a Model flooding-induced transient or LOCA.

If an appropriate plant initiating event group does not exist, CREATE a new plant initiating event group in accordance with the applicable requirements of Table 4.5.1-2(b).

Thursday, September 21, 2006 Page A-50 of A-106 A-51

Appendix A - Callaway PRA Gap Analysis SR IF-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No GROUP flooding scenarios identified in IF-C4 only when the following is true: This requirement is met to Category III since the flooding Doc.

(a) scenarios can be considered similar in terms of plant response, success initiators are treated individually and not grouped. ZZ-462.

criteria, timing, and the effect on the operability and performance of operators Model and relevant mitigating systems; or (b) scenarios can be subsumed into a group and bounded by the worst case impacts within the new group.

AVOID subsuming scenarios into a group unless:

(i) the impacts are comparable to or less than those of the remaining scenarios in that group, AND (ii) it is demonstrated that such grouping does not impact significant accident sequences.

SR IF-D3a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No GROUP OR SUBSUME the flood initiating scenarios with an existing plant This requirement is met to Category III. Flooding initiators are Doc.

initiating event group, if the impact of the flood (i.e., plant response and not grouped or subsumed into other plant initiating event mitigating system capability) is the same as a plant initiating event group groups. ZZ-434, ZZ-436, ZZ-466. Model already considered in the PRA in accordance with the applicable requirements of Table 4.5.1-2(b).

SR IF-D5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DETERMINE the flood initiating event frequency for each flood scenario group This requirement is met to Category I. The flood initiating Doc. IF-1 by using the applicable requirements in Table 4.5.1-2(c). event frequencies are based on generic pipe break frequencies.

No plant specific experience is considered in the determination Model of the flooding initiator frequencies. Plant experience at the time the flooding analysis was performed was 0 events.

Documentation of the plant specific considerations used in the development of the scenarios needs to be added as discussed in SR IF-D5a.

Thursday, September 21, 2006 Page A-51 of A-106 A-52

Appendix A - Callaway PRA Gap Analysis SR IF-D5a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No GATHER plant-specific information on plant design, operating practices and This requirement is met to Category I. The flood initiating Doc. IF-1 conditions that may impact flood likelihood (i.e., material condition of fluid event frequencies are based on generic pipe break frequencies.

systems, experience with water hammer, and maintenance induced floods). No plant specific experience is considered in the determination Model In determining the flood initiating event frequencies for flood scenario groups, of the flooding initiator frequencies. Plant experience at the USE a combination of time the flooding analysis was performed was 0 events.

(a) generic and plant-specific operating experience, Documentation of the plant specific considerations used in the (b) pipe, component, and tank rupture failure rates from generic data sources development of the scenarios needs to be added as discussed in and plant-specific experience, and SR IF-D5a.

(c) engineering judgment for consideration of the plant-specific information collected, SR IF-D6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE consideration of human-induced floods during maintenance through This requirement is met to Category I/II. IPE discusses Doc.

application of generic data. maintenance induced floods and that they will not be explicitly considered due to low potential. Model SR IF-D7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT flood scenario groups if This requirement is considered to be met. No screening is Doc.

(a) the quantitative screening criteria in IE-C4, as applied to the flood scenario performed based on the value of the flood initiating frequency.

groups, are met, OR ZZ-466. Model (b) the internal flooding initiating event affects only components in a single system, AND it can be shown that the product of the frequency of the flood and the probability of SSC failure given the flood is two orders of magnitude lower than the product of the non-flooding frequency for the corresponding initiating event in the PRA, and the random (non-flood-induced) failure probability of the same SSCs that are assumed failed by the flood.

If the flood impacts multiple systems, DO NOT screen on this basis.

Thursday, September 21, 2006 Page A-52 of A-106 A-53

Appendix A - Callaway PRA Gap Analysis SR IF-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each flood scenario, REVIEW the accident sequences for the associated This requirement is met. ZZ-462. Doc.

plant initiating event group to confirm applicability of the accident sequence model. Model If appropriate accident sequences do not exist, MODIFY sequences as necessary to account for any unique flood-induced scenarios and/or phenomena in accordance with the applicable requirements described in para. 4.5.2.

SR IF-E3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No MODIFY the systems analysis results obtained by following the applicable This requirement is met. ZZ-462. Doc.

requirements described in para 4.5.4 to include flood-induced failures identified by IF-C3. Model SR IF-E3a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SCREEN OUT a flood area if the product of the sum of the frequencies of the This requirement is not met at any Category. The Category I/II Doc. IF-2 flood scenarios for the area, and the bounding conditional core damage screening quantitative criteria in the standard is 1E-09/year. ZZ-probability (CCDP) is less than 1E-9/reactor yr. 466 screening criteria was 1E-06/yr. Model The bounding CCDP is the highest of the CCDP values for the flood scenarios in an area.

SR IF-E4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If additional analysis of SSC data is required to support quantification of flood This requirement is met. ZZ-462. Doc.

scenarios, PERFORM the analysis in accordance with the applicable requirements described in para. 4.5.6. Model Thursday, September 21, 2006 Page A-53 of A-106 A-54

Appendix A - Callaway PRA Gap Analysis SR IF-E5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If additional human failure events are required to support quantification of flood This requirement is not met. The HEP values used in ZZ-466 Doc. IF-4 scenarios, PERFORM any human reliability analysis in accordance with the are not developed from a human reliability analysis.

applicable requirements described in Tables 4.5.5-2(e) through Table 4.5.5-2(h). Model SR IF-E5a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For all human failure events in the internal flood scenarios, INCLUDE the This requirement is not met. The HEP values used in ZZ-466 Doc. IF-4 following scenario-specific impacts on PSFs for control room and ex-control are not developed from a human reliability analysis.

room actions as appropriate to the HRA methodology being used: Model (a) additional workload and stress (above that for similar sequences not caused by internal floods)

(b) cue availability (c) effect of flood on mitigation, required response, timing, and recovery activities (e.g., accessibility restrictions, possibility of physical harm)

(d) flooding-specific job aids and training (e.g., procedures, training exercises)

SR IF-E6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM internal flood sequence quantification in accordance with the This requirement is met. ZZ-462. Doc.

applicable requirements described in para. 4.5.8.

Model SR IF-E6a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE, in the quantification, the combined effects of failures caused by This requirement is met. ZZ-462. Doc.

flooding and those coincident with the flooding due to independent causes including equipment failures, unavailability due to maintenance, and other Model credible causes.

Thursday, September 21, 2006 Page A-54 of A-106 A-55

Appendix A - Callaway PRA Gap Analysis SR IF-E6b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE, in the quantification, both the direct effects of the flood (e.g., loss of This requirement is met. ZZ-462. Doc.

cooling from a service water train due to an associated pipe rupture) and indirect effects such as submergence, jet impingement, and pipe whip, as Model applicable.

SR IF-E7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No For each flood scenario, REVIEW the LERF analysis to confirm applicability of This requirement is not met. The internal flooding sequences Doc. IF-6 the LERF sequences. are not considered in the LERF analysis.

If appropriate LERF sequences do not exist, MODIFY the LERF analysis as Model necessary to account for any unique flood-induced scenarios or phenomena in accordance with the applicable requirements described in para. 4.5.9..

SR IF-E8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CONDUCT walkdown(s) to verify the accuracy of information obtained from This requirement is met. ZZ-436, ZZ-466. Doc.

plant information sources and to obtain or verify inputs to:

(a) engineering analyses Model (b) human reliability analyses (c) spray or other applicable impact assessments (d) screening decisions Note: A walkdown(s) may be done in conjunction with the requirements of IF-A4, IF-B3a, and IF-C9.

SR IF-F1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the internal flooding analysis in a manner that facilitates PRA This requirement is met. ZZ-436, ZZ-466, ZZ-434, ZZ-462, Doc.

applications, upgrades, and peer review. IPE.

Model Thursday, September 21, 2006 Page A-55 of A-106 A-56

Appendix A - Callaway PRA Gap Analysis SR IF-F2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the process used to identify flood sources, flood areas, flood This requirement is met. ZZ-436, ZZ-466, ZZ-434, ZZ-462, Doc.

pathways, flood scenarios, and their screening, and internal flood model IPE.

development and quantification. For example, this documentation typically Model includes:

(a) flood sources identified in the analysis, rules used to screen out these sources, and the resulting list of sources to be further examined (b) flood areas used in the analysis and the reason for eliminating areas from further analysis (c) propagation pathways between flood areas and key assumptions, calculations, or other bases for eliminating or justifying propagation pathways (d) accident mitigating features and barriers credited in the analysis, the extent to which they were credited, and associated justification (e) key assumptions or calculations used in the determination of the impacts of submergence, spray, temperature, or other flood-induced effects on equipment operability (f) screening criteria used in the analysis (g) flooding scenarios considered, screened, and retained (h) description of how the internal event analysis models were modified to model these remaining internal flooding scenarios (i) flood frequencies, component unreliabilities/unavailabilities, and HEPs used in the analysis (i.e., the data values unique to the flooding analysis)

(j) calculations or other analyses used to support or refine the flooding evaluation (k) results of the internal flooding analysis, consistent with the quantification requirements provided in HLR QU-D SR IF-F3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Document the key assumptions and key sources of uncertainty associated with This requirement is met. ZZ-436, ZZ-466, ZZ-434, ZZ-462, Doc.

the internal flooding analysis. IPE.

Model Thursday, September 21, 2006 Page A-56 of A-106 A-57

Appendix A - Callaway PRA Gap Analysis High Level Requirement LE SR LE-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY those physical characteristics at the time of core damage that can These items were included, but not specifically stated. Doc.

influence LERF. Examples include:

(a) RCS pressure (high RCS pressure can result in high pressure melt ejection) Model (b) status of emergency core coolant systems (failure in injection can result in a dry cavity and extensive Core Concrete Interaction)

(c) status of containment isolation (failure of isolation can result in an unscrubbed release)

(d) status of containment heat removal (e) containment integrity (e.g., vented, bypassed or failed)

(f) steam generator pressure and water level (PWRs)

(g) status of containment inerting (BWRs)

SR LE-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY the accident sequence characteristics that lead to the physical All included Doc.

characteristics identified in LE-A1. Examples include:

(a) type of initiator Model (1) Transients can result in high RCS pressure (2) LOCAs usually result in lower RCS pressure (3) ISLOCAs, SGTRs can result in containment bypass.

(b) status of electric power: loss of electric power can result in loss of ECC injection (c) status of containment safety systems such as sprays, fan coolers, igniters, or venting systems: operability of containment safety systems determines status of containment heat removal The references in Notes (1) and (2) provide example lists of typical characteristics.

Thursday, September 21, 2006 Page A-57 of A-106 A-58

Appendix A - Callaway PRA Gap Analysis SR LE-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY how the physical characteristics identified in LE-A1 and the This is obvious from the analysis. Doc.

accident sequence characteristics identified in LE-A2 are addressed in the LERF analysis. For example, Model (a) which characteristics are addressed in the level 1 event trees, (b) which characteristics, if any, are addressed in bridge trees, and (c) which characteristics, if any, are addressed in the containment event trees.

JUSTIFY any characteristics identified in LE-A1 or LE-A2 that are excluded from the LERF analysis.

SR LE-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PROVIDE a method to explicitly account for the LE-A1 and LE-A2 The Level 2 PDS trees are explicitly solved to retain Doc.

characteristics and ensure that dependencies between the Level 1 and Level 2 dependencies.

models are properly treated. Examples include: treatment in Level 2, Model expanding Level 1, construction of a bridge tree, transfer of the information via PDS, or a combination of these.

SR LE-A5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEFINE plant damage states consistent with LE-A1, LE-A2, LE-A3, and LE- Done Doc.

A4.

Model Thursday, September 21, 2006 Page A-58 of A-106 A-59

Appendix A - Callaway PRA Gap Analysis SR LE-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY LERF contributors from the set identified in Table 4.5.9-3. Not necessarily done. LERF identified based on source term Doc. LE-1 INCLUDE as appropriate, unique plant issues as determined by expert judgment and timing. Not evident that containment isolation failure is and/or engineering analyses. included. Not evident that HPME is included. Model Probability of containment isolation failure leading to LERF does not contain a term to represent undetected, residual failures in containment structural integrity. This has been estimated at 5E-3 in NUREG/CR-4550. Failure of containment isolation is derived by fault tree analysis of the containment isolation combinations on the penetration paths. There are three LERF split fractions with probabilities of 7.7E-4. If the 5E-3 was added to this, the split fraction would change, although LERF would not move significantly. Split fractions for induced SGTR and HPME were not explicitly stated in the documentation available for review.

SR LE-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DETERMINE the containment challenges (e.g., temperature, pressure loads, Used plant specific analysis to develop bridge trees whose Doc.

debris impingement) resulting from contributors identified in LE-B1 using success criteria are based on MAAP 3. Used realistic estimate applicable generic or plant-specific analyses for significant containment for phenomena Model challenges. USE conservative treatment or a combination of conservative and realistic treatment for non-significant containment challenges. If generic calculations are used in support of the assessment, JUSTIFY applicability to the plant being evaluated.

SR LE-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No UTILIZE supporting engineering analyses in accordance with the applicable Done Doc.

requirements of Table 4.5.3-2(b).

Model Thursday, September 21, 2006 Page A-59 of A-106 A-60

Appendix A - Callaway PRA Gap Analysis SR LE-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP accident sequences to a level of detail to account for the potential Done Doc.

contributors identified in LE-B1 and analyzed in LE-B2. Compare the containment challenges analyzed in LE-B with the containment structural Model capability analyzed in LE-D and identify accident progressions that have the potential for a large early release.

JUSTIFY any generic or plant- specific calculations or references used to categorize releases as non-LERF contributors based on release magnitude or timing. NUREG/CR-6595, App. A [Note (1)] provides an acceptable definition of LERF source terms.

SR LE-C2a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE realistic treatment of feasible operator actions following the onset of No risk significant additional human actions after core damage Doc.

core damage consistent with applicable procedures, e.g., EOPs/SAMGs, occurs are included in the level 2.

proceduralized actions, or Technical Support Center guidance. Model SR LE-C2b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW significant accident progression sequences resulting in a large early No repair after core damage was postulated. Meets Cat III. Doc.

release to determine if repair of equipment can be credited. JUSTIFY credit given for repair (i.e., ensure that plant conditions do not preclude repair and Model actuarial data exists from which to estimate the repair failure probability [see SY-A22, DA-C14 and DA-D8]). AC power recovery based on generic data applicable to the plant is acceptable.

Thursday, September 21, 2006 Page A-60 of A-106 A-61

Appendix A - Callaway PRA Gap Analysis SR LE-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE model logic necessary to provide a realistic estimation of the Done Doc.

significant accident progression sequences resulting in a large early release.

INCLUDE mitigating actions by operating staff, effect of fission product Model scrubbing on radionuclide release, and expected beneficial failures in significant accident progression sequences. PROVIDE technical justification (by plant-specific or applicable generic calculations demonstrating the feasibility of the actions, scrubbing mechanisms, or beneficial failures) supporting the inclusion of any of these features SR LE-C4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE appropriate realistic generic or plant-specific analyses for system success All done with plant specific MAAP. See SC-B1 and SC-B4 Doc.

criteria for the significant accident progression sequences. USE conservative or a combination of conservative and realistic system success criteria for non-risk Model significant accident progression sequences SR LE-C5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP system models that support the accident progression analysis Done Doc.

consistent with the applicable requirements for para. 4.5.4, as appropriate for the level of detail of the analysis. Model SR LE-C6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In crediting HFEs that support the accident progression analysis, USE the No post CD HFEs Doc.

applicable requirements of para. 4.5.5 as appropriate for the level of detail of the analysis. Model Thursday, September 21, 2006 Page A-61 of A-106 A-62

Appendix A - Callaway PRA Gap Analysis SR LE-C7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE accident sequence dependencies in the accident progression Done, because they used the same fault trees. Doc.

sequences consistent with the applicable requirements of para. 4.5.2, as appropriate for the level of detail of the analysis. Model SR LE-C8a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No JUSTIFY any credit given for equipment survivability or human actions under No credit for post core damage equipment operation. Doc.

adverse environments.

Model SR LE-C8b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW significant accident progression sequences resulting in a large early Do not credit Doc.

release to determine if engineering analyses can support continued equipment operation or operator actions during accident progression that could reduce Model LERF. USE conservative or a combination of conservative and realistic treatment for non-significant accident progression sequences.

SR LE-C9a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No JUSTIFY any credit given for equipment survivability or human actions that Containment failure is so rare in Level 2, that no credit is Doc.

could be impacted by containment failure. needed. Containment failure equals release. All CD sequences occur prior to CF. Model Thursday, September 21, 2006 Page A-62 of A-106 A-63

Appendix A - Callaway PRA Gap Analysis SR LE-C9b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW significant accident progression sequences resulting in a large early There are none. LERF dominated by CF, ISLOCA and SGTR, Doc.

release to for which there are no mitigating actions.

determine if engineering analyses can support continued equipment operation or Model operator actions after containment failure that could reduce LERF.

USE conservative or a combination of conservative and realistic treatment for non-significant accident progression sequences.

SR LE-C10 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM a containment bypass analysis in a realistic manner. JUSTIFY any No credit for scrubbing Doc.

credit taken for scrubbing (i.e., provide an engineering basis for the decontamination factor used). Model SR LE-D1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DETERMINE the containment ultimate capacity for the containment challenges Done. Containment fails at 135 psig at 400F. Doc.

that result in a large early release. PERFORM a realistic containment capacity analysis for the significant containment challenges. USE a conservative or a Model combination of conservative and realistic evaluation of containment capacity for non-significant containment challenges. If generic calculations are used in support of the assessment, JUSTIFY applicability to the plant being evaluated.

Analyses may consider use of similar containment designs or estimating containment capacity based on design pressure and a realistic multiplier relating containment design pressure and median ultimate failure pressure. Quasi-static containment capability evaluations are acceptable unless hydrogen concentrations are expected to result in potential detonations. Such considerations need to be included for small volume containments such as the ice-condenser type.

Thursday, September 21, 2006 Page A-63 of A-106 A-64

Appendix A - Callaway PRA Gap Analysis SR LE-D1b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No EVALUATE the impact of accident progression conditions on containment Done in evaluation Doc.

seals, penetrations, hatches, drywell heads (BWRs), and vent pipe bellows.

INCLUDE these impacts as potential containment challenges, as required. If Model generic analyses are used in support of the assessment, JUSTIFY applicability to the plant being evaluated.

SR LE-D2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When containment failure location [Note (2)] affects the event classification of Doesnt make a difference Doc.

the accident progression as a large early release, DEFINE failure location based on a realistic Containment assessment which accounts for plant-specific Model features. If generic analyses are used in support of the assessment, JUSTIFY applicability to the plant being evaluated.

SR LE-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM a realistic interfacing system failure probability analysis for the done Doc.

significant accident progression sequences resulting in a large early release.

USE a conservative or a combination of conservative and realistic evaluation of Model interfacing system failure probability for non-significant accident progression sequences Resulting in a large early release. INCLUDE behavior of piping relief valves, pump seals, and heat exchangers at applicable temperature and pressure conditions.

Thursday, September 21, 2006 Page A-64 of A-106 A-65

Appendix A - Callaway PRA Gap Analysis SR LE-D4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM a realistic secondary side isolation capability analysis for the Meets category I. Little benefit expected from additional Doc. LE-3 significant accident progression sequences caused by SG tube failure resulting analysis at significant cost.

in a large early release. USE a conservative or a combination of conservative Model and realistic evaluation of secondary side isolation capability for non-significant accident progression sequences resulting in a large early release. JUSTIFY applicability to the plant being evaluated. Analyses may consider realistic comparison with similar isolation capability in similar containment designs.

SR LE-D5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM an analysis of thermally-induced SG tube rupture that includes Meets category I. Little benefit expected from additional Doc. LE-3 plant-specific procedures and design features and conditions that could impact analysis at significant cost.

tube failure An acceptable approach is one that arrives at a plant-specific split Model fractions by selecting the SG tube conditional failure probabilities based on NUREG -1570 [Note (3)] or similar evaluation for induced SG failure of a similarly designed SGs and loop piping.

SELECT failure probabilities based on (a) RCS and SG post-accident conditions to sufficient to describe the important risk outcomes, (b) secondary side conditions including plant-specific treatment of MSSV and ADV failures.

JUSTIFY key assumptions and selection of key inputs. An acceptable justification can be obtained by the extrapolation of the information in NUREG-1570 to obtain plant-specific models, use of reasonably bounding assumptions, or performance of sensitivity studies indicating low sensitivity to changes in the range in question.

Thursday, September 21, 2006 Page A-65 of A-106 A-66

Appendix A - Callaway PRA Gap Analysis SR LE-D6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM containment isolation analysis in a realistic manner for the Containment isolation failure only occurs in bypass sequences. Doc. LE-1 significant accident progression sequences resulting in a large early release. Failures of CI system are not included. Probability of USE conservative or a combination of conservative or realistic treatment for the containment isolation failure leading to LERF does not contain a Model non-significant accident progression sequences resulting in a large early term to represent undetected, residual failures in containment release. INCLUDE consideration of both the failure of containment isolation structural integrity. This has been estimated at 5E-3 in systems to perform properly and the status of safety systems that do not have NUREG/CR-4550. Failure of containment isolation is derived automatic isolation provisions. by fault tree analysis of the containment isolation combinations on the penetration paths. There are three LERF split fractions with probabilities of 7.7E-4. If the 5E-3 was added to this, the split fraction would change, although LERF would not move significantly.

SR LE-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SELECT parameter values for equipment and operator response in the accident Same as level 1 Doc.

progression analysis consistent with the applicable requirements of paras. 4.5.5 and 4.5.6 including consideration of the severe accident plant conditions, as Model appropriate for the level of detail of the analysis.

SR LE-E2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE realistic parameter estimates to characterize accident progression Done Doc.

phenomena for significant accident progression sequences resulting in a large early release. USE conservative or a combination of conservative and realistic Model estimates for non-significant accident progression sequences resulting in a large early release.

Thursday, September 21, 2006 Page A-66 of A-106 A-67

Appendix A - Callaway PRA Gap Analysis SR LE-E3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE as LERF contributors potential large early release (LER) sequences Done Doc.

identified from the results of the accident progression analysis of LE-C except those LER sequences justified as non-LERF contributors in LE-C1. Model SR LE-E4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No QUANTIFY LERF consistent with the applicable requirements of Tables 4.5.8- Done Doc.

2(a), 4.5.8-2(b), and 4.5.8-2(c).

NOTE: The supporting requirements in these tables are written in CDF Model language. Under this requirement, the applicable quantification requirements in Table 4.5.8-2 should be interpreted based on the approach taken for the LERF model. For example, supporting requirement QU-A2 addresses the calculation of point estimate/mean CDF. Under this requirement, the application of QU-A2 would apply to the quantification of point estimate/mean LERF.

SR LE-F1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM a quantitative evaluation of the relative contribution to LERF from Done Doc.

plant damage states and significant LERF contributors from Table 4.5.9-3.

Model SR LE-F1b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW contributors for reasonableness (e.g., to assure excessive Done Doc.

conservatisms have not skewed the results, level of plant-specificity is appropriate for significant contributors, etc.). Model Thursday, September 21, 2006 Page A-67 of A-106 A-68

Appendix A - Callaway PRA Gap Analysis SR LE-F2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PROVIDE uncertainty analysis that identifies the key sources of uncertainty and Not done. The Level 2 analysis does not include uncertainty Doc. LE-2 includes sensitivity studies for the significant contributors to LERF. analysis nor are there sensitivity studies identified to examine the significant contributors to LERF. As a minimum, the Model uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

SR LE-F3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY contributors to LERF and characterize LERF uncertainties Done Doc.

consistent with the applicable requirements of Tables 4.5.8-2(d) and 4.5.8-2(e).

NOTE: The supporting requirements in these tables are written in CDF Model language. Under this requirement, the applicable requirements of Table 4.5.8 should be interpreted based on LERF, including characterizing key modeling uncertainties associated with the applicable contributors from Table 4.5.9-3.

For example, supporting requirement QU-D5 addresses the significant contributors to CDF. Under this requirement, the contributors would be identified based on their contribution to LERF.

SR LE-G1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the LERF analysis in a manner that facilitates PRA applications, Done Doc.

upgrades, and peer review.

Model Thursday, September 21, 2006 Page A-68 of A-106 A-69

Appendix A - Callaway PRA Gap Analysis SR LE-G2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the process used to identify plant damage states and accident Done Doc.

progression contributors, define accident progression sequences, evaluate accident progression analyses of containment capability, and quantify and Model review the LERF results. For example, this documentation typically includes:

(a) the plant damage states and their attributes, as used in the analysis (b) the method used to bin the accident sequences into plant damage states (c) the containment failure modes, phenomena, equipment failures and human actions considered in the development of the accident progression sequences and the justification for their inclusion or exclusion from the accident progression analysis (d) the treatment of factors influencing containment challenges and containment capability, as appropriate for the level of detail of the analysis (e) the basis for the containment capacity analysis including the identification of containment failure location(s), if applicable (f) the accident progression analysis sequences considered in the containment event trees (g) the basis for parameter estimates (h) the model integration process including the results of the quantification including uncertainty and sensitivity analyses, as appropriate for the level of detail of the analysis.

SR LE-G3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the relative contribution of contributors (i.e., plant damage states, Done Doc.

accident progression sequences, phenomena, containment challenges, containment failure modes) to LERF. Model Thursday, September 21, 2006 Page A-69 of A-106 A-70

Appendix A - Callaway PRA Gap Analysis SR LE-G4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT key assumptions and key sources of uncertainty associated with Not done. The Level 2 analysis does not include uncertainty Doc. LE-2 the LERF analysis, including results and important insights from sensitivity analysis nor are there sensitivity studies identified to examine studies. the significant contributors to LERF. As a minimum, the Model uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

SR LE-G5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY limitations in the LERF analysis that would impact applications. Done Doc.

Model SR LE-G6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the quantitative definition used for significant accident Done Doc.

progression sequence. If other than the definition used in Section 2, JUSTIFY the alternative. Model Thursday, September 21, 2006 Page A-70 of A-106 A-71

Appendix A - Callaway PRA Gap Analysis High Level Requirement MU SR MU-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall include monitoring of changes in This requirement is met. APA-ZZ-00312. Doc.

design, operation, and maintenance that could affect the PRA. Such changes shall include operating procedures, design configuration, initiating event Model frequencies, unavailabilities, and component failure rate data.

SR MU-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall include monitoring of changes in This requirement is met. APA-ZZ-00312. Doc.

PRA technology and industry experience that could change the results of the PRA. Model SR MU-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Changes in PRA inputs or new information (as obtained per MU-A1 and MU- This requirement is met. APA-ZZ-00312. Doc.

A2) shall be assessed and incorporated as appropriate in PRA maintenance activities (i.e., PRA update) or a PRA Upgrade. Model SR MU-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Changes that would impact risk-informed decisions should be prioritized to This requirement is met. APA-ZZ-00312. Doc.

ensure that the most significant changes are incorporated as soon as possible.

Model Thursday, September 21, 2006 Page A-71 of A-106 A-72

Appendix A - Callaway PRA Gap Analysis SR MU-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PRA changes shall be performed consistent with the previously defined This requirement is not met. There is no direction in APA-ZZ- Doc. MU-1 Supporting Requirements. 00312 to follow the industry guidance, nor is there a reference to the industry standards. The procedure was written prior to Model the issuance of the standards and should be revised to incorporate the standards.

SR MU-B4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PRA Upgrades shall receive a peer review (in accordance with the requirements This requirement is not met. There is no direction in APA-ZZ- Doc. MU-2 specified in Section 6 of the ASME PRA Standard) for those aspects of the PRA 00312 to perform a peer review following an upgrade.

that have been upgraded. Refer to Section 2 of the ASME PRA Standard for the Model distinction of a PRA Upgrade versus PRA maintenance and update.

SR MU-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall consider the cumulative impact of This requirement is met. APA-ZZ-00312. Doc.

pending changes in the performance of risk applications.

Model SR MU-D1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall include evaluation of the impact of This requirement is met. APA-ZZ-00312. Doc.

changes on previously implemented risk-informed decisions that have used the PRA AND that affect the safe operation of the plant. Model Thursday, September 21, 2006 Page A-72 of A-106 A-73

Appendix A - Callaway PRA Gap Analysis SR MU-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall include a process for maintaining This requirement is met. APA-ZZ-00312. Doc.

control of computer codes used to support PRA quantification.

Model SR MU-F1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No The PRA configuration control process shall be documented. Documentation This requirement is met. APA-ZZ-00312. Doc.

typically includes:

Description of the process used to monitor PRA inputs and collect new Model information Evidence that the aforementioned process is active Descriptions of proposed changes Descriptions of changes in PRA due to each Update or Upgrade Record of the performance and result of the appropriate PRA reviews Record of the process and results used to address the cumulative impact of pending changes Record of the process and results used to evaluate changes on previously implemented risk-informed decisions (pursuant to MU-D1)

Description of the process used to maintain software configuration control Thursday, September 21, 2006 Page A-73 of A-106 A-74

Appendix A - Callaway PRA Gap Analysis High Level Requirement QU SR QU-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INTEGRATE the accident sequence delineation, system models, data, and HRA The Callaway PRA integrates all of the mentioned items and Doc.

in the quantification process for each initiating event group, accounting for therefore SR QU-A1 is met system dependencies, to arrive at accident sequence frequencies. Model SR QU-A2a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PROVIDE estimates of the individual sequences in a manner consistent with the The Callaway PRA provides this capability, however several Doc. AS-1, AS-3, AS-5, AS-7 estimation of total CDF to identify significant accident sequences/cutsets and examples were identified which identified logic errors. Since confirm the logic is appropriately reflected. The estimates may be the process is acceptable, SR QU-A2a is met. Model accomplished by using either fault tree linking or event trees with conditional split fractions.

SR QU-A2b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTIMATE the mean CDF from internal events, accounting for the "state-of- The current quantification does not include an uncertainty Doc. QU-1 knowledge" correlation between event probabilities when significant (see NOTE calculation to account for the "state-of-knowledge" correlation (1)). between event probabilities. The structure exists to perform this Model correlation within WinNUPRA but at the current time it has not been done.

SR QU-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SELECT a method that is capable of discriminating the contributors to the CDF The method used to quantify the Callaway PRA provides the Doc.

commensurate with the level of detail in the model. required capability.

Model Thursday, September 21, 2006 Page A-74 of A-106 A-75

Appendix A - Callaway PRA Gap Analysis SR QU-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE recovery actions in the quantification process in applicable Recovery actions are included in the models as appropriate and Doc.

sequences and cut sets. [see HR-H1, HR-H2, and HR-H3)] SR QU-A4 is met.

Model SR QU-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM quantification using computer codes that have been demonstrated to WinNUPRA is an acceptable code. This meets SR QU-B1. Doc.

generate appropriate results when compared to those from accepted algorithms.

IDENTIFY method-specific limitations and features that could impact the Model results.

SR QU-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No TRUNCATE accident sequences and associated system models at a sufficiently The truncation is currently performed at 4E-12 which is seven Doc.

low cutoff value that dependencies associated with significant cutsets or orders of magnitude below the TCDF and is sufficient to ensure accident sequences are not eliminated. all significant terms are retained. This meets SR QU-B2. Model NOTE: Truncation should be carefully assessed in cases where cutsets are merged to create a solution (e.g., where system level cutsets are merged to create sequence level cutsets)

SR QU-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTABLISH truncation limits by an iterative process of demonstrating that the The latest quantification demonstrated convergence at a Doc.

overall model results converge and that no significant accident sequences are truncation level of 1E-10. This meets SR QU-B3.

inadvertently eliminated. Model For example, convergence can be considered sufficient when successive reductions in truncation value of one decade result in decreasing changes in CDF or LERF, and the final change is less than 5%

Thursday, September 21, 2006 Page A-75 of A-106 A-76

Appendix A - Callaway PRA Gap Analysis SR QU-B4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Where cutsets are the means used in quantification, USE the minimal cutset The rare event approximation is used. In general, all basic event Doc.

upper bound or an exact solution. The rare event approximation may be used probabilities are less than 0.1.

when basic event probabilities are below 0.1. Model SR QU-B5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Fault tree linking and some other modeling approaches may result in circular The logic loops have been broken correctly. This meets SR QU- Doc.

logic that must be broken before the model is solved. BREAK the circular logic B5.

appropriately. Guidance for breaking logic loops is provided in NUREG/CR- Model 2728 [Note (1)]. When resolving circular logic, AVOID introducing unnecessary conservatisms or non-conservatisms SR QU-B6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ACCOUNT for system successes in addition to system failures in the evaluation WinNUPRA accounts for successes by a combination of Doc.

of accident sequences to the extent needed for realistic estimation of CDF. This numerical correction when the failure branch exceeds a accounting may be accomplished by using numerical quantification of success predefined value and a delete term approximation. This meets Model probability, complementary logic, or a delete term approximation and includes SR QU-B6.

the treatment of transfers among event trees where the successes may not be transferred between event trees.

SR QU-B7a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY cutsets (or sequences) containing mutually exclusive events in the Mutually exclusive cutsets are identified during the system Doc.

results. modeling task and set up in the DAM (Disallowed Maintenance) fault tree to be automatically deleted from the Model results during the quantification. This meets SR QU-B7a.

Thursday, September 21, 2006 Page A-76 of A-106 A-77

Appendix A - Callaway PRA Gap Analysis SR QU-B7b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CORRECT cutsets containing mutually exclusive events by either: Mutually exclusive cutsets are identified during the system Doc.

(a) developing logic to eliminate mutually exclusive situations, or modeling task and set up in the DAM (Disallowed (b) deleting cutsets containing mutually exclusive events. Maintenance) fault tree to be automatically deleted from the Model results during the quantification. This meets SR QU-B7b.

SR QU-B8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When using logic flags, SET logic flag events to either TRUE or FALSE The Callaway PRA is quantified with house events (logic flags) Doc.

(instead of setting the event probabilities to 1.0 or 0.0), as appropriate for each set to logical TRUE or FALSE values. The settings are defined accident sequence, prior to the generation of cutsets. in Tables in the documentation and in data sets for each Model sequence and applied during the batch process. This meets SR QU-B6.

SR QU-B9 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No If modules, subtrees, or split fractions are used to facilitate the quantification, The Callaway PRA does not use modules, subtrees, or split Doc. QU-2 USE a process that allows fractions, with one exception. That exception is in the SSIE (a) identification of shared events events. These "modules" provide a place that some Model (b) correct formation of modules that are truly independent dependencies can be overlooked. While the Ameren staff have (c) results interpretation based on individual events within modules (e.g., risk made the effort to account for these hidden dependencies, significance) enough inconsistencies were identified that SR QU-B9 is not considered to be met. Linking of the SSIE fault trees to the event trees provides more assurance of the correct treatment and should be considered. EPRI is currently developing a procedure to guide the treatment of support system initiating events which should be issued in the near future.

Thursday, September 21, 2006 Page A-77 of A-106 A-78

Appendix A - Callaway PRA Gap Analysis SR QU-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY cutsets with multiple HFEs that potentially impact significant The latest HRA update ZZ-278 Rev0, Add. 1, evaluated Doc.

accident sequences/cutsets by requantifying the PRA model with HEP values set dependent HEPs and replaced multiple dependent HEPs with a to values that are sufficiently high that the cutsets are not truncated. The final single event appropriately in the FTs. SR QU-C1 is met. Model quantification of these post-initiator HFEs may be done at the cutset level or saved sequence level.

SR QU-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ASSESS the degree of dependency between the HFEs in the cutset or sequence The latest HRA update ZZ-278 Rev0, Add. 1, evaluated Doc.

in accordance with HR-D5 and HR-G7. dependent HEPs and replaced multiple dependent HEPs with a single event appropriately in the FTs. SR QU-C2 is met. Model SR QU-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When linking event trees, TRANSFER the sequence characteristics (e.g., failed Some instances of incorrect transfer of sequence characteristics Doc. QU-3 equipment, flag settings) that impact the logic or quantification of the were identified based on cutset reviews. The process is subsequent accident development, as well as the sequence frequency. For generally set up correctly but the overall process would benefit Model example, sequence characteristics can be transferred to another event tree by from revising the quantification process to account for the using the appropriate cutsets. additional software capability currently available.

SR QU-D1a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW a sample of the significant accident sequences/cutsets sufficient to Some instances of incorrect logic were identified based on Doc. QU-3, QU-4 determine that the logic of the cutset or sequence is correct. cutset reviews. The process is generally set up correctly but the overall process would benefit from revising the quantification Model process to account for the additional software capability currently available.

Thursday, September 21, 2006 Page A-78 of A-106 A-79

Appendix A - Callaway PRA Gap Analysis SR QU-D1b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW the results of the PRA for modeling consistency (e.g., event sequence Some instances of incorrect results were identified based on Doc. QU-3 models consistency with systems models and success criteria) and operational cutset reviews. The process is generally set up correctly but the consistency (e.g., plant configuration, procedures, and plant-specific and overall process would benefit from revising the quantification Model industry experience). process to account for the additional software capability currently available.

SR QU-D1c Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW results to determine that the flag event settings, mutually exclusive Some instances of incorrect house event settings were identified Doc. QU-3 event rules, and recovery rules yield logical results. based on cutset reviews. The process is generally set up correctly but the overall process would benefit from revising the Model quantification process to account for the additional software capability currently available.

SR QU-D3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COMPARE results to those from similar plants and IDENTIFY causes for Comparisons have been made between Callaway and its sister Doc.

significant differences. For example: Why is LOCA a large contributor for one plant Wolf Creek and differences were identified and plant and not another? explained. SR QU-D3 is met. Model SR QU-D4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW a sampling of non-significant accident cutsets or sequences to There was no documentation of a review of non-significant Doc. QU-5 determine they are reasonable and have physical meaning. accident sequences or cutsets to determine their reasonableness. This review is necessary to meet SR QU-D4. Model Thursday, September 21, 2006 Page A-79 of A-106 A-80

Appendix A - Callaway PRA Gap Analysis SR QU-D5a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY significant contributors to CDF, such as initiating events, accident The Callaway PRA has undergone extensive looks at importance Doc.

sequences, equipment failures, common cause failures, and operator errors. of contributors to the plant CDF as a part of MSPI. SR QU-D5a INCLUDE SSCs and operator actions that contribute to initiating event is met. Model frequencies and event mitigation.

SR QU-D5b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW the importance of components and basic events to determine that they The Callaway PRA has undergone extensive looks at importance Doc.

make logical sense. of contributors to the plant CDF as a part of MSPI. SR QU-D5b is met. Model SR QU-E1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY key sources of model uncertainty. Key sources of model uncertainty were identified during the IPE Doc. QU-6 but they are scattered throughout the calculation packages which serve as the documentation. There is no indication that Model the results have ever been revisited since that time even though the model has underwent changes. Gathering the information in one place would be very beneficial to the long term maintainability of the analysis.

Thursday, September 21, 2006 Page A-80 of A-106 A-81

Appendix A - Callaway PRA Gap Analysis SR QU-E2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY key assumptions made in the development of the PRA model. Key assumptions were identified during the IPE but they are Doc. QU-6 scattered throughout the calculation packages which serve as the documentation. There is no indication that the results have ever Model been revisited since that time even though the model has underwent changes. Gathering the information in one place would be very beneficial to the long term maintainability of the analysis.

SR QU-E3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTIMATE the uncertainty interval of the overall CDF results. ESTIMATE the The current quantification does not include an uncertainty Doc. QU-1 uncertainty intervals associated with parameter uncertainties (DA-D3, HR-D6, calculation to account for the state-of-knowledge correlation HR-G9, IE-C13), taking into account the state-of-knowledge correlation. between event probabilities. The structure exists to perform this Model correlation within WinNUPRA but at the current time it has not been done. SR QU-E3 is not met.

SR QU-E4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No EVALUATE the sensitivity of the results to key model uncertainties and key Key sources of model uncertainty and key assumptions were Doc. QU-7 assumptions using sensitivity analyses. [Note 1] evaluated during the IPE with sensitivity analyses and those cases are requantified during each update to the model Model quantification but there is no documentation to show that the basis for the sensitivity studies has ever been revisited since that time even though the model has underwent changes. The sensitivity studies should be reexamined to make sure they cover the major sources of modeling uncertainty in the current model.

Thursday, September 21, 2006 Page A-81 of A-106 A-82

Appendix A - Callaway PRA Gap Analysis SR QU-F1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the model quantification in a manner that facilitates PRA The documentation of the model quantification accurately Doc. QU-8 applications, upgrades, and peer review. documents what was performed during the quantification process, however the manual integration required for several Model stand-alone pieces of the analysis is not well documented. The recommended changes to the quantification process to integrate the entire internal events (including internal flooding) would serve to facilitate the use of the quantification process for PRA applications, upgrades, and peer review.

Thursday, September 21, 2006 Page A-82 of A-106 A-83

Appendix A - Callaway PRA Gap Analysis SR QU-F2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the model integration process including any recovery analysis, In general the model integration process is adequately Doc. QU-9 and the results of the quantification including uncertainty and sensitivity documented, however several of the areas do not meet the analyses. For example, documentation typically includes: requirements. Items b, f, g, and i are not addressed in the Model (a) records of the process/results when adding non-recovery terms as part of the documentation. These items need to be addressed to meet SR final quantification QU-F2.

(b) records of the cutset review process (c) a general description of the quantification process including accounting for systems successes, the truncation values used, how recovery and post-initiator HFEs are applied (d) the process and results for establishing the truncation screening values for final quantification demonstrating that convergence towards a stable result was achieved (e) the total plant CDF and contributions from the different initiating events and accident classes (f) the accident sequences and their contributing cutsets (g) equipment or human actions that are the key factors in causing the accidents to be non-dominant (h) the results of all sensitivity studies (i) the uncertainty distribution for the total CDF (j) importance measure results (k) a list of mutually exclusive events eliminated from the resulting cutsets and their bases for elimination (l) asymmetries in quantitative modeling to provide application users the necessary understanding regarding why such asymmetries are present in the model (m) the process used to illustrate the computer code(s) used to perform the quantification will yield correct results process SR QU-F3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the significant contributors (such as initiating events, accident The significant contributors are documented as required, but the Doc.

sequences, basic events) to CDF in the PRA results summary. PROVIDE a definition of significant used by Ameren differs from the ASME detailed description of significant accident sequences or functional failure standard as previously noted. The documentation meets SR QU- Model groups. F3.

Thursday, September 21, 2006 Page A-83 of A-106 A-84

Appendix A - Callaway PRA Gap Analysis SR QU-F4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT key assumptions and key sources of uncertainty, such as: Key assumptions and key sources of uncertainty which Doc. QU-10 possible optimistic or conservative success criteria, suitability of the reliability influence the current quantification are not addressed in a data, possible modeling uncertainties (modeling limitations due to the method coherent manner in the documentation. Model selected), degree of completeness in the selection of initiating events, possible spatial dependencies, etc.

SR QU-F5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT limitations in the quantification process that would impact No documentation of limitations was identified. Doc. QU-12 applications.

Model SR QU-F6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the quantitative definition used for significant basic event, The quantitative definition used for significant cutset and Doc. QU-11 significant cutset, significant accident sequence. If other than the definition significant accident sequence are documented and vary from the used in Section 2, JUSTIFY the alternative. ASME definition. The ASME definitions need to be applied or Model the Ameren definition needs to be justified.

Significant sequence:

ASME - aggregate 95% of total, individual sequence >1%

Ameren - aggregate 88% of total, individual sequence >1%

Significant cutset:

ASME - aggregate 95% of total, individual cutset >1%

Ameren - cutsets >1E-6 Thursday, September 21, 2006 Page A-84 of A-106 A-85

Appendix A - Callaway PRA Gap Analysis High Level Requirement SC SR SC-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE the definition of core damage provided in Section 2 of this Standard. If Calc - ZZ-275 Doc.

core damage has been defined differently than in Section 2: 2200F core peak node temp.

(a) IDENTIFY any substantial differences from the Section 2 definition Model (b) PROVIDE the bases for the selected definition SR SC-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SPECIFY the plant parameters (e.g., highest node temperature, core collapsed 2200F core peak node temp. Doc.

liquid level) and associated acceptance criteria (e.g., temperature limit) to be used in determining core damage. SELECT these parameters such that the Model determination of core damage is as realistic as practical, consistent with current best practice. DEFINE computer code-predicted acceptance criteria with sufficient margin on the code-calculated values to allow for limitations of the code, sophistication of the models, and uncertainties in the results, consistent with requirements specified under HLR-SC-B.

Examples of measures for core damage suitable for Capability Category II / III, that have been used in PRAs, include:

(a) Collapsed liquid level less than 1/3 core height or code-predicted peak core temperature >2,500°F (BWR)

(b) Collapsed liquid level below top of active fuel for a prolonged period, or code-predicted core peak node temperature >2,200°F using a code with detailed core modeling; or code-predicted core peak node temperature >1,800°F using a code with simplified (e.g., single-node core model, lumped parameter) core modeling; or code-predicted core exit temperature >1,200°F for 30 min using a code with simplified core modeling (PWR)

Thursday, September 21, 2006 Page A-85 of A-106 A-86

Appendix A - Callaway PRA Gap Analysis SR SC-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SPECIFY success criteria for each of the key safety functions identified per SR Done Doc.

AS-A2 for each modeled initiating event, [Note 2]

Model SR SC-A5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No SPECIFY an appropriate mission time for the modeled accident sequences. 24 hr for all, except where noted for SBO. Doc.

For sequences in which stable plant conditions have been achieved, USE a minimum mission time of 24 hr. Mission times for individual SSCs that Model function during the accident sequence may be less than 24 hr, as long as an appropriate set of SSCs and operator actions are modeled to support the full sequence mission time.

For example, if following a LOCA, low pressure injection is available for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , after which recirculation is required, the mission time for LPSI may be 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and the mission time for recirculation may be 23 hours2.662037e-4 days 0.00639 hours 3.80291e-5 weeks 8.7515e-6 months .

For sequences in which stable plant conditions would not be achieved by 24 hr using the modeled plant equipment and human actions, PERFORM additional evaluation or modeling by using an appropriate technique. Examples of appropriate techniques include:

(a) assigning an appropriate plant damage state for the sequence; (b) extending the mission time, and adjusting the affected analyses, to the point at which conditions can be shown to reach acceptable values; or (c) modeling additional system recovery or operator actions for the sequence, in accordance with requirements stated in the Systems Analysis and Human Reliability sections of this Standard, to demonstrate that a successful outcome is achieved.

SR SC-A6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CONFIRM that the bases for the success criteria are consistent with the Done Doc.

features, procedures, and operating philosophy of the plant.

Model Thursday, September 21, 2006 Page A-86 of A-106 A-87

Appendix A - Callaway PRA Gap Analysis SR SC-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE appropriate realistic generic analyses/evaluations that are applicable to the Plant specific MAAP analysis was used for all Success Criteria Doc. SC-B1 plant for thermal/hydraulic, structural, and other supporting engineering bases in 1992. The SC re-analysis is being updated with MAAP 4 in support of success criteria requiring detailed computer modeling. Realistic currently (Indeterminate schedule). This resolution in Model models or analyses may be supplemented with plant-specific/generic FSAR or Addendum B may be a way of saying NRC does not trust other conservative analysis applicable to the plant, but only if such MAAP 3. If such is the case, Callaway should update with supplemental analyses do not affect the determination of which combinations of MAAP 4 as a priority.

systems and trains of systems are required to respond to an initiating event.

SR SC-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT USE expert judgment except in those situations in which there is lack Found no instance of expert judgement being used in place of Doc.

of available information regarding the condition or thermal hydraulic analysis.

response of a modeled SSC, or a lack of analytical methods upon which to base Model a prediction of SSC condition or response. USE the requirements in para. 4.3 when implementing an expert judgment process.

SR SC-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When defining success criteria, USE thermal/hydraulic, structural, or other Done Doc.

analyses/evaluations appropriate to the event being analyzed, and accounting for a level of detail consistent with the initiating event grouping (HLR-IE-B) and Model accident sequence modeling (HLR-AS-A and HLR-AS-B).

Thursday, September 21, 2006 Page A-87 of A-106 A-88

Appendix A - Callaway PRA Gap Analysis SR SC-B4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No USE analysis models and computer codes that have sufficient capability to MAAP 3 used. The SC re-analysis is being updated with Doc.

model the conditions of interest in the determination of success criteria for MAAP 4 currently whose completion should be a priority before CDF, and that provide results representative of the plant. A qualitative application of the PRA. Model evaluation of a relevant application of codes, models, or analyses that has been used for a similar class of plant (e.g., Owners Group generic studies) may be used. USE computer codes and models only within known limits of applicability.

SR SC-B5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No CHECK the reasonableness and acceptability of the results of the There was no documentation found which provides a Doc. SC-2 thermal/hydraulic, structural, or other supporting engineering bases used to comparison of the plant-specific analysis with that of different support the success criteria. plants or with other computer code calculations Model Examples of methods to achieve this include:

(a) comparison with results of the same analyses performed for similar plants, accounting for differences in unique plant features (b) comparison with results of similar analyses performed with other plant-specific codes (c) check by other means appropriate to the particular analysis SR SC-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the success criteria in a manner that facilitates PRA applications, Success criteria are not documented in a single place. Each Doc. SC-1 upgrades, and peer review. system notebook has the SC for that application. Current system of documentation does not provide easy comparison of T/H use Model for consistency. The ASME criteria expects to see a single place for SC documentation and a coordinated effort to compare and show that all SC are consistently derived from the same set of consistent T/H runs.

Thursday, September 21, 2006 Page A-88 of A-106 A-89

Appendix A - Callaway PRA Gap Analysis SR SC-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the processes used to develop overall PRA success criteria and As identified for SR SC-C1, the documentation is spread out, Doc. SC-1 the supporting engineering bases, including the inputs, methods, and results. and while it appears that all of the information is provided, the For example, this documentation typically includes: quality, useability and reviewability of the PRA would be Model (a) the definition of core damage used in the PRA including the bases for any greatly enhanced by pulling the disparate pieces into a single selected parameter value used in the definition (e.g., peak cladding temperature document.

or reactor vessel level)

(b) calculations (generic and plant-specific) or other references used to establish success criteria, and identification of cases for which they are used (c) identification of computer codes or other methods used to establish plant-specific success criteria (d) a description of the limitations (e.g., potential conservatisms or limitations that could challenge the applicability of computer models in certain cases) of the calculations or codes (e) the uses of expert judgment within the PRA, and rationale for such uses (f) a summary of success criteria for the available mitigating systems and human actions for each accident initiating group modeled in the PRA (g) the basis for establishing the time available for human actions (h) descriptions of processes used to define success criteria for grouped initiating events or accident sequences SR SC-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources uncertainty associated with Not done Doc. SC-1 the development of success criteria.

Model Thursday, September 21, 2006 Page A-89 of A-106 A-90

Appendix A - Callaway PRA Gap Analysis High Level Requirement SY SR SY-A1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP system models for those systems needed to provide or support the There are fault tree system models associated with each function Doc.

safety functions contained in the accident sequence analyses. in the accident sequence analysis and therefore meet SR SY-A1.

Model SR SY-A2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No COLLECT pertinent information to ensure that the systems analysis The Callaway fault tree documentation packages contain a Doc.

appropriately reflects the as-built and as-operated systems. Examples of such detailed list of the items used to develop the fault tree. The information include system P&IDs, one-line diagrams, instrumentation and information meets SR SY-A2. Model control drawings, spatial layout drawings, system operating procedures, abnormal operating procedures, emergency procedures, success criteria calculations, the final or updated SAR, technical specifications, training information, system descriptions and related design documents, actual system operating experience, and interviews with system engineers and operators.

SR SY-A3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No REVIEW plant information sources to define or establish The Callaway fault tree documentation packages contain a Doc.

(a) system components and boundaries detailed list of the items used to develop the fault tree. The (b) dependencies on other systems information meets SR SY-A3. Model (c) instrumentation and control requirements (d) testing and maintenance requirements and practices (e) operating limitations such as those imposed by technical specifications (f) component operability and design limits (g) procedures for the operation of the system during normal and accident conditions (h) system configuration during normal and accident conditions Thursday, September 21, 2006 Page A-90 of A-106 A-91

Appendix A - Callaway PRA Gap Analysis SR SY-A4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM plant walkdowns and interviews with system engineers and plant Plant walkdowns as well as system engineer and plant Doc.

operators to confirm that the systems analysis correctly reflects the as-built, as- operations review of the basis for the fault tree models and operated plant. correct system operational assumptions were performed during Model the Callaway PRA and therefore SR SY-A4 is met.

SR SY-A5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE the effects of both normal and alternate system alignments, to the The Callaway PRA is based on the normal system alignments Doc.

extent needed for CDF and LERF determination. and no other alignments were identified which would result in a lower reliability. SR SY-A5 is met. During any revisions to the Model model, alternate alignments should be evaluated.

SR SY-A6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In defining the system model boundary [see SY-A3], INCLUDE within the The fault tree model boundaries including the support system Doc.

boundary the components required for system operation, and the components interfaces are adequately defined and meet SR SY-A6.

providing the interfaces with support systems required for actuation and Model operation of the system components.

Thursday, September 21, 2006 Page A-91 of A-106 A-92

Appendix A - Callaway PRA Gap Analysis SR SY-A7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP detailed systems models, unless (a) sufficient system-level data are Detailed system models are available for all but two systems. Doc. SY-1 available to quantify the system failure probability, or (b) system failure is For the Instrument Air System a single basic event is used and is dominated by operator actions, and omitting the model does not mask based on generic data. The Callaway plant is not highly Model contributions to the results of support systems or other dependent-failure modes. dependent upon IAS and the PRA loads on IAS also are For case (a), USE a single data value only for systems with no equipment or supplied with N2 backup which is modeled. The IAS is human-action dependencies, and if data exist that sufficiently represent the correctly failed for LOSP, but remains available in all other unreliability or unavailability of the system and account for plant-specific cases. The IAS is cooled by SW and would be unavailable after factors that could influence unreliability and unavailability. Examples of loss of all SW (T(SW)) and should be set to failed via a house systems that have sometimes not been modeled in detail include the scram event setting. The actuation system is modeled with a single system, the power-conversion system, instrument air, and the keep-fill systems. event for each of the redundancies which is set to fail for JUSTIFY the use of limited (i.e., reduced or single data value) modeling. scenarios in which the conditions are not present to generate the signal. The data associated with these single event failures need to be reviewed against current industry data and updated if necessary. The applicability of the data to the Callaway configuration also needs to be justified.

In addition, the scram system has not been modeled in detail but is evaluated in a similar manner to most PRAs. SR SY-A7 is not met due to the above noted correction and documentation issues.

SR SY-A8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTABLISH the boundaries of the components required for system operation. The component boundaries are defined and the prior plant Doc.

MATCH the definitions used to establish the component failure data. For specific data collection effort was based on those definitions.

example, a control circuit for a pump does not need to be included as a separate Future data collection needs to observe the same boundaries. Model basic event (or events) in the system model if the pump failure data used in Actuation components (limit, temperature switches) which quantifying the system model include control circuit failures. impact multiple components were modeled explicitly. SR SY-MODEL as separate basic events of the model, those sub-components (e.g., a A8 is met.

valve limit switch that is associated with a permissive signal for another component) that are shared by another component or affect another component, in order to account for the dependent failure mechanism.

Thursday, September 21, 2006 Page A-92 of A-106 A-93

Appendix A - Callaway PRA Gap Analysis SR SY-A11 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCORPORATE the effect of variable success criteria (i.e., success criteria that The Callaway PRA fault trees represent the appropriate success Doc.

change as a function of plant status) into the system modeling. Example causes criteria defined in the accident sequence analysis. Support of variable system success criteria are: function success criteria are based on either the design basis of Model (a) different accident scenarios. Different success criteria are required for some the system or on analysis which demonstrates acceptable systems to mitigate different accident scenarios (e.g., the number of pumps alternatives. The Callaway PRA meets SR SY-A11.

required to operate in some systems is dependent upon the modeled initiating event);

(b) dependence on other components. Success criteria for some systems are also dependent on the success of another component in the system (e.g.,

operation of additional pumps in some cooling water systems is required if non-critical loads are not isolated);

(c) time dependence. Success criteria for some systems are time- dependent (e.g., two pumps are required to provide the needed flow early following an accident initiator, but only one is required for mitigation later following the accident);

(d) sharing of a system between units when both units are challenged by the same initiating event (e.g., LOOP)

SR SY-A12 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE in the system model those failures of the equipment and components The fault tree models all components necessary to provide the Doc.

that would affect system operability (as identified in the system success required functions and therefore SR SY-A12 is met.

criteria), except when excluded using the criteria in SY-A14. This equipment Model includes both active components (e.g., pumps, valves, and air compressors) and passive components (e.g., piping, heat exchangers, and tanks) required for system operation.

SR SY-A12a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT INCLUDE in a system model component failures that would be The Callaway PRA does not credit component failures which Doc.

beneficial to system operation, unless omission would distort the results. would be beneficial, therefore SR SY-A12a is met.

Example of a beneficial failure: A failure of an instrument in such a fashion as Model to generate a required actuation signal.

Thursday, September 21, 2006 Page A-93 of A-106 A-94

Appendix A - Callaway PRA Gap Analysis SR SY-A12b Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE those failures that can cause flow diversion pathways that result in Flow diversion pathways of sufficient size to fail the function Doc.

failure to meet the system success criteria. are explicitly modeled therefore SR SY-A12b is met.

Model SR SY-A13 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When identifying the failures in SY-A12 INCLUDE consideration of all failure The Callaway PRA considered each of the example failure Doc.

modes, consistent with available data and model level of detail, except where modes in the fault tree development. Therefore SR SY-A13 is excluded using the criteria in SY-A14. met. Model For example:

(a) active component fails to start (b) active component fails to continue to run (c) failure of a closed component to open (d) failure of a closed component to remain closed (e) failure of an open component to close (f) failure of an open component to remain open (g) active component spurious operation (h) plugging of an active or passive component (i) leakage of an active or passive component (j) rupture of an active or passive component (k) internal leakage of a component (l) internal rupture of a component (m) failure to provide signal/operate (e.g., instrumentation)

(n) spurious signal/operation (o) pre-initiator human failure events (see SY-A15)

(p) other failures of a component to perform its required function Thursday, September 21, 2006 Page A-94 of A-106 A-95

Appendix A - Callaway PRA Gap Analysis SR SY-A14 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In meeting SY-A12 and SY-A13, contributors to system unavailability and Applicable failure modes were included for all components in Doc.

unreliability (i.e., components and specific failure modes) may be excluded the model. In most cases, although more than two orders of from the model if one of the following screening criteria is met: magnitude below other system failures, plugging of passive Model (a) A component may be excluded from the system model if the total failure valves were included if they were considered to be the only probability of the component failure modes resulting in the same effect on credible failure mode for a component (e.g., manual valve which system operation is at least two orders of magnitude lower than the highest is not required to change state). The fault tree documentation failure probability of the other components in the same system train that results identifies components which are not included in the model and in the same effect on system operation; although not explicitly stated, the exclusion is obviously based (b) One or more failure modes for a component may be excluded from the on the low magnitude of the possible failure mode and is systems model if the contribution of them to the total failure rate or probability covered under the general assumptions included in the IPE. SR is less than 1% of the total failure rate or probability for that component, when SY-A14 is therefore met.

their effects on system operation are the same.

SR SY-A15 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In the system model, INCLUDE HFEs that cause the system or component to be Pre-initiator human errors were included in the fault tree model Doc.

unavailable when demanded. These events are referred to as pre-initiator where considered to be credible and the probability of human events. (See also Human Reliability Analysis, para. 4.5.5.) occurrence was not inconsequential. SR SY-A15 is therefore Model met.

SR SY-A16 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In the system model, INCLUDE HFEs that are expected during the operation of Post-initiator human actions were included in the fault tree Doc.

the system or component or that are accounted for in the final quantification of model where determined to be appropriate. SR SY-A16 is accident sequences unless they are already included explicitly as events in the therefore met. Model accident sequence models . These HFEs are referred to as post-initiator human actions. [See also Human Reliability Analysis (para. 4.5.5) and Accident Sequence Analysis (para. 4.5.2)].

Thursday, September 21, 2006 Page A-95 of A-106 A-96

Appendix A - Callaway PRA Gap Analysis SR SY-A17 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE in either the system model or accident sequence modeling those The fault trees include conditions necessary for operation where Doc.

conditions that cause the system to isolate or trip, or those conditions that once appropriate. Protective trips, such as high temperature trips exceeded cause the system to fail, or SHOW that their exclusion does not were not modeled explicitly but if a trip was expected to occur Model impact the results. For example, conditions that isolate or trip a system include: on loss of a support function, then loss of that support function (a) system-related parameters such as a high temperature within the system was assumed to fail the component. SR SY-A17 is therefore (b) external parameters used to protect the system from other failures[e.g., the met.

high reactor pressure vessel (RPV) water level isolation signal used to prevent water intrusion into the turbines of the RCIC and HPCI pumps of a BWR]

(c) adverse environmental conditions (see SY-A20)

SR SY-A18 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No In the systems model, INCLUDE out-of-service unavailability for components Maintenance unavailability is included in the Callaway PRA on Doc.

in the system model, unless screened, consistent with the actual practices and the basis of existing practices. The application of these terms history of the plant for removing equipment from service. was done at the level necessary to reflect the effect on the ability Model INCLUDE: to provide the safety function. This may be in some cases the (a) unavailability caused by testing when a component or system train is train level, subtrain level or component level. Relief valves reconfigured from its required accident mitigating position such that the modeled as being required which are allowed to be taken out of component cannot function as required; service are addressed in the model. SR SY-A18 is therefore met.

(b) maintenance events at the train level when procedures require isolating the entire train for maintenance; (c) maintenance events at a sub-train level (i.e., between tagout boundaries, such as a functional equipment group) when directed by procedures.

Examples of out-of-service unavailability to be modeled:

(a) train outages during a work window for preventive/corrective maintenance; (b) a functional equipment group (FEG) removed from service for preventive/corrective maintenance; (c) a relief valve taken out of service.

Thursday, September 21, 2006 Page A-96 of A-106 A-97

Appendix A - Callaway PRA Gap Analysis SR SY-A18a Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE events representing the simultaneous unavailability of redundant As discussed for SR SY-A18a, maintenance failures were Doc.

equipment when this is a result of planned activity (see DA-C13). included for each portion of the system as applicable. Terms including maintenance combinations which violated tech specs Model were removed from the analysis. SR SY-A18a is therefore met.

SR SY-A19 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY system conditions that cause a loss of desired system function, e.g., The Callaway fault tree models consider environmental Doc.

excessive heat loads, excessive electrical loads, excessive humidity, etc. conditions which may fail components, typically due to failure of support systems. SR SY-A19 is met. Model SR SY-A20 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No TAKE CREDIT for system or component operability only if an analysis exists to Analysis was performed to verify the operability of systems and Doc.

demonstrate that rated or design capabilities are not exceeded. components where it was determined that conditions would exist which were outside the original design envelope. SR SY- Model A20 is therefore met.

SR SY-A21 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DEVELOP system model nomenclature in a consistent manner to allow model The Callaway PRA follows a rigorous naming convention for Doc.

manipulation and to represent the same designator when a component failure basic events to assure dependencies are correctly accounted for.

mode is used in multiple systems or trains. SR SY-A21 is therefore met. Model Thursday, September 21, 2006 Page A-97 of A-106 A-98

Appendix A - Callaway PRA Gap Analysis SR SY-A22 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT MODEL the repair of hardware faults, unless the probability of repair The Callaway PRA credits repair of hardware faults in the Doc. IE-8 is justified through an adequate analysis or examination of data. (See DA-C14.) recovery of the loss of CCW and loss of SWS initiating events.

The recovery events, which include recovery of CCF of pumps Model and valves lack sufficient analysis or data. The Callaway PRA does not meet SR SY-A22.

SR SY-B1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No MODEL intra-system common-cause failures when supported by generic or The Callaway PRA adequately models CCFs with the exception Doc. SY-2 plant-specific data. An acceptable method is represented in NUREG/CR-5485 of battery chargers and breakers as noted in SR SY-B3.

[Note (1)]. Model SR SY-B2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No No requirement to model inter-system common cause failures. No requirements exist for Category 2 SR SY-A18 and is Doc.

therefore NA for Callaway.

Model Thursday, September 21, 2006 Page A-98 of A-106 A-99

Appendix A - Callaway PRA Gap Analysis SR SY-B3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ESTABLISH common cause failure groups by using a logical, systematic The Callaway PRA includes most of the CCF groups identified. Doc. SY-2 process that considers similarity in In order to meet the criterion for SY-B3, either a justification (a) service conditions must be provided or the events added for: Battery chargers and Model (b) environment circuit breakers. The current treatment does not meet the (c) design or manufacturer criterion for SY-B3.

(d) maintenance JUSTIFY the basis for selecting common cause component groups.

Candidates for common-cause failures include, for example:

(a) motor-operated valves (b) pumps (c) safety-relief valves (d) air-operated valves (e) solenoid-operated valves (f) check valves (g) diesel generators (h) batteries (i) inverters and battery charger (j) circuit breakers SR SY-B4 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCORPORATE common cause failures into the system model consistent with The current Callaway PRA uses fairly high beta factors and Doc. SY-2 the common cause model used for data analysis. (See DA-D6.) although acceptable, use of the current method/data from NUREG/CR-5485 would be beneficial. SR SY-B4 is met, but Model only marginally.

Thursday, September 21, 2006 Page A-99 of A-106 A-100

Appendix A - Callaway PRA Gap Analysis SR SY-B5 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No ACCOUNT explicitly for the modeled systems dependency on support systems The Callaway fault tree models include links to all identified Doc.

or interfacing systems in the modeling process. This may be accomplished in support fault trees necessary to perform their required function.

one of the following ways: Therefore SR SY-B5 is met. Model (a) for the fault tree linking approach by modeling the dependencies as a link to an appropriate event or gate in the support system fault tree; (b) for the linked event tree approach, by using event tree logic rules, or calculating a probability for each split fraction conditional on the scenario definition.

SR SY-B6 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No PERFORM engineering analyses to determine the need for support systems that Support system requirements are based on design success Doc.

are plant-specific and reflect the variability in the conditions present during the criteria and timing, unless determined to be over conservative at postulated accidents for which the system is required to function. which point more realistic success criteria were evaluated. Model Therefore SR SY-B6 is met.

SR SY-B7 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No BASE support system modeling on realistic success criteria and timing, unless a Support system modeling is based on design success criteria and Doc.

conservative approach can be justified, i.e. if their use does not impact risk timing, unless determined to be over conservative at which point significant contributors. more realistic success criteria were evaluated. Therefore SR SY- Model B7 is met.

Thursday, September 21, 2006 Page A-100 of A-106 A-101

Appendix A - Callaway PRA Gap Analysis SR SY-B8 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY spatial and environmental hazards that may impact multiple systems Plant walkdowns were performed as part of the fault tree Doc.

or redundant components in the same system , and ACCOUNT for them in the development and used as a source of information regarding system fault tree or the accident sequence evaluation. spatial/environmental hazards, for resolution of Model Example: Use results of plant walkdowns as a source of information regarding spatial/environmental issues, or evaluation of the impacts of spatial/environmental hazards, for resolution of spatial/environmental issues, or such hazards during the Callaway PRA and therefore SR SY-B8 evaluation of the impacts of such hazards. is met.

SR SY-B10 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No When modeling a system, INCLUDE appropriate interfaces with the support The Callaway fault tree models include links to all identified Doc.

systems required for successful operation of the system for a required mission support fault trees necessary to perform their required function.

time (see also AY-A6). Therefore the SY-B10 criterion is met. Model Examples include:

(a) actuation logic (b) support systems required for control of components (c) component motive power (d) cooling of components (e) any other identified support function (e.g., heat tracing) necessary to meet the success criteria and associated systems Thursday, September 21, 2006 Page A-101 of A-106 A-102

Appendix A - Callaway PRA Gap Analysis SR SY-B11 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No MODEL those systems that are required for initiation and actuation of a The Callaway PRA models the Safety Injection signals and the Doc.

system. In the model quantification, INCLUDE the presence of the conditions LOSP signals at the train level. The trains are not modeled in needed for automatic actuation (e.g., low vessel water level). INCLUDE detail due to the large redundancy built into the system. Model permissive and lockout signals that are required to complete actuation logic. Interlocks were modeled as failing the components they prevented from operating. For each sequence, and the associated functional equations, the presence of the conditions for an SI or LOSP signal were assessed and a house event was used to fail the signal if the conditions were not present or apply an event representing the train unavailability if the conditions were present. A review was made to identify the potential permissives and lockouts which could affect components. In those cases, failure of the component was modeled as resulting from failure of the component which provides the permissive.

The requirements of SY-B11 are met.

SR SY-B12 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No MODEL the ability of the available inventories of air, power, and cooling to The available inventories for all systems were considered in the Doc.

support the mission time. development of the Callaway fault trees and therefore SR SY-B12 is met. Model SR SY-B13 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DO NOT USE proceduralized recovery actions as the sole basis for eliminating Support system requirements are not eliminated from the Doc.

a support system from the model; however, INCLUDE these recovery actions in Callaway model unless it can be shown that the loss of the the model quantification. For example, it is not acceptable to not model a support system does not impact the ability of the front-line Model system such as HVAC or CCW on the basis that there are procedures for system to perform its function and therefore SR SY-B13 is met.

dealing with losses of these systems.

Thursday, September 21, 2006 Page A-102 of A-106 A-103

Appendix A - Callaway PRA Gap Analysis SR SY-B14 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No Some systems use components and equipment that are required for operation of Components which are part of or impact multiple Doc.

other systems. INCLUDE components that, using the criteria in SY-A14, may systems/functions are not screened in the Callaway PRA and be screened from each system model individually, if their failure affects more therefore SR SY-B14 is met. Model than one system (e.g., a common suction pipe feeding two separate systems).

SR SY-B15 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No IDENTIFY SSCs that may be required to operate in conditions beyond their Each of the example degraded environments were considered Doc.

environmental qualifications. INCLUDE dependent failures of multiple SSCs and addressed in either the event trees or fault trees. SR SY-that result from operation in these adverse conditions. B15 is met. Model Examples of degraded environments include:

(a) LOCA inside containment with failure of containment heat removal (b) safety relief valve operability (small LOCA, drywell spray, severe accident)

(for BWRs)

(c) steam line breaks outside containment (d) debris that could plug screens/filters (both internal and external to the plant)

(e) heating of the water supply (e.g., BWR suppression pool, PWR containment sump) that could affect pump operability (f) loss of NPSH for pumps (g) steam binding of pumps SR SY-B16 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No INCLUDE operator interface dependencies across systems or trains, where Dependencies between operator actions are identified and Doc.

applicable. treated in the HRA and therefore the criterion for SY-B16 is met.. Model Thursday, September 21, 2006 Page A-103 of A-106 A-104

Appendix A - Callaway PRA Gap Analysis SR SY-C1 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the systems analysis in a manner that facilitates PRA The documentation of the systems analysis, while reasonably Doc. SY-3 applications, upgrades, and peer review. complete, could benefit from reorganization. There are currently thirty three calculation packages which document Model different pieces of the systems analysis. The recommendation is to replace these calculations with a single calculation which merges all of these calculations.

Thursday, September 21, 2006 Page A-104 of A-106 A-105

Appendix A - Callaway PRA Gap Analysis SR SY-C2 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the system functions and boundary, the associated success The documentation of the systems analysis, addresses all of the Doc. SY-3 criteria, the modeled components and failure modes including human actions, items identified with the exception of the component spatial and a description of modeled dependencies including support system and information which was only included at a very general level. If Model common cause failures, including the inputs, methods, and results. For the revision of the documentation recommended above is example, this documentation typically includes: performed, each of these areas for each system model should be (a) system function and operation under normal and emergency operations examined for robustness.

(b) system model boundary (c) system schematic illustrating all equipment and components necessary for system operation (d) information and calculations to support equipment operability considerations and assumptions (e) actual operational history indicating any past problems in the system operation (f) system success criteria and relationship to accident sequence models (g) human actions necessary for operation of system (h) reference to system-related test and maintenance procedures (i) system dependencies and shared component interface (j) component spatial information (k) assumptions or simplifications made in development of the system models (l) the components and failure modes included in the model and justification for any exclusion of components and failure modes (m) a description of the modularization process (if used)

(n) records of resolution of logic loops developed during fault tree linking (if used)

(o) results of the system model evaluations (p) results of sensitivity studies (if used)

(q) the sources of the above information, (e.g., completed checklist from walkdowns, notes from discussions with plant personnel)

(r) basic events in the system fault trees so that they are traceable to modules and to cutsets.

(s) the nomenclature used in the system models.

Thursday, September 21, 2006 Page A-105 of A-106 A-106

Appendix A - Callaway PRA Gap Analysis SR SY-C3 Cat II Not Met Capability Category II Requirement Assessment Enhancement FandO No DOCUMENT the key assumptions and key sources uncertainty associated with The system analysis key assumptions and areas of uncertainty Doc. SY-3 the systems analysis. are documented. If the revision of the documentation recommended above is performed, each of these areas for each Model system model should be examined for robustness.

Thursday, September 21, 2006 Page A-106 of A-106 A-107

Callaway PRA Gap Analysis Report Appendix B - Independent Assessment Results for Internal Events During Full Power B-1

Callaway PRA Gap Analysis Report Appendix B Initiating Events Analysis Assessment Results B-2

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-1 Technical Element: IE Supporting Requirement: IE-A1 The Callaway identification of initiating events that challenge normal plant operation and require successful mitigation to prevent core damage was initially performed using a structured systematic process to account for plant specific features. It is unclear from the documentation whether the initial basis for selecting the support system initiating events is ever revisited with the changing models or plant modifications.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-3

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-2 Technical Element: IE Supporting Requirement: IE-A3a The review of generic analyses of similar plants to assess whether the list of challenges included in the model accounts for industry experience was performed in the original PRA in Calculation ZZ-256, which has not been revisited. There doesnt appear to be any process to review current industry lists.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-4

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-3 Technical Element: IE Supporting Requirement: IE-A4 The initial screening of the systems was performed during the initial PRA and is discussed in 3.1.1.1.3 of the IPE submittal. Detailed FMEAs were developed for those systems identified as leading to plant trip. However, there was no justification provided for the exclusion of systems for which FMEAs were not performed. The FMEAs performed were documented in Calcs ZZ-116 (DC Power), ZZ-119 (AC Power), ZZ-120 (HVAC), EA-03 (SWS), EG-18 (CCWS), KA-30 (IAS). These FMEAs or the screening evaluations have not been revisited since the IPE. In order to meet Category 2 requirements, the documentation of the basis for the disposition of each system as an initiating event must be specified.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-5

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-4 Technical Element: IE Supporting Requirement: IE-A5 The screening process does not distinguish why events which occur during non-power were excluded. This does not meet SR IE-A5.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-6

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-5 Technical Element: IE Supporting Requirement: IE-A6 The IPE calculations were reviewed by plant personnel (e.g., operations, maintenance, engineering, safety analysis) prior to the IPE submittal to determine if potential initiating events have been overlooked however, it is not clear if this process is ever revisited. The analysis meets Cat. 2 SR IE-A6 but should be revisited as part of each major update.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-7

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-6 Technical Element: IE Supporting Requirement: IE-A7 There was no evidence found that operating experience was reviewed with precursors in mind. If an event did not result in the generation of a trip or an LER, then it was not reviewed. Interviews with operations and maintenance personnel would be one method to meet SR IE-A7. The current analysis does not meet Cat 2 SR IE-A7.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-8

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-7 Technical Element: IE Supporting Requirement: IE-C1, IE-C1a, and IE-C13 The IE frequencies currently do not include any uncertainty bounds. The IE frequencies need to have uncertainty bounds assigned to meet SR IE-C1, IE-C1a, and IE-C13.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-9

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-8 Technical Element: IE, SY Supporting Requirement: IE-C1b, IE-C9, SY-A22 The Callaway PRA credits repair of hardware faults in the recovery of the loss of CCW and loss of SWS initiating events. The repair events, which include repair of CCF of pumps and valves lack sufficient analysis or data.

Crediting repair of components is not acceptable unless the probability of repair is justified through an adequate analysis or examination of data.

The Callaway PRA does not meet SR IE-C1b, IE-C9, and SY-A22.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-10

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-9 Technical Element: IE Supporting Requirement: IE-C2 The Callaway IPE uses Bayesian update techniques, however, limited justification is provided about the informative prior distribution. Refer to note 2 of the standard for guidance.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-11

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-10 Technical Element: IE Supporting Requirement: IE-C3 IE-C3 requires that calculation of initiating event frequencies on a reactor year basis.

The Callaway PRA does not make this correction. Note that the T2 and T3 initiating events already include this based on the data collection method and calculation. SR-C3 is not explicitly met for the other initiating events. Refer to the ASME Standard for guidance on making this correction.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-12

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-11 Technical Element: IE Supporting Requirement: IE-C7 &

IE-C8 The fault trees used to quantify the support system initiating events all appear to use the correct computational methodology however the clarity is somewhat limited. The quantification process and maintenance of the support system initiating event fault trees could be improved and a better understanding of the support system importance by actually using a modified support system fault tree to generate an equation which then is assigned to the initiating event for the corresponding event tree. The current methodology marginally meets SR IE-C7 and IE-C8.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-13

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-12 Technical Element: IE Supporting Requirement: IE-C10 There is no documentation of a comparison with generic data sources for the support system initiating event fault tree results. This comparison needs to be documented as part of each update in order to meet SR IE-C10.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-14

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-13 Technical Element: IE Supporting Requirement: IE-C12 The Callaway treatment of ISLOCA addresses items a-d and may include item e but that is not clear. The ISLOCA documentation is good for the evaluation of the high/low interfaces (ZZ-105) however the documentation of the quantification from that point on is minimal, is not incorporated in the main model, and has not been revised or reexamined since the IPE submittal. The ISLOCA model as it now stands does not meet SR IE-C12.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-15

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IE-14 Technical Element: IE Supporting Requirement: IE-D1, IE-D2, IE-D3 The documentation of the initiating events analysis, while reasonably complete except as noted above, is not conducive to performing updates necessary to maintaining the PRA and does not make the IE analysis clear for peer review.

There are currently fifteen calculation packages which document different pieces of the initiating events analysis as well as some information only found in the IPE submittal.

The recommendation is to replace these calculations with two IE calculations, one for the identification of initiating events and one for the quantification of the initiating events.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-16

Callaway PRA Gap Analysis Report Appendix B Accident Sequence Analysis Assessment Results B-17

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-1 Technical Element: AS Supporting Requirement: AS-B1, AS-B2, QU-A2a Event Tree T(SW), function L2SW-M should evaluate the TDAFW pump with no functioning SW/ESW equipment. The cutsets for this function include failures of the ESW pumps and human action failures for alignment of SW/ESW. Since the initiator fails all SW/ESW, the logic should not include these events. A similar situation exists for function L2T1s.

Event Tree T(SW) function O1SW-M includes a FANDB operator error which does not belong in the function. A similar situation exists for functions O1C-M, O1CT1-M, and O1SW-M.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-18

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-2 Technical Element: AS Supporting Requirement: AS-A11 Transfers between event trees may be used to reduce the size and complexity of individual event trees. DEFINE any transfers that are used and the method that is used to implement them in the qualitative definition of accident sequences and in their quantification. USE a method for implementing an event tree transfer that preserves the dependencies that are part of the transferred sequence. These include functional, system, initiating event, operator, and spatial or environmental dependencies.

This requirement is not met. Many transfers such as seal LOCA and stuck open PORV transfer to a psuedo event tree. These transfers are quantified using an OCL file that does not have a specific event tree. This introduces possibilities for error in the quantification since there is no event tree on which to base the evaluated functions, especially those that require preservation of dependencies. The actual event tree for quantification of the RCP seal LOCA events was not found. An event tree Trcp appears to have been used, but this event tree has an event for recovery of CCW, which is not included in the .OCL files for the RCP seal LOCA events.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-19

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-3 Technical Element: AS Supporting Requirement: AS-B1 The method of event tree analysis for support system initiators does not appear to correctly capture the failed dependencies in the mitigating systems for some support system IEs. A single basic event is used for the initiating event. House events are included in the fault trees to turn off the affected trains when a support system is not available. It is not clear there are sufficient support systems modeled in the main feedwater and non-safety service water to fail these systems when their support systems are unavailable. This may occur in Tsw, Tnk01, and Tnk04. The cutsets for Tsw, Tnk01, Tnk04, and Tccw should be checked to search for systems that would be failed by the loss of the initiator, and then modify the fault trees to include the appropriate house events to disable these systems.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-20

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-4 Technical Element: AS Supporting Requirement: AS-B6 The RCP seal LOCA model needs to be updated to reflect the latest WOG model, which is approved by the NRC.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-21

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-5 Technical Element: AS Supporting Requirement: AS-B6 Room cooling requirements for the switchgear rooms for SBO should be re-evaluated to consider the actual heat loads in the rooms during SBO.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-22

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-6 Technical Element: AS Supporting Requirement: AS-A9 The MAAP results indicate there are 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months before core melt for the SGTR sequence with failure to isolate the SG. If the MAAP analysis is correct, then the sequence should be screened. If the MAAP analysis is not correct, or MAAP 3 can not provide a correct representation of the sequence, MAAP 4 should be used.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-23

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: AS-7 Technical Element: AS Supporting Requirement: AS-B1 Specific errors are as noted below:

Function O1T1S in the SBO event tree contains basic events for MFW and SW as a backup source for water to SGs if the TDP fails. The problem occurs in the SECDEP fault tree, which asks for GMFX100, but does not have any logic to cancel the gate in SBO. There are no events in the MFX fault tree which will cancel it in the event of an SBO, either. Also, in MFW.lgc, gate GMFW413 - the SVC system will be failed by LOSP, but comes through the link in the SBO function. Back-up sources of water to the SG are modeled at a high level, often only represented by an HEP. There needs to be either a) support systems developed which will be failed by LOSP or AC power, or b) house event logic to fail these for SBO.

The AFW function on the TSW event tree - (L2SW-M) - has recovery factors for ESW as a suction source to the turbine driven AFW pump. (AL-XHE-FO-AFWESW). ESW is failed by the initiator, but the IE is a basic event, not cutsets.

Need to represent the initiator as a support system fault tree, OR need to include house events in the AFW function to fail the cross-tie to the ESW system after a Loss of ESW.

In TSW event tree, function O1SW-M has an event (AE-XHE-FO-MFWFLO) for failure of MFW as back up to AFW. MFW is unavailable after loss of SW.

Need to include support systems for MFW or insert house events in fault tree to turn off MFW for loss of TSW.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-24

Callaway PRA Gap Analysis Report Appendix B Success Criteria Assessment Results B-25

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SC-1 Technical Element: SC Supporting Requirement: SC-C1, SC-C2, SC-C3 Success criteria are not documented in a single place. Each system notebook has the SC for that application. Current system of documentation does not provide easy comparison of T/H use for consistency. The ASME criteria expects to see a single place for SC documentation and a coordinated effort to compare and show that all SC are consistently derived from the same set of consistent T/H runs. The documentation should also identify the key assumptions and key sources of uncertainty associated with the development of success criteria.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-26

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SC-2 Technical Element: SC Supporting Requirement: SC-B5 There was no documentation found which provides a comparison of the plant-specific analysis with that of different plants or with other computer code calculations to check the reasonableness and acceptability of the results of the thermal/hydraulic, structural, or other supporting engineering bases used to support the success criteria.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-27

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SC-3 Technical Element: SC Supporting Requirement: SC-B1 It is noted that the feed and bleed criteria is conservatively set to 2 of 2 PORV. This may have significant numerical impact in use of the PRA, particularly considering spatial dependencies, for rooms that disable a train of AC power or DC power or fail a PORV.

The base case CCDP for a transient in 1.3E-6. If one PORV is OOS, the CCDP is 3.3E-5.

It may be worthwhile to re-evaluate F&B criteria with MAAP 4.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-28

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SC-4 Technical Element: SC Supporting Requirement: SC-B1 The Callaway PRA has a common cause event for failure to isolate SG blow down. This event fails all AFW. The importance of the event is 0.10 in the base case model with all initiators and 0.57 in the fire-transient model. Very few plants have this strong dependence on failure to isolate SG blow down. Suggest examination of the success criteria, or at least re-evaluation of the CCF values used, away from the 0.1 beta factor for 4/4 blowdown valves fail to close.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-29

Callaway PRA Gap Analysis Report Appendix B Systems Analysis Assessment Results B-30

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SY-1 Technical Element: SY Supporting Requirement: SY-A7 For the Instrument Air System a single basic event is used and is based on generic data.

The Callaway plant is not highly dependent upon IAS and the PRA loads on IAS also are supplied with N2 backup which is modeled. Modeling the IAS as a single basic is acceptable however, the MFW dependency on the IAS is not modeled and needs to be included since MFW is credited as a backup to AFW and is important. The actuation system is modeled with a single event for each of the redundancies which is set to fail for scenarios in which the conditions are not present to generate the signal. The level of detail is acceptable for this use.

The dependency of MFW on IAS needs to be included and the data associated with these single event failures need to be reviewed against current industry data and updated if necessary. The applicability of the data to the Callaway configuration also needs to be justified. One such source of data is NUREG/CR-5750.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-31

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SY-2 Technical Element: SY Supporting Requirement: SY-B1, SY-B3, & SY-B4 The Callaway PRA adequately models CCFs with the exception of battery chargers and breakers as noted in SR SY-B1 and B3. The quantification of all CCFs should be updated. CCFs should be added for Battery Chargers and Breakers. The quantification of the CCFs should be done in accordance with NUREG/CR-5485.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-32

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SY-3 Technical Element: SY Supporting Requirement: SY-C1, SY-C2, & SY-C3 The documentation of the systems analysis, while reasonably complete, is not conducive to performing updates necessary to maintaining the PRA and does not make the systems analysis clear for peer review.

There are currently thirty three calculation packages which document different pieces of the systems analysis. The recommendation is to replace these calculations with a single calculation which merges all of these calculations.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-33

Callaway PRA Gap Analysis Report Appendix B Human Reliability Analysis Assessment Results B-34

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: HR-1 Technical Element: HR Supporting Requirement: HR-D3 Documentation should be updated to add a ground rule statement that the quality of written procedures is considered in the operator-procedure interface failure mechanisms of the CBDTM, and in the EOM parts of the THERP analyses (step-by-step vs. verbose). The instrumentation and control layout is considered in the "Cues" sections and in the THERP execution analyses. Equipment configuration is considered for local actions in "Execution PSFs" and in the THERP analyses.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Lincoln Sarmanian B-35

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: HR-2 Technical Element: HR Supporting Requirement: HR-G6 The analyst who performed the reevaluation of the HFEs indicated that a reasonableness check was performed, however the documentation does not discuss this issue.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Lincoln Sarmanian B-36

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: HR-3 Technical Element: HR Supporting Requirement: HR-I3 Key assumptions are documented in the individual analysis files, where applicable. Key sources of uncertainty associated with the HRA are not documented.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Lincoln Sarmanian B-37

Callaway PRA Gap Analysis Report Appendix B Data Analysis Assessment Results B-38

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: DA-1 Technical Element: DA Supporting Requirement: DA-C6, DA-C7, DA-C8, DA-C9 The data collected for component demands, surveillance tests, maintenance unavailability, system configuration, and operation time is provided by the MR Group.

It appears, based on discussions with the PRA analyst, that the correct information is collected and transferred to the PRA Group; however the documentation of the collection method needs to be formalized and included as part of the PRA.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Mark Farrell B-39

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: DA-2 Technical Element: DA Supporting Requirement: DA-B1, DA-C2 Group estimations are based only on component type. Capability Category II requires grouping of components according to type (e.g., motor-operated pump, air-operated valve) and according to the characteristics of their usage to the extent supported by data:

(a) mission type (e.g., standby, operating)

(b) service condition (e.g., clean vs. untreated water, air)

The level of grouping used in the latest data update uses a very fine grouping which leads to a smaller data pool for each different component. Consideration should be given to collecting data on as large a group of components as possible to establish a meaningful collection of data. Grouping of the components as defined in SR DA-B1 and DA-B2 provides a more reasonable aggregation of data and results in a larger data pool to characterize the failure data.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Mark Farrell B-40

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: DA-3 Technical Element: DA Supporting Requirement: DA-D2 No justification is provided for the use of engineering judgment to determine the probability as required by DA-D2 (Example: HYDRAULICSYSFAIL, STR-FR, STR-FS). There is no indication that any parameters were (or were not) determined by using data or estimates of similar equipment.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Mark Farrell B-41

Callaway PRA Gap Analysis Report Appendix B Internal Flooding Assessment Results B-42

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-1 Technical Element: IF Supporting Requirement: IF-D5, IF-D5a This requirement is met to Category I. The flood initiating event frequencies are based on generic pipe break frequencies. No plant specific experience is considered in the determination of the flooding initiator frequencies. Plant experience at the time the flooding analysis was performed was 0 events. Documentation of the plant specific considerations used in the development of the scenarios needs to be added as discussed in SR IF-D5a.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-43

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-2 Technical Element: IF Supporting Requirement: IF-E3a This requirement is not met at any Category. The Category I/II screening quantitative criteria in the standard is 1E-09/year. ZZ-466 screening criteria was 1E-06/yr.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-44

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-3 Technical Element: IF Supporting Requirement: IF-C6, IF-C8 This requirement is met to Category I only. ZZ-466 allows the operator intervention and mitigation for floods that take 30 minutes or longer. Isolation and available manpower not specifically addressed.

Isolation and available manpower should be considered and documented with the revised screening discussed in F&O IF-2.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-45

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-4 Technical Element: IF Supporting Requirement: IF-E5, IF-E5a If additional human failure events are required to support quantification of flood scenarios, PERFORM any human reliability analysis in accordance with the applicable requirements described in Tables 4.5.5-2(e) through Table 4.5.5-2(h).

This requirement is not met. The HEP values used in ZZ-466 are not developed from a human reliability analysis.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-46

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-5 Technical Element: IF Supporting Requirement: IF-C2a For each defined flood area and each flood source, IDENTIFY those automatic or operator responses that have the ability to terminate or contain the flood propagation.

This requirement is not met. ZZ-466 treats operator response in a generic sense.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-47

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: IF-6 Technical Element: IF Supporting Requirement: IF-E7 For each flood scenario, REVIEW the LERF analysis to confirm applicability of the LERF sequences. If appropriate LERF sequences do not exist, MODIFY the LERF analysis as necessary to account for any unique flood-induced scenarios or phenomena in accordance with the applicable requirements described in para. 4.5.9.

This requirement is not met. The internal flooding sequences are not considered in the LERF analysis.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-48

Callaway PRA Gap Analysis Report Appendix B Quantification Assessment Results B-49

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-1 Technical Element: QU Supporting Requirement: QU-A2b &

QU-E3 The current quantification does not include an uncertainty calculation to account for the state-of-knowledge correlation between event probabilities. The structure exists to perform this correlation within WinNUPRA but at the current time it has not been done.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-50

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-2 Technical Element: QU Supporting Requirement: QU-B9 The Callaway PRA does not use modules, subtrees, or split fractions, with one exception.

That exception is in the SSIE events. These modules provide a place that some dependencies can be overlooked. While the Ameren staff have made the effort to account for these hidden dependencies and SR QU-B9 is considered to be met, linking of the SSIE fault trees to the event trees provides more assurance of the correct treatment and should be considered. EPRI is currently developing a procedure to guide the treatment of support system initiating events which should be issued in the near future.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-51

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-3 Technical Element: QU Supporting Requirement: QU-C3, QU-D1a, QU-D1b, QU-D1c Some instances of incorrect transfer of sequence characteristics, incorrect logic, incorrect house event settings, and resultant cutsets were identified based on cutset reviews. The process is generally set up correctly but the overall process would benefit from revising the quantification process to account for the additional software capability currently available. As a minimum, the top cutsets (500?) need to be reviewed to make sure that the transfers, logic, house event setting are yielding realistic combinations.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-52

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-4 Technical Element: QU Supporting Requirement: QU-D1a The IAS is correctly failed for LOSP, but remains available in all other cases. The IAS is cooled by SW and would be unavailable after loss of all SW (T(SW)) and should be set to failed via a house event setting. The availability of IAS needs to be propagated correctly during the quantification process.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-53

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-5 Technical Element: QU Supporting Requirement: QU-D4 There was no documentation of a review of non-significant accident sequences or cutsets to determine their reasonableness. This review is necessary to meet SR QU-D4.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-54

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-6 Technical Element: QU Supporting Requirement: QU-E1 &

QU-E2 Key sources of model uncertainty and key assumptions were identified during the IPE but they are scattered throughout the calculation packages which serve as the documentation. There is no indication that the results have ever been revisited since that time even though the model has underwent changes. Gathering the information in one place would be very beneficial to the long term maintainability of the analysis.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-55

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-7 Technical Element: QU Supporting Requirement: QU-E4 Key sources of model uncertainty and key assumptions were evaluated during the IPE with sensitivity analyses and those cases are requantified during each update to the model quantification but there is no documentation to show that the basis for the sensitivity studies has ever been revisited since that time even though the model has underwent changes. The sensitivity studies should be reexamined to make sure they cover the major sources of modeling uncertainty in the current model.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-56

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-8 Technical Element: QU Supporting Requirement: QU-F1 The documentation of the model quantification accurately documents what was performed during the quantification process, however the manual integration required for several stand-alone pieces of the analysis is not well documented. The recommended changes to the quantification process to integrate the entire internal events (including internal flooding) would serve to facilitate the use of the quantification process for PRA applications, upgrades, and peer review.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-57

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU-9 Technical Element: QU Supporting Requirement: QU-F2 In general the model integration process is adequately documented, however several of the areas do not meet the requirements. Items b (records of the cutset review process), f (the accident sequences and their contributing cutsets), g (equipment or human actions that are the key factors in causing the accidents to be non-dominant), and i (the uncertainty distribution for the total CDF) are not addressed in the documentation. As a minimum, these items need to be addressed to meet SR QU-F2. If the quantification process and documentation are revised the list of information included in SR QU-F2 should be followed in the revision.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-58

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU- Technical Element: QU Supporting Requirement: QU-F4 10 Key assumptions and key sources of uncertainty which influence the current quantification are not addressed in a coherent manner in the documentation.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-59

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU- Technical Element: QU Supporting Requirement: QU-F6 11 The quantitative definition used for significant cutset and significant accident sequence are documented and vary from the ASME definition. The ASME definitions need to be applied or the Ameren definition needs to be justified.

Significant sequence:

ASME - aggregate 95% of total, individual sequence >1%

Ameren - aggregate 88% of total, individual sequence >1%

Significant cutset:

ASME - aggregate 95% of total, individual cutset >1%

Ameren - cutsets >1E-6 LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-60

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: QU- Technical Element: QU Supporting Requirement: QU-F5 12 SR QU-F5 requires documentation of limitations in the quantification process that would impact applications. No documentation of limitations was identified.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici B-61

Callaway PRA Gap Analysis Report Appendix B LERF Analysis Assessment Results B-62

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: LE-1 Technical Element: LE Supporting Requirement: LE-B1, LE-D6 Probability of containment isolation failure leading to LERF does not contain a term to represent undetected, residual failures in containment structural integrity. This has been estimated at 5E-3 in NUREG/CR-4550. Failure of containment isolation is derived by fault tree analysis of the containment isolation combinations on the penetration paths. There are three LERF split fractions with probabilities of 7.7E-4. If the 5E-3 was added to this, the split fraction would change, although LERF would not move significantly. Split fractions for induced SGTR and HPME were not explicitly stated in the documentation available for review.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-63

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: LE-2 Technical Element: LE Supporting Requirement: LE-F2, LE-G4 The Level 2 analysis does not include uncertainty analysis nor are there sensitivity studies identified to examine the significant contributors to LERF. As a minimum, the Uncertainty in the Level 1 sequences should be propagated and sensitivity studies developed and evaluated for the important LERF scenarios.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-64

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: LE-3 Technical Element: LE Supporting Requirement: LE-D4, LE-D5 Meets category I for the evaluation of induced SGTR only. In order to meet category II, it is necessary to perform an analysis of thermally-induced SG tube rupture that includes plant-specific procedures and design features and conditions that could impact tube failure and a more plant specific estimation of secondary side isolation capability.

Little benefit is expected from the additional analysis at significant cost.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Robert C. Bertucio B-65

Callaway PRA Gap Analysis Report Appendix B Maintenance and Update Assessment Results B-66

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: MU-1 Technical Element: MU Supporting Requirement: MU-B3 Supporting requirement MU-B3 states that all PRA changes shall be performed consistent with the supporting requirements in the ASME standard. There is no requirement in APA-ZZ-00312 to do this. There is no reference in the procedure to any PRA standard.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-67

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: MU-2 Technical Element: MU Supporting Requirement: MU-B4 Supporting requirement MU-B4 states that PRA upgrades shall receive a peer review.

There is no requirement in APA-ZZ-00312 to do this.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS B-68

Callaway PRA Gap Analysis Report Appendix C - Independent Assessment Results for External Events During Full Power C-1

Callaway PRA Gap Analysis Report Appendix C Other External Events: Requirements for Screening and Conservative Analysis Assessment Results C-2

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: EXT- Technical Element: EXT Supporting Requirement: EXT-A1, 1 EXT-A2, EXT-C2, EXT-E1, EXT-E2, EXT-E3 The ANSI/ANS standard requires a broader examination of external events than performed in the Callaway IPEEE. The list of external events requiring consideration from Appendix A of the ANSI/ANS standard should be assessed and the reason for screening or evaluation should be documented. This review is not expected to result in identification of any additional events to be evaluated but is needed to show comprehensive coverage. Similarly, the search for any site-specific or plant-unique external events should be documented.

External events which are screened based on conformance with the 1975 SRP need to be examined to assess the impact of any significant changes (plant design, operation, nearby military or industrial facilities, nearby transportation, on-site storage or activities involving hazardous materials, or any other changes that could affect the original design considerations) or revisions to data (extreme local precipitation, high wind data, probable maximum flood, etc.) on the screening basis.

Documentation of the screening process needs to be revised to provide the criteria/basis for the screening classification of each external event (EXT-E1, EXT-E2, EXT-E3)

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: Marc D. Quilici C-3

Callaway PRA Gap Analysis Report Appendix C Seismic Margins Assessment Results C-4

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SM-1 Technical Element: SM Supporting Requirement: SM-H1 Requirement SM-H1 is to meet the general documentation requirements of Section 7 of the External Events Standard. The following requirements in Section 7 are not met for the Seismic margins analysis.

DOC-5: The documentation SHALL describe the major contributors to the uncertainty in each of the important final PRA results and insights.

DOC-7: The documentation SHALL include the peer-review report and the PRA analysis teams disposition of the peer-review teams comments.

Neither of these are included in the documentation of the Seismic Margins analysis.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS C-5

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: SM-2 Technical Element: SM Supporting Requirement: SM-C4 ENSURE that soil-structure interaction (SSI) analysis is median centered using median properties at soil strain levels corresponding to the review level earthquake input ground motion. CONDUCT at least three SSI analyses to investigate the effects on response due to uncertainty in soil properties.

ENSURE that one analysis is at the median low strain soil shear modulus and additional analyses at the median value times (1 + Cv) and the median value divided by (1 + Cv), where Cv is a factor that accounts for uncertainties in the SSI analysis and soil properties. If adequate soil investigation data are available, ESTABLISH the mean and standard deviation of the low strain shear modulus for every soil layer. ESTABLISH the value of Cv so that it will cover the mean plus or minus one standard deviation for every layer. For the minimum value of Cv, USE 0.5. When insufficient data are available to address uncertainty in soil properties, USE Cv at a value not less than 1.0.

Could not locate any documentation that the soil-structure analyses required by this requirement were performed.

LEVEL OF SIGNIFICANCE: C AR:

PRESOLUTION PLAN:

REVIEWER: MIKE A. PHILLIPS C-6

Callaway PRA Gap Analysis Report Appendix D - Independent Assessment Results for Low Power and Shutdown Plant States modeling Internal and External Initiating Events D-1

Callaway PRA Gap Analysis Report FINDING/OBSERVATION REGARDING PRA TECHNICAL ELEMENTS OBSERVATION: Technical Element: Supporting Requirement:

The Low Power and Shutdown PRA Standard is under development. When issued, there are expected to be PRA elements that will be required but are not part of the Callaway shutdown PRA model, specifically pre-initiating event HRA, internal flooding, uncertainty, LERF, and external events. Additionally the POS element will likely require additional analyses documenting the identification of plant states. The other PRA elements of the low power and shutdown PRA generally satisfy Capability Category II of the expected PRA Standard.

LEVEL OF SIGNIFICANCE: B AR:

PRESOLUTION PLAN:

REVIEWER: JEFF A. JULIUS D-2

ULNRC-05665, Application for Amendment to Facility Operating License NPF-30 (LDCN 09-0039) Completion Time Extensions for TS 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functions

Contents

Text

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

Reference:

Navigation menu

ULNRC-05665, Application for Amendment to Facility Operating License NPF-30 (LDCN 09-0039) Completion Time Extensions for TS 3.3.2 Engineered Safety Feature Actuation System (ESFAS) Instrumentation Functions

Text

1.0 DESCRIPTION

2.0 PROPOSED CHANGE

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

Reference:

Navigation menu

Search